6 Top WordPress Security Scan Plugins Compared 2021

Your site is probably hacked.

And no, it’s not just you.

Compromised WordPress sites are as common as influenza these days.

The only way to be 100% sure is to do a WordPress security scan.

Better safe than sorry!

Tell us if any of these sound familiar to you:

  • Worried that your WordPress site has been hacked.
  • Looking for the best WordPress security scan plugin.
  • Not sure which malware scanner is right for you.

That’s OK!

We’re here to help. MalCare helps protect 250,000+ sites from hackers and malware every day.

In this article, we’re going to:

  • Talk about the different types of WordPress security scan plugins;
  • Understand which one is the best option for you;
  • And get you the best possible recommendation for a thorough WordPress security scan.

We are trusted by some of the biggest names in the WordPress industry. 

So, if we can find a solution for Cloudways and WP Buffs, we can find the right plugin to do a WordPress security scan of your website too.

Before we start, let’s get a few things out of the way:

  • WordPress behaves weirdly sometimes.
  • And that doesn’t mean your site has been hacked.

But, you should make sure right now.

Here’s some more truth… 

There is a tidal wave of misinformation regarding what a WordPress security check can do for you. Just to be clear, a scan only discovers malware and vulnerabilities. It does not automatically fix the problem for you.

But you still need the best plugin you can find for a WordPress security scan.

TL;DR: If you’re really serious about protecting your business from hackers and malware, a hybrid malware scanner is a perfect solution for you. It provides the right depth without straining your servers. 

Sounds good? Let’s dive in.

What to Look for in Malware Scanners

Not all WordPress security scans are created equal. There are different types of malware scanners that you can have.

The good news is that most WordPress malware scanners are free.

The bad news is that most popular scanners are not really worth your time. They are either:

  • Too simplistic in the way they analyze code;
  • Or generate very complicated reports, and no one understands the scan results.

So, we’re going to make this real simple for you.

Look for a malware scanner that:

  • Scans all WordPress files and database tables
  • Doesn’t slow down your site with its operations
  • Pinpoints the origin of the malware
  • Gives you easy malware removal options
  • Comprehends the malicious intent of code and only raises legitimate alarms

We’ll give you our recommended plugin in the next section. And if you want a quick fix, trust us when we say it — we eat, sleep, live, and breathe security. We’ve put in all the necessary thought to give you a recommendation so that you don’t have to waste your time.

After that, we’ve listed out 2 more plugins that you could use, but only under specific conditions (more on that later).

Finally, we’ve compiled 3 wildly popular WordPress security scan plugins that you should never opt for.

But if you’re genuinely interested in how we got to our recommendations, we have sections that explain our recommendations in detail right after the list of WP security scan plugins. You’ll also find explanations for what we mean when we use the terms:

  • Remote Malware Scanner
  • Server-Based Malware Scanner
  • Hybrid Malware Scanner

If these seem like jargon to you, skip ahead and read all about these terms first.

Cool? Let’s dive in.

Using MalCare’s WordPress Security Scan: Our Recommended Plugin


If you haven’t already, install MalCare and clean your hacked WordPress website today. MalCare has an ultra-powerful malware scanner that checks all the boxes on our recommendation criteria:

  • Scans all WordPress files and database tables
  • Doesn’t slow down your site with its operations
  • Pinpoints the origin of the malware
  • Gives you easy malware removal options
  • Comprehends the malicious intent of code and only raises legitimate alarms

Here’s how you can use the security scanner to find malware on your website:

Step 1: Sign up for MalCare

Sign up for the MalCare plugin from our site.


Step 2: Scan Your Site

Use MalCare to scan your site automatically:


Step 3: Clean Your Site in 1 Click

Click on ‘Auto-clean’ to clean instantly:


The best part?

MalCare’s WordPress security scan is 100% free!

Join 250,000 other sites and install MalCare today.

The 2 Most Popular WordPress Security Scan Plugins That We Recommend Conditionally

We’d like to be very upfront and clear with these two recommendations.

They are better than the other plugins that follow. But only use them if you’re very familiar with how WordPress security works. If not, these are NOT the right fit for you. Stick to MalCare instead.

But if you can analyze malware reports and tell the difference between false alarms and real malware, then go ahead and install either of these scanners.



Wordfence is by far one of the most popular options for WordPress security. 

While Wordfence also has some issues in the way it handles malware scanning, this behemoth’s capabilities also have merit:

  • Server-based scanning capabilities
  • Malware signature updates and scanning
  • Full control over scan depth, frequency, and timing
  • Scans for malware in all databases and files
  • Website reputation checks

We recommend Wordfence as a second option. If you already use Wordfence, then you may be quite safe. However, there are threats that Wordfence can’t find and recognize, and it raises too many false alarms that require manual resolution.

To top it all off, it overloads a WordPress site and bloats the databases. In simple words, your site starts running real slow after a while.

While we have nothing but respect for Wordfence, MalCare is a better option in our book any day. Before making a financial investment we would ask you to read a little about why we put Wordfence in second place.

