#43034 Advice after hacking

Posted in ‘Admin Tools for Joomla!’
Environment Information

Joomla! version: 5.3.0
PHP version: 8.3.16
Admin Tools version: up-to-date

Latest post by moira on Tuesday, 16 June 2026 15:37 CDT

Richard_Wylde
Nicholas

Got hacked around 2.30 am today - Filefuns.php in /media.... and no doubt a lot more.... but no obvious change in the database


********************
Server error!

The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script.

If you think this is a server error, please contact the webmaster.
Error 500
www.terahertz.co.uk
Apache

***************************

I had a copy of htdocs.... so got site back up.... and have changed passwords for both Joomla and root.

Any obvious advice? I am assuming you have seen this before.

Richard






moira

Your site was compromised via a malicious PHP file (Filefuns.php) placed in /media. That directory is publicly accessible and, by default, PHP files in it can be executed directly by a visitor. This is the attack vector.

Step 1 — Update everything, right now. Today (16 June 2026), a small number of Joomla extensions — including SP Page Builder — published emergency updates addressing 0-day vulnerabilities that are actively being exploited. If any of those extensions are installed on your site, your site was almost certainly compromised through one of them. Please log into the administrator backend and update every extension and Joomla itself before doing anything else.

Step 2 — Clean the site properly. Restoring /htdocs from a copy gets the site working, but that copy may itself have been compromised at an earlier date, or you may have missed additional backdoor files that the attacker planted elsewhere. A thorough clean-up is required:

  • Run Components → Admin Tools → PHP File Change Scanner and start a new scan. It will flag every PHP file with a non-zero Threat Score, as well as any files that are new or unexpectedly modified compared to your last known-good baseline. Files like Filefuns.php planted in /media, /tmp, /images or other non-code directories will stand out immediately as they have no business being there.
  • If this is the first time you have run the scanner, it will build a baseline from your current state. In that case, focus on files flagged as Suspicious or Threat files, and on any .php files in directories that Joomla does not normally put PHP files in (e.g. /media, /images, /tmp, /cache).
  • After removing any malicious files, change all database credentials, Joomla Super User passwords, and any API keys or credentials stored in the site configuration.

Step 3 — Prevent this class of attack in future. The .htaccess Maker in Admin Tools has a Server Protection feature that generates rules blocking direct HTTP access to PHP files in directories such as /media, /images, /tmp, /cache, /logs, and others where Joomla stores user-uploaded or generated content rather than executable code. If Filefuns.php had been placed there while Server Protection was active, the web server would have refused to execute it with a 403 Forbidden error before PHP even started.

To enable this, go to Components → Admin Tools → .htaccess Maker, scroll to the Server Protection section, enable Frontend protection (and Backend protection for the administrator area), then click Save and Create .htaccess.

Full documentation for Server Protection, including how to add exceptions for legitimate files that need direct access, is at: https://www.akeeba.com/documentation/admin-tools-joomla/server-protection.html

Moira Fari

Support Specialist

🇬🇧English: native 🕐 My time zone is Asia / Nicosia
Kindly note that my replies are fully vetted by our developers.
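
As a complement to the scanner step in the reply above, this shell sketch lists .php files sitting in the content directories the reply names. It is an added example, not part of the ticket and not Admin Tools code; the function names are hypothetical and it assumes shell access to the server with the Joomla root passed as the first argument.

```shell
#!/bin/sh
# Added example (not Admin Tools code): list PHP files sitting in Joomla
# content directories, where the reply says they do not belong.
# Usage: sh sweep.sh /path/to/joomla/root

# Directory list taken from the reply above.
CONTENT_DIRS="media images tmp cache logs"

# Print one path per line for every *.php file (any letter case) found
# under the content directories of the Joomla root given as $1.
list_content_dir_php() {
    root=${1%/}
    for dir in $CONTENT_DIRS; do
        [ -d "$root/$dir" ] || continue
        find "$root/$dir" -type f -name '*.[pP][hH][pP]' -print
    done | sort
}

# Number of hits, for use in a cron job or monitoring check.
count_content_dir_php() {
    list_content_dir_php "$1" | wc -l | tr -d ' '
}

# Triage report: permissions, size, mtime and path of each hit.
# Hits are candidates for review, not verdicts. Returns 1 if any exist.
report_content_dir_php() {
    hits=$(list_content_dir_php "$1")
    if [ -z "$hits" ]; then
        echo "No PHP files found in: $CONTENT_DIRS"
        return 0
    fi
    echo "$hits" | while IFS= read -r f; do
        ls -ld "$f"
    done
    return 1
}

# Run the report only when a Joomla root was given on the command line.
if [ $# -gt 0 ]; then
    report_content_dir_php "$1"
fi
```

Review each hit against a known-good copy of the same Joomla and extension versions before deleting it, and compare modification times with the time of the incident.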
