How to Recover from a Website Hack (And Prevent Another One)

Knowledgebase Article

How to Recover from a Website Hack (And Prevent Another One)

Step One: Breathe

Okay, deep breaths. This isn’t fun, we know. But it’s also not the apocalypse—you’ll survive this.

At Kualo, we’ve built an absurdly strong, multi-layered security system to keep your site safe. We’re talking firewalls so sharp they make split-second calls on threats, malware scanners that never sleep, real-time exploit blocking, and automated patching that shuts down thousands of vulnerabilities every day. We enforce strong passwords, flag risky plugins, and stop millions of attacks before they even get close.

But security isn’t just about having the biggest, baddest defences. It’s about making sure there aren’t any tiny, overlooked gaps.

And this is where the real truth about security kicks in: it’s a shared effort.

We handle the heavy lifting—fighting off attackers, keeping our servers secure, giving you all the tools to stay protected.

But no matter how strong the castle walls are, if someone inside opens a window, a hacker has an opportunity to slip in.

The Important Thing? You Can Fix This.

Right now, your site is hacked, but it doesn’t mean it’s gone forever. Most hacks can be recovered from quickly with the right steps—and that’s exactly what we’re going to help you do.

This guide will:

✔ Help you understand what happened.
✔ Walk you through how to recover your site.
✔ Show you how to prevent it from happening again (and how our tools can help).

Navigation

🤔 How Did This Happen?

At this point, you might be thinking:

"Wait a second—if we have all these security measures in place, how is a hack even possible?"

The short answer? It almost certainly wasn’t a failure in our server-side security.

The vast majority of website breaches happen because of something inside the account itself. A password leaked in a data breach, an outdated plugin containing a vulnerability, a phishing email that tricked someone into handing over login details—these are the most common entry points for hackers.

It’s like defending a castle from thousands of incoming arrows. We might block thousands of them, but if just one gets through—because a door was left open (a vulnerability) or a guard was tricked into letting someone in (a stolen password)—that’s all it takes.

We can stop brute-force attacks, botnets, and defend against many known exploits. But we can’t patch a password that’s already exposed or a plugin that hasn’t been updated in three years and just happens to have a gaping security hole.

That’s why keeping your passwords secure, your software updated, and 2FA enabled is absolutely critical. Without those, even the best security systems can only do so much.

Now, let’s break down the most common ways hackers actually get in—and how you can stop them.

1. Compromised Credentials 🔑

Using weak or reused passwords.
Storing passwords in emails or unsecured documents.
Password theft due to malware on your device.

Our systems enforce strong password policies—both cPanel and MyKualo require secure passwords, and for WordPress and some CMS platforms, we detect and block weak or compromised passwords before login and block attempts to brute force (when attackers simply try lots of different passwords).

But here's the thing: the most common way credentials get compromised isn’t because someone guessed your password—it’s because they already have it. Maybe it was leaked in a data breach, maybe a phishing email tricked you into handing it over, or maybe malware on your device silently stole it.

To stay ahead, always use unique passwords for each service (a password manager helps), enable Two-Factor Authentication (2FA), and never enter your credentials into a website you didn’t explicitly navigate to.

If you’re ever unsure, you can check if your email or password has been part of a data breach using services like Have I Been Pwned.

2. Unpatched Software & Plugins 🛠️

Running outdated WordPress, Joomla, or CMS platforms.
Vulnerable plugins or themes that haven’t been updated.
Plugins that are abandoned (no longer receive updates) but are still installed.

A vulnerability is like a crack in your site's armour—hackers are constantly looking for these cracks and finding ways to sneak in. The vast majority of website hacks happen because of known vulnerabilities in outdated software. That’s why keeping your software updated is one of the most critical steps in website security.

At Kualo, we tackle this head-on with Patchman, which automatically detects and patches vulnerabilities in common CMS applications like WordPress, Joomla, and Drupal. These patches are backported, meaning you get essential security fixes without needing to jump to a major software version that could break your site. WP Toolkit helps automate updates using Smart Updates, so you can test updates safely before applying them.

But not everything can be patched automatically. Some plugins and themes may be abandoned by their developers, leaving security flaws exposed. The good news for WordPress users? WP Toolkit scans WordPress installations for vulnerabilities, even in seemingly "up-to-date" plugins that are no longer maintained. Additionally, Softaculous detects outdated applications across different CMSs and provides easy upgrade options to keep your website secure.

The bottom line? Security starts with vulnerability-free software. While our defences work tirelessly to protect you, no security system is invincible if the code itself is inherently vulnerable. Staying on top of updates and security patches is a must for long-term protection.

3. Backdoors & Persistent Malware 👾

Hackers may create unauthorised WordPress admin users.
Malicious cron jobs and scripts can reinfect your site even after cleanup.
Database injections can add hidden admin accounts or malicious redirects.

Once a hacker gets inside a system, they rarely just walk away—they leave behind secret tunnels, hidden keys, and open windows so they can waltz back in anytime they want. This means that even if you clean up the obvious mess, a backdoor could still be lurking, waiting to reinfect your site at the first opportunity.

Cleaning up visible malware isn’t enough—you need to hunt down and eliminate any backdoors. Hackers commonly add unauthorised admin users, create malicious cron jobs, or hide scripts deep in your site files to keep their access alive. Regularly auditing admin users, checking cron jobs, and running WP Toolkit’s integrity checker can help you spot and remove these hidden threats.

If you're ever unsure, restoring your site to a clean state from before the compromise is a surefire way to remove hidden threats—but make sure you fix the original vulnerability first. Otherwise, you’re just rolling out a welcome mat for the attacker to come right back in.

4. Compromised Email Account ⚠️

If an attacker accesses your email, they can reset your hosting or CMS password.
Check for suspicious email forwarding rules.

Your email account is a treasure trove of sensitive information—password resets, account verification links, and communication history all live there. If an attacker gains access, they can not only reset your hosting or CMS password but also use your email to infiltrate other services. Never store passwords in plain text emails, as compromised email accounts are a leading cause of security breaches.

To protect yourself, enable Two-Factor Authentication (2FA) on all your accounts—including MyKualo and cPanel—to add an extra layer of security. Additionally, regularly check for unauthorised email forwarders in cPanel to ensure no one is secretly redirecting your emails to an attacker’s address. If your email has been compromised, assume all linked accounts could also be at risk and change passwords immediately.

⚡Immediate Action: What to Do Right Now

Alright, so now we know how hackers sneak in—bad passwords, outdated plugins, backdoors, the usual horror show. But knowing how they got in doesn’t fix the fact that they’re currently inside your house, probably eating your digital snacks and rearranging your furniture.

So, what do you do now? Here's your action plan to kick them out and change the locks. 🚀🔒

✅ Step 1: Scan Your Local Computer for Malware

If your device is infected, changing passwords won’t help.
Run a full scan with antivirus software.

Hackers often use keyloggers and other stealthy malware to steal your credentials the moment you type them in, so even the strongest password won’t help if your device is already compromised. Before changing any passwords, make sure your computer is clean by running a full malware scan with a reputable security tool. For added security, consider using an anti-malware scanner alongside your antivirus to detect more advanced threats.

Whether you’re using Windows, macOS, or Linux, you should always have a trusted antivirus program installed and running scans regularly. Many people believe that Macs can’t get viruses, but that’s a myth—malware exists for all operating systems.

✅ Step 2: Change All Passwords

Update passwords for cPanel, FTP, database, CMS (e.g., WordPress, Joomla, Magento), and email accounts.
Use strong, unique passwords everywhere—no repeats, no easy guesses.
Never store passwords in plain text (emails, notes, or sticky notes don’t count as secure storage).
Enable 2FA wherever possible.

Passwords are the foundation of your online security, and attackers thrive on weak, reused, or leaked credentials. If just one of your passwords is compromised, hackers will try it everywhere—your hosting, email, database, even your social accounts.

Which Passwords Should You Change?

Most people remember to update their CMS login (e.g., WordPress) but forget all the other access points that a hacker could still use.

