Server Security

WordPress Malware Scanning on Offshore Hosting

Step-by-Step Tutorial

What you will do

By the end, you will have scanned your WordPress site on offshore hosting for malware — using both a server scanner and an in-dashboard scanner — and cleaned up anything that is found.

Do one step at a time. Finish a step, check it works, then move on. The order matters: update first, then scan, then clean.

Level: Some command-line use needed.
Where you work: Server over SSH + wp-admin.
Why do it: Catch and remove hidden malicious code.

Before you start

The goal: find and remove malware from a WordPress site, using a server scan and a dashboard scan together so nothing slips through.

Take a backup first. Before you touch or delete anything, make a backup or a server snapshot you can roll back to. Back up both the website files and the database. A clean backup is also what you will use to restore an infected file later.

  • Keep your WordPress admin login ready.
  • Keep your hosting/server panel login ready.
  • Keep the server IP, username, and password (or SSH key) ready.
  • Open a notes file and write down every file you find and every change you make.
  • Note the full path to your site folder (for example /var/www/yourdomain.com).

Where does each part happen?

A scan happens in two places. Here is the simple rule:

  • WordPress core, plugins, and themes → wp-admin (the WordPress dashboard).
  • Server-level scan of the files → over SSH on the server.
  • Dashboard malware scan → a security plugin inside wp-admin.
  • Cleanup and password changes → SSH, wp-admin, and your hosting panel.

[Figure: Where each step happens during a scan.]

The steps

Step 1: Update WordPress, plugins, and themes

First, update WordPress core, all plugins, and themes. Outdated code is the most common way sites get infected, so closing those holes comes before anything else. Do this in wp-admin under Dashboard → Updates.

Check: the Updates screen shows no pending updates, and your homepage still loads normally.

Step 2: Scan the files on the server with ClamAV

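Install a server scanner and scan your whole WordPress folder. ClamAV is free and reads every file on disk, so it catches things a dashboard cannot see. The commands below use apt, so they apply to Debian or Ubuntu servers; run them as root or prefix them with sudo.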

apt install clamav -y
clamscan -r --infected /var/www/yourdomain.com

Check: the scan finishes and lists any infected files. Write down every path it reports.

Step 3: Run an in-dashboard scan with a security plugin

Install a security plugin (for example Wordfence) and run its scan from wp-admin. This catches WordPress-specific issues — changed core files, suspicious admin users, and known bad plugins — that a plain file scan may miss.

Check: the plugin scan completes and shows its results next to your ClamAV list.

Step 4: Clean up what was found

If something is found, remove the infected file or restore that one file from a clean backup. Then change all passwords — WordPress admin, the database, your hosting account, and SFTP — so an attacker who had access cannot get back in.

Check: re-run both scans and confirm they come back clean, and that you can still log in with the new passwords.

Extra commands you may need

Run these only on your own server. If your server uses a managed panel, check with support before changing system-level settings.

Update the virus database before scanning

freshclam

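This pulls the latest virus signatures so ClamAV knows about recent threats. Run it before the scan in Step 2. On Debian and Ubuntu the clamav-freshclam service usually updates signatures in the background; if freshclam reports that its log file is locked, that service is already running and handling the updates.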

Quick check for a common injected pattern

grep -rl "eval(base64_decode" /var/www/yourdomain.com

This lists files that contain a code pattern often used by injected malware. Treat any result as a file to inspect — not every match is bad, but most are worth a close look.
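
The quick check above, extended into a read-only triage script (an added example, not part of the original tutorial). It goes beyond the single grep by also listing PHP files under wp-content/uploads, like the wp-content/uploads/x.php case this tutorial uses in its notes example; the function names and the default uploads path are assumptions, and stat -c needs GNU coreutils.

```shell
#!/bin/sh
# Added example: read-only triage of a WordPress tree. Nothing is deleted or changed.

# Files containing the literal string from the quick check.
# -F: fixed string (no regex surprises); -I: skip binary files.
find_eval_b64() {
  grep -rlIF 'eval(base64_decode' "$1" 2>/dev/null | sort
}

# PHP-type files under wp-content/uploads (assumption: default uploads location).
# That directory is meant for media, so each hit deserves a manual look.
find_php_in_uploads() {
  up="$1/wp-content/uploads"
  [ -d "$up" ] || return 0
  find "$up" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) | sort
}

# One tab-separated line per finding for the notes file: reason, mtime, path.
# stat -c is the GNU form (Debian/Ubuntu).
triage() {
  find_eval_b64 "$1" | while IFS= read -r f; do
    printf 'pattern\t%s\t%s\n' "$(stat -c '%y' "$f" | cut -d. -f1)" "$f"
  done
  find_php_in_uploads "$1" | while IFS= read -r f; do
    printf 'php-in-uploads\t%s\t%s\n' "$(stat -c '%y' "$f" | cut -d. -f1)" "$f"
  done
}

# Usage: sh triage.sh /var/www/yourdomain.com >> notes.txt
if [ "$#" -ge 1 ]; then triage "$1"; fi
```

A file that appears under both reasons is the strongest candidate for inspection; a file that appears under neither is not proven clean.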

Keep short notes as you go

While you work, jot down each finding: the file path, what the scanner said, the time, and what you did about it. For example: “wp-content/uploads/x.php flagged 11:05, deleted, re-scan clean.” It sounds small, but it saves a lot of confusion if something breaks or comes back.

If you run scan commands, paste the output into your notes too. Then if you ask support for help, you can show the exact command, the exact result, and the exact time.
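
One way to keep those notes automatically (an added example, not from the original tutorial): the script parses clamscan's "<path>: <signature> FOUND" lines into timestamped entries and uses clamscan's exit status to tell a clean result apart from a failed scan. The function names, the notes format and the sample signature name are assumptions.

```shell
#!/bin/sh
# Added example: turn clamscan findings into dated notes entries.

# Read clamscan output on stdin and print one tab-separated notes line
# (time, path, signature, action) per "<path>: <signature> FOUND" line.
clam_to_notes() {
  awk -v ts="$1" '
    / FOUND$/ {
      line = substr($0, 1, length($0) - 6)   # drop trailing " FOUND"
      i = 0                                  # position of the last ": "
      while ((p = index(substr(line, i + 1), ": ")) > 0) i += p
      if (i == 0) next
      printf "%s\t%s\t%s\taction: pending\n", ts, substr(line, 1, i - 1), substr(line, i + 2)
    }'
}

# Run the Step 2 scan and append findings to the notes file.
# clamscan exit status: 0 = nothing found, 1 = infected file(s) found, 2 = error.
scan_and_log() {
  root="$1"; notes="$2"
  out=$(clamscan -r --infected "$root" 2>&1); rc=$?
  printf '%s\n' "$out" | clam_to_notes "$(date '+%F %T')" >> "$notes"
  case "$rc" in
    0) echo "clean: no findings" ;;
    1) echo "findings appended to $notes" ;;
    *) echo "scan error (exit $rc), not a clean result:"; printf '%s\n' "$out" ;;
  esac
  return "$rc"
}

# Offline dry run on constructed output (not from a real scan).
demo() {
  printf '%s\n' \
    '/var/www/yourdomain.com/wp-content/uploads/x.php: Constructed.Test.Sig FOUND' \
    'Infected files: 1' | clam_to_notes '2024-01-01 11:05:00'
}

# Usage: sh clamnotes.sh /var/www/yourdomain.com notes.txt
if [ "$#" -eq 2 ]; then scan_and_log "$1" "$2"; fi
```

Edit the last column of each entry by hand once you have deleted or restored the file, so the notes record what was done as well as what was found.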

If a step fails, how to undo it

Always have a way back. If you delete a file and the site breaks, restore that file from your clean backup. If a cleanup makes things worse, roll the whole site back to the snapshot you took at the start. Don’t delete ten files at once — remove one, test the site, then continue.

[Figure: The final testing checklist.]

How to test after the scan

  1. Re-run clamscan -r --infected /var/www/yourdomain.com and confirm it reports nothing.
  2. Re-run the security plugin scan in wp-admin and confirm it is clean.
  3. Open the homepage in a private browser window — no warnings, no strange redirects.
  4. Open an inner page, a blog post, and a service page.
  5. Check that no unknown admin users exist under Users.
  6. Check Google Search Console for any security or hacked-content notices.

Quick troubleshooting

| Problem | Likely reason | What to do |
| --- | --- | --- |
| Scan finds nothing but site still hacked | Malicious admin user or scheduled cron job | Check Users for unknown admins, and review WP-Cron / system cron for odd tasks |
| Reinfected after cleanup | A backdoor file was left behind | Restore from a known-clean backup, then change all passwords again |
| False positive | A safe file flagged by mistake | Verify the file before deleting — compare it to a fresh copy of the plugin or core |

Final checklist

  • WordPress core, plugins, and themes updated.
  • ClamAV scan run on the site folder.
  • Dashboard scan run with a security plugin.
  • Infected files removed or restored from a clean backup.
  • All passwords changed.

FAQ

Can I follow this without much experience?

Yes — go slowly and test after every step. The server commands run over SSH, but if you are not comfortable there, the dashboard scan alone is a good start, or ask support to run the server scan for you.

Will scanning improve my Google ranking?

Not on its own. A clean, secure site avoids being flagged or de-indexed for malware, which protects your rankings — but your content and links are what actually decide where you rank.

What should I send to support if something breaks?

Send your domain name, server IP, the file paths the scanner flagged, the exact command and its output, the last change you made, and whether the site broke after a delete or a restore.
