How To Scan Your WordPress Website For Hidden Malware

Posted on July 23, 2014 by in Tips & Tricks | 70 comments


As the most popular content management system online, WordPress websites are a common target for hackers, spammers, and other malicious parties. That is why it is vital to take measures to make your website more secure. Between brute force attacks and newer threats like BabaYaga, scanning your site for malware matters more than it ever has before.


Why Are They Hacking Me, Anyway?

The goal of most hackers is to infect your website with malware, but not all malware is created equal. Common malware threats include:

  • Pharma Hacks – Injects spam into your website database or files
  • Backdoors – Allows hackers to gain access to your website at any time using FTP or your WordPress admin area
  • Drive-by Downloads – When a hacker uses a script to download a file to the user’s computer, either without their knowledge or by misleading the visitor into thinking the software does something useful
  • File and Database Injections – Inserts code into your files or database that lets the hackers do a number of different things
  • Malicious Redirects – Redirects visitors to a page of theirs that misleads people into downloading an infected file
  • Phishing – Used to acquire usernames, passwords, email addresses, and other sensitive information

When most people think about a website being hacked, they think about the hacker defacing the website by placing a message to visitors like “Your Website has Been Hacked by Teh Haxxo0rz!!” and putting skulls and crossbones all over the place.

In reality, defacements are not that common. The majority of hackers do not want you to know that they have tampered with your website, as the first thing a website owner will do when they know that their website has been compromised is to remove the malicious files in question.

Letting them know is self-defeating.

Hackers who infect your website with malware are discreet. The longer a victim is unaware that the website is infected, the longer the hacker can use the website to send spam and grab visitors’ information. With that in mind, you have to realize that even a secure WordPress website can be hacked. It is therefore important that you scan your website regularly to detect any hidden malware.

We’ve rounded up some of the best solutions that can help you detect malware on your WordPress website. From services to plugins, making sure you’re as secure as possible is our primary concern.

Sucuri Malware Scanning

Sucuri have a great reputation as an effective security and malware scanning solution. Their Sucuri SiteCheck scanner will scan your website for common issues free of charge. On top of that, their free WordPress plugin is one of the best security measures you can take.

The scanner will scan your website for malware, defacements, and spam injections. It will also detect whether your website server has been blacklisted (which can happen if a hacker has been using your server to send spam). The main limitation of the scanner is that you need to scan your website manually yourself.

Upgrading to their $89.99 yearly premium plan will give you automatic alerts via email and Twitter about any malware issues. This plan will also remove your malware for you and remove your website from any blacklists.


As I mentioned above, Sucuri also offer a free WordPress security plugin. In addition to scanning your website for malware, the plugin offers a firewall to make your website more secure, hardening options that address common WordPress security holes, and a “last logins” section that shows exactly who has logged into your website.


The plugin also has some useful features for recovering your website after an attack, such as updating the WordPress salt keys and resetting user passwords.

CodeGuard

CodeGuard is a backup service that provides automated backups and restores at the click of a button. The service also monitors your website for changes every day and alerts you if it detects any malware.


Plans start from only $5 per month to back up and monitor one website. One of its main rivals in the backup niche is VaultPress; however, VaultPress only offers daily scanning with its $40 per month plan. If you are looking for an all-in-one monitoring and backup solution, CodeGuard is a great choice.


Anti-Malware

Anti-Malware will scan your website for malware and automatically remove any known threats. The plugin can also harden your wp-login.php page to stop brute force attacks. Anti-Malware also provides a WAF (web application firewall), which pretty much every WordPress website needs these days.


Quttera Web Malware Scanner

Quttera Web Malware Scanner will scan your website for known threats such as backdoors, code injections, malicious iframes, hidden eval code, and more. The report will show you a list of suspicious files and advise whether your website has been blacklisted by ISPs. The big draw on this one is that the results are easy to read and parse. You know what needs to be fixed without much fuss.
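As an added illustration (not code from the article, from Quttera or from any of the plugins listed), here is a small Python scanner that applies the same kinds of indicators these tools look for: eval of a decoded payload, request data passed straight to an execution function, hidden iframes and display:none spam links, and the “variable soup” obfuscation that commenters below describe. The sample files are constructed, and a hit is a lead to review, not a verdict.

```python
import os
import re
import sys

# Heuristic indicators typical of injected PHP/HTML in a WordPress tree.
# A hit means "review this file", not proof of compromise.
RULES = [
    ("eval-of-decoded-payload",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("request-data-executed",
     re.compile(r"\b(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("preg_replace-e-modifier",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]+/[a-z]*e['\"]", re.I)),
    ("hidden-iframe",
     re.compile(r"<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|width\s*=\s*[\"']?0\b)", re.I)),
    ("hidden-links",
     re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I)),
]
# Many tiny string assignments on one line: the "variable soup" obfuscation style.
SHORT_ASSIGN = re.compile(r"\$\w+\s*=\s*['\"][^'\"]{0,10}['\"]\s*;")
SOUP_THRESHOLD = 8
SCAN_EXT = (".php", ".js", ".html", ".htm", ".css")

def scan_text(path, text):
    """Scan one file's content line by line; return (path, line, rule, excerpt) hits."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((path, lineno, name, line.strip()[:80]))
        if len(SHORT_ASSIGN.findall(line)) >= SOUP_THRESHOLD:
            hits.append((path, lineno, "variable-soup-obfuscation", line.strip()[:80]))
    return hits

def scan_tree(root):
    """Walk a directory (e.g. a WordPress docroot) and scan every web-facing file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(SCAN_EXT):
                p = os.path.join(dirpath, fn)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_text(p, fh.read()))
    return hits

# Constructed samples (not real malware) covering each indicator above.
SAMPLES = {
    "clean/header.php": "<?php wp_head(); ?>\n<div class=\"site\">\n",
    "uploads/cache.php": "<?php eval(base64_decode('ZWNobyAx')); ?>\n",
    "wp-includes/img.php": "<?php if (isset($_GET['c'])) system($_GET['c']); ?>\n",
    "themes/x/footer.php":
        "<div style=\"display:none\"><a href=\"http://spam.invalid/\">buy</a></div>\n"
        "<iframe src=\"http://bad.invalid/\" style=\"display:none\"></iframe>\n",
    "plugins/y/o.php":
        "<?php $countermeasure='C'; $maam='iPCJeSH6';$dugout=']NeQv';$grape='j_t)';"
        "$eavesdropper='(r$o';$bertie='u';$armor='_$sIJapa';$crafty='iEe';$bridie='_'; ?>\n",
}

def scan_samples():
    """Run the rules over the in-memory samples; returns {sample: [rule names]}."""
    return {name: [h[2] for h in scan_text(name, text)] for name, text in SAMPLES.items()}

if __name__ == "__main__":
    # With a path argument, scan a real tree; otherwise demonstrate on the samples.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else [
        h for n, t in SAMPLES.items() for h in scan_text(n, t)]
    for path, line, rule, excerpt in results:
        print(f"{rule:28} {path}:{line}  {excerpt}")
```

Because it works line by line, payloads split across lines or built at runtime will slip past it, which is exactly why the scanners above pair signatures with file-change monitoring.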


Wordfence Security

Wordfence Security is one of the most popular security plugins available for WordPress. The plugin can scan your website’s core files, theme files, and plugin files against known threats.


It also provides a log of changes to your website and offers many options for hardening your website and making it more secure. There’s a lot more to say about Wordfence that you can read about here.
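An added example, not code from Wordfence, WP Security Audit Log or the article: the file-change detection these tools perform, reduced to its core. It hashes every file under a document root, stores the baseline, and reports added, removed and modified files on the next run; the fake docroot and the injected files are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

# Directories whose contents change legitimately and would drown the report.
SKIP_DIRS = {"cache", "upgrade"}

def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large uploads are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map every file under root (relative path) to its hash."""
    baseline = {}
    for dirpath, dirnames, files in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in files:
            full = os.path.join(dirpath, fn)
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return baseline

def save_baseline(baseline, path):
    """Persist the baseline. Keep it outside the docroot so an intruder with
    write access to wp-content cannot simply re-baseline their own changes."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def compare(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified

def _write(root, rel, body):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(body)

def demo():
    """Constructed scenario: baseline a tiny fake docroot, then simulate an
    injection (theme file edited, dropper added to uploads, readme deleted)."""
    root = tempfile.mkdtemp()
    _write(root, "index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n")
    _write(root, "readme.html", "<html>WordPress</html>\n")
    _write(root, "wp-content/themes/x/functions.php", "<?php // theme functions\n")
    _write(root, "wp-content/cache/page.html", "cached\n")  # skipped directory
    baseline_path = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(build_baseline(root), baseline_path)

    _write(root, "wp-content/themes/x/functions.php", "<?php // theme functions\n// injected line\n")
    _write(root, "wp-content/uploads/2014/07/x.php", "<?php // dropper\n")
    os.remove(os.path.join(root, "readme.html"))
    return compare(load_baseline(baseline_path), build_baseline(root))

if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "\nremoved:", removed, "\nmodified:", modified)
```

Run the baseline step right after a clean install or update, and again after every legitimate update, so that the report only ever contains changes you did not make.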

WP Security Audit Log

WP Security Audit Log keeps a log of every single change on your website. Security alerts can be sent to you for a number of reasons, including failed login attempts, changes to file templates, and plugin installation.


This activity log is invaluable given the prevalence of brute force attacks and other attempts to plant malware. You will be able to see just when and how the bad guys are trying to break into your site.

Other Plugins to Stop Malware

You will find a ton of security plugins out there on the repository. But you don’t need to sort through them all. Let us do that for you.

Stay Safe Out There

The internet is a dangerous place. I encourage each and every one of you to scan your website regularly to help detect malicious files and changes. Read up about new threats and set up a firewall to prevent such nastiness. It is in your best interests to detect any successful hack attempts as soon as possible to minimize the damage from an attack. It’s not just for you; it’s for your users, too. When they’re happy, everyone’s happy, right?

If you know of any other good malware scanners and malware detection plugins, please share them in the comment area below.

Article thumbnail by benchart /



  1. We have ClamAV on all our shared hosting plans. I just assumed it would work as well, and it works beyond a WordPress install.

    Any thoughts on ClamAV as a general server malware and antivirus remover?


    • It doesn’t hurt to run ClamAV as well. If you are looking for a basic server-level exploit scanner that includes ClamAV as well, check out CXS.

  2. Thanks for the great information to help keep our websites (that of course use Elegant Themes products) safe and secure, Kevin!!

  3. Great article and valuable info Kevin, thanks!

    I personally use Wordfence Security, and Sucuri have saved two of my sites by successfully finding and removing affected files at one time when I was on their yearly plan. Wordfence has helped me to realize how often someone tries to get access to a website using “Admin” as the user name, amongst other insights.

  4. What do you think about ithemes Security?

    • I use iThemes security on all my sites and have had great success with it. It’s amazing how many brute force attacks are done on the sites almost on a daily basis. So far I have had no problems with it.

      • Brute force attacks against what – the login page? Why are you not using iThemes’ simple method of hiding your login page? This stops all automated brute force attacks against the login page.

        • Sorry, isn’t it easy to pull up a login page, simply by adding wp-admin to the URL?

          • Hide any page you want just by using the htaccess file. You don’t change the structure of the page; it just lets you access the login page by another URL. Direct access to the file will be impossible for automated bots, which use fingerprinting and won’t be able to do their work (most attacks are done automatically). If you need to know more, feel free to contact me. I’ll be happy to show you how for free.

      • Well, it’s good to know that I am not the only one, and I hide my login also. I think it is very easy to use and I am happy with it so far. Thanks!

      • Yeah, iThemes Security, formerly BetterWP Security. I wonder why Kevin never mentioned it in his article considering its popularity.

      • Yes, I also use iThemes Security, which was originally Better WP Security. It is the first plugin that I install on all my sites.

  5. Awesome article and list! I use codeguard on my site and it’s great.

  6. This past weekend my website and 6 of my clients’ websites were hacked. It has been a nightmare to say the least! I’ve had to purchase SiteLock plans and am crossing my fingers that the sites will be up and running soon.

    A tough and costly lesson learned 🙁

    • Crossing your fingers won’t help, you need an expert to get rid of the hack.

  7. Nice article.

    My website was under attack a few days ago. I just activated the Wordfence security plugin, found out the IP addresses and blocked them. Now everything is good. It took 5 minutes to save my site from hackers. And the best solution to keep your site safe is to have both Wordfence and Cloudflare.

    • Blocking by IP address will only help against basic attacks – more sophisticated attacks will spoof the IP or quickly rotate via proxy servers – we have recorded attacks over several hours that have come from tens of thousands of different IP addresses

  8. Only scanning will give you information, no doubt. WP is a highly secure system, but its security needs improvement. So I also recommend using the “Better WP Security” plugin.

    And use something like “WordPress File Monitor Plus” — it will inform you by e-mail whenever any file in your WP installation is created, changed or deleted.

    You’ll find no 100% reliable way to protect from all attacks, but you will know for sure if one happens. You will see that a file changed and have to think — why? And you can then do something about it.

    • It’s true, scanning is just part of the solution. We have some other great posts about basic security tips as well as how to deter WordPress hackers that touch on these other topics. This post is focused on scanning only.

  9. Hi Kevin
    I use a number of security features plus the paid version of Sucuri.

    If you run several websites the price per site is pretty reasonable.

  10. I have to say, this is by far one of the most useful posts to date, thank you very much.

  11. Thanks for this article. I have already checked my website – free from viruses.

  12. Just want to contribute a plugin that helps with many of these issues as well. It is called WordFence and there is a free version of it that works great.

  13. Hey Kevin, these articles are the best in the field…

    But why don’t you do top tens? I always end up testing most of them instead of aiming for the best 🙂

    • There is rarely one best solution for everyone! A top ten list is usually biased either by the author’s requirements or by some financial incentive, so this approach is much better – giving an outline of available solutions and letting the reader decide which will suit their situation.

  14. A good roundup of available solutions, although I’m also very surprised that iThemes Security wasn’t included in the list, especially as prevention is much better than a cure. A site where the core, plugins and themes are always kept updated; themes and plugins are from reputable developers; and everything is properly protected by iThemes Security (in our opinion the best security plugin) and the Sucuri plugin is pretty secure against most of the standard hacks. Add to that using a hosting company that takes security seriously (a very large percentage don’t do this and don’t care) and also restricting access to admin directories to specific IP addresses, and you are secure against most things. The Sucuri cleanup service is good for those that haven’t tied everything down and have been hacked.

      • Understand that, and that is a great post as well, but if you are including Wordfence Security, then iThemes Security does pretty much all the same functionality you list for that.

        • I wasn’t aware that iThemes Security had a malware scanning tool like WordFence. Good to know 🙂

  15. Loving these daily updates, good job to the entire ET crew

  16. Thanks for the great article! I use BlueHost – so I haven’t thought too much about site security. Which is not smart since I have had sites hacked in the past. Off to download some plugins and start installing! Thanks again for the great post!

    • I’m considering using bluehost as well 🙂

  17. Thanks for the list of plugins. Don’t have time to test them all. Anyone know the bare minimum security set-up that will keep my site safe & secure?

    • Don’t go with any of the cheap or free hosting companies – their server security is not as good. Then install and properly configure iThemes Security and the Sucuri plugins. For extra security you can take the Sucuri yearly plan and WAF, but that is belt and braces.

  18. Awesome list! Wordfence is awesome but it creates huge log files if the traffic is substantial. There are plugins to remove those logs, but it should be included in the plugin itself. A simple and effective plugin I would recommend everyone use is “Rename wp-login.php”. It will simply hide your /wp-admin login by changing it to a name of your choosing and keep automated bots from trying to hack your site. It’s not going to stop other intrusions but it will stop those pesky scripts from trying a million login attempts. It also reduces Wordfence logs substantially. If paid solutions are your thing, I would ask that you look up “We Watch Your Website”. When I get calls from potential clients about their site being hacked, I get WWYW on the case. They are so cheap, and so good, it’s a crime anyone pays monthly for the same type of service.

    • Again, why would you use two or three plugins when iThemes Security does all of this?

      • Though I use Wordfence, and I so much love their security updates and 2-factor authentication, aside from it being enough to keep hackers at bay. Are you saying that using the iThemes Security pro pack is the all-in-one solution to WordPress security, HavenSwift Hosting?

        • No, it isn’t the only solution (see our other answers for what else we also suggest) but, properly configured, it is a great foundation and getting better with each release. It also includes a setting to do what the previous person was saying they use “Rename wp-login.php” for.

          • A whopping $444/yr to get all the real value; iThemes isn’t meant for a lone blogger, maybe for a small/medium enterprise!

  19. Great article and such a great reminder to be proactive and protect or pay the price! Thanks again.

  20. Helpful article…..

    I’m using Sucuri Malware Scanning…

  21. Very good article Kevin, I mostly use Sucuri to scan my or my clients’ websites.

  22. Hey, good to see a few plugins which are unknown to me but seem useful.
    It will be very good if you can throw some light on the malicious code in the database, how to figure it out and prevent it,

    and the common areas we should take care of in terms of the WP database.


  23. +1 for Sucuri

    One problem I’m having is failed attempts at logging in from random IP addresses. I get like 40 a day.

    How can I stop them?

  24. I get calls regularly from non-clients with malware problems in their WP sites.

    Great information as always



  25. The timing of these articles is great. After reading this I installed Wordfence on my sites and actually found a couple of threats on different sites. Thankfully I was able to remove the files.

  26. Thanks for the tips. You should delete the plugins you don’t use, and regularly update the versions of your theme, plugins and WordPress.

  27. I have had a couple of instances when WordPress sites for my clients were hacked. The reason which I diagnosed was the users there checked the “Remember Me” check box. This allowed the malware to slip in from the local machines to the websites and cause issues. We have never faced the malware issue ever since.

    But this seems to be a pretty good round up for website security. I will definitely test and try these someday for my WordPress websites.


  28. Nice post. Although I have installed all the plugins, none of them has found any spam code, even though in the footer of my website there are display:none spam links, which are displayed randomly. That means if I refresh the page, new links are displayed there. I have been trying to solve this issue for days and none of the plugins work. I can’t seem to find how the links are placed there. I ran through all the files with a scanner, also encoded the links into base64 and searched through the database and the files; I can’t seem to find them anywhere. Any idea?

  29. My site is safe with CodeGuard! Thanks for this beautiful article!

  30. Helpful article….. I’m using Centrora Security; it would be good to add it to the list, it finds malware on my site.

  31. I installed Limit Login Attempts by Human Made Ltd. Free, easy to configure, and logs IP addresses and username hack attempts. Yes, there are better solutions, thanks all for some good reading 🙂

  32. I installed Limit Login Attempts by Human Made Ltd. Free, easy to configure, and logs IP addresses and username hack attempts.

  33. I wonder if it is safe to install all the plugins you mention above?
    This month, my website was hacked two times although I installed 3 anti-hack plugins. Really tired.

  34. Great list. So what do YOU use?

  35. Thank you for this article! So helpful!

    Do you have any suggestions for what to do if malware is detected on your site via one of these plugins? Are there any plugins or tutorials for dealing with malware that you know of?

  36. I had a different experience with the 2 big security plugins. I first had iThemes and it let a hacker in and threw me out. I then went to Wordfence and found it changed a lot of code in my root files; I might be different than some, but I wasn’t comfortable with that. If you already have Wordfence you cannot just delete the plugin and move on. I’m not complaining, just explaining my next choices, which I have been very happy with. I was a newbie several months ago so did not question the most popular choices.
    Part of the problem was mine in leaving Admin on my login, and the former server I had was not very secure on their end. I have since moved on to a better server and non-invasive security plugins.
    They are: Sucuri, not upgraded (which I had originally at the first site), Simple Firewall and BestWebSoft Limit Attempts. Everything has been going great now, and even some brute force attacks have been recorded but have not gotten in.
    I just tried the Anti-Malware plugin above. It seems in-depth and brought up a couple of files that are plugins as questionable. The only problem is I’m not code savvy so I’m not sure what I’m looking at. I will give some others of these a go though, thank you for making the list.

  37. I have been attacked 2 times on my network. I have 4 websites (shared hosting) on Bluehost. When I was attacked the first time, I was told by AdWords, and then I bought SiteDoctor from Bluehost and they scanned and removed the malware. Now I was attacked again and Bluehost deactivated my account again, so I again bought SiteDoctor ($60 / scan & remove). I am now afraid that every time I am attacked I have to pay $60?? The first time the malware was “Copyright (C) 2000 Free Software Foundation, Inc. See LICENSE.txt” in all .js files, and the second time (now) it is “base64” in .php and .css files. Can anybody tell me what I should do? I am not a programmer and I don’t know from where the hacker gets in. Ooh, 1 thing: I installed the Wordfence Security plugin after the first attack, and before the 2nd attack Wordfence gave me an alert that someone was trying to access wp-admin with some usernames like “admin” and “urdudvds” from China, but I don’t have any of the above usernames for my site. Please give me a suggestion/service which I can trust and my money will not be wasted. Thank you in advance.

  38. Any plugin that detects malware cryptphp?

  39. Thanks, thanks, thanks, you saved my website reputation!!!!

  40. Just scanned all of my sites with sucuri. All clear.

  41. I was just told my sites had some bad files, and Bluehost sent me to use their plugin, and it was awesome. The best part is the support in helping understand some bad files. That help was impressive, and for that alone it is worth getting. Donations are accepted and rightfully so.

  42. My hosting was recently taken down due to malware in my .php files. I manually deleted most files listed by my ISP; what I would like to know is how it works, as the code just looked like variables:

    " $countermeasure ='C'; $maam='iPCJeSH6';$dugout = ']NeQv';$grape = 'j_t)';$eavesdropper= '(r$o';$bertie ='u'; $armor ='_$sIJapa'; $crafty ='iEe';
    $bridie= '_'; $barth = 'e'; $dequeuing='o;,ja'; $electricalness ='R'; $expiration= 'W'; $dolf= 's[)_'; $converge= 'l';$brightness='d';$herculie='Uait'; $around='O'; $dastard= ')'; ",

    any info or links will be appreciated

  43. Nice information on how to make a healthy WordPress website and remove hidden malware.

  44. Thanks for publishing a nice piece of information regarding WordPress security and removing hidden malware files…

  45. Really amazing article. All those security plugins are amazing; I tried many of them, but I use Wordfence and I recommend it for others. Thank you for sharing a great article, I just love it.

  46. Thanks for the list of useful scanners – been looking for a solution that caters to a range of different CMS options and is also not too expensive if I have multiple domains.


  47. Update: iThemes security plugin seems to have started charging for malware scans as of this writing.

    I installed it a month ago and it was free.

    Now I’m using

  48. Hey,
    Just to include a plugin I used.. You forgot about All In One WP Security from the WordPress repo.. It’s a good plugin I used… Maybe add it also :)

