Fix a Hacked cPanel account and remove Malware
cPanel servers are a frequent target for attackers, and this post covers hacked cPanel accounts. A shared cPanel server hosts a diverse set of people running all types of software, and from WordPress to WHMCS it is the end user’s responsibility to make sure the software they run is always up-to-date.
However, users often do not keep software up-to-date, and plugins uploaded to WordPress may also contain malware that causes a WordPress website to become compromised. The main types of compromise we define are:
- Site Compromise (This blog post)
- Root Compromise
We will cover each of these issues in a separate blog post, including how to fix the problem so it does not return.
cPanel Account Hacked/Compromised
cPanel accounts can become compromised in several ways. In our experience, the most common compromise is through WordPress, with users uploading plugins embedded with malware. The malware allows a malicious user to gain access to the cPanel account through the plugin. This, in turn, exposes the wp-config.php file, which contains the WordPress database username and password, and so gives them access to your WordPress website database.
This also has some caveats for cPanel server administrators. Unfortunately, if your cPanel server is running some specific settings and a cPanel account has been compromised, in some circumstances that malicious user can gain access to other accounts on the server. The problem then escalates from a simple, local infection to a server-wide issue, but that is outside the bounds of this post.
Remediating a Hacked cPanel Account
A common sign that a WordPress website has been hacked is spam email: you may find spam being sent from a PHP script located within WordPress. If you are using F2HCloud High Availability Web Hosting you may have received an alert, as we scan all files that are placed in the user’s account. If you have received an alert we have already taken action to remove the malware. If not, follow the steps below.
- Identify the cPanel user who has had malicious files uploaded to their account.
- Remove the malicious files or plugins in question.
- Update all software on this user’s account. WordPress, Joomla, themes, plugins, everything should be fully updated.
- Ensure the files have not been put back in the account while you were updating the software on the site. If they have, that indicates another file is adding the malware back automatically.
- Change the password on the user’s cPanel account.
- Change all email and FTP passwords.
- Change the WordPress MySQL database password and update the wp-config.php file.
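As an added example (not part of the original post and not F2HCloud’s own tooling), the POSIX shell script below walks through the file-side half of those steps on a constructed sample account: it flags files that commonly indicate an uploaded web shell or an infected plugin (PHP files under wp-content/uploads, and PHP files using the eval/base64_decode obfuscation pair), takes a hash manifest before and after the software update so that anything re-planted shows up, and rewrites the DB_PASSWORD line in wp-config.php once the MySQL password has been changed. The sample directory tree, file contents and the `new-secret` password are all constructed for the demo; the cPanel, email and FTP password changes are done through cPanel and are not scripted here.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE paths and contents below are
# constructed; on a real server point the helpers at the user's public_html.

# Pick a file hasher: sha256sum on GNU systems, cksum (POSIX) as a fallback.
if command -v sha256sum >/dev/null 2>&1; then HASHER=sha256sum; else HASHER=cksum; fi

# Steps 1-2: list files that commonly indicate a dropped web shell or an infected
# plugin. Heuristics: PHP under wp-content/uploads (WordPress never legitimately
# stores PHP there) and PHP containing the classic eval(base64_decode(...)) pair.
# These are indicators to review, not proof; output is one path per line.
find_suspect_files() {
    root="$1"
    {
        find "$root" -type f -path '*/wp-content/uploads/*' -name '*.php'
        find "$root" -type f -name '*.php' -exec grep -l 'eval *( *base64_decode' {} + || :
    } | sort -u
}

# Step 4: hash every file under a root into a sorted manifest. Take one manifest
# after cleanup and another after updating software; a changed or reappearing
# file points at something that re-plants the malware automatically.
snapshot_tree() {
    root="$1"; out="$2"
    ( cd "$root" && find . -type f -exec "$HASHER" {} + | sort ) > "$out"
}

# Print paths that are new or changed in the second manifest (the path is the
# last field of each manifest line; paths containing spaces are not handled).
changed_files() {
    before="$1"; after="$2"
    comm -13 "$before" "$after" | awk '{print $NF}'
}

# Step 7: replace the DB_PASSWORD line in wp-config.php after the MySQL password
# was changed in cPanel. The value goes into a sed replacement, so it must not
# contain the sed metacharacters | & \ unless escaped first.
set_wp_db_password() {
    cfg="$1"; newpass="$2"
    sed "s|^define( *'DB_PASSWORD'.*|define( 'DB_PASSWORD', '$newpass' );|" "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Constructed sample account so the helpers can be exercised offline.
make_sample_account() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/wp-content/uploads/2024" "$root/public_html/wp-content/plugins/demo"
    printf '%s\n' '<?php echo "hello";' > "$root/public_html/index.php"
    printf '%s\n' "<?php define( 'DB_NAME', 'demo_wp' );" \
        "define( 'DB_PASSWORD', 'old-secret' );" > "$root/public_html/wp-config.php"
    # Constructed indicators: PHP in uploads, and an obfuscation-style call whose
    # argument is an inert placeholder string, not a real payload.
    printf '%s\n' '<?php echo "dropped";' > "$root/public_html/wp-content/uploads/2024/x.php"
    printf '%s\n' '<?php eval(base64_decode("PLACEHOLDER"));' \
        > "$root/public_html/wp-content/plugins/demo/demo.php"
    printf '%s\n' "$root"
}

# Walk the steps on the sample tree.
demo() {
    acct=$(make_sample_account)
    site="$acct/public_html"
    echo "Suspect files:"; find_suspect_files "$site"
    # Step 2: remove what the scan found, then snapshot before touching anything else.
    find_suspect_files "$site" | while read -r f; do rm -f "$f"; done
    snapshot_tree "$site" "$acct/before.txt"
    # Step 3 would update WordPress, plugins and themes here.
    set_wp_db_password "$site/wp-config.php" 'new-secret'
    snapshot_tree "$site" "$acct/after.txt"
    echo "New or changed since cleanup (expected: only ./wp-config.php):"
    changed_files "$acct/before.txt" "$acct/after.txt"
    rm -rf "$acct"
}
demo
```

Run it as-is to see the demo; on a live account call `find_suspect_files /home/USER/public_html` and review each hit before deleting, since the grep heuristic can also match legitimate but poorly written plugins. Any path that `changed_files` reports after the update that you did not change yourself is the next file to investigate.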