
SFTP vs. cPanel vs. WP-CLI for Cleanup: What to Use During a Malware Incident (and Why)

May 3, 2026

A surprising truth: most “malware cleanup” failures aren’t caused by the malware itself. They’re caused by using the wrong tool at the wrong step, like deleting the wrong folder or missing the real entry point.

If you’re dealing with a hacked WordPress site in 2026, SFTP vs. cPanel vs. WP-CLI for cleanup isn’t a fun debate. It’s a practical decision that affects how fast you can restore trust, remove backdoors, and stop reinfection.

Here’s the direct answer up front: use cPanel File Manager for quick checks and screenshots, use SFTP for safe file moves and backups, and use WP-CLI for repeatable WordPress-level cleanup (users, plugins, themes, and core files). You’ll also want a clear “containment → verify → clean → harden” order so you don’t chase ghosts.

How to choose SFTP vs. cPanel vs. WP-CLI during a malware incident

Each tool shines at a different stage of incident response. Think of it like a toolbox: you don’t use a wrench to paint a wall.

cPanel is best when you need quick access to logs, domains, basic file browsing, and one-off actions. SFTP is best when you need careful file transfers, reliable backups, and moving suspicious files off the web root without mistakes. WP-CLI is best when you need to change WordPress data in a controlled way, especially when attackers messed with users, plugin settings, or database-backed options.

In real cases I’ve seen, the cleanup goes wrong when someone starts by deleting files without first verifying how the compromise happened. Even one wrong delete can remove a file you later need for forensic comparison, or a legitimate file whose absence makes the site look “still hacked” when it is merely broken.

SFTP for cleanup: when secure file transfer is the safest move

SFTP is a secure way to move files between your computer and the server, and during a malware incident it’s often the safest “hands-on” tool for working with the filesystem.

SFTP is the SSH File Transfer Protocol: it runs inside an SSH session, so your login and the file contents are encrypted in transit (plain FTP sends both in the clear and should not be used on a compromised site). That matters because cleanup often includes copying suspicious code out for review, then restoring the right version, and you do not want an attacker on the same network to read either.

Best SFTP cleanup tasks (and why they matter)

Use SFTP when you need control and a clear paper trail. I like it most for the steps where “close enough” can cause trouble.

  • Make backups before changes: Download the whole public_html folder (or at least the areas you’ll touch) before you start editing, and export the database as well (phpMyAdmin in cPanel, or wp db export over SSH), because persistence often lives in users and options rather than in files. In many incidents, the attacker leaves multiple small changes across different folders.
  • Move infected files out of the web root: Instead of deleting right away, rename or move suspicious folders. If you later find you removed the wrong file, it’s easier to put it back.
  • Compare file timestamps and sizes: Fresh modification dates are a useful first filter, and SFTP clients show sizes and dates so you can sort on them. Treat them as a hint only: attackers can set a dropped file’s timestamp to match its neighbours, so a normal-looking date does not clear a file.
  • Check plugin, theme and mu-plugin folders: Many compromises hide inside wp-content/plugins, wp-content/themes or wp-content/mu-plugins (must-use plugins load automatically and never show as deactivatable in the dashboard) with small one-line changes.

What most people get wrong with SFTP

Here are the common mistakes I see from small business owners and even from some rushed “fixes.”

  • They download everything and never review: A full download is only useful if you inspect the files. If you can’t review quickly, at least sort by “modified” date and start there.
  • They delete, then discover they needed the evidence: Keep a copy. Even if you’re not doing a full legal investigation, keeping the suspicious files helps confirm what you removed.
  • They edit files directly on the server: If your editor crashes or saves in a different encoding, you can break the site. Prefer downloading → edit → upload.

Simple SFTP incident workflow I use

  1. Freeze the site impact: If you can, put the site in maintenance mode or block traffic (your host may offer a tool). This buys time while you clean.
  2. Backup with SFTP: Copy public_html (or your WordPress directory) to your local machine.
  3. Identify suspicious areas: Focus on /wp-content/uploads for PHP files that should not be there (often named to look like images, icons or cache files), and on plugins, themes and mu-plugins for PHP backdoors.
  4. Extract and inspect: Search inside PHP files for base64_decode, eval, gzinflate, str_rot13, or strange wp-config.php edits.
  5. Quarantine infected files: Move suspicious files out of the web root before deleting anything. Renaming in place (for example, appending .quarantine) is quicker, but on Apache hosts that map PHP with AddHandler a file named shell.php.quarantine can still execute, so a rename is only safe once you have confirmed the server no longer serves it. Then test the site.
  6. Restore clean versions: For plugins/themes, reinstall from the official WordPress plugin/theme sources when possible.

cPanel for cleanup: fast checks, logs, and file browsing

cPanel is the tool most hosting accounts already include, and it’s great when you need quick answers like “what changed?” or “where is the error?”

cPanel is not magic. It’s a control panel. You still need a plan, but it can speed up the early incident response.

cPanel cleanup tasks that pay off quickly

During an incident, these tasks often save hours.

  • Turn on maintenance mode: Some hosts have a “Maintenance” or “Soft Lock” feature. If not, you can do it via a plugin or by placing a .maintenance file in the WordPress root. Remember that this stops visitors, not cron jobs and not an attacker who already holds valid credentials.
  • Review error logs and access logs: Error logs show PHP fatal errors that often appear after attackers drop broken code. Access logs show odd requests to hidden files, and repeated POST requests to a single file under wp-content/uploads are a classic sign of a web shell in use.
  • Check scheduled tasks (cron): Malware commonly re-infects sites from scheduled jobs. Check two places: the cPanel Cron Jobs page (system cron for your account) and WordPress’s own scheduler, WP-Cron (wp cron event list over WP-CLI), because a malicious plugin can register a recurring event there. Find and remove suspicious entries.
  • Use File Manager for quick “spot checks”: This is good for finding a few obviously bad files, but not my first choice for editing lots of code.
  • Manage backups: Many hosts offer snapshots. Just remember: a backup can restore the infection if you pick the wrong date.

Where cPanel can hurt you

The danger with cPanel comes from speed and convenience.

  • Accidental deletes from File Manager: It’s easy to remove the wrong file when you’re stressed. “Rename” first, and double-check the full path.
  • Editing files in-place: File Manager editors can change line endings or encoding. For small changes it’s okay, but for serious cleanup I prefer SFTP + local edits.
  • Restoring backups blindly: If your backup date is after the compromise, you’ll bring the backdoor back too.

A real-world example from a hack case study

In one cleanup I handled, the site started serving spammy pages only after midnight. The first instinct was to scan theme files, because that’s where attackers looked “loudest.”

But in cPanel, the real clue was a suspicious cron job that ran a PHP file from /wp-content/uploads. Once we removed the cron entry and quarantined that file, the spam stopped within minutes.

This is why I always check scheduled tasks before I assume the theme is the root cause.

WP-CLI for cleanup: controlled WordPress-level recovery

WP-CLI is command-line access to WordPress, and it’s one of the best ways to clean malware that hides in WordPress data like users, options, and plugin settings.

WP-CLI is a PHP command-line tool you run over SSH from the WordPress directory. If it isn’t installed, ask your host or follow your host’s install instructions. One caveat that matters during an incident: every wp command boots WordPress, including wp-config.php, must-use plugins and active plugins, so a backdoored plugin executes under your shell account the moment you run a “harmless” listing. Run cleanup commands with the global --skip-plugins --skip-themes flags until the plugin and theme folders are confirmed clean.

WP-CLI tasks that matter during malware cleanup

These commands help you fix the “WordPress side” of compromises, not just the files.

  • List users and lock suspicious accounts: Attackers often create new admin users with names that look random.
  • Reinstall or delete compromised plugins/themes: If a plugin is compromised, removing it is often faster than guessing which file is modified.
  • Reset options: Malware frequently updates WordPress options (settings stored in the database), like redirect rules or injected scripts.
  • Verify core: Compare WordPress core files to known good versions.
  • Search for world-writable directories: WordPress compromises often correlate with unsafe permissions (directories any account on the server can write to, or PHP execution still allowed under wp-content/uploads).

WP-CLI examples (practical, not just theory)

Exact commands depend on your setup, but these are common patterns. Add --skip-plugins --skip-themes to each while the site is still suspect, and run them from the directory that contains wp-config.php (or pass --path).

  • List administrator accounts and compare them with your baseline: wp user list --role=administrator
  • List installed plugins (must-use plugins appear with the status must-use): wp plugin list
  • Check themes: wp theme list
  • Disable a plugin: wp plugin deactivate plugin-slug
  • Remove a plugin: wp plugin delete plugin-slug

When I’m cleaning a compromised site, WP-CLI is also where I confirm whether a “harmless” plugin is still registered. Sometimes the plugin files are gone, but the database still points to odd settings.
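The comparison against a baseline is the step that actually finds the attacker’s admin user or surprise plugin, so here is that step as an added example for this article (not code from the page or from WP-CLI). It assumes you exported the lists once from a known-good copy or your own records and once now, using these real WP-CLI commands: wp user list --role=administrator --format=json --fields=ID,user_login,user_email,user_registered and wp plugin list --format=json --fields=name,status,version. The JSON in the block is constructed sample output; the drafted commands are for a human to review, not to run blindly.

```python
"""Diff WP-CLI baseline exports against the current state and draft follow-ups.

Added example for this article, not code from the page or from WP-CLI. Every
drafted command carries --skip-plugins --skip-themes: WP-CLI loads the site's
PHP, so without those flags a backdoored plugin runs inside your shell.
"""
import json


def diff_admins(before_json, after_json):
    before = {u["user_login"]: u for u in json.loads(before_json)}
    after = {u["user_login"]: u for u in json.loads(after_json)}
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        # a changed e-mail on a known admin is how attackers hijack password resets
        "changed_email": sorted(l for l in common
                                if before[l].get("user_email") != after[l].get("user_email")),
    }


def diff_plugins(before_json, after_json):
    before = {p["name"]: p for p in json.loads(before_json)}
    after = {p["name"]: p for p in json.loads(after_json)}
    common = set(before) & set(after)
    return {
        "added": [(n, after[n]["status"]) for n in sorted(set(after) - set(before))],
        "removed": sorted(set(before) - set(after)),
        "status_changed": [(n, before[n]["status"], after[n]["status"])
                           for n in sorted(common) if before[n]["status"] != after[n]["status"]],
        "version_changed": [(n, before[n]["version"], after[n]["version"])
                            for n in sorted(common) if before[n]["version"] != after[n]["version"]],
    }


def draft_commands(admin_report, plugin_report, before_admins_json):
    """Turn the two reports into WP-CLI lines (and notes) for manual review."""
    flags = "--skip-plugins --skip-themes"
    before = {u["user_login"]: u for u in json.loads(before_admins_json)}
    # content of deleted accounts is reassigned to the lowest-ID known-good admin
    keep_id = min(int(u["ID"]) for u in before.values())
    lines = []
    for login in admin_report["added"]:
        lines.append(f"wp user delete {login} --reassign={keep_id} {flags}")
    for login in admin_report["changed_email"]:
        lines.append(f"wp user update {login} --user_email={before[login]['user_email']} {flags}")
    for name, status in plugin_report["added"]:
        if status == "must-use":
            # mu-plugins have no activation state; the file itself has to go
            lines.append(f"# {name} is a must-use plugin: wp plugin deactivate cannot touch it; "
                         f"move wp-content/mu-plugins/{name}* out of the web root via SFTP")
        else:
            lines.append(f"wp plugin deactivate {name} {flags}")
            lines.append(f"wp plugin delete {name} {flags}")
    for name, old, new in plugin_report["status_changed"]:
        lines.append(f"# review: {name} changed from {old} to {new}; confirm the owner did this")
    return lines


# Constructed sample exports (shape matches wp ... --format=json with the fields above).
ADMINS_BEFORE = json.dumps([
    {"ID": 1, "user_login": "owner", "user_email": "owner@example.com", "user_registered": "2021-03-04 10:11:12"},
    {"ID": 4, "user_login": "jane", "user_email": "jane@example.com", "user_registered": "2022-07-19 08:00:00"},
])
ADMINS_AFTER = json.dumps([
    {"ID": 1, "user_login": "owner", "user_email": "owner@mailbox.example", "user_registered": "2021-03-04 10:11:12"},
    {"ID": 4, "user_login": "jane", "user_email": "jane@example.com", "user_registered": "2022-07-19 08:00:00"},
    {"ID": 57, "user_login": "wp_support_x9", "user_email": "x9@mail.example", "user_registered": "2026-05-01 03:14:00"},
])
PLUGINS_BEFORE = json.dumps([
    {"name": "akismet", "status": "inactive", "version": "5.3"},
    {"name": "woocommerce", "status": "active", "version": "9.0.1"},
])
PLUGINS_AFTER = json.dumps([
    {"name": "akismet", "status": "active", "version": "5.3"},
    {"name": "woocommerce", "status": "active", "version": "9.0.1"},
    {"name": "wp-cache-helper", "status": "must-use", "version": ""},
    {"name": "seo-booster", "status": "active", "version": "1.0"},
])


def example_run():
    admins = diff_admins(ADMINS_BEFORE, ADMINS_AFTER)
    plugins = diff_plugins(PLUGINS_BEFORE, PLUGINS_AFTER)
    return admins, plugins, draft_commands(admins, plugins, ADMINS_BEFORE)


if __name__ == "__main__":
    for line in example_run()[2]:
        print(line)
```

The e-mail check is there on purpose: an attacker who changes the owner’s address can request a password reset and walk back in after you have “cleaned” the users, so restore the address and then reset every remaining admin password.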

What people misunderstand about WP-CLI during a hack

WP-CLI is not a magic malware remover. It doesn’t scan every file for you like a full security scanner would.

  • It can’t fix a compromised PHP file you can’t find yet: If attackers changed files rather than database records (a backdoor dropped in uploads, a modified plugin file), you still need file-level cleanup via SFTP.
  • It can break the site if used on the wrong directory: Run it from the directory that holds wp-config.php (or pass --path), and confirm the DB_NAME in that wp-config.php is the site you think you are cleaning before changing anything.
  • It’s still easy to remove too much: Reinstalling everything fast can remove a necessary custom plugin. If you have custom code, document it before deleting.

SFTP vs. cPanel vs. WP-CLI: which one should you use at each cleanup step?

Here’s the clean way to decide. Use the table as a guide during the incident, not as a substitute for checks.

Cleanup step, best tool, why it fits, and the common risk at that step:

  • Contain the incident fast. Best tool: cPanel (maintenance mode) plus any host firewall option. Why it fits: quickest way to block traffic while you work. Common risk: maintenance mode stops visitors, not cron jobs or an attacker holding valid credentials.
  • Full backup before touching files. Best tool: SFTP (plus a database export). Why it fits: an encrypted copy on a machine you control. Common risk: downloading everything and never reviewing the key files.
  • Check logs and scheduled tasks. Best tool: cPanel. Why it fits: error/access logs and the Cron Jobs page show patterns quickly. Common risk: missing the cron reinfection source.
  • Fix WordPress users and database options. Best tool: WP-CLI. Why it fits: controlled WordPress-level changes. Common risk: running commands in the wrong folder, or loading a backdoored plugin into your session by omitting --skip-plugins.
  • Quarantine/move suspicious PHP and upload files. Best tool: SFTP. Why it fits: move or rename first, inspect later. Common risk: deleting evidence too early.
  • Reinstall plugins/themes/core. Best tool: WP-CLI, with SFTP for file placement. Why it fits: fast deactivate/delete and reinstall from official sources. Common risk: breaking custom functionality.
  • Confirm the site is clean. Best tool: all tools plus browser tests and a security scan. Why it fits: needs both file-level and runtime checks. Common risk: only checking one page.

What to do first in a WordPress malware incident (order matters)


The order you clean in can be the difference between a one-day recovery and a never-ending loop of reinfection.

When I’m working with clients, I use a simple plan: contain → identify entry point → remove persistence → restore → harden.

Step 1: Contain (stop reinfection)

As soon as you confirm malware, stop public access if you can. In practice, that means maintenance mode, temporary blocks, or pausing scheduled jobs.

Then check for reinfection triggers like cron jobs and suspicious admin accounts. Attackers often leave a “timer” that re-posts spam or reinserts code every few hours.

Step 2: Identify persistence (how the attacker comes back)

Most cleanups fail because the attacker’s persistence is still there. That persistence can be:

  • a cron job (system cron or a WP-Cron event) that runs a file from /wp-content/uploads
  • a modified plugin, or a must-use plugin in wp-content/mu-plugins that loads automatically, that re-creates the dropped files
  • a newly created WordPress admin user, often paired with a plugin-based web shell
  • unsafe permissions that let anyone upload PHP scripts and have the server execute them

Step 3: Remove the infected entry points

Now use the right tool for the right data.

  • SFTP: Quarantine suspicious files and folders. Rename first, then inspect.
  • cPanel: Remove cron jobs, check log spikes, and verify no weird file permissions changed.
  • WP-CLI: Remove suspicious users, disable compromised plugins, and reset dangerous options.

Step 4: Restore clean copies and verify

For WordPress core, reinstall from a trusted source. For plugins/themes, prefer re-installing the exact versions from official sources when possible.

Then verify more than your homepage. Check form submissions, product pages, and any pages the attacker used (like fake login pages or injected scripts).

Step 5: Harden so it doesn’t happen again

Hardening is where a cleanup becomes real security. If you only remove the visible infection, you’re restarting the clock.

If you want more hardening steps, this pairs well with our guide on WordPress hardening tips for small businesses and our case study collection in Hack Case Studies.

People also ask: SFTP vs cPanel vs WP-CLI during cleanup

Is WP-CLI enough to clean a malware-infected WordPress site?

No. WP-CLI is mainly for WordPress data and controlled actions. If attackers added PHP backdoors in files, you still need file cleanup using SFTP or cPanel file browsing.

In most real incidents, the best results come from combining tools: WP-CLI for users/options/plugins, and SFTP for the actual PHP and uploaded files.

Should I delete hacked files or quarantine them first?

Quarantine first. Rename or move the file out of the web root before deleting. This gives you a safety net if something breaks or if you later confirm the file wasn’t the real entry point.

I’ve seen situations where deleting “suspicious” files broke a custom theme, making the owner think the site was still hacked when it was actually just broken.

When does cPanel File Manager cause problems?

File Manager is fine for quick checks. It’s risky for heavy editing and large-scale changes because it can cause save/encoding issues and increases the chance of deleting the wrong file.

If you’re making lots of changes, SFTP + local editor gives you better control.

Can I rely on my host’s restore or backup after a hack?

You can, but only if you pick the right backup time. If the compromise happened before the snapshot, restoring it brings the malware back.

Also, confirm whether the host backup includes files outside WordPress, like cron scripts, or changes in system folders.

Checklist: what to inspect before you run a cleanup command

Before you run WP-CLI commands or start deleting files, do a quick checklist. This cuts mistakes down a lot.

  1. Confirm your WordPress path: Is WordPress in /public_html or a subfolder?
  2. Document admin users: Take a screenshot or list of administrators. You need a baseline.
  3. Record plugin and theme list: Use WP-CLI (or the WordPress dashboard if it’s still accessible) and write down what’s installed.
  4. Check cron: In cPanel, search cron entries for unknown scripts, weird names, or calls to PHP files in upload folders.
  5. Look for web shell patterns: Search files for common web shell code markers like base64_decode, gzinflate, and eval(.
  6. Check permissions: Look for world-writable directories and for PHP execution still allowed under wp-content/uploads; either one lets an attacker who can upload a file turn it into a running script.

When we provide malware removal services, this checklist is part of our first-hour triage. It’s simple, but it prevents a lot of “we fixed it but made it worse” outcomes.

Cost and time reality in 2026: how long each approach takes

Everyone wants a “quick fix.” The reality is that the right tool speeds up specific parts of cleanup.

Typical time ranges

  • cPanel checks: 30 minutes to 2 hours (logs + cron + quick file spot checks)
  • SFTP backup + quarantine: 1 to 4 hours depending on site size
  • WP-CLI cleanup: 30 minutes to 2 hours (users, plugins, options, core verification)
  • Verification and re-test: 1 to 3 hours (multiple page types and key flows)

Where costs come from (what owners don’t expect)

The expensive part isn’t “running commands.” It’s verifying the site is truly clean and finding persistence mechanisms that weren’t obvious at first.

That’s why we tell clients not to rush the final “go live” step. If Google or visitors still see redirects or spam, search engines may keep their distrust.

How to avoid reinfection after cleanup

Reinfection usually happens because the original weakness still exists. The malware code might be gone, but the door is still unlocked.

Do these hardening actions after your cleanup

  • Remove unknown admin users: WP-CLI makes this fast. Then reset every remaining admin password, rotate the salts in wp-config.php so stolen login cookies stop working, and change the database, SFTP and cPanel passwords the attacker may have read out of wp-config.php.
  • Disable unused plugins and themes: Attackers love old plugins with known vulnerabilities.
  • Patch core and plugins: In 2026, staying behind even one minor patch can create risk.
  • Turn on 2FA for every admin: If you only set it for one person, you’re still exposed.
  • Set up file integrity checks: This can be a plugin or an external service. The key is that you get alerts when files change unexpectedly.
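For the file-integrity item, the mechanism is simple enough to run yourself between scans. The block below is an added example for this article, not code from the page or from any plugin: it hashes every file once the site is clean, re-hashes later, and reports what was added, removed or modified. It assumes the manifest is stored outside the web root (an attacker who can edit your files can also edit a manifest kept beside them) and that high-churn paths such as the cache folder and uploads are excluded by a prefix list you tune; PHP under uploads still needs its own rule, which this check does not replace. The sample tree is constructed.

```python
"""Minimal file-integrity baseline for a WordPress tree.

Added example for this article, not code from the page or any plugin. Build a
manifest once the site is clean, keep it outside the web root, rebuild it later
and diff the two.
"""
import hashlib
import os
import tempfile

# Assumption: tune per site. uploads churns with normal use, so it is skipped
# here and must be covered by a separate "no PHP under uploads" rule.
EXCLUDE_PREFIXES = ("wp-content/cache/", "wp-content/uploads/")


def build_manifest(root):
    """Map each relative path under root to the SHA-256 of its contents."""
    manifest = {}
    root = os.path.abspath(root)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel.startswith(EXCLUDE_PREFIXES):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Added/removed/modified paths between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def _write(root, rel, body):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(body)


def example_run():
    """Constructed scenario: clean baseline, then an injected index.php, a
    dropped mu-plugin, and a cache file that must not raise noise."""
    root = tempfile.mkdtemp(prefix="wp-fim-")
    _write(root, "index.php", b"<?php require __DIR__ . '/wp-blog-header.php';")
    _write(root, "wp-content/themes/site/functions.php", b"<?php // theme")
    baseline = build_manifest(root)
    _write(root, "index.php", b"<?php @include '/tmp/.x'; require __DIR__ . '/wp-blog-header.php';")
    _write(root, "wp-content/mu-plugins/loader.php", b"<?php eval(base64_decode($_COOKIE['k']));")
    _write(root, "wp-content/cache/page.html", b"<html>cached</html>")
    return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in example_run().items():
        print(kind, paths)
```

In practice, dump build_manifest("public_html") to a JSON file on your own machine right after the cleanup and after every deliberate update, and alert on any "added" or "modified" path you did not cause; a new file under wp-content/mu-plugins is the one you should never explain away.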

If you’re rebuilding from a bad incident, you’ll also want to review our malware removal guide so you know what “done” looks like.

Which tool should small business owners use first?

If you’re not technical, you don’t need to guess. Start with the tool that matches your goal for the next 10 minutes.

  • If you need quick answers about activity and errors: use cPanel first.
  • If you need safe backups and controlled file moves: use SFTP.
  • If you need to fix WordPress users, plugins, themes, and options: use WP-CLI.

My strong opinion: the “best” cleanup tool is the one you can use correctly under stress. If WP-CLI feels scary, don’t improvise. Get help, or use the dashboard for read-only checks while you plan the WP-CLI steps with someone who knows it.

Conclusion: Use SFTP, cPanel, and WP-CLI together—then verify and harden

During a malware incident, SFTP vs. cPanel vs. WP-CLI for cleanup comes down to matching the tool to the job. Use cPanel to contain the blast radius and review logs/cron. Use SFTP to back up, quarantine, and move suspicious files safely. Use WP-CLI to clean WordPress-specific persistence like users, plugin states, and database options.

The win isn’t just removing the visible hack. The win is proving you removed the persistence and then hardening the site so the attacker can’t come right back.

If you want a second set of eyes, our team focuses on WordPress security, hack recovery guides, and practical hardening steps—so your cleanup turns into long-term protection.
