If your website has been hacked and malicious content has been inserted into your files, you should clean them as soon as possible to prevent further damage to your hosting account.
Let’s say that the following code has been inserted into some of your files:
<?php eval(base64_decode('malicious_code')); ?>
You have to search in all of your files for this string. You can search in your files using a local website building application such as Dreamweaver.
First you should download all files to your local PC using an FTP client.
Once you do this, you should use the search option in Dreamweaver and search for the malicious code. Delete it from the files and the issue will be resolved.
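The same search-and-delete step can be scripted against the local copy you downloaded over FTP. The following is an added example, not part of the original article: it finds the exact injected tag shown above, reports the file and line, and strips it while keeping a backup. The extension list, the `.infected` backup suffix and the sample files are assumptions made for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# The injected tag from the article, tolerating whitespace and either quote style.
INJECTED = re.compile(
    rb"<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*(['\"])[^'\"]*\1\s*\)\s*\)\s*;?\s*\?>",
    re.IGNORECASE,
)
SCAN_EXT = {".php", ".phtml", ".inc", ".html", ".htm", ".js"}  # assumed list; adjust


def scan(root):
    """Return {path: [line numbers]} for every file containing the injected tag."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXT:
            data = path.read_bytes()
            lines = [data.count(b"\n", 0, m.start()) + 1 for m in INJECTED.finditer(data)]
            if lines:
                hits[path] = lines
    return hits


def clean(path):
    """Strip the injected tag from one file, keeping the original as <name>.infected."""
    data = Path(path).read_bytes()
    cleaned, count = INJECTED.subn(b"", data)
    if count:
        shutil.copy2(path, str(path) + ".infected")  # rollback copy; do not upload it
        Path(path).write_bytes(cleaned)
    return count


def demo():
    """Run against a constructed sample tree (placeholder payload, not real malware)."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_bytes(
        b"<?php eval(base64_decode('cGxhY2Vob2xkZXI=')); ?>\n<?php echo 'home'; ?>\n")
    (root / "about.php").write_bytes(b"<?php echo 'about'; ?>\n")
    found = scan(root)
    removed = sum(clean(p) for p in found)
    return {p.name: n for p, n in found.items()}, removed, (root / "index.php").read_bytes()


if __name__ == "__main__":
    print(demo())
```

This only matches the one literal pattern discussed here; review the reported files by hand before re-uploading them.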
When the malicious code has been removed, you should upgrade all applications on your hosting account to their latest stable versions.
To ensure you are the only one who has access to your account, you should also:
1. Update your antivirus software to the latest version.
2. Run a complete antivirus scan on your local computer including all hard drives.
3. Ensure your operating system (Windows, Linux or MacOS) is up-to-date and all security patches are applied.
4. Ensure your Internet connection is secure. If you are using a wireless connection, the only secure encryption is WPA2. For more information contact your router vendor or ISP.
5. Change your cPanel password.
6. Change the passwords for your web applications' backends.
7. Check our basic security guidelines and implement as many of the suggested solutions as possible.
Basic security guidelines for the shared hosting server
- Make sure your local computer is safe. For this purpose use reliable updated antivirus software such as:
- Norton Internet Security, offering Antivirus, Antispyware, Two-way firewall, Antiphishing, etc.
- or Kaspersky Internet Security, offering integrated protection from all Internet threats, such as Parental Control, a personal firewall, an anti-spam filter, Privacy Control and more.
- Check whether all of your web applications are up-to-date. This includes any modules, components and addons you have added and / or integrated;
- Pick strong passwords for the main cPanel account, MySQL, FTP and mail users. Never use the same password for different users. For example, a MySQL user should not have the same password as your cPanel user or an FTP user. It is essential that your cPanel user’s password is not stored in any file on your account;
- Avoid having directories with permissions above 755. If your applications require such directories, try to put them outside your webroot (public_html) or place a .htaccess file in them containing “deny from all” to restrict public access to these files.
- Use only secure / encrypted connections when logging in to cPanel (https://yourdomain.com/cpanel).
- Tweak your local PHP settings for better security. This can be done by disabling unnecessary functions and options. Here are some sample recommended directives:
allow_url_fopen=off
disable_functions = proc_open, popen, disk_free_space, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru
Note that the above directives can cripple your code’s functionality. They have to be pasted in a php.ini file in each directory you’d like to have them applied.
- Deny perl and other bots from accessing your site. This can be easily done with the following rules in your .htaccess:
SetEnvIfNoCase User-Agent libwww-perl bad_bots
order deny,allow
deny from env=bad_bots
- If you are not using Perl scripts, add a bogus handler for these files. In your home directory create a .htaccess file with the following content:
##Deny access to all CGI, Perl, Python and text files
<FilesMatch "\.(cgi|pl|py|txt)$">
Deny from all
</FilesMatch>
##If you are using a robots.txt file, please remove the
# sign from the following 3 lines to allow access only to the robots.txt file:
#<FilesMatch robots.txt>
#Allow from all
#</FilesMatch>
The above will prevent Perl scripts from being executed. Many exploits / backdoors are written in Perl and the above will prevent them from running. This directive will apply to all your subdirectories.
IMPORTANT: Once your account has been compromised, it is very likely that the intruder will leave a backdoor to easily gain access later. That’s why only fixing your vulnerable code might not be enough. Finding the backdoors will be time-consuming and expensive (requiring a professional developer). That’s why you might prefer to rebuild your site from scratch.