Linux find Command: How to Find Files and Processes

The find command searches for files and directories based on criteria you specify: name, extension, size, modification date, permissions, ownership. Unlike ls , which shows you what is in a single directory, find searches recursively through an entire directory tree. On a server with thousands of files spread across dozens of directories, this is how you locate what you need.

This guide covers find syntax and practical examples for every common use case, including combining find with other commands like grep to search inside files.

Basic syntax#

find [path] [expression]

• path — where to start searching.  .  means the current directory.  /  means the entire filesystem.  /var/www  means start in that directory.
• expression — what to look for. This is a combination of tests (criteria) and actions (what to do with matches).

The simplest example:

find .

This lists every file and directory under the current directory, recursively. On a WordPress site, this could return tens of thousands of results. You almost always want to add criteria to narrow the search.

Finding files by name#

Exact name match

find /var/www/html -name "wp-config.php"

Searches for a file named exactly wp-config.php in /var/www/html and all its subdirectories. The -name test is case-sensitive.

Case-insensitive name match

find /var/www/html -iname "readme.md"

The -iname test ignores case. This matches README.md , readme.md , Readme.MD , and any other variation.

Wildcard patterns

find /var/www/html -name "*.log"

Finds all files ending in .log . The * wildcard matches any sequence of characters. Always quote the pattern to prevent the shell from expanding it before find sees it.

find /var/www/html -name "debug*"

Finds all files starting with debug .

find /var/www/html -name "*cache*"

Finds all files and directories with cache anywhere in the name.

Finding files by extension#

Finding files with a specific extension is just a name search with a wildcard:

find /var/www/html -name "*.php"

Finds all PHP files.

find /var/www/html -name "*.js"

Finds all JavaScript files.

To find files with multiple extensions, use -o (OR):

find /var/www/html -name "*.jpg" -o -name "*.png" -o -name "*.gif"

Finds all JPEG, PNG, and GIF images.

When combining -o with other tests, use parentheses (escaped for the shell):

find /var/www/html \( -name "*.jpg" -o -name "*.png" \) -type f

Finding files vs directories#

By default, find returns both files and directories. Use -type to limit results:

# Files only
find /var/www/html -name "*.php" -type f

# Directories only
find /var/www/html -name "cache" -type d

# Symbolic links only
find /var/www/html -type l

The common type values:

Finding files by size#

Files larger than a threshold

find /var/www/html -type f -size +10M

Finds files larger than 10 megabytes. The + means “greater than.”

Files smaller than a threshold

find /var/www/html -type f -size -1k

Finds files smaller than 1 kilobyte. The - means “less than.”

Files of a specific size

find /var/www/html -type f -size 0

Finds empty files (zero bytes). No + or - means exactly that size.

Size units

Finding the largest files

To find the 10 largest files in a directory:

find /var/www/html -type f -exec du -h {} + | sort -rh | head -10

This combines find with du (disk usage) and sort to list the biggest files first. Useful for tracking down what is consuming disk space.

Finding files by modification date#

Modified within the last N days

find /var/www/html -type f -mtime -7

Finds files modified within the last 7 days. The -mtime test uses days. The - means “less than N days ago.”

Modified more than N days ago

find /var/www/html -type f -mtime +30

Finds files not modified in the last 30 days. The + means “more than N days ago.”

Modified within the last N minutes

find /var/www/html -type f -mmin -60

Finds files modified within the last 60 minutes. Use -mmin instead of -mtime for minute-level precision.

Modified on a specific date range

find /var/www/html -type f -newermt "2026-01-01" ! -newermt "2026-02-01"

Finds files modified in January 2026. The -newermt test compares against a date string. The ! negates the second test (not newer than February 1st).

Find recently changed configuration files

find /etc -name "*.conf" -type f -mtime -1

Finds configuration files changed in the last 24 hours. Useful after troubleshooting to verify which files were modified.

Finding text inside files (find + grep)#

find locates files. grep searches inside them. Combining the two lets you search for text across an entire directory tree.

Search for a string in all PHP files

find /var/www/html -name "*.php" -type f -exec grep -l "eval(" {} +

Finds all PHP files containing eval( . The flags:

• -exec grep -l ... {} +  — runs  grep  on each matched file. The  -l  flag tells grep to print only filenames (not the matching lines).
• {}  is replaced with the matched filenames.
• +  passes multiple filenames to a single  grep  invocation (more efficient than  \; ).

Search and show matching lines

find /var/www/html -name "*.php" -type f -exec grep -Hn "wp_redirect" {} +

The -H flag prints the filename and -n prints line numbers with each match, so you can go directly to the relevant line.

Search for a string in all files

find /var/www/html -type f -exec grep -l "database_password" {} +

Without -name , this searches every file. On large directories, this can be slow. Narrowing by extension or path is faster.

A faster alternative: grep -r

For simple recursive text searches, grep -r is often simpler:

grep -r "eval(" /var/www/html --include="*.php"

This does the same thing as the find + grep combination above. Use find + grep when you need find ‘s more advanced filtering (by size, date, permissions, etc.). Use grep -r when you just need a quick text search.

Finding processes#

Processes are not files, so find is not the right tool for locating them. Linux provides dedicated tools for that.

Find a process by name

ps aux | grep nginx

Lists all running processes and filters for those matching “nginx.” The output shows the PID (process ID), CPU usage, memory usage, and the command.

To exclude the grep command itself from the results:

ps aux | grep "[n]ginx"

The bracket trick prevents grep from matching its own process.

Find a process ID (PID)

pgrep nginx

Returns only the PIDs of matching processes, one per line. Cleaner than ps aux | grep .

pgrep -a nginx

The -a flag shows the full command line alongside each PID.

