How to Check cPanel for Hacked Files
If your website suddenly redirects, loads slowly, or shows strange code, you may need to inspect cPanel for compromised files.
This guide explains how to check cPanel for hacked files using built-in tools, file patterns, and safe verification steps.
Because many web attacks leave subtle traces, the most effective approach is not just looking for obvious malware, but comparing file activity, permissions, timestamps, and account behavior.
First Signs Your cPanel Account May Be Compromised
Hacked files often show indirect symptoms before the malware is obvious.
In cPanel environments, common warning signs include unexpected PHP scripts, changes to .htaccess rules, or new files in directories that normally remain static.
- Homepage redirects to spam or phishing pages
- Unknown admin users in CMS platforms like WordPress or Joomla
- New PHP, JS, or .ico files in image or upload folders
- Modified file timestamps without a known update
- Unusual CPU or entry process spikes in cPanel metrics
- Messages about blacklisting from Google Safe Browsing or email providers
Where to Start in cPanel
cPanel itself does not replace a malware scanner, but it gives you several useful places to investigate.
Start with File Manager, then review Metrics, Raw Access, and any security tools your host provides, such as ImunifyAV, ClamAV, or VirusTotal integration.
Use File Manager to Inspect Suspicious Directories
Open File Manager and review the most commonly abused locations: public_html, wp-content, uploads, cache folders, and any directory that allows write access.
Attackers often hide malicious payloads in places where images or attachments are stored.
Sort by modified date and look for files you did not create.
Pay close attention to filenames that imitate legitimate assets, such as logo.php, style1.php, or class-wp.php, because attackers often use trusted-sounding names to avoid detection.
Check for Hidden Files and Unusual Extensions
Enable hidden file visibility in File Manager so you can inspect .htaccess, .user.ini, and other dotfiles.
These files are frequently altered to force redirects, inject PHP handlers, or weaken security settings.
- .php files inside image folders
- .phtml, .php5, .phar, or .ico files with code inside
- Long random filenames or base64-looking strings
- Files with double extensions such as image.jpg.php
File Patterns That Commonly Indicate Malware
When learning how to check cPanel for hacked files, pattern recognition matters.
Most malicious files are not random; they are built to survive scans, persist through updates, or execute silently.
Common Malware Code Indicators
Open suspicious files and look for obfuscation, especially when code is compressed into a single line or wrapped in encoding functions.
Hackers use this to hide payloads from casual review.
- eval(), base64_decode(), gzinflate(), str_rot13()
- preg_replace() with the /e modifier in old code
- Long strings of encoded text
- Unfamiliar includes from remote URLs or strange local paths
- References to system(), exec(), shell_exec(), or passthru()
Not every occurrence of these functions is malicious, but they deserve review when they appear in files that should only serve static content.
Check for Unauthorized PHP in Uploads and Cache
In content management systems, upload folders should usually contain media files, not executable code.
A PHP file in wp-content/uploads or a similar directory is one of the clearest signs of compromise.
The same applies to cache directories, where attackers sometimes place backdoors because these locations are overlooked.
How to Review File Ownership and Permissions
Incorrect permissions can expose your account to repeated reinfection.
In cPanel File Manager, review permissions for scripts, directories, and configuration files.
Typical safe defaults vary by application, but in general, directories should not be writable by everyone, and critical files should not allow unnecessary execution.
Look for cases where a file permission changed from 644 to 777 or from 755 to something far more permissive.
World-writable files are a frequent security problem in shared hosting environments.
- Directories should usually be 755 or similar
- Files should usually be 644 or similar
- Configuration files may need tighter restrictions
- Avoid 777 unless your host specifically requires it temporarily
If cPanel shows file ownership details, compare them with your normal account structure.
Unexpected ownership changes can indicate a script ran under another user context or that your hosting environment has been affected by privilege abuse.
Use cPanel Logs to Trace Suspicious Activity
Logs help you determine whether suspicious files were uploaded through a vulnerable plugin, stolen credentials, or a compromised form.
In cPanel, review Raw Access Logs, Errors, and any available access statistics to identify when the behavior started.
What to Look for in Access Logs
Search for POST requests to vulnerable endpoints, repeated login attempts, strange user agents, and requests to file upload handlers.
If a malicious file appeared at a specific time, compare that timestamp to access logs from the same window.
- Requests to xmlrpc.php, admin-ajax.php, or login pages
- Unexpected POST activity to upload scripts
- Repeated 404s for probing common exploit paths
- Requests from unfamiliar IP addresses or countries
Review Error Logs for Execution Clues
Error logs can reveal broken include paths, suspicious function calls, or PHP warnings that point to tampering.
A file that was inserted by an attacker may generate parse errors, especially if it was uploaded incorrectly or partially removed.
How to Compare Clean and Suspicious Files
A reliable way to check cPanel for hacked files is to compare suspicious code with known-good versions from backups or official source packages.
If you run WordPress, Joomla, Drupal, or another CMS, re-download core files from the vendor rather than trusting infected copies already on the server.
Compare these items first:
- Core application files
- Theme and plugin files you did not customize
- .htaccess and index files
- JavaScript files injected into templates
If a file contains unfamiliar code added near the top or bottom, that is a common sign of injected malware.
Attackers often append payloads to legitimate files to make the site continue working while still executing malicious logic.
Scan with Malware Tools Available Through cPanel
Many hosting providers include malware scanners directly in cPanel or through the server control environment.
If available, run a full account scan rather than only a public_html scan, because backdoors may exist outside your document root.
Helpful tools may include ImunifyAV, ClamAV, or host-managed security plugins.
These tools can detect known signatures, suspicious PHP patterns, and some web shells, but manual verification is still important because attackers frequently customize their code.
If a scan finds infections, quarantine or rename the files first when possible.
Deleting immediately can remove evidence you may need to trace the breach source.
Check for Backdoors Hidden Outside the Web Root
One common mistake is focusing only on visible website folders.
Attackers often place backdoors in home directory subfolders, temporary directories, mail-related paths, or oddly named hidden folders that are not part of the website itself.
Review your account structure carefully in File Manager and look for:
- Recently created folders with generic names
- PHP files in non-website directories
- Archive files such as .zip or .tar.gz left behind after uploads
- Suspicious cron-related scripts or task files
Also inspect any scheduled tasks in cPanel Cron Jobs.
Malicious cron entries can restore malware after you remove it, which makes cleanup fail repeatedly.
Safe Steps After You Find Suspicious Files
Once you identify likely hacked files, avoid editing the live copy first.
Download the file for evidence, isolate it if your host provides quarantine features, and then replace it with a clean version from a trusted source or backup.
- Change all passwords for cPanel, FTP, CMS, databases, and email
- Review user accounts and remove unknown admins
- Update CMS core, plugins, themes, and server software
- Rotate security salts and API keys where applicable
- Reset file permissions and verify cron jobs
If the compromise is extensive, restore from a clean backup created before the intrusion and then patch the original weakness before reopening the site to traffic.
How to Reduce the Chance of Reinfection
Cleaning hacked files is only part of the job.
To prevent repeat infections in cPanel, close the entry point that allowed the attack.
That usually means updating vulnerable extensions, disabling unused upload features, enforcing strong authentication, and limiting write access to only the folders that need it.
Regularly review your cPanel account for new files, failed logins, and permission changes.
Scheduled scans, backup validation, and log monitoring make future compromise easier to detect and much harder to miss.