This guide deals with websites compromised by malicious software. If you are dealing with other website problems, follow the article Webhosting – Website Troubleshooting.
In this guide, you will learn:
- How a compromised website manifests itself
- How to address a website compromise
- How to protect against website compromise
- Frequently Asked Questions
Symptoms of a Compromised Website
A compromised website most often manifests itself with one or more of the following symptoms:
- Spamming. Malicious software uses insecure contact forms, or generally the PHP function mail() to send spam emails. On our side, spamming is limited by setting a daily limit on the number of sent emails, and we carefully monitor approaching or reaching the limit. When we record increased volumes of sent mails violating the rules and email sending limits ⧉, we may completely disable the mail() function on our side.
- Redirecting. The user is redirected to another website immediately after arriving on the page. Such a compromise cannot be reliably detected by us, because any redirection may also be intentional.
- Phishing pages or other unwanted content. In addition to or instead of legitimate content, the website contains fraudulent pages, intentionally damaging content, or, conversely, a completely empty page. Phishing is most often reported by users or the police. Deleted content may be either the result of an attack or a failure of the content management system (for example the White Screen of Death in WordPress ⧉).
- Scripts attacking other targets. This type of compromise often has no easily noticeable symptoms, and it is only alerted by a response to suspicious traffic from the server's IP address in the form of a report or outright blacklisting.
- PHP backdoor (crypt PHP). This file allows attackers to access the website without proper authorization and repeatedly upload problematic pages and scripts that you delete.

Resolving a Compromised Website
VEDOS addresses a compromised website to the extent necessary to prevent damage in the following cases:
- Spamming that threatens the reputation of emails sent from our servers. Here we disable the PHP function mail(), or block the SMTP server of Webhosting email services. We send information about the set restriction to the service billing email.
- Phishing, where there is a risk of leakage or misuse of sensitive visitor data. Immediately after verifying the situation, we block access to the website and send information about the set restriction to the service billing email.
- An attack on other targets in our infrastructure and beyond. Depending on the severity, we usually first communicate with the hosting owner via the billing email; in extreme cases, we shut down the website until the malicious software is removed.
VEDOS primarily contacts the website owner via the billing email; in serious cases, SMS is sent. If the request remains unanswered, we contact the email or phone number (again only via SMS) of the owner of the customer account where the relevant service is located.
In other cases, where there is no urgent danger, the problem is entirely in the hands of the hosting service owner or webmaster. We recommend proceeding as follows:
- Back up the website. Even a compromised website may contain files and data you do not want to lose. More information about backups can be found in the article Webhosting – Backup.
- Perform an antivirus scan and clean up files on FTP. The goal of the scan is to find and eliminate malicious scripts. Various solution methods are available here, depending on the content management system used:
- Full scan. Download the complete website content from FTP and scan it with antivirus software. Replace damaged files with clean ones from an older backup. After completing the scan, upload the website back to the cleaned FTP.
- Reinstallation. Download and inspect only the user components of the content management system (for example the
wp-content/uploadsdirectory in WordPress). Delete the rest of the FTP content and replace it with a clean installation of the content management system. Then connect it to the original database and upload the checked data.
- Secure the website against further compromise. Scan all devices that have access to website administration with antivirus software as well. Change the access passwords for the website administration and FTP. Make sure the website uses the current version of the content management system and plugins.
If you are not sure how to clean the website from malware, contact a specialist. You can find contact information, for example, on the VEDOS profi ⧉ website.
Preventing Website Compromise
To best prevent your website from being compromised, follow these rules:
- Regularly update the content management system, all templates, and plugins. If no update has been released for a component for a long time, check whether it is outdated and, if necessary, replace it with another continuously updated solution.
- Block unused FTP accounts. Instructions can be found in the article Webhosting – FTP Accounts.
- Update the PHP version. If your system allows it, keep the PHP version at the highest possible value. In case of compatibility problems, find out which part of the content management system is incompatible and consider whether it is outdated and poses a security risk.
- Follow the security recommendations of the content management system. For many content management systems, you can find security recommendations directly from their developers. For example, for WordPress you can find them at https://codex.wordpress.org/Hardening_WordPress ⧉.
Frequently Asked Questions
Can you clean the website from malware on your side?
No, we do not clean customer websites from malware on our side. Try looking for help on the VEDOS profi ⧉ website.
What is the best way to clean a Webhosting with WordPress?
A detailed community guide to cleaning a website with WordPress can be found at this link ⧉.
How do I clean the website when you have shut it down?
In the case of a compromised website, we disable HTTP(S), but you still have access to FTP and databases.
The website has been cleaned, but it is still blocked on your side. What should I do now?
Contact us either by replying to the email about the website compromise sent by our technician, or via the contact form. In the communication, provide the website name and the measures you took to resolve the problem.
I want to restore the website from backup, how should I proceed?
All necessary information about backups can be found in the article Webhosting – Backup.