Security & Anonymity

What to Do If You Suspect Your Hosting Account Is Compromised

Step-by-step response when you suspect your hosting account, email or website has been compromised - stop the bleeding, investigate, recover, harden.


You notice something wrong. Emails sent that you didn’t send. A spike in outbound traffic. Strange files in your account. A page that’s not yours appearing on your site. Don’t panic, but don’t delay either — the response in the first hour determines how much damage you take. This guide walks through the structured response: stop the bleeding, investigate, recover, harden.

Phase 1 — Stop the bleeding (first 15 minutes)

Whatever else, prevent the situation from getting worse.

Change passwords immediately

Do this from a device you trust. If your laptop is the thing that was compromised (see Phase 2), every new password you type into it goes straight back to the attacker. Change them in this order:

  • iWebVault client area password first. Most important: it gives access to everything else, including the cPanel password reset below.
  • cPanel password. From the iWebVault client area → Manage Hosting → Change cPanel password. Use a generated strong unique password. While you are in cPanel, revoke any API tokens you don't recognise (Security → Manage API Tokens); a token survives a password change.
  • All mailbox passwords. Especially the one(s) that look compromised. cPanel → Email Accounts → password reset on each.
  • FTP account passwords. cPanel → FTP Accounts → reset.
  • WordPress admin password. If you can still log in: Users → your account → password reset, then use "Log Out Everywhere Else" on the same profile screen so the attacker's existing session dies, and revoke any Application Passwords listed there that you didn't create. If admin access is locked: phpMyAdmin → wp_users table → set user_pass to the MD5 of the new password (pick MD5 in the Function column when editing the row); WordPress accepts a plain MD5 hash and re-hashes it with its own scheme on the next login.

Open a support ticket

Submit ticket here. Include:

  • Symptoms you noticed (when, what).
  • Affected domains / mailboxes / files.
  • Actions already taken.
  • Whether you’ve changed passwords yet.

We can:

  • Flush any spam queue (preventing further IP damage).
  • Run server-side malware scans.
  • Pull access logs you might not see directly.
  • Check whether other accounts on the server show similar compromise (sometimes there’s a common entry point).

If compromise involves spam flood: get the queue cleared fast

Every minute of unimpeded spam sending damages your domain and IP reputation further. We can purge the queue and block further sending from the compromised mailbox within minutes once you ticket. Queue management guide.

Phase 2 — Investigate (next hour)

Once you’ve stopped further damage, figure out what happened.

Check access logs

  • cPanel → Metrics → Latest Visitors → look for unusual access patterns. This view shows only the most recent entries; use it for a quick look, not for the investigation.
  • cPanel → Metrics → Errors → look for repeated 404/500s that might indicate probing.
  • cPanel → Metrics → Raw Access → full HTTP log, downloadable for grep/analysis. Turn on archiving there so logs survive the regular rotation; otherwise the log for the day it happened may already be gone by the time you look.

Look for:

  • Logins from unfamiliar IPs (countries you don’t operate in).
  • Successful logins at odd hours.
  • Requests for files that shouldn’t exist (shell.php, upload.php, etc.).
  • WordPress admin access from unfamiliar IPs.
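The checks in the list above, as an added example that is not part of this guide: a small POSIX shell script that runs over a cPanel Raw Access log (Apache combined format) and reports the four things the list asks about. The log lines inside it are constructed for the example; point LOG at a real access log to use it on your account.

```shell
#!/bin/sh
# Added example, not from the iWebVault article: triage a cPanel Raw Access log.
# Assumes Apache "combined" log format (what cPanel's Raw Access logs use) and a
# WordPress site. The log lines below are constructed for this example; replace
# LOG with a real file such as ~/access-logs/example.com on your account.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:20:44 +0000] "POST /wp-content/uploads/2024/03/shell.php HTTP/1.1" 200 51 "-" "curl/8.4.0"
198.51.100.20 - - [10/Mar/2024:09:30:10 +0000] "GET /about/ HTTP/1.1" 200 8812 "https://example.com/" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:31:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2024:03:01:00 +0000] "GET /old/upload.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2024:03:01:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2024:03:01:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
EOF

# Fields in combined format: $1 client IP, $4 timestamp (with a leading "["),
# $6 method (with a leading quote), $7 request path, $9 HTTP status.

# 1. POSTs to wp-login.php per IP. The owner logs in a few times a day; a
#    brute-force or credential-stuffing run is one IP with hundreds.
login_posters() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" { print $1 }' "$1" | sort | uniq -c | sort -rn
}

# 2. Successful WordPress logins with timestamp and IP. A stock install answers
#    a correct login with a 302 redirect to wp-admin and a failed one by
#    re-rendering the form with 200, so 302 is the "they got in" signal.
successful_logins() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == 302 { print substr($4, 2, 20), $1 }' "$1"
}

# 3. Requests for classic webshell file names, or for any PHP under
#    wp-content/uploads. A 404 is a probe; a 200 means the file exists and ran.
webshell_hits() {
    awk '$7 ~ /\/(shell|upload|cmd|c99|r57|wso|alfa)\.php/ || $7 ~ /^\/wp-content\/uploads\/.*\.php/ { print $9, $1, $7 }' "$1"
}

# 4. IPs producing the most 404s: scanners probing for files that are not there.
probing_ips() {
    awk '$9 == 404 { print $1 }' "$1" | sort | uniq -c | sort -rn
}

triage() {
    echo "== POSTs to wp-login.php by IP =="; login_posters "$1"
    echo "== Successful logins (time, IP): check the hour and the IP =="; successful_logins "$1"
    echo "== Webshell names / PHP under uploads (status, IP, path) =="; webshell_hits "$1"
    echo "== 404 counts by IP (probing) =="; probing_ips "$1"
}

triage "$LOG"
```

Archived Raw Access logs are gzipped; gunzip them first and run the functions over each file. The 302-means-success heuristic holds for a stock WordPress install; login plugins and CAPTCHAs can change the response codes, so confirm against a login you made yourself.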

Find modified files

Via SSH:

# Files modified in the last 7 days, newest first (GNU find, as on cPanel/Linux)
find ~/public_html -type f -mtime -7 -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort -r

# Files modified in the last 24 hours
find ~/public_html -type f -mtime -1 -ls

# Attackers often back-date mtime with touch so the file hides in the listing
# above; ctime is set by the kernel on any change and cannot be set with touch
find ~/public_html -type f -ctime -7 -ls

# PHP files with obfuscation or command-execution patterns (expect some false
# positives from legitimate plugins: read the hit, don't just delete the file)
grep -rEn "((eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|create_function|system|shell_exec|passthru)[[:space:]]*\(|preg_replace.*/e)" ~/public_html --include="*.php"

# PHP anywhere under uploads is almost always planted
find ~/public_html/wp-content/uploads -type f \( -name "*.php" -o -name "*.phtml" -o -name "*.php[0-9]" \) -ls

Output is your shortlist of files to investigate. Newly created files in your site root or wp-content/uploads are especially suspicious: uploads is meant for images, not PHP. Don't trust modification times alone; a file whose mtime says 2019 but whose ctime is yesterday has been touched to look old.

Check WordPress users

Common attack: add a hidden admin user. WordPress → Users → check for any account you don't recognize. Delete suspicious ones.

If the user list looks fine but a backdoor admin exists (malware can hide users from that screen), check directly in phpMyAdmin: every row in wp_usermeta with meta_key wp_capabilities whose meta_value contains "administrator" is an admin account, whether or not the Users screen shows it; match its user_id against wp_users. Your table prefix may differ from wp_.

Check for unfamiliar email accounts and forwarders

Attackers often add forwarders so mail (password resets etc.) gets copied to them:

  • cPanel → Email Accounts — any new mailboxes you didn’t create?
  • cPanel → Forwarders — any forwarders to external addresses you didn’t set up?
  • cPanel → Email Filters — filters that forward / blackhole specific messages?

Delete anything you didn’t set up yourself.

Identify the entry vector

How did they get in? Common vectors:

  • Reused password leaked in third-party breach. Check your email at haveibeenpwned.com.
  • Vulnerable WordPress plugin / theme. Outdated component allowed upload or RCE.
  • Form on your site allowing arbitrary mail sending. Contact form without rate limiting / captcha.
  • Compromised personal device. Malware on your laptop sniffed stored credentials.
  • Phishing. You clicked a link, typed credentials into a fake login page.

Identifying the vector matters — if you don’t, the attacker will return through the same hole. Look for: outdated software in WP Admin, recent emails that asked you to log in to “verify your account”, any device where you’ve recently installed questionable software.

Phase 3 — Clean and recover

Option A: Restore from clean backup

Best if you have a backup from before the compromise:

  1. Identify when compromise started (file modification times help; so does the first suspicious entry in the access log).
  2. cPanel → JetBackup → select backup from BEFORE that date. If every available restore point is from after that date, you don't have a clean backup; use Option B.
  3. Restore files (and database if needed).
  4. Site is back to a clean state, but also back to the vulnerable state the attacker exploited. Before it goes live, patch the entry vector you identified in Phase 2 (update or remove the vulnerable plugin, fix the open form), or you will be back here within days.

JetBackup restore guide.

Important: change passwords AGAIN after restore. Backups may contain compromised user records, and a restored WordPress database brings back whatever users and password hashes it held at backup time.

Option B: Clean in place

If no clean backup exists, or restore would lose recent legitimate changes:

  • Run Imunify360 scan from cPanel (Security → Imunify360 → Scan).
  • Remove identified malicious files (review before deletion — false positives possible; quarantine rather than delete if you may need a file as evidence of how they got in).
  • Replace WordPress core files with a fresh download from wordpress.org. If WP-CLI is available over SSH, its core verify-checksums command lists exactly which core files differ from the official release, which tells you what was tampered with before you overwrite it.
  • Replace plugin and theme files (delete and reinstall from official sources). A reinstall does not touch wp-config.php or .htaccess; inspect both by hand for added includes, redirects or rewrite rules.
  • For modified database content (suspicious admin users, injected option_value entries such as siteurl or home pointing somewhere else, script tags inside post_content), clean via phpMyAdmin.

Detailed workflow: Malware cleanup guide.

Option C: Pay for cleanup

For severe compromises (multiple sites affected, complex WordPress multisite, e-commerce stores with customer data), professional cleanup may be the right call. We offer cleanup services — open a ticket for quote.

Phase 4 — Harden against recurrence

  • Strong unique passwords everywhere — use a password manager. Guide.
  • 2FA on cPanel, client area, WordPress admin. Authenticator app preferred.
  • Update everything. WordPress core, themes, plugins. Delete unused ones entirely (less surface area); a deactivated plugin is still code on disk that can be requested directly.
  • Remove inactive mailboxes / FTP users. Less surface area to compromise.
  • Set up file integrity monitoring. Imunify360 includes this — alerts on file changes you didn't initiate. Read the alerts; monitoring nobody looks at is no monitoring.
  • Backups. Multiple restore points, ideally including off-site copies. JetBackup runs scheduled; add manual exports for important milestones, and test a restore once so you know it works before you need it.
  • Block geographic regions you don't operate in. CSF rules to deny entire countries from cPanel/admin login pages. This cuts noise rather than stopping a determined attacker (proxies and VPNs exist), and make sure the IPs you use when travelling aren't caught by it.
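A file integrity baseline you can run yourself, as an added example that is not part of this guide or of Imunify360: hash every file under the web root while the site is known clean, keep the baseline outside public_html, and diff against it later. Because it compares content rather than timestamps, a back-dated mtime does not hide a planted file. The directory layout and files in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the iWebVault article: a hash baseline for a web root.
# Keep the baseline OUTSIDE public_html and a copy off the server: an attacker
# with write access to the site can edit a baseline that sits beside the files.
# Uses GNU coreutils sha256sum (on macOS substitute "shasum -a 256").

# Write "<sha256>  <path>" for every file under $1 into $2, sorted by path.
baseline_create() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# Hash $1 again and print ADDED / MODIFIED / DELETED lines against baseline $2.
# sha256sum prints "<64 hex chars>  <path>", so the path starts at column 67;
# taking it from there keeps paths that contain spaces intact.
baseline_compare() {
    current=$(mktemp)
    baseline_create "$1" "$current"
    awk 'FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
         { p = substr($0, 67)
           if (!(p in base)) { print "ADDED    " p } else if (base[p] != $1) { print "MODIFIED " p }
           seen[p] = 1 }
         END { for (p in base) if (!(p in seen)) print "DELETED  " p }' "$2" "$current"
    rm -f "$current"
}

# Demo: a tiny constructed web root, a baseline taken while it is clean, then
# the kind of changes a compromise leaves behind. ROOT and BASE are left in
# place so you can inspect them afterwards.
ROOT=$(mktemp -d)
BASE=$(mktemp)
mkdir -p "$ROOT/wp-content/uploads/2024/03"
printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$ROOT/index.php"
printf 'GIF89a' > "$ROOT/wp-content/uploads/2024/03/photo.gif"
printf 'define("DB_NAME", "wp");\n' > "$ROOT/wp-config.php"
baseline_create "$ROOT" "$BASE"

# Simulated compromise: a planted PHP file under uploads with its mtime
# back-dated to 2020 (as attackers do), an injected include in index.php,
# and a deleted image.
printf '<?php /* planted file */\n' > "$ROOT/wp-content/uploads/2024/03/cache.php"
touch -t 202001010000 "$ROOT/wp-content/uploads/2024/03/cache.php"
printf '<?php include "/tmp/.x"; require __DIR__ . "/wp-blog-header.php";\n' > "$ROOT/index.php"
rm "$ROOT/wp-content/uploads/2024/03/photo.gif"

# Prints one ADDED, one MODIFIED and one DELETED line.
baseline_compare "$ROOT" "$BASE"
```

Run baseline_create once after a clean install or cleanup, then baseline_compare from cron daily; any line it prints that you cannot account for is a file to open in a text editor, not a file to ignore. Re-create the baseline after every legitimate update, or the update's own changes drown out the ones that matter.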

What to tell customers / users

If the compromise affected customer-facing systems (e-commerce site, user database), disclosure is part of responsible recovery:

  • Did customer data leak? If yes: tell affected users what was taken, and recommend they change passwords if they had accounts (and anywhere else they reused that password).
  • Did the site serve malware to visitors? If yes: notify visitors who came during the compromised window.
  • Legal requirements vary by jurisdiction. Under GDPR, a breach involving EU users' personal data must be reported to the supervisory authority within 72 hours of becoming aware of it unless it is unlikely to pose a risk to individuals, and the individuals themselves must be told without undue delay when the risk to them is high.

For most small-site compromises (defacement, spam injection, no customer data), no disclosure is required. For anything involving real user data, talk to a lawyer.

What’s next

The structured response matters. Most compromises clean up in hours when handled in order; they spiral into multi-day disasters when handled in panic. Stop bleeding first, investigate second, clean third, harden fourth. And ticket us early — much of the response is faster with both you and us working it.
