Options for Hacked or Compromised Sites
Finding out that your account has been compromised by malicious activity can be incredibly stressful. By the time you find out, the compromise may already have had extremely adverse effects including, but not limited to: email blacklisting, Google attack warning pages blocking your content, or even suspension of your account.
At this time, HostGator does not offer any direct services to assist with malware removal for websites that have been compromised. If your account has been compromised, the following options are available to you:
- Malware Cleaning Services: Attempting to have your site repaired/cleaned is a potential option. We recommend SiteLock's anti-malware services; however, their basic plan would not be sufficient for a site that is already infected. Be aware that you would need services that include active repair/recovery for an account that is already compromised.
- Restore Your Site: If you have a backup made prior to the compromise of your site, you may restore your site from that backup. HostGator makes weekly backups of eligible accounts, which may be used for a fee. Be aware that a backup made after the site was hacked will still contain the hacked code. A backup made before the hack may still have the same vulnerability, which would allow the site to be hacked again unless preventative measures are taken.
- Create a New Site: A final option if the site cannot be restored or repaired may be to create a new website or to hire a developer to create a new website for you.
If you contact our support for assistance with a hacked site, we will direct you to one of the options above. For security purposes, our agents cannot directly troubleshoot a site that is believed to be compromised.
What to Look For in a Hacked Account
In all cases, we recommend resolution of your issue through some sort of professional service. However, if these options are not available, you may wish to consider removing files or directories which have been recently added and which you do not recognize as part of your site. Things to look for include:
- Strangely named files or directories (e.g., xf8c3l.php or /home/username/public_html/wellsfargo).
- PHP files located in image folders.
- Base64-encoded or otherwise obfuscated injections inside of site files, which can be removed using file editors.
Again, please do not make changes to your account if it is currently under investigation.
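The indicators listed above can be checked with a read-only scan run over SSH. The script below is an added example, not a HostGator tool; the image folder names, the file-name heuristic, the 200-character Base64 threshold, and the default 7-day window are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example: read-only triage for the indicators listed above.
# Nothing is deleted; every hit needs manual review before removal.

# PHP files inside folders that should hold only images or uploads.
# Folder names (images, img, uploads) are assumptions; adjust per site.
php_in_image_dirs() {
    find "$1" -type f \
        \( -path '*/images/*' -o -path '*/img/*' -o -path '*/uploads/*' \) \
        \( -iname '*.php' -o -iname '*.phtml' \) -print
}

# Short random-looking PHP names such as xf8c3l.php: 5-8 lowercase
# alphanumerics with at least one digit. Heuristic, expect false positives.
odd_names() {
    find "$1" -type f -name '*.php' -print |
        grep -E '/[a-z0-9]{5,8}\.php$' |
        grep -E '/[a-z]*[0-9][a-z0-9]*\.php$' || true
}

# Files that decode-and-execute, or carry a long unbroken Base64 run.
encoded_injections() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
        -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)|[A-Za-z0-9+/]{200,}' \
        {} + || true
}

# Files modified in the last N days ("recently added" candidates).
recent_files() {
    find "$1" -type f -mtime "-$2" -print
}

scan() {
    echo "== PHP in image folders ==";    php_in_image_dirs "$1"
    echo "== Odd PHP file names ==";      odd_names "$1"
    echo "== Encoded injections ==";      encoded_injections "$1"
    echo "== Changed in last $2 days =="; recent_files "$1" "$2"
}

# Usage: sh scan.sh /home/username/public_html [days]
if [ "$#" -gt 0 ]; then scan "$1" "${2:-7}"; fi
```

Legitimate files can match these patterns (for example, long Base64 runs in embedded images), so treat the output as a list of files to inspect rather than a list of files to delete.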
If Google's "Reported Attack Site!" page is seen, please refer to the following article for details on how to clean the site and remove the warning: