My Account was Hacked!

HostGator takes security very seriously. Please read the sections below for help with a compromised site.


Steps for Hacked or Compromised Sites

If your site is hacked or compromised, please follow these steps:

  1. Submit a ticket.

    If you are the victim of a hacker, immediately submit a ticket to report this issue to our Security department. Our administrators will investigate as quickly as possible, both to correct the current issue and to help make sure it does not occur again. If you cannot submit a ticket yourself, please contact us for assistance with this step.

  2. Do not make any changes to the affected site.

    In the meantime, it is vital that you avoid logging in or making any changes to your account. This lets the necessary time stamps and other forensic data stay in place, which helps your investigation proceed as smoothly as possible.

  3. Watch for updates from our Security admins.

    Our Security team will notify you via email once the investigation has been completed, or to request additional information if required.

    Note: Only Security Administrators can help you with compromised or hacked sites, and the Security agents working your issue will contact you directly through your ticket. For updates, please submit a Security ticket or reply to your existing ticket by email.

Free Account Scan

HostGator offers one complimentary account scanning/cleaning per six-month period when you open a Security ticket, per the following schedule:

Shared: Customers may request one free cleaning per account every six months.

Reseller: Customers may request one free cleaning for each resold and reseller account every six months.

VPS/Dedicated Server: Customers may request one free cleaning for each account on the server every six months AND may request one full server scan every six months.

If this service is required more than once within a six-month period, there will be a premium involved. Alternatively, you may use a third-party cleaning service such as SiteLock.


What to Look For in a Hacked Account

In all cases, we recommend resolving your issue through a professional service, whether that is our Security department or SiteLock. However, if these options are not available, you may wish to consider removing files or directories which have been recently added and which you do not recognize as part of your site. Things to look for include:

  • Strangely named files or directories (e.g., xf8c3l.php or /home/username/public_html/wellsfargo).
  • PHP files located in image folders.
  • Base64-encoded or otherwise obfuscated injections inside site files, which can be removed using a file editor.

Again, please do not make changes to your account if it is currently under investigation.
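For the case above where no professional service is available, the following read-only script lists files that match the signs in this section so they can be reviewed by hand. It is an added example, not a HostGator tool; the folder names in IMAGE_DIRS, the file extensions, the 14-day window and the 200-character threshold are assumptions to adjust for your site.

```python
import os
import re
import time

# Assumed names for folders that should contain only images or uploads.
IMAGE_DIRS = {"images", "img", "uploads", "media"}
PHP_EXT = (".php", ".phtml", ".php5", ".phar")
TEXT_EXT = PHP_EXT + (".js", ".html", ".htaccess")
# A base64_decode( call, or an unbroken Base64 literal of 200+ characters.
ENCODED = re.compile(rb"base64_decode\s*\(|[A-Za-z0-9+/]{200,}={0,2}")


def scan(root, days=14, now=None):
    """Return {relative_path: [reasons]} for files worth a manual review.

    Read-only: files are opened for reading; nothing is edited or deleted.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        parts = {p.lower() for p in os.path.relpath(dirpath, root).split(os.sep)}
        for name in files:
            path = os.path.join(dirpath, name)
            lower, reasons = name.lower(), []
            try:
                if os.path.islink(path):
                    continue  # do not follow links out of the site tree
                st = os.stat(path)
                if lower.endswith(PHP_EXT) and parts & IMAGE_DIRS:
                    reasons.append("php-in-image-folder")
                # mtime can be back-dated with touch; ctime cannot, so use both.
                if max(st.st_mtime, st.st_ctime) >= cutoff:
                    reasons.append("recently-changed")
                if lower.endswith(TEXT_EXT):
                    with open(path, "rb") as fh:
                        if ENCODED.search(fh.read(1_000_000)):
                            reasons.append("encoded-content")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, why in sorted(scan(target).items()):
        print(f"{rel}\t{','.join(why)}")
```

The output is a review list, not a verdict: legitimate plugins also call base64_decode, and a strangely named file still needs a human to judge it. Reading files can update their access times, so do not run it while a Security ticket is open.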

Google Attack Page

If Google's "Reported Attack Site!" page is seen, please refer to the following article for details on how to clean the site and remove the warning: