How to Check a Website for Malware Infections



As cybercrime evolves, malware remains a constant weapon in a hacker’s arsenal. Malware, short for malicious software, is created with the intent of causing harm to a website or computer. Website malware can be used to steal sensitive user data, launch phishing scams, create hidden redirects, inject malicious code, hold websites for ransom, or take control of the website itself. Victims of malware may not realize they’ve been attacked until it’s too late.
If you suspect your website has malware, start by running a website malware scanner, checking Google Safe Browsing, and reviewing Google Search Console for security warnings. These tools can help you spot visible malware, malicious redirects, blacklist warnings, suspicious scripts, and other signs of compromise.
You should also perform manual checks of your website files, source code, database, and server settings to look for issues. Learn about the main ways to check your website for malware and what to do if you find suspicious activity.
What are the common signs of malware?
Malware activity may not be immediately obvious to you or your visitors. For example, many website owners might assume that website defacement, an attack that changes the visual appearance of a website or web page, is the only way of knowing their site has malware. In reality, what makes malware so effective is its elusiveness and ability to hide.
Other signs of malware include:
- Your account login information was changed without your consent.
- Your website files were modified or deleted without your knowledge.
- Your website freezes or crashes.
- Your site has been flagged by a search engine or security service. Google Safe Browsing may display a warning to visitors, or your domain may appear on a blocklist or blacklist that blocks normal access.
- Visitors are being redirected to pages you didn't create.
- Your search engine rankings have dropped, or you've noticed a sudden, unexplained drop in traffic.
Should any of these common signs appear, you can follow these next steps to confirm your suspicions.
How to quickly scan and check for malware
Before digging into your site files or database, start with a few quick checks. These steps can help you identify security alerts before moving into a deeper manual review.
Run a website malware scan
First, find a scanning tool to run an initial scan. SiteLock’s free website security scanner checks your domain for known vulnerabilities and signs of malware. Enter your domain (e.g., mywebsite.com), and the tool runs a real-time external scan to detect common threats.
Keep in mind that free scan tools check the public-facing frontend of your site, not the server-side files underneath. If your scan shows signs of malware, contact SiteLock 911 for emergency malware removal and cleanup support. If your results come back clean but you’re still seeing warning signs, deeper analysis may still be needed.
Check Google Search Console
Log in to Google Search Console, review the Security Issues section for warnings about malware, hacked content, or suspicious pages. Google may also show sample URLs where it found a problem, which can help you narrow down where to start.
If Google flags your site, fix the issue before requesting a review. Submitting a review before the malware is fully removed can delay recovery.
Check Google’s Blacklist status
Use Google Safe Browsing to see whether your site has been flagged as unsafe. This can help confirm whether visitors may be seeing browser warnings or search result warnings when they try to access your website.
A clean result does not always mean your site is malware-free, but a warning is a clear sign that you should investigate and remove the issue as soon as possible.
How do you manually check a website for malware?
Manual malware checks help you look for suspicious changes that an external scan may not catch. Start by comparing your current site against a known clean version.
A best practice for all site owners is to keep frequent backups of your website. You can do this easily by using a tool that creates backups automatically. This offers several advantages, including having a clean copy to restore your site in the event of a cyberattack. Knowing what the clean, normal code on your website looks like can help you spot potential malware.
If you don’t have a clean backup to restore from, you can still look for malware by inspecting your database, files, and source code manually.
Check your databases
To check for malicious code in your databases, you will need access to a database administration tool offered by your web host, such as phpMyAdmin. If your host offers a different tool, you may want to refer to their knowledge base for specific instructions.
Once you have access, here’s what to look for. The following is a short list of common syntax used by hackers when they inject malware into a site. While not comprehensive—and likely to produce some false positives—it’s a strong starting point for a manual search.
- eval: This is a PHP function that attempts to process any string as valid PHP itself. It becomes dangerous when it executes input from user-defined variables. It’s also dangerous, as most fail-safes included within the code of an application are disregarded within an “eval” statement. For these reasons, they are not only a prime target for hackers but also a common destination for their injected code.
- base64_decode: This PHP function is used to decode base64-encoded text for further processing within the PHP engine. Open-source applications do not typically have encoded text within their source code. More importantly, it’s an easy way for hackers to disguise their malicious code. If this function is found and shouldn’t be there, you may have found your culprit.
- gzinflate: Very similar to “base64_decode,” the “gzinflate” function is used to inflate (decode) a deflated (encoded) string of text. Again, if this function is being used to disguise code and isn’t a typical part of your site’s code, chances are it’s a problem.
