🛠️ How to Recover a Hacked cPanel Server Using Default cPanel Backups

✅ Your Solution to a Hacked cPanel Server

If one or more cPanel accounts on your server have been compromised, cPanel’s built-in backup system can be used to restore clean versions of those accounts. This method is ideal when JetBackup is not in use or unavailable.


🔐 Security and Privacy: Critical in Web Hosting

Your cPanel server may host websites that deal with private business or client information. A compromise in this environment may:

  • Damage business credibility
  • Leak customer data
  • Disrupt operations

To protect against such consequences, regular backups using cPanel’s default backup system should be enabled and monitored.


🔄 Restoring Multiple Accounts Using cPanel Default Backup System

✅ Step 1: Ensure Backups Are Enabled

  1. Log into WHM as root.
  2. Navigate to: Home » Backup » Backup Configuration
  3. Make sure that:
    • Enable Backups is checked
    • Backup Accounts is enabled
    • A Backup Type is selected (Compressed, Uncompressed, Incremental)
    • A backup schedule is set (Daily, Weekly, Monthly)
    • A backup destination is chosen (Local or Remote)

Save the configuration.


🗂️ Step 2: Locate Backup Archives

By default, backups are stored in:

/backup/

Example backup path:

/backup/2025-07-08/accounts/username.tar.gz

Replace 2025-07-08 with your desired restore date and username with the cPanel username.


🔧 Step 3: Restore a Single Account or Multiple Accounts

To restore a single user account:

/scripts/restorepkg /backup/2025-07-08/accounts/username.tar.gz

To restore multiple accounts (loop):

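RESTORE_FROM_DATE="2025-07-08"
for backup in /backup/"$RESTORE_FROM_DATE"/accounts/*.tar.gz; do
  # Skip the unexpanded pattern when no archives exist for that date
  [ -e "$backup" ] || continue
  /scripts/restorepkg "$backup"
done

📌 This will loop through all .tar.gz backup files in that date's accounts directory and restore them one by one.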
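
Choosing which archive to restore can also be scripted. The following is an added example, not part of the original guide or of cPanel's own tooling: it picks the newest backup dated before a suspected compromise date and confirms the archive is readable before it is passed to restorepkg. The function name pick_clean_backup and the use of a known cutoff date are assumptions; the directory layout is the one shown in Step 2.

```shell
#!/bin/sh
# Added example (not cPanel code): select the newest backup taken BEFORE the
# suspected compromise date and verify the archive can be read.
# Assumes the /backup/YYYY-MM-DD/accounts/<user>.tar.gz layout from Step 2.

# pick_clean_backup BACKUP_ROOT USER COMPROMISE_DATE
# Prints the chosen archive path; returns 1 if no usable archive exists.
pick_clean_backup() {
  root=$1
  user=$2
  cutoff=$(printf '%s' "$3" | tr -d '-')   # 2025-07-08 -> 20250708
  best=""
  for dir in "$root"/*/; do
    d=$(basename "$dir")
    # Only consider directories named like a date; ignore anything else
    case "$d" in
      [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
      *) continue ;;
    esac
    # Skip backups taken on or after the suspected compromise date
    [ "$(printf '%s' "$d" | tr -d '-')" -lt "$cutoff" ] || continue
    archive="$root/$d/accounts/$user.tar.gz"
    [ -f "$archive" ] || continue
    # Skip truncated or corrupt archives
    tar -tzf "$archive" >/dev/null 2>&1 || continue
    # The glob expands in sorted order, so the last match is the newest
    best=$archive
  done
  [ -n "$best" ] || return 1
  printf '%s\n' "$best"
}

# Usage (as root), with a hypothetical username and cutoff date:
#   archive=$(pick_clean_backup /backup username 2025-07-08) \
#     && /scripts/restorepkg "$archive"
```

A readable archive is not proof that its contents are clean, so the malware scan in Step 4 still applies to whatever is restored.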


🧹 Step 4: Post-Restoration Cleanups (Optional)

After restoring, you may want to:

  • Reset compromised passwords (FTP, email, cPanel)
  • Scan for malware using ImunifyAV or Imunify360
  • Reinstall WordPress or apps if infected
  • Run chkrootkit or rkhunter to check the system for rootkits
  • List files modified within the last two days using find:

find /home/username/public_html -type f -mtime -2

📝 Notes

  • Replace 2025-07-08 with the actual backup date you want to restore from.
  • If restoring from a remote location, first rsync or scp the .tar.gz backups to /backup/YYYY-MM-DD/accounts/ before running restorepkg.

📚 Glossary

  • restorepkg: cPanel script to restore full account backups
  • tar.gz: Compressed file format used for cPanel backups
  • /backup/: Default cPanel backup directory

🛡️ Bonus Tip: Strengthen Protection with Imunify360

While cPanel backups help you recover, Imunify360 protects you in real time:

  • AI-powered threat detection
  • Malware scanning and cleanup
  • Intrusion prevention
  • Hardened PHP and kernel patching

Learn more: https://hostxnow.com/imunify360/


✅ Final Thoughts

If your server is hacked:

  • Stay calm.
  • Restore from the most recent clean backup.
  • Lock it down with security tools like Imunify360.

🧠 Backup. Restore. Protect. Repeat.
