How to Scan Your Site for Malware

Updated 25 February 2026 11 views SSL & Security

Detecting and Removing Malware

If your website has been compromised, malware may have been injected into your files or database. Regular scanning helps detect infections early before they cause serious damage to your site and reputation.

Signs Your Site May Be Infected

  • Your site redirects to suspicious websites.
  • Google shows a "This site may be hacked" warning in search results.
  • Your browser displays a red security warning when visiting your site.
  • Unexpected new files or modified files appear in your hosting account.
  • Your site is significantly slower than usual.
  • You find spam content or links on your pages that you did not add.
  • Your hosting provider or email provider suspends your account due to abuse.

Scanning with cPanel Virus Scanner

  1. Log in to cPanel and go to Security > Virus Scanner (if available).
  2. Select Scan Entire Home Directory for a comprehensive scan.
  3. Wait for the scan to complete and review any infected files that are found.
  4. Choose to quarantine or delete infected files.

Scanning with WordPress Plugins

  • Wordfence: Install the Wordfence Security plugin, go to Wordfence > Scan, and click Start New Scan. Wordfence compares your WordPress core files, plugins, and themes against the official repository to detect modifications.
  • Sucuri Security: The Sucuri plugin provides malware scanning and security hardening. It can also check if your site is on any blacklists.

External Scanning Tools

  • Sucuri SiteCheck: Visit sitecheck.sucuri.net and enter your domain for a free external scan.
  • Google Safe Browsing: Check transparencyreport.google.com/safe-browsing to see if Google has flagged your site.
  • VirusTotal: Submit your URL to VirusTotal for a scan across multiple security engines.

Cleaning an Infected Site

  1. Restore from a clean backup if you have one from before the infection.
  2. If no backup exists, manually remove malicious code from infected files identified by the scanner.
  3. Change all passwords — WordPress admin, cPanel, FTP, database, and email.
  4. Update everything — WordPress core, all plugins, and all themes.
  5. Remove unused plugins and themes that may have been the entry point.
  6. Request a review from Google if your site was flagged, via Google Search Console.

Was this article helpful?

Let us know so we can improve our docs.

Back to SSL & Security All Categories

Related Articles

How to Force HTTPS on Your Website

Force all website traffic to use HTTPS using .htaccess rules, WordPress settings, or Cloudflare.

12 views

How to Set Up .htaccess Security Rules

Implement security rules in your .htaccess file to protect against common attacks and vulnerabilities.

12 views

Understanding SSL Certificates

Learn what SSL certificates are, how they work, and why every website needs one for security and SEO.

11 views

How SSL Is Included Free with Your Hosting

Learn how SillyHost provides free SSL certificates through AutoSSL with automatic installation and renewal.

11 views