Checking Joomla! Databases for Malicious Users
Attackers often create users to exploit security vulnerabilities in Joomla! and other Web-based applications. If you think your site's been compromised, reviewing the Joomla! users in your website's database can make sure attackers can't easily re-exploit your website.
This article details removing users through the database itself. However, you can also use Joomla!'s administrative control panel using the information Joomla! provides here.
Note: This procedure might vary depending on the version of your Joomla installation. For more assistance, or for version-specific instructions, please visit Joomla.org.
To log in to your database, you'll need the database's username and password. This was created when you installed Joomla! and is not the same as your Joomla! administrative credentials.
If you didn't store this login information, you can find it in your website's connection string, which is a file called
configuration.php. You can find this file in the directory where you installed Joomla! using either FTP (more info) or your control panel's file manager (more info).
configuration.php file, you need to copy the following information:
Note: Depending on your Joomla! version, your formatting might look slightly different.
We recommending backing up your database before making any changes to it. For more information, see Backing up and Restoring MySQL or MSSQL Databases.
Use the information you copied from your connection string to log in to your database through phpMyAdmin. For more information, see Log in to phpMyAdmin.
After logging in to your dabatase, click its name in the upper-left to see its tables.
Table names begin with the
dbprefix you saw in your connection strings — for Joomla! websites, it's typically
To view the content of an individual table, click its name in the left column, and then click Browse.
Now that you're in your database, you can remove any malicious users an attacker added.
View Your Site's Users
View the content of the
jos_users table. You should see something similar to:
This table contains the User ID, username, email address, hashed password, and the dates the user was created and last accessed.
name for each user.
View Users' Privileges
View the contents of the
jos_user_usergroup_map table, which lists which User IDs are mapped to which group. In this table,
user_id corresponds to the User ID from the list of users.
group_id for each
View Group Designations
To control users' permissions and access, Joomla assigns users to groups. You can see your group designations in the
Users assigned to groups
8 have Administrative or Super User permissions, which have enough access to compromise your site if used maliciously.
Review the list of users you noted for any users that have a
group_id matching Administrator or Super Users. This will include your own Joomla! username.
Remove Suspicious Users
Any users that you do not recognize can be removed. If you discover that the user was legitimate, you can always re-add them through the Joomla! administrative control panel.
To remove users, view the
jos_users table, and then click X next to the
id you want to remove.
Do not remove entries from