What can be done if a cPanel account is compromised?
The best course of action to recover from a compromised account is to restore from a backup, change all passwords on the account, revoke any ssh keys, and enable Two Factor authentication. You can read more about how to do these tasks below:
Cleaning the Infection
Fixing the Security Hole
In the following sections, we provide information about how to restore the account, reset passwords, etc.
While those are critical steps, they alone may not fully resolve the issue. If the account was originally compromised due to a security flaw in the website or script on the account, then restoring the account to a point from before the compromise occurred will only remove the previous compromise.
It will not resolve the security flaw in the website or script that allowed the account to become compromised in the first place. Special care should be taken to identify and resolve any security flaws in the website or scripts on the account once it has been restored. This process would be a part of the "Security Analysis" section below but is being highlighted here due to its importance.
Two Factor Auth
Revoke SSH Keys
If you would like to find information about how the account was compromised, what security flaw allowed the compromise to occur, or what kind of malware might be on an account, you must reach out to a security specialist that has the skills, training, and expertise required to perform an investigation.
One of the best ways to mitigate account-level compromises in the future is to ensure that you have an excellent backup policy with remote backups. You can learn how to backup to a remote destination here
You may also consider purchasing an Imunify360 license which would allow for you to clean malware from infected sites. More details can be found here: