Malware infections on hosting accounts are more common than most website owners realize. Research consistently shows that thousands of websites are compromised every day, with shared hosting accounts being a frequent target. A single infected file can redirect your visitors to phishing sites, steal customer data, send spam from your email address, or get your domain blacklisted by Google.
The good news is that cPanel provides several tools for detecting and removing malware. This guide walks you through the process step by step, from identifying an infection to cleaning it up and preventing it from happening again.
Signs Your Hosting Account May Be Infected
Malware does not always announce itself. Some infections are designed to be invisible to the website owner while actively exploiting visitors. Watch for these warning signs:
- Google Search Console warnings — messages about malware, hacked content, or social engineering on your site
- Browser warnings — "This site may be hacked" or "Deceptive site ahead" in Chrome or Firefox
- Unexpected redirects — visitors being sent to other websites, often only on mobile or from search results
- Unknown files or code — files you did not create appearing in your account, or unfamiliar code injected into existing files
- Spam emails — your hosting account sending emails you did not authorize
- Increased resource usage — unexplained spikes in CPU, memory, or bandwidth
- Modified file dates — core files showing recent modification dates when you have not changed anything
- cPanel/Imunify360 alerts — notifications from your hosting provider about detected threats
If you notice any of these signs, begin the scanning and cleanup process immediately.
Step 1: Check Imunify360 in cPanel
If your hosting provider uses Imunify360, this is the fastest way to identify infections. Log into cPanel and look for the "Imunify360" icon in the Security section.
The Imunify360 dashboard shows:
- Malicious files detected — a list of infected files with their paths and threat types
- Proactive Defense events — PHP scripts that were blocked during execution
- Cleanup options — buttons to clean or delete infected files
For each detected file, Imunify360 offers several actions:
- Clean — removes the malicious code while preserving the legitimate parts of the file. This is the preferred action for files that contain both legitimate and malicious code (like a WordPress core file with injected malware).
- Delete — removes the entire file. Use this for files that are entirely malicious (like uploaded webshells or backdoors).
- Ignore — marks the file as a false positive. Only use this if you are absolutely certain the file is legitimate.
Click "Clean All" to automatically clean all detected infections if you trust Imunify360's detection (which is accurate in the vast majority of cases).
Step 2: Manual File Inspection
Even with automated scanning, manual inspection catches infections that scanners miss, especially in less common CMS platforms or custom applications.
Check Recently Modified Files
Use cPanel's File Manager or SSH to find files that were recently modified. In SSH, run:
```bash
# Find PHP files modified in the last 7 days
find ~/public_html -name "*.php" -mtime -7 -type f

# Find files modified in the last 24 hours
find ~/public_html -type f -mtime -1

# Find PHP files in upload directories (common malware location)
find ~/public_html/wp-content/uploads -name "*.php" -type f
```
PHP files in upload directories are almost always malicious. WordPress uploads should contain images, documents, and media files — never PHP scripts.
Look for Common Malware Patterns
Search your files for common malware indicators:
```bash
# Search for base64-encoded code (common obfuscation technique)
grep -rl "base64_decode" ~/public_html --include="*.php"

# Search for eval() with variable input (code execution).
# -F matches the literal text: inside double quotes "eval(\$" loses its backslash,
# and grep would then read the trailing $ as an end-of-line anchor, missing eval($var).
grep -rlF 'eval($' ~/public_html --include="*.php"

# Search for common backdoor functions
grep -rl "str_rot13\|gzinflate\|gzuncompress" ~/public_html --include="*.php"

# Search for file_get_contents with external URLs
grep -rl "file_get_contents.*http" ~/public_html --include="*.php"

# Search for common webshell signatures
grep -rl "c99shell\|r57shell\|WSO\|FilesMan" ~/public_html --include="*.php"
```
Note that some legitimate plugins use base64_decode and eval(), so these searches may produce false positives. Examine each result carefully before deleting.
Check .htaccess Files
Malware frequently modifies .htaccess files to inject redirects. Check every .htaccess file in your document root:
```bash
# Find all .htaccess files
find ~/public_html -name ".htaccess" -type f

# View the contents of each one
cat ~/public_html/.htaccess
```
A clean WordPress .htaccess file contains only the standard WordPress rewrite rules. Anything else — especially base64-encoded strings, redirect rules to unknown domains, or PHP code — is likely malicious.
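The three checks in this step (PHP in upload directories, obfuscation markers, tampered .htaccess files) can be run together as one triage function. This is an added example, not a command from the original guide: it assumes a GNU userland (grep `--include`, mktemp) and builds a constructed sample tree with planted findings so it can be exercised safely before pointing it at a real document root.

```shell
#!/bin/sh
# Added example, not part of the original guide: applies the checks above to one
# document root and prints one finding per line. The sample tree is constructed.

# Print findings under document root $1, one per line, prefixed by category.
triage_root() {
    root="$1"
    # PHP files inside an uploads directory: these should only hold media.
    find "$root" -path '*/uploads/*' -name '*.php' -type f | sed 's/^/uploads-php /'
    # Obfuscation and execution markers. -F takes the pattern literally, so
    # 'eval($' matches the text itself instead of '$' acting as a regex anchor.
    grep -rlF --include='*.php' 'eval($' "$root" | sed 's/^/pattern:eval /'
    grep -rlF --include='*.php' 'base64_decode' "$root" | sed 's/^/pattern:base64 /'
    grep -rlE --include='*.php' 'str_rot13|gzinflate|gzuncompress' "$root" \
        | sed 's/^/pattern:decoder /'
    # .htaccess files that redirect to another host, carry encoded blobs or
    # embed PHP; the standard WordPress rewrite rules match none of these.
    find "$root" -name '.htaccess' -type f | while read -r f; do
        if grep -qE 'RewriteRule .*https?://|base64|<\?php' "$f"; then
            echo "htaccess $f"
        fi
    done
}

# Number of findings for root $1 (handy for cron alerts and for testing).
count_findings() {
    triage_root "$1" | wc -l | tr -d ' '
}

# Constructed sample: two clean files plus three planted problems.
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads/2024" "$dir/wp-content/themes/custom"
    printf '<?php echo "hello";\n' > "$dir/wp-content/themes/custom/index.php"
    printf 'RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n' > "$dir/.htaccess"
    printf '<?php eval($payload);\n' > "$dir/wp-content/uploads/2024/img.php"
    printf '<?php echo base64_decode("aGk=");\n' > "$dir/wp-content/themes/custom/footer.php"
    printf 'RewriteRule ^(.*)$ http://example.invalid/$1 [R=301,L]\n' \
        > "$dir/wp-content/uploads/.htaccess"
    echo "$dir"
}

# Demonstration run on the constructed tree: 4 findings, the clean files are silent.
sample=$(make_sample_root)
triage_root "$sample"
rm -rf "$sample"
```

On a real account, replace the constructed tree with `~/public_html`; every line printed still needs the manual review described above, since legitimate plugins can trip the base64 and eval checks.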
Step 3: Use cPanel's Built-In Virus Scanner
cPanel includes a built-in virus scanner (powered by ClamAV) accessible from the cPanel dashboard under "Advanced" > "Virus Scanner." While less sophisticated than Imunify360, it provides an additional layer of detection.
Select "Scan Entire Home Directory" for the most thorough scan. The scanner will:
- Scan all files in your account for known virus signatures
- Display a list of infected files
- Offer options to quarantine or delete infected files
ClamAV uses signature-based detection, so it works best for known malware. For new or obfuscated malware, Imunify360's AI-powered scanner is significantly more effective.
Step 4: WordPress-Specific Malware Checks
If you run WordPress, perform these additional checks:
Verify Core File Integrity
WordPress core files should never be modified. If they have been, it indicates a compromise. Install and run the Wordfence or Sucuri Security plugin to compare your core files against the official WordPress repository:
- Wordfence: Go to Wordfence > Scan > Start New Scan. It will flag any modified core files.
- WP-CLI (if available via SSH): Run `wp core verify-checksums` to compare your files against the official checksums.
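If neither a security plugin nor WP-CLI is available, the same idea can be approximated with a stored checksum manifest. The following is an added example, not WP-CLI's own verify-checksums implementation: it records sha256 hashes of the core files (skipping wp-config.php and wp-content, as the cleanup section advises) and later reports files that were modified, added or removed, using a constructed sample site and assuming GNU coreutils (sha256sum).

```shell
#!/bin/sh
# Added example, not WP-CLI's implementation: baseline-and-verify integrity
# check built on sha256sum. Record the manifest right after a clean install or
# update, keep it outside the web root, and verify against it during triage.

# Hash every file under root $1 except wp-config.php and wp-content (your own
# configuration and content) and write "hash  ./path" lines to manifest $2.
record_baseline() {
    ( cd "$1" && find . -type f ! -name 'wp-config.php' ! -path './wp-content/*' \
        -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# Compare root $1 against manifest $2; print "modified", "added" or "removed"
# followed by the path. Paths containing spaces are not handled.
verify_baseline() {
    current=$(mktemp)
    record_baseline "$1" "$current"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         !($2 in base)                  { print "added " $2 }
         ($2 in base) && base[$2] != $1 { print "modified " $2 }
         { seen[$2] = 1 }
         END { for (p in base) if (!(p in seen)) print "removed " p }' \
        "$2" "$current"
    rm -f "$current"
}

# Constructed sample site: two "core" files plus a wp-config.php that is excluded.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-includes" "$dir/wp-content/plugins"
    printf '<?php // core file\n' > "$dir/index.php"
    printf '<?php // core file\n' > "$dir/wp-includes/functions.php"
    printf '<?php // database credentials\n' > "$dir/wp-config.php"
    echo "$dir"
}

# Demonstration: record a baseline, tamper with the site, then verify.
site=$(make_sample_site)
manifest=$(mktemp)
record_baseline "$site" "$manifest"
printf '@eval($injected);\n' >> "$site/index.php"        # injection into a core file
printf '<?php // dropped file\n' > "$site/wp-includes/x.php"
verify_baseline "$site" "$manifest"                        # reports index.php modified, x.php added
rm -rf "$site" "$manifest"
```

Only record the manifest from a known-clean installation or immediately after a fresh update: a baseline taken from an already compromised site would silently whitelist the infection.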
Check User Accounts
In the WordPress dashboard, go to Users > All Users and look for accounts you did not create, especially any with Administrator role. Malware often creates hidden admin accounts for persistent access. Delete any unauthorized users immediately.
Review Installed Plugins and Themes
Check for plugins or themes you did not install. Malware sometimes installs additional plugins to maintain access. Also, deactivate and delete any plugins or themes you are not actively using — they represent unnecessary attack surface.
Check wp-config.php
Review your wp-config.php file for any code that does not belong. It should contain only WordPress configuration settings (database credentials, salts, table prefix, debug settings). Any include, require, eval, or base64_decode calls are suspicious.
Step 5: Clean the Infection
Once you have identified all infected files, clean them:
For WordPress Core Files
Replace modified core files with clean copies from WordPress.org. Download a fresh copy of your WordPress version and upload the clean files via cPanel File Manager or FTP. Do not replace wp-config.php or the wp-content directory — these contain your configuration and custom content.
For Plugin and Theme Files
Delete the infected plugin or theme directory entirely, then reinstall it from the official WordPress repository or the developer's website. Do not try to clean individual files within a plugin — it is faster and safer to replace the entire plugin.
For Custom Files
If malware has been injected into your custom files (custom themes, uploaded scripts), you need to manually remove the malicious code. Open each infected file in the cPanel Code Editor and remove the injected code, which is usually found at the beginning or end of the file, often wrapped in obfuscated PHP.
For Database Infections
Some malware injects itself into the WordPress database — typically in post content, widget settings, or options. Use phpMyAdmin to search for suspicious content:
```sql
-- Search for script tags in post content
SELECT ID, post_title FROM wp_posts
WHERE post_content LIKE '%<script%' AND post_content LIKE '%eval(%';

-- Search for suspicious options
SELECT option_name, option_value FROM wp_options
WHERE option_value LIKE '%base64_decode%' OR option_value LIKE '%eval(%';
```
Step 6: Prevent Reinfection
Cleaning malware without addressing the entry point leads to reinfection, often within hours. Here is what to do after cleanup:
Change All Passwords
- cPanel password
- FTP/SFTP passwords for all accounts
- WordPress admin password
- WordPress database password (update it in `wp-config.php` and in cPanel > MySQL Databases)
- Email account passwords
Update Everything
- WordPress core to the latest version
- All plugins to their latest versions
- All themes to their latest versions
- PHP version to the latest supported version
Remove Unnecessary Components
- Delete inactive plugins and themes
- Remove unused FTP accounts
- Delete old staging sites, test installations, or backup files in your web root
Implement Security Hardening
Follow our complete WordPress hardening guide for cPanel to lock down your installation against future attacks. Enable two-factor authentication on your cPanel account and WordPress admin login.
Malware Scanning Tools Comparison
| Tool | Detection Method | Real-Time Scanning | Auto Cleanup | cPanel Integration | Cost |
|---|---|---|---|---|---|
| Imunify360 | AI + signatures + heuristics | Yes | Yes | Full dashboard | Included with hosting |
| ClamAV (cPanel) | Signatures only | No (on-demand) | No (quarantine only) | Built-in scanner | Free |
| Wordfence | Signatures + heuristics | Yes (premium) | Yes (premium) | WordPress plugin | Free / $119/yr |
| Sucuri SiteCheck | Remote scanning | No (on-demand) | No | No | Free scan / paid cleanup |
| MalDet (LMD) | Signatures + heuristics | Yes (inotify) | No | CLI only | Free |
The most effective approach is to use multiple layers: Imunify360 at the server level (which is included with MassiveGRID's high-availability cPanel hosting) combined with a WordPress security plugin like Wordfence for application-level scanning.
When to Ask for Professional Help
Some infections are too complex for self-service cleanup:
- Persistent reinfection — if malware returns after cleaning, the attacker likely has a backdoor you have not found
- Database infections — malware in the database is harder to clean without damaging legitimate content
- Blacklisted by Google — removing the malware is only the first step; you also need to submit a review request to Google
- E-commerce sites — if credit card data may have been compromised, you have legal obligations to investigate and notify affected customers
In these cases, contact your hosting provider's support team. MassiveGRID offers expert support that can assist with malware cleanup and hardening, backed by infrastructure with CageFS isolation that prevents cross-account infections.
Frequently Asked Questions
How did malware get into my hosting account?
The most common entry points are: outdated WordPress plugins or themes with known vulnerabilities, stolen FTP or cPanel credentials (from phishing or credential stuffing), compromised WordPress admin accounts with weak passwords, and file upload vulnerabilities in poorly coded plugins. On shared hosting without proper isolation, malware can also spread from other compromised accounts — which is why CageFS isolation is essential.
Will cleaning malware fix my Google blacklisting?
Cleaning the malware is the first step, but Google does not automatically remove warnings. After cleanup, go to Google Search Console > Security Issues, review the issues Google detected, and click "Request a Review." Google typically reviews the site within 72 hours. Use the "Fetch as Google" tool to verify the cleaned pages render correctly.
Should I restore from a backup instead of cleaning malware?
Restoring from a clean backup is sometimes faster than manual cleanup, but only if you know when the infection occurred and have a backup from before that date. The risk is that the infection may predate your oldest backup, or the backup may contain the same vulnerability that allowed the infection. After restoring, immediately update all software and change all passwords to prevent reinfection.
How often should I scan for malware?
With Imunify360, scanning happens in real time — every file that is uploaded or modified is scanned automatically. If your host does not provide real-time scanning, run manual scans at least weekly. High-traffic sites or e-commerce sites should scan daily. Also scan immediately after any unusual activity or security alert.
Can malware in my hosting account affect my visitors?
Yes. Common malware behaviors include redirecting visitors to phishing or malware download sites, injecting cryptocurrency mining scripts that use visitors' CPU, displaying fake virus warnings to trick visitors into downloading malware, and stealing form data (including login credentials and credit card numbers). This is why rapid detection and cleanup are critical — your visitors' security depends on it.