How to Scan Your WordPress Site for Potentially Malicious Code

Last updated on April 17th, 2019 by Editorial Staff

Often we get asked by our users, is there a way to scan your WordPress site for potentially malicious code? The answer to that question is YES, YES, and YES. There are both free and paid tools available to scan your WordPress site for potentially malicious or unwanted code. Usually, malware and malicious code can go unnoticed for a long time unless you regularly scan your website. In this article, we will show you how to easily scan your WordPress site for malware and potentially malicious code.

When To Scan Your WordPress Site for Malware and Malicious Code?

The best time to scan your WordPress site for malware and malicious code is now. Many beginners don’t install a WordPress security scanner right away, which means that malware or a malicious code injection can go unnoticed for a long time.

Many users don’t notice anything until some telltale signs make them suspicious. See our list of common signs that your WordPress site is hacked.

Even if your WordPress site is not hacked or affected, you should still learn how to scan your WordPress site for malicious code. It will help you protect your website against future attacks.

Most importantly, you can improve WordPress security to protect your WordPress site like a total pro (it doesn’t require any technical skills).

That being said, let’s take a look at how to thoroughly scan your WordPress site for potentially malicious code.

1. Sucuri

Sucuri is the industry leader in WordPress security. They are a paid service but offer a limited WordPress scanning feature for free.

To quickly scan your website, you need to install and activate the free Sucuri Security plugin. For more details, see our step by step guide on how to install a WordPress plugin.

The plugin checks your WordPress files to see if they have been changed. It also scans for possible malicious code, iframes, links, and suspicious activity.

The real value comes from their paid plans which come with the best WordPress firewall protection. Their DNS level website application firewall blocks any suspicious activity or malware even before it reaches your website.

We recommend using a DNS level website firewall because it is more effective. The Sucuri firewall also serves your website's static content through their own CDN, which gives you a significant performance boost and improves WordPress speed.

Most importantly, if your website gets affected, then Sucuri experts will clean your website at no additional cost. Cleaning a hacked WordPress site is quite difficult even for experienced WordPress users. Knowing that you have real security experts available to clean your website gives business owners huge peace of mind.

We use Sucuri on our website. To learn more, see our complete Sucuri review.

2. Wordfence

Wordfence is another popular WordPress security plugin which allows you to easily scan your WordPress site for suspicious code, backdoors, malicious URLs, and known patterns of infections.

It automatically scans your website in the background, and you can also manually initiate a scan at any time.

You will be able to see the progress of the scan in the yellow boxes on the scan page. Once the scan is finished, Wordfence will show you the results.

It will notify you if it found any suspicious code, infections, malware, or corrupted files on your website. It will also recommend actions you can take to fix those issues.

Wordfence also comes with an application level firewall. This firewall helps you prevent brute force attacks and hacking. However, it runs on your website itself, so malicious traffic still reaches your server before it is filtered, which makes it a little less effective.

For more details, see our step by step guide on how to install and set up Wordfence security in WordPress.

3. Anti-Malware Security

Anti-Malware Security is another very powerful WordPress security plugin which can help you to scan WordPress for malicious code and malware.

The plugin looks for suspicious code, scripts, .htaccess threats, backdoors, and known patterns of infections in all folders and files of your website. It performs a comprehensive scan which may take a while to finish.

The plugin author actively maintains the malware definitions, which means that they are continuously updated to detect new threats as they are discovered.

Keep in mind that the plugin may show a lot of potential threats which are actually false positives. You will have to manually compare those files to the original source files, which could be a lot of work.
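The manual comparison described above can be scripted. The following is an added example, not code from the plugin or from this article: it assumes you have unpacked a clean copy of the same version of the flagged plugin, theme or WordPress core into a separate reference folder, and the function names and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_of(full)
    return digests

def compare_to_reference(site_root, reference_root):
    """Classify files in site_root against a clean reference copy."""
    site, ref = hash_tree(site_root), hash_tree(reference_root)
    return {
        "modified": sorted(p for p in site if p in ref and site[p] != ref[p]),
        "added": sorted(p for p in site if p not in ref),
        "missing": sorted(p for p in ref if p not in site),
    }

def build_demo():
    """Constructed sample trees standing in for a live plugin folder and its clean download."""
    base = tempfile.mkdtemp()
    ref, site = os.path.join(base, "reference"), os.path.join(base, "site")
    clean = {"plugin.php": "<?php // main file\n", "inc/helper.php": "<?php // helper\n", "readme.txt": "Readme\n"}
    live = dict(clean)
    live["inc/helper.php"] += "// constructed: extra line not in the release\n"
    live["inc/cache.php"] = "<?php // constructed: file absent from the release\n"
    del live["readme.txt"]
    for root, files in ((ref, clean), (site, live)):
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return site, ref

if __name__ == "__main__":
    site, ref = build_demo()
    for kind, paths in compare_to_reference(site, ref).items():
        print(kind, paths)
```

Files in the "modified" and "added" lists are the ones worth opening by hand. Files that legitimately exist only on the live site, such as wp-config.php or anything in the uploads folder, will also appear as "added" when you compare a whole WordPress install against a fresh download.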

It also includes a firewall option. The firewall is actually a software level firewall which is less effective than a DNS level firewall.

How to Clean up Malware or Suspicious Code in WordPress?

The first thing you need to do is to immediately change all your WordPress passwords. This includes your WordPress user accounts, WordPress hosting account, FTP or SSH user accounts, and your WordPress database password.

This ensures that if one of these passwords was compromised, then the hackers will not be able to use it to regain access.

Next, you need to create a complete WordPress backup by either using a plugin or manually through phpMyAdmin and FTP. This step ensures that if something happens during the cleanup, you can still revert to the infected state of your website.

After that, we recommend hiring a WordPress security professional to clean the website for you. We recommend Sucuri; each of their paid plans includes a malware removal service. Even if your website is already affected, they will clean it for you.

You can also try to clean it yourself. It is difficult work and may take a lot of your time. Stay calm and follow the instructions in our step by step guide on how to fix a hacked WordPress website for beginners.

We hope this article helped you learn how to scan your WordPress site for malware and potentially malicious code. You may also want to see our guide on fixing a backdoor in a hacked WordPress site.

About the Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Trusted by over 1.3 million readers worldwide.

4 Comments

  1. Brett says:
    Dec 19, 2018 at 5:11 am

    After removing malware any idea how to get Google, Facebook and Insta to be your friend again?

    • WPBeginner Support says:
      Dec 21, 2018 at 8:56 am

      Hi Brett,

      You will need to submit your site for reconsideration. If you are using Google search console then you can do this from your search console dashboard.

  2. Muhammad says:
    Dec 11, 2018 at 9:32 pm

    Have done all this, but still every other day, there are weird files in my WordPress directories. Using GoDaddy.

    • WPBeginner Support says:
      Dec 11, 2018 at 11:54 pm

      Hi Muhammad,

      You may also want to try steps mentioned in our article on how to clean a hacked WordPress website.
