How To Scan Your WordPress Website For Hidden Malware

As the most popular content management system online, WordPress websites are a common target for hackers, spammers, and other malicious parties. That is why it is vital to take measures to make your website more secure.

The goal of most hackers is to infect your website with malware. Common malware threats include:

  • Pharma Hacks – Injects spam into your website database or files
  • Backdoors – Allows hackers to gain access to your website at any time using FTP or your WordPress admin area
  • Drive-by Downloads – A hacker uses a script to download a file to the user's computer, either without their knowledge or by misleading the visitor into believing the software does something useful
  • File and Database Injections – Inserts code into your files or database that lets the hackers do a number of different things
  • Malicious Redirects – Redirects visitors to a page controlled by the hacker that misleads them into downloading an infected file
  • Phishing – Used to acquire usernames, passwords, email addresses, and other sensitive information

When most people think about a website being hacked, they picture the hacker defacing the website and leaving a message for visitors, e.g. "Your Website has Been Hacked by ABCXYZ!".

In reality, defacements are not that common. The majority of hackers do not want you to know that they have tampered with your website, as the first thing a website owner will do when they know that their website has been compromised is remove the malicious files in question.

Hackers who infect your website with malware are more discreet. The longer you are unaware of your website being infected, the longer they can use your website to send spam emails and infect your visitors. Even a secure WordPress website can be hacked without the owner knowing. It is therefore important that you scan your website regularly to detect any hidden malware.

In this article, I would like to show you services and plugin solutions that will help you detect malware on your WordPress website.

Sucuri Malware Scanning

Sucuri have a great reputation as an effective security and malware scanning solution. Their Sucuri SiteCheck scanner will scan your website for common issues free of charge.

The scanner will scan your website for malware, defacements, and spam injections. It will also detect whether your website server has been blacklisted (which can happen if a hacker has been using your server to send spam). The main limitation of the scanner is that you have to run each scan manually.

Upgrading to their $89.99 yearly premium plan will give you automatic alerts via email and Twitter about any malware issues. This plan will also remove your malware for you and remove your website from any blacklists.

Sucuri also offer a WordPress plugin entitled Sucuri Security. In addition to scanning your website for malware, the plugin offers a firewall to make your website more secure, hardening options that address common WordPress security holes, and a “last logins” section that highlights exactly who has logged into your website.

The plugin also has some useful features for recovering your website after an attack, such as updating the WordPress salt keys and resetting user passwords.


CodeGuard

CodeGuard is a backup service that provides automated backups and restores at the click of a button. The service also monitors your website for changes every day and alerts you if it detects any malware.

Plans start from only $5 per month to back up and monitor one website. One of its main rivals in the backup niche is VaultPress; however, VaultPress only offer daily scanning with their $40 per month plan. If you are looking for an all-in-one monitoring and backup solution, CodeGuard is a great choice.


Theme Authenticity Checker

Theme Authenticity Checker will scan every theme installed on your website for malicious code. It can find things such as footer links and Base64 code injections.

Footer links will not stop a WordPress theme from passing their test. However, the plugin will give you details of any links that are hard-coded into the template. These will usually be harmless, but it is worth checking them nevertheless in case a bad link slips through.
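
The two checks described above (encoded code injections and hard-coded links) can be reproduced offline against a copy of a theme. The Python script below is an added example, not Theme Authenticity Checker's own code: the patterns are heuristic assumptions, and the two-file sample theme is constructed purely to exercise the scanner.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions for this example, not the plugin's rule set).
SUSPICIOUS = {
    "base64_decode call": re.compile(r"\bbase64_decode\s*\(", re.I),
    "eval call": re.compile(r"\beval\s*\(", re.I),
    "long base64-like string": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
}
# Hard-coded absolute links in template markup; reported for manual review.
LINK = re.compile(r"<a\b[^>]*\bhref\s*=\s*['\"](https?://[^'\"]+)['\"]", re.I)


def scan_theme(theme_dir):
    """Return (findings, links): findings are (file, line_no, label) tuples,
    links are (file, line_no, url) tuples for static external links."""
    findings, links = [], []
    for path in sorted(Path(theme_dir).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(theme_dir).as_posix()
        for no, line in enumerate(text.splitlines(), 1):
            for label, rx in SUSPICIOUS.items():
                if rx.search(line):
                    findings.append((rel, no, label))
            for url in LINK.findall(line):
                links.append((rel, no, url))
    return findings, links


def build_sample_theme(root):
    """Write a constructed two-file theme used only to exercise the scanner."""
    root = Path(root)
    (root / "index.php").write_text("<?php get_header(); ?>\n<?php get_footer(); ?>\n")
    (root / "footer.php").write_text(
        "<footer>\n"
        '<a href="https://example.com/theme-author">Theme by Example</a>\n'
        "<?php eval(base64_decode($blob)); ?>\n"
        "</footer>\n"
    )
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        findings, links = scan_theme(build_sample_theme(tmp))
        for item in findings + links:
            print(item)
```

A hit is a prompt for manual review rather than proof of infection, since legitimate themes occasionally call base64_decode; the link list mirrors the plugin's behaviour of reporting static links without failing the theme.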

WP Antivirus Site Protection

WP Antivirus Site Protection is a security plugin from SiteGuarding that can scan your website for backdoors, rootkits, trojan horses, worms, fraudtools, adware, and spyware. In addition to scanning theme files, the plugin will scan plugin files and media that has been uploaded to your website.

Their free plan will scan your website every week. Upgrading to their $4.95 per month basic plan offers daily monitoring, while their standard plan at $9.95 per month offers website antivirus and malware removal.


AntiVirus

AntiVirus is a free WordPress plugin that can scan your website theme files every day for malicious code and spam. It features a virus alert option in the WordPress admin bar. It can also notify you of any malware detections by email.

The main limitation of the plugin is that it will only scan your current WordPress theme. Your other installed themes will not be scanned. This is not a major issue if you remove inactive themes from your website (which is advisable as old themes that have not been updated can create a security risk).



Anti-Malware

Anti-Malware will scan your website for malware and automatically remove any known threats. The plugin can also harden your wp-login.php page to stop brute force attacks.


Quttera Web Malware Scanner

Quttera Web Malware Scanner will scan your website for known threats such as backdoors, code injections, malicious iframes, hidden eval code, and more. The report will show you a list of suspicious files and advise whether your website has been blacklisted by ISPs.


Wemahu

Wemahu is a new WordPress plugin that can detect malicious code on your website. It can perform scans on your website on a regular basis and then email you a report.


Wordfence Security

Wordfence Security is one of the most popular security plugins available for WordPress. The plugin can scan your website core files, theme files, and plugin files against known threats.

It also provides a log of changes to your website and offers many options for hardening your website and making it more secure.

WP Changes Tracker & WP Security Audit Log

WP Changes Tracker is not a malware checker. What it does is highlight the changes that have been made to the WordPress database, plugin files, and theme files.

If you are hacked, this information may help you see what exactly was changed and how someone compromised your website. The plugin is also useful for tracking changes that have been made by staff.

A great alternative to WP Changes Tracker is WP Security Audit Log. The plugin will keep a log of every single change on your website. Security alerts can be sent to you for a number of reasons, including failed login attempts, changes to file templates, and plugin installation.

Other plugins to consider using for malware scanning are:

I encourage you all to scan your website regularly to help detect malicious files and changes. It is in your best interests to detect any successful hack attempts as soon as possible to minimize the damage from an attack.

If you know of any other good malware scanners and malware detection plugins, please share them in the comment area below.

Article thumbnail by benchart /