Here’s what to check:

1️⃣ cPanel / Hosting Control Panel

Your cPanel password is critical because it controls everything—file access, databases, email accounts, cron jobs, and more. If an attacker had access, they could have planted backdoors or changed settings without you realising. Change this first and also set up 2FA.

2️⃣ FTP Accounts

If you (or a developer) use FTP to upload files, update those credentials. A compromised FTP account can allow attackers to modify your site without needing CMS access. Check for any unknown FTP accounts in cPanel > FTP Accounts and consider resetting all passwords.

3️⃣ Database Passwords (Often Overlooked!)

Your website’s database contains all of your content, user accounts, and critical site data. If an attacker gained access, they could still manipulate your site even after you clean up everything else.

For WordPress:

Open wp-config.php in File Manager (cPanel) or via FTP.
Find the line starting with define( 'DB_PASSWORD', 'yourpassword' );.
Generate a new strong password and replace it here.
Update the database user password in cPanel > MySQL Databases to match the new one.

For Joomla, Magento, or other CMSs, look for a configuration file (configuration.php, env.php, or settings.php) where database credentials are stored and update accordingly.

4️⃣ CMS (WordPress, Joomla, Magento, etc.) Admin Passwords

Your CMS is usually the first thing a hacker targets because it’s the easiest way to gain control. Reset all admin-level passwords and review user accounts for suspicious new admins (attackers often create backdoor users).

For WordPress:

Go to Users > All Users and remove any unknown admins.

5️⃣ Email Accounts

If a hacker had access to your email, they could have forwarded messages, stolen login details, or used it to reset passwords elsewhere.

Change all email passwords in cPanel > Email Accounts, particularly if you suspect the hacker has gained access to your hosting account as a whole.

6️⃣ Third-Party Services (Domain Registrars, Payment Providers, CRMs, etc.)

If you use external services like domain registrars, payment processors, or CRMs, reset those passwords too. A compromised registrar account could allow an attacker to transfer your domain away—which is a nightmare scenario.

How to Keep Your Passwords Secure Going Forward

Use a password manager (Bitwarden, 1Password, LastPass, etc.) to generate and store unique passwords.
Never reuse passwords across multiple services—if one gets leaked, hackers will try it everywhere.
Enable Two-Factor Authentication (2FA) wherever possible, especially for email, cPanel, and CMS logins.
Regularly audit your admin and FTP accounts to remove old or unused access.

Changing passwords isn’t just a one-time fix—it’s a habit.

Get into the routine of updating and securing your logins, and you’ll make life a lot harder for hackers. 🚀

✅ Step 3: Restore a Clean Backup (If Needed)

Restoring from a backup can be the fastest way to recover from a hack, but it’s important to determine whether this is the right approach before proceeding.

🔹 When a backup is the best option:

The attack happened recently, and you have a known clean backup from before the compromise.
Your site hasn’t changed significantly since the last backup—this is especially important for eCommerce stores, forums, or membership sites where restoring could overwrite orders, user signups, or content updates.
You’d rather restore than manually clean files (as long as the original vulnerability is fixed afterwards).

🔹 When you should be cautious about restoring:

The hack may have been present for a while, meaning older backups could still contain the compromise.
You’ve made significant content updates, transactions, or changes that would be lost if you roll back.
You’re unsure when the hack occurred and need to investigate further before restoring.

How to Decide

1️⃣ Check File Modification Timestamps

In cPanel > File Manager, sort files by Last Modified to identify when changes were made.
If many files were altered around the same time, that could be the moment of compromise.

2️⃣ Review Access & Malware Logs

If you have Imunify360 in cPanel, check its logs for malware detections and timestamps.
Look at cPanel access logs to see if any unknown logins occurred.

3️⃣ Determine the Best Restore Option

If you only need to roll back files, you can restore just the site files while keeping the database intact.
If you need to restore the database, check if you have a database snapshot that doesn’t overwrite critical data.
If unsure, our team can help you determine the best approach.

If you do restore from a backup, you must still complete the following steps to ensure the security hole is patched, or the hacker could gain access again.

