WordPress is a popular platform for websites. As a result, it brings in loads of attention, and sometimes it’s the unwanted attention of hackers and their malware.

The WordPress team at Automattic always works to make WordPress a safe CMS to work with, but this is a continuous process, a kind of battle, as new malware and hackers keep popping up.

In the past, WordPress websites have been the target of attacks that redirected traffic to malicious URLs, which is why it is so important to regularly scan WordPress for malware.

When something like this occurs, Google may turn visitors away from your site. This is done to protect visitors from being infected with malware. You will then see traffic to your site begin to drop.

How Malware Reaches Your Website

WordPress users are spoilt for choice when it comes to themes. Choose any niche, and you will find many themes for it, both free and paid. One thing users should watch out for while choosing a theme is bits of unwanted code embedded in it. This code easily goes unnoticed, as the majority of users are not developers, which is why you should have a rule in place to scan WordPress for malware.

Being particularly wary when purchasing themes from third-party websites (not the author’s website) or when downloading free themes is a great place to start. This is because some theme vendors can embed code that can harm your website.

These bits of code can be snippets that do little harm, but they can also be harmful enough to bring down your site entirely. They embed themselves in your website unobtrusively. Most likely, you will never notice them while the site works as usual.

Themes aren’t the only way in which malicious code can reach your site. It can also be included in plugins, left in the comments section, or introduced through hacking or brute force attacks.

Sometimes, you may opt to install software that comes bundled with a popular application that you download and install. That software could be malware or spyware masked as an add-on feature, and you may unknowingly allow it onto your site, where the malware hides, often adding more malware to the site.

But why do hackers inject malware?

What purpose do these pieces of code serve, and why do hackers infect websites? Hackers embed malware to be able to:

  • Add backlinks and redirects to the sites that they want to promote.
  • Track your site visitors.
  • Add their banners and advertisements.
  • Access personal information such as names, passwords and email addresses.
  • Or just to bring down your site completely, either for a particular reason or just for fun.

The longer the malware remains undetected, the better it is for the hackers, because they can continue to use your site to collect information and send spam emails, infecting your visitors in the process. It’s left to us to regularly scan WordPress for malware and check our sites, even those that appear solid.

These Plugins & Services are here to scan WordPress for Malware

Plugins and scans are a good way to check whether your site is infected with malicious code, malware or any other security threat. Many quality plugins are available for checking for malware, and in this WordPress Wednesday here are eight plugins that in my opinion are the best.

Scanning a site is likely to be a memory-intensive activity. You may have to adjust your PHP memory limit and clear cache directories so that the scan can go faster.

Most of these plugins bundle malware detection with related security features, and only a few are complete solutions for detecting malware. Some are full-fledged security or backup solutions that include a malware detection feature.

You can even choose to leave all security, including malware detection, to the professionals if you go with a managed hosting service like SiteGround.

1. Wordfence

Wordfence is a plugin that is not only a malware scanner but almost complete security protection for your website. It is free and open-source and uses the constantly updated Threat Defense Feed to observe and prevent your website from being hacked.

The Web Application Firewall can pick out over 40000 known malware and prevent it from reaching your site. Wordfence also scans for backdoors, phishing URLs, trojans, suspicious code and any other security threat.

These scans are generally carried out at hourly intervals, so you are likely to know of any malware on your website within an hour of it reaching your site. Wordfence can also check core integrity as well as monitor traffic in real time.

You can purchase a Premium API key that gives you the following features: scheduled scans, country blocking and some additional features.

Price: Free & Premium API key

2. McAfee SECURE

The McAfee SECURE WordPress plugin comes with a set of security features including Malware scanning and it’s especially great for eCommerce sites.

When you show visitors that your site is safe to engage with, they are more likely to interact with it and make a purchase, knowing they can shop safely and confidently.

It works simply: once you’ve installed the plugin, just add your FTP credentials and activate your free McAfee account. Right after your site passes the security scan, the McAfee SECURE Trustmark will be displayed on your site.

This way users know at a glance that your site is secure and free of viruses, malware and any other malicious activity.

With the free version of McAfee SECURE, the Trustmark will be displayed on your site for up to 500 visitors each month. This shows visitors that they can securely browse your site and/or make a purchase from your store.

If your site gets more than 500 visitors or you want more features, you will probably want to upgrade to a McAfee SECURE Pro plan, which includes unlimited visits along with additional security and identity protection features.

Price: Free & Premium Option

3. All In One WP Security & Firewall

The All In One WP Security & Firewall plugin is an easy to use option. The plugin offers lots of security features such as password strength, brute force login protection, built-in captcha, database prefix options, file permissions, htaccess/wp-config backups and firewall protection.

The plugin additionally offers security scans that are easy to set up and that you can use to promptly detect and remove malware.

It uses the file change detection scanner and database scanner to look for file changes or data tables you didn’t create. Use the settings to schedule automatic detection and to have an email sent directly to your inbox whenever a file change happens. This way, any potential hacking attempt will be brought to your attention quickly.

Price: Free

4. malCure Malware Scanner

malCure Malware Scanner is a WordPress plugin that focuses on a very user friendly interface and simplicity while at the back-end it can detect 50,000+ infections.

malCure Malware Scanner executes a database scan as well as a WordPress file scan for complete detection. Its thoroughness comes from the hybrid approach it takes, which includes multiple scans on every file and database record, i.e. checksum integrity, a scan against known malware signatures, and a heuristic scan.

This allows for high-precision results and very rare false positives. The definitions are updated frequently so malCure can detect even the latest infections. While the plugin is focused on simplicity, high-pressure & high-performance for the regular user, one place where malCure Malware Scanner shines is its robust integration with WP-CLI.

This takes its utility to an entirely new level, as you can easily scan and clean up WordPress sites from the command line in case the host has revoked access to the site to contain the spread of malware. It has a powerful feature set in WP-CLI mode, which makes it very appealing for web-security professionals too.

CLI integration helps automate scans via cron, and with some scripting knowledge you can utilise malCure Malware Scanner in almost every way possible.

You can also connect malCure scanner to your Google Search Console property to fetch any warnings or security notices issued by Google. This ensures that scans also cover injected spam links, Google Transparency blacklist and warnings too. malCure Scanner has a built-in firewall that protects from the most exploited WordPress attack vectors.

Price: Free

5. Quttera Web Malware Scanner

Malware, viruses, trojans, backdoors, shells, malicious code injection, auto-generated malicious content and more: the Quttera Web Malware Scanner WordPress plugin will find them all if they’re lurking anywhere on your website.

If for some reason your site has been blacklisted by Google, the scan will reveal that as well. The plugin generates a detailed malware report, based on which you can clean up your website. If you need any help removing malware, you will have to contact Quttera support.

Price: Free

6. iThemes Security

The iThemes Security plugin is one of the most popular choices to protect your site and scan WordPress for malware. The free version of the plugin offers thirty layers of protection and security, including a one-click “Secure Site” check, malware scans via Sucuri SiteCheck, strong password enforcement, brute force protection, database backups, file change detection and more.

If you want to add even more layers of protection you should consider purchasing the iThemes Security Pro version which gives you access to features like two-factor authentication, scheduled Malware scans, password expiration, WordPress core file comparisons and more.

The pro version of this plugin costs $80 per year, which might be a bit high for some bloggers, but can you really put a price on security, your time and peace of mind?

Price: Free & Paid Options

Final Note

Scanning for malware may throw up some false positives, which you will need to check out. If you do scan WordPress for malware and the result shows your website to be clean, can you rely on it? Maybe, but take it with a pinch of salt, as no scan is foolproof.

One way to minimise the chance of malicious code reaching your site is to download themes and plugins directly from the author’s page or from a trusted theme marketplace, and not from suspicious third-party websites such as those offering “free” premium versions of plugins.

So if you decide to scan WordPress for malware, it is a quick and easy first step to protect your site, though it takes more than a few scans and plugins to safeguard your site from security threats. Website security, just like securing your home, is something you need to think through fully and implement diligently.


WordPress Wednesday – 6 Plugins to Scan WordPress for Malware