Skip to content

netcup Documentation

Web Hosting

Suspected Compromised Web Hosting

Learn about the possible causes of a compromised web hosting account and what you can do after reporting a suspected compromise.

1. Possible Causes

A compromised web hosting account may have the following causes and symptoms:

  • Abuse report
  • Unknown files or directories in the webspace
  • Unexpected redirects
  • Spam sent via the web hosting service
  • Blacklisting of a domain, IP address, or mail server
  • Unusually high load
  • Unusual traffic
  • Warnings from browsers, search engines or external security services
  • Altered CMS files, themes, plugins or configuration files

Describe as precisely as possible what you've noticed and how long the problem has been occurring. Also, check whether any restrictions or blocks are already in place on the web hosting service.

2. Checking and Changing Login Credentials

If a compromise is suspected, all relevant login credentials must be changed – especially in areas where symptoms are evident.

 

Change the following login credentials:

  • Customer Control Panel (CCP) Login
  • Web Hosting Control Panel (WCP) Login
  • FTP/SFTP Access
  • Database Access
  • Administrator accounts; e.g., WordPress, Joomla, or TYPO3
  • Email Accounts

3. Checking Local Systems

When a web hosting account is compromised, it’s usually not just a single file that’s affected. Keep in mind that deleting individual suspicious files is usually not enough.

Check the local systems used to access the web hosting account.

This is especially important if FTP clients, saved login credentials or older systems were used.

 

Run a full virus and malware scan on your own computer and check the following:

  • all devices used to access the web hosting
  • FTP clients and saved passwords

The login credentials should not be saved again until the local system has been checked.

Run a scan of your local system (for viruses and malware) before taking any further action. If the local system is compromised, newly set passwords can be intercepted again.

Additional recommended cleanup steps:

  • Restore a clean backup from a point in time before the incident. Then, update the CMS, plugins, themes and extensions.
  • Remove unnecessary plugins, themes and users.

 

If a clean backup is not available:

  • Restore content only selectively and after verifying it.
  • Reinstall plugins and themes only from trusted sources.
  • Change all login credentials.

4. Blocked or Restricted Web Hosting

Note that the cleanup can only be performed during a Maintenance Window if your web hosting account has been suspended or restricted – without a Maintenance Window, the suspension will not be lifted.

Specify a specific date and time as soon as possible in the Abuse form in the Customer Control Panel (CCP) – without a date and time, we cannot process your request.

General conditions for a Maintenance Window:

  • Duration: up to 120 minutes
  • Request: Can be submitted at any time
  • Processing: Monday – Friday, 10:00 a.m. – 6:00 p.m.
  • Lead time: at least 2 hours

 

Note that abuse-related processing is generally free of charge and simply requires a little patience.

If you need urgent activation, you can request it after 6:00 p.m. Note that a fee of €60 applies for this.

To request a Maintenance Window, log in to the Customer Control Panel (CCP) and click the magnifying glass icon next to the abuse report under the Abuse Notices menu item. Then, proceed to the Requesting a Maintenance Window step.

5. Frequently Asked Questions (FAQ)

You may also be interested in:

Last update: 6 July 2026

Was this article helpful?