I was building my website. I was aware that my website is vulnerable, because I was using simple mysqli code and easy password in login script that can be guessed for testing purpose. I was planning to change mysqli to pdo to save from sql injection. I couldn't change because of lack of time. After few days, when I tried to reconstruct website, I found website was hacked. Hacker's had put own code in index.php uploaded his html file in public_html folder. Immediately I deleted his code and pasted code in index.php from my backup. When I try to change login script, I got suck, there is not admin folder in cpanel which I'd created. My question is that how they hack my website. I want to know they hack my cpanel or admin panel. As I mentioned above, my admin panel was weak. But cpanel is strong. Is it possible to delete public_html folder from sql injection. I think it is not only from sql injection. Are they able to get cpanel access ? If they can access cpanel, why they didn't delete other file and folder of cpanel, such as images, videos folder.