Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            My Website Was Hacked: Cleanup & Recovery

            Discovering that your website has been compromised is stressful, but it is recoverable. This article walks you through how to confirm a hack, contain the damage, clean your site, and prevent it from happening again.

            How websites get compromised

            Most shared-hosting site compromises come from outdated software, weak passwords, or vulnerable plugins and themes — not from the hosting server itself. Common signs include:

            • Browser or search-engine warnings that your site is "deceptive" or "contains malware"
            • Unexpected pop-ups, redirects, or spam content on your pages
            • New files or admin users you did not create
            • A sudden spike in resource usage or outbound email

            If you see these, act quickly — the longer a compromise sits, the more damage it does and the harder it is to clean.

            Before you begin

            • cPanel access, to inspect files, change passwords, and run backups.
            • A way to work safely. Avoid logging into the compromised site's admin from a device you suspect is also infected.
            • Your most recent clean backup, if you have one.

            Step 1: Contain the damage

            Limit further harm before you start cleaning.

            1. Take the site offline temporarily if possible (a maintenance page or password-protecting the directory), so visitors are not exposed.
            2. Change your cPanel password immediately. See the cPanel password article.
            3. Change passwords for your site's admin accounts, database users, and FTP accounts.
            4. If you reuse the compromised password anywhere else, change it there too.

            Step 2: Find out what happened

            1. In cPanel, open File Manager and look for recently modified or unfamiliar files, especially in public_html.
            2. Check for admin users you do not recognize in your application (for example, in the WordPress users list).
            3. Review your raw access and error logs in cPanel for suspicious activity.

            Tip: Note the date things changed. It helps you choose a backup from before the compromise and identify what was affected.

            Step 3: Clean the site

            You have two main approaches. Choose based on what you have available.

            Option A: Restore from a clean backup (fastest, if available)

            1. Identify a backup from before the compromise.
            2. Restore your files and database from that backup. See Restoring Your Site from a Backup.
            3. Immediately apply the prevention steps in Step 5, or the site can be re-compromised the same way.

            Option B: Clean manually

            1. Replace your application's core files with fresh copies from the official source (for WordPress, reinstall the core).
            2. Delete any unfamiliar files and remove injected code from legitimate files.
            3. Update or reinstall all plugins and themes from trusted sources; delete any you do not recognize.
            4. Scan your database for injected content.

            Warning: Do not simply delete the warning or visible spam and assume the site is clean. Attackers usually leave hidden backdoors. If you cannot confidently remove everything, restore from a clean backup or get professional cleanup help.

            Step 4: Verify and restore access

            1. Confirm the malicious content and files are gone.
            2. Re-scan the site and check that warnings no longer appear.
            3. If a browser or search engine flagged your site, request a review through their tools once it is clean. [SME CONFIRM: whether EH provides or recommends a malware-scan/cleanup service or a specific blocklist-removal path.]
            4. Bring the site back online.

            Step 5: Prevent it from happening again

            • Update everything. Keep your application, plugins, and themes current — outdated software is the top cause of compromises.
            • Use strong, unique passwords for cPanel, your site admin, databases, and FTP.
            • Remove what you don't use. Delete unused plugins, themes, and old installations.
            • Harden WordPress. See Hardening Your WordPress Site.
            • Use the security tools in cPanel. See Securing Your Site with cPanel Tools.
            • Keep backups. Maintain regular, off-site backups so a clean restore point always exists.

            Next steps

            If your account shows signs of ongoing compromise or you are unsure whether your site is fully clean, contact us right away.

            Questions? Contact Exact Hosting Support.

            How helpful was this article?

            Thanks for your feedback!

            Do you still need help? If so please submit a request here.