
How to Scan Your WordPress Site for Potentially Malicious Code


Readers often ask us whether there is a way to scan a WordPress site for potentially malicious code. The answer is yes. There are both free and paid tools that will scan your WordPress files and database for malicious or unwanted code, and it is good practice to run such a scan regularly rather than only after something looks wrong. Keep in mind what a scanner can and cannot tell you: it finds what it has patterns for, so a clean result lowers the odds that you are compromised but does not prove it. In this article, we will show you a few ways to scan your WordPress site for potentially malicious code.


Theme Authenticity Checker (TAC)

Theme Authenticity Checker (TAC) is a free plugin that scans all of your installed WordPress theme files for potentially malicious or unwanted code, such as obfuscated PHP and links that do not belong to the theme.


Hackers often target theme files, especially free themes downloaded from untrusted sources, to inject hidden links or base64-encoded code that pulls them in, so this plugin is a good way of checking for that before you activate a theme.

Exploit Scanner

Exploit Scanner is another free WordPress plugin that is more thorough than the Theme Authenticity Checker because it searches every file of your WordPress install, not just the active theme, as well as the contents of your database. It looks for signs that your installation has been compromised, such as unexpected files, obfuscated code, and injected links.

Note: this plugin returns a lot of false positives, because the functions it flags (eval(), base64_decode() and similar) are also used by legitimate plugins and themes. You have to know enough PHP to look at each flagged line and decide whether it is really malicious or just noise. A good first question is whether the decoded data is being executed, for example passed to eval(), or merely output, such as an inline image.
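Both the theme-file scan that TAC performs and the whole-install scan that Exploit Scanner performs come down to pattern matching plus human triage, and the false positives come from matching tokens on their own. The following is an added example, not code from either plugin, of how a practitioner would do that triage with a little context: a base64_decode() alone scores low, a decode-and-execute chain on one line scores high, and an outbound link in a file that also hides content is flagged as the SEO-spam pattern. It assumes you point it at a directory such as wp-content/themes; the sample files it writes to a temporary directory are constructed for the demonstration.

```python
"""Added example (not TAC or Exploit Scanner code): a small pattern scanner for
WordPress theme/plugin files that scores findings by context so a reviewer can
sort the eval(base64_decode(...)) backdoor from a legitimate base64_decode()."""
import os
import re
import tempfile

# Pattern rules: (name, compiled regex, base score). Scores are a triage aid
# for a human reviewer, not a verdict.
RULES = [
    ("eval",             re.compile(r"\beval\s*\("), 3),
    ("base64_decode",    re.compile(r"\bbase64_decode\s*\("), 1),
    ("decompress",       re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("), 2),
    ("preg_replace_e",   re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"), 3),
    ("long_b64_literal", re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"), 1),
    ("external_link",    re.compile(r"<a\b[^>]*href=['\"]https?://[^'\"]+['\"]", re.I), 1),
]
SCANNED_EXTENSIONS = {".php", ".js", ".css", ".html"}
# CSS that hides content; an outbound link next to it is the classic SEO-spam injection.
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|text-indent\s*:\s*-\d{3,}", re.I)


def severity(score):
    """Map a score to the label a reviewer sorts by."""
    if score >= 5:
        return "severe"
    if score >= 2:
        return "review"
    return "info"


def scan_file(path):
    """Return (score, findings) for one file; findings are (line_no, rule, snippet)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hides_content = bool(HIDDEN_CSS.search(text))
    findings, score = [], 0
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = [name for name, rx, _ in RULES if rx.search(line)]
        for name, _, base in RULES:
            if name in hits:
                findings.append((line_no, name, line.strip()[:80]))
                score += base
        # Context escalation: the combinations matter, the tokens alone mostly do not.
        if "eval" in hits and ("base64_decode" in hits or "decompress" in hits):
            score += 3  # decode-then-execute chain on one line
        if "external_link" in hits and hides_content:
            score += 2  # outbound link in a file that also hides content
    return score, findings


def scan_tree(root):
    """Walk root (for example wp-content/themes) and return
    [(severity, score, relative_path, findings)] sorted worst first.
    Files with no findings are omitted."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCANNED_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            score, findings = scan_file(path)
            if findings:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                results.append((severity(score), score, rel, findings))
    results.sort(key=lambda r: -r[1])
    return results


def build_demo_tree():
    """Write a constructed sample theme tree (not real theme code) to a temp
    directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    samples = {
        # Legitimate use: decoding a short inline icon. The token alone stays "info".
        "clean/functions.php":
            "<?php\n$icon = base64_decode('iVBORw0KGgo=');\necho $icon;\n",
        # Backdoor pattern: decode a string and execute it on the same line.
        "infected/footer.php":
            "<?php\n$p = 'Ly8gY29uc3RydWN0ZWQgZGVtbyBwYXlsb2Fk';\neval(base64_decode($p));\n",
        # SEO spam pattern: a hidden block wrapping an outbound link.
        "infected/sidebar.php":
            '<div style="display:none">\n<a href="http://example.com/pharma">cheap pills</a>\n</div>\n',
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for sev, score, path, findings in scan_tree(build_demo_tree()):
        print(f"{sev:7} {score:2}  {path}")
        for line_no, rule, snippet in findings:
            print(f"          line {line_no}: {rule}: {snippet}")
```

Run it against a real install by calling scan_tree("/path/to/wp-content") and reviewing the "severe" entries first. The thresholds and rule weights are starting points to tune against your own themes and plugins: a rule that fires on every file of a plugin you trust should be lowered or that plugin allowlisted, which is exactly the judgement the note above says the stock plugins leave to you.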


Sucuri

Sucuri is, in our opinion, the best WordPress security scanner out there. They have a very basic free site scanner, which checks your site from the outside to see if it is doing OK. But the real value is in their paid version. See our article, 5 reasons why we use Sucuri to improve our WordPress security, for a detailed overview. In short, once you install Sucuri, it monitors your website around the clock. It audits the activity that happens on your site so that you can track where things went wrong. If something looks fishy, Sucuri blocks the offending IP address. They also send you alerts if they notice something going on with your site. Last but not least, they offer a malware cleanup service, which is included in the price of their service (no matter how big or small your site is).

Note that the free scanner works remotely, so it can only see what your public pages serve; a backdoor that does not change your pages will not show up in it. That is why the server-side scanning in the paid version is the feature that matters.

We have their five-site plan, which comes out to about $3 per site per month. It makes sense to us to pay $3 per month to keep our websites safe.

By the way, this service is not just for beginners. Major publications like CNN, USA Today, PC World, TechCrunch, The Next Web, and others recommend these guys. They know what they are doing, and we trust them with our website.

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Page maintained by Syed Balkhi.



  1. sardar says:

    While some of them might sound complicated at first, their instructions are extremely easy and they can be completed without any further study.

  2. Vitaliy says:

    Actually, I was trying to check the Sucuri tool, but it looks like they don’t have the free version anymore. Am I looking in the wrong place, or is it really not possible to use their tool for free anymore?

  3. Paolo says:

    Em... is Sucuri a little bit more expensive than $3/month?

    • Grietje Goedkoop says:

      Right Paolo, I searched their site looking for this offer, but all there is, is this: $18 per month, and that’s just for 1 site.
      WPBeginner, I believe you should update your article, because now it looks like you’re just trying to get hits on the referral link... I’m sure this is not your intention though.

  4. Sidd says:

    I was just looking around for the right kind of exploit scanner plugin, and it seems there aren’t many :(
    It would be great if you could impress upon the Sucuri guys that their 5-website bundled plan was fantastic, and that they should bring it back.
    They have super expensive plans now :(

  5. Bas van der Linden says:

    Hmm, I tried the exploit scanner...
    Lots of faults in .css files and .js files.
    Unknown files found.

    And several .php files (mostly eval(), base64_decode() and uudecode).

    A total of around 7000 problems found, of which 500 are “Severe” problems...

    Don’t even know what to do now >,<

  6. bernard collin says:

    I had 2 websites compromised, with the front page of one saying “hack by mitzy” and the other showing a display of Viagra and medic offers.
    I put them both in the Sucuri scanner; both came back perfectly clean.
    I wrote to Sucuri to let them know; they denied it. I told them to check my websites, they are hacked, and since they are only personal WP blogs, I did not care, so I suggested leaving them hacked until they had found out why they could not see that they were hacked.
    They never replied to me, so after 4 days I was asked by my ISP to clean or remove my sites.

  7. Marc says:

    Keith – Wordfence is easy to set up. It won’t prevent attacks but makes it easier to clean them up and it can catch them pretty quick. It is a default plugin for any site I build (which I do on a hobby basis rather than a professional one). I’m now looking at the other plugins Lisa suggested. There are a lot of Wordfence Firewall plugins and the default one isn’t for the current version of WP.

  8. Muhammad Khalil Janjua says:

    Thanks, dear, you just saved my WordPress. Millions of blessings.

  9. Mike Lund says:

    I WORRY that a plugin that ‘appears to offer protection’ could be a virus.

    How do we know who to trust?

    Some ‘recommended’ plugins have 3 reviews (and one was by a cat)!

    • WPBeginner Support says:

      There are several ways to find out whether a plugin is trustworthy or not. You can do a simple Google search to see what others are saying about a plugin. You can click on the support tab of the plugin page to see what users are saying. The number of downloads is also a good indicator of a plugin’s reliability. If you are still unsure, then your safest bet is Sucuri. We use it on all our websites.

      • Phreddo Phrog says:

        “Sucuri. We use it on all our websites.”

        Isn’t something of an irony that all extensions, fixes etc end up costing more time and money than the flamin’ site cost in the first place – especially if it was done “offshore”.

  10. gmornob says:

    Thanks for sharing WordPress security tips. I agree with LISA CASSON =D because for whoever has many WP sites, that is costly.

  11. Wendy Morelli says:

    Another vote for Wordfence!

  12. JaY Srivastava says:

    First of all, let me thank you for this article. It helped me a lot, as my site had had some malicious code for a long time and I was having trouble with it.

    Secondly thanks to people above for posting some more tools and links.

  13. Michael Patrick McCarty says:

    Thank you so much for this information. I had suspected that I had picked up some malware, and I was beginning to lose some sleep over it. I installed some of your recommended plugins and discovered that I was fine. I don’t know how else I would have found the info I needed. Good to go. Write on!

  14. zimbrul says:

    I was reading a quite comprehensive article a few months ago about using FREE WordPress themes and the malicious code they can have within their code.
    TAC is an excellent plugin, and I use it every time I experiment with free themes. Many of them have base64 code, and most of the time this will link your site to some not-so-techie type of sites.

  15. Lisa Casson says:

    Scanning your website is a small step in securing WP sites. I’ve learnt that the hard way. It’s more useful if you can stop malicious code getting onto your site in the first place.

    We used to get hacked all the time until I started using these 3 handy plugins:
    WordPress Firewall
    Block Bad Queries

    Haven’t been hacked since (touch wood). Scanning your current site is important, but it’s just not any good at securing your site long term.

    • Editorial Staff says:

      We entirely agree with your statement that scanning is a small step. However if you look at the last option we suggested (Sucuri), it is essentially all 3 plugins you suggested (combined into one and then some more).

      • Lisa Casson says:

        Except it’s not free :) For me who has 50+ WP websites, it’s not even close to affordable. It’s great if you have one website, but I need a ‘bulk’ solution.

        • Editorial Staff says:

          Yes, you get what you pay for. Not sure what your definition of affordable is, but to use Sucuri for 50 websites, it comes down to $1.80 per website monthly. Assuming you are making a lot more than that from all of your websites, it’s a worthwhile investment. At least that is what we learnt from our experience. An example of this would be self-insurance vs. going with an insurance company (that will cover everything). There are pros and cons to both.

          You can save the money in your piggy bank and hope that you never get hacked. You take all the precautions necessary that decrease your chances of getting hacked. If you don’t get hacked, then yes, you saved a lot of money. Say you do get hacked across your 50 websites: you not only have to pay someone to clean it up, but you also lose users and revenue during the time you were hacked. The total bill would be a lot higher vs. if you have Sucuri, where you know you are in safe hands. A similar argument can be made: what if I use Sucuri and never get hacked? I lost all that money. Well, Sucuri is actively helping you keep your site safe, and if something goes wrong during their watch, they will fix it at no additional cost. We’d rather be safe than sorry.

          We have seen hacks that will not trigger most malware scanners and firewalls. The changes a hacker might make can be hard to detect. Some hacks are very sneaky and not obvious at all. For example, changing the canonical URLs of some of your popular articles, or adding links in your older articles. How many folks regularly check all of their older posts? This can happen if you have a plugin that may have a vulnerability, or another script on the same server that can be infected. Just a few months ago, we found a hack like this spread across numerous popular sites, and their webmasters had no clue. We won’t name any of those companies, but they are fairly well-known in the webmaster world. All were losing long-tail search traffic because their articles were suddenly disappearing from search. Instead, another site with duplicate content was ranking really high. Everyone was thinking that it was some Google penalty. It turned out the canonical URLs on those pages had been changed to this spam site that was ranking high instead.

          Services like Sucuri help monitor that and alert you right away, because Sucuri has server-side scanning built in. More importantly, they will help you fix it along with finding and closing the loophole that exists.
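The canonical-URL and injected-link hack described in the reply above is detectable without any paid service, because it shows up in the HTML your site serves. The following is an added example that is not part of the original thread and not Sucuri's code: it parses rendered pages, flags a canonical tag that points at another host, and reports outbound links to hosts that are not in a baseline of destinations you deliberately link to. It assumes you fetch your pages yourself (for example with curl on a schedule) and pass them in as {url: html}; the pages below are constructed samples, and the hostnames spam-site.example and pharma-offers.example are placeholders.

```python
"""Added example (not Sucuri's implementation): audit rendered WordPress pages
for a foreign canonical URL and for outbound links you did not put there."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def same_site(host, site_host):
    """True when host is the site itself or one of its subdomains."""
    host, site_host = (host or "").lower(), site_host.lower()
    return host == site_host or host.endswith("." + site_host)


class _PageAudit(HTMLParser):
    """Collect the canonical URL and every outbound <a href> on one page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.canonical = None
        self.external_links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "canonical" in (a.get("rel") or "").lower().split():
            self.canonical = a.get("href")
        elif tag == "a" and (a.get("href") or "").startswith(("http://", "https://")):
            if not same_site(urlparse(a["href"]).hostname, self.site_host):
                self.external_links.append(a["href"])


def audit_page(url, html, known_external=frozenset()):
    """Return a list of (issue, detail) for one rendered page.
    known_external is your baseline of hosts you deliberately link to,
    so only new destinations are reported."""
    site_host = urlparse(url).hostname
    parser = _PageAudit(site_host)
    parser.feed(html)
    issues = []
    if parser.canonical and not same_site(urlparse(parser.canonical).hostname, site_host):
        issues.append(("foreign_canonical", parser.canonical))
    for link in parser.external_links:
        if (urlparse(link).hostname or "").lower() not in known_external:
            issues.append(("unexpected_external_link", link))
    return issues


def audit_site(pages, known_external=frozenset()):
    """pages: {url: html}. Returns {url: issues} for the pages that have issues."""
    report = {}
    for url, html in pages.items():
        issues = audit_page(url, html, known_external)
        if issues:
            report[url] = issues
    return report


# Constructed sample pages standing in for HTML fetched from your own site.
SAMPLE_PAGES = {
    "https://example.com/2012/clean-post/": (
        '<html><head><link rel="canonical" href="https://example.com/2012/clean-post/"></head>'
        '<body><a href="https://www.example.com/about/">about</a>'
        '<a href="https://codex.wordpress.org/">WordPress Codex</a></body></html>'
    ),
    # Canonical silently repointed at a spam copy (placeholder host).
    "https://example.com/2011/popular-post/": (
        '<html><head><link rel="canonical" href="http://spam-site.example/copy-of-popular-post/"></head>'
        '<body>original article text</body></html>'
    ),
    # Old post with an injected outbound link (placeholder host).
    "https://example.com/2010/old-post/": (
        '<html><head><link rel="canonical" href="https://example.com/2010/old-post/"></head>'
        '<body>old text <a href="http://pharma-offers.example/">cheap pills</a></body></html>'
    ),
}
KNOWN_EXTERNAL = frozenset({"codex.wordpress.org"})


if __name__ == "__main__":
    for url, issues in audit_site(SAMPLE_PAGES, KNOWN_EXTERNAL).items():
        for issue, detail in issues:
            print(f"{url}: {issue}: {detail}")
```

The baseline is the important part: build known_external from a crawl taken when you know the site is clean, then run the audit on every post, old ones included, each time it is repeated, and treat any new host as something to explain. Fetch the pages the way a search engine sees them (plain HTTP, not logged in), since some injections only serve to crawlers.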

        • Lisa Casson says:

          Well, firstly, my clients do not pay me to secure their websites; I just add a bit of security because I know the vulnerabilities in WordPress. Also, it’s easy if you look at the monthly cost, but the reality is, I would need to fork out $1450 in one go to secure 50 websites. I keep regular backups of my websites, and we revert when sites are compromised, and it works well enough for me.

          I can’t comment on the large sites with the problem you mentioned because I have much smaller websites, and often websites without blogs.

          I have nothing against Sucuri, but it’s just not an option for me; that was all I was trying to say.

    • maurizio says:

      I would add wpscan to your list.

      IMO security can’t rely only on plugins.
      There are some good practices that can be applied without plugins: strong passwords, login protection, file permission policy...

      Remember that each plugin can create overhead...

    • Keith Davis says:

      Hi Lisa
      Not heard of Wordfence, but it gets a 5 star rating over on
      Is it difficult to set up?

      This might be a plugin that I’ll add to my security.

      Editorial Staff – what happened to the comments system you were using?
      It’s all changed.

    • bernard collin says:

      Thanks Lisa,

      I like the look of what these plugins do. I will install them on my websites, and I agree with you: Sucuri is too expensive and probably not doing what these ones are doing anyway.
