
The Best Plugins to Scan WordPress for Malware

May 5, 2018

WordPress is now a very popular platform for websites. As a result it attracts a load of attention, sometimes the unwanted attention of hackers and their malware. The WordPress team at Automattic works constantly to make WordPress a safe CMS to work with. But this is a continuous process, a kind of tug-of-war, as new malware and hackers keep popping up. In the past WordPress websites have been the target of attacks that redirected traffic to malicious URLs which is why it’s so important to regularly scan WordPress for malware.

When something like this happens, Google may start turning visitors away from your website. This is done to protect those visitors from being infected with malware, and you will then notice traffic to your website begin to dip. If you want to understand how this kind of attack works, you can read Sucuri’s review of the attack.

Disclaimer: WPExplorer is an affiliate for one or more products listed below. If you click a link and complete a purchase we could make a commission.

How Malware Reaches Your Website

WordPress users are spoilt for choice when it comes to themes. Pick any niche, and you will have multiple themes to choose from, both free and premium. One thing users should watch out for while picking a theme is bits of unwanted code embedded in it. For most people this goes unnoticed, because the majority of users aren’t developers, which is why you should have a process in place to scan WordPress for malware.

Being particularly cautious while purchasing themes from third party websites (not the author’s website), or when downloading free themes, is a good place to start. Some unscrupulous theme vendors embed code that can harm the user’s website.

These bits of code can be innocuous snippets that do little harm. But they can also be harmful enough to bring down your site entirely. They embed themselves in your blog unobtrusively, and most likely you will never notice them while your website appears to be working as usual.

Themes are not the only way in which malicious code reaches your website. It can arrive in plugins, be left in the comments section, or be planted through hacking or brute force attacks.

Sometimes, you may opt to install software that comes bundled with some popular application that you download and install. That software can often be malware or spyware, disguised as an add-on feature. You may unknowingly allow these options on your website, where the malware lurks around, often adding more malware to the site.

Why do hackers inject malware?

What purpose do these bits of code serve? Why do hackers infect websites? Malware is embedded by hackers so that they can:

  • Add back links and redirects to the sites that they want to promote.
  • Track your visitors.
  • Add their own banners and advertisements.
  • Access sensitive personal information such as names, passwords and email addresses.
  • Bring down your website completely, either for a reason or just for fun.

The longer the malware remains undetected, the better it is for the hackers, because they can continue to use your website for gathering information and sending spam emails, infecting your visitors in the process. It is left to us to regularly scan WordPress for malware and check our websites, even those that appear ironclad.

The 10 Best Plugins & Services To Scan WordPress for Malware

Plugins and scans are a great way to check if your website is infested with malicious code, malware or any other security threat. A number of quality plugins are available that can be used to check for malware, and in our humble opinion these 10 are the best.

Scanning a website is potentially a memory intensive activity. You may have to raise the PHP memory limit and clear cache directories so that scanning is faster.

In most of these plugins, malware detection is bundled with other security features, and only a few are purely malware detection tools. Some are full-fledged security or backup solutions that include a malware detection feature. CodeGuard, for instance, is a complete backup and restore service that will also scan WordPress for malware and alert you if anything unwanted is found.

You can also choose to leave all security, including malware detection, in competent professional hands, if you choose to go with managed hosting services like WPEngine and SiteGround.

But for those of you on shared hosting, here are some of the more popular services and plugin options to detect malicious code.

1. VaultPress (included with JetPack plans)

[Screenshot: VaultPress to scan WordPress for malware]

If you’re using a JetPack plan then you’re in luck since you already have access to VaultPress – the backup and security plugin developed by Automattic.

While the Personal plan does include brute force protection and uptime monitoring, you will need to upgrade to a Premium plan ($99 per year) to have access to daily Malware scanning for your website (or spring for a Professional plan to have the added benefit of on-demand scans as well as automatic resolutions – so you never have to lift a finger).

[Screenshot: VaultPress Security Scanning]

With the VaultPress plugin installed and connected to your website via FTP/SSH, it will monitor your site on its own. From your online VaultPress user dashboard you’ll be able to access information about any security threats found during your daily scan and make updates if needed (or restore to a secure full backup VaultPress took of your website).

2. MalCare Security and Firewall for WordPress

[Screenshot: MalCare Security and Firewall for WordPress]

MalCare is a complete security solution, developed after analyzing over 240,000 WordPress sites. It is free and uses the collective intelligence from its network of sites to keep your website protected from malware, hackers and the rest.

Its early malware detection technology helps prevent your websites from being blacklisted by Google or blocked by web hosts. MalCare can successfully detect complex malware that goes undetected by other popular plugins.

The plugin focuses on the accuracy of identifying malware and on significantly reducing the number of false positives reported. This means that you are alerted only when the plugin is certain that it has detected malware, not a ‘possible suspect.’

[Screenshot: MalCare Security and Brute Force Protection]

Brute force attacks are very common against WordPress sites, so the Web Application Firewall and the Login Protection are automatically enabled in the free plugin. It helps protect your site 24/7 from bots, hackers, and the like.

The premium version automatically cleans malware that has been found on your website. For an added layer of protection, there are options like IP Blocking, Login Protection, and Website hardening. Managing plugins can be a headache especially if you have multiple websites to maintain. Updating or removing plugins, themes and WordPress core can be carried out from within the MalCare Pro dashboard.

3. Sucuri SiteCheck Scanner

The free Sucuri SiteCheck Scanner conducts a remote malware scan of your website. Visit Sucuri SiteCheck Scanner, enter the URL of your website and hit the Scan Website button. The scanner extracts the links, JavaScript files and iframes, and revisits the main page as a search engine bot.

[Screenshot: Sucuri SiteCheck to scan WordPress for malware]

It compares all the pages and links against Sucuri’s malware database and reports the anomalies. The scan will detect malware, blacklisting, defacing, website errors and out-of-date software. The scan generates a report of the malware found and recommends how you should handle it.

The scanner does not access your server, so anything malicious on the server that is not displayed in the browser is not detected by the remote scanner. Therefore, this scan is not effective against phishing, backdoors and malicious usernames.

The Sucuri Security plugin can do much more: audit logging, integrity checking, email alerts, security hardening and other tools. If you do not want to run the URL scan by hand each time, you can activate the plugin and generate a free API key.

[Screenshot: Sucuri plugin]

Sucuri offers many paid services as well: a firewall service (CloudProxy) that can prevent hacking, malware cleanup, security monitoring and more.

4. iThemes Security (Formerly Better WP Security)

[Screenshot: iThemes Security]

Downloaded by over 800,000 WordPress users, the iThemes Security plugin is one of the most popular choices to protect your site and scan WordPress for malware. The free version of this plugin offers 30 layers of protection and security, including a 1-click “Secure Site” check, malware scans (via Sucuri SiteCheck), strong password enforcement, brute force protection, database backups, file change detection and much more.

[Screenshot: iThemes Security Scan]

If you want to add even more layers of protection, consider iThemes Security Pro, which gives you access to features like 2-factor authentication, scheduled malware scans, password expiration, WordPress core file comparisons and more. The plugin does cost $80 per year, which might be a bit high for some bloggers, but can you really put a price on security and peace of mind?

5. Anti-Malware Security and Brute Force Firewall

Anti-Malware Security and Brute Force Firewall not only scans for and detects malware, it also helps you fix it. It detects malware, viruses and other threats on your server and marks them as Potential Threats, leaving it to you to deal with them.

[Screenshot: Anti-Malware GOTMLS]

But if you register the plugin at GOTMLS.NET, you will have access to downloads of new definitions, automatic removal and patches for known vulnerabilities. The Revolution Slider plugin is particularly prone to attack, so protection for it is automatically enabled in this plugin.

The premium version affords protection against brute force and DDoS attacks, checks the integrity of the core files and downloads new definitions automatically. You can donate fixed amounts ranging between $14 and $133.7, and each level opens up different features. For $29, almost everything is unlocked for as many websites as you want.

6. All In One WP Security & Firewall

[Screenshot: All In One WP Security & Firewall]

The All In One WP Security & Firewall plugin is another popular and easy to use option. The plugin offers tons of security features such as password strength checks, brute force login protection, a built-in captcha, database prefix options, file permissions, htaccess/wp-config backups and firewall protection. But the plugin also offers easy to set up security scans that you can use to quickly detect and remove malware.

[Screenshot: All In One WP File Scanner]

Use the file change detection scanner and database scanner to look for file changes or data tables you didn’t create. Use the settings to schedule automatic detection and to have an email sent directly to your inbox whenever a file change occurs. This way any potential hacking attempt will be brought to your notice quickly.
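The file change detection described above boils down to a baseline-and-compare check: record a hash of every file once, then rescan later and report what was added, removed or modified. The following is an added example of that technique, written for this article; it is not code from All In One WP Security or any other plugin named here. The tiny site tree it builds is constructed inside a temporary directory for the demo.

```python
"""Baseline-and-compare file change detection (added example, not plugin code).

build_manifest() walks a directory and records a SHA-256 digest per file;
diff_manifests() compares a saved baseline with a fresh scan. In real use the
baseline must be stored somewhere an attacker who can write to the web root
cannot also edit, otherwise a tampered baseline hides tampered files.
"""
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                # Read in chunks so large uploads do not have to fit in memory.
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return sorted lists of paths that were added, removed or modified since the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, text):
    """Helper for the demo: write a text file under root, creating parent dirs."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline a tiny site, change three things, rescan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
        _write(root, "wp-content/themes/demo/functions.php", "<?php // theme functions\n")

        baseline = build_manifest(root)
        # Round-trip through JSON, as a plugin would when persisting the baseline.
        saved = json.loads(json.dumps(baseline))

        # Simulated changes an administrator did not make (constructed, harmless text).
        _write(root, "wp-content/themes/demo/functions.php",
               "<?php // theme functions\n// line added after the baseline\n")
        _write(root, "wp-content/uploads/dropped.php", "<?php // file that was not there before\n")
        os.remove(os.path.join(root, "index.php"))

        return diff_manifests(saved, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A scheduled version of this check would write the manifest to a location outside the web root (or off the server entirely) and email the diff, which is the workflow the plugin's "email on file change" setting automates.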

The plugin does offer malware-specific scanning, but you will need to upgrade to their premium ($9.95/mo) Site-Scanner plan for this feature.

7. Wordfence

[Screenshot: Wordfence WordPress Security Plugin]

Wordfence is not merely a malware scanner, but an almost complete security solution for your website. It is free and open source and uses the constantly updated Threat Defense Feed to monitor your website and prevent it from being hacked.

The Web Application Firewall can pick out over 44,000 known malware signatures and prevent them from reaching your website. It also scans for backdoors, phishing URLs, trojans, suspicious code and other security threats.

[Screenshot: Wordfence]

The scans are generally carried out at hourly intervals, so you are likely to know of any malware on your website within an hour of it arriving. Wordfence can check core integrity as well as monitor traffic in real time.

For scheduled scans, country blocking and some additional features, you will have to pay and obtain a Premium API key.

8. Exploit Scanner

Exploit Scanner scours the files and database of your website to hunt for unwanted code. Active plugins are also scanned. Its only function is detection; cleanup and prevention will have to be done by other means.

[Screenshot: Exploit Scanner]

If you find scanning is slow on account of insufficient memory, you can raise the PHP memory limit from the plugin admin page. You can customize the scan and exclude some files from scanning, but it is always better to do a complete scan.

This plugin has a tendency to return ‘false positives’, so to understand the results of the scan you need to be able to recognize unwanted code yourself.

9. Quttera Web Malware Scanner

Malware, viruses, trojans, backdoors, shells, malicious code injection, auto-generated malicious content and more: Quttera Web Malware Scanner will find them all if they are lurking in your website.

[Screenshot: Quttera Web Malware Scanner]

If your site has been blacklisted by Google, a scan will reveal that as well. It generates a detailed malware report, based on which you can clean up your website. For help in removing malware, you will have to contact their support.

10. Theme Authenticity Checker

You can rely on Theme Authenticity Checker to find theme vulnerabilities quickly and easily. It helps to determine if a code cleanup is required or not.

[Screenshot: Theme Authenticity Checker]

This plugin scans the source code of the theme looking for unwanted code. When it finds suspicious elements, it highlights their location along with a snippet of the code. This plugin does not automatically remove the offending code; it leaves it to you to assess the impact of the code and choose to remove or keep it.
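To show what a theme source scan of this kind actually does, here is an added example written for this article (not Theme Authenticity Checker's own code): it runs a small set of indicator patterns over each line of a theme file and reports the file, line number, indicator and a code snippet, which is the form of output the plugin described above produces. The patterns (obfuscation helpers such as base64_decode and eval, hidden links, remote includes) are ones commonly flagged by theme checkers; the footer.php sample is constructed for the demo. As the "Keep In Mind" section says, every hit is a lead for manual review, not proof of malware: a legitimate theme may call base64_decode on an embedded icon, so the sample deliberately includes such a line.

```python
"""Line-oriented theme source scan with location and snippet reporting.

Added example, not the plugin's own code. scan_source() returns one finding per
(line, indicator) match so a reviewer can open the file at that line and decide
whether the code is malicious or a false positive.
"""
import re

# Indicators commonly flagged by theme-checking tools. A match is a review lead only.
SUSPICIOUS_PATTERNS = [
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("eval", re.compile(r"\beval\s*\(")),
    ("gzinflate", re.compile(r"\bgzinflate\s*\(")),
    ("str_rot13", re.compile(r"\bstr_rot13\s*\(")),
    # preg_replace with the deprecated /e modifier evaluates the replacement as PHP.
    ("preg_replace /e", re.compile(r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]")),
    # A link inside an element hidden with CSS is the classic injected SEO backlink.
    ("hidden link", re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.IGNORECASE)),
    ("remote include", re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.IGNORECASE)),
]


def scan_source(text, filename="theme.php", before=20, after=40):
    """Return a list of findings: file, 1-based line, indicator label and a short snippet."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SUSPICIOUS_PATTERNS:
            match = pattern.search(line)
            if match is None:
                continue
            start = max(0, match.start() - before)
            snippet = line[start:match.end() + after].strip()
            findings.append({"file": filename, "line": lineno, "indicator": label, "snippet": snippet})
    return findings


def scan_theme(files):
    """Scan a mapping of filename -> source text and return all findings sorted by file and line."""
    findings = []
    for filename, text in files.items():
        findings.extend(scan_source(text, filename))
    return sorted(findings, key=lambda f: (f["file"], f["line"]))


# Constructed sample footer.php: one injected hidden link and one legitimate base64_decode call.
SAMPLE_FOOTER = """<?php
/* constructed sample footer.php for the demo */
wp_footer();
?>
<div class="credits">Powered by WordPress</div>
<div style="display:none"><a href="http://example.invalid/promo">cheap stuff</a></div>
<?php
$icon = base64_decode($encoded_icon); // legitimate use: inline image data, a false positive
?>
"""


def demo():
    """Scan the constructed sample and return its findings."""
    return scan_theme({"footer.php": SAMPLE_FOOTER})


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['file']}:{finding['line']} [{finding['indicator']}] {finding['snippet']}")
```

Running it reports two findings in footer.php: the hidden link on line 6, which is the kind of injected backlink the "Why do hackers inject malware?" section describes, and the base64_decode call on line 8, which a reviewer would examine and then keep because the surrounding code shows a legitimate use.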

Keep In Mind

Scanning for malware is likely to throw up some false positives, which you will need to check yourself. And if you do scan WordPress for malware and the result shows your website to be clean, can you rely on it? Maybe, but take it with a grain of salt, as scans are not foolproof.

One way to reduce the chance of malicious code reaching your website is to download themes and plugins directly from the author’s page or from trusted theme houses, and not from suspicious third party websites.

Scanning WordPress for malware is a quick and easy first step to protect your website, though it takes more than a few scans and plugins to safeguard it from security threats. Website security is something you need to think through fully and implement diligently.

Not to worry, you can use this guide on WordPress blog security tips to safeguard your website. Starting from WordPress hosting and moving on to backups, plugins, themes and cleaning up your computer, right down to SSL, passwords and folder permissions, you can find it all there. Check it out and take precautions proactively.

Do you have any questions about how to scan WordPress for malware? Or any other security tips you’d like to add? Leave your thoughts below!

Article by Vishnu WPExplorer Author
Published on: August 4, 2016
Last updated on: May 5, 2018

3 Comments

  1. attacomsian says:

    Looks awesome to me. Worth trying.

  2. Emily says:

    I recommend Ninja Firewall. Very good plugin. It works as a web application so it is really lightweight. Very good rating too. I have used this plugin for a really long time.

  3. Ben says:

    Hi Vishnu. Thanks for the great advice and list of plugins. I had some malware on my website way back in the early days. It replicated itself in many different folders and was very tedious to get rid of. All it seemed to do was send out a lot of spam and I only found it because my host limits the number of emails that can be sent in an hour. Fortunately it used random characters to generate file names so, while tedious, it was easy to find and eliminate the garbage.

    Now I use All In One WP Security. It does a lot to keep my website safe, but like you said, nothing is foolproof.
