How To Scan Your WordPress Site For Malware

Updated on May 12, 2023

If your WordPress site is infected with malware, you may experience server crashes, data leaks, and even site suspension. Running regular scans is critical if you want to address any issues before they become severe. Most of us have had some experience with malware, whether it was by clicking a shady link in an email, visiting a compromised website, or downloading software that had a slew of nasty files sneakily bundled in.

The idea of malware infecting your computer and compromising your data is frightening enough, but what if your website has been attacked?

This can endanger all visitors, result in hefty malware removal bills, and force your site to go offline until the malware is safely removed.

And, while you may take every precaution to keep your site safe from infection, this does not guarantee that you will be safe - regular scans should be an important part of your site security process.

This post includes:

What is Malware?

After all, malware is an abbreviation for malicious software. However, in order to know how to approach the problem, we must first comprehend it. Malware is a catch-all term for viruses, trojans, worms, and other malicious computer software designed to harm a computer or network. Keyloggers, for example, are a type of malware that records a user's keystrokes. They steal passwords and other sensitive information that hackers can use to compromise accounts.

Other types of malware, such as viruses, may provide no benefit to the creator or sender; their goal may simply be to infect and destroy files, resulting in data loss and performance issues for the victim.

Malware comes in many different shapes and sizes.

How Does a Site Become Infected With Malware?

Sites can become infected in various ways, but luckily, two of the most common causes are also two of the simplest to resolve.

Outdated Plugins and Themes

Hackers look for vulnerabilities in themes and plugins and exploit them. When a vulnerability is discovered, the developers will work quickly to make a patched version available for download.

Updating your plugins resolves the vulnerabilities and replaces any old and potentially compromised files with fresh versions that have not been tampered with or changed. The WP Toolkit is a great way to keep your plugins and themes up to date with the latest patches and features.

Inadequate Security

Bad WordPress security can also put your site at risk. A brute-force attack could be successful if your password is weak.

This occurs when bots attempt thousands of common usernames and passwords to gain access to your site, which is why it is critical to always use a long password that includes a variety of letters, numbers, and characters.

Two-factor authentication, in addition to using a secure password, is a great way to add an extra layer of security to your WordPress login. This prevents hackers from accessing your site and inserting malware into your files.

It’s Important to Run Regular Scans

Malware isn't always easy to spot - just because your site appears to be functioning normally doesn't mean there isn't something unsavory going on in the background. If you want to be certain whether or not your site has been compromised by malware, you can manually inspect every WordPress file and folder for suspicious code or files. When it comes to site security, the defender takes no chances.

A malware scan will detect hidden threats such as trojans, worms, spyware, and viruses, as well as notify you if your site has been blacklisted or is redirecting to suspicious sites. Scans can be performed using a plugin or an online malware scanning tool. We'll go over some of the best options for scanning for and removing malware in the sections below.

Scanning for Malware with Defender

Defender is more than just a malware scanning tool.

It's the first line of defense against hacks and attacks, keeping your WordPress site safe and informing you of any suspicious activity. Defender provides free malware scanning, among other benefits. It identifies exactly what you need to do to ensure your site is completely secure and provides you with the ideal set of tools to keep your site secure.

How to Run a Scan

To begin a scan, go to the WordPress sidebar and select Defender's Malware Scanning option. To begin your first scan click New Scan.

The free version of Defender will compare your core files to the originals in the WordPress repository, looking for maliciously added files or code edits that indicate your existing files have been tampered with. Allow a few minutes for the scan to finish. When the scan is finished, Defender will notify you if there are any problems.

If it finds any additional files, it will notify you. Each unknown file will be listed individually. Defender will also notify you if any changes are made to your WordPress core files. It compares the original to the modified version.

If you are confident that Defender has flagged something harmless or that you manually added, you can choose to ignore it so that it is not brought to your attention after every scan. However, if you are certain that a flagged file should not be present, you can delete it with a single click.

If the problem is unknown code within one of your WordPress core files, Defender makes it simple to restore the file to its original version, removing any potentially dangerous code from your installation. You can restore or ignore it individually or in bulk.

Take it a Step Further with Defender Pro

The malware scan that Defender Pro undertakes should be sufficient for most sites, however if you want to be absolutely sure that your files are safe, or if you have reason to suspect that something still isn’t quite right, Defender Pro could be just what you need.

Defender Pro’s scan is even more powerful – it checks for current vulnerabilities in plugins and themes so that you can update them with patched versions, and also checks their files for suspicious code. It will list all issues and provide relevant code snippets for each one.

Online Scanning Tools

Defender's main goal is to protect your site from attacks by providing you with security tools. The ability to scan your files for malware is the cherry on top. You can, however, use an online scanner tool to perform a thorough check of your site's output.

Tools such as VirusTotal or Sucuri cannot scan your files like Defender does, as they do not have access. However, they can scan the HTML output of your site, which is something plugins are generally unable to do. You only need the URL of a website to run a scan, so you can even perform checks on websites you want to visit.

Most plugins will ignore malware hiding in the database and inject malicious code into your WordPress posts because they do not check the database. This is why combining a plugin like Defender, which checks the files within your WordPress installation, with an online tool like VirusTotal or Sucuri, which focuses solely on the site's output, is the safest option.

So You’ve Found Malware – What Next?

If your scan detects suspicious code or files and you are confident they should not be there, you must select a removal method.

Defender can replace infected files with fresh copies from the WordPress repository, effectively eradicating any malicious code contained within them. It can also help you delete suspicious files individually or in bulk. Before deleting any files, make a backup of your website.

If your issue is severe or rooted deep within the database, you might need the help of a specialist website recovery service. These services typically charge one-time fees and are focused on removing malware as quickly as possible in order to get you back online.

There are also numerous guides on the internet that show you how to manually remove malware. This may be a viable option if you are an experienced developer. However, anything that involves editing core WordPress files should be approached with caution, as you may end up doing more harm than good!


While malware scans should be part of your security routine, the best practice is to ensure your site has strong enough security in place to prevent attacks from succeeding in the first place.

Defender is the ultimate tool for keeping out intruders, and when combined with The Hub, which includes a powerful hosted WAF, hackers should be out of luck.

We hope you find this article useful. Discover more about FastCloud - the top-rated Hosting Solutions for personal and small business websites in four consecutive years by the HostAdvice Community!

WordPress Hosting

  • Free WordPress Installation
  • 24/7 WordPress Support
  • Free Domain Transfer
  • Hack-free Protection
  • Fast SSD Storage
  • Free WordPress Transfer
  • Free CloudFlare CDN
  • Immediate Activation
View More