How To Scan Your WordPress Site For Malware

How To Scan Your WordPress Site For Malware

If your WordPress site is infected with malware, you’re at risk of server crashes, data leaks, and even complete site suspension. Running regular scans is important if you want to tackle any problems before they get out of hand. We’re here to show you how…

Whether by clicking a dodgy link in an email, visiting a compromised website, or downloading software which has a bunch of nasty files sneakily bundled in – most of us have had some experience with malware.

The thought of malware infecting your computer and compromising your data is scary enough, but…what if it’s your site that’s been attacked?

This can put all of your visitors at risk, rack up hefty malware removal bills, and mean your site might need to be offline for a while until the malware is safely removed.

And whilst you might take every precaution to prevent your site from being infected, this doesn’t guarantee that you’ll be safe – regular scans should be an important part of your site security process.

So, what do you do if you suspect that something dangerous might be lurking in your files?

Read on to find out how to detect and remove malware from your WordPress site.

  1. What is Malware?
  2. The Importance of Regular Scans
  3. Scanning Your Site with Defender
  4. Online Scanning Tools
  5. What to Do if You Find Malware.

First of all, let’s take a quick look at what malware actually is.

What is Malware?

We all know malware is bad – it’s short for malicious software after all.

But in order to know how to tackle the problem, it’s important we understand it.

Malware is the blanket term for viruses, trojans, worms, and other malicious computer software created with the purpose of causing harm to a computer or network.

Keyloggers, for example, are a form of malware which record the keystrokes that a user makes. They steal passwords and other sensitive information which can be used by hackers to compromise accounts.

Other forms of malware such as viruses might have no benefit to the creator or sender – their goal could be to simply infect and destroy files, which can result in data loss and performance issues for the victim.

Diagram showing the different types of malware including trojans, worms, rootkits etc
Malware comes in many different shapes and sizes.

How Does a Site Become Infected With Malware?

Sites can become infected via a number of methods, but luckily two of the biggest culprits are two of the easiest to fix.

Outdated Plugins and Themes

Hackers look for vulnerabilities in themes and plugins and use them to their advantage.

When a vulnerability is identified, the developers will aim to get a new, patched, version ready for download as soon as possible.

Updating your plugins fixes the vulnerabilities and replaces any old and potentially compromised files with fresh versions – free of any tampering or changes.

A tool such as Automate is a great way to ensure your plugins and themes are always automatically updated with the latest patches and features.

Sloppy Security

Bad WordPress security can also pose a huge risk to your site.

If your password is weak, it could be susceptible to a brute force attack.

This happens when bots try thousands of common usernames and passwords to force their way into your site, which is why it is important to always use a long password with a variety of letters, numbers, and characters.

As well as using a secure password, two factor-authentication is a great way to add an extra layer of security to your WordPress login.

This prevents hackers from getting access to your site and planting malware within your files.

It’s Important to Run Regular Scans

Malware isn’t always easy to detect – just because your site seems to be running fine, it doesn’t mean that there isn’t something unpleasant going on in the background.

If you want to know for certain whether or not your site has been a victim of a malware attack, you can manually check every single WordPress file and folder looking for unknown code or files.

…or you could just run a malware scan!

Image of Defender taking a laptop through an airport scanner.
Defender doesn’t take any risks when it comes to site security.

A malware scan will alert you to any hidden nasties such as trojans, worms, spyware, and viruses, as well as warning you if your site has been blacklisted or is redirecting to suspicious sites.

You can carry out scans using a plugin or an online malware scanning tool.

Below, we’ll take you through some of the best options for scanning for, and removing, malware.

Scanning for Malware with Defender

Defender is more than just a malware scanning tool.

It’s the front-line against hacks and attacks, helping to keep your WordPress site protected and you informed of any suspicious activity.

Screenshot of Defender's page header from
Defender offers free malware scanning – and so much more!

It helps you identify exactly what you need to do to ensure your site is fully protected and provides you with the perfect set of tools to keep your site secure.

Running a Scan

To begin a scan, click on Defender’s Malware Scanning option in the WordPress sidebar.

Screenshot of Defender's first malware scan page
Click the button to run your first scan.

The free version of Defender will compare your core files against the originals in the WordPress repository – checking for additional files that might have been put there maliciously, or code edits which could mean your existing files have been tampered with.

Screenshot of Defender carrying out a scan
Wait a few minutes for the scan to complete.

When the scan has finished, Defender will let you know if there are any issues.

If it detects any additional files, it will alert you to these.


