Scan WordPress Site for Malware: Definitive Guide to Finding Every Trace


Feeling like something’s not quite right with your WordPress website or just want to ensure everything’s in order? You’re not alone. Many website owners notice odd behaviours or pick up on tips from a podcast or article that leaves them questioning: Does my website have malware?

Whether you’re dealing with a slow site, strange popups, or you simply want to test your current security measures, this article is for you. We’ll walk you through the simple steps to scan WordPress site for malware and, if needed, we’ll show you how to clear it out for good measure.

TL;DR:  Use MalCare to scan your WordPress site for a clear-cut malware check, then effortlessly upgrade to remove any nasties with equal ease. Keep your site clean with just a few clicks!

Malware scanning is the first step in diagnosing malware on your site, however there is a lot of misinformation around it—which we will try to dispel in this article. 

First of all, all malware scanners are not the same: they don’t do the same things; they use the same nomenclature to mean different things; and many of them are ineffective. How do we know? We tested a bunch of malware scanners thoroughly. 

Second of all, of late, there has been some debate about how effective malware scanning is: depending on whether you choose the right scanner, malware scanning can be a critical pillar in your site’s defence strategy. There is no question about this, and saying that all malware scanners are useless is irresponsible, and potentially putting thousands of sites at grave risk. 

Step 1: Install malware scanner plugin

The first step to scanning your site for malware is to install a malware scanner plugin. This is specifically a plugin that scans for malware, not just vulnerabilities—which is a vastly different thing. 

You can find MalCare in the WordPress repository, or install it from wp-admin on your site. Alternatively, create an account here, and let the plugin auto-install on your site. 

We recommend MalCare, because it has the best malware detection rate of any WordPress security plugin available. Best of all, the scanner is completely free. 

Wordfence is a decent alternative to MalCare, although it uses a less effective scanning mechanism to flag malware. Both are free, however, and top our list of malware scanner plugins for WordPress

Important: Do not bother trying to scan your site manually, or even with an online scanner. These are incomplete methods that invariably miss malware on your site. Missed malware is a huge problem, and is the major reason that sites get reinfected. A plugin-based scanner, on the other hand, is installed on the site, and therefore can scan every part of that site—files and database—thoroughly for malware.

Step 2: Run the scan

Once MalCare is installed, it will automatically sync your site. Once the sync finishes, you will have a clear report about the state of your site. 

MalCare will give you a binary answer to the question: Does my site have malware? It is a ‘yes’ or a ‘no’. If malware is detected on your site, you will need to upgrade to a paid subscription to remove it. 

If not, you can keep MalCare on your site to scan it daily, and have the firewall block attacks from hackers. This is a considerable amount of protection for your site as well. 

Step 3: Remove malware

MalCare has an automated one-click malware removal tool, which will surgically excise all malware from your site, leaving the legitimate code intact and untouched. 

Additionally, as part of the subscription, you also have the option to have your site reviewed by MalCare’s crack WordPress security experts. 

Once again, we strongly recommend against attempting to manually remove malware, as this is a labour-intensive process that is prone to errors and missed malware.

Step 4: Post-malware removal checklist

While MalCare is a malware removal wonder, it can only do so much. Once the malware is gone from your site, you need to do some housekeeping as well. This will ensure that reinfections are kept to a minimum, and your site remains in its glorious malware-free state for as long as possible.

  • Reset users and passwords: Hackers will often create user accounts, with the view of escalating privileges to administrators in order to take over a site. Review all user accounts and reset passwords as necessary. 
  • Clear caches: Make sure to clean all caches, especially if you are using a CDN plugin. Malware often manifests unpalatable symptoms, and you want to avoid visitors seeing those as far as possible. Caches store copies of your site, and need to be refreshed in case they still have the malware-infected versions. 
  • Change salts and security keys: Depending on the kind of attack that led to malware on your site, it is good practice to change the salts and security keys. This has the effect of making all logged in sessions invalid, and force-logging out all users.

Step 5: Remove your site from google blacklist

If your site gets hit with malware, it’s like setting off an alarm that both search engines and web hosts hear loud and clear. A lot of them use Google’s blacklist to keep tabs on online safety, so it’s important to clear your site’s name off Google’s Transparency Report if it gets flagged. 

You can do this through Google’s Search Console, submitting a request once you’re confident your WordPress site is squeaky clean.

