How to Scan And Detect Malicious Code In WordPress Theme?

Apr 17, 2020

How to Scan And Detect Malicious Code In WordPress Theme?

Apr 17, 2020

Do you suspect that your WordPress theme is malicious? Or maybe you’ve finally found a WordPress theme you love but you’re not sure if it’s safe to install? We will show you how to scan WordPress theme for malicious code.

Apart from the WordPress repository, there are thousands of websites where you can find a theme for your site. Plus, there are nulled versions of a premium theme that are hard to resist.

We wish we could tell you could use any theme you find! But the truth is many themes from third-party sites contain harmful code that can infect your website.

Once you install an infected theme on your site, it gives hackers access to use your site to execute malicious activities. Hackers can redirect your visitors to other websites where they dupe them into sharing their personal data or buying fake products. They can display malicious ads on your site and even steal your data.

If there’s harmful or malicious code on your site, Google will blacklist you and your web host will suspend your account.

You can prevent all this by scanning your WordPress theme to make sure it’s clean. In this step-by-step guide, we’ll show you how to scan a WordPress theme and give you tips on how to pick a good theme that’s safe to use.


To scan your WordPress theme for malicious code, you can activate MalCare on your site. It will run an automated scan on every file and folder. If it detects malicious code in the theme, you can instantly clean it.

How Are WordPress Themes Infected With Malware?

Every WordPress site uses a theme. Themes enable the site owners to build professional-looking websites without knowing how to code or hiring expensive developers. In fact, the abundance of theme choices is one of the main reasons why WordPress is such a popular website-building platform with over a billion active websites.

On the flip side of the coin, you’ll find that themes are also the one of the most common reasons why websites get hacked. If you install an infected theme on your website, it makes your website vulnerable. Hackers can exploit the infected theme to gain access into your website.

The question is how are themes infected in the first place. Here, are the top reasons for infected WordPress themes:

1) Third-party sources

You can get a theme from the WordPress repository or you can get one from a third-party website or marketplace.

Before we begin, you should know that not all third-party sources are bad. There are premium theme sites that build and maintain their products very well.

That said, hackers also intentionally create websites that offer WordPress themes. These sites are made to look legitimate but carry themes that are already infected with malware. You may be tricked into believing it’s a good theme but once you install it, your site gets infected with malware.

2) Free themes

Premium themes are built professionally and with a lot of care as companies want to create a good name and garner more business.

The same principles may not apply to free products. They may be created by rookie programmers who aren’t savvy with securing their software.

There are often times when such themes become difficult to maintain and as it’s a free service, it’s just not worth the work. In such cases, developers may abandon the theme. This leads to the possibility of security issues and vulnerabilities appearing which can be exploited by hackers to gain access into the site.

When hackers break in, one of the first things they do is inject malware and create backdoors in your theme. This will enable them to access the website remotely.

3) Bundled Theme Solutions

Some themes come with plugins pre-installed to increase responsiveness and add functionality. These are referred to as bundled themes as they have other software all tied up together as one.

While the theme itself may be clean, there could be a plugin within the theme that’s infected.

For example, recently a vulnerability was discovered by exploit of a Slider Revolution plugin. Many themes offered the plugin as part of their package. However, many site owners were unaware that this plugin was a part of their theme and active on their site. Slider Revolution fixed the issue and released an update. If a site owner was using a theme that had this plugin bundled in, they couldn’t update it themselves. Only the theme owner could update the plugin. This left many WordPress sites vulnerable till theme owners updated it.

4) Theme Editor

We have been working with WordPress websites for over a decade and many times we’ve come across infected WordPress themes wherein the source of infection was not the theme itself. Hackers had already broken into the website and then infected the theme.

This can easily be done using the WordPress Theme Editor on the dashboard.


wordpress theme editor


This feature is made available for developers to easily make changes to the coding of themes. However, it is also exploited by hackers to infect your website. We’ll discuss how to disable this feature in a later section.

Impact Of An Infected WordPress Theme On Your Site

Installing an infected theme on your WordPress website could lead to devastating consequences. It could damage your site which could have a negative impact on your business and your revenue.

1. Direct Impact

When hackers infect your site, they carry out malicious acts such as:

    • Stealing Visitors – One of the most common things hackers do is redirect your visitors to their own sites. These sites are usually phishing sites designed to steal the visitor’s personal data. They could also be adult sites, or online stores that sell counterfeit products.
    • Stealing Data – Hackers can steal login credentials, credit card payment information, or even personal contact information of your customers. They can sell such data or use it to run more malicious schemes.
    • Integrating Unwanted Ads – Hackers hijack your advertisement spaces and display their own ads. Here too, these ads could lead visitors to malicious sites, adult sites and the like.

2. Impact on SEO

    • Slow Website – In order to run their malicious acts, hackers use your website’s resources. This puts a heavy load on your server and will bring down your site’s performance and cause it to slow down.
    • Drop in SEO Rankings – Getting to the top of Google’s SERPs (Search Engine Results Pages) is no easy task. It takes constant effort to achieve SEO ranks. One of the ranking factors is the speed of your site. When Google detects that your site is slow, your ranking will drop. Plus, if your visitors are being redirected, it will cause a severe loss in traffic as well.
    • Google Blacklist – Next, Google and other search engines crawl sites regularly and if they detect such code on your site, they immediately blacklist your site. They display a warning to visitors that your site is infected in order to protect them.

3. Web Host Suspension

Once your hosting provider detects malware on your site, they will suspend your account and take your site offline.

They do this because hackers always use your server resources to run their malicious activities. Not only will you reach your server resource limit, it will also impact your server’s speed and performance. If you’re using a shared server, your site could bring down the performance of the other sites on the same server.

Many hosts have very strict policies against malware and may permanently ban your site from their platform if you have multiple instances of website hacks.

4. Brand Image and Reputation

Needless to say, when visitors are defrauded and duped by hackers on your site, they will lose the trust they have in your brand. It’s likely that many visitors won’t return to your website.

Thus, it’s so important to use only trusted themes on your WordPress site. So without further ado, let’s proceed to scanning WordPress themes to ensure their safe to use.

How To Scan WordPress Theme For Malicious Code

There are two ways you can scan a WordPress theme:

A. Using a plugin or a tool – There are plenty of tools available in the market to run an automated scan on a WordPress theme. Not all of them run thorough scans that give you reliable results. So choosing the right one becomes difficult. We’ll discuss the ones we think are best tools based on ease of use and reliability. You can use MalCare WordPress Malware Scanner.

B. Manually – This process requires technical expertise. It is a long process and is not always efficient. However, if you’d like to learn the process, we’ve detailed it here.

A. Scan a WordPress Theme Using an Automated Tool

There are two instances where you would need to scan a WordPress theme:

    1. Scan a theme that is already installed.
    2. Scan a theme before installation.

We’ve detailed the tools you can use in both cases.


1. Scan a theme that is already installed

You can use any WordPress security plugin to scan your website to check if there is any malicious code on your site.

We recommend using the MalCare Security Plugin because, or you can check our top WordPress security plugins here.

    • It’s reliable and guaranteed to find any kind of malware.
    • It’s very easy to use and doesn’t require any technical expertise.
    • You can scan and clean your WordPress theme using a single tool.
    • After the scan, it continues to monitor and protect your website from hackers.

Here’s how to use the MalCare’s malware scanner and malware removal plugin on your WordPress site.

(a) Install the plugin on your WordPress website.


malcare plugin for malicious code scan


(b) Access the plugin on your WordPress dashboard and enter your email address. Select ‘Secure Site Now’.


malcare secure site now


(c) You will be redirected to the MalCare dashboard. It will automatically configure security settings on your site and run a complete scan of your site. This will take only a few minutes.

(d) Once the scan is complete, it will indicate whether your site is clean or hacked. If it is clean, you will see the following screen:


malcare scanned website


You can be sure that your WordPress theme is clean and doesn’t contain any malicious code.

Note: In case you see that your WordPress site is hacked, you can upgrade to the premium version of MalCare to clean your site instantly.


2. Scan a theme before installation

If you want to check a WordPress theme before you install it on your site, we recommend using any of these tools:

A. Virus Total

This tool allows you to upload any zip file and scan it for malicious code.

I. Download the zip file of the theme you wish to install on your site. You can download it from the WordPress repository or from the third-party website that is offering the theme.

II. Visit and upload the file here.


virustotal scanned details


III. Next, the tool will display the scanned results. You can check the details of the zipped file to ensure there is no malicious code in it.


scan wordpress theme for malicious code


B. Theme Authenticity Checker

Theme Authenticity Checker is a WordPress plugin that scans all of your theme files for potentially malicious or unwanted code. If it finds such code, it displays the path to the theme file, the line number, and a small snippet of the suspect code.

To use Theme Authenticity Checker, follow these steps:

I. Create a staging site. This is a clone of your WordPress site where you can make changes without affecting your live site. We recommend using BlogVault to do this. It’s easy to use and creates a staging site in under a few minutes.

II. Once it’s set up, enter your username and password that BlogVault provides to access the wp-admin dashboard of the staging site.

III. Install and activate the theme you would like to scan.

IV. Install and activate the Theme Authenticity Checker plugin on your WordPress staging site.

V. Access the plugin from Appearance > TAC. You will see the following results:


result of a wordpress theme scan for malicious code


It will show you the details of each theme installed and whether it has found anything suspicious or not. If it isn’t suspicious, you can proceed to install the theme on your live site.

