My Account was Hacked!

HostGator takes security very seriously. Please read the sections below for help with a compromised site.

Steps for Hacked or Compromised Sites

If your site is hacked or compromised, please follow these steps:

  1. Submit a ticket.

    If you are the victim of a hacker, immediately submit a ticket to report this issue to our Security department. Our administrators will investigate as quickly as possible, both to correct the current issue and to help make sure it does not occur again. If you cannot submit a ticket yourself, please contact us for assistance with this step.

  2. Do not make any changes to the affected site.

    In the meantime, it is vital that you avoid logging in or making any changes to your account. This lets the necessary time stamps and other forensic data stay in place, which helps your investigation proceed as smoothly as possible.

  3. Watch for updates from our Security admins.

    Our Security team will notify you via email once the investigation has been completed, or to request additional information if required.

    Note: Only Security Administrators can help you with compromised or hacked sites, and you will be directly contacted via your ticket by the Security agents working your issue. Please submit or reply in your email to your Security ticket for updates.

Free Account Scan

HostGator offers complimentary automated account cleanings when you open a Security ticket for Shared and Reseller accounts with less than 20GB of disk space and below 100k inodes. If you find that something is missed we'll be happy to remove it manually for you.

Note: Cleanings do not include root cause analysis or preventative action, though we will provide you with guidance on basic security precautions. It is the customers responsibility to secure and update their software.
Note: This complimentary service is not available for Dedicated servers, VPS accounts, or Shared and Reseller accounts using more than 20GB or 100k inodes of disk space.

For Shared and Reseller accounts above 20GB or 100k inodes of disk space, customers with Dedicated servers or VPS accounts, or customers wanting a more detailed investigation, we can perform this work manually for a fee.

These cleanings will be quoted for the manual investigation by our Security administrators. Manual investigations will include a full cleaning of the account as well as information regarding the source of account exploitation, provided logs are available and content has not been modified in a way that will interfere with the forensics of the investigation.

Alternatively, you may use a third party cleaning service such as SiteLock for round-the-clock protection of your website.

What to Look For in a Hacked Account

In all cases, we recommend resolution of your issue through some sort of professional service, whether this is done by our Security department or through SiteLock. However, if these options are not available, you may wish to consider removing files or directories which have been recently added and which you do not recognize as part of your site. Things to look for include:

  • Strangely named files or directories (i.e: xf8c3l.php or /home/username/public_html/wellsfargo).
  • PHP files located in image folders.
  • Base64 or other encrypted injections inside of site files which can be removed using file editors.

Again, please do not make changes to your account if it is currently under investigation.

Google Attack Page

If Google's "Reported Attack Site!" page is seen, please refer to the following article for details on how to clean the site and remove the warning: