What to Do If Your Website Is Hacked or Defaced via cPanel

If your website has been hacked, defaced, or is showing suspicious content, act quickly to minimise damage. This guide walks you through the immediate steps to secure your site and recover.

Step 1: Do Not Panic — Assess the Situation

1. Do not log in to your admin panels until you have changed your passwords (the hacker may have installed a keylogger).
2. Note what you see — is the homepage changed? Are there unknown pages? Is redirecting to another site?
3. Take a screenshot of the defaced page as evidence.

Step 2: Change All Passwords

1. Log in to your Allanux Web client area and change your account password.
2. Log in to cPanel and change the cPanel password.
3. Change your email account passwords.
4. Change your WordPress admin password (if applicable): Users → Your Profile → Scroll down → New Password.
5. Change your database password and update it in your website config file (wp-config.php for WordPress).

Step 3: Scan and Clean Your Website

1. Go to cPanel → Virus Scanner (if available) and run a full scan of your home directory.
2. For WordPress: install Wordfence or Sucuri Security plugin and run a scan.
3. Check for suspicious files in File Manager — look in public_html and wp-content/uploads/ for PHP files that should not be there.
4. Remove any unknown files, especially PHP files with random names like shell.php or admin_bak.php.

Step 4: Restore from Backup

1. If you have a clean backup from before the hack, restore your website. See our guide: How to Restore a Full Website Backup in cPanel.
2. If you do not have a backup, manually remove malicious files and repair corrupted ones.

Step 5: Secure Your Website

• Update all WordPress themes and plugins to the latest versions.
• Remove unused themes and plugins.
• Install and configure a security plugin (Wordfence, Sucuri).
• Enable Two-Factor Authentication on your cPanel account.
• Review file permissions — no file should be 777. Use 644 for files and 755 for directories.
• Change your database password and update wp-config.php.

Step 6: Report to Google

If your site was flagged as hacked by Google:

1. Go to Google Search Console.
2. Request a security review under the Security Issues section.
3. Google will re-crawl your site and remove the warning once it is clean.

Important Notes

• Report the hack to our support team — we can check server logs and help identify the attack vector.
• Most hacks happen through outdated plugins or themes, weak passwords, or file permission issues.
• Do not delete the hacked files before we investigate — they contain evidence of how the attack happened.
• If the hack affected multiple accounts on the server, our team will handle the server-side cleanup.

Troubleshooting

• Website keeps getting re-hacked: A backdoor may be hidden in a legitimate file. Restore from a clean backup instead of manually cleaning. Also check your .htaccess file for malicious redirects.
• Google shows "This site may be hacked" warning: Clean your site first, then request a review in Google Search Console. Removal typically takes 1-3 days after the review is approved.
• Visitors being redirected to another site: Check your .htaccess file for suspicious redirect rules. Also check for injected JavaScript in your website's header/footer files.
• Cannot access WordPress admin: The hacker may have changed your admin URL or deleted your admin account. Use FTP to access your files, or restore from backup. As a last resort, use the "WordPress Admin user via MySQL" method.
• Unsure if the site is fully clean: Contact support — we can run a server-level security audit on your account.

Need help? Contact our support team.