Malware doesn't always come from malicious-looking websites; sometimes it comes from perfectly legitimate ones, too.

In fact, hackers routinely upload malware to legitimate websites, especially those that lack proper protection. They can then use those websites for other malicious activities as well, such as spamming, phishing attacks and DDoS attacks.

Hackers upload malware to unprotected websites in different ways: as disguised plugins, or through source code manipulation, drive-by downloads, malicious redirection, phishing, backdoors and so on. These hacks are never visible on your webpage. The attacks are sophisticated enough that website owners are usually not even aware they've been attacked.

So, how do you know if your website has been infected? And how do you remove malware from your site once you detect it? Here are some tips:

Begin with Google Free Malware Checker

Google's website checker is a free service that uses Google's safe browsing technology to help determine whether a website is safe or potentially dangerous to visit. You can check your website for malware on Google's free malware checker.

You could also run a website check on the Google Console via the "Health" menu. Better still, if Google had earlier flagged your website as holding malware, this check helps clear the flag once you have removed the malware from your site.

Go for a malware scan

Another great way to check your website for any malware is the free website scan service by cWatch Web. cWatch will not only scan for malware but will also rate the security of your website and provide a free malware removal service.

cWatch is a user-friendly platform that scans and monitors the traffic on your website, allowing you to then take action to remove any identified malware. The platform also provides an additional suite of fully managed security solutions that will take care of any infections on your website.

Try code monitoring and backup

Code monitoring, which includes monitoring changes to your website's code, is a very effective way to check whether your website has been compromised.

You could use a trusted code monitoring service, while at the same time ensuring proper backup of your website data. Good code monitoring tools provide data backup along with monitoring of the website's code. Once you detect malware on your website, you can remove it from your site and then restore the data.

WordPress Security Plugin for WordPress Sites

For WordPress websites, WordPress gives its own WP Antivirus site protection, which is a really useful security plugin that protects websites against all kinds of malware, trojans, backdoors, rootkits etc.

The highlight of this security tool, which has free and paid versions, is that it can scan all plugins and media files uploaded to your website. The free version of the WP security plugin is enough for weekly scans, while the paid version is needed for more frequent scans.

WordPress also provides another free plugin named gotmls, which helps you scan your WordPress website and also helps remove malware from your site. You are notified of its activities in the admin bar section. A special thing about this plugin is that it has built-in DDoS protection plus a WordPress login page hardening feature too.

Now, in case you have hosted your website using one of the ready-made themes you get from WordPress, you need to check your website very meticulously. This is because most of these themes are uploaded from third-party vendors. Thus, you could end up with malware on your website without a proper check for authenticity and security. You could solve this by using the theme authenticity checker plugin, which would check for common injection malware in the theme files and footer links as well.

Linux Malware Detect

Advanced users with their own server could also rely on LMD (Linux Malware Detect) to scan their server; LMD yields great results, especially with regard to detecting PHP backdoors, dark mailers etc.

Do a manual check

Last but not least, it's always good to do a manual check. You can manually inspect your files, especially .htaccess files, .php files, media files etc., which are more likely to attract hackers. Search all directories for base64 encoding and then, if you find any kind of malicious links being inserted, go for a prompt repair of your website.
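
The manual check described above can be scripted. The following Python is an added example, not code from this article or from any of the tools it names; the patterns, the media extension list and the sample files in `demo()` are assumptions constructed for illustration, and a hit only marks a file for human review.

```python
import re
import tempfile
from pathlib import Path

# Review heuristics assumed for this example; a hit means "inspect by hand".
B64_CALL = re.compile(rb"base64_decode\s*\(", re.I)
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
# Redirects to a literal URL; server variables such as %{HTTP_HOST} are skipped.
EXT_REDIRECT = re.compile(
    rb"^\s*(?:RewriteRule|Redirect\w*)\b.*https?://(?!%\{)", re.I | re.M)
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico"}

def check_file(path):
    """Return the reasons (possibly none) this file deserves a manual look."""
    data, ext, reasons = path.read_bytes(), path.suffix.lower(), []
    if ext == ".php":
        if B64_CALL.search(data):
            reasons.append("base64_decode call")
        if B64_BLOB.search(data):
            reasons.append("long base64-like string")
    elif path.name == ".htaccess" and EXT_REDIRECT.search(data):
        reasons.append("redirect to external URL")
    elif ext in MEDIA_EXT and b"<?php" in data.lower():
        reasons.append("PHP code inside media file")
    return reasons

def scan_tree(root):
    """Map each flagged file's path (relative to root) to its reasons."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): r for p in sorted(root.rglob("*"))
            if p.is_file() and (r := check_file(p))}

def demo():
    """Scan a small constructed site tree (sample data, not from a real site)."""
    samples = {
        "index.php": b"<?php echo 'hello'; ?>",
        "inc/cache.php": b"<?php $c = base64_decode('ZWNobyAxOw=='); ?>",
        ".htaccess": b"RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]\n",
        "shop/.htaccess": b"RewriteRule ^ http://redirect.example/ [R=302,L]\n",
        "uploads/logo.png": b"\x89PNG\r\n<?php /* constructed */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(root)
```

Call `scan_tree()` on a copy of the document root; legitimate code also uses base64, so each hit still needs to be read before anything is deleted.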


It needs to be added, as a postscript, that no malware scanning method is foolproof, especially since hackers today keep improvising techniques for malware infiltration and planning attacks. Still, trusted malware scanning tools like cWatch Web ensure maximum protection for your websites and strive to keep you uninfected in the most effective of ways.