Often we get asked by our users, is there a way to scan your WordPress site for potentially malicious code? The answer to that question is YES, YES, and YES. There are both free and paid tools available to scan your WordPress site for potentially malicious or unwanted code. Usually, malware and malicious code can go unnoticed for a long time unless you regularly scan your website. In this article, we will show you how to easily scan your WordPress site for malware and potentially malicious code.
When To Scan Your WordPress Site for Malware and Malicious Code?
The best time to scan your WordPress site for malware and malicious code is now. Many beginners don’t install a WordPress security scanner right away, this means that a malware or malicious code injection can go unnoticed for a long time.
Many users don’t notice anything until some telltale signs make them suspicious. See our list of common signs that your WordPress site is hacked.
Even if your WordPress site is not hacked or affected, you should still learn how to scan your WordPress site for malicious code. It will help you protect your website against future attacks.
Most importantly, you can improve WordPress security to protect your WordPress site like a total pro (it doesn’t require any technical skills).
That being said, let’s take a look at how to thoroughly scan your WordPress site for potentially malicious code.
Sucuri is the industry leader in WordPress security. They are a paid service but offer limited WordPress scanning feature for free.
The plugin checks your WordPress files to see if they are changed. It also scans for possible malicious code, iframes, links, and suspicious activity.
The real value comes from their paid plans which come with the best WordPress firewall protection. Their DNS level website application firewall blocks any suspicious activity or malware even before it reaches your website.
We recommend using a DNS level website firewall because it is more effective. Sucuri firewall also serves your website static content through their own CDN which gives you a significant performance boost and improves WordPress speed.
Most importantly, if your website gets affected, then Sucuri experts will clean your website at no additional cost. Cleaning a hacked WordPress site is quite difficult even for experienced WordPress users. Knowing that you have real security experts available to clean your website is a huge peace of mind for business owners.
We use Sucuri on our website. To learn more see our complete Sucuri review.
Wordfence is another popular WordPress security plugin which allows you to easily scan your WordPress site for suspicious code, backdoors, malicious URLs, and known patterns of infections.
It automatically scans your website in the background, and you can also manually initiate a scan at any time.
You will be able to see the progress of the scan in the yellow boxes on the scan page. Once the scan is finished, Wordfence will show you the results.
It will notify you if it found any suspicious code, infections, malware, or corrupted files on your website. It will also recommend actions you can take to fix those issues.
Wordfence also comes with an application level firewall. This firewall helps you prevent brute force attacks and hacking. However, it runs on your website which makes it a little less effective.
For more details, see our step by step guide on how to install and setup Wordfence security in WordPress.
Anti-Malware Security is another very powerful WordPress security plugin which can help you to scan WordPress for malicious code and malware.
The plugin looks for suspicious code, scripts, .htaccess threats, backdoors, and known-patterns of infections in all folders and files of your website. It performs a comprehensive scan which may take a while to finish.
The plugin author actively maintains definitions which means that they are continuously improving to detect new threats as they are discovered.
Keep in mind that the plugin may show a lot of potential threats which are actually false positives. You will have to manually compare those files to source files which could be a lot of work.
It also includes a firewall option. The firewall is actually a software level firewall which is less effective than a DNS level firewall.
How to Clean up Malware or Suspicious Code in WordPress?
The first thing you need to do is to immediately change all your WordPress passwords. This includes your WordPress user accounts, WordPress hosting account, FTP or SSH user accounts, and your WordPress database password.
This ensures that if one of these passwords was compromised, then the hackers will not be able to use it to regain access.
Next, you need to create a complete WordPress backup by either using a plugin or manually through phpMyAdmin and FTP. This step ensures that if something happens during the cleanup, you can still revert back to the infected state of your website.
After that, we recommend hiring a WordPress security professional to clean the website for you. We recommend Sucuri, each of their paid plans include malware removal service. Even if your website is already affected, they will clean it for you.
You can also try to clean it yourself. It is difficult work and may take a lot of your time. Stay calm and follow the instructions in our step by step guide on how to fix a hacked WordPress website for beginners.