Recovering After a Hack To Your Website

Recovering from a hack can be overwhelming. Not only do you have to deal with restoring your site to a good working state, you also need to take steps to help prevent a repeated attack on your site. The following is a series of recommended steps for recovering from a hack (regardless of the nature of the hack). While this may seem overwhelming, this is an exhaustive list. You will want to try and close any open doors the hacker might have used (or may have left behind) to compromise your site.

Change Your Passwords

The first step you want to take is to make sure you change all passwords associated with your account. The following is a list of different passwords you will want to update.

Scan Your Computer

Hacks can come to our servers through your local computer. When a computer is compromised by a virus, hack code can be uploaded to your site through FTP programs and HTML editors. When accessing the Internet, make sure the network you are on is secure. If it isn’t, or you aren’t sure if it is, do not connect to your cPanel/server (this includes using an FTP program, publishing from design software, logging into email, or logging into a CMS admin area). The following explains the steps to take to prevent hacks from your local computer.

  • Update any anti virus programs you have on your local computer and run a full scan of local machine. If you do not have anti virus on your local computer, it is highly recommended that you install an anti virus program, keep it up to date, and run regular scans (yes this includes Mac and Linux users as well). Both AVG and Avast offer free anti virus programs from Windows, Linux and Mac users.
  • If you use a wireless router to connect to the Internet, make sure it is a secured connection. If you are not sure how to secure your wireless router, consult your router’s documentation or do a search online for your router model and how to secure it. Your router manufacturer may also be able to assist you further.
  • If you use any local web design/development software (e.g. Dreamweaver, iWeb, Microsoft Expression Web, etc.) make sure your software is up to date.
  • Make sure that all Adobe products (including Adobe Acrobat and Adobe Acrobat Reader) are updated.
  • Check your browser version and update as needed. If you have more than one browser installed on your computer, check all browsers installed.

Secure Your cPanel

cPanel is your hosting account control panel. It is recommended to secure your server through your cPanel. Below are steps to do this.

  • Change your cPanel password.
  • Make sure all of the FTP accounts listed are in use. If they are not, remove them. Make sure passwords for all FTP accounts have been changed.
  • Check that all email accounts listed are in use. If there are any listed that are not in use, delete the accounts. Change your email account passwords.
  • In the Email Forwarders area of cPanel, make sure any forwarders listed are ones that you created and are still forwarding from and to the correct email addresses.
  • Review the Cron Jobs area of cPanel and make sure any cron jobs listed are legitimate and still contain the correct commands.
  • Check the Simple DNS Zone Editor in cPanel. Under “User-Defined Records“, check for any records pointing site away that shouldn’t be there. Of course, if you use a third party for email or other services (like Google Apps for instance) you will expect to see records for those things. Just make sure that any DNS records listed are correct.
  • In Redirects, review any redirects listed. If there are any redirects you did not create, remove them. If you have redirects you have created, make sure the redirection is still set up properly.

Update / Backup Software

After you verify that your server and your computer is secure, you will want to secure other areas of your server like your CMS software and maintaining a backup.

Clean Up Hacks

Clean Up a Code Injection

Typically code injections are carried out by an attacker uploading a PHP shell script to your account, either by compromising your FTP credentials, or by exploiting outdated software that you might have running on your website. If your site is trying to load malicious content for your visitors, or preventing your site from displaying properly, please see our guide on: Cleaning up a code injection attack

Cleaning Up a .htaccess Hack

The .htaccess file is used to primarily setup rewrite rules to control the way your site is accessed. You might not notice that your .htaccess file has been hacked until either a manual investigation, or you happen to get a malware warning on your website that it’s redirecting to a malicious site. The fix is explained in the following guide: Cleaning up a .htaccess Hack

Reinstall WordPress after a Hack

In most cases when a WordPress site is hacked, it is because you are not running the latest secure version of WordPress, or one of the plugins that you have installed is outdated and has been used by a hacker to exploit the site. To get your site back up and running after a hack, see our guide on: Reinstall WordPress after a Hack

Scan your Website

You can have your website scanned for vulnerabilities by using sites like those listed below. They have a “Free Online Website Malware Scanner” that you can use right from their front page. You can receive a scan, a report, and even additional assistance, if desired.

