Top Rated Plugins To Detect Malware In Your WordPress Website

WordPress is now a very popular platform for websites. As a result it attracts a load of attention, sometimes the unwanted attention of hackers and their malware. The WordPress team at Automattic works constantly to make WordPress a safe CMS to work with. But this is a continuous process, a kind of tug-of-war, as new malware and hackers keep popping up. Recently, WordPress websites were the target of attacks that redirected traffic to malicious URLs.

When something like this happens, it is possible that Google can turn away visitors from your website. This is done to protect the visitors from being infected with malware. You will then begin to notice that traffic to your website begins to dip. If you want to understand how this kind of attack works, you can read Sucuri’s review of the attack.

How Malware Reaches Your Website

WordPress users are spoilt for choice when it comes to themes. Pick any niche, and you will have a multiple choice of themes for your niche, both free and premium. One thing that users should watch out for while picking a theme, is bits of unwanted code that are embedded in themes. Be particularly cautious while purchasing themes from third party websites (not the author’s website) or while downloading free themes. This is because some unscrupulous theme vendors can embed code that can harm the user’s website.

These bits of code can be innocuous snippets that do little harm. But they can also be harmful enough to bring down your site entirely. They embed themselves in your blog unobtrusively. Most likely you will never notice them, when it is work as usual on your website.

Themes are not the only way in which malicious code reaches your website. They can be included in plugins, left in the comments section, by hacking or brute force attacks.

Sometimes, you may opt to install software that comes bundled with some popular application that you download and install. That software can often be malware or spyware, disguised as an add-on feature. You may unknowingly allow these options on your website, where the malware lurks around, often adding more malware to the site.

Why do hackers inject malware ?

What purpose do these bits of code serve ? Why do hackers infect websites ? Malware is embedded by hackers to be able to,

  • Add back links and redirects to the sites that they want to promote.
  • Track your visitors.
  • Add their own banners and advertisements.
  • Access sensitive personal information such as names, passwords and email addresses.
  • Bring down your website completely, either for a reason or just for fun.

The longer the malware remains undetected, the better it is for the hackers. This is because they can continue to use your website for gathering information and send spam emails, infecting your visitors in the process. It is left to us to regularly scan and check our websites, even those that appear ironclad, for malware.

Plugins To Detect Malware

Plugins and scans are a great way to check if your website is infested with malicious code, malware or any other security threat. A number of quality plugins are available that can be used to check for malware.

Scanning a website is potentially a memory intensive activity.  You may have to modify your PHP memory access and clear cache directories so that scanning is faster.

In most of the plugins, allied security features are bundled and only a few plugins are purely solutions for detecting malware. Some are full fledged security or backup solutions, that include a malware detection feature. Codeguard, for instance, is a complete backup and restore service that also scans your website for malware. It alerts you if anything unwanted is found. VaultPress also offers daily malware scanning in all their plans.

You can also choose to leave all security, including malware detection, in competent professional hands, if you choose to go with managed hosting services like WPEngine and SiteGround.

But for those of you on shared hosting, here are some of the more popular services and plugin options for detecting malicious code.

Sucuri SiteCheck Scanner

Free Sucuri SiteCheck Scanner conducts a remote malware scan of your website. Visit Sucuri SiteCheck Scanner, enter the URL of your website and hit the Scan Website button. The scanner extracts the links, javascript files and iframes, and revisits the main page as a search engine bot.

Sucuri Site Check

It compares all the pages and links against Sucuri’s malware database and reports the anomalies. The scan will detect malware, blacklisting, defacing, website errors and out-of-date software. The scan generates a report of the malware found and recommends how you should handle it.

The scanner does not access your server. So anything malicious in the server that is not displaying in the browser, is not detected by the remote scanner. And therefore, this scan is not effective for phishing, backdoors and malicious usernames.

The Sucuri Security plugin can do much more – audit logging, integrity checking, email alert, security hardening and other tools. If you do not want to run the URL often, you can activate the plugin and generate a free API.

Sucuri plugin

Sucuri offers many paid services as well – A Firewall service (CloudProxy), that can prevent hacking, malware cleanup, security monitoring and more.

iThemes Security (Formerly Better WP Security)

iThemes Security

Downloaded by over 800,000+ WordPress users, the iThemes Security plugin is one of the most popular choices for protecting your WordPress site. The free version of this plugin offers 30 layers of protection and security including a 1-click “Secure Site” check, Malware scans (via Sucuri SiteCheck), strong password enforcement, brute force protections, database backups, file change detection and much more.

iThemes Security Scan

If you want to add even more layers of protection consider iThemes Security Pro which give you access to features like 2-factor authentication, scheduled Malware scans, password expiration, WordPress core file comparisons and more. The plugin does cost $80 per year which might be a bit high for some bloggers, but can you really put a price on security and peace of mind?

