Hostinger WordPress Malware Scan: How to Detect & Remove Infections

Hostinger provides a server-level malware scanner accessible from hPanel:

1. Log in to hPanel → Security → Malware Scanner
2. Click Run Scan for your WordPress site
3. The scanner checks all files against known malware signatures
4. Results show: infected files, file paths, malware type, and severity
5. For each infected file, you can view, quarantine, or delete it directly from hPanel

The scanner runs at the server level — it can detect malware even if your WordPress admin is inaccessible (which happens with severe infections). It checks PHP files for known backdoors, shell scripts, encoded malware, and spam injections.

Common signs of WordPress malware on Hostinger:

• Redirects: Site redirects to spam or phishing pages (especially on mobile)
• Google warning: 'This site may be hacked' or 'Deceptive site ahead' in search results
• Spam pages: Unknown pages or posts appearing (Japanese keyword spam is very common)
• Slow performance: Sudden unexplained slowness from cryptomining scripts
• Account suspension: Hostinger suspends your account for malware activity
• Modified files: Core WordPress files show unexpected modifications in File Manager
• Unknown admin users: New admin accounts you didn't create

If Hostinger's scanner finds malware, follow this cleanup process:

1. Don't panic. Take a backup of the infected site first (yes, even infected — for forensics and in case cleanup goes wrong)
2. Change all passwords: WordPress admin, FTP, hPanel, database passwords. Do this immediately.
3. Review infected files: Check if malware is in a plugin, theme, or WordPress core file
4. If in a plugin/theme: Delete and reinstall from the official WordPress repository. Do NOT simply update — the infected file may persist.
5. If in core files: Reinstall WordPress core: via WP-CLI (wp core download --force) or hPanel → WordPress → Reinstall
6. Check database: Search for <script> tags in wp_posts and wp_options tables via phpMyAdmin
7. Remove unknown users: WordPress admin → Users → delete any admin accounts you didn't create
8. Scan again: Run Hostinger malware scanner + Wordfence scan to verify cleanup

Hostinger's scanner catches server-level malware. Wordfence catches WordPress-specific threats at the application level. Use both:

1. Install Wordfence Security (free) from Plugins → Add New
2. Go to Wordfence → Scan → Start Scan
3. Wordfence compares your files against the official WordPress repository, checking for modifications, injections, and backdoors
4. For critical files, Wordfence lets you view the diff (what changed) and repair with one click

Wordfence's scan is more detailed than Hostinger's for WordPress-specific threats, while Hostinger's scan catches server-level malware that Wordfence might miss. Run both for comprehensive coverage.

After cleanup, harden your WordPress installation:

• Enable auto-updates for all plugins and themes (hPanel → WordPress → Auto Updates)
• Remove deactivated plugins — they're still exploitable even when inactive
• Install Wordfence with firewall enabled in Protection mode
• Use strong passwords + 2FA for all admin accounts
• Download plugins only from WordPress.org or verified commercial sources (never from 'nulled' theme sites)
• Run Hostinger malware scanner weekly — set a calendar reminder
• Keep daily backups enabled so you always have a clean restore point