WordPress Malware File Scan Checklist

admin, June 13, 2026

When a WordPress site is suspected of being hacked, file scanning helps identify suspicious PHP files, modified plugins, unknown uploads and injected code. This checklist focuses on practical checks before cleanup.

Suspicious signs

  • Unknown PHP files in uploads.
  • Plugin folders you did not install.
  • Recently modified core files.
  • Encoded or obfuscated code.
  • Unexpected redirects.
  • New admin users.

Checklist

  1. Back up the current infected state for evidence.
  2. Record the website root path.
  3. Check wp-content/uploads for PHP files.
  4. Check plugin and theme folders for unknown files.
  5. Compare WordPress core files with clean versions.
  6. Search for suspicious functions carefully.
  7. Check recently modified files.
  8. Review admin users.
  9. Remove malware only after identifying entry points.
  10. Restore from a clean backup if available.

Final check

Malware cleanup is not complete until suspicious files are removed, vulnerable access is closed, passwords are changed and the site is monitored after recovery.

Checklist Type: WordPress Security
Level: Intermediate
Risk Level: Critical Risk
Estimated Time: 45–120 minutes

When to Use This Checklist

Use this checklist when a WordPress site shows signs of malware, redirect injection, unknown files or suspicious admin activity.

Required Tools

SSH access or file manager, WordPress admin, backup, malware scanner, clean WordPress core package, Nginx logs

Before You Start

Do not delete suspicious files before creating a backup of the current state and recording what you found.

Verification Steps

  1. No unknown admin remains.
  2. No PHP files remain in uploads unless intentionally required.
  3. Suspicious files are documented.
  4. Passwords are changed.
  5. Site no longer redirects unexpectedly.

Rollback Plan

If cleanup breaks the site, restore the latest backup and repeat the cleanup in a staging copy or restore from a known clean backup.

Common Mistakes

  • Deleting files without a backup.
  • Cleaning malware but keeping the same passwords.
  • Ignoring plugin vulnerabilities.
  • Not checking the uploads folder.
  • Assuming one scan means the site is clean.

Related Commands

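# PHP files under uploads, which normally holds media only
find wp-content/uploads -type f -iname "*.php"
# Files modified in the last 7 days
find . -type f -mtime -7
# Encoded or obfuscated code; legitimate plugins also use these, so review each hit
grep -RIn "base64_decode" wp-content/
grep -RIn "eval(" wp-content/
# Plugin folders, to compare against what you installed
ls -la wp-content/plugins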
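
The commands above have no counterpart for checklist step 5 (compare WordPress core files with clean versions). The script below is an added example, not part of the original page: it assumes the clean WordPress core package from Required Tools is unpacked to a directory and matches the site's version, and its function names and sample trees are constructed for illustration.

```shell
#!/bin/sh
# Read-only: compares a site's core files with an unpacked clean package.
# Prints MISSING, MODIFIED or EXTRA plus the relative path; deletes nothing.

# All files under a root except wp-content (plugins, themes and uploads
# legitimately differ from the package and are covered by other steps).
list_core() {
    (cd "$1" && find . -path ./wp-content -prune -o -type f -print) |
        sed 's|^\./||' | sort
}

compare_core() {   # usage: compare_core SITE_ROOT CLEAN_ROOT
    site="$1"; clean="$2"
    list_core "$clean" | while IFS= read -r rel; do
        if [ ! -f "$site/$rel" ]; then
            echo "MISSING $rel"
        elif ! cmp -s "$clean/$rel" "$site/$rel"; then
            echo "MODIFIED $rel"
        fi
    done
    list_core "$site" | while IFS= read -r rel; do
        # wp-config.php is created at install time, so the package never
        # ships it; review it by hand instead of flagging it every run.
        [ "$rel" = "wp-config.php" ] && continue
        [ -f "$clean/$rel" ] || echo "EXTRA $rel"
    done
}

# Constructed sample trees (placeholder contents, not real WordPress files).
build_demo() {
    d="$(mktemp -d)"
    mkdir -p "$d/clean/wp-includes" "$d/site/wp-includes"
    echo '<?php // index' | tee "$d/clean/index.php" > "$d/site/index.php"
    echo '<?php // load' > "$d/clean/wp-includes/load.php"
    echo '<?php // load, plus an added line' > "$d/site/wp-includes/load.php"
    echo '<?php // cron' > "$d/clean/wp-cron.php"               # absent on site
    echo '<?php // config' > "$d/site/wp-config.php"            # expected extra
    echo '<?php // unknown' > "$d/site/wp-includes/cache-x.php" # not in package
    echo "$d"
}

demo="$(build_demo)"
compare_core "$demo/site" "$demo/clean"
rm -rf "$demo"
```

On a real site, call compare_core with the recorded website root path and the clean package directory, and redirect the output to a file kept with the evidence backup. MODIFIED and EXTRA entries are leads to review, not a verdict.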

Disclaimer: The guides, checklists, commands, and examples on HalfBrain.net are provided for educational and operational reference only. Server environments, hosting providers, software versions, security settings, and WordPress configurations can vary, so you should always review commands before running them on your own system. We do our best to keep the content accurate and useful, but we cannot guarantee that every command, configuration, or recommendation will fit every environment. Always back up your website, database, and server configuration before making changes. HalfBrain.net is not responsible for data loss, downtime, security incidents, misconfiguration, or other issues that may result from applying the information on this website. Use the material at your own discretion.
