If your Joomla! website has been hacked then you should follow the steps below to remove the malicious code and prevent future attacks.
Initial Emergency measures
1. The first and most important thing is to completely disable your site and allow access only from your own IP addresses. This way you will quarantine your site, so that hackers will not be able to edit your files and Joomla! database. This step is absolutely mandatory. If you don’t disable your site your visitors will access harmful content. In addition, search engines (Google, MSN, etc.) will also block your site and display warning messages to all users. The easiest way to quarantine your site is to edit your .htaccess file and allow access only from your own IP address. Use the following two lines (they work on Apache based servers):
deny from all
allow from IP_ADDRESS
Replace IP_ADDRESS with your own IP address. Once you do this the site will be down for your visitors. Taking your site offline during the recovery will not affect your future search engine rankings. It is also a good idea to create a custom 403 error page to inform your visitors that your site is temporarily closed for maintenance. Check out this article for more information on how to do that.
Do not rely of Joomla!’s maintenance mode – it is not designed to protect your site from web attacks.
2. To make sure that you’re the only one who has access to your hosting account/site you have to change all passwords – for Joomla! administrators, FTP users, MySQL database users, cPanel accounts, etc. If you are not sure how to do this you can contact your web host and ask for assistance.
Restore your site from a working backup && Update Joomla!
3. The fastest way to get your website up and running again is to restore it from a working backup. Please note that the following procedure will erase all of your site’s modified or added data since the last known good backup. However, before you do this you should remove the infected Joomla! files and database, so that they will not be publicly accessible. Instead of deleting the site, you should move the Joomla! files and database to a safe location for further analysis. Create a backup of the infected site (files + database) and store them in a separate folder which is not accessible via a web browser. After that use the backup to restore the site.
4. Check your Joomla! site and make sure that it works as expected. At this stage, you managed to restore your site but it is vulnerably and you still cannot remove the quarantine. In addition, you need to reset the passwords for all Joomla! users one more time. This is needed because the passwords were reset when you restored the database backup. Very often Joomla! websites are hacked because of outdated extension, plugins and/or the Joomla! core itself. Thus, the next step is to upgrade your Joomla! application and all extensions to the latest stable available versions.
5. Scan the infected backup of your website (files + DB) using a local Anti-Virus program such as Norton Anti-Virus. When you scan your infected backup you will see a full list of the malicious files and then you can check the access log records on your server to find out more information about how the hackers accessed your site. You should always strive to identify the source of the attack (unfortunately sometimes this is not possible). Identifying the attack is also a difficult task and you may need to ask your host for assistance.
6. Remove the quarantine, so that your site will be publicly accessible again. If Google has marked your site as harmful you should also request a review from your Webmaster Tools account.
7. Secure your Joomla! site even more to avoid future security incidents. For more details how to secure your Joomla! site check our Joomla Security tutorial.