Find what is using a specific port

sudo ss -tlnp | grep :80

Shows which process is listening on port 80. The flags: -t (TCP), -l (listening), -n (numeric ports), -p (show process).

sudo lsof -i :3306

Shows what is using port 3306 (MySQL). lsof lists open files and network connections.

Find and kill a process

Once you have the PID:

kill 12345

Sends a SIGTERM signal, asking the process to shut down gracefully.

If it does not respond:

kill -9 12345

Sends SIGKILL, which forces immediate termination. Use this as a last resort because the process cannot clean up.

Kill a process by name

pkill php-fpm

Kills all processes matching “php-fpm.” Be careful — this matches partial names, so pkill php would kill any process with “php” in the name.

To see what would be killed before actually doing it:

pgrep -a php-fpm

Review the list, then run pkill if it matches what you expect.

Kill a process using a specific port

sudo fuser -k 8080/tcp

Kills whatever process is listening on TCP port 8080.

Checking disk usage with find#

Find large files consuming disk space

find / -type f -size +100M 2>/dev/null

Finds all files over 100 MB on the entire system. The 2>/dev/null suppresses permission-denied errors for directories you cannot read.

Find large log files

find /var/log -type f -size +50M

Log files are the most common cause of unexpected disk usage. Old, unrotated logs can grow to gigabytes.

Summarize disk usage by directory

While find can help locate large files, du is often more practical for understanding disk usage:

du -sh /var/www/html/wp-content/uploads/*/ | sort -rh | head -10

Shows the 10 largest subdirectories in the uploads folder.

Find and delete old files

find /var/log -name "*.log.gz" -type f -mtime +90 -delete

Deletes compressed log files older than 90 days. The -delete action removes each matched file. Always run the command without -delete first to verify what will be deleted:

find /var/log -name "*.log.gz" -type f -mtime +90

Finding the hostname#

The hostname is not something you search for with find . Use these commands:

hostname

Prints the system hostname.

hostname -f

Prints the fully qualified domain name (FQDN), like server1.hostney.com .

hostnamectl

Shows detailed hostname information including the static hostname, kernel version, and operating system. Available on systems running systemd.

The hostname is stored in /etc/hostname :

cat /etc/hostname

Checking the Ubuntu version#

Another task that does not involve find but is commonly searched for:

lsb_release -a

Shows the distribution name, version number, and codename. Works on Ubuntu and Debian.

cat /etc/os-release

Works on any modern Linux distribution. Shows the distribution name, version, and other details.

uname -r

Shows the kernel version. This is different from the distribution version. A server running Ubuntu 22.04 might have kernel version 5.15 or 6.5 depending on what has been installed.

Useful find combinations#

Find recently modified PHP files (possible hack detection)

find /var/www/html -name "*.php" -type f -mtime -1

If you did not modify any PHP files in the last 24 hours but this returns results, investigate. Unexpected changes to PHP files can indicate a compromised site.

Find files with specific permissions

find /var/www/html -type f -perm 777

Finds files that are world-writable. Files should not be 777 on a web server. Directories should be 755 and files should be 644 in most cases.

Find files owned by a specific user

find /var/www/html -user www-data -type f

Finds all files owned by the www-data user (the default web server user on Ubuntu/Debian).

Find and change permissions

find /var/www/html -type d -exec chmod 755 {} +
find /var/www/html -type f -exec chmod 644 {} +

Sets all directories to 755 and all files to 644. This is the standard permission set for a web server document root.

Find empty directories

find /var/www/html -type d -empty

Finds directories with no files or subdirectories in them.

Find broken symbolic links

find /var/www/html -xtype l

The -xtype l test matches symbolic links that point to a target that does not exist.

Limiting search depth#

Search only the current directory (no recursion)

find /var/www/html -maxdepth 1 -name "*.php"

The -maxdepth 1 flag limits the search to the specified directory only, without descending into subdirectories.

Search one level deep

find /var/www/html -maxdepth 2 -name "*.conf"

Searches the specified directory and its immediate subdirectories, but no deeper.

Skip the starting directory itself

find /var/www/html -mindepth 1 -maxdepth 1 -type d

Lists only subdirectories of /var/www/html , without including /var/www/html itself in the output. The -mindepth 1 flag excludes the starting point.

exec vs xargs#

Both run commands on find results, but they work differently.

-exec with ;

find . -name "*.log" -exec rm {} \;

Runs rm once for each matched file. If find matches 1000 files, rm is invoked 1000 times. This is simple but slow.

-exec with +

find . -name "*.log" -exec rm {} +

Passes as many filenames as possible to a single rm invocation. Much faster for large result sets.

Piping to xargs

find . -name "*.log" | xargs rm

Similar to -exec ... + , but uses a pipe. The issue with this approach is that filenames containing spaces or special characters break it. The safe version:

find . -name "*.log" -print0 | xargs -0 rm

The -print0 flag separates filenames with null bytes instead of newlines. The -0 flag tells xargs to expect null-byte separation. This handles any filename safely.

Which to use: -exec ... + is simpler and handles filenames safely by default. Use xargs when you need its additional features, like running commands in parallel with -P .

Common flag reference#

find on Hostney#

On Hostney, find is available via SSH in your account container. You can use it to search for files, locate large uploads, find recently modified files, or clean up old cache and log files.

Connect via SSH using the credentials from the Terminal Access section in the control panel. The find command works within your account directory. For transferring files you locate, use SFTP or SCP. For running commands remotely without an interactive session, see How to run commands over SSH.