UnderHost
Knowledgebase Docs

Remove malware files from your hosting account

Step-by-step guide to finding and removing malware from a shared hosting account. Covers scanning tools, identifying malicious files, cleanup, and prevention.

Malware in a hosting account typically enters through an outdated plugin or theme, a weak password, or a vulnerable script. If your account has been flagged for spam sending, shows unexpected files, or loads strange content, act immediately.

Step 1: Change all passwords immediately

Before scanning or cleaning, change every credential that might have been compromised:

  • cPanel password (via CustomerPanel → Services → your plan)
  • All email account passwords
  • All FTP account passwords (cPanel → FTP Accounts)
  • WordPress admin and all user account passwords
  • All database user passwords (cPanel → MySQL Databases, then update wp-config.php)
  • CustomerPanel password

Step 2: Scan for malware

Use multiple tools to detect malicious files:

  • Imunify 360 or ImunifyAV+ in cPanel: server-side scanner; run a full scan and review flagged files
  • Wordfence (WordPress): run a full malware scan from the Wordfence → Scan menu
  • Manual SSH scan (VPS/Dedicated): search for recently modified files and known malware patterns:

Bash: find recently modified files
# Files modified in the last 2 days
find ~/public_html -type f -mtime -2

# PHP files with base64 encoded content (common in malware)
grep -rl "base64_decode" ~/public_html --include="*.php"

# PHP files in the uploads folder (should not be there)
find ~/public_html/wp-content/uploads -name "*.php"

Step 3: Identify infected files

Common patterns in malicious files:

  • Long base64-encoded strings in PHP files
  • Obfuscated code using eval(), gzinflate(), str_rot13()
  • .php files in wp-content/uploads/ (images folder)
  • Files with names like wp-cache.php, config.php, or random strings in unexpected locations
  • Hidden backdoors disguised as legitimate WordPress files

Compare file dates: legitimate WordPress core files don't change unless you update. Files modified unexpectedly are suspicious.
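
The Step 2 searches and the Step 3 patterns can be combined into one read-only triage pass that ranks PHP files by how many indicators they match. This is an added example, not UnderHost's own tooling; the function names, the score weights, and the 200-character threshold are assumptions, and the sample tree is constructed.

```bash
#!/usr/bin/env bash
# Added example: rank PHP files by the Step 3 indicators. Read-only; it lists
# candidates for manual review and never deletes or modifies anything.

# triage_php ROOT [DAYS] -> "score<TAB>path<TAB>reasons", highest score first.
# Subshell body keeps variables local. Paths containing newlines are not handled.
triage_php() (
    root=$1 days=${2:-2}
    find "$root" -type f -iname '*.php' | while IFS= read -r f; do
        score=0 why=""
        # Obfuscation helpers named in Step 3, matched as function calls
        if grep -Eqi '(eval|gzinflate|str_rot13|base64_decode)[[:space:]]*\(' "$f"; then
            score=$((score + 1)) why="$why obfuscation-call"
        fi
        # Unbroken run of 200+ base64 characters (threshold is an assumption)
        if grep -Eq '[A-Za-z0-9+/=]{200,}' "$f"; then
            score=$((score + 1)) why="$why long-base64"
        fi
        # PHP inside the media uploads tree, where only images belong
        case $f in */wp-content/uploads/*)
            score=$((score + 2)) why="$why php-in-uploads" ;;
        esac
        # Modified within the last DAYS days (same test as find -mtime -2)
        if [ -n "$(find "$f" -mtime "-$days")" ]; then
            score=$((score + 1)) why="$why recent"
        fi
        if [ "$score" -gt 0 ]; then
            printf '%s\t%s\t%s\n' "$score" "$f" "${why# }"
        fi
    done | sort -t "$(printf '\t')" -k1,1nr -k2,2
)

# Constructed sample tree for a dry run: inert comment strings, not real malware.
make_sample_tree() (
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/wp-content/uploads/2024" "$d/wp-includes"
    blob=$(printf '%0240d' 0 | tr 0 A)            # 240-character filler
    printf '<?php echo "hello";\n' > "$d/wp-includes/clean.php"
    printf '<?php // str_rot13("uryyb")\n' > "$d/wp-includes/old-helper.php"
    printf '<?php // eval(base64_decode("%s"))\n' "$blob" > "$d/wp-content/uploads/2024/img.php"
    touch -t 202001010000 "$d/wp-includes/clean.php" "$d/wp-includes/old-helper.php"
    printf '%s\n' "$d"
)

# Usage: bash triage.sh ~/public_html 2
if [ "$#" -gt 0 ]; then triage_php "$@"; fi
```

A high score marks a file to inspect first, not proof of infection; legitimate plugins also call base64_decode() and eval().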

Step 4: Remove malicious files

For WordPress sites, the most thorough cleanup is:

  1. Delete all WordPress core files and reinstall from a fresh download
  2. Keep only wp-content/ (your themes, plugins, and uploads) and wp-config.php
  3. Scan wp-content/ thoroughly before restoring; malware often hides there
  4. Reinstall all plugins fresh from WordPress.org
  5. Reinstall your theme fresh from the developer/theme store
  6. Import a clean database backup if the database was also infected

Step 5: Harden and prevent re-infection

  • Update WordPress, all plugins, and all themes immediately
  • Remove unused themes and plugins
  • Set correct file permissions (644 files, 755 directories, 600 for wp-config.php)
  • Install Wordfence with the firewall enabled
  • Enable 2FA on the WordPress admin account
  • Configure automatic daily backups
  • Monitor with the malware scanner included on your plan for ongoing protection

Open a support ticket if you need help

If you cannot identify or remove the malware, or if your cPanel access was compromised, open a Technical Support ticket. Our team can investigate server-level logs and assist with remediation.
