But what can you do if Virus Scanner is not effective and viruses were not found in your hosting cPanel? Then our support team can run an internal scan and provide you with a report that contains comprehensive information about each file in your hosting panel, the viruses, and suspicious matches (if some are present). For more on this, please check how to work with your scan report.

Quick Tip: if the scan report shows something like [Virus Found]: The_name_of_virus, then you should immediately remove the file.

Since clearing the viruses and removing malicious files and databases can affect your website structure, it is not certain that the website will display deleted or quarantined content. Make sure you have a backed-up version of your website files before removing them.
Keep in mind that Google and other search engines can block websites for malicious content at their sole discretion to avoid potential damage to user devices. In this case, your website cannot be unblocked by your host.

In your scan report, Webshell is a file that provides remote access for a malicious actor in your website's directory or hosting account. The Worldwriteable directory means that the file or directory has special permissions for external users. In other words, the attacker can manipulate malicious scripts from such a directory because it’s open globally. You can learn more in this guide to file permissions.

Removing malicious cron jobs

Let's imagine you clear your website from malicious content and viruses. But the same files are somehow recreated right after their removal. This is because the viruses sometimes create cron jobs in cPanel to be able to recreate themselves or execute other malicious tasks on the server. Once you notice the files are being recreated after their removal, check the "Cron Jobs" menu in your cPanel account. You can remove any cron jobs that you did not set up.

It is often the case that the cron jobs that recreate malicious files have the wget command in the cron command. The wget command is a non-interactive network downloader that allows the sending of GET requests to the attacker's server (or computer) to constantly update or reinstall malicious files.

When it comes to server processes, you can ask our support team to reset your light virtual environment (cage) to stop the scripts intercepted by viruses. To see the list of active processes on the server, use one of the following command in cPanel > Terminal:

ps axu (read more on this in the ps manual)
ps faux or top -c

This will give you a report of the current processes active on the server. In case you notice something unfamiliar or a suspicious-looking process that has to be stopped, get in touch through our Help Center.

Also, you can find more information on how to manage active processes on Shared and Reseller server here.

Permissions and owners

You may find a directory cannot be removed and returns the following error message:

FileOp Failure on: /path/directory/file: Directory not empty:

This error means you don't have permission to remove the content in the directory because it contains files that cannot be rewritten. Detailed information about the permissions for files and folders can be found in this file permissions guide.

Note that the correct permission for website files is 0644 and 0755 for folders. You may not have the required permissions to change these, but you can try changing the permissions of the whole directory and then try deleting the folder/file again. Please follow this guide.

Remember that the #WorldReadable file or folder in your scan report may also mean that an attacker has more permissions on the file or a folder, so we suggest checking before changing permissions and removing them.
The reason why we do not suggest removing all files/folders matched as #WorldReadable is that the file can be safe but for various reasons, the script developer decided to keep easy access for the user. In such situations, we recommend reinstalling files from trusted sources and comparing the content in the directory against the original.

Final steps

After removing viruses, killing malicious cron jobs and processes, and configuring the appropriate permissions for the safe files and folders, follow these steps to return your website to working condition:

1. Follow our guide on replacing core WordPress files.
2. Clear LiteSpeed Cache and flush your caching plugins.
3. Scan your hosting account again to make sure there are no malicious files left.
4. Follow steps to improving WordPress security in respect to your scan report. For example, if the PHP Exploit was intercepted through a plugin, explain this vulnerability to the developers or use another plugin with a similar function. If the malicious script was found in a website database, change the database password in the MySQL Databases menu and in the wp-config.php file using this guide.

You can request the backup restoration if these steps are not successful. Please note that we are unable to monitor or maintain websites to know when or how they are attacked, and how long the malicious files were stored in the website directories.

That's it!