Malicious User Activity/Hacks, and How it Affects Your Account

The following article explains why stopping malicious user activity and hacks from running on your account, is important to keep your account’s resource usage low: Malicious User Activity and Hacks


We are here 24/7 to help you with your server. If you are hacked and need assistance, you can contact tech support to see if we can help. Even though coding support is beyond our support, we are always happy to see what we can do to help you get your site working.

39 thoughts on “Recovering After a Hack To Your Website

  1. Under Cleaning Up Hacks: Scan Your Website, the AVG link is no longer active, can you please update it to the correct page or remove it from that list?

    Thanks.

    1. Thank you for your feedback. I have updated that link to the new location of the service they offer.

    2. I’m sorry to see that the link in the comment is no longer working. I recommend searching on google for “PHP best practices” for more information. Unfortunately, we are unable to modify the content on behalf of the third party and it is no longer available.

  2. My email has been hack and the party concerned is trying to blaclmail me. I want to completely remove the old website (email only) and set up a new website and email accounts. I see nothing anywhere on how to do this and you chat does not see my email therefore I cannot log in. I am also trying to set up last pass and there is a problem with that on your site. When a lastpass generated password was used, I could not log in. This is all very frustrating.

    1. Apologies for the frustration caused by the hacker. If the issue is in regards to your email and you are in InMotion Hosting customer, then please contact our live technical support team immediately. They will have access to assist you with your email account. If you are not a customer then I recommend that you contact your email host’s support team. LastPass will not help you with an email hacking situation. It can help you with tracking your passwords as it is primarily a password manager.

      1. When your site is online, you can exhale and figure out what went wrong the first time. To do this, you need to look at the processes and files of the old server.

  3. I recibed this e mail.

     

    Our System Administration team has discovered your website security was compromised and ‘hacks’ inserted into your account. These ‘hacks’ were loaded onto your account through through a vulnerability in the website software hosted on your account or a weak CMS password. 

    We identified the following hacked files: 
    /home/blessi16/public_html 
    /home/userna5/public_html/wp-content/uploads/2018/01/Ymxlc3NpbmdjaGFwbGFpbnVuaXZlcnNpdHkub3Jn/php 

    We have quarantined those malicious files. Due to the nature of the compromise, we cannot guarantee that your website is completely clean or does not contain exploitable vulnerabilities. Most frequently, hacks the result of out-of-date software installations; any outdated installation on the account can result in hacks on any site on the account. Please note that while upgrading the outdated software is recommended and may close existing vulnerabilities, it will not remove any hacks that have already been injected into the site. Therefore, you should have a developer or someone familiar with the website review the account thoroughly. Please note that if the security issues are not addressed, your site may be disabled. 

    And I don’t know what to do… anyone pleas help me

    1. The article that you are commenting on indicates the process for handling a hacked account/files. Is there a particular step or instructions you need additional clarity on? We are happy to assist you.

  4. Hello, 

    I got an email from inmotion saying our website was hacked and after following all of the steps other than paying sucuri to scan our malware, the website seems to be working on the internet explorer but not on google. It just comes up as the inmotion hack link saying ” website coming soon” and when searched in google it comes up as chinese letters. I know nothing about websites or what is going on please help, we are a non profit animal shelter and cant afford much help with paying someone to help with this and we live in a small community with no one with experience to help. 

  5. All my websites were hacke and i managed to re upload them apart from one. I seem to have lost the backup files when my computer hacked. how do i go about restoring the website from c-panel quarantine files. Its a cms website.

    1. Hello Christopher,

      Sorry for the problem with the hacking. I would recommend reloading the CMS to at least get a clean copy of it and then re-load any themes or add-ons. Using the quarantine files is not recommended as you would need to go through EACH file and clean it before you could use it. Please review the article above for the appropriate steps to take to recover after a hack.

      If you have any further questions, please let us know.

      Kindest regards,
      Arnel C.

    1. While mysqli or pdo is now recommended since mysql has been deprecated in php, that is not going to make it any less susceptible to hacking. Hacking is due to a hole in the code itself, so better coding will make for a stronger site.

  6. my website is getting hacked again and again. The hacker is deleting all files and folders via ftp or cpanel and uploading his own files which redirects to xyz.com. I am frustrated what to do. The hosting team is not assisting me, they are blaming that is coding issue. I don’t understand how the hacker is deleting all the files and folders. The technology which I used to develop the website is PHP.