Just a heads up though—make sure your site is completely free of malware before asking Google for a review. They check each request individually, and if they find even a trace of malware, they’ll reject your appeal. Additionally, it is better to be sure before submitting an appeal, because if you’re turned down too often, they can label you as a ‘Repeat Offender.’ Repeat offenders are left hanging for 30 days before they can appeal again. So take the time to get that deep scan done and wipe out every bit of malware before reaching out to Google.

  • First, log into your Google Search Console account.
  • Navigate to the Security Issues section – it’s right at the bottom of the page.
  • You’ll see a Request a review button, click on it.
  • In the form provided, detail the steps you’ve taken to resolve the security issues. Be as detailed as possible here. If you used MalCare to remove the malware, you can request a list of remediation actions from support to bolster your case. 
  • Submit the form to start your review process.

After submitting the form, the next step is to be patient. Google usually takes a few days to review and process each request. It might be tempting to try and hurry things along, but there’s no fast track available. Keep in mind that frequent checking or follow-ups can do more harm than good. So, relax and give Google the time they need to handle your review—you’ve done your part.

Step 6: Secure site against future malware infections

The best security against malware is always prevention. There are a few steps you can take that will protect your site in most situations. A little effort can go a long way. 

  1. Install a firewall: A security plugin with a malware scanner, cleaner and firewall is the way to go. MalCare is a best-in-class security plugin, proactively defending WordPress sites against the most egregious hackers. It has an advanced firewall to block attacks, even if vulnerabilities exist on your site; a scanner to stay vigilant about infections; and finally, a cleaner to remove any detected malware in minutes.
  2. Keep everything updated: Make sure to keep all plugins and themes, and WordPress itself, always updated. Updates often contain security patches that fix vulnerabilities. 
  3. Take regular backups: Backups are an insurance policy for your site. Malware can decimate a site completely, and sometimes the only option for recovery is a backup.

You’ll find lots more tips in our security checklist, but just doing these three things will significantly improve site security in any case. 

Why scanning for malware is important

Sometimes malware can sneak onto your site without any obvious signs. That’s why it’s important to scan your site for malware; it’s how you can be sure whether it’s there or not.

Other times, symptoms can be all over the map. You could be redirected to a pharma site once, and then never again. Or redirects only take place on mobile devices. Maybe a popup shows to visitors, and never to admins. It is disorienting, infuriating, and difficult to deal with. 

Therefore, scanning for malware is a big part of keeping your site safe. Make sure to do it often. Regular scans help you find and fix any hidden malware, keeping your site secure for everyone who visits.

It is important to choose the right scanner, though. There has been some debate about the viability of scanners in the WordPress ecosystem, but rest assured that they are a necessary pillar in site defence.

How to choose the right malware scanner for your site

A malware scanner’s primary job is to detect malware. It’s surprising we have to emphasise this, but it is more than a vulnerability checker or a blacklist checker. It must detect malware. 

Next, detecting malware is a complex process, and cannot be reduced to detecting changes in files. It is not a file integrity monitor. 

Additionally, hackers aren’t the most considerate bunch in the world, so they aren’t going to stick to inserting malware in just the files. The database is also fair game, and often is riddled with malware. Scanners that focus on just the files are useless. Online scanners, while convenient, are also useless because they cannot scan the full site, as they do not have access to core and configuration files. While lack of access is an important safety measure, it still prevents a malware scan from being as thorough as it should be.

Scanning should be thorough, covering all types of malware, backdoors, and any other form of malicious activity. The scans need to be conducted regularly and automatically to keep your site clean without your constant oversight.

When determining what is malware and what isn’t, signal matching beats traditional signature matching. Signals are behavioural markers of code, and are used to assess what the code is designed to do. If the eventual outcome is malicious, then the code is flagged as malware. MalCare uses over 100 signals to detect malicious behaviour in code, reducing the risk of new malware going undetected and minimising false positives. It is a significant improvement over signature matching, which is wholly dependent on the signature being already present in the database.
Lastly, a good scanner doesn’t rely solely on open source code from the repository. It should also be able to examine premium themes and plugins that aren’t listed there at all.

How did malware get on your site?

The short answer is that a hacker put it there. Even if your site has a security plugin, and is protected by firewalls, malware will sometimes sneak past. This is precisely why a malware scanner is critically important. It is a canary in a mine, and as soon as a malware is flagged on your site, you can handle it easily. 

95% of hacks occur because of vulnerabilities in plugins and themes, and, in rare instances, in the WordPress core. In our extensive experience, vulnerabilities lead to attacks, where hackers insert malware, in order to take control of sites. 

