How to Manually Scan WordPress Files for Malware in File Manager

Your WordPress website is your digital storefront, blog, or business portal. But even with strong passwords and secure plugins, your site can still fall victim to malware. Hackers are constantly looking for vulnerable sites to infect with malicious code, backdoors, or spam links.

While many security plugins can automate malware detection, sometimes you need to take matters into your own hands—especially if:

  • You can’t access wp-admin due to the infection

  • You want to confirm what the plugin flagged

  • You’re on a shared hosting plan and want to reduce resource usage

In this article, we’ll show you how to manually scan your WordPress files for malware using File Manager in your hosting control panel (like cPanel or DirectAdmin). No paid tools. No coding knowledge required.

What You Need Before You Begin

Before diving into file scanning, make sure you have:

  • Access to your hosting control panel (like cPanel)

  • File Manager access

  • Basic knowledge of WordPress file structure

Also, back up your website before making any changes. Even if it’s infected, a backup can help restore non-malicious files or compare changes.

Step-by-Step: Manually Scanning WordPress for Malware in File Manager

1. Log In to Your Hosting Control Panel

Most hosting companies offer a control panel like cPanel. Log in with your hosting credentials and locate the File Manager. It usually sits under the “Files” section.

2. Navigate to Your WordPress Directory

Open File Manager and go to:

public_html/

Or, if your site is installed in a subfolder:

public_html/yourdomain.com/

Here, you’ll see files like:

  • wp-config.php

  • index.php

  • wp-content/

  • wp-includes/

These are your core WordPress files.

3. Check for Recently Modified Files

Malware often hides in recently edited or added files.

  • In File Manager, enable the “Last Modified” column (usually a sort option).

  • Sort files by date (most recent first).

  • Look for PHP files modified within the last few days that you did not update.

Examples of suspicious behavior:

  • index.php modified without reason

  • New or recently changed PHP files inside /wp-includes/ or /wp-admin/ (these folders normally only change during a WordPress core update)

  • Unusual files in the root like zz.php, x.php, cmd.php, or random strings like a9z8.php

4. Open and Inspect Suspicious Files

Right-click any file that looks out of place and choose “Edit” or “View”.

Look for common malware indicators:

Base64 Encoded Strings

eval(base64_decode("aWYoJHZh…"));

These are used to obfuscate malicious code.

Unfamiliar Functions

Watch out for:

  • eval()

  • exec()

  • shell_exec()

  • system()

  • passthru()

  • assert()

  • gzuncompress()

PHP Backdoors

Some malware files act as hidden uploaders. You might see code like:

if (isset($_FILES['file'])) {
    move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name']);
}

If you didn’t add that functionality, delete or quarantine the file.
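If your host also gives you a Terminal, or you download a copy of the site to your computer, the "recently modified" check from step 3 and the indicator search from step 4 can be run in one pass instead of opening files one by one. The script below is an added example and is not part of the original article; it assumes Python 3, the function names are my own, and the sample site it builds is constructed test data, not a real WordPress install. A hit is a lead to review, not proof of infection: some legitimate code calls these functions.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# The article's indicators, as regular expressions. Matches are leads to review,
# not proof of infection: legitimate code can call some of these functions.
INDICATORS = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "dangerous_call": re.compile(
        r"\b(eval|exec|shell_exec|system|passthru|assert|gzuncompress)\s*\("),
    "upload_handler": re.compile(r"move_uploaded_file\s*\([^;]*\$_FILES"),
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}


def scan_file(path):
    """Return the names of the indicators found in one file (empty if clean)."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root, days=7, now=None):
    """Walk a WordPress tree and report every .php file that either contains an
    indicator or was modified within the last `days` days.
    Returns {relative_path: {"indicators": [...], "recent": bool}}."""
    root = Path(root)
    cutoff = (time.time() if now is None else now) - days * 86400
    findings = {}
    for path in sorted(root.rglob("*.php")):
        if not path.is_file():
            continue
        hits = scan_file(path)
        recent = path.stat().st_mtime >= cutoff
        if hits or recent:
            rel = path.relative_to(root).as_posix()
            findings[rel] = {"indicators": hits, "recent": recent}
    return findings


def build_sample_site():
    """Constructed sample data, not a real WordPress install: two clean files
    untouched for 90 days, an index.php edited today, and two files shaped
    like the article's examples (the base64 string is a stub)."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    old = time.time() - 90 * 86400
    files = {
        "index.php": "<?php\ndefine('WP_USE_THEMES', true);\n"
                     "require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/themes/demo/functions.php":
            "<?php\nadd_action('init', 'demo_setup');\n",
        "wp-content/uploads/2024/a9z8.php":
            "<?php eval(base64_decode('aWYoJHZh...'));\n",
        "wp-includes/cmd.php":
            "<?php if(isset($_FILES['file'])){\n"
            "  move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name']);\n}\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
        os.utime(p, (old, old))
    os.utime(root / "index.php", None)  # touched "now", like a tampered index.php
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, info in scan_tree(site).items():
        print(f"{rel}: indicators={info['indicators']} recent={info['recent']}")
```

Point `scan_tree()` at your site root (for example `public_html/`) and review every flagged path in File Manager; a clean file that is merely recent still deserves a look, since the first sign of a compromise is often an edit with no visible payload yet.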

5. Compare With a Fresh WordPress Installation

If you’re unsure about a file, download the same version of WordPress from wordpress.org and compare the file line by line.

For example:

  • Compare wp-settings.php from your site with the clean one.

  • Use free tools like DiffNow.com to visually compare two file versions.
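Comparing files one at a time works for a single suspect; comparing the whole core against a fresh download is faster and also catches files that should not exist at all. The script below is an added example, not code from the article or from WordPress: it hashes both trees with SHA-256 and lists core files that are modified, extra, or missing. It assumes Python 3, that you extracted the same WordPress version next to a copy of your site, and that site-specific paths (wp-config.php, wp-content/, .htaccess) are skipped because they legitimately differ; the function names and sample trees are mine.

```python
import hashlib
import tempfile
from pathlib import Path

# Site-specific paths that are expected to differ from a fresh download and
# are therefore skipped here; step 6 covers wp-content by hand.
DEFAULT_IGNORE = ("wp-config.php", "wp-content/", ".htaccess")


def sha256_of(path):
    """Hash a file in chunks so large files never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, ignore=DEFAULT_IGNORE):
    """Map every file below root (as a POSIX relative path) to its SHA-256."""
    root = Path(root)
    hashes = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith(ignore):
            continue
        hashes[rel] = sha256_of(p)
    return hashes


def compare_trees(site_root, clean_root, ignore=DEFAULT_IGNORE):
    """Classify core files as modified (hash differs from the clean copy),
    extra (on the site only) or missing (in the clean copy only)."""
    site, clean = hash_tree(site_root, ignore), hash_tree(clean_root, ignore)
    return {
        "modified": sorted(k for k in site.keys() & clean.keys() if site[k] != clean[k]),
        "extra": sorted(site.keys() - clean.keys()),
        "missing": sorted(clean.keys() - site.keys()),
    }


def build_sample_pair():
    """Constructed sample (not real WordPress files): a 'clean' tree and a
    'site' tree that differ in the ways an infection usually shows up."""
    clean = Path(tempfile.mkdtemp(prefix="wp-clean-"))
    site = Path(tempfile.mkdtemp(prefix="wp-site-"))
    core = {
        "wp-settings.php": "<?php\n// clean settings\n",
        "wp-includes/version.php": "<?php\n$wp_version = 'x.y.z';\n",
        "wp-admin/about.php": "<?php\n// about page\n",
    }
    for tree in (clean, site):
        for rel, body in core.items():
            p = tree / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
    # Site-side differences: an edited core file, a dropped file, a deleted
    # core file, plus site-specific files that are expected and so ignored.
    (site / "wp-settings.php").write_text("<?php\n// clean settings\n// injected line\n", encoding="utf-8")
    (site / "wp-includes/zz.php").write_text("<?php\n// dropped file\n", encoding="utf-8")
    (site / "wp-admin/about.php").unlink()
    (site / "wp-config.php").write_text("<?php\n// site config\n", encoding="utf-8")
    (site / "wp-content/uploads").mkdir(parents=True)
    (site / "wp-content/uploads/x.php").write_text("<?php\n", encoding="utf-8")
    return site, clean


if __name__ == "__main__":
    site, clean = build_sample_pair()
    for kind, paths in compare_trees(site, clean).items():
        print(kind, paths)
```

Anything under "modified" or "extra" is what you then open in File Manager (or diff with a tool like DiffNow) to see exactly what changed; "missing" files are usually harmless but worth noting because a reinstall of core will restore them.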

6. Scan the wp-content Directory Thoroughly

The wp-content/ folder is where most infections hide because it holds:

  • Themes

  • Plugins

  • Uploads

Inspect these subdirectories:

/wp-content/themes/

  • Look inside active and inactive themes.

  • Delete any themes you don’t use.

  • Check files like functions.php for unfamiliar code; it is a common place for injected code because it runs on every page load.

/wp-content/plugins/

  • Look for plugins you didn’t install.

  • If a plugin has recently been modified and you didn’t update it, investigate.

/wp-content/uploads/

  • No PHP code should exist here, but hackers sometimes upload PHP files disguised as images.

  • Sort files by extension. If you see .php, inspect immediately.
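Sorting by extension catches a plain .php file, but not a script renamed to photo.jpg or PHP appended to a real image. The script below is an added example (not from the article) that checks each file under uploads/ three ways: the extension, a double extension such as shell.php.jpg, and the content itself, which must start with the right image magic bytes and must not contain a PHP open tag. It assumes Python 3; the allowed-extension list, the function names and the sample folder are mine.

```python
import tempfile
from pathlib import Path

# Extensions WordPress normally writes into uploads, plus the one file name
# that may legitimately live there. Anything else deserves a look.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg", ".pdf",
               ".mp3", ".mp4", ".zip", ".txt"}
ALLOWED_NAMES = {".htaccess"}
PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
# Bytes an image with this extension must start with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAGS = (b"<?php", b"<?=")


def check_upload(path):
    """Return the reasons a file under uploads/ is suspicious (empty list = none found)."""
    path = Path(path)
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    if path.name not in ALLOWED_NAMES:
        if ext in PHP_EXT:
            reasons.append("php_extension")
        elif ext not in ALLOWED_EXT:
            reasons.append("unexpected_extension")
    if any(s in PHP_EXT for s in suffixes[:-1]):
        reasons.append("double_extension")   # e.g. shell.php.jpg
    with path.open("rb") as fh:
        data = fh.read(2 * 1024 * 1024)      # the first 2 MiB is enough to spot embedded code
    if any(tag in data for tag in PHP_TAGS):
        reasons.append("php_code_inside")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append("magic_mismatch")     # claims to be an image but is not one
    return reasons


def scan_uploads(uploads_root):
    """Check every file under uploads/; return {relative_path: [reasons]} for flagged files."""
    root = Path(uploads_root)
    flagged = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = check_upload(p)
            if reasons:
                flagged[p.relative_to(root).as_posix()] = reasons
    return flagged


def build_sample_uploads():
    """Constructed sample uploads folder (not real site data): one genuine JPEG,
    a real PNG header with PHP appended, a renamed script, and a plain PHP file."""
    root = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    (root / "2024").mkdir()
    (root / "2024/photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    (root / "2024/logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"<?php echo 1; ?>")
    (root / "2024/shell.php.jpg").write_bytes(b"<?php echo 'not an image'; ?>")
    (root / "2024/a9z8.php").write_bytes(b"<?php echo 1; ?>")
    (root / ".htaccess").write_bytes(b"# php blocked here\n")
    return root


if __name__ == "__main__":
    for rel, reasons in scan_uploads(build_sample_uploads()).items():
        print(rel, reasons)
```

The `magic_mismatch` and `php_code_inside` checks are the ones File Manager cannot do for you: a file that sorts as .jpg but fails either check should be treated exactly like a stray .php file.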

7. Remove or Quarantine Malicious Files

Once you identify suspicious files:

  • Download a copy if needed for analysis.

  • Delete them from File Manager.

  • If unsure, rename the file extension (e.g., file.php.bak) to disable it without full deletion.

8. Secure Your Site After Cleanup

After removing malware:

  • Change all passwords (WordPress, cPanel, FTP, database)

  • Update WordPress core, plugins, and themes

  • Reinstall clean versions of affected themes/plugins

  • Install a security plugin like Wordfence or iThemes Security (for ongoing monitoring)

Bonus Tips to Keep in Mind

  • Avoid installing nulled themes/plugins—they are a common malware source.

  • Disable PHP execution in uploads/ via .htaccess.

  • Set proper file permissions (644 for files, 755 for folders).
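File Manager shows permissions one item at a time, so a single world-writable folder is easy to miss. The script below is an added example, not part of the article: it walks the site, reports every file that is not 644 and every folder that is not 755, flags world-writable entries as the most urgent, and can correct them in place. It assumes Python 3 on a Linux host (the permissions model does not apply on Windows); the function names and sample tree are mine.

```python
import os
import stat
import tempfile
from pathlib import Path

FILE_MODE, DIR_MODE = 0o644, 0o755   # the article's recommended permissions


def audit_permissions(root, fix=False):
    """Report (and with fix=True, correct) files not at 644 and folders not at 755.
    Returns {relative_path: {"actual": "0o777", "expected": "0o755", "world_writable": bool}}.
    Symlinks are skipped; their targets are audited where they actually live."""
    root = Path(root)
    issues = {}
    for path in [root, *sorted(root.rglob("*"))]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue
        actual = stat.S_IMODE(st.st_mode)
        expected = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
        if actual != expected:
            rel = path.relative_to(root).as_posix()
            issues[rel] = {"actual": oct(actual), "expected": oct(expected),
                           "world_writable": bool(actual & stat.S_IWOTH)}
            if fix:
                os.chmod(path, expected)
    return issues


def build_sample_tree():
    """Constructed sample (not a real install): a correct file and folder next to
    a world-writable uploads folder and an over-permissive PHP file inside it."""
    root = Path(tempfile.mkdtemp(prefix="wp-perms-"))
    os.chmod(root, DIR_MODE)
    (root / "wp-content/uploads").mkdir(parents=True)
    os.chmod(root / "wp-content", DIR_MODE)
    os.chmod(root / "wp-content/uploads", 0o777)
    (root / "index.php").write_text("<?php\n", encoding="utf-8")
    os.chmod(root / "index.php", FILE_MODE)
    (root / "wp-content/uploads/x.php").write_text("<?php\n", encoding="utf-8")
    os.chmod(root / "wp-content/uploads/x.php", 0o666)
    return root


if __name__ == "__main__":
    site = build_sample_tree()
    for rel, info in audit_permissions(site).items():
        print(rel, info)
```

Run it once without `fix=True` to see the report; if a host uses a different convention (some deliberately keep wp-config.php tighter than 644), adjust the two constants before applying fixes rather than forcing the article's defaults onto every file.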

Final Thoughts

Manual malware scanning might sound intimidating at first, but it’s one of the most effective ways to regain control of your WordPress site when things go wrong. File Manager gives you direct access to every file; use that power to investigate and clean your site thoroughly.

By understanding what to look for and where malware often hides, you reduce your site’s vulnerability and save time waiting for automated tools to catch up.

If you ever feel overwhelmed, you can always consult your hosting provider’s support team. But knowing how to handle things yourself gives you an edge and helps maintain your site’s integrity long-term.