There are around 90,000 attacks targeting WordPress sites every minute. Malware attacks are nothing to joke about. If you don’t manage your cybersecurity properly, it could put your site and business at risk.

However, malicious activity doesn’t have to be something to fear. Scanning WordPress for malware can help you identify and eliminate any harmful content if your site has been compromised. There are also lots of ways to prevent attacks on your website in the future.

This post will cover what malware is and why searching for it is essential for site maintenance. We’ll also explain how to scan for malware and remove it if you think your site has been hacked.

Let’s get started!

What Is Malware?

Malware stands for “malicious software.” It’s a catch-all term for any harmful software hackers use to gain unauthorized access to or damage your WordPress website. It can negatively affect your site in many ways and poses a severe security risk to both you and your website visitors.

If malware is present on your website, you’ll usually know about it. You might notice signs such as:

While these problems can all have multiple causes, if you’re seeing one or more of them, it’s worth looking into the possibility that malware has infected your site.

How Malware Gets Installed on WordPress Sites

Malware can get installed on WordPress sites in many ways. Usually, a hacker or bot will exploit some security vulnerability.

For example, if you don’t have security measures in place to prevent repeated incorrect login attempts, or if your password is weak, a hacker may gain access to your site. They can then install the malware via a brute force attack. This is when a bot cycles through hundreds of username and password combinations on your login page until they hit on the right one.

Out-of-date plugins and themes are also security vulnerabilities that hackers can exploit. Bot networks search through the internet for websites with these vulnerabilities and use them to install malware.

Malware can also infiltrate your website via phishing links. It can happen if you accidentally click on a phishing link in an email or visit a compromised website. By doing so, you can inadvertently download malicious software to your machine. This may then find its way onto your WordPress server.

Why Scanning WordPress for Malware Is Important

As we mentioned, there will usually be some signs that malware is present on your website. However, this isn’t always the case. Sometimes, you might not be aware that your website has been compromised.

Fortunately, there’s an easy way to find out: you have to run a malware scan. Regularly scanning for malware is very important, especially since 83 percent of hacked CMS-based sites are built on WordPress.

If you don’t scan for malware regularly, you open yourself up to many risks, such as:

  • SEO penalties: Google often denylists compromised websites. This can cause your rankings in search engine results pages (and organic search traffic) to fall.
  • Poor website performance: Malware can enable hackers to use your server resources to attack other websites. Diverting resources away from your site can lead to performance issues such as slow-loading pages.
  • Denylisted IP address: Hackers can also use malware to send spam emails from your website’s IP. This can cause your IP address to be delisted by major email providers.
  • Risks to your website visitors: Malware can even pose a security risk to your website visitors. It may load dangerous pop-ups on your site and pass malware on to your users.

In addition to scanning your website for malware, you can also take a proactive approach to security. Check out our site security cheat sheet for advice on how to harden your site against breaches.

When to Scan WordPress for Malware

Don’t wait until you see the warning signs to scan your WordPress website for malware. Malicious code can go unnoticed for a long time. Therefore, it’s a good idea to check your website regularly, even if there are no signs that something’s wrong.

We recommend checking for malware once per month at a minimum. You should probably run a scan whenever you make changes to your website’s structure or install new plugins. Additionally, we recommend scanning if you notice any of the telltale signs we mentioned earlier.

You may want to set a regular reminder to scan your website for malware. For example, you could do so on the first day of every month to get into the habit.

Best Tools for Scanning WordPress for Malware

The easiest way to scan your WordPress site for malware is to use a security plugin. Here are some tools that we recommend you use to conduct a scan.

Wordfence

Wordfence is one of the easiest plugins to use for malware detection.

Wordfence security plugin
Wordfence security plugin.

Once you install the plugin, it will periodically search for malware automatically. Alternatively, you can run manual scans if you feel that there might be a security issue on your site.

Once the scans are complete, WordFence will also recommend actions you can take to correct security issues. It is available in both free and paid versions. We highly recommend this plugin, as it’s easy to use. Additionally, the free version is perfect for running rudimentary scans and correcting minor malware issues.

Sucuri

Sucuri is another excellent tool that offers basic malware scanning features.

Sucuri security plugin homepage on WordPress
Sucuri Security plugin.

Using Sucuri SiteCheck, you can quickly and easily scan your site for issues by inputting your site’s URL. You can also use the scanning feature by installing the plugin on your WordPress site.

The free Sucuri plugin also offers email alerts about security issues and firewall protection that can help prevent malicious activity on your website. It’s a well-built plugin with an excellent reputation, and the paid plans, in particular, offer WordPress users comprehensive protection against malware.

If you are a Kinsta customer and you would like to use it you can follow this Sucuri installation guide.

MalCare

MalCare is one of the most comprehensive malware scanners and security plugins for WordPress.

MalCare WordPress security plugin
MalCare

Once you install the plugin on your site, the entire site is synced to MalCare’s servers for scanning. This way, the scanner doesn’t use any of your site’s resources for scanning.

The scan uses several mechanisms to detect malware in the site files, database, and even cron. It can detect the most complex malware and those often missed by other scanners.

Once the scan is complete, you need to subscribe to a plan to use the malware removal tool.

MalCare is a great diagnostic tool if you think your site may have malware.

iThemes Security

Another great option is the iThemes Security plugin.

iThemes security plugin homepage
iThemes Security plugin.

