How to fix Abuse Notice Warnings and Compromised Websites


Attackers use a range of techniques: injected malicious links, hidden inline frames (iframes), cross-site scripting, base64-encoded code (encoded, not encrypted, to hide it from antivirus signatures and casual inspection) and phishing pages hosted on your account. Because a compromised site can look completely normal to the casual visitor, compromises often go unnoticed for weeks, causing frustration for both webmasters and visitors. This is why regular security audits are so important.

If you find that your site is displaying malicious content or you are notified of malware or suspicious files in your hosting account, we'd recommend taking the following steps:


Step 1 - Update your anti-virus program and run a full system scan. (We also advise notifying your clients, web designers or employees to do the same, where applicable.) Most website compromises come from a weak, reused or guessed password, or from an unpatched vulnerability in the CMS and its extensions, but we still recommend confirming that your own computer is clean first: a keylogger or stolen browser session on your PC would simply hand the attacker the new passwords you set in the next step. If you're unsure about a suitable malware scanner, talk to your IT team.

Note:
All devices can get malware, even phones and Apple devices.


Step 2 - Change all your hosting passwords, including your Client Area, cPanel/WHM, email accounts, FTP users, CMS (WordPress/Joomla) users and database users. Depending on how the website was compromised, the attacker may not have all of these passwords, but we still recommend changing every one of them to be safe. Use a different, strong password for each account, and only change them from a machine you have verified as clean (Step 1). While you are logged in to the CMS, also check for administrator accounts you did not create; attackers routinely add one so they can return after the original password is reset.


Step 3 - If you were notified about specific files or folders, remove at least those files from the hosting account (if you want to inspect them, copy them somewhere outside the web root first). Bear in mind that attackers usually plant more than one file and often append code to legitimate files, so cleaning only the reported files does not mean the account is clean. If you would like us to run a scan for suspicious files, please feel free to reach out to our support team and request a malware scan of your hosting. If you have a VPS or Dedicated server, you are also able to run these scans yourself.


Step 4 - Upload a fresh version of your website from your local machine, making sure to check your password strength and file/folder permissions (on shared hosting, files should normally be 644 and directories 755; nothing under public_html should be world-writable). If you and your developer do not have an offline backup, you can use our R1Soft restore guides to restore the website:
Shared and Reseller Hosting Restore Guide
Plesk Hosting Restore Guide
Dedicated server and VPS Restore guide

As per these guides, we'd recommend renaming the entire public_html directory (rather than deleting it, so the old copy remains available for investigation), then restoring the full set of files from your backup into the empty directory. This ensures no malware files (or malicious additions to existing files) are still present in the folder after the restore.

Note: If your website was already compromised when a particular backup was taken, then restoring the backup will not resolve this issue. If your website was compromised for a long period of time, we may not have a clean backup of your site - in this case you will need to work with your web developer to manually investigate and remove the problematic files or code additions.


Step 5 - Be aware that reverting the site to a previous backup will not fix the problem permanently. Many sites are compromised due to an existing vulnerability in the website files. When reverting a site to a previous version, the malicious content is removed but the vulnerability is still present. You will need to get your website developer to update the website and all extensions (Plugins, Themes, etc.) so that any security vulnerability is patched.


Step 6 - Your website should now be fully functional again. We'd recommend downloading a backup of your website and keeping it on your local machine for extra disaster recovery.
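As an added example, not part of this guide or the hosting provider's tooling, the POSIX shell helpers below cover the file-system side of Steps 3 and 4 on a Linux hosting account: quarantining the web root by renaming it (instead of deleting it), then auditing the restored copy for world-writable paths, the obfuscation markers mentioned in the introduction, and recently modified PHP files. It assumes GNU find and grep (standard on Linux hosting) and takes the web root path as an argument; the sample tree at the bottom is constructed here so the helpers can be tried offline, and the base64 string in it is inert sample text, not real malware.

```shell
#!/bin/sh
# Added example for Steps 3-4 (not from the hosting provider's guide).
# Assumes a Linux account with GNU find/grep; paths are passed as arguments.
set -u

# Step 4: move the web root aside under a timestamped name instead of deleting
# it, so the restore lands in an empty directory and the old copy is kept for
# investigation. Prints the quarantine path.
quarantine_webroot() {
  root="$1"
  q="${root}.compromised-$(date +%Y%m%d-%H%M%S)"
  mv "$root" "$q" && mkdir "$root" && printf '%s\n' "$q"
}

# Step 4 permission check: shared hosting expects 644 files / 755 directories;
# anything world-writable under the web root is either a misconfiguration or a
# change the attacker made to keep a foothold.
find_world_writable() {
  find "$1" \( -type f -o -type d \) -perm -0002 2>/dev/null
}

# Step 3: PHP/JS files carrying the obfuscation markers from the introduction
# (eval of base64/gzip/rot13 payloads) or calling a function whose name comes
# straight from request input. Hits are leads for manual review, not proof:
# some legitimate plugins also use base64_decode.
scan_obfuscated() {
  grep -rlE --include='*.php' --include='*.js' \
    'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\(' \
    "$1" 2>/dev/null || true
}

# PHP files modified within the last $2 days. After restoring a clean backup,
# nothing should appear here that you did not just edit yourself.
recent_php() {
  find "$1" -type f -name '*.php' -mtime -"$2" 2>/dev/null
}

# Constructed sample tree so the helpers can be run offline.
demo_root="$(mktemp -d)/public_html"
mkdir -p "$demo_root/wp-content/uploads"
printf '%s\n' '<?php echo "hello"; ?>' > "$demo_root/index.php"
# Dropper-style file in the uploads dir: inert sample, the base64 decodes to: echo 'hi';
printf '%s\n' '<?php eval(base64_decode("ZWNobyAnaGknOw==")); ?>' \
  > "$demo_root/wp-content/uploads/cache.php"
chmod 777 "$demo_root/wp-content/uploads"

echo "== obfuscation markers =="; scan_obfuscated "$demo_root"
echo "== world-writable paths =="; find_world_writable "$demo_root"
echo "== PHP files modified in the last day =="; recent_php "$demo_root" 1
```

On a real account, review the scan output first, then run `quarantine_webroot "$HOME/public_html"` and restore the clean copy into the new, empty public_html; run `find_world_writable` and `recent_php` again afterwards to confirm the restored tree has sane permissions and no unexpected fresh files.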
