In this tutorial:
Recovering from a Hack can be overwhelming. Not only do you have to deal with restoring your site to a good working state, you also need to take steps to help prevent a repeated attack on your site. The following is a series of recommended steps for recovering from a hack (regardless of the nature of the hack). While this may seem overwhelming, this is an exhaustive list. You will want to try and close any open doors the hacker might have used (or may have left behind) to compromise your site.
Note! If you are not sure whether your site has been hacked or not, see our guide titled "I think my website has been hacked".
Change Your Passwords
The first step you want to take is to make sure you change all passwords associated with your account. The following is a list of different passwords you will want to update.
- cPanel Password
- Email Passwords
- FTP passwords
- Passwords for any Content Management Systems (CMS) such as WordPress, Joomla or Drupal
Scan your Computer
Hacks can come to our servers through your local computer. When a computer is compromised by a virus, hack code can be uploaded to your site through FTP programs and HTML editors. When accessing the Internet, make sure the network you are on is secure. If it isn't, or you aren't sure if it is, do not connect to your cPanel/server (this includes using an FTP program, publishing from design software, logging into email, or logging into a CMS admin area). The following explains the steps to take to prevent hacks from your local computer.
- Update any anti virus programs you have on your local computer and run a full scan of local machine. If you do not have anti virus on your local computer, it is highly recommended that you install an anti virus program, keep it up to date, and run regular scans (yes this includes Mac and Linux users as well). Both AVG and Avast offer free anti virus programs from Windows, Linux and Mac users.
- If you use a wireless router to connect to the Internet, make sure it is a secured connection. If you are not sure how to secure your wireless router, consult your router's documentation or do a search online for your router model and how to secure it. Your router manufacturer may also be able to assist you further.
- If you use any local web design/development software (e.g. Dreamweaver, iWeb, Microsoft Expression Web, etc.) make sure your software is up to date.
- Make sure that all Adobe products (including Adobe Acrobat and Adobe Acrobat Reader) are updated.
- Check your browser version and update as needed. If you have more than one browser installed on your computer, check all browsers installed.
If you antivirus software fails to detect any viruses, or you are having trouble removing a particular virus, several resources are available in which individuals will assist you in removing the virus for free:
Securing your cPanel
The cpanel is your hosting account control panel. It is recommended to secure your server through your cPanel. Below are steps to do this.
- Change your cPanel password.
- Make sure all of the FTP accounts listed are in use. If they are not, remove them. Make sure passwords for all FTP accounts have been changed.
- Check that all email accounts listed are in use. If there are any listed that are not in use, delete the accounts. Change your email account passwords.
- In the Email Forwarders area of cPanel, make sure any forwarders listed are ones that you created and are still forwarding from and to the correct email addresses.
- Review the Cron Jobs area of cPanel and make sure any cron jobs listed are legitimate and still contain the correct commands.
- Check the Simple DNS Zone Editor in cPanel. Under "User-Defined Records", check for any records pointing site away that shouldn't be there. Of course, if you use a third party for email or other services (like Google Apps for instance) you will expect to see records for those things. Just make sure that any DNS records listed are correct.
- In Redirects, review any redirects listed. If there are any redirects you did not create, remove them. If you have redirects you have created, make sure the redirection is still set up properly.
After you verify that your server and your computer is secure, you will want to secure other areas of your server like your CMS software and maintaining a backup.
- If you are using a CMS (e.g. WordPress, Joomla, Drupal, etc.) to create your site, make sure you are running the latest version. Update if necessary.
- Create and download regular backups of your website with Softaculous or with cPanel. We cannot stress how important this is. Downloading your backups is essential. In the event something goes wrong, having the backup stored separately from your account is vital.
Cleaning up Hacks:
Clean up a Code Injection
Typically code injections are carried out by an attacker uploading a PHP shell script to your account, either by compromising your FTP credentials, or by exploiting outdated software that you might have running on your website. If your site is trying to load malicious content for your visitors, or preventing your site from displaying properly, please see our guide on:
Cleaning up a code injection attack
Cleaning up a .htaccess Hack
The .htaccess file is used to primarily setup rewrite rules to control the way your site is accessed. You might not notice that your .htaccess file has been hacked until either a manual investigation, or you happen to get a malware warning on your website that it's redirecting to a malicious site. The fix is explained in the following guide:
Cleaning up a .htaccess Hack
Reinstall Wordpress after a Hack
In most cases when a WordPress site is hacked, it is because you are not running the latest secure version of WordPress, or one of the plugins that you have installed is outdated and has been used by a hacker to exploit the site. To get your site back up and running after a hack, see our guide on:
Reinstall WordPress after a Hack
Malicious User Activity/Hacks, and How it Affects your Account:
The following article explains why stopping malicious user activity and hacks from running on your account, is important to keeping your account's resource usage low:
Malicious User Activity and Hacks
We are here 24/7 to help you with your server. If you are hacked and need assistance, you can contact tech support to see if we can help. Even though coding support is beyond our support, we are always happy to see what we can do to help you get your site working.
Support Center Login
Social Media Login
2014-07-23 5:11 pm
My master domain is example.com and I've been hacked and all domain/files have been removed. I need to have all files as refrence. You guys move to quanrantine dir before but nothing for this time... Where I can have all the files... ?
2014-07-23 5:21 pm
Hello Kam, and thanks for your comment.
I see that your files in the /public_html directory were quarantined to the /quarantine directory, however it looks like the permissions were not setup correctly to allow you to view them.
You should be able to login to your account now and view all of your files. You can begin to move them back into your /public_html directory now. But please be mindful for any suspicious looking files that might still contain active hacks that could lead to your account being compromised by more malicious activity.
Please let us know if you have any further questions.
2014-08-20 11:40 am
I'ver already sent a email use email@example.com. But it seemed the email can't recieve email correctly. Please reply my email with this email: firstname.lastname@example.org. My master domain is www.postcardxp.com and I've been hacked. I tried to update all files backuped by myself. but the site still can not work properly. Please help me restore all files of my site use your backup before 1st July. After that day, I havn't upload any file onto my site. Thank a lot! Davy
2014-08-20 12:01 pm
If you need any files restored, you will need to contact the Live Support team or submit a restoration request via the AMP (Account Management Panel). The caveat is that our backups are no more than 24 hours old, so if you need a backup beyond the last 24 hours, you will need to provide those files yourself.
2015-02-15 1:24 pm
for your kind information, I can't open my any documents type file such as .docx, .xlx, .pdf, .jpeg etc. its happened after received a mail massage with attached ZIP file. I just extract ZIP and lost my file type. now all the file contain the file type as like PROFORMA.PDF.wmugstg
nOTE : PLEASE FIND OUT THE EMAIL ATTACHMENT AND TRY TO HELP ME IN YOUR LEVEL BEST.
2015-02-16 12:52 pm
Hello S. Khandker,
We would need a bit more information. When you say you cannot open specific files, what are you trying to open them with? Do you mean on your local computer or are you linking within a website?
2015-06-16 10:29 pm
hi- i have a site that is hosted by Inmotion and it has reported hacks each day for the last 3 days.
each time it has been restored to an unhacked version, and worked until the next day.
I have contacted IM and was sent a standard "what to do if your site it hacked" link. I have found that WP update checksums dont match, and dont think it is a hack, but rather a problem with an update.
Can you please assist as we are thinking of moving to another Host as having to restore every day is growing old quickly.
2015-06-17 1:14 pm
Sorry for the problems with your site. When I look up the issue of using checksums to verify WP update, we are not finding any official WordPress security alerts on the issue (or if there were, then they've been covered in a release). If you can provide more information on your account, we can take a closer look at the issue (URL or user name). I have numerous WordPress sites and there hundreds (if not thousands) of WordPress sites being hosted on InMotion, where the hack (checksum mismatch) is not an issue. I'm not saying this to say that there is NO problem, but it appears to be isolated to you. I would highly recommend that you use your latest backup, then disable ALL of the plugins and try your site out for a little bit. If the problem happens again, then I would recommend that you look at the theme. It's not unknown for malicious code be hiding in the plugins or the theme. If the problem was at the server level, then more than just your site would be repeatedly having this problem.
Apologies that I don't have a direct solution to get directly to the heart of the matter, but since the issue is not widespread at this point, we would like to eliminate the possible issues on your WordPress installation. Also, make sure that you have changed your passwords for your account.
If you have any further comments or questions, please let us know.