Frequently Asked Question

Now that I've been hacked, what should I do?
Last Updated 9 years ago

The obvious question is "Now that I've been hacked, what should I do?"

If the compromised software was third-party software you purchased, you should contact the vendor you purchased it from.

Regardless, we strongly encourage you to hire a qualified professional to repair your hacked website for you. The cost will be minimal compared to the amount of stress you are spared. Plus, if you do not do it right, you will just get hacked again. A qualified professional will provide the emotional relief you desire. You won't have to exert an ounce of energy recovering from this nightmare. And you will enjoy peace of mind knowing your website is properly secured -- it won't be hacked again when you wake up.

Best of all, we have found a qualified professional for you -- a guy who genuinely cares about you and your website. Helping you recover from a hacked website is his life passion. If you are interested in this referral, please let us know.

We have written the following general guide for those who insist on handling the recovery on their own.
This guide was written with a novice in mind, but covering all necessary vocabulary, industry knowledge, and script-specific information is impractical. Novices should expect to do additional research (Googling) to fill in their knowledge gaps. Working with your software vendor or hiring a qualified professional.

Here is what we suggest you do:
Back up your account
You can download all of your site's content to your local machine via FTP or, if you have access to cPanel, you can generate a full account backup through cPanel and download it to your local machine. Make sure the backup is saved somewhere other than your account on the server before proceeding with the next step.
Reset all of your passwords
This includes your cPanel (control panel), FTP users, database users, script admin users, and email addresses.
Delete all cron jobs
If you have access to cPanel this can be done there.
Remove your current content
Delete all of the content from your account's document root folder. This is most commonly the public_html folder.
Once your account is compromised, it is possible that the attacker has installed a backdoor for easier access in the future. Deleting all of the content from your account's document root folder is the only true way to ensure you have cleared out all untrusted material.
Re-install your site's scripts
Re-install the latest version of any scripts you still need. This includes any plugins, modules, addons, themes, etc.
If you have shared hosting with us or have purchased Fantastico and/or Softaculous for your virtual/dedicated server(s), we suggest installing your script(s) using Fantastico or Softaculous which are available in your cPanel. Fantastico and Softaculous can send you notifications when new versions of the script(s) you have installed are available and installing scripts through Fantastico and Softaculous is a lot easier than manually installing them.
Check your databases to see if they were hacked
Hacked databases are not common, but they do happen. If the database is hacked, it will need to be cleaned before you use it again.
Reconnect your scripts
Re-configure the newly installed script(s) to connect to the appropriate database.
If you're unsure which file holds the database information for your script, we maintain a Configuration File Location Cheat Sheet in the knowledgebase.
Upload clean files
Upload any needed clean files from the backup you generated.
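
One way to decide which backup files count as clean before uploading them, as an added example that is not part of the original guide: hash every file in the extracted backup and compare it against a fresh, untouched copy of the same script release. The directory layout, bucket names and extension list are assumptions, and the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: extensions your web server may execute; adjust for your stack.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".cgi", ".pl", ".py", ".sh"}

def index(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def triage(backup_root, clean_root):
    """Sort backup files into buckets before anything is uploaded."""
    backup, clean = index(backup_root), index(clean_root)
    report = {"identical": [], "modified": [], "extra_executable": [], "extra_data": []}
    for rel, digest in sorted(backup.items()):
        if rel in clean:
            bucket = "identical" if digest == clean[rel] else "modified"
        elif Path(rel).suffix.lower() in EXECUTABLE_EXTS:
            bucket = "extra_executable"  # script that the release never shipped
        else:
            bucket = "extra_data"        # images, documents, other site content
        report[bucket].append(rel)
    return report

def demo():
    """Constructed sample: one altered core file, one stray script, one image."""
    files = {
        "clean/index.php": b"<?php require 'app.php';",
        "clean/app.php": b"<?php // release code",
        "backup/index.php": b"<?php require 'app.php';",
        "backup/app.php": b"<?php // release code plus unknown lines",
        "backup/uploads/logo.png": b"\x89PNG constructed",
        "backup/uploads/cache.php": b"<?php // not part of the release",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return triage(Path(tmp, "backup"), Path(tmp, "clean"))

if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

Files in "identical" are already covered by the re-install, and "modified" and "extra_executable" files should not be uploaded without review. The "extra_data" bucket is sorted by extension only, so those files still deserve a look before they go back on the server.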
