My website has been hacked!

Updated 4 weeks ago by Adam Thacker

If your website has been compromised, it’s crucial to act quickly to minimize damage and restore your site’s security. This guide provides step-by-step instructions to recover from common compromises, particularly for sites using well-known CMS platforms like WordPress, Joomla, or Drupal.

1. Immediate Actions: Lock Down Your Site

Suspend Your Site: In cPanel, go to "File Manager" and modify .htaccess to redirect visitors to a maintenance page while you investigate. This prevents further spread of malware and protects your visitors. (Guide to turning off your website here)
Change Passwords Immediately: Update cPanel, FTP, database, and CMS admin passwords to prevent further unauthorized access. Use strong, unique passwords.

2. Run Malware Scan and Check Logs

Imunify’s Auto Clean: While you won’t have direct access to ImunifyAV, it will automatically scan and clean infected files. You should still verify the state of your site manually.
- Check cPanel File Manager: Look for unusual files, especially in /wp-content/plugins/, /wp-content/uploads/, or similar directories.
- Review Logs: In cPanel, navigate to "Raw Access Logs" or "Errors Logs" to find traces of unauthorized access, failed login attempts, or malicious scripts executed.

3. Backup and Isolate

Create a Backup: Before making any changes, take a full backup of the compromised site (files and databases) via cPanel’s "Backup Wizard". This allows you to analyze or restore data later if necessary.
Quarantine Malicious Files: After identifying potentially malicious files (often renamed or injected PHP files), move them to a quarantine directory or delete them entirely if you're certain they are compromised.

4. Update CMS, Themes, and Plugins

Replace Core WP files - Use the WP-CLI tool to replace all Core WP Files - (Click here to learn how)
Core Updates: Ensure that the CMS (WordPress, Joomla, etc.) is updated to the latest version. Most CMS have an update option in the admin dashboard (e.g., WordPress Admin → Dashboard → Updates).
Plugin and Theme Updates: Update all installed plugins and themes to their latest versions. Outdated plugins are a common source of vulnerabilities.
Disable or Remove Vulnerable Plugins: In cPanel’s File Manager or via FTP, navigate to the plugin directory (e.g., /wp-content/plugins/ in WordPress) and rename or delete plugins that are no longer supported or known to be vulnerable.

5. Restore Clean Versions

Restore from Backup: If you have a recent clean backup, restore it using cPanel’s "Backup Wizard" or manually upload the files via FTP. Ensure the restored files are not compromised. (Guide to restoring using our backups here)
Use CMS Restore Features: Some CMS platforms offer a restore function that can revert to a clean version of the site, replacing compromised files while preserving data.

6. Review and Harden File Permissions

Correct File Permissions: Set proper file and directory permissions to reduce vulnerability to future attacks. For WordPress, standard permissions are:
- Files: 644
- Directories: 755
- wp-config.php: 440 or 400
Lock Down Sensitive Files: Ensure that sensitive files such as .htaccess, wp-config.php, and any other config files are locked down with stricter permissions.

7. Scan and Secure the Database

Check for SQL Injections: Use a tool or manually inspect your database (via cPanel's phpMyAdmin) for injected malicious content like <script> tags or unauthorized admin users.
Remove Malicious Entries: Remove suspicious entries in content tables (e.g., posts, comments) or any unknown admin accounts created in the users table.

8. Check for Backdoors

Look for Backdoor Files: Backdoor scripts often appear as innocuous PHP files with strange names or hidden in directories like /wp-content/uploads/. Delete these files to close any easy re-entry points for attackers.
Use Security Plugins: For WordPress, install security plugins like Wordfence or Sucuri to scan for backdoors and harden your site against future attacks.

9. Re-enable the Site and Monitor

Re-activate the Site: Once you are confident the site is clean, remove the suspension and allow traffic again. Test the site functionality thoroughly to ensure everything is working as expected.
Enable Monitoring: Set up automated monitoring for unusual activity. Use tools like Jetpack for uptime monitoring or CMS security plugins that provide continuous scanning.

10. Secure Your Site for the Future

Regular Updates: Implement an update schedule for CMS, plugins, and themes to ensure your site always runs the latest, most secure versions.
Limit Login Attempts: Install plugins like Limit Login Attempts Reloaded for WordPress to prevent brute force attacks. Enable Two-Factor Authentication (2FA) for all admin accounts.
Harden .htaccess: Add rules to your .htaccess file to block suspicious user agents, limit access to critical directories, and restrict access to admin panels by IP where possible.
Backup Regularly: Use cPanel’s automated backup solutions or plugins like UpdraftPlus to maintain regular off-site backups, ensuring quick recovery from any future compromises.