Discovering that your website has been infected with malware is alarming, but it is a situation that can be resolved with the right approach. Malware on a hosting account can lead to defaced pages, stolen visitor data, spam emails being sent from your account, search engine blacklisting, and loss of customer trust. This comprehensive guide walks you through identifying, scanning for, and removing malware from your SakuraHost hosting account, as well as preventive steps to keep your site secure going forward.

Signs Your Website May Be Infected

  • Your website displays unexpected content, pop-ups, or redirects to other sites
  • Google shows a "This site may be hacked" or "This site may harm your computer" warning in search results
  • Your hosting account is sending spam emails you did not authorize
  • Website performance has suddenly degraded
  • Unknown files or directories have appeared in your hosting account
  • Your cPanel or CMS admin passwords have been changed without your knowledge
  • Browser antivirus software flags your website as dangerous
  • SakuraHost has notified you of suspicious activity or resource abuse

Step 1: Isolate and Back Up

Critical First Step: Before making any changes, create a complete backup of your hosting account through cPanel > Backup Wizard or your SakuraHost client area. This preserves evidence and gives you a fallback if cleanup causes issues. Label this backup clearly as "infected" so you do not accidentally restore it later.

If possible, put your website into maintenance mode or temporarily disable it to prevent further damage to visitors while you perform the cleanup.

Step 2: Scan for Malware

Method 1: ClamAV Virus Scanner in cPanel

Step 1: Log in to cPanel from your SakuraHost client area.
Step 2: Navigate to the Advanced section and click Virus Scanner.
Step 3: Select Entire Home Directory for the most thorough scan.
Step 4: Click Scan Now. The scanner will check all files in your account against known malware signatures.
Step 5: Review the results. Infected files will be listed with options to quarantine or delete them.

Method 2: Online Malware Scanners

Use external scanning services to check your website from a visitor's perspective:

  • Sucuri SiteCheck: Free scanner at sitecheck.sucuri.net — detects malware, blacklisting status, and security issues.
  • Google Safe Browsing: Visit https://transparencyreport.google.com/safe-browsing/search and enter your domain to check Google's blacklist status.
  • VirusTotal: Scans your URL against 70+ antivirus engines.
  • Mozilla Observatory: Comprehensive security analysis including malware indicators.

Method 3: WordPress-Specific Scanning

For WordPress sites, install the Wordfence or Sucuri Security plugin and run a full scan. These plugins compare your core WordPress files, themes, and plugins against the official repository versions to detect any unauthorized modifications.

Step 3: Remove Malware

Manual Cleanup Process

Check Recently Modified Files

In cPanel File Manager, sort files by "Last Modified" date. Files changed by malware usually show a recent modification date. Look for files modified at unusual times or on dates when you were not making changes. Pay special attention to:

  • .htaccess files (attackers often add redirect rules)
  • index.php and wp-config.php (common injection targets)
  • Random-named PHP files in your uploads or temp directories
  • Files with suspicious names like wp-tmp.php, db_session.php, or strings of random characters

Look for Common Malware Patterns

Open suspicious files and look for these common indicators:

Common malware indicators in PHP files:

  • eval(base64_decode('...encoded string...'))
  • eval(gzinflate(base64_decode('...')))
  • $_POST['password'] or $_GET['cmd']
  • shell_exec() or exec() or system() or passthru()
  • file_get_contents() loading remote URLs
  • preg_replace with /e modifier
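
The indicators listed above, together with the "recently modified" check from the previous section, can be combined into a first-pass triage scan. This is an added example, not SakuraHost or ClamAV code; the regexes, function names and sample files are constructed for illustration, and a hit only marks a line for manual review.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Regexes for the indicators listed above. A hit marks a file for manual
# review; legitimate code can use these functions too.
INDICATORS = {
    "eval-base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "eval-gzinflate": re.compile(r"eval\s*\(\s*gzinflate\s*\(", re.I),
    "request-param": re.compile(r"\$_(?:POST\[\s*['\"]password|GET\[\s*['\"]cmd)['\"]\s*\]"),
    # Lookbehind skips method calls ($pdo->exec) and names like curl_exec.
    "command-exec": re.compile(r"(?<![\w>$])(?:shell_exec|exec|system|passthru)\s*\(", re.I),
    "remote-fetch": re.compile(r"file_get_contents\s*\(\s*['\"]https?://", re.I),
    "preg-replace-e": re.compile(r"preg_replace\s*\(\s*(['\"])(\W).*?\2[a-z]*e[a-z]*\1", re.I),
}


def scan_tree(root, since=None):
    """Return sorted (path, line, indicator) hits; since = minimum mtime (epoch)."""
    root, hits = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in {".php", ".phtml"}:
            continue
        if since is not None and path.stat().st_mtime < since:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            for name, rx in INDICATORS.items():
                if rx.search(line):
                    hits.append((path.relative_to(root).as_posix(), no, name))
    return sorted(hits)


def demo():
    """Scan a constructed sample tree: full scan, then files from the last 24h."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "uploads").mkdir()
        (site / "index.php").write_text(
            "<?php\n$n = $pdo->exec('DELETE FROM cache');\n$r = curl_exec($ch);\n")
        (site / "uploads/x7f3a.php").write_text(
            "<?php\neval(base64_decode('Y29uc3RydWN0ZWQ='));\n$c = $_GET['cmd'];\n")
        old = site / "legacy.php"
        old.write_text("<?php\necho passthru('uptime');\n")
        week_ago = time.time() - 7 * 86400
        os.utime(old, (week_ago, week_ago))
        return scan_tree(site), scan_tree(site, since=time.time() - 86400)
```

Run `scan_tree` against a downloaded copy of the account or the live document root. The clean `index.php` in the sample shows why `$pdo->exec()` and `curl_exec()` are excluded from the command-execution pattern.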

Remove Infected Code

For each infected file, either remove the malicious code (if it was injected into an existing file) or delete the file entirely (if it is a standalone malware file). For WordPress sites, you can replace core files by downloading a fresh copy from wordpress.org and uploading them via File Manager.

Clean the Database

Malware can also reside in your database, particularly in WordPress posts, pages, and options tables. Using phpMyAdmin in cPanel:

Step 1: Open phpMyAdmin from cPanel.
Step 2: Select your website's database.
Step 3: Search the wp_options table for suspicious entries, particularly in siteurl, home, and any options with encoded or obfuscated values.
Step 4: Search wp_posts for injected scripts using:

    SELECT * FROM wp_posts WHERE post_content LIKE '%<script%' OR post_content LIKE '%eval(%';

Step 4: Secure Your Account

After removing the malware, you must close the vulnerabilities that allowed the infection:

  1. Change All Passwords: cPanel password, FTP passwords, database passwords, CMS admin passwords, and email account passwords. Use strong, unique passwords for each.
  2. Update Everything: WordPress core, all themes, and all plugins. Outdated software is the most common entry point for malware.
  3. Remove Unused Themes and Plugins: Even deactivated plugins can be exploited if they contain vulnerabilities.
  4. Check User Accounts: In your CMS admin panel, review all user accounts and remove any you do not recognize. Attackers often create backdoor admin accounts.
  5. Review File Permissions: Files should be 644 and directories should be 755. No files should be 777.
  6. Enable Two-Factor Authentication: Add 2FA to your SakuraHost account and CMS admin panel.

Request a Review: If Google has flagged your site, after cleanup submit a review request through Google Search Console. Google will re-scan your site and remove the warning typically within 24-72 hours if the malware has been successfully removed.
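
The permission baseline from item 5 above (files 644, directories 755, nothing 777) can be audited across the whole account in one pass. This is an added example, not SakuraHost code; the function names and sample tree are constructed, and treating stricter modes such as 600 as acceptable is an assumption of the example.

```python
import os
import stat
import tempfile
from pathlib import Path

FILE_MAX, DIR_MAX = 0o644, 0o755  # baselines from item 5 above


def audit_permissions(root):
    """Return sorted (relative path, octal mode, finding) for entries whose
    mode grants bits beyond the baseline. Stricter modes (e.g. 600) pass;
    that choice is an assumption of this example."""
    root, findings = Path(root), []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            limit = DIR_MAX if stat.S_ISDIR(st.st_mode) else FILE_MAX
            extra = mode & ~limit  # permission bits the baseline does not allow
            if extra:
                finding = "world-writable" if extra & stat.S_IWOTH else "exceeds baseline"
                findings.append((path.relative_to(root).as_posix(), f"{mode:o}", finding))
    return sorted(findings)


def demo():
    """Audit a constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        layout = {"index.php": 0o644, "wp-config.php": 0o600,
                  "script.php": 0o755, "uploads/img.php": 0o666}
        (site / "uploads").mkdir()
        for rel, mode in layout.items():
            (site / rel).write_text("<?php // constructed sample\n")
            os.chmod(site / rel, mode)
        os.chmod(site / "uploads", 0o777)
        return audit_permissions(site)


if __name__ == "__main__":
    print(demo())
```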

Prevention Going Forward

  • Keep all software updated — enable automatic updates where possible
  • Use strong, unique passwords and enable two-factor authentication
  • Install a security plugin (Wordfence, Sucuri) for real-time monitoring
  • Maintain regular backups so you can quickly restore a clean version
  • Use SakuraHost's ModSecurity WAF for additional protection
  • Review the OWASP Top 10 security vulnerabilities to understand common attack vectors
  • Limit FTP/SSH access to only the IP addresses you use

If you need professional assistance with malware removal, contact SakuraHost Support. Our team can perform a thorough server-side scan and help you restore your website to a clean state.
