Web Hosting – Compromised Website

This guide addresses websites infected with malware. If you are experiencing other issues with your website, please refer to the article " Web Hosting – Troubleshooting Website Issues."

In this guide you will learn:

Signs of a compromised website

A compromised website typically exhibits one or more of the following symptoms:

  • Spamming. Malicious software uses unsecured contact forms or, more generally, the PHP `mail()` function to send spam. On our end, spamming is limited by setting a daily limit on the number of emails sent, and we strictly monitor when this limit is approaching or has been reached. If we detect increased volumes of sent emails that violate the rules and restrictions on sending emails ⧉, we may completely disable the mail() function on our end.
  • Redirect. Immediately upon arriving at the page, the user is redirected to another website. We cannot reliably detect such an attack, as any redirect could also be intentional.
  • Phishing sites or other unwanted content. In addition to or instead of legitimate content, the website contains fraudulent pages, intentionally harmful content, or, conversely, a completely blank page. Phishing is most often reported by users or the police. Deleted content may be the result of either an attack or a failure of the content management system (such as the WordPress "white screen of death").
  • Scripts targeting other targets. This type of attack often has no easily detectable symptoms and is only detected when a response to suspicious traffic from the server’s IP address is received, in the form of a warning or immediate blacklisting.
  • PHP backdoor (crypt PHP). This file allows attackers to access the website without proper authorization and repeatedly upload problematic pages and scripts that you delete.
Sample phishing email – a copy of the VEDOS admin login page at a suspicious URL
Sample phishing email – a copy of the VEDOS admin login page at a suspicious URL

Resolving the compromised website

VEDOS addresses compromised websites to the extent necessary to prevent damage in the following cases:

  • Spamming that jeopardizes the reputation of emails sent via our servers. In such cases, we disable the PHP `mail()` function or block the SMTP server of the web hosting email service. We send a notification regarding the restriction to the service’s billing email address.
  • Phishing, which poses a risk of sensitive visitor data being leaked or misused. Immediately after assessing the situation, we block access to the website and send a notification about the restriction to the service’s billing email address.
  • Attacks on other targets within and outside our infrastructure. Depending on the severity, we typically first contact the hosting provider via the billing email address; in extreme cases, we take the website offline until the malware is removed.

VEDOS primarily contacts the website owner via the billing email address; in serious cases, we send a text message. If there is no response to the request, we will contact the owner of the customer account associated with the service via email or phone (again, via text message only).

In other cases, where there is no risk of delay, resolving the issue is entirely up to the hosting provider or webmaster. We recommend following these steps:

  1. Back up your website. Even a compromised website may contain files and data that you don’t want to lose. For more information on backups, see the article “Web Hosting – Backups.”
  2. Run a virus scan and delete the files on the FTP server. The purpose of the scan is to detect and remove malicious scripts. There are various methods available, depending on the content management system used:
    • Full scan. Download the entire website from the FTP server and scan it with antivirus software. Replace any corrupted files with healthy ones from an older backup. Once the scan is complete, upload the website back to the cleared FTP server.
    • Reinstallation. Download and check only the user components of the content management system (for example, the directory wp-content/uploads (WordPress). Delete the rest of the content from the FTP server and replace it with a clean installation of the content management system. Then connect it to the original database and upload the verified data.
  3. Secure your website against further attacks. Use antivirus software to scan all devices that have access to the website’s administration. Change the passwords for the website’s administration and FTP access. Ensure that the website is using the latest versions of the content management system and plugins.

If you're not sure how to remove viruses from your website, contact an expert. You can find contact information , for example , on the VEDOS profi website.

Preventing Website Attacks

To best prevent your website from being hacked, follow these guidelines:

  • Update your content management system, all templates, and plugins regularly. If no updates have been released for a particular component for a long time, check to see if it is outdated, and if so, replace it with another solution that is regularly updated.
  • Block unused FTP accounts. For instructions, see the article " Web Hosting – FTP Accounts."
  • Update your PHP version. If your system allows it, keep your PHP version as up-to-date as possible. If you encounter a compatibility issue, identify which part of the content management system is incompatible and consider whether it is outdated and poses a security risk.
  • Follow the security recommendations for your content management system. For many content management systems, you can find security recommendations directly from their developers. For example, for WordPress, you can find them at https://codex.wordpress.org/Hardening_WordPress ⧉.

Frequently Asked Questions

Can you remove the virus from my website?

No, we do not block our customers' websites. Try searching for help on the VEDOS profi ⧉ website.

What's the best way to remove viruses from a WordPress website?

You can find a detailed community guide on how to remove malware from a website using the WordPress content management system at this link ⧉.

How am I supposed to remove the virus from the website if you’ve taken it down?

In the event of a cyberattack on the website, we will disable HTTP(S), but you will still have access to FTP and the databases.

The website has been cleaned of viruses, but it's still blocked on your end. What should I do now?

Please contact us either by replying to the email sent by our technician notifying you of the website breach, or via the contact form. In your message, please include the website name and the steps you have taken to resolve the issue.

I want to restore my website from a backup. How do I do that?

You can find all the necessary information about backups in the article " Web Hosting – Backups."

Did the instructions help you?

Thank you for your feedback!
Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors
Article content
Categories