If you’re unsure about pinpointing when the hack occurred, we may be able to help you analyse this, feel free to open a ticket so we can discuss the best approach.

✅ Step 4: Review & Remove Suspicious Admin Users

Check for unauthorised admin users in your CMS (e.g., WordPress, Joomla, Magento, or other platforms).
Remove any unknown accounts with elevated privileges.
If locked out, access the database via phpMyAdmin or a similar tool to check and remove rogue users (we can help you regain access if needed).

One of the first things attackers do after breaching a website is create a backdoor—often in the form of a hidden admin account. This allows them to return even after you’ve cleaned up other traces of the attack. Whether you’re using WordPress, Joomla, Magento, or another CMS, it’s crucial to regularly audit your user accounts. If you spot an unfamiliar admin user, delete them immediately.

If you’re locked out of your CMS, the attacker may have changed credentials to maintain access. Access can usually be gained via Softaculous or WP Toolkit, or we can help you re-gain access via other means.

✅ Step 5: Scan & Remove Malicious Code

Use Imunify360 in cPanel to scan for and remove malware automatically.
Manually check for unknown or suspicious files in public_html and other critical directories.

If your website has been compromised, scanning for malicious code is non-negotiable—because once hackers get in, they rarely just pack up and leave. Imunify360 is constantly on guard, automatically scanning and removing threats, but here’s the thing: no malware scanner is 100% foolproof. That’s why a manual check is still worth your time.

Take a deep dive into your website files using cPanel’s File Manager—sort files by last modified date, check for anything suspicious, and actually open unexpected files with the file editor to see what’s inside. If a file named wp-config-extra.php suddenly appeared last Tuesday at 2:13 AM and you don’t remember putting it there, it might not be your friend.

Imunify360 is included with all of our shared hosting plans, but if you’re running your own server, you may have ImunifyAV, which doesn’t offer real-time scanning—so running a full manual scan is essential. If you don’t have Imunify360, now might be the time to upgrade and let automation do the heavy lifting.

For WordPress users, another essential step is verifying the integrity of core files using WP Toolkit. This tool can tell you if any system files have been tampered with and restore them with a click. But if something still feels off, a manual sweep of your public_html folder is always a good idea. Look for strange filenames, unexpected scripts, or anything lurking in your directories that shouldn’t be there—because once a hacker has left a backdoor, they’re probably planning to waltz back in.

✅ Step 6: Review Cron Jobs in cPanel

Go to cPanel > Cron Jobs and look for anything suspicious.

Cron jobs are your website’s to-do list—automated tasks that run at scheduled intervals. Normally, they’re used for useful things like clearing cache, running backups, or sending emails. But if a hacker gets in, they can weaponise cron jobs to keep their attack running indefinitely.

Here’s the scary part: a malicious cron job can remotely download and execute malware without even writing a file to your server. That means even if you wipe your site clean, the infection could come right back like a bad sequel. Proactive Defence in Imunify360 helps in these cases by blocking suspicious PHP executions in real-time, but it's best to be certain by removing anything that shouldn’t be there.

So, take a close look at your cron jobs in cPanel. If you see a command you don’t recognise—especially anything fetching files from a remote server (wget, curl, or anything pointing to an unfamiliar URL)—that’s a huge red flag. If you’re unsure, disable it immediately and investigate further or reach out to us. Your site shouldn’t be running mystery tasks in the background.

✅ Step 7: Update Everything

Update all your software (core, plugins, themes, and PHP version if compatible).
If you’re using WordPress, use WP Toolkit’s vulnerability scanner to detect risky plugins.

Software updates might not be the most thrilling part of website management, but they’re absolutely essential—because if you’re running outdated code, you’re basically leaving your digital front door unlocked with a flashing neon sign that says “WELCOME HACKERS”. The majority of website compromises happen not because of some genius hacker working their way in, but because of unpatched vulnerabilities that attackers already know how to exploit.

For WordPress users, start by checking WP Toolkit’s vulnerability scanner—this will flag plugins and themes with known security issues. Prioritise updating anything marked as vulnerable first. If you find some software that’s vulnerable, but has no update, it may no longer be maintained by the plugin/theme developer, and you may need to find a secure alternative.

Now, let’s talk PHP versions—this is where things get tricky. Updating PHP is important for performance and security, but we know some websites rely on older versions for compatibility.

The good news? We run hardened PHP, meaning even if you're on an older PHP version, it’s still protected from many vulnerabilities, even if its no longer a maintained release. However, that doesn’t mean your software itself is safe—outdated code can still be a security risk. If you need an old PHP version to keep your site running, it’s probably time to update your website’s code as well.

If you’re worried about updates breaking things, WP Toolkit’s Smart Updates lets you test updates in a safe environment first before applying them live. They can also be set to run automatically. If you’re not using WordPress, you can clone your site or use staging sites in Softaculous to test major updates before making changes to your main site. Either way, keeping everything up to date is one of the simplest and most effective ways to keep your website secure.

✅ Step 8: Check Email Forwarding & Filters

In cPanel > Email Filters, remove any unauthorised forwarding rules.

Your email account can often be the master key to everything. If an attacker gains access to your email, they can reset passwords, take over accounts, and generally make your life miserable. And they don’t even need full access—they just need to quietly forward your emails somewhere else.

A sneaky trick hackers love is setting up email forwarding rules that send copies of incoming emails (like password reset links) to their own inbox, letting them watch and wait for an opportunity to strike. Since this doesn’t require full email access, you might not even notice it’s happening.

To check for this, go to cPanel > Email Filters, and look for any forwarding rules you don’t remember setting up. If you see an unfamiliar rule—especially one forwarding to an unknown external email address—delete it immediately. Even if nothing looks suspicious, it’s a good habit to review these settings regularly. Because in a security breach, knowing is half the battle.

✅ Step 9: Review File & Folder Permissions

Files should be 644, folders 755.
Do not set files to 777 (full permissions).

Think of file permissions like the security settings on your house. 644 means only the owner can modify a file, while 755 means folders can be read and accessed but not changed by just anyone. 777? That’s like leaving your front door wide open and taping a spare key to the mailbox.

Hackers love overly permissive file settings because it lets them upload malicious scripts, modify existing files, or even wipe your site entirely. Some older guides or plugins might suggest setting files to 777 to "fix" permission issues—don’t do it. Instead, review your file and folder permissions in cPanel > File Manager or via SSH to ensure everything is locked down properly.

For WordPress users, WP Toolkit’s Security Measures can help automatically fix incorrect file permissions and apply other security hardening measures to keep your site safe.

🏰 Final Thoughts: Keeping Your Site Lockdown-Level Secure

Recovering from a hack isn’t fun, but the good news is you can prevent it from happening again—and it’s easier than you think.

If you take away just three things from this guide, make it these:

✅ Keep everything updated—your CMS, plugins, themes, and PHP (where possible).
✅ Use strong, unique passwords for every site—reusing passwords is like using the same key for your house, car, and office. If one gets stolen, everything is at risk.
✅ Enable 2FA—this shuts down most password based attacks before they even start.

With these in place—plus our firewall protection, malware scanning, and proactive security layers—you’re about as hacker-proof as it gets. Could someone still break in? Sure, sadly, there are never any guarantees, but hackers look for low-hanging fruit, and your site won’t be it.

Another big thing? How your hosting is structured matters. If you’ve got multiple sites inside one cPanel account using addon domains, a breach in one can infect the others like a bad cold. Keeping applications separate, updated, and isolated makes life much harder for hackers.

Not sure if your setup is secure? Check out our Addon Domains: When They’re a Bad (or Good) Idea guide.

And if something still seems off?

We’ve got your back. If you ever suspect a security issue, need help investigating weird activity, or want a second set of eyes before making changes, our team is here to support you.

Security isn’t about being invincible—it’s about making your site so annoying to hack that attackers give up and move on.

Do the basics, use the tools we provide, and your site will be one of the hardest targets around. 🚀