Anti-Malware Security and Brute Force Firewall

Anti-Malware Security and Brute Force Firewall not only scans and detects malware, it also helps you to fix them. It detects malware, viruses and other threats on your server, and marks them as Potential Threats, leaving it to you to deal with them.

Anti Malware GOTMLS

But if you register the plugin at GOTMLS.NET, you will have access to download of new definitions, automatic removal and patches for known vulnerabilities. The Revolution Slider in WordPress is particularly prone to attack, and so the protection for this feature is automatically enabled in this plugin.

The premium version affords protection against Brute Force and DDoS attacks, checks the integrity of the core files and downloads new definitions automatically. You can donate fixed amounts ranging between $14 to $133.7, and each level opens up different features. For $29, almost everything is unlocked for as many websites as you want.


Anti-Virus is a simple, easy-to-install plugin that can automatically do a daily scan for malware and spam and will notify you by email of anything suspicious. Any hacking attempt or successful hacking is brought to your notice quickly.


Cleaning up after a plugin removal and virus alerts in the admin bar are other handy features.


Wordfence is not merely a malware scanner, but an almost complete security protection for your website. It is free and open source and uses the constantly updated Threat Defense Feed to monitor and prevent your website from being hacked.

The Web Application Firewall can pick out over 44000 known malware and prevent it from reaching your website. It also scans for backdoors, phishing URLs, trojans, suspicious code and any other security threat.


The scans are generally carried out at hourly intervals. So you are likely to know of any malware content on your website within the hour of it reaching your website. Wordfence can check core integrity as well as monitor traffic in real time.

For scheduled scans, country blocking and some additional features, you will have to pay and obtain a Premium API key.

Exploit Scanner

Exploit Scanner scours the files and database of your website to hunt for unwanted code. Active plugins are also scanned. It’s only function is detection – cleanup and prevention will have to be done by other means.

Exploit Scanner

If you find scanning is slow on account of insufficient memory, you can increase PHP memory access from the plugin admin page. You can customize the scan and exclude some files from scanning, but it is always better to do a complete scan.

This plugin has a tendency to return ‘false positives’. So, to understand the results of the scan, you need to be able to identify unwanted code.

Quttera Web Malware Scanner

Malware, viruses, trojans, backdoors, shells, malicious code injection, auto-generated malicious content and more – Quttera Web Malware Scanner will find them all, if they are lurking in your website.

Quttera Web Malware Scaner

If your site has been blacklisted by Google, it will reveal that in a scan as well. It generates a detailed malware report, based on which you can clean up your website. For any help in removing malware, you will have to contact their support.

Theme Authenticity Checker

You can rely on Theme Authenticity Checker to find theme vulnerabilities quickly and easily. It helps to determine if a code cleanup is required or not.

Theme Authenticity Checker

This plugin scans the source code of the theme looking for unwanted code. When it finds the mischievous elements, it will highlight the location where you can find it, along with a snippet of the code. This plugin does not automatically remove the offending code. It leaves it to you to assess the impact of the code and choose to remove or keep it.

Though not updated for more than 2 years this plugin still works and enjoys a high rating and popularity, with a download of over a 100,000+.

Keep In Mind

Scanning for malware is likely to throw up some false positives, which you will need to check out. If a scan result shows your website to be clean, can you rely on it ? Not entirely, as scans are not foolproof.

One way to minimize malicious code from reaching your website is to download themes and plugins directly from the author’s page or from trusted theme houses and not from any third party website.

Scanning for malware is only a quick and easy first step to protect your website. It takes much more than a few scans and plugins to safeguard your website from security threats. Website security is something you need to  think through fully and implement diligently.

Not to worry,  Freddy has put it all together for us in one place. Starting from WordPress Hosting and moving on to backups, plugins, themes and cleaning up your computer, right down to SSL, passwords and folder permissions, you can find it all there. Check it out and take precautions proactively.

  • Updated on:
  • Posted Under: Plugins
Post Author: Vishnu

Vishnu is a freelance writer by night, works as a data analyst by day.

Got something to say? Join the discussion.
  1. attacomsian says:
    Looks awesome to me. Worth trying.
  2. I recommend Ninja Firewall. Very good plugin. It work as web application so It is really light weight. Very good rating too. I use this plugin for really long time.
  3. Hi Vishnu. Thanks for the great advice and list of plugins. I had some malware on my website way back in the early days. It replicated itself in many different folders and was very tedious to get rid of. All it seemed to do was send out a lot of spam and I only found it because my host limits the number of emails that can be sent in an hour. Fortunately it used random characters to generate file names so, while tedious, it was easy to find and eliminate the garbage. Now I use All In One WP Security. It does a lot to keep my website safe, but like you said, nothing is foolproof.

Leave a Reply

Your email address will not be published. Required fields are marked *