Here are the basic steps you can take to clean your account and restore security in order to stop this from happening again:
The most commonly used method that we see used to compromise a hosting account is vulnerabilities in scripts, on the account. This is especially true with popular scripts such as Wordpress, Drupal, and/or most other popular shopping cart scripts or other Content Management Systems.
First, ensure that all scripts are updated to and running the latest version. Popular scripts are especially notorious for being hacked since so many sites use them. Old versions of scripts will sometimes have security vulnerabilities that have been patched by a new release. Remember: this includes any addons, plugins, or modules for a script!
Be sure that everything is running the latest version and is secure. Always research before installing any 3rd party addon or module! If someone else has had a problem with what you are looking for, they will usually post about it online.
The second most common method we see to compromise an account is the use of malicious files on the computers that have access to the account. Many types of virus/malware/adware will look for hosting accounts and passwords to send to attackers.
The second step is to scan all computers that you use to access to your hosting account (cPanel, FTP, and E-Mail) for malware and viruses!
After a full virus scan, I would highly recommend scanning again with the free version of Malwarebytes Anti-Malware which is a great application for cleaning malware and adware.
Third, after your computer is virus/malware free and your scripts are up to date, be sure to check EVERY FILE THAT YOU ARE HOSTING! This may be tedious, but if the attacker has left a vulnerable file on your account, they can use it to gain access to your account in the future even after you change your passwords.
Be sure that all the files on your account have the correct permissions, and make sure that you are not giving too much permission that might pose security vulnerabilities.
You can set permissions using FTP or in cPanel > File Manager. 777 or “full permissions” should NEVER be used for files and/or directories, even when specified by installation instructions. Anytime that it is instructed to set the permissions to 777, 755 should be used instead. Directories should be set to 755 permissions. PHP files should be set to 644 permissions or you can use the lowest permission that allows the script to work.
Any files that contain MySQL database or other login details, or configuration files should be set to 400 permissions so they are only readable by the account owner.
CHANGE YOUR PASSWORDS
CHANGE ALL YOUR ACCOUNT PASSWORDS TO HIGHLY SECURE PASSWORDS to cut off attacker access. You should change your main account (cPanel) password, all CMS admin passwords (i.e. WordPress), all email account passwords, and all custom FTP account passwords. We also recommend updating your database passwords.
Without changing ALL those listed, the attacker may still have partial access to the account, which could allow them to get in enough to check for other vulnerabilities, or gather personal information until they can gain full access again.
A large number of exploits we see are due to the use of weak passwords and are easily preventable. Passwords should never be based on common or "dictionary" words as these are easily guessed or cracked by such means as a brute force attack. Also, be extremely careful with whom you trust your password to! Be sure that anyone who has access to your account also knows to use secure scripts, and has a malware and virus free computer. cPanel has an excellent password generator, or you can use generators like the one found here to create a highly secure password: https://secure.pctools.com/guides/password/
You should change your account passwords AFTER securing your computer, account files, and scripts! This is because if a vulnerability remains in one of these places, it can be exploited and will simply continue to use your account and possibly get your new password.
CAN YOU SCAN MY ACCOUNT FOR HACKED/MALICIOUS FILES?
Technical Support can run a basic scan that can help them analyze and identify hacked/compromised/malicious files on your account.
Please be aware that, depending on the size of your account, this process can take 12+ hours to complete.
Click Here to submit a ticket to Technical Support.
Compromised WordPress Resources
Compromised Joomla Resources
Google's Cleaning Your Site Guide:
Removing Malware From Your Site:
StopBadware's Information for Website Owners: