My Account has been Hacked! IMPORTANT Information
An account is considered pirated (or hacked) when an unauthorized individual (or automated software, such as a virus) has compromised its security measures in order to retrieve information, deface/alter its contents, or use it as a platform for further attacks.
Why would someone want to hack my web site?
While every case is different, there are many different reasons why someone would want to hack your web site:
- To install viruses or malware so that they may spread quickly to other users,
- To send spam,
- To collect sensitive information for unsuspecting users (often referred to as phishing),
- Because they can, or to prove they are competent hackers.
- To purposely disrupt your specific business or organization, although this is the rarest of cases
It may be useful to note that in most cases, web sites are hacked or exploited by automated scripts running on other compromised servers on the Internet.
How did my account get hacked?
There are generally two ways this may have happened:
Your password was compromised. It may have been guessed (password that was too easy), used by someone you trust, stolen from your computer (often by an automated virus or through an unencrypted network connection). This could be your cPanel password, your Client Area password, FTP password, or your custom software's Admin password.
- Your web site contained scripts or web applications that had security vulnerabilities which were exploited, allowing the hacker to gain control of your account. This is particularly common with Joomla, Wordpress, and phpBB applications when they are not up-to-date.
How do I know if my account has been hacked?
Sometimes a hacker will boldly display the fact that your site was hacked on your main web site. Other times, however, it can be much harder to detect that your site has been hacked. Hacked web sites may:
Inject code in your web page's HTML code that installs fly-by viruses or malware that infects your web site's visitor. Infected sites will generally be blocked by certain web browsers and search engines in order to limit the spread of the virus. This will evidently cause substantial loss of traffic to your web site.
- Contain visibly pirated web pages (with links and images that are not yours) .
- Contain an exact replica of some other site (called « phishing »).
- Send spam emails from your account .
- Install scripts that may remotely attack other web sites or attempt to damage and further compromise the server.
Our servers are regularly scanned and monitored for suspicious activity, and we may alert you by email if we believe your account to have been compromised. In some extreme cases, it is possible that we suspend immediately your account to prevent important problems on the server.
Other ways of detecting possible issues with your web site are:
- Check your site for Malware using the free Sucuri SiteCheck tool
- Inspect the files and folders in your web site with the tool of your choice (FTP, File Manager, etc), and pay particular attention to files you don't recognize.
- If you are using software such as Wordpress, Joomla or other CMS, ensure there aren't other authorized administrators on your account
If you suspect a hack but do not see any evidence of it, we encourage you to change all your passwords and contact our Support team to request a free malware scan, or a Premium Security Audit.
What Should I Do If My Web Hosting Account Has Been Hacked?
Once an account is confirmed to be hacked, several important steps need to be taken:
- Stay calm, but act quickly! Waiting more than 24 hours following a hacking incident may seriously hamper your ability to recover your website.
- If you are not the person who manages your web site, immediately contact the person in charge of your web site and inform them of the problem
- Run a complete anti-virus scan of your computer and any other computers having had access to your web hosting account in the past, with an up-to-date antivirus.
- You now have the option to either request a SiteSafe cleanup by our team (strongly recommended) or request that your account be restored from a clean backup. Depending on the nature of the hacking incident, one method may be preferred over the other. For example, if you choose to clean the infection with SifeSafe, you may be able to preserve your latest content while removing the code that negatively impacts your web site. Restoring a clean backup can be a helpful free alternative but (a) requires you to have a clean backup available and (b) may cause you to lose some data if the backup is not very recent. Contact our support team for assistance with either of these options.
- By now your site is hopefully restored to a functional state and you are ready to address the security issues that had initially allowed the security incident to occur in the first place. It is generally best to assume that any sensitive contents on your hosting account (including emails, database passwords) have already been compromised, so you may wish to react accordingly. Start by change all your passwords, including:
- Client Area
Log in to the Client Area and click on Profile > Change Password
Log in to the Client Area and click on My Services > (if you have more than one service, View Details of affected service) > Change cPanel Password
- Email Accounts
From the cPanel, under Email Accounts (scroll to the bottom and select Change Password on the right next to an email)
- Additional FTP Accounts
From the cPanel, under FTP Accounts
- Database Users
From the cPanel, under MySQL Databases. You'll need to create a new database user, grant him the necessary permissions to your existing database, then remove the previous database user.
- Any Admin users for your Wordpress, Joomla, or other PHP software you run on your site.
- Client Area
- Update any software you have installed on the server, including their core, plugins, themes and extensions. This should be done with the person or people that have built your web site in order to ensure nothing breaks
- Delete any old installations you may have installed and forgotten about, as they pose potential security threads.
- We have also compiled several Wordpress and Joomla-specific tips:
For Wordpress Sites:
- Update your wp-config.php file in your Wordpress root directory with the new database password.
- Still in the wp-config.php file, change all your security keys to ensure cached active sessions are not permitted to connect with logging in again. You can use this tool to generate new ones.
- Change all your Admin user's passwords
- We recommend installing the free WordFence security plugin for added protection. You'll find this through a search from the Wordpress plugins section.
- Update your core Wordpress version, all plug-ins, themes, and modules.
- Read more about hardening your Wordpress installation here: http://codex.wordpress.org/Hardening_WordPress
For Joomla Sites
- Update your configuration.php file in your Joomla root directory with the new database password
- Update your Joomla core and other extensions to the latest available versions
- Change all your Admin user's passwords
- Complete the Joomla security checklist: http://docs.joomla.org/Security_Checklist/Joomla!_Setup
- Read more about Joomla security here: http://docs.joomla.org/Security
What Should I Do If My Dedicated Server Has Been Hacked?
Dedicated servers compromised at the root level are very difficult to fix or patch. We strongly recommend you perform a backup of all needed files form your server and consider reinstalling the Operating System and Control Panel (if any), then manually restoring the content after verifying that it is not infected.
Always keep your dedicated server software, kernels, and components updated on a regular basis. Our Server Management plans also help you ensure you are better protected against potential security threats.
Article ID: #HC5111