    1. Hello Amit,

      I’m sorry that you are frustrated with the hacks on your website. Make sure that you’ve taken all the steps to reset your passwords, and also make sure that all of your own systems have been scanned in case they are part of the security issue. I would also recommend reviewing articles like this one Writing Secure PHP. PHP is not totally secure against hackers if the necessary steps are not taken to harden against intrusion.

      I hope that helps to answer your question! If you require further assistance, please let us know!

      Regards,
      Arnel C.

  7. Hi!

    I have a problem regarding my website www.***********.com. I can’t access my website and I believe that my website was hacked can you guys please helo me with this? I just starting to create my website and apparently i was hacked already.

    Thanks for your prompt assisstance

    Justin

    1. Hello Justin,

      Sorry to hear that you’ve been hacked. I took a look at your site and it does look like you’ve been hacked. Unfortunately, since you are not hosted with us, we can offer only advice on how to approach the issue. I would highly recommend that you restore a backup, and follow the guidance above (i.e. change passwords, clean hacks, scan systems). Please contact your developer and/or your hosting service for further assistance. If you have any further questions or comments, please let us know.

      Regards,
      Arnel C.

  8. Hello,

     

    My company website seems to be have been hacked. I can see many pages added which are ad-ware. Not sure, what the root cause it and how do I go about correcting it. 

    1. I regret to hear you suspect your site was compromised. If you have a hosting plan with us you can certainly contact our Live Support for a scan of your site. Or, if you don’t have a hosting plan with us, the steps in the article above can be applied to troubleshooting in a general sense.

  9. Our website was hacked how do we get it back up and running after going through all the steps in this article. i moved uninfected items back into the public html  older but our site is still showing me an inmotion hosting screen instead of our page

    1. Hello jamie,

      Thank you for contacting us. Upload an index file (either index.htm index.html or index.php) and that file will load instead.

      When you visit a website, it will always attempt to display an index page which can be named index.html, index.php, etc. Due to how our servers are configured, our default coming soon page will be displayed in the event that the typical file names do not exist. To resolve the issue, upload an index file such as a file named index.php, index.html, etc. to your account within the public_html directory.

      This is taken from our full article How to remove the InMotion Coming Soon page.

      Often, if you are using a CMS such as WordPress, Joomla, etc. you can download the same version from their download site, and use the included index.php file.

      Thank you,
      John-Paul

  10. Interesting now to get this reponse that suddenly the finger is pointed at “our cpanel” when support said it was because that IP address belongs to several sites on the same server it could have been anyone.  You might want to get your stories straight,  And do tell can’t someone at inmotion log into our cpanel and upload the file?  Also, wordpress plugins have nothing to do with cpanel so why are you even trying to focus blame on wordpress.  Focus, Focus, Focus.

    1. Hello Jeffrey,

      Thank you for contacting us. Yes, in a shared server setting, multiple cPanel accounts share an IP address.

      Almost everything in cPanel is logged. The FTP log in question, includes the username of the cPanel account that uploaded it. While InMotion has access to your cPanel, we do not know your password (since it is secret to you). With our access level, if we uploaded a file via cPanel it would list our IP in the log.

      There are many reports (such as this) of cPanel’s being compromised via WordPress. Since WordPress is so popular, it is often the most targeted. It just depends on the nature of the Vulnerability, and the security of the specific 3rd party Themes/plugins you are using. Keep in mind they are all developed by individual people and companies.

      Thank you,
      John-Paul

  11. Actually none of this helps.  We had the site kind of hacked.  Someone FTPed an index.html file.  When checking the FTP log the ip address traces back to inmotionhosting.  So someone in inmotionhosting ftped a index.html to hack our site.  Trying to work with support yielded no help.  Within 10 seconds the response was we didn’t do it, even though the IP address traces directly to inmotionhosting.

    1. Hello Jeffrey,

      Thank you for contacting us. We understand your concern, and certainly take this type of report extremely seriously. I spent some time reviewing your server’s logs, and do see where the index.html file was uploaded.

      The IP address is from your cPanel; meaning someone logged into your cPanel with your credentials and uploaded the file.

      Since this was not you, I highly recommend changing your cPanel Password immediately. Be sure to use strong passwords. For detailed information see our full guide on Password Strength and Security.

      It may also be beneficial to scan any computers you are connecting from, just to be safe.

