Best way to identifty which user/website is compremised and sending spam?

I know this might be newbie ish question but I am hoping for some insight that might be Hestia CP specific.

I got an warning today from my host that my IP is sending spam. The server I have on that IP is my Hestia installation with about 20 different users, each with a wordpress site installed.

What is the best way to be able to quickly identify which is my users has the compromised site so I can troubleshoot their site (or nuke it)? Is there a specific place in Hestia I can check?


check exim4 mainlog, identify the user there and suspend it.


It was the main admin account that was compromised so I can’t suspend it. :confused: Found all the files in the web folder causing the issues.

Can I create a new one and delete this one easily?