Best Plugins to Scan WordPress for Malware
WordPress is now a very popular platform for websites. As a result it attracts a great deal of attention, sometimes the unwanted attention of hackers and their malware. The WordPress team at Automattic works constantly to make WordPress a safe CMS to work with. But this is a continuous process, a kind of tug-of-war, as new malware and hackers keep popping up. In the past WordPress websites have been the target of attacks that redirected traffic to malicious URLs, which is why it’s so important to regularly scan WordPress for malware.
When something like this happens, Google may start turning visitors away from your website. This is done to protect the visitors from being infected with malware. You will then begin to notice that traffic to your website dips. If you want to understand how this kind of attack works, you can read Sucuri’s review of the attack.
How Malware Reaches Your Website
WordPress users are spoilt for choice when it comes to themes. Pick any niche, and you will find many themes for it, both free and premium. One thing users should watch out for while picking a theme is bits of unwanted code embedded in the theme. For most people this goes unnoticed, as the majority of users aren’t developers, which is why you should have a process in place to scan WordPress for malware.
A good place to start is to be particularly cautious when purchasing themes from third-party websites (rather than the author’s own website) or when downloading free themes, because some unscrupulous theme vendors embed code that can harm the user’s website.
These bits of code can be innocuous snippets that do little harm, but they can also be harmful enough to bring down your site entirely. They embed themselves in your blog unobtrusively; most likely you will never notice them while your website appears to be working as usual.
Themes are not the only way malicious code reaches your website. It can also arrive in plugins, be left in the comments section, or be planted through hacking or brute force attacks.
Sometimes you may opt to install software that comes bundled with a popular application you download and install. That bundled software can often be malware or spyware disguised as an add-on feature. You may unknowingly allow these options on your website, where the malware lurks, often adding more malware to the site.
Why do hackers inject malware?
What purpose do these bits of code serve? Why do hackers infect websites? Hackers embed malware so that they can:
- Add back links and redirects to the sites that they want to promote.
- Track your visitors.
- Add their own banners and advertisements.
- Access sensitive personal information such as names, passwords and email addresses.
- Bring down your website completely, either for a reason or just for fun.
The longer the malware remains undetected, the better it is for the hackers. This is because they can continue to use your website for gathering information and sending spam emails, infecting your visitors in the process. It is left to us to regularly scan WordPress for malware and check our websites, even those that appear ironclad.
The 10 Best Plugins & Services To Scan WordPress for Malware
Plugins and scans are a great way to check if your website is infested with malicious code, malware or any other security threat. A number of quality plugins are available that can be used to check for malware, and in our humble opinion these 10 are the best.
Scanning a website is potentially a memory-intensive activity. You may have to raise your PHP memory limit and clear cache directories so that scanning is faster.
Most of these plugins bundle related security features; only a few are purely malware detectors. Some are full-fledged security or backup solutions that include a malware detection feature.
You can also choose to leave all security, including malware detection, in competent professional hands, if you choose to go with a managed hosting service like WPEngine.
But for those of you on shared hosting, here are some of the more popular services and plugin options to detect malicious code.
1. JetPack Backups – VaultPress (included with JetPack plans)
If you’re using a JetPack plan then you’re in luck since you already have access to Jetpack Backups (aka VaultPress) – the backup and security plugin developed by Automattic.
While the Personal plan does include brute force protection and uptime monitoring, you will need to upgrade to a Premium plan (starting at about $5/month) to have access to daily Malware scanning for your website (or spring for a Professional plan to have the added benefit of on-demand scans as well as automatic resolutions – so you never have to lift a finger).
With Jetpack Backups installed and connected to your website via FTP/SSH, it will monitor your site on its own. From your online VaultPress user dashboard you’ll be able to access information about any security threats found during your daily scan and make updates if needed (or restore to a secure full backup VaultPress took of your website).
2. MalCare Security and Firewall for WordPress
MalCare is a complete security solution, developed after analyzing over 400,000 WordPress sites. It is free and uses the collective intelligence from its network of sites to keep your website protected from malware, hackers and the rest.
Its early malware detection technology helps prevent your websites from being blacklisted by Google or blocked by web hosts. MalCare can successfully detect complex malware that goes undetected by other popular plugins.
The plugin focuses on accuracy in identifying malware and on significantly reducing the number of false positives reported. This means that you are alerted only when the plugin is certain that it has detected malware, not a ‘possible suspect.’
Brute force attacks are very common against WordPress sites, so the Web Application Firewall and Login Protection are automatically enabled in the free plugin. They help protect your site 24/7 from bots, hackers and the like.
The premium version automatically cleans malware that has been found on your website. For an added layer of protection, there are options like IP Blocking, Login Protection, and Website hardening. Managing plugins can be a headache especially if you have multiple websites to maintain. Updating or removing plugins, themes and WordPress core can be carried out from within the MalCare Pro dashboard.
3. Astra Security Suite
Astra Security Suite is a go-to security plugin for thousands of WordPress sites. The plugin offers a comprehensive firewall solution, malware scanner, and immediate malware removal service for sites running on WordPress. The free version of Astra’s security scanner offers only remote scanning of a website to find OWASP Top 10 vulnerabilities, zero-days, backdoors, SEO spam infections, website blacklisting, hidden crypto miners, credit-card phishing scripts, and much more.
The Astra Security Suite premium plugin offers an extra advantage with a wide range of website security solutions, including a real-time web application firewall, automated malware scanner, vulnerability assessment and penetration testing (VAPT), immediate malware cleanup in case your website is hacked, and a community security platform.
But the best thing about Astra Security Suite is that it does not require a DNS change during installation, which means that, unlike other plugins, it does not store your website traffic on its servers. Instead it monitors your website for incoming and outgoing threats in real time.
4. Sucuri SiteCheck Scanner
The free Sucuri SiteCheck Scanner conducts a remote malware scan of your website. Visit Sucuri SiteCheck Scanner, enter the URL of your website and hit the Scan Website button. The scanner extracts the links, JavaScript files and iframes, and revisits the main page as a search engine bot.
It compares all the pages and links against Sucuri’s malware database and reports the anomalies. The scan will detect malware, blacklisting, defacing, website errors and out-of-date software. It generates a report of the malware found and recommends how you should handle it.
The scanner does not access your server, so anything malicious on the server that is not displayed in the browser is not detected by the remote scanner. This scan is therefore not effective for phishing, backdoors and malicious usernames.
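The remote scan described above only sees what a visitor’s browser would see. The following Python script is an added illustration (not Sucuri’s code) of that first step: it extracts script sources, iframe sources and link targets from a page and flags any that point to a host outside an assumed allowlist. The sample HTML and all hostnames are constructed for the example; a real scanner would compare the hosts against a malware database rather than a hand-written allowlist, and, as the text notes, would still miss anything that never reaches the browser.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample front page: one injected script, one spam link, one hidden
# iframe. All hostnames are made-up placeholders.
SAMPLE_HTML = """<html><head>
<script src="https://example-blog.test/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://unknown-cdn.test/loader.js"></script>
</head><body>
<a href="https://example-blog.test/about/">About</a>
<a href="http://unknown-links.test/offer">cheap offer</a>
<iframe src="https://unknown-frame.test/x.html" width="1" height="1"></iframe>
</body></html>"""

# Hosts this site may legitimately load from (assumed allowlist for the example).
TRUSTED_HOSTS = {"example-blog.test", "fonts.googleapis.com"}

class ResourceExtractor(HTMLParser):
    """Collect what a remote scanner sees: script/iframe sources and link targets."""
    def __init__(self):
        super().__init__()
        self.resources = []   # list of (tag, url)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "a" and a.get("href"):
            self.resources.append((tag, a["href"]))

def remote_scan(html, trusted_hosts):
    """Return (tag, host) for every script, iframe or link that points to a host
    not on the allowlist. Relative URLs have no host and are skipped; an unknown
    script or iframe host is a stronger signal than an unknown link."""
    parser = ResourceExtractor()
    parser.feed(html)
    findings = []
    for tag, url in parser.resources:
        host = urlparse(url).hostname
        if host and host not in trusted_hosts:
            findings.append((tag, host))
    return findings
```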
The Sucuri Security plugin can do much more – audit logging, integrity checking, email alerts, security hardening and other tools. If you do not want to visit the scanner URL each time, you can activate the plugin and generate a free API key.
Sucuri offers many paid services as well – a firewall service, that can prevent hacking, malware cleanup, security monitoring and more.
5. MalCure WP Malware Scanner & Firewall
malCure Malware Scanner is a recent addition to the list of malware scanners. The plugin focuses on a very user-friendly interface and simplicity, while at the back end it is able to detect 50,000+ infections. malCure Malware Scanner executes a database scan as well as a WordPress file scan for complete 360° detection. Its thoroughness comes from the hybrid approach it takes: multiple scans on every file and database record, namely checksum integrity, comparison against known malware signatures, and a heuristic scan. This allows for high-precision results and extremely rare false positives. Definitions are updated frequently, so malCure is able to detect even the latest infections.
With the plugin focused on simplicity and high performance for the regular user, one place where malCure Malware Scanner really shines is its robust integration with WP-CLI. This takes its utility to a whole new level, as you can easily scan and clean up WordPress sites from the command line in case the host has revoked web access to the site to contain the spread of malware. malCure has a powerful feature set in WP-CLI mode, which makes it very appealing for web security professionals too. CLI integration helps automate scans via cron, and with some scripting knowledge you can use malCure Malware Scanner in almost every way imaginable.
You can also connect malCure scanner to your website’s Google Search Console property to fetch any warnings or security notices issued by Google. This ensures that scans also cover injected spam links, Google Transparency blacklist and warnings too. malCure Scanner has a built-in firewall that protects from the most commonly exploited WordPress attack vectors.
6. Solid Security
Downloaded by over 900,000 WordPress users, the Solid Security plugin is one of the most popular choices to protect your site and scan WordPress for malware. The free version of this plugin offers 30 layers of protection and security, including a 1-click “Secure Site” check, malware scans (via Sucuri SiteCheck), strong password enforcement, brute force protection, database backups, file change detection and much more.
If you want to add even more layers of protection, consider Solid Security Pro, which gives you access to features like two-factor authentication, scheduled malware scans, password expiration, WordPress core file comparisons and more. The plugin does cost $80 per year, which might be a bit high for some bloggers, but can you really put a price on security and peace of mind?
7. Anti-Malware Security and Brute Force Firewall
Anti-Malware Security and Brute Force Firewall not only scans and detects malware, it also helps you to fix them. It detects malware, viruses and other threats on your server, and marks them as Potential Threats, leaving it to you to deal with them.
But if you register the plugin through the developer’s site, you will be able to download new definitions and get automatic removal and patches for known vulnerabilities.
The premium version affords protection against Brute Force and DDoS attacks, checks the integrity of the core files and downloads new definitions automatically.
8. All In One WP Security & Firewall
The All In One WP Security & Firewall plugin is another popular and easy-to-use option. The plugin offers tons of security features such as password strength checks, brute force login protection, a built-in captcha, database prefix options, file permissions, htaccess/wp-config backups and firewall protection. But the plugin also offers easy-to-set-up security scans that you can use to quickly detect and remove malware.
Use the file change detection scanner and database scanner to look for file changes or data tables you didn’t create. Use the settings to schedule automatic detection and to have an email sent directly to your inbox whenever a file change occurs. This way any potential hacking attempt will be brought to your notice quickly.
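The file change detection described here, and the checksum-plus-heuristic approach described for malCure above, both rest on the same idea: record a baseline of file hashes, then report anything added, modified or removed, and look harder at the files that changed. The Python below is an added example (not the code of either plugin) that does exactly that on a constructed mini site in a temporary directory; the heuristic regex is an assumed, illustrative stand-in for a real signature database.

```python
import hashlib, os, re, tempfile

# Illustrative heuristic (assumed): constructs WordPress scanners commonly flag.
SUSPICIOUS = re.compile(rb"(eval|base64_decode|gzinflate)\s*\(")

def build_manifest(root):
    """Baseline: relative path -> SHA-256 for every file under root."""
    manifest = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(p, root).replace(os.sep, "/")] = digest
    return manifest

def scan_changes(root, baseline):
    """Classify files as added/modified/removed against the baseline and run
    the heuristic only on files that are new or changed."""
    current = build_manifest(root)
    report = {"added": [], "modified": [], "removed": [], "suspicious": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
        else:
            continue  # unchanged file: nothing to inspect
        with open(os.path.join(root, rel), "rb") as f:
            if SUSPICIOUS.search(f.read()):
                report["suspicious"].append(rel)
    report["removed"] = sorted(set(baseline) - set(current))
    return report

def demo():
    """Constructed mini site: take a baseline, then simulate a later change."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content/uploads"))
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_NAME', 'wp');")
    baseline = build_manifest(root)
    # Simulated dropped file (sample signature only) and a benign config edit.
    with open(os.path.join(root, "wp-content/uploads/cache.php"), "w") as f:
        f.write("<?php eval(base64_decode('Zm9v'));")
    with open(os.path.join(root, "wp-config.php"), "a") as f:
        f.write("\n// harmless edit")
    return scan_changes(root, baseline)
```

In practice the baseline is taken right after a clean install or update and stored outside the web root, and a cron job runs the comparison on the schedule the plugin settings describe.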
9. Wordfence Security
Wordfence is not merely a malware scanner, but an almost complete security protection for your website. It is free and open source and uses the constantly updated Threat Defense Feed to monitor and prevent your website from being hacked.
The Web Application Firewall can pick out over 44,000 known pieces of malware and prevent them from reaching your website. It also scans for backdoors, phishing URLs, trojans, suspicious code and any other security threat.
The scans are generally carried out at hourly intervals. So you are likely to know of any malware content on your website within the hour of it reaching your website. Wordfence can check core integrity as well as monitor traffic in real time.
For scheduled scans, country blocking and some additional features, you will have to pay and obtain a Premium API key.
10. Quttera Web Malware Scanner
Malware, viruses, trojans, backdoors, shells, malicious code injection, auto-generated malicious content and more – Quttera Web Malware Scanner will find them all, if they are lurking in your website.
If your site has been blacklisted by Google, it will reveal that in a scan as well. It generates a detailed malware report, based on which you can clean up your website. For any help in removing malware, you will have to contact their support.
Keep In Mind
Scanning for malware is likely to produce some false positives, which you will need to check. If you do scan WordPress for malware and the result shows your website to be clean, can you rely on it? Maybe, but take it with a grain of salt, as scans are not foolproof.
One way to minimize the chance of malicious code reaching your website is to download themes and plugins directly from the author’s page or from trusted theme houses, and not from any suspicious third-party websites.
If you do decide to scan WordPress for malware, it’s a quick and easy first step to protect your website. However, it takes more than a few scans and plugins to safeguard your website from security threats. Website security is something you need to think through fully and implement diligently.
Not to worry, you can use this guide on WordPress blog security tips to safeguard your website. Starting from WordPress hosting and moving on to backups, plugins, themes and cleaning up your computer, right down to SSL, passwords and folder permissions, you can find it all there. Check it out and take precautions proactively.
Do you have any questions about how to scan WordPress for malware? Or any other security tips you’d like to add? Leave your thoughts below!
Looks awesome to me. Worth trying.
I recommend Ninja Firewall. Very good plugin. It works as a web application, so it is really lightweight. Very good rating too. I have used this plugin for a really long time.
Hi Vishnu. Thanks for the great advice and list of plugins. I had some malware on my website way back in the early days. It replicated itself in many different folders and was very tedious to get rid of. All it seemed to do was send out a lot of spam and I only found it because my host limits the number of emails that can be sent in an hour. Fortunately it used random characters to generate file names so, while tedious, it was easy to find and eliminate the garbage.
Now I use All In One WP Security. It does a lot to keep my website safe, but like you said, nothing is foolproof.
Hi – is it dangerous to have more than 1 security plugin running at a time? My client got paranoid after a hack and currently he has 5 security plugins running!
I’m not sure that it’s dangerous (as in a security issue), but it would put your client’s site at risk of a plugin conflict, which could break their site. As a quick rule of thumb, I try to avoid duplicate functions/features to avoid conflicts. So I would suggest using just one main security plugin.
Hi, I really appreciate that you explained the problem before moving on to the solutions.
Thanks
Another tiny plugin that I like to add to most of my sites is Block Bad Queries. An extra level of protection never hurts.
Also, I try to use Cloudflare when possible, as I can review malicious traffic coming in, and usually when I see too many hacking attempts from certain countries, I use Cloudflare’s country blocking to block the entire country or challenge it with a captcha (unless that would have any business impact).