      Also, since it seems you are running WordPress, ensure it is updated regularly along with any 3rd party Themes/plugins. There have been a lot of WordPress updates recently. Here is a helpful link to our 10 recommended steps to lock down and secure WordPress.

      If you have any further questions, feel free to post them below.

      Thank you,
      John-Paul

  12. hi- i have a site that is hosted by Inmotion and it has reported hacks each day for the last 3 days.

    each time it has been restored to an unhacked version, and worked until the next day.

    I have contacted IM and was sent a standard “what to do if your site it hacked” link. I have found that WP update checksums dont match, and dont think it is a hack, but rather a problem with an update.

    Can you please assist as we are thinking of moving to another Host as having to restore every day is growing old quickly.

     

    thanks,

    tim

    1. Hello Tim,

      Sorry for the problems with your site. When I look up the issue of using checksums to verify WP update, we are not finding any official WordPress security alerts on the issue (or if there were, then they’ve been covered in a release). If you can provide more information on your account, we can take a closer look at the issue (URL or user name). I have numerous WordPress sites and there hundreds (if not thousands) of WordPress sites being hosted on InMotion, where the hack (checksum mismatch) is not an issue. I’m not saying this to say that there is NO problem, but it appears to be isolated to you. I would highly recommend that you use your latest backup, then disable ALL of the plugins and try your site out for a little bit. If the problem happens again, then I would recommend that you look at the theme. It’s not unknown for malicious code be hiding in the plugins or the theme. If the problem was at the server level, then more than just your site would be repeatedly having this problem.

      Apologies that I don’t have a direct solution to get directly to the heart of the matter, but since the issue is not widespread at this point, we would like to eliminate the possible issues on your WordPress installation. Also, make sure that you have changed your passwords for your account.

      If you have any further comments or questions, please let us know.

      Kindest regards,
      Arnel C.

  13. Hello,

    I have the same problem as above. www.*************.com has been hacked and was quarantined. I need to access the contents of the website as reference if we will need to recreate the website from scratch. Hope you can help me retrieve my files.

    Your prompt response would be greatly appreciated.

    Thanks

    1. Hello Lean,

      As per Jacob’s response above, your files are in a QUARANTINE folder. You just need to login to your account and look in that folder to see your files. If you have any trouble getting to them, please let us know.

      Regards,
      Arnel C.

  14. Hi, 

    for your kind information, I can’t open my any documents type file such as .docx, .xlx, .pdf, .jpeg etc. its happened after received a mail massage with attached ZIP file. I just extract ZIP and lost my file type.
    now all the file contain the file type as like PROFORMA.PDF.wmugstg

     

     nOTE : PLEASE FIND OUT THE EMAIL ATTACHMENT AND TRY TO HELP ME IN YOUR LEVEL BEST.

    Best regards

    S. Khandker

    1. Hello S. Khandker,

      We would need a bit more information. When you say you cannot open specific files, what are you trying to open them with? Do you mean on your local computer or are you linking within a website?

  15. I’ver already sent a email use [email protected]. But it seemed the email can’t recieve email correctly. Please reply my email with this email: [email protected]. My master domain is www.postcardxp.com and I’ve been hacked. I tried to update all files backuped by myself. but the site still can not work properly. Please help me restore all files of my site use your backup before 1st July. After that day, I havn’t upload any file onto my site. Thank a lot! Davy

    1. Hello Davy,

      If you need any files restored, you will need to contact the Live Support team or submit a restoration request via the AMP (Account Management Panel). The caveat is that our backups are no more than 24 hours old, so if you need a backup beyond the last 24 hours, you will need to provide those files yourself.

      Kindest Regards,
      Scott M

  16. My master domain is example.com and I’ve been hacked and all domain/files have been removed. I need to have all files as refrence. You guys move to quanrantine dir before but nothing for this time… Where I can have all the files… ?

    Thanks

    Kam

    1. Hello Kam, and thanks for your comment.

      I see that your files in the /public_html directory were quarantined to the /quarantine directory, however it looks like the permissions were not setup correctly to allow you to view them.

      You should be able to login to your account now and view all of your files. You can begin to move them back into your /public_html directory now. But please be mindful for any suspicious looking files that might still contain active hacks that could lead to your account being compromised by more malicious activity.

      Please let us know if you have any further questions.

      – Jacob

Was this article helpful? Join the conversation!