What can be done if a cPanel account is compromised?

Question

What can be done if a cPanel account is compromised?

Answer

The best course of action to recover from a compromised account is to restore from a backup, change all passwords on the account, revoke any ssh keys, and enable Two Factor authentication. You can read more about how to do these tasks below:

Cleaning the Infection

• Is it possible to clean malware from a hacked website?

Fixing the Security Hole

In the following sections, we provide information about how to restore the account, reset passwords, etc.
While those are critical steps, they alone may not fully resolve the issue. If the account was originally compromised due to a security flaw in the website or script on the account, then restoring the account to a point from before the compromise occurred will only remove the previous compromise.

It will not resolve the security flaw in the website or script that allowed the account to become compromised in the first place. Special care should be taken to identify and resolve any security flaws in the website or scripts on the account once it has been restored. This process would be a part of the "Security Analysis" section below but is being highlighted here due to its importance.

Restoration

• Restore an account from a backup file on the server
• How can I restore my backups from a remote destination?

Passwords

• How to reset a cPanel user's password
• How to reset your email password through the cPanel interface
• How to reset an FTP user password
• How to reset a database user password

Two Factor Auth

• How to enable Two Factor Authentication for cPanel users

Revoke SSH Keys

• How to manage a public key in the cPanel interface

Security Analysis

If you would like to find information about how the account was compromised, what security flaw allowed the compromise to occur, or what kind of malware might be on an account, you must reach out to a security specialist that has the skills, training, and expertise required to perform an investigation.

Future Mitigation

One of the best ways to mitigate account-level compromises in the future is to ensure that you have an excellent backup policy with remote backups. You can learn how to backup to a remote destination here

• How to backup to a remote location

You may also consider purchasing an Imunify360 license which would allow for you to clean malware from infected sites. More details can be found here:

• Is it possible to clean malware from a hacked website?