{"id":681,"date":"2026-02-19T22:07:21","date_gmt":"2026-02-19T22:07:21","guid":{"rendered":"https:\/\/cloudabove.com\/help\/website-malware-what-to-do-next\/"},"modified":"2026-02-19T22:07:21","modified_gmt":"2026-02-19T22:07:21","slug":"website-malware-what-to-do-next","status":"publish","type":"post","link":"https:\/\/cloudabove.com\/help\/website-malware-what-to-do-next\/","title":{"rendered":"Website malware &amp; what to do next"},"content":{"rendered":"\n<p>If you&#8217;ve found malware or suspect your site has been infected, we&#8217;re here to help. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to know if your site is infected with malware<\/h2>\n\n\n\n<p>Most infected sites may have the following symptoms:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Randomly redirecting to third-party sites<\/li>\n\n\n\n<li>Suspicious content changes (e.g. defacement, new pages, unrelated content)<\/li>\n\n\n\n<li>Unrecognised admin-level users in your dashboard<\/li>\n\n\n\n<li>Unrecognised WordPress plugins <\/li>\n\n\n\n<li>Spam complaints<\/li>\n\n\n\n<li>A visitor&#8217;s anti-virus software or browser warns them about the site<\/li>\n<\/ul>\n\n\n\n<p>If your site is doing something unusual, or you&#8217;ve noticed changes that were not made by you, then it could be malware. <\/p>\n\n\n\n<p class=\"banner-note\">\ud83d\udca1 A technical problem with your website (e.g. performance issues, 50x errors) doesn&#8217;t necessarily mean your site is infected<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How is a site infected? <\/h2>\n\n\n\n<p>In most cases, a website is infected with malware when it&#8217;s <strong>out of date<\/strong>. For example, you may have a WordPress site that has fallen behind on routine updates and one of those missing updates addressed a security issue that has left your site vulnerable to attack. <\/p>\n\n\n\n<p>In other cases, it&#8217;s often due to a <strong>weak or compromised password<\/strong>. If you reuse passwords, or have a weak password, it may have been guessed or obtained through a security breach elsewhere. <\/p>\n\n\n\n<p class=\"banner-tip\">\ud83d\udc49 You can check to see if your email address or password has been seen in a breach at <a href=\"https:\/\/haveibeenpwned.com\/\">Have I Been Pwned<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What about your hosting security? <\/h2>\n\n\n\n<p>We believe that protecting your site(s) is part of the service that we&#8217;re providing and that&#8217;s why all of our hosting services are covered by numerous levels of security as standard. <\/p>\n\n\n\n<p>Our preferred security solutions are Imunify360 and Monarx, both are industry leaders and block thousands of attacks per day.<\/p>\n\n\n\n<p>However, no security solution can guarantee complete protection and if you have an out of date site or a weak password, then it&#8217;s typically only a matter of time before your site is compromised. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What happens next?<\/h2>\n\n\n\n<p>We recommend the following process for most situations:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Check your hosting&#8217;s anti-malware to confirm your site is infected<\/li>\n\n\n\n<li>Put your site into maintenance (optional but recommended)<\/li>\n\n\n\n<li>Identify when the infection occurred<\/li>\n\n\n\n<li>Restore from a backup or clean your site<\/li>\n\n\n\n<li>Run through our post-hack process<\/li>\n\n\n\n<li>Bring your site back online<\/li>\n<\/ol>\n\n\n\n<p>We understand that anything security related can be worrying and we&#8217;re here to help you through the above process<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Checking your hosting&#8217;s security history or anti-malware<\/h3>\n\n\n\n<p>If you&#8217;re on a cPanel or Plesk based hosting plan, login to cPanel\/Plesk and head to <strong>Imunify360<\/strong> and then <strong>History<\/strong>. <\/p>\n\n\n\n<p>Otherwise, if you&#8217;re on a <strong>Scout<\/strong> based service, you may have received an email to let you know that malware has been found, or the site shows a notice such as:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"563\" src=\"https:\/\/kb.cloudabove.com\/wp-content\/uploads\/sites\/4\/2026\/02\/image-3-1024x563.png\" alt=\"\" class=\"wp-image-682\" style=\"width:446px;height:auto\" srcset=\"https:\/\/kb.cloudabove.com\/wp-content\/uploads\/sites\/4\/2026\/02\/image-3-1024x563.png 1024w, https:\/\/kb.cloudabove.com\/wp-content\/uploads\/sites\/4\/2026\/02\/image-3-300x165.png 300w, https:\/\/kb.cloudabove.com\/wp-content\/uploads\/sites\/4\/2026\/02\/image-3-768x422.png 768w, https:\/\/kb.cloudabove.com\/wp-content\/uploads\/sites\/4\/2026\/02\/image-3-770x423.png 770w, https:\/\/kb.cloudabove.com\/wp-content\/uploads\/sites\/4\/2026\/02\/image-3.png 1376w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"banner-tip\">\ud83d\udc49 If nothing has been found, there could still be a problem and you&#8217;re welcome to contact us to investigate further <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Identifying when your site was infected<\/h3>\n\n\n\n<p>If you have a rough date\/time of when the site was infected, it&#8217;s easier to identify how it happened and what backups will be suitable for recovery. <\/p>\n\n\n\n<p>However, it&#8217;s not always possible to know exactly when a security issue occurred, but often the best place to start is to look at the date of oldest malware hit.