How to Clean Infected Files in cPanel After a Virus Scan (Step-by-Step Guide)

If you’ve scanned your website in cPanel and it showed infected files, you’re not alone. Malware infections are common on websites, especially those running WordPress, Joomla, or PHP-based apps.

But here’s the important part: clicking Clean in cPanel doesn’t always mean your site is 100% safe. Infected files may be cleaned, quarantined, or left unchanged depending on the virus scanner (ClamAV, ImunifyAV, etc.).

This guide will walk you through a complete step-by-step checklist to ensure your website is fully clean and secure after a virus scan.

Step 1: Backup Your Website

Before making any changes, always create a full backup (files + databases).

• Go to cPanel → Backups or JetBackup.
• Download your Home Directory and Database backups.
  This ensures you can restore your site if something breaks during cleaning.

Step 2: Review the Virus Scan Results

After running a virus scan in cPanel:

• Check the Scan Report or Logs.
• See which files were:
  • ✅ Cleaned
  • 📦 Quarantined
  • ⚠️ Left unchanged

👉 Don’t assume everything is fixed. Some files may still contain hidden malware.

Step 3: Identify Suspicious Files

Malware often hides in:

• /wp-content/themes/
• /wp-content/plugins/
• /wp-content/uploads/
• tmp/ or cgi-bin/

Look for:

• PHP files inside /uploads/ (red flag).
• Recently modified files you didn’t touch.
• Files with strange names like cache.php, fonts.php, or class-wp-xyz.php.

Step 4: Replace WordPress Core, Themes & Plugins

If you use WordPress:

• Reinstall WordPress Core from Dashboard → Updates.
• Delete unused themes and plugins.
• Reinstall active ones from official sources.
• Check for “must-use” plugins in /wp-content/mu-plugins/.

Step 5: Inspect Critical Files

wp-config.php – Look for strange include or base64 code.

.htaccess – Reset to default WordPress rules (hackers often add redirects).

Default WordPress .htaccess:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Step 6: Clean Your Database

Using phpMyAdmin:

• Check wp_users for unknown admin accounts.
• Check wp_options for suspicious scripts, iframes, or base64 code.
• Review cron jobs inside the database for auto-injected malware tasks.

Step 7: Check Cron Jobs & Scheduled Tasks

Go to cPanel → Cron Jobs.

Remove any suspicious jobs calling wget or curl to unknown URLs.

Step 8: Reset Passwords & Keys

Change all passwords (cPanel, FTP, WordPress admins, DB).

Regenerate WordPress salts from: https://api.wordpress.org/secret-key/1.1/salt/

Step 9: Block PHP in Uploads

Add this .htaccess in /wp-content/uploads/:

<FilesMatch "\.(php|phtml|phar)$">
  Require all denied
</FilesMatch>

This prevents attackers from running PHP shells in your media folder.

Step 10: Reset File Permissions

Set proper permissions:

• Folders: 755
• Files: 644
• wp-config.php: 440

Step 11: Re-scan Your Website

Run another cPanel virus scan (ImunifyAV/ClamAV).

• If it comes back clean ✅, you’re good.
• If infections remain ⚠️, consider a deeper malware cleanup service.

Step 12: Secure Your Website Going Forward

Install a security plugin (Wordfence, iThemes Security).

Enable Imunify360 (if available on your hosting).

Keep WordPress, plugins, and themes updated.

Set up daily backups to an external storage (Google Drive, Dropbox, or host’s JetBackup).

Use Cloudflare for free firewall protection.

Conclusion

Clicking Clean in cPanel virus scan doesn’t always mean your site is completely safe. Hackers often leave backdoors that scanners may miss.

By following this step-by-step checklist, you can:

• Remove hidden malware
• Secure your WordPress site
• Protect your hosting account from future hacks

Keep your CMS updated, audit your site regularly, and always maintain backups + security plugins for maximum protection.