What can be done if a cPanel account is compromised?

Question

What can be done if a cPanel account is compromised?

Answer

The best course of action to recover from a compromised account is to restore from a backup, change all passwords on the account, revoke any ssh keys, and enable Two Factor authentication. You can read more about how to do these tasks here:

Restoration:

Restore an account from a backup file on the server

How can I restore my backups from a remote destination?

Passwords

How to reset a cPanel user's password

How to reset your email password through the cPanel interface

How to reset an FTP user password

How to reset a database user password

Two Factor Auth:

How to enable Two Factor Authentication for cPanel users

Revoke SSH Keys:

How to manage a public key in the cPanel interface

If you would like to find information about how the account was compromised or what kind of malware might be on an account, you must reach out to a security specialist that has the skills, training, and expertise required to perform an investigation.

If you would like to take steps to help mitigate this kind of issue in the future, you may be interested in reviewing the following resources:

How to backup to a remote location