How to Secure a Compromised Website or Hosting Account

If a hosting account or website operator is careless with how they use their hosting account, or if the associated websites are not properly secured, the account and its websites become vulnerable to being compromised or hacked.

Service logins

We use the term service logins in this article to refer to all of the following:

  • cPanel access
  • FTP access including FTP sub-accounts
  • SSH access
  • Web app logins such as WordPress and Joomla admin dashboards

Common causes of a website or hosting account being compromised or hacked

  • The account or site operator:

    • neglects to keep their web apps (such as WordPress, Joomla, etc.), plugins, and themes up-to-date;
    • obtains one or more of these items from dubious developers or sources; and/or
    • neglects to remove any such items that are no longer being actively maintained by their respective developers.

    Malicious parties can then look for known security holes in the outdated, vulnerable, or malicious web apps, plugins, and/or themes and exploit them to gain access to the hosting account or website(s).

    Web app, plugin and theme developers issue security updates from time to time to patch newly-discovered security issues with their products. It is important that account and site operators keep such products up-to-date at all times to close all known security holes in the web apps that they’ve installed.

    Once the account is compromised, the malicious party can, and often does, plant multiple hard-to-find backdoors throughout your hosting account. These allow them to return whenever they wish, as long as at least one hidden backdoor remains undiscovered.

  • The account or site operator initiates a service login on a computer or device that is infected with malware. The computer or device could be theirs, or someone else’s, or both.

    The malware secretly and invisibly monitors the user’s keystrokes or accesses their stored login details, and transmits them to the malicious party.

  • The account or site operator uses a weak or easily-guessed password for one or more service logins, such as an English word, a combination of English words, or someone or something they like or are associated with. A malicious party gets lucky while trying out the various possible passwords.

  • The account or site operator uses a password for a service login that they also used on a different service elsewhere, and that other service is compromised, or its operators are malicious.

  • The account or site operator unknowingly enters their service login details on a phishing site, such as a malicious website pretending to be a service login.

  • The account or site operator writes down their service login details somewhere, and it is discovered.

  • The account or site operator stores their service login details elsewhere digitally, either locally or remotely, and the storage is compromised.

  • The account or site operator is in the process of entering their service login details when someone manages to sneak a peek, or it is recorded on camera or CCTV.

  • The account or site operator shares their service login details with a third party, and either the third party is malicious, or any of the above happens to the third party!

Steps to take when a hosting account or website is compromised

  1. Educate account and site operators about online security. Provide the above list of common causes to help them identify areas they need to work on immediately.

  2. Have account and site operators perform a complete anti-malware scan and cleanup of any Windows-based computers or Android-based mobile phones or tablets with access to their service logins.

  3. Sign in to the Client Lounge.

  4. Visit the My Profile section to update your Client Lounge password. The new password should be unique, difficult-to-guess, and not used anywhere else.

  5. Visit the Info page for your hosting account at the Client Lounge.

  6. Under the cPanel Login Information section, change the password for your hosting account. The new password should be unique, difficult-to-guess, and not used anywhere else.

  7. Sign in to the hosting account’s cPanel with your new password.

  8. Under the Files section, click FTP Accounts and change the passwords for all of the sub-accounts listed there, or delete them if they’re unused.

  9. Sign in to the admin dashboard of each of your web apps and change its access password.

  10. Remove all unused web apps, plugins, and themes. This reduces security risks and improves website performance.

    Any unused web apps that you may have installed using Softaculous in cPanel should be removed using Softaculous.

  11. Remove all web apps, plugins, and themes that you may have obtained illegally or from dubious sources. Illegally obtained web apps, plugins, and themes often contain malicious code designed to allow backdoor access to your sites.

  12. Remove all web apps, plugins, and themes whose developers no longer keep them up-to-date. Such files can contain outdated code that results in unnecessary security risks.

  13. Update each of your remaining web apps, plugins, and themes to their latest versions. Some web apps such as WordPress provide built-in updaters that can be configured and utilized within their admin dashboards.

    Web apps installed using Softaculous in cPanel can be updated from within Softaculous.

  14. If running WordPress, sign in to the WordPress admin dashboard, then select Users > All Users, then click Administrators to see if there are any admin users that aren’t supposed to be there. If so, delete them.

    For each remaining Administrator, be sure to change its password to a strong and unique one.

  15. If there are web apps or scripts within the hosting account that are custom-installed or created, check with their developers directly for up-to-date versions that close all known security holes.

    Developers who aren’t proactive or competent may not be good at identifying and patching such holes. When in doubt, use only web apps from reputable developers. If you develop your own web apps, gain ongoing expertise on web app security so that your own apps are secure.

  16. Using an FTP app or the File Manager in cPanel, look through all of the files and folders in your public_html folder and delete the ones that are no longer in use (after making sure you have an off-site backup of them in case you break something).

    Suspicious files that do not look like they form part of the site should be removed. Again, be sure to make an off-site backup of each file before deleting it, and visit your site each time to ensure it truly doesn’t require that file.

  17. While doing so, also check to see if any of the files remaining in the account have been tampered with, as they might contain one or more backdoors planted by the malicious party so they can continue to have access to your hosting account.

    Files that look like they have been tampered with should be replaced with a clean version. Remember to make an off-site backup of each file before replacing it, and visit your site each time to ensure it continues to function correctly.

  18. Sign in to the hosting account’s cPanel.

  19. Under the Advanced section, click Virus Scanner and initiate a scan of the entire home directory to ensure that no known malware is detected.

    Infected files should be destroyed to prevent infections from spreading to other files within your hosting account. Again, be sure to make an off-site backup of each file before destroying it, and visit your site each time to ensure it continues to function correctly.

  20. If any restrictions were imposed by the security system, contact us via a Client Care ticket to confirm that the above steps have been completed, so that we can remove the restrictions for you.

  21. Continue to keep web apps, plugins, and themes up-to-date at all times.

The above steps will help increase the security of the hosting account and its associated websites, and reduce their chances of being compromised in the future.
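
Steps 16 and 17 can be partly automated when a clean reference copy of the site is available, such as a fresh download of the same web app version or a known-good backup. The Python script below is an added example, not part of the original article: it hashes every file in both trees and reports which live files differ from, or are absent from, the clean copy. The function names and the sample files built in `demo()` are constructed for illustration.

```python
import hashlib
import sys
import tempfile
from pathlib import Path


def index_tree(root: Path) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256."""
    index = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():  # skip dirs and symlinks
            rel = p.relative_to(root).as_posix()
            index[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return index


def compare_trees(live: Path, clean: Path) -> dict:
    """Classify files on the live site against the clean reference copy."""
    live_idx, clean_idx = index_tree(live), index_tree(clean)
    return {
        # Same path, different content: replace with the clean version (step 17).
        "modified": sorted(f for f in live_idx
                           if f in clean_idx and live_idx[f] != clean_idx[f]),
        # Only on the live site: review as unused or suspicious (step 16).
        "unexpected": sorted(set(live_idx) - set(clean_idx)),
        # Only in the clean copy: deleted from, or never deployed to, the site.
        "missing": sorted(set(clean_idx) - set(live_idx)),
    }


def demo() -> dict:
    """Run the comparison on a small constructed pair of trees."""
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = Path(tmp, "live"), Path(tmp, "clean")
        for root in (live, clean):
            (root / "inc").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'home';\n")
            (root / "inc" / "util.php").write_text("<?php // helpers\n")
        (live / "inc" / "util.php").write_text("<?php // helpers, altered\n")
        (live / "inc" / "cache_x.php").write_text("<?php // not in release\n")
        return compare_trees(live, clean)


if __name__ == "__main__":
    # Usage: script.py LIVE_DIR CLEAN_DIR (no arguments runs the demo).
    args = [Path(a) for a in sys.argv[1:]]
    report = compare_trees(*args) if len(args) == 2 else demo()
    for kind, files in report.items():
        for name in files:
            print(f"{kind:10} {name}")
```

The "unexpected" list will also contain legitimate site-specific files such as uploads and configuration, so treat it as a review list rather than a delete list, and keep the off-site backup described in the steps above before changing anything.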