How To Scan Your WordPress Site For Malware And Threats

Last Updated on: May 7, 2016 Ragnar 36 Comments

These days, with online crime starting to overtake crime in real life, it’s important to learn how to protect yourself and your website, especially if your income relies on it.

Anyone with a website is a potential target, but anyone with a completely unchanged, standard version of WordPress (with the username admin and a generic password) has a big red bullseye plastered on their back, waiting for some lowlife to gain access and wreak havoc.

Why You Need To Scan Your Site

While it might seem like the first step to a safe website is to improve security so that no one gets the opportunity to break in in the first place (we’ve already covered how you can easily improve your security by using a single plugin), your site could already have been hacked.

A person with bad intentions could already have access to your site; there could even be malware hiding among your files as we speak. It’s possible that you are completely in the dark because you didn’t have the measures in place to alert you that something happened.

When people think of websites getting hacked, most likely they’ll get an image of a typical defacing in their heads. Defacing is when a hacker replaces what was originally shown on the website with something else, usually a self-serving braggadocious flyer promoting their hacker pseudonyms.

But a lot of the time, when hackers get access to a website, they choose to lie in wait for a while and then discreetly start planting malware or other malicious scripts on the site. Bragging about gaining access is not their main intent; their intent is much worse than that.

They could be:

  • Phishing for usernames, passwords, emails or other stuff you’d rather stay private.
  • Making visitors download malware/trojans/viruses by injecting scripts on your website.
  • Inserting code to do different things, for example to set up a backdoor, monitor user activity, or steal information entered into forms.
  • Redirecting your visitors to a site with malware.

One reason it’s important to do a proper check instead of just visiting your own website is that the hacker could know your IP address (or perhaps use the cookies for logging into the admin area) and have implemented code that shows only you the normal site as it should be. That leads you to think your site is okay, while in reality it could be ruining your reputation by serving malware to visitors. (This can also lead to your site being de-indexed by Google and added to the list of sites that Google Chrome warns users about visiting.)

So all this means that if you’re starting to implement WordPress security measures, it’s just as important to check and make sure that there’s no malware or other threats on your website already.

Scan Your WordPress Site For Malware & Threats

Below we go through a few different ways to find malware or other threats on a WordPress site.

Method 1: Use A ‘Site Checker’

These days, you can quickly and easily check for malware by using any of a number of free services.

But you need to keep in mind that these services only check whether your homepage, or other visible pages, include malicious scripts or try to make visitors download malware.

Services to use:

  • Sucuri sitecheck
  • Virustotal
  • Quttera

These services are all easy to use. Simply type in your URL, click the Scan button, and presumably the service does all the work for you; when it tells you you’re clean, you don’t have to worry anymore.

The problem with these services is that if the malware is on a hidden page (something you’re not able to reach through links and that is unlisted in the page index, for example the WordPress dashboard), they won’t be able to find it.

As Sucuri themselves put it: “Sucuri SiteCheck is a free & remote scanner. Although we do our best to provide the best results, 100% accuracy is not realistic, and not guaranteed.”

At the end of the day, a site checker like the ones mentioned above can be a good way to do an initial check if you suspect foul play on your site, but if you’re trying to clean your site in the aftermath of being hacked, leaving it at that is not a very good idea.

Method 2: Use A Scanning Plugin

There are specific plugins that focus on this capability, but some WordPress security plugins, Wordfence for example, offer scanning capabilities as well. Typically these plugins look for known malicious code, but some also go the extra distance and compare the files of core WordPress, as well as themes and plugins, to the sources. Then, if they find any inconsistency, they provide a coherent list.

By default, Wordfence’s settings compare core WordPress files against repository versions for changes, and there is an option to do the same for plugin and theme files. (This is highly recommended if you suspect your site might have been breached, and you either haven’t changed theme/plugin files, or are 100% aware of what changes you have made.)

There’s also the option to scan outside of your WordPress installation, which is a good idea if your WordPress site is mostly what should be on your domain in the first place.

You can find the options for scanning under Scans to include in the Wordfence options. For your first scan, I’d recommend that your options look like this:

[Screenshot: Wordfence scan settings]

Depending on the volume of images on your site you might not want to scan image files as if they were executable.

A thing to note when you’re scanning theme and plugin files is that they might include logs or other files that will naturally change compared to the original files when you use the plugin. Plus, if you or your developer have made any changes to your theme’s core files, that will show up as a warning as well. So don’t panic if your scan is showing warnings like the ones in the picture below.

[Screenshot: Wordfence new issues]

Take a closer look if you can’t remember changing that particular file, or if it doesn’t seem like the file would need to change with use.

Using Wordfence’s scanner is a good way to check if you have any malware or threats anywhere on your site. In fact, it’s the plugin I used to make sure that I’d completely cleaned up my site after an attack on one of my WordPress sites a few months ago.

Another great thing is that it also gives you the option to sort out the files in question from within the WordPress dashboard, without having to bother with FTP or a file manager.

It seems like the only plugin that searches through all files, rather than a surface level malware search done using one of the web based scanners above.

Other scanning plugins you could use:

  • Theme Authenticity Checker: A plugin that checks any theme that you’ve installed for malicious code and, among other things, unwanted encrypted links in the footer or elsewhere.

Method 3: Do It Manually

The main technique for manually looking for malware in WordPress files is simply looking for inconsistencies in code and file size between your WordPress core and theme/plugin files and the repository files. A simple (but time-consuming) way to check for malware is to download new copies of the core, your themes and plugins, and then compare size and code file by file.

If you keep the images you upload to your blog in a folder on your computer or on a cloud service like Dropbox, you can also check to see that the image sizes remain consistent.

Although if you don’t do any image optimization pre-upload, the file sizes might have been changed in the process of uploading. The same goes if you use image optimization plugins. In that case most image sizes will differ from the original versions whether there’s malware or not, so there’d be no way to differentiate.

The problem with this method is obviously how time consuming it is. For larger sites with decades of backlogs of visual content it’s just completely unrealistic to include images if you want to do it manually.

If you’re familiar with how to use one, you could use a scraper to collect most of the data and then compare it using a spreadsheet or other software.

As for removal, just delete and replace the files in question.

Use A Plugin Or Service To Monitor Changes To Code or Files

To prevent anyone from sneaking in malicious code or malware, you can use a plugin or service to monitor changes to your code and files.

Sucuri not only takes note of these changes when done through WordPress, but immediately sends you an email whenever a file is changed, (along with whenever there’s been a failed, or of particular interest, successful login attempt). This allows you to react very quickly to any malicious changes to your website.

Then there are services like Code Guard. These monitor any and all changes to files, including the addition of new files, and send you regular, easy-to-digest reports. All you need to do is take a quick look, and if you see changes that you (or your staff) are not responsible for, then take a closer look at those files.
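The file-by-file comparison from Method 3 and the change monitoring described in this section come down to the same check, sketched here as an added example (it is not code from the original article or from Wordfence, Sucuri or Code Guard). It compares SHA-256 hashes rather than file sizes, because an edit can leave the size unchanged; the skip list and the sample files in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: folders whose contents legitimately differ from a fresh download.
DEFAULT_SKIP = ("wp-content/uploads", "wp-content/cache")


def hash_tree(root, skip=DEFAULT_SKIP):
    """Return {relative_path: sha256_hex} for every file under root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel == s or rel.startswith(s + "/") for s in skip):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(reference, live):
    """Classify differences between a trusted manifest and the live site.

    reference: hashes of a fresh download (Method 3) or a saved baseline
    (monitoring). live: hashes of the files currently on the server.
    """
    return {
        "modified": sorted(p for p in reference
                           if p in live and reference[p] != live[p]),
        "added": sorted(p for p in live if p not in reference),
        "missing": sorted(p for p in reference if p not in live),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build two small constructed trees and return their diff."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "reference")
        live = os.path.join(tmp, "live")
        clean = {
            "wp-login.php": b"<?php // login\n",
            "wp-includes/version.php": b"<?php // version\n",
            "wp-content/themes/demo/footer.php": b"<?php // footer\n",
        }
        for rel, data in clean.items():
            _write(ref, rel, data)
            _write(live, rel, data)
        # Same length as the original, so a size comparison would miss it.
        _write(live, "wp-login.php", b"<?php // logim\n")
        # A file that does not exist in the fresh copy at all.
        _write(live, "wp-includes/class-wp-tmp.php", b"<?php // extra\n")
        os.remove(os.path.join(live, "wp-content/themes/demo/footer.php"))
        # Uploaded media is skipped: it never matches a fresh download.
        _write(live, "wp-content/uploads/2016/05/photo.jpg", b"image bytes")
        return diff_manifests(hash_tree(ref), hash_tree(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind:9} {path}")
```

For monitoring, save the output of `hash_tree()` while the site is known to be clean and diff later runs against it; for Method 3, point it at a freshly downloaded copy of the same WordPress, theme and plugin versions.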

Conclusion

Scanning for malware and threats is a vital part of maintaining a secure and thriving website, and it’s absolutely necessary if your site’s security measures have been lax in the past. The good news is just how simple it can be.

We hope this tutorial helped you learn how to scan your WordPress site for malware and threats. While we are on the topic of WordPress security, you should check out our article WordPress Security 101.

Have you ever had a security breach on a WordPress site, or even discovered malware and other threats? How did you find them? Let us know in a comment below.


Ragnar

Ragnar is a passionate WordPress user and freelance writer for hire. When he's not writing or tinkering with WordPress, he's probably trying to learn a new language, or struggling to improve himself.

36 Comments Leave a Reply
  1. ovizii says

    February 13, 2013 at 7:21 am

    you missed WordFence 🙂

    Reply
    • Devesh says

      February 18, 2013 at 5:21 am

      ah.. seems like a great solution. Thanks for sharing, ovizii.

      Reply
  2. Showrav says

    February 13, 2013 at 12:37 pm

    Wow, this is great. I have a web site too. So I can surely try this. I was not concerned about it. This is nice news for me.
    Thanks for sharing.

    Reply
    • Devesh says

      February 18, 2013 at 5:21 am

      That’s great to hear, Showrav. Thanks for stopping by.

      Reply
  3. Fabrizio says

    February 14, 2013 at 9:44 am

    Nice post!
    Just a few days ago I had an attack due to malware and fortunately I was able to restore everything. Sucuri I was really help me.

    Reply
    • Devesh says

      February 18, 2013 at 6:18 am

      Glad you liked the post, Fabrizio. Thanks for stopping by.

      Reply
  4. Chery Schmidt says

    February 14, 2013 at 9:13 pm

    WOW I had no idea I should put an anti virus on my wordpress. Is there a way to see if there is already something set up for this? Also Do I just pick one I see that you have listed several here today Devesh? I did download the first one you mentioned above the wordpress anti virus, I Figured since this was the first one you talked about that it must be the best AM I correct to assume this? Thanks for sharing Chery 🙂

    Reply
    • Devesh says

      February 18, 2013 at 6:36 am

      Hi Chery,

      So glad to see you here, thanks so much for coming over and leaving a nice comment. All these are great plugins & services. The first one is fantastic and has a ton of features, so it’s good to know that you’re using the Antivirus plugin.

      I would also advise you to check out other tools such as Sucuri & Exploit Scanner.

      Have a great week ahead, Chery.

      Reply
  5. Rosemary says

    February 16, 2013 at 1:39 pm

    I’ve always suspected there could be more going on with themes. I only wish these could work for blogger. Do u have any ideas?

    Reply
    • Devesh says

      February 18, 2013 at 6:39 am

      Yes, there’s a tool that suspects for malware in themes. It’s called ‘Theme Authenticity Checker’ and I did include that in the post.

      I’ve no idea about blogger. Haven’t used since 2009.

      Thanks for stopping by, Rosemary.

      Reply
  6. Marquita Herald says

    February 16, 2013 at 2:22 pm

    Great information. This is one of those areas that is so easily overlooked, and yet it can bring us to a complete standstill – I know because my blog got hit last year. Thankfully I didn’t lose any valuable content, but it took me nearly 2 weeks to get everything completely back to “normal.” Now I’m probably overly protected, but at least I have peace of mind – well as much as you can have on the Internet these days 🙂

    Reply
    • Devesh says

      February 18, 2013 at 6:45 am

      Hi Marquita,

      So sorry to hear about that, Herald. I can only imagine what nightmare it may have caused to you & your blog.

      yes – it’s much better to have overly protected blog, than waking up one day & knowing that your site has been hacked or infected.

      Thanks so much for coming over here and sharing your insights.

      Reply
  7. Dena-Lynn says

    February 16, 2013 at 4:44 pm

    Hi Davesh, I’d never considered that my blog would be exposed to malware – I’m glad that you brought it to my attention. Yes – I definitely want to save time and protect it before it’s too late. I appreciate all of the resources that you shared!

    Dena Lynn

    Reply
    • Devesh says

      February 18, 2013 at 6:47 am

      Hi Dena,

      Glad you liked the resources and It’s good to know that you’re taking action before it’s too late.

      Thanks for the nice comment, Dena. Have a great week ahead.

      Reply
  8. John Fishet says

    February 16, 2013 at 6:16 pm

    What about VaultPress?

    Reply
    • Devesh says

      February 24, 2013 at 6:51 pm

      I am not a big fan of VaultPress and never tested their service.

      Reply
  9. nick catricala says

    February 17, 2013 at 5:23 pm

    Hey Devesh,
    WowWow, this is a great source for what is so important to keep the WP blog clean…. we can surely take a closer look to all your sources. It is not easy to find what you want and be safe to get it, but coming from you, it feels ok and for certain give a shot soon.
    Thanks again for sharing.
    nickc

    Reply
    • Devesh says

      February 24, 2013 at 6:50 pm

      Hi Nick,

      So glad to hear that, thanks for the nice comment.

      Reply
  10. David Merrill 101 says

    February 17, 2013 at 9:25 pm

    Nice tips here, Davesh.

    I’m one of those people who rarely thinks about security, but I know I’m playing with fire.

    My excuse is that I’m not “techie”, I suppose, but with plugins like these, all the tech headaches seem to dissolve.

    Just one other thing I’m always leery about though, and that is how much of an overload on my blog it is to upload too many plugins, or which ones are less taxing on my blog than others.

    Reply
    • Devesh says

      February 24, 2013 at 6:48 pm

      Hi David,

      Glad you liked the tips. I don’t think tech headaches can be dissolved easily, the best way to keep your blog secure is by taking a full backup every week. I have been doing this for last 12 months and it’s the only way to make sure you are on the safe side.

      None of these plugins are going to have any big impact on your WordPress site.

      Thanks for stopping by, David.

      Reply
  11. John Hartley says

    February 18, 2013 at 3:16 pm

    The podcast from the Securi guys is actually the “DradCast”…sorry to be that guy. DreadCast just makes it sound dark, which if they’re talking about viruses may be fitting 🙂

    Reply
    • Devesh says

      February 24, 2013 at 6:31 pm

      Haha DreadCast ;).

      Thanks for pointing that out, John. Much appreciated.

      Reply
  12. Patricia Gozlan says

    February 19, 2013 at 10:26 am

    Hi Davesh,
    Thank you for enlightening us on how to protect our site, I will give the link of this article to my wemaster. Thanks again for showing us the way to do it and the names of the plug ins!

    Reply
    • Devesh says

      February 24, 2013 at 6:12 pm

      Hi Patricia,

      That’s awesome to hear, can’t wait to read your wemaster post. Thanks for stopping by and leaving a nice comment.

      Reply
  13. Sadie-Michaela Harris says

    February 23, 2013 at 9:16 am

    Wow … I thought I was a real WordPress Geek and I have not heard or used any of these plugins that you have mentioned here. Fabulous share I salute you and I will be back here again. I found your site via the Biz Blogging community and I’m delighted I did. Have a great weekend and thanks again for this sharing, I appreciate it 🙂

    Reply
    • Devesh says

      February 24, 2013 at 9:23 am

      Hi Sadie,

      Thanks so much for coming over here and leaving a nice comment. I am so happy that I finally started engaging in communities like B3 ;).

      Have a great week ahead.

      Reply
  14. Scott Gallant says

    February 27, 2013 at 2:53 pm

    Great article! We’re just about to release our automated security scanning tools at wpstatus, if anyone is interested, I’d love to get your thoughts on it. We do daily scans of WP sites and if malware is detected you get notified instantly.

    Reply
  15. Yorinda says

    March 3, 2013 at 8:12 pm

    Hi Devesh,
    thank you so much for sharing these great ways of checking our blogs.
    It is always good to have a recommendation on what to use.
    I appreciate your overview of the tools you mention.
    Cheers,
    Yorinda

    Reply
  16. Pradeep says

    March 16, 2013 at 3:35 pm

    Thanks Devesh,
    I will try the above mentioned steps on my site.
    I have read some places there are few sites hacked and hard to backup.
    This is great information, I will be keep visiting to your site for more good information.

    Thanks
    Pradeep

    Reply
  17. Jagadish says

    June 30, 2013 at 1:43 am

    Due to this blog I am safe and I want to give thanks to the writer of this post 🙂 You have a great blog …

    Reply
    • Devesh says

      July 1, 2013 at 11:21 am

      Glad to hear that, Jagadish :). Thanks for the nice words, much appreciated.

      Reply
  18. Jason says

    May 3, 2014 at 4:54 am

    Well, I would say Wordfence and Centrora Security are missed here, both have virus scanning function

    Wordfence
    http://wordpress.org/plugins/ose-firewall/

    Centrora Security
    http://wordpress.org/plugins/ose-firewall/

    Cheers!

    Reply
  19. Staphan says

    April 21, 2015 at 5:38 pm

    My favorite security plugin: Checksum Verifier / http://wordpress.org/plugins/checksum-verifier/

    Reply
  20. Amit Kumar says

    April 23, 2015 at 12:00 pm

    Since I am a new WordPress user, I want to know and grab more and more information related to WordPress plugins and applications. Malware and Threats are quite dangerous for all WordPress sites and I am facing it too on my blog.

    Thanks to you, i got the several ideas for Scanning my WordPress Site For Malware And Threats. thanks again. Keep helping us.

    Reply
  21. Don Silvernail says

    June 5, 2015 at 12:23 pm

    April and May of 2015 saw a vulnerability caused by a wrong use of code outlined in the WordPress codex. I immediately implemented all the techniques outlined here. Out of 40+ sites I handle only one got hacked, and it was my own! True story

    Reply
  22. chunghic says

    September 19, 2015 at 12:45 pm

    I’m having this problem, I like your article

    Reply

Full Disclosure This post may contain affiliate links, meaning that if you click on one of the links and purchase an item, we may receive a commission (at no additional cost to you). All opinions are our own and we do not accept payments for positive reviews.