Therefore, it is important to clean the malware, plug the vulnerability, and follow the post-hack checklist thereafter to remove fake admin accounts and other types of backdoors that lead to reinfections.

Less than 5% of hacks occur because of poor passwords, login attacks, data breaches, successful social engineering attacks, etc. Unfortunately, these types of security breaches get the most attention, and you will see a number of security plugins talk incessantly about 2FA and other login security measures.
Finally, less than 1% of attacks are because of other causes like web host security issues, etc. Again, hosting security breaches are few and far between, but get a tremendous amount of press. Many web hosts do sell security in their hosting packages, but this does not protect from vulnerabilities that exist on the site itself.

Common WordPress malware attacks 

WordPress sites can be vulnerable to a variety of malware attacks. Here are some of the most common ones you should be aware of:

  • Japanese keyword hack: This attack is sneaky because it can go unnoticed for a long time. It injects pages with spammy Japanese text or keywords, intended to show up in the search results. The purpose is typically for SEO spam, and it can significantly harm your site’s search engine visibility.
  • Pharma hack: Much like the Japanese keyword hack, the pharma hack involves injecting spammy pharmaceutical keywords into your website. This is done to hijack your site’s search results and push pharmaceutical advertising. It’s not always visible to site administrators but is apparent in search engine results, affecting your site’s credibility and SEO.


Regular malware scanning and staying educated on the latest security practices can help mitigate the risk of malware infections. A robust security strategy, including regular security updates, strong password policies, and the use of MalCare can provide additional layers of defence against these intrusive attacks.


Can you scan a website for malware?

Yes, you can scan a website for malware using a security plugin like MalCare. Regular scans with these tools help ensure the integrity and safety of the website.

How do I remove malware from my WordPress site for free?

To remove malware from your WordPress site for free, you can use open-source security plugins like Wordfence. Additionally, manually reviewing and cleaning infected files, changing passwords, and updating all themes and plugins can help eradicate malware. However, these methods are very risky, and you may end up losing your site altogether. 

Can WordPress sites have viruses?

Yes, WordPress sites can be infected with viruses, often in the form of malware, if vulnerabilities are exploited by attackers. Regular maintenance and security measures are vital to prevent such infections.

Which is the best free malware scanner for WordPress? 

Among the best free malware scanners for WordPress, MalCare stands out for its powerful automatic scanning, instant malware removal, and user-friendly interface, making it a top choice for many WordPress site owners.

What is the best advice on cleaning malware?

The best advice on cleaning malware is to use a trusted tool like MalCare for thorough scanning and automatic removal, ensuring your website is not only clean but also protected against future infections.

How to eliminate WordPress site malware?

To eliminate malware from your WordPress site, consider using MalCare, renowned for its robust scanning and one-click malware removal capabilities, streamlining the cleanup process effectively.

My site has been infected with malware and I don’t know what to do!

To tackle malware on your WordPress site, immediately set up a scanning routine with MalCare—it’s an efficient tool for identifying and removing malware, helping you restore your site’s health quickly and confidently.

There is malware on my site, but the scan is clean. What to do now?

If there is malware on your site, but scans are clean, you need to change your malware scanner. MalCare is the best WordPress malware scanner and removal plugin. Install it, and run your site to recheck. 

Site down, and I cannot get to the WP dashboard because of a malware infection.

If your WordPress site is down and inaccessible due to a malware infection, you’ll likely need to employ a malware removal service or plugin like MalCare directly through your hosting provider’s control panel or FTP to clean your site and regain access.

Persistent problem with backdoor malware.

To address a persistent problem with backdoor malware on your WordPress site, it’s crucial to use a reliable security solution like MalCare. Its comprehensive scanning can detect hidden backdoors, and its one-click removal feature ensures they’re efficiently eliminated.


You may also like

dns hijacking
DNS Hijacking: All You Need to Know About It

Have you ever typed a familiar URL into your browser only to land on a strange, unfamiliar website? Imagine your visitors facing the same dilemma when accessing your website. They…

How to Protect Your Website from Hackers
How to Protect Your Website from Hackers

Every day, small businesses become victims of cyber attacks. Hackers break into websites, steal customer data, and damage reputations. Your website, which is vital for your business, is at risk…

What are Website Backdoors and How to Clean Them?
What are Website Backdoors and How to Clean Them?

Are you frustrated with your website getting hacked again and again, even after you’ve cleaned it each time? You’ve spent hours fixing your site, only to find that the problem…

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.