<\/p>\n\n\n\n<p>If Imunify360 or Monarx are not showing any results, then look for other dates\/times (e.g. when a user registered, or a file or page was created).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cleaning or recovering your site<\/h3>\n\n\n\n<p>There are multiple options for getting back online:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Roll back using a backup \u2013 all of our services have daily backups and these can be used to quickly recover<\/li>\n\n\n\n<li>Manual clean \u2013 only recommended for small infections or if you have a background in development or security<\/li>\n\n\n\n<li>Professional audit &amp; clean through cloudabove or a third-party \u2013 chargeable but thorough<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\">Using a backup<\/h4>\n\n\n\n<p>Backups are the safest way to recover from an infection, but this may not be feasible if you&#8217;ve made a lot of content changes or your site is ecommerce based. <\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Manually cleaning your site<\/h4>\n\n\n\n<p>Imunify360 or Monarx may have already quarantined or cleaned the infection for you automatically. If your site is otherwise working and doesn&#8217;t contain any unwanted content, you can proceed through to our post-hack steps to help secure your site. <\/p>\n\n\n\n<p>If the malware is still active (i.e. your site is still doing something unusual), then it may be possible to clean your site manually. Whilst we&#8217;re not developers, we can help you with this process, but we may refer you to a developer or recommend a professional clean if the infection is deeper than expected.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Professional audit &amp; clean<\/h4>\n\n\n\n<p>If backups are not suitable, the site is heavily infected or you simply want peace of mind that the site is definitely clean, then we recommend a professional audit and clean by a security company. <\/p>\n\n\n\n<p>We can provide professional cleans through our security partner Monarx, simply contact us to request a clean. Alternatively, research online or ask your developer for a recommendation. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Post-hack steps<\/h3>\n\n\n\n<p>Once your site has been recovered, you&#8217;ll want to follow our post-hack steps as soon as possible to prevent your site being reinfected:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resetting all website admin user passwords<\/li>\n\n\n\n<li>Checking for any unrecognised admin users and removing them<\/li>\n\n\n\n<li>Checking for any unrecognised plugins, extensions or themes &amp; removing them<\/li>\n\n\n\n<li>Removing any deactivated\/redundant themes and plugins (these can still be used to compromise the site)<\/li>\n\n\n\n<li>Bringing the site&#8217;s core, themes and plugins\/extensions fully up to date<\/li>\n\n\n\n<li>Setup two-factor authentication (if available)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>If you&#8217;ve found malware or suspect your site has been infected, we&#8217;re here to help. How to know if your site is infected with malware Most infected sites may have the following symptoms: Randomly redirecting to third-party sites Suspicious content changes (e.g. defacement, new pages, unrelated content) Unrecognised admin-level users&hellip;<\/p>\n","protected":false},"author":10,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,7,17],"tags":[],"class_list":["post-681","post","type-post","status-publish","format-standard","hentry","category-our-control-panel","category-cpanel","category-security"],"_links":{"self":[{"href":"https:\/\/cloudabove.com\/help\/wp-json\/wp\/v2\/posts\/681","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudabove.com\/help\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudabove.com\/help\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudabove.com\/help\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudabove.com\/help\/wp-json\/wp\/v2\/comments?post=681"}],"version-history":[{"count":1,"href":"https:\/\/cloudabove.com\/help\/wp-json\/wp\/v2\/posts\/681\/revisions"}],"predecessor-version":[{"id":683,"href":"https:\/\/cloudabove.com\/help\/wp-json\/wp\/v2\/posts\/681\/revisions\/683"}],"wp:attachment":[{"href":"https:\/\/cloudabove.com\/help\/wp-json\/wp\/v2\/media?parent=681"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudabove.com\/help\/wp-json\/wp\/v2\/categories?post=681"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudabove.com\/help\/wp-json\/wp\/v2\/tags?post=681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}