
Site Malware Cleanup — Recovering From a Hacked Website

Step-by-step recovery when your site has been compromised — using Imunify360, JetBackup, and the manual checks that catch what scanners miss.


Discovering your site is hacked is stressful but recoverable. The path back to clean: scan with the tools available, identify the entry point, restore or clean, and harden against reinfection. This guide walks the full process — practical and concrete, not generic advice.

Signs your site has been compromised

  • Strange ads, popups or redirects that visitors report but you never see. Injected code commonly cloaks itself from logged-in admins, known admin IPs and search-engine crawlers, so check from a private browser window on a different network (mobile data) before concluding the visitors are mistaken.
  • Browser warnings when accessing your site (“Deceptive site ahead”).
  • Imunify360 quarantine emails for files you don’t recognize.
  • Unknown admin users in WordPress or other CMS.
  • Unexpected redirects to pharmaceutical/gambling/adult sites.
  • Search engine spam — your site appearing in search results for unrelated topics (often Japanese characters, pharma terms).
  • Mailbox flooded with bounces for emails you didn’t send.
  • Resource usage spiking from unrecognized cron jobs or processes.
  • Site suddenly suspended by your host (for sending spam, hosting phishing pages, etc.).

Step 1: Don’t panic, don’t make it worse

Avoid these knee-jerk reactions:

  • Don’t immediately delete files. You need evidence of what happened to know how to prevent recurrence.
  • Don’t reinstall WordPress over the existing install. Malware often hides in themes, plugins, uploads — reinstalling core leaves it behind.
  • Don’t change ONLY one password. Multiple credentials are usually involved; partial fixes leave attacker access.
  • Don’t put the site back online prematurely. A “clean-looking” site can still be compromised.

Step 2: Take the site offline (temporarily)

If active malware is being served to visitors, the first priority is to stop that while preserving evidence. Three options, from weakest to strongest:

  • Maintenance mode plugin in WordPress (if WP login still works): WP Maintenance Mode, SeedProd. Caveat: a plugin only affects requests that WordPress routes; a webshell or spam page reached by its direct URL still runs.
  • Replace the front controller: rename index.php to index.php.disabled and create a new index.php containing <?php exit; ?>. Visitors see a blank page and every original file stays in place as evidence. Same caveat: any other PHP file requested directly (wp-login.php, xmlrpc.php, dropped files) is still executed.
  • .htaccess lockdown at the docroot: a rule that returns 503 to every IP except your own. This stops everything, including direct hits on dropped files, and a 503 tells search engines the outage is temporary. Keep a copy of the old .htaccess before overwriting it; injected redirects often live there.

Don't disable the site entirely (DNS changes, suspending the hosting account): you still need web and file access to investigate and fix it.
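The .htaccess lockdown described above, as an added example that is not part of the original article: it backs up the existing .htaccess as evidence, writes rules that answer 503 to everyone but your IP, and removes them again afterwards. The docroot path, the admin IP and the assumption that the host honours mod_rewrite in .htaccess (true for Apache and LiteSpeed on cPanel) are mine, not the article's.

```bash
#!/usr/bin/env bash
# Added example, not from the article: temporary IP-restricted lockdown for a
# hacked site. Assumes an Apache 2.4 or LiteSpeed host that honours mod_rewrite
# in .htaccess (cPanel does). Docroot and admin IP come from the caller; the
# values in the demo at the bottom are made up.
set -u

# Replace the docroot .htaccess with one that answers 503 to every IP except
# $admin_ip. 503 stops the payload being served and tells crawlers "temporary",
# which a blank 200 page or a 404 does not. The previous .htaccess is copied
# aside as evidence (injected redirects often live there), never discarded.
lockdown_site() {
    local docroot="$1" admin_ip="$2" ip_re stamp
    stamp=$(date +%Y%m%d-%H%M%S)
    # Escape the dots so the RewriteCond regex matches the IP literally.
    ip_re=$(printf '%s' "$admin_ip" | sed 's/\./\\./g')
    if [ -f "$docroot/.htaccess" ]; then
        cp -p "$docroot/.htaccess" "$docroot/.htaccess.evidence-$stamp"
    fi
    cat > "$docroot/.htaccess" <<EOF
# LOCKDOWN-MARKER: temporary rules written during cleanup, remove when done
ErrorDocument 503 "Site temporarily unavailable for maintenance."
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^${ip_re}\$
RewriteRule .* - [R=503,L]
EOF
}

# True if the docroot currently carries the lockdown rules.
is_locked_down() {
    grep -q '^# LOCKDOWN-MARKER' "$1/.htaccess" 2>/dev/null
}

# Remove the lockdown. The attacker-era .htaccess is NOT restored automatically:
# read the .evidence-* copy and put back only the rules you recognise.
unlock_site() {
    local docroot="$1"
    if is_locked_down "$docroot"; then
        rm -f "$docroot/.htaccess"
    fi
    ls "$docroot"/.htaccess.evidence-* 2>/dev/null || true
}

# Demo on a throwaway directory:  ./lockdown.sh demo
# On the real account:  lockdown_site "$HOME/public_html" "<your public IP>"
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf '# BEGIN WordPress\nRewriteRule . /index.php [L]\n# END WordPress\n' > "$d/.htaccess"
    lockdown_site "$d" 203.0.113.7   # 203.0.113.7: documentation address standing in for your IP
    cat "$d/.htaccess"
    unlock_site "$d"
    rm -rf "$d"
fi
```

Find your current public IP from the machine you will work from (it is what cPanel shows under "Last login from" on the home page), and remember that a VPN or a change of network locks you out too; if that happens, rename the file from File Manager.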

Step 3: Run a full Imunify360 scan

  1. cPanel → Security → Imunify360.
  2. Click Action → Start Scanning.
  3. Wait for scan completion (can take minutes to hours depending on account size).
  4. Review the Files tab: every detected malicious file is listed.

For each detection:

  • Quarantine if the file is purely malicious (a webshell, an isolated dropped file). Quarantine is reversible and keeps the file for the entry-point investigation in Step 4, so prefer it over outright deletion.
  • Clean if it's a legitimate file (WordPress core, theme, plugin) with injected malicious code: Imunify360 can often remove the injection while keeping the legitimate code. Afterwards, diff the cleaned file against a fresh copy of the same plugin or core version to confirm nothing was left behind.
  • Delete only unrecognised files you are certain should not exist, and only after noting their path and timestamp for Step 4.

Step 4: Find the entry point

Cleaning files without finding how the attacker got in just means they’ll come back. Common entry points:

A. Outdated plugin or theme (most common)

Look at the modification dates of the detected files. They often cluster around a single timestamp: that is when the dropper ran. Check which plugin or theme has files modified near that timestamp, then look up the plugin name plus "vulnerability" and the plugin's changelog; public advisories usually name the affected versions and the endpoint that was abused, so compare them with the version you had installed. Two caveats: attackers can reset modification times with touch, so cross-check the change time (ctime), which cannot be set from userspace; and the earliest dropped file is only an upper bound on when the attacker got in, not proof they weren't there earlier.

Specific patterns: malware inside /wp-content/plugins/[plugin-name]/ often points at that plugin, but only if the plugin's own files were modified rather than just used as a hiding place, since any writable directory will do. Malware in /wp-content/uploads/ usually means an upload handler (in a plugin or theme) let the attacker drop PHP into a folder that should only ever hold media. Correlate with the raw access log: the first request to the dropped file, and the requests from that IP just before it, identify the endpoint that was exploited.
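The timestamp clustering described above, as an added example (not code from the article): it builds an hour-by-hour histogram of modification times, lists the files in the spike and counts them per plugin, theme or uploads so the spike maps back to a component. It assumes GNU find/touch/sed, as found on CloudLinux/cPanel hosts; the sample docroot it builds is constructed for the demo and "contact-helper" is a made-up plugin name.

```bash
#!/usr/bin/env bash
# Added example, not from the article: timeline the files on disk to find the
# attack's timestamp cluster and map it to a plugin, theme or uploads. Assumes
# GNU find/touch/sed (standard on CloudLinux/cPanel). The sample tree is
# constructed; "contact-helper" is a made-up plugin name.
set -u

# Modification-time histogram, one line per hour, busiest hour first. Normal
# maintenance spreads writes over days; a compromise is one hour with a spike.
mtime_histogram() {
    find "$1" -type f -printf '%TY-%Tm-%Td %TH\n' | sort | uniq -c | sort -rn
}

# Same histogram on change time (ctime). touch can rewrite an mtime to blend
# in; it cannot set the ctime, so disagreement between the two is itself a clue.
ctime_histogram() {
    find "$1" -type f -printf '%CY-%Cm-%Cd %CH\n' | sort | uniq -c | sort -rn
}

busiest_hour() {
    mtime_histogram "$1" | head -1 | awk '{ print $2, $3 }'
}

# Files modified in the window (start, end], oldest first, paths relative to
# the docroot.
files_in_window() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" \
        -printf '%TY-%Tm-%Td %TH:%TM %P\n' | sort
}

# The same window counted per wp-content component, so the spike maps to one
# plugin/theme (the likely vulnerable one) or to uploads (a file-upload hole).
components_in_window() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" -printf '%P\n' \
      | sed -n -e 's#^wp-content/\(plugins\|themes\)/\([^/]*\)/.*#\1/\2#p' \
               -e 's#^wp-content/uploads/.*#uploads#p' \
               -e 's#^\(wp-admin\|wp-includes\)/.*#core:\1#p' \
      | sort | uniq -c | sort -rn
}

top_component() {
    components_in_window "$1" "$2" "$3" | head -1 | awk '{ print $2 }'
}

# Constructed sample docroot: legitimate files spread over weeks, plus five
# files written within minutes of each other at 03:12 on 14 March.
make_sample_tree() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/plugins/akismet" \
             "$d/wp-content/themes/twentytwentyfour" \
             "$d/wp-content/plugins/contact-helper/cache" "$d/wp-content/uploads/2024/03"
    touch -d '2024-02-28 10:00' "$d/wp-includes/version.php"
    touch -d '2024-03-05 09:30' "$d/wp-content/plugins/akismet/akismet.php"
    touch -d '2024-03-10 16:45' "$d/wp-content/themes/twentytwentyfour/style.css"
    touch -d '2024-03-13 11:20' "$d/wp-content/uploads/2024/03/photo.jpg"
    touch -d '2024-03-14 03:12' "$d/wp-content/plugins/contact-helper/contact-helper.php"
    touch -d '2024-03-14 03:12' "$d/wp-content/plugins/contact-helper/cache/inc.php"
    touch -d '2024-03-14 03:13' "$d/wp-content/plugins/contact-helper/cache/.x.php"
    touch -d '2024-03-14 03:14' "$d/wp-content/uploads/2024/03/wp-cache.php"
    touch -d '2024-03-14 03:15' "$d/wp-content/uploads/2024/03/.a.php"
    printf '%s\n' "$d"
}

# Demo on the constructed tree. On the real account use "$HOME/public_html".
tree=$(make_sample_tree)
echo "== writes per hour (top 5) =="; mtime_histogram "$tree" | head -5
win_start='2024-03-14 03:00'; win_end='2024-03-14 04:00'
echo "== files in the spike =="; files_in_window "$tree" "$win_start" "$win_end"
echo "== components in the spike =="; components_in_window "$tree" "$win_start" "$win_end"
rm -rf "$tree"
```

On the demo tree the busiest hour is 2024-03-14 03 with five writes, three of them under plugins/contact-helper and two under uploads: the plugin is the suspect and uploads is where the payload landed. Run the ctime histogram too; if the two disagree, the attacker back-dated files and the ctime spike is the real one.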

B. Compromised WordPress admin

Check WP Admin → Users. An unknown user with the Administrator role is an account the attacker created or took over; note its registration date and e-mail address before deleting it. Look at last-login times in any plugin that logs them, and at the volume of POST requests to wp-login.php in the raw access log. A weak admin password plus brute force is the usual cause, but so is a password reused from another breach.

C. Compromised hosting/FTP credentials

If the modified files were written via FTP/SFTP (the FTP log shows the uploads) and nothing correlates with a plugin or theme, your cPanel or FTP credentials leaked, often from malware on a workstation that had them saved in an FTP client. Check cPanel → Metrics (Visitors, Raw Access) and the FTP log for logins from locations you don't recognise.

D. Cross-account contamination

Rare on cPanel because CloudLinux's CageFS isolates accounts from each other, but possible when another site on the same account (an addon domain) was compromised first: everything under one account runs as the same user and can write anywhere in it.
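To tell entry points A, B and C apart, correlate the flagged file with the raw access log. As an added example (not from the article), the script below takes the dropped file's path from the Imunify360 report, finds the first request to it, and prints what that IP did beforehand; the request immediately before the first hit is normally the exploit (a POST to a plugin endpoint means A; a logged-in wp-admin session means B; no request at all means the web tier didn't write the file, so look at FTP and cPanel logins, C). It also counts POSTs to wp-login.php per IP for the brute-force case. The log location (on cPanel, ~/access-logs/<domain>) and the combined-format field positions are assumptions; the log lines are constructed with documentation IP addresses and a made-up plugin name.

```bash
#!/usr/bin/env bash
# Added example, not from the article: correlate a file Imunify360 flagged with
# the raw Apache access log to find the request that planted it. Assumes the
# cPanel raw log (~/access-logs/<domain>) in combined log format; the sample
# lines below are constructed and use documentation IP ranges.
set -u

# Constructed sample log. "contact-helper" is a made-up plugin name.
make_sample_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
192.0.2.55 - - [14/Mar/2024:02:40:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
192.0.2.55 - - [14/Mar/2024:02:40:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
192.0.2.55 - - [14/Mar/2024:02:40:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
198.51.100.23 - - [14/Mar/2024:02:58:17 +0000] "GET /about/ HTTP/1.1" 200 31288 "https://www.example.net/" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2024:03:11:52 +0000] "GET /wp-content/plugins/contact-helper/readme.txt HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2024:03:12:03 +0000] "POST /wp-content/plugins/contact-helper/ajax-upload.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2024:03:12:09 +0000] "GET /wp-content/uploads/2024/03/wp-cache.php?cmd=id HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Mar/2024:03:13:40 +0000] "GET / HTTP/1.1" 200 41233 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2024:03:15:31 +0000] "POST /wp-content/uploads/2024/03/wp-cache.php HTTP/1.1" 200 98 "-" "Mozilla/5.0"
EOF
    printf '%s\n' "$f"
}

# Combined format: $1 client IP, $4 "[date:time", $6 "\"METHOD", $7 path, $9 status.

# First request whose path starts with the dropped file (query strings such as
# ?cmd=id still match). Prints the full log line.
first_request_to() {
    awk -v p="$2" 'index($7, p) == 1 { print; exit }' "$1"
}

# IP behind that first request: the attacker or the attacker's proxy.
attacker_ip() {
    first_request_to "$1" "$2" | awk '{ print $1 }'
}

# Everything one IP did, in order: time method path status.
timeline_for_ip() {
    awk -v ip="$2" '$1 == ip { gsub(/"/, "", $6); print substr($4, 2), $6, $7, $9 }' "$1"
}

# Requests from the attacker IP before the dropped file was first hit: these
# are the exploit candidates. Empty output means no web request preceded the
# file, i.e. it arrived another way (FTP/SFTP, cPanel File Manager).
requests_before_drop() {
    local log="$1" path="$2" ip
    ip=$(attacker_ip "$log" "$path")
    if [ -z "$ip" ]; then
        echo "no request to $path in the log; check FTP/cPanel logs" >&2
        return 0
    fi
    awk -v ip="$ip" -v p="$path" '
        index($7, p) == 1 { exit }
        $1 == ip { gsub(/"/, "", $6); print substr($4, 2), $6, $7, $9 }' "$log"
}

# Entry point B check: POST /wp-login.php volume per IP. WordPress answers a
# failed login with 200, so the status code cannot be used to filter.
login_posts_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (i in n) print n[i], i }' "$1" | sort -rn
}

# Demo on the constructed log. Real account: log=~/access-logs/<domain>
log=$(make_sample_log)
dropped=/wp-content/uploads/2024/03/wp-cache.php   # path taken from the scanner report
echo "attacker IP: $(attacker_ip "$log" "$dropped")"
echo "== what that IP did before the dropped file first answered =="
requests_before_drop "$log" "$dropped"
echo "== POST /wp-login.php per IP (brute-force candidates) =="
login_posts_by_ip "$log"
rm -f "$log"
```

In the constructed log the request just before the webshell's first hit is a POST to the plugin's ajax-upload.php from the same IP: entry point A, and the advisory to look for is that plugin's upload handler. The separate burst of wp-login.php POSTs from 192.0.2.55 is an unrelated brute-force attempt, which is the pattern you would see for entry point B if its IP were the one that later touched the dropped file. Rotated logs live beside the current one, so grep across all of them if the first hit isn't in the newest file.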

Step 5: Change all credentials

Do this before the site goes back online, and again after any backup restore (the backup contains the old, leaked secrets):

  • cPanel password (Account Preferences → Password).
  • All WordPress admin passwords. Delete unknown users.
  • FTP/SFTP user passwords, and remove FTP accounts you don't need.
  • Database passwords, then update wp-config.php to match.
  • The WordPress keys and salts (AUTH_KEY and the other constants in wp-config.php). Changing them invalidates every existing login cookie, including any the attacker stole.
  • API keys for any integrations (Stripe, Mailchimp, anything).

Use new strong passwords from a password manager. Don't reuse anything.

Step 6: The nuclear option — restore from backup

If the compromise is extensive, restoring from a clean backup is often faster than cleaning piecemeal.

  1. cPanel → JetBackup 5.
  2. Pick a backup from BEFORE the compromise date. Use the file timestamps from your Step 4 investigation, and remember they show when files were dropped, not necessarily when the attacker first got in; if in doubt, go back further than feels necessary.
  3. Full Account Backups → Restore.
  4. After the restore the site is running the same vulnerable plugin/theme/core versions as before. Update them immediately, before the site takes public traffic, or it will be re-exploited the same way.
  5. Change every credential again (Step 5): the backup contains the old, leaked ones.

Caveat: legitimate data created since that backup (orders, posts, signups, uploads) is lost. For high-velocity sites, weigh that against the cleanup effort. If your backup tool lets you restore files and databases separately, restoring files only and keeping the current database is sometimes the right compromise, provided the database is checked for injected users and spam posts.

Step 7: Manual cleanup checklist (after scanner-based cleanup)

Even after Imunify360 clears your account, manually check these high-risk spots. Record what you find (path, timestamp, contents) before deleting anything.

  • Cron jobs. cPanel → Cron Jobs. Attackers add cron jobs that re-download the malware after you clean (look for wget, curl, base64 or anything running from /tmp). Delete anything you didn't create.
  • WordPress users. Delete unknown admins. Check their author archives for content they added, and search posts for links you didn't add.
  • .htaccess files. Look for redirects you didn't add, RewriteCond lines keyed on HTTP_REFERER or HTTP_USER_AGENT (cloaking: only visitors arriving from a search engine get redirected), and AddHandler/AddType lines that make another extension executable. Check every .htaccess in every subdirectory, not just the root, including one inside wp-content/uploads/.
  • wp-config.php. Check for unfamiliar PHP at the top or appended at the bottom, especially obfuscated or base64-encoded sections.
  • Uploads folder. No executable files should exist in wp-content/uploads/. List them first from the cPanel Terminal: find ~/public_html/wp-content/uploads -type f \( -name "*.php" -o -name "*.phtml" -o -name "*.php[0-9]" \) and delete them once reviewed.
  • Themes folder. Unfamiliar theme directories? Themes you don't recognise? Delete them. Also check that the active theme's functions.php has not had code appended.
  • Sitemap and search results. Search Google for site:yourdomain.com. Any unfamiliar pages are attacker-injected SEO spam; find the files or posts that generate them rather than just requesting removal.

Step 8: Harden against re-infection

  • Update WordPress core, every plugin, every theme. Compare against the advisory you found in Step 4: the fix must be in the version you install.
  • Delete plugins/themes you don't actively use. Every installed plugin is attack surface even when deactivated, because its PHP files can still be requested directly.
  • Enable 2FA for WordPress via a plugin (WP 2FA, Wordfence Login Security).
  • Limit login attempts (Limit Login Attempts Reloaded).
  • Block XML-RPC if you don't use it (most sites don't; Jetpack and the mobile apps do). In .htaccess, after RewriteEngine On: RewriteRule ^xmlrpc\.php$ - [F,L]. The dot must be escaped and the pattern end-anchored so only that file matches.
  • Deny PHP execution inside wp-content/uploads/ with an .htaccess there, so a dropped webshell that a scanner misses cannot run.
  • Hide the WP version: remove the meta generator tag. Low value on its own, since the version is visible in other places, so don't rely on it.
  • Consider a security plugin: Wordfence, iThemes Security, Sucuri.
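The two .htaccess items above, written out as an added example (not code from the article) so they can be applied and re-applied safely: the XML-RPC block is prepended to the root .htaccess ahead of the WordPress rewrite rules, and an .htaccess denying PHP-like files is written into wp-content/uploads/, with any existing file there saved as evidence first. The marker comments and the assumption that the host honours mod_rewrite and Require in .htaccess (Apache 2.4 and LiteSpeed on cPanel do) are mine.

```bash
#!/usr/bin/env bash
# Added example, not from the article: two of the hardening items written as
# .htaccess fragments and applied idempotently (safe to re-run). Assumes an
# Apache 2.4 or LiteSpeed host that honours mod_rewrite and "Require" in
# .htaccess, as cPanel does.
set -u

XMLRPC_MARK='# HARDEN: block xmlrpc'
UPLOADS_MARK='# HARDEN: no PHP execution under uploads'

# Prepend the XML-RPC block so it is evaluated before the WordPress rewrite
# rules. The dot is escaped and the pattern end-anchored so only that one file
# matches; an unescaped, unanchored "^xmlrpc.php" also matches other names.
block_xmlrpc() {
    local ht="$1/.htaccess" tmp
    grep -qF "$XMLRPC_MARK" "$ht" 2>/dev/null && return 0
    tmp=$(mktemp)
    {
        printf '%s\n' "$XMLRPC_MARK" '<IfModule mod_rewrite.c>' 'RewriteEngine On' \
                      'RewriteRule ^xmlrpc\.php$ - [F,L]' '</IfModule>' ''
        if [ -f "$ht" ]; then cat "$ht"; fi
    } > "$tmp"
    cat "$tmp" > "$ht"      # cat, not mv: keeps the file's owner and mode
    rm -f "$tmp"
}

# Deny execution of PHP-like files under uploads. Uploads only ever holds
# media, so a webshell dropped there becomes inert even if a scanner misses it.
# An existing uploads/.htaccess is kept as evidence: attackers sometimes write
# one (e.g. AddHandler making .jpg executable) and it is worth reading.
harden_uploads() {
    local up="$1/wp-content/uploads" ht
    ht="$up/.htaccess"
    grep -qF "$UPLOADS_MARK" "$ht" 2>/dev/null && return 0
    mkdir -p "$up"
    if [ -f "$ht" ]; then
        cp -p "$ht" "$ht.evidence-$(date +%Y%m%d-%H%M%S)"
    fi
    {
        printf '%s\n' "$UPLOADS_MARK"
        cat <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
    } > "$ht"
}

# True once both fragments are in place.
is_hardened() {
    grep -qF "$XMLRPC_MARK" "$1/.htaccess" 2>/dev/null \
      && grep -qF "$UPLOADS_MARK" "$1/wp-content/uploads/.htaccess" 2>/dev/null
}

# Demo on a throwaway directory:  ./harden.sh demo
# Real account:  block_xmlrpc "$HOME/public_html"; harden_uploads "$HOME/public_html"
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '# BEGIN WordPress\nRewriteEngine On\nRewriteRule . /index.php [L]\n# END WordPress\n' > "$d/.htaccess"
    block_xmlrpc "$d"; harden_uploads "$d"
    cat "$d/.htaccess" "$d/wp-content/uploads/.htaccess"
    rm -rf "$d"
fi
```

After applying, request /xmlrpc.php and a harmless test file such as /wp-content/uploads/x.php from a browser: both must return 403. If the whole site returns 500 instead, the host does not allow these directives in .htaccess and you need to ask support to set them server-side.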

Step 9: Verify clean

  • Imunify360: a final clean scan after cleanup.
  • VirusTotal (virustotal.com): enter your domain URL; it is checked against dozens of URL-reputation engines.
  • Sucuri SiteCheck (sitecheck.sucuri.net): free external scanner specifically for web malware. External scanners only see what a visitor sees, so a cloaked payload can pass them; that is why the Imunify360 file scan comes first.
  • Google Search Console: if Google flagged the site, open Security Issues and click Request Review once cleanup is complete, describing what was fixed. A reconsideration request is the equivalent path if the site received a manual action.

When to call for help

Some signs you should open a support ticket rather than continue alone:

  • Re-infection happens within hours of cleanup despite changing passwords.
  • Imunify360 keeps detecting files even after deleting and updating.
  • Your account is suspended for abuse and you need help diagnosing before reactivation.
  • You think credentials may have leaked outside our environment (your own machine compromised).

We can do deeper forensic work, audit server-side logs, and confirm whether the threat persists at infrastructure level.

What’s next

A hack is recoverable. Methodical cleanup — scan, identify entry, change everything, harden — beats panicked thrashing every time. Most sites that go through this once and harden afterward never see another compromise.