- shell_exec: This function can be particularly dangerous if a server is not properly locked down. In short, it allows PHP to run commands at the server level and then feed their output into the PHP code of the site. Hackers are more interested in taking over a server than just one site, so this is a prime vector for them to leverage.
- GLOBALS: Disabled by default in versions of PHP since 2002 (v. 4.2.0), “GLOBALS” can pose a security risk when not implemented thoughtfully and carefully. If used in conjunction with user input, there is a much higher risk of unintended variable manipulation, which can lead to a compromised site. As a result, most applications and sites these days do not use global variables.
- error_reporting(0): When set to “0,” the “error_reporting” directive in PHP will effectively disable any code errors from being displayed in the browser or log. It is very unlikely that a stable release of an application or site would require such a directive. Instead, this exact directive might be used by a hacker who is testing out different bits of code within your site to see what might work.
Please note that this is by no means a complete list, but it does briefly outline some of the most common bits of PHP code that can be found in compromised websites.
Check your source code for malware
When inspecting your website’s source code for malware, pay close attention to suspicious script or iframe elements. Malicious code often hides in unfamiliar third-party scripts or invisible iframes. Look for <script src="..."> and <iframe src="..."> lines that link to domains you don’t recognize, especially if they contain random character strings, shortened URLs, or point to unrelated external sites.
Other red flags include:
- Obfuscated inline scripts: Look for scripts with long, unreadable character strings or encoded text. These are often used to hide malicious behavior and can be difficult to interpret without decoding tools.
- Unexpected script placement: Malware may inject scripts at the end of the <body> or within the <head> section of your HTML. If these weren’t part of your original codebase, they could be executing malicious functions without your knowledge.
- Suspicious inline event handlers: Check for attributes like onload, onerror, or onclick tied to unfamiliar JavaScript functions. These handlers can be used to trigger malware automatically when a page loads or a user interacts with it.
Compare these entries against a clean version of your code or backup when possible. Even small anomalies could indicate injected malware or hidden redirects that send visitors to malicious or unexpected websites.
Check your website for infected files
To manually scan your website for infected files, start by connecting to your site via FTP or a secure file manager provided by your hosting provider. Review file directories for the following:
- Recently modified files: Look at the “Last Modified” timestamps. Any sudden or unexpected changes, especially in core files like index.php, .htaccess, or config files, could signal a breach.
- Suspicious filenames: Malware often uses inconspicuous or random names (e.g., tempf.php, xload.php, cache99.txt) to blend in.
- Unfamiliar scripts: Check for unexpected .php, .js, or .html files in directories that usually don’t contain them.
- Hidden files: Files beginning with a dot (e.g., .hidden, .config) might be used to conceal malicious activity.
Once identified, cross-reference the content of these files with known safe versions, or use a malware scanner to confirm suspicions. Even if you're unsure, isolating or temporarily disabling suspect files can help limit further damage while you investigate.
How do you prevent future malware infections?
Preventing malware starts with consistent monitoring. According to a 2024 data threat report, 41% of enterprises experienced a malware attack over the past year, which shows why website security cannot be a one-time check.
Automated website security scan services save time and help you catch infections early—minimizing damage to your site and users. Malware scanners are typically designed to automatically scan daily for known and common malware types, including backdoor files, shell scripts, and spam. If the tool identifies malware, the website owner will be alerted immediately, and some solutions, including SiteLock, even provide automatic malware removal.
Scanning works best when paired with other protective layers. A web application firewall (WAF) can help block malicious traffic before it reaches your site. Routine patching can close vulnerabilities in your CMS, plugins, themes, and other software. Frequent backups give you a clean version to restore if your site is compromised.
If malware is found, fast remediation is critical. Remove infected files, restore clean backups when needed, and patch the original entry point so the same infection does not come back.
Mitigate website security vulnerabilities with SiteLock
Being proactive about your cybersecurity is your best defense against hackers. Search engines favor safe browsing experiences, so malware can also put your search engine optimization (SEO) performance and rankings at risk.
Whether you check for malware manually or use an automated solution, understanding the different ways to detect it brings your website one step closer to being secure. SiteLock helps simplify that process with a website security platform that scans for threats, monitors your site’s health, and gives you a clear view of what needs attention.
With SiteLock’s Site Health score, you can see your website’s overall security and risk status at a glance. Prioritized Tasks then turns scan results into a clear action queue, helping you understand which vulnerabilities, misconfigurations, malware risks, or security gaps to address first.
Contact SiteLock today for more details on our plans. If your site has been hacked, our website repair services can help you quickly restore security and get back online.