As cybercrime grows and evolves, malware remains a constant weapon in a hacker’s arsenal. Malware, short for malicious software, is created with the intent of causing harm to a website or computer. Website malware can be used to steal sensitive user data, hold websites for ransom, or even take control of the website itself. In many cases, victims of malware may not realize they’ve been attacked until it’s too late.
Over one million new malware threats are released daily. To keep your website secure, it is critical to take matters into your own hands and become proactive about website security issues. There are two primary ways to do this: the first is by learning to check for malware manually. The second and most effective way to protect against malware is by using a website malware scanner that detects malicious content and automatically removes it.
Learn how to identify, check, and remove malware from your website—manually or with automated tools.
Malware activity may not be immediately obvious to you or your visitors. For example, many website owners might assume that website defacement, an attack that changes the visual appearance of a website or web page, is the only way of knowing their site has malware. In reality, what makes malware so effective is its elusiveness and ability to hide.
If your site hasn’t been defaced, you might still have malware if:
Your account login information was changed without your consent.
Your website files were modified or deleted without your knowledge.
Your website freezes or crashes.
You’ve experienced a noticeable change to your search engine results, such as a blacklisting status or harmful content warnings.
You’ve experienced a rapid drop or increase in traffic.
Should any of these common signs appear, you can follow these next steps to confirm your suspicions.
A best practice for all site owners is to keep frequent backups of your website. You can do this easily by using a tool that creates backups automatically. This offers several advantages, including having a clean copy to restore your site in the event of a cyberattack. Additionally, knowing what the clean, normal code on your website looks like can help you spot potential malware.
If you don’t have a clean backup to restore from, don’t panic. If you're familiar with your website or content management system (CMS) code, you can still look for malware by inspecting your database, files, and source code manually.
To check for malicious code in your databases, you will need access to a database administration tool offered by your web host, such as phpMyAdmin. If your host offers a different tool, you may want to refer to their knowledge base for specific instructions.
Once you have access, here’s what to look for. The following is a short list of common syntax used by hackers when they inject malware into a site. While not comprehensive—and likely to produce some false positives—it’s a strong starting point for a manual search.
eval: This is a PHP function that attempts to process any string as valid PHP itself. It becomes dangerous when it executes input from user-defined variables. It’s also dangerous because most fail-safes included within the code of an application are disregarded within an “eval” statement. For these reasons, “eval” statements are not only a prime target for hackers but also a common destination for their injected code.
base64_decode: This PHP function is used to decode base64-encoded text for further processing within the PHP engine. Open-source applications do not typically have encoded text within their source code. More importantly, it’s an easy way for hackers to disguise their malicious code. If this function is found and shouldn’t be there, you may have found your culprit.
gzinflate: Very similar to “base64_decode,” the “gzinflate” function is used to inflate (decode) a deflated (encoded) string of text. Again, if this function is being used to disguise code and isn’t a typical part of your site’s code, chances are it’s a problem.
shell_exec: This function can be particularly dangerous if a server is not properly locked down. In short, it allows PHP to run commands at the server level and then feed their output into the PHP code of the site. Hackers are more interested in taking over a server than just one site, so this is a prime vector for them to leverage.
GLOBALS: Disabled by default in versions of PHP since 2002 (v. 4.2.0), “GLOBALS” can pose a security risk when not implemented thoughtfully and carefully. If used in conjunction with user input, there is a much higher risk of unintended variable manipulation, which can lead to a compromised site. As a result, most applications and sites these days do not use global variables.
error_reporting(0): When set to “0,” the “error_reporting” directive in PHP will effectively disable any code errors from being displayed in the browser or log. It is very unlikely that a stable release of an application or site would require such a directive. Instead, this exact directive might be used by a hacker who is testing out different bits of code within your site to see what might work.
Please note that this is by no means a complete list, but it does briefly outline some of the most common bits of PHP code that can be found in compromised websites.
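The manual search described above can be scripted. The following is an added example, not part of the original article or of any SiteLock tool: it checks text taken from files or exported database fields for the listed functions and ranks a decoder nested inside eval above a single isolated match, which keeps the expected false positives at the bottom of the list. The severity labels, the sample labels and the choice to match "$GLOBALS" for the "GLOBALS" entry are assumptions of the example.

```python
import re

# Indicators from the list above. Matching "$GLOBALS" (the PHP superglobal array)
# for the "GLOBALS" entry is an assumption of this example.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "gzinflate": re.compile(r"\bgzinflate\s*\(", re.I),
    "shell_exec": re.compile(r"\bshell_exec\s*\(", re.I),
    "GLOBALS": re.compile(r"\$GLOBALS\b"),
    "error_reporting(0)": re.compile(r"\berror_reporting\s*\(\s*0\s*\)", re.I),
}
# A decoder called directly inside eval() is the disguise pattern the text describes.
NESTED = re.compile(r"\beval\s*\(\s*(?:(?:gzinflate|base64_decode)\s*\(\s*)+", re.I)

def scan_text(text):
    """Return (severity, indicator names) for one file body or database field."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if NESTED.search(text):
        return "high", hits
    if len(hits) >= 2:
        return "review", hits
    return ("low" if hits else "clean"), hits

def rank_findings(sources):
    """Scan {label: text}; return only flagged entries, highest severity first."""
    order = {"high": 0, "review": 1, "low": 2}
    flagged = {k: scan_text(v) for k, v in sources.items() if scan_text(v)[0] != "clean"}
    return dict(sorted(flagged.items(), key=lambda kv: (order[kv[1][0]], kv[0])))

# Constructed samples: two database fields and two files. No real payloads.
SAMPLES = {
    "db:options.row_812": '<?php error_reporting(0); eval(gzinflate(base64_decode("PLACEHOLDER")));',
    "db:posts.row_17": "Tutorial text: never pass user input to eval() in PHP.",
    "file:plugin/thumbs.php": '<?php $img = base64_decode($row["thumb"]); $GLOBALS["n"]++;',
    "file:theme/functions.php": "<?php echo esc_html($title);",
}

if __name__ == "__main__":
    for label, (severity, hits) in rank_findings(SAMPLES).items():
        print(f"{severity:6} {label}: {', '.join(hits)}")
```

The "low" result for the tutorial text is the kind of false positive the list warns about: the word appears, but nothing is executed.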
When inspecting your website’s source code for malware, pay close attention to suspicious script or iframe elements. Malicious code often hides in unfamiliar third-party scripts or invisible iframes. Look for <script src="..."> and <iframe src="..."> lines that link to domains you don’t recognize, especially if they contain random character strings, shortened URLs, or point to unrelated external sites.
Other red flags include:
Obfuscated inline scripts: Look for scripts with long, unreadable character strings or encoded text. These are often used to hide malicious behavior and can be difficult to interpret without decoding tools.
Unexpected script placement: Malware may inject scripts at the end of the <body> or within the <head> section of your HTML. If these weren’t part of your original codebase, they could be executing malicious functions without your knowledge.
Suspicious inline event handlers: Check for attributes like onload, onerror, or onclick tied to unfamiliar JavaScript functions. These handlers can be used to trigger malware automatically when a page loads or a user interacts with it.
Compare these entries against a clean version of your code or backup when possible. Even small anomalies could indicate injected malware or hidden redirects that send visitors to malicious or unexpected websites.
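The source-code checks above can be run against a saved copy of a page. This added example is not from the original article: it parses the HTML and reports script or iframe sources on hosts outside an allowlist, invisible iframes, the inline event handlers named above, and inline scripts containing a long unbroken encoded-looking string. The allowlist, the 120-character threshold, the finding names and the sample page are assumptions of the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HANDLERS = {"onload", "onerror", "onclick"}           # attributes named in the text
LONG_RUN = re.compile(r"[A-Za-z0-9+/=\\%]{120,}")     # assumed threshold for "unreadable" strings

class SourceAudit(HTMLParser):
    """Collects (line, finding, detail) tuples for one page of HTML."""
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted, self.findings, self.inline = set(trusted_hosts), [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        host = urlparse(a.get("src", "")).hostname    # None for relative URLs
        if tag in ("script", "iframe") and host and host not in self.trusted:
            self.findings.append((line, "unknown-host", host))
        style = a.get("style", "").replace(" ", "").lower()
        if tag == "iframe" and ("display:none" in style or "0" in (a.get("width"), a.get("height"))):
            self.findings.append((line, "invisible-iframe", host or ""))
        for name in sorted(a.keys() & HANDLERS):
            self.findings.append((line, "inline-handler", f"{tag}.{name}"))
        self.inline = tag == "script" and "src" not in a

    def handle_endtag(self, tag):
        self.inline = False

    def handle_data(self, data):
        if self.inline and LONG_RUN.search(data):
            self.findings.append((self.getpos()[0], "obfuscated-inline-script", ""))

def audit(html, trusted_hosts):
    parser = SourceAudit(trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; hosts use the reserved .example TLD, filler is repeated text.
SAMPLE = "\n".join([
    '<html><head><script src="/js/app.js"></script>',
    '<script src="https://cdn.trusted.example/lib.js"></script></head>',
    '<body onload="init()"><p>Shop</p>',
    '<img src="x.png" onerror="q7()">',
    '<iframe src="http://x9f2kq.example/t" width="0" height="0"></iframe>',
    '<script>var p="' + "QUJD" * 40 + '";</script>',
    '</body></html>',
])
```

Calling `audit(SAMPLE, {"cdn.trusted.example"})` returns one tuple per finding with its line number; a handler such as `body.onload` is only suspicious if it is absent from the clean copy of the page.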
To manually scan your website for infected files, start by connecting to your site via FTP or a secure file manager provided by your hosting provider. Review file directories for the following:
Recently modified files: Look at the “Last Modified” timestamps. Any sudden or unexpected changes, especially in core files like index.php, .htaccess, or config files, could signal a breach.
Suspicious filenames: Malware often uses inconspicuous or random names (e.g., tempf.php, xload.php, cache99.txt) to blend in.
Unfamiliar scripts: Check for unexpected .php, .js, or .html files in directories that usually don’t contain them.
Hidden files: Files beginning with a dot (e.g., .hidden, .config) might be used to conceal malicious activity.
Once identified, cross-reference the content of these files with known safe versions, or use a malware scanner to confirm suspicions. Even if you're unsure, isolating or temporarily disabling suspect files can help limit further damage while you investigate.
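The file review and the cross-reference against a known safe version can be combined into one pass when the site and a clean backup are both available as local directories (for example, after downloading them). This added example is not from the original article: it hashes each live file against the backup and applies the four checks listed above. The directory names, the 7-day window, the expected-dotfile list and the demo tree are assumptions of the example.

```python
import hashlib, os, tempfile, time
SCRIPT_EXT = {".php", ".js", ".html"}
EXPECTED_DOTFILES = {".htaccess"}      # assumption: dotfiles this site legitimately ships

def digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def manifest(root):  # 'relative/path' -> absolute path for every file under root
    return {os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/"): os.path.join(d, f)
            for d, _, files in os.walk(root) for f in files}

def triage(live_root, backup_root, data_dirs=("uploads",), days=7):
    live, clean, report = manifest(live_root), manifest(backup_root), {}
    for rel, path in sorted(live.items()):
        name, flags = rel.rsplit("/", 1)[-1], []
        if rel not in clean:
            flags.append("not-in-backup")
        elif digest(path) != digest(clean[rel]):
            flags.append("content-changed")
        if time.time() - os.path.getmtime(path) < days * 86400:
            flags.append("recently-modified")
        if name.startswith(".") and name not in EXPECTED_DOTFILES:
            flags.append("hidden-file")
        if rel.split("/")[0] in data_dirs and os.path.splitext(name)[1].lower() in SCRIPT_EXT:
            flags.append("script-in-data-dir")
        if flags:
            report[rel] = flags
    report.update({rel: ["missing-from-live"] for rel in clean if rel not in live})
    return report

def write_tree(root, files, age_days):  # demo helper: create files, back-date their mtime
    stamp = time.time() - age_days * 86400
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (stamp, stamp))

def demo():
    # Constructed site: one edited core file, one dropped script, one hidden file.
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = os.path.join(tmp, "live"), os.path.join(tmp, "backup")
        clean = {"index.php": "<?php home();", ".htaccess": "Options -Indexes", "uploads/logo.png": "png"}
        write_tree(backup, clean, 90)
        write_tree(live, clean, 90)
        write_tree(live, {"index.php": "<?php home(); // edited", "uploads/xload.php": "<?php", ".hidden": "x"}, 1)
        return triage(live, backup)
```

A timestamp can be reset by whoever changed the file, so "content-changed" and "not-in-backup" are the stronger signals; "recently-modified" alone mostly narrows where to look first.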
To make this process easier, SiteLock offers a free online tool that quickly scans your website for known vulnerabilities and signs of malware. Just enter your domain (e.g., mywebsite.com), and we’ll run a real-time external scan to detect common threats.
Running a malware scan can help you verify whether your site is infected. If it is, you can begin isolating and removing malicious code from your files right away.
According to a 2024 data threat report, 41% of enterprises experienced a malware attack over the past year. With such a high level of criminal activity, you’ll need protection that can keep up, such as a website scanner that can scan for malware and remove it automatically.
Daily, automated security scans save time and help you catch infections early—minimizing damage to your site and users. Malware scanners are typically designed to automatically scan for known and common malware types, including backdoor files, shell scripts, and spam. If the tool identifies malware, the website owner will be alerted immediately, and some solutions even provide automatic malware removal.
It’s important to note that preventative measures against malware are only as effective as their ability to keep up with emerging threats. Malware scanning should be supported by a comprehensive, regularly updated database that tracks the latest and most persistent threats. For complete protection, it’s also essential to implement additional security layers, such as web application firewalls (WAFs) to block malicious traffic and routine patching of vulnerable plugins and software to close known security gaps.
Being proactive about your cybersecurity is your best defense against hackers. Search engines favor safe browsing and websites, so malware can also put your search engine optimization (SEO) performance and rankings at risk. Whether you check for malware manually or use an automated solution, understanding the different ways to detect it brings your website one step closer to being secure.
Cyber threats are especially dangerous for eCommerce and other online businesses, as they can impact more than just your bottom line—and the effects can be long-lasting. To keep your site protected, learn about SiteLock’s website security plans or contact us for more details. If your site has been hacked, our website repair services can help you quickly restore security and get back online.