As a result of being a popular platform for websites, WordPress brings in loads of attention. And sometimes it is the unwanted attention of hackers and the malware they create.

So the WordPress team at Automattic always works to make WordPress a safe CMS to work with. But this is a continuous process, a kind of battle, as new malware and hackers keep popping up.

In the past, WordPress websites have been the target of attacks that redirected traffic to malicious URLs, which is why it’s so important to regularly scan your WordPress site for malware.

When something like this occurs, it’s possible that Google will turn visitors away from your site. This is done to protect visitors from being infected with malware. But then you will notice that traffic to your site begins to drop.

How Malware Reaches Your Website

WordPress users are spoilt for choice when it comes to finding themes. Choose any niche, and you will have many themes to pick from, both free and paid. One thing that users should watch out for while choosing a theme is bits of unwanted code embedded in themes.

This easily goes unnoticed, as the majority of users aren’t developers, which is why you should have a rule in place to scan WordPress for malware.

Being particularly wary when purchasing themes from third-party websites (not the author’s website) or when downloading free themes is a great place to start. This is because some theme vendors can embed code that can harm your website.

These bits of code can be snippets that do little harm, but they can also be harmful enough to bring down your site entirely. They embed themselves in your website unobtrusively. Most likely you will never notice them while your site is working as usual.

Themes aren’t the only way in which malicious code can reach your site. It can also be included in plugins, left in the comments section, or introduced by hacking or brute force attacks.

Sometimes you may opt to install software that comes bundled with a popular application that you download and install. That software could be malware or spyware masked as an add-on feature, and you may unknowingly allow it on your site, where the malware hides, often adding more malware to the site.

But why do hackers inject malware?

What purpose do these pieces of code serve? Why do hackers infect websites? Hackers embed malware to be able to:

  • Add backlinks and redirects to the sites that they want to promote.
  • Track your site visitors.
  • Add their banners and advertisements.
  • Access personal information such as names, passwords and email addresses.
  • Or just to bring down your site completely, either for a particular reason or just for fun.

The longer the malware remains undetected, the better it is for the hackers, because they can continue to use your site to collect information and send spam emails, which infects your visitors in the process. It’s left to us to regularly scan WordPress for malware and check our sites, even those that appear solid.

These Plugins & Services are here to scan WordPress for Malware

Plugins and scans are a good way to check if your site is infected with malicious code, malware or any other security threat. Many quality plugins are available that can be used to check for malware, and in this WordPress Wednesday here are four plugins that in my opinion are the best.

Scanning a site is likely a memory-intensive activity, so you may have to adjust your PHP memory access and clear cache directories so that the scan can go faster.

In most of the plugins, related security features are bundled in, and only a few plugins are complete solutions for detecting malware, while some are full-fledged security or backup solutions that include a malware detection feature.

You can even choose to leave all security, including malware detection, to the professionals if you go with managed hosting services like SiteGround.

1. iThemes Security

The iThemes Security plugin is one of the most popular choices to protect your site and scan WordPress for malware. The free version of the plugin offers thirty layers of protection and security, including a one-click “Secure Site” check, malware scans via Sucuri SiteCheck, strong password enforcement, brute force protection, database backups, file change detection and more.

If you want to add even more layers of protection you should consider purchasing the iThemes Security Pro version which gives you access to features like two-factor authentication, scheduled Malware scans, password expiration, WordPress core file comparisons and more.

The pro version of this plugin costs $80 per year, which might be a bit high for some bloggers, but can you really put a price on security, your time and peace of mind?

Price: Free & Paid Options

2. All In One WP Security & Firewall

The All In One WP Security & Firewall plugin is an easy-to-use option. The plugin offers lots of security features such as password strength, brute force login protection, built-in captcha, database prefix options, file permissions, htaccess/wp-config backups and firewall protection.

The plugin additionally offers easy-to-set-up security scans that you can use to promptly detect and remove malware.

It uses the file change detection scanner and database scanner to look for file changes or data tables you didn’t create. Use the settings to schedule automatic detection and to have an email sent directly to your inbox whenever a file change happens. This way any potential hacking attempt will be brought to your attention quickly.

Price: Free

3. Wordfence

Wordfence is a plugin that is not only a malware scanner but almost complete security protection for your website. It is free and open-source and uses the constantly updated Threat Defense Feed to observe and prevent your website from being hacked.

The Web Application Firewall can pick out over 40000 known pieces of malware and prevent them from reaching your site. Wordfence also scans for backdoors, phishing URLs, trojans, suspicious code and any other security threat.

These scans are generally carried out hourly, so you are likely to know of any malware on your website within the hour of it reaching your site. Wordfence can also check core integrity as well as monitor traffic in real time.

You can purchase a Premium API key that gives you the following features: scheduled scans, country blocking and some additional features.

Price: Free & Premium API key

4. Quttera Web Malware Scanner

Malware, viruses, trojans, backdoors, shells, malicious code injection, auto-generated malicious content and more: this WordPress plugin, Quttera Web Malware Scanner, will find them all if they’re lurking anywhere in your website.

If for some reason your site has been blacklisted by Google, it will reveal that in a scan as well. The plugin generates a detailed malware report, based on which you can clean up your website, and if you are in need of any help in removing malware, you will have to contact Quttera support.

Price: Free


WordPress Wednesday – 4 WordPress Plugins that Scans for Malware