Get Qi Theme with 150 superbly designed WordPress demos

Get Qi Theme
Qi Theme
Sign up for our newsletter and be the first to get all the latest Qode news and updates.

How to Scan a WordPress Site for Malware

How to Scan a WordPress Site for Mallware

WordPress is the world’s most popular content management system (CMS) that powers millions of blogs, shops, or other types of websites. WordPress enables simple site creation, requiring little to no coding knowledge. However, it is just as easy for hackers to explore your site’s vulnerabilities and infect it with malware. The malware comes from a plethora of sources. It can be a part of your theme, plugins, and software, so be extremely careful where you’re downloading them. Malware can also be inserted via comments on your blog posts. Malware can contain fake forms for acquiring sensitive information, redirects to other sites a hacker wants to promote, and code injections that can alter your website or take over it. Furthermore, if the Google Search Console determines that your site’s content has been hacked or appears harmful to visitors, search results with your pages will have a warning label or page, deterring visitors from accessing your site.

To prevent this, you need to regularly scan WordPress for malware. In this article, we’ll show you our selection of reliable and credible plugins you can use to scan your WordPress site for malware. Namely, we’ll take a look at:

Scanning Your WordPress Site

Although you can scan the site manually, reviewing thousands of files can be daunting and time-consuming. This is where WordPress plugins and other third-party software can help you out. Some plugins are free, while others might require monthly fees. This depends on the number of features they offer, as well as the quality of scanning. Some WordPress plugins offer only scanning for the site or its specific parts, while others can also include malware removal and additional security features.

At the same time, WordPress malware scans and security plugins often require quite a lot of resources. That’s why you should choose your scanning plugin carefully, considering your website’s specific needs and possibilities. If you don’t plan to use the scanner continuously, consider deactivating it after the scan. We included four popular and feature-rich plugins into our selection.


Wordfence Security – Firewall & Malware Scan is the most popular WordPress scanning plugin. It scans your entire site for malware, injected code, bad URLs or backdoors by comparing the code to the repository. The plugin checks your posts, pages and comments for any suspicious entries. Wordfence will also warn you about any security vulnerabilities and suggest updates.

Apart from being a scanning plugin, its security features are exceptional. Wordfence blocks any malicious requests or traffic and has two-factor authentication and login attempt restriction, which can prevent brute force attacks. Premium features include a real-time firewall, country blocking, and scheduled scans blacklisting malicious IPs. The paid version also comes with a support service and regular checks whether your site has been blacklisted for having malicious content.

Install the plugin by navigating to Plugins > Add New.

Add new plugin

Then type in a keyword and click on the Install Now button once you’ve found the plugin.

Wordfence Security Firewall & Malware Scan

When the installation is complete, you can scan your site. To do that, you need to navigate to your WordPress dashboard, find the Wordfence menu and click on Scan.

Wordfence Scann

In the central part of your screen press the Start a new scan button. As the scan goes on you can see the progress and results as the padlock icons change to check marks and warning signs.

Start new scan

The results will be displayed in the same window where you ran the scan. And you can handle them as you see fit—edit or ignore them.

Results found


Sucuri is a globally recognized name in the website security industry. Most of their services are paid, but they offer a free plugin called Sucuri Security – Auditing, Malware Scanner, and Security Hardening.

The plugin scans the content of your site for malware, errors, outdated software, blacklists, and defacements. It also searches for malicious activities and checks your URLs and iframes. However, since it is a remote scan, it can’t inspect your server files completely. This means it may not catch phishing attempts, malicious usernames, and code injections invisible within a browser and backdoors.

To install the plugin, navigate to Plugins > Add New, type a keyword in the search box and click on Install Now.


Sucuri’s security features include activity auditing, monitoring for file integrity and blacklists, and security hardening. Their paid plans also come with malware removal and the Sucuri firewall. The firewall is highly effective in blocking backdoors, spam, DDOS attacks, preventing access and blacklisting malicious IPs.

Sucuri Dashboard
Sucuri Plugin Dashboard

To start a scan, simply go to the Sucuri SiteCheck site. Insert your website URL and press the Scan Website button.

Press the Scan Website button

Before the scan, Sucuri will remind you about the limitations of its free scanner.

Sucuri SiteCheck is a free website security scanner.

Remote scanners have limited access and results are not guaranteed. For a full scan, contact our team.

If you opt for Sucuri, we suggest combining this tool with a plugin that can scan the files on your server.

Qode WordPress Themes: Top Picks
Bridge WordPress Theme Banner

Creative Multi-Purpose WordPress Theme

Stockholm WordPress Theme

A Genuinely Multi-Concept Theme

Startit WordPress Theme

Fresh Startup Business Theme

Biagiott banneri

Beauty and Cosmetics Shop

iThemes Security

iThemes Security (formerly Better WP Security) is a very popular security plugin that can also serve as a scanner. The free version includes 30 levels of protection, including backups, safeguard against brute force attacks, one-click site check, malware scan, SSL, file change detection, etc. With the premium version, you get two-factor authentication, scheduled malware scans, user logging, user security checks, reCAPTCHA, and numerous other features.

Find the plugin by navigating to Plugins > Add new, typing the keywords and clicking on the Install Now button.

iThemes Security

While in the admin dashboard, go to Security and click on Settings. Scroll down and find the section Malware Scan. Select the Sucuri SiteCheck to open a scanner, or scan the homepage only by choosing the Scan Homepage for Malware option. For best results, pair this scanner with some other scanning plugin.

Security Settings
Malware Scan


Anti-Malware Security and Brute-Force Firewall is another WordPress scanning plugin that is very popular with users. It scans all your website files and folders for malicious code, backdrops, and injections. It marks suspicious code as potential threats, leaving it up to you to evaluate and remove them. This plugin requires regular definition updates, which continuously improve the scanning process.

It also offers a firewall that prevents plugin vulnerabilities from being exploited – for example, it blocks Slider Revolution vulnerability exploits. The paid version includes protection against brute force attacks, checking the integrity of your WordPress core files, automatic removal, and automatic updates.

To install this plugin, navigate to Plugins > Add New, type the keywords and click on the Install Now button.

Anti Malware

To scan, navigate to Anti-Malware > Scan Settings in the admin dashboard and click on the Run Complete Scan button. The scanning process can be monitored and the results will appear in a separate tab.

Scane Settings Anti Malware
Run complete scan

Additional Steps

Once you create the list of malicious files, there are a couple of things you need to do before cleaning up the malware. It is strongly recommended that you backup your WordPress website. Although this means you may be backing up an infected site, it will still serve as a precautionary measure in case of mishaps during the cleanup process. Additionally, we suggest changing all your WordPress passwords. In case of a security breach, changing passwords will deny further access to hackers.

After these preparatory steps, you can clean your site. This process can get quite complicated, so consider hiring professional help. You can hire a security expert or buy the premium version of a security plugin, with features such as malware removal. Additional benefits of premium security plugins are increased security measures.

Alternatively, you can also try removing the malicious code yourself.

Final Thoughts

Solid security is one of the most important considerations for your website – so invest in it wisely. If you scan WordPress for malware regularly using high-quality software, malicious code can be traced quickly. In this selection, we’ve covered the strengths and weaknesses of the most popular scanning plugins. Choose the right fit based on your site’s structure and needs. And choose carefully, because the best scanning plugin will give you much-needed peace of mind.

Post your comment