That brings us to the end of using automated tools to scan your WordPress theme. By using these tools, detecting malicious code in your WordPress theme is easy. Next, we’ll show you how to scan a WordPress theme manually.

B. How to Manually Scan A WordPress Theme

This method requires manually looking through every file which is a tedious process. Hackers also know how to hide and disguise their code which makes it difficult to identify. Thus, manually cleaning a WordPress site is not feasible.

We’ve briefly discussed the steps involved below, however, if you want a more detailed guide – we recommend reading How to Perform a Website Malware Scan.

To scan a theme manually, follow these steps:

    1. Download the zip file of the theme from the WordPress repository or the third-party site that is offering the theme.
    2. Unzip the file into a separate folder on your computer system.
    3. Open every file in this folder and check for suspicious code such as ‘eval base64 decode’.
    4. Upon finding these keywords, you will need to investigate whether the code is legitimate or malicious. This requires technical expertise.

Note: If you wish to scan an installed theme on your site, you will need to login to your hosting account. Access cPanel > File Manage > public_html. In this folder, you will find wp-content. This folder houses your themes. You can find the specific theme you wish to scan. You can continue the same process as mentioned above.

We do not recommend this method as it isn’t effective nor efficient. It’s much easier to use an automated tool like the ones we mentioned above.

With that, we have come to an end on how to scan your WordPress theme for malicious code. Before we wrap up, we’ll give you a few important tips to ensure your WordPress theme is secure and safe to use.

Tips on Securing your WordPress Theme

When choosing and using a WordPress theme, we recommend the following:

1. Use A Trusted Source

When selecting a theme, use only trusted sources. These include:

    • WordPress Theme Repository
    • Theme Forest
    • Mojo Themes
    • Creative Themes
    • ThemeSnap
    • WP Eden
    • InkThemes
    • DMartify
    • AppThemes

These marketplaces vet their developers before allowing them on their platform. They also have strict guidelines and policies that developers need to adhere to.

2. Always Scan Your Theme Before Installation

Whether you download your theme from a trusted source or not, we still recommend scanning your theme before you install it on your website. It’s easy to use automated online tools like VirusTotal to scan the files in under a few seconds. Once you’re sure it’s safe to use, you can go ahead and install it on your WordPress site.

3. Disable Your Theme Editor

As we mentioned earlier the theme editor is accessible through your WordPress dashboard. If hackers manage to break into your site, one of the first things they attack is your theme editor as it gives them access to your WordPress files directly from the dashboard. They can use this editor to create backdoors that will give them secret access to your site. If you do not require this feature, we strongly advise disabling it. You can do this in two ways:

    • Using The MalCare Security Plugin
        • Simply access the MalCare dashboard and click on your site.
        • Next, go to ‘Security’ and select ‘WordPress Hardening’.
        • Here, you can disable the File Editors. By clicking on this, you can disable the theme and plugin editors on your WordPress dashboard.
    • Manually By Editing Your wp-config.php File
        • This method is risky and the smallest mistake can break your site. We recommend taking a complete backup of your site before proceeding with this method.
        • Access your web hosting account and go to cPanel. Here, choose File Manager > Public_html.
        • Next, find the wp-config file, right-click and select ‘edit’.
        • Paste the following code just before the line that says ‘That’s all, stop editing! Happy publishing’ :

define( 'DISALLOW_FILE_EDIT', true );

The theme editor will be disabled on your WordPress dashboard.

4. Delete Inactive Themes

It is common for WordPress site owners to install and try out different themes. But often, we forget to delete the themes we aren’t using.

Every element on your website gives hackers another chance to break into your site including themes that are inactive. So, it’s best to keep only the theme you’re using and delete the rest.

After you implement these steps, we’re confident that your WordPress theme is secure.

Final Thoughts

WordPress themes can enhance your site and give it that unique flair. However, you need to take precautions to ensure your theme is safe to use.

But it’s not just your theme that can threaten the security of your site. Hackers attack your login page, vulnerable plugins, and even field inputs like comments on your blog. You can take protective measures like installing two-factor authentication, keeping plugins updated, checking for spam comments, etc. While there are many plugins that will enable you to execute these measures, we recommend using fewer plugins. A tool like a WordPress security plugin will offer you similar protective measures.

We strongly recommend activating MalCare on site. It will scan and monitor your site daily and alert you if it finds anything suspicious or unwanted. Its strong WordPress firewall will proactively block attacks as well. Also, with a good security plugin, it is easy to scan any WordPress theme for malicious code.

You can rest assured your site is completely protected against hackers.

Protect Your WordPress Site With MalCare.

scan wordpress theme for malicious code
Share via
Copy link