This plugin, formerly known as Better WP Security, has over 30 security features that can keep your site safe from all kinds of attacks. You can use the free version of iThemes to run basic malware scans and identify any issues.

On the other hand, you can use the Pro version to set up scheduled malware scanning and email updates. This makes it extremely easy to stay on top of your site security checks.

Any of these tools will be able to help you to scan WordPress for malware. For this article, we’re going to use the Wordfence plugin.

However, if Kinsta hosts your site, it may not be necessary to follow these steps. Instead, you can rely on the Kinsta Security Guarantee to secure your site.

How to Scan WordPress for Malware in 4 Easy Steps

If you think your WordPress website has been hacked, you can follow the four steps below. We’ll explain how to scan your site and plugins for malware using Wordfence, as well as how to secure your site against future attacks.

Step 1: Install the Wordfence Security Plugin

First, we’re going to install the free version of the Wordfence plugin. To do so, log in to your WordPress dashboard and navigate to Plugins > Add New. Then search for Wordfence and click on Install Now under Wordfence Security – Firewall & Malware Scan:

Install the Wordfence Security plugin from the WordPress plugin repository
Install the Wordfence Security plugin.

Once the plugin is installed, click on Activate. You may receive a prompt to accept the terms of use and specify your email address to complete the installation.

Step 2: Back Up Your WordPress Site

Before you go any further, we recommend backing up your website. In the next step, you’re going to be deleting potentially malware-infected files.

If something goes wrong, this can accidentally delete critical data and cause significant website problems. Backing up your website first means you can revert to it if something unexpected happens.

One of the easiest ways to back up your website is to install the free UpdraftPlus plugin.

The UpdraftPlus WordPress Backup plugin homepage
UpdraftPlus WordPress Backup plugin.

You can install and activate it following the same process as you did for Wordfence. Then, navigate to Settings > UpdraftPlus Backups and click on Backup Now:

UpdraftPlus backup now button
Find the “Backup Now” button

All you have to do now is wait for the process to complete. If anything goes wrong in later steps, you can restore the backup data from the same page.

Step 3: Run a Scan and Delete Malware Files

The next thing to do is run a malware scan. Wordfence should automatically scan your site daily, but you can also manually start the process.

To do so, navigate to Wordfence > Scan from your WordPress dashboard. Then click on Start New Scan:

Start a new scan using Wordfence
Start a new scan using Wordfence.

Wordfence will begin searching your website for malware, file changes, and more. It can take a while for this process to finish. You can monitor the progress in the timeline on the scanning screen.

Once the scan is complete, you’ll see a detailed breakdown of the results.

Malware scan detailed results
Detailed results of the Malware scan.

This log displays a list of all the security issues found. It labels them as either high, medium, or low priority, depending on how serious they are. A result labeled ‘unknown file in WordPress core’ indicates the possible presence of malware.

Fortunately, Wordfence makes it easy to delete those files. All you have to do is click Delete All Deletable Files above the results log. You should then see a warning message:

Delete files warning message
Delete all files warning message.

Make sure to read this warning message carefully. It’s possible that the files detected weren’t malware and were essential to the proper functioning of your website. This is why we suggested backing up your site in the previous step.

If you’re confident that the files detected are malicious software, you can go ahead and click on Delete Files. This should remove all of the malware from your website. If it causes any problems, you can restore the previous version of your website from your backup.

Once the malware has been dealt with, you might also want to address any other issues the scan picked up. For example, you may want to address any out-of-date plugins.

Step 4: Take Steps to Secure Your Site Fully

Once you’ve deleted the malicious files, there are some extra steps you might want to take to secure your site fully:

  • Change your passwords: If you had malware on your site, likely, your passwords have also been compromised. Therefore, it’s best to change all of the passwords on your website, and anywhere else you’ve used them online.
  • Set up Two-Factor Authentication (2FA): Setting up 2FA on your website adds an extra layer of security. If your password is compromised, the attacker still won’t progress further without completing an additional check.
  • Audit user profiles: It’s possible the malware created a new user role on your website. You can check your user profiles and delete any from your database that shouldn’t be there to address this.
  • Implement regular security checks: You can toggle the settings in Wordfence so that it regularly checks for malware. You should also take further steps to lock down your site.
  • Back up your site again: Once you’ve got rid of the malware, create a new backup of your website. That way, you can always restore it to a clean, malware-free version if anything goes wrong in the future.

Taking the above steps might seem like a lot of work, but it’s worth it. They will help to ensure that your website stays free of malware in the future.

Summary

Malicious software is an ever-present threat to WordPress users. However, by scanning for it regularly and following a strict site security procedure, it’s easy to keep your site safe and malware-free.

Here’s a quick recap of how to scan WordPress sites for malware and secure your site against malicious activity:

  1. Install the Wordfence security plugin.
  2. Back up your WordPress site.
  3. Run a scan and delete malware files.
  4. Take steps to secure your site thoroughly.

Do you have any questions about scanning your WordPress site for malware? Ask us in the comments section below!

Jeremy Holcombe Kinsta

Senior Editor at Kinsta, WordPress Web Developer, and Content Writer. Outside of all things WordPress, I enjoy the beach, golf, and movies. I also have tall people problems.