Our best pro WP tools in one bundle

Try free for 7 days
30-day money-back
Screenshot of a suspicious file found named 'Deafult'
Each unknown file will be listed separately.

Defender will also alert you to any changes to your WordPress core files.

Screenshot of a text edit flagging in Defender.
It provides a side-by-side comparison to the original.

The above screenshot shows a text comment added to the index.php file – Defender picked this up in the scan and shows the snippet in question.

This way, you can easily check whether or not it was you that made the edit.

You can then choose the course of action you want to take. Defender gives you two options – ignore or restore.

If you are confident that Defender has flagged up something that’s harmless or something that you added manually, you can choose to ignore it to make sure it isn’t brought to your attention after every scan.

However, if you are sure that a flagged file shouldn’t be there, you can delete it in one click.

If the issue is unknown code contained within one of your WordPress core files, Defender makes it super easy to restore the file to the original version, ridding your install of any potentially dangerous code.

Screenshot of Defender's ignore or restore options on a suspicious file.
You can restore or ignore individually or in bulk.

Take it a Step Further with Defender Pro

The malware scan that Defender Pro undertakes should be sufficient for most sites, however if you want to be absolutely sure that your files are safe, or if you have reason to suspect that something still isn’t quite right, Defender Pro could be just what you need.

Defender Pro’s scan is even more powerful – it checks for current vulnerabilities in plugins and themes so that you can update them with patched versions, and also checks their files for suspicious code.

Screenshot of Defender flagging up suspicious code in Quttera's files.
It will list every issue and provide the relevant code snippets

The screenshot above was Defender flagging up a suspicious function, which was actually in relation to another security plugin which had previously been installed.

It is, of course, harmless, but if any plugin is using external functions like this, it is better to be made aware as installing third-party plugins always carries a degree of risk.

Check out this article if you want to learn more about how Defender detects and removes malicious code.

Online Scanning Tools

Defender’s main goal is to protect your site from attacks by giving you the tools to secure it. The ability to scan your files for malware is just the icing on the cake.

However, if you want to do a thorough check of your site’s output, you can use an online scanner tool, too.

Tools such as VirusTotal or Sucuri cannot scan your files like Defender does, as they do not have access, however, they can scan the HTML output of your site, which is something plugins are generally unable to do.

All you need to run a scan is the URL of a website, which means you can even carry out checks on websites you want to visit.

Screenshot of malware being found on a Sucuri scan.
An example of Sucuri flagging malware on a website.

If malware is hiding in the database and injecting malicious code into your WordPress posts, it will be overlooked by most plugins, as they do not check the database.

This is why the safest option is to combine a plugin such as Defender, which checks the files within your WordPress installation, along with an online tool such as VirusTotal or Sucuri, which focus purely on the site’s output.

So You’ve Found Malware – What Next?

If your scan flags up suspicious code or files and you’re confident that they shouldn’t be there, you need to choose a method of removal.

Defender can replace the infected files with fresh copies from the WordPress repository, meaning that any malicious code contained within them will be deleted for good.

It can also help you to delete suspicious files either one-by-one or in bulk.

Screenshot of the option to delete a suspicious file in Defender.
Just remember to back-up your site before you delete any files!

If you have followed these steps but are still worried that something isn’t quite right with your site, WPMU DEV members can contact our support experts who will be happy to help clean up your site.

If your issue is severe or rooted deep within the database, you might need the help of a specialist website recovery service.

These services usually charge one-time fees and focus on removing your malware as quickly as possible to get you back online.

The internet is also full of guides showing you how to manually remove malware. If you are an experienced developer, this might be a viable route.

However, with anything that involves amending core WordPress files, just be sure to exercise caution as you may end up doing more harm than good!

Prevention is Better Than the Cure

Whilst malware scans should be an integral part of your security routine, best practice is always going to be making sure your site has strong enough security in place to stop attacks from being successful in the first place.

Defender is the ultimate tool for keeping out intruders, and combined with its integration with The Hub, which includes a powerful hosted WAF, hackers shouldn’t stand a chance.

Finally, be sure to check out our article showing how to get the most out of Defender to find out exactly what you need to do to keep malware at bay.

When was the last time you carried out a malware scan? Have you tried Defender's malware scanning feature, and if so, what were your thoughts? Let us know in the comments!

Kirstan Norman

Kirstan Norman Kirstan is a digital marketer from Yorkshire, England... She formerly wrote for the WPMU DEV blog on anything and everything WordPress, and provided copy for other areas of the website and business.