Security

Cleaning a hacked website: step-by-step malware removal guide

20.12.2033
โ† All articles

Discovering that your website has been infected with malware is a stressful experience for any site owner. When browsers display "This site may be dangerous" warnings or visitors complain about being redirected to suspicious destinations, it is clear the site has been compromised. The cleanup process must be thorough and methodical, otherwise the malicious code will return within days. Based on our experience working with Sayt.uz customers, malware most often enters through outdated plugins, weak passwords, or unpatched CMS installations.

Confirming the infection

Several signs indicate a malware infection: Google Search Console showing warnings in the Security Issues section, browsers blocking the site with red screens, visitors being redirected to advertising sites, or unfamiliar text appearing on the homepage. Start by scanning the site through external tools like VirusTotal or Sucuri SiteCheck. These services examine the site from outside and identify the type of infection. Also review server logs because access.log typically contains information about when and from which IP the breach occurred.

Backup and going offline

Before starting cleanup, always create a complete backup. Even an infected copy may be needed later as evidence. Archive the files and the database separately and store them in a secure location. Then put the site into maintenance mode or block external access through .htaccess. This protects visitors from the malicious code and prevents stricter penalties from Google. For WordPress, the WP Maintenance Mode plugin works well; for regular sites, a static holding page on the server is sufficient.

Scanning with Wordfence and Sucuri

For WordPress sites, the most effective cleanup tools are Wordfence and Sucuri Scanner. Even the free version of Wordfence compares core files with the originals from the WordPress.org repository and identifies modified files. Sucuri checks files against a database of known malware signatures. Use both tools since each has unique strengths. When suspicious files appear in scan results, review their contents before deleting, because legitimate files are sometimes flagged as false positives.

Manual inspection steps

Automated scanners cannot find all malicious code, so manual inspection is essential. Get a list of files modified in the last 30-60 days using the find command via SSH, or by sorting files by date in an FTP client. Pay attention to unfamiliar PHP files, especially in the uploads folder, which should contain only images. Code using the eval(), base64_decode(), and gzinflate() functions is often malicious. Carefully inspect the .htaccess file, because redirect rules or unfamiliar RewriteRule directives may be traces of the breach.
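The four inspection steps above as one shell triage script, added here as an example; it is not Sayt.uz tooling or code from the article. It assumes a WordPress layout under the web root you pass (paths like /var/www/example are placeholders), GNU find and grep as found on a typical Linux host, and it builds its own constructed sample site so the helpers can be exercised offline.

```shell
# Triage helpers for the manual inspection steps. Added example, not Sayt.uz tooling;
# /var/www/example below is a placeholder. Run from an SSH session as the site's user:
#   . ./triage.sh && triage_webroot /var/www/example 60

# 1. Files changed in the last N days (default 60); a cleanup starts from this list.
recently_modified() {
    find "$1" -type f -mtime "-${2:-60}" ! -path '*/cache/*' 2>/dev/null | sort
}

# 2. Code where only media belongs: PHP-named files in uploads, and image-named files holding PHP.
code_in_uploads() {
    uploads="$1/wp-content/uploads"
    [ -d "$uploads" ] || return 0
    find "$uploads" -type f \( -iname '*.php*' -o -iname '*.phtml' \) 2>/dev/null
    find "$uploads" -type f ! -iname '*.php*' ! -iname '*.phtml' \
        -exec grep -lF '<?php' {} + 2>/dev/null
}

# 3. The obfuscation idioms the article names. Hits are leads to read, not verdicts:
#    legitimate plugins call base64_decode() too, so compare against the vendor copy.
suspicious_php() {
    grep -rlE --include='*.php' \
        'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(' "$1" 2>/dev/null
}

# 4. Redirect rules in every .htaccess under the web root, with file:line for review.
htaccess_redirects() {
    find "$1" -type f -name .htaccess -exec grep -HnE 'RewriteRule|RewriteCond|Redirect' {} + 2>/dev/null
}

# Full report in the order the article walks through the checks.
triage_webroot() {
    for step in recently_modified code_in_uploads suspicious_php htaccess_redirects; do
        printf '== %s ==\n' "$step"; "$step" "$1" "$2"
    done
}

# Constructed sample web root for a dry run; the planted "malware" is inert
# (the base64 string decodes to the word CONSTRUCTED, which is not valid PHP).
make_sample_site() {
    site="$(mktemp -d)"
    mkdir -p "$site/wp-content/uploads/2024/05" "$site/wp-content/plugins/good"
    printf '<?php echo "legitimate plugin";\n' > "$site/wp-content/plugins/good/good.php"
    printf '<?php eval(gzinflate(base64_decode("Q09OU1RSVUNURUQ=")));\n' \
        > "$site/wp-content/uploads/2024/05/image.php"
    printf '<?php echo "not an image";\n' > "$site/wp-content/uploads/2024/05/photo.jpg"
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/ [R=302,L]\n' > "$site/.htaccess"
    printf '%s\n' "$site"
}
```

Every hit the script prints still needs a human to open the file and compare it with a known-good copy before anything is deleted.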

Sayt.uz practice

On the Sayt.uz hosting network, our ImunifyAV module automatically scans files of every site. If malware is detected, an alert appears in the customer dashboard and our technical team contacts the customer within 24 hours. Automatic daily backups are kept for 14 days, so reverting to a clean state usually takes a single click. We also offer the premium ImunifyAV+ option which automatically cleans malicious code and closes existing vulnerabilities going forward. The Sayt.uz support team assists with any complex situation.

Changing passwords and closing vulnerabilities

After cleanup, change all passwords: WordPress admin, FTP/SSH, database user, hosting panel, email accounts. The attacker may have entered through one weak point and then compromised the others. Update all plugins, themes, and the core CMS to the latest versions. Remove unused plugins because every extra component expands the attack surface. Enable two-factor authentication and change the admin login URL from the default /wp-admin to something else.

Removal from Google blacklist

After cleanup, request reconsideration through Google Search Console. In the Security Issues section click Request Review and briefly describe how the malware was removed and what measures were taken. Google typically rechecks the site within 24-72 hours. Run the same procedure in Yandex Webmaster as well. Browser warnings may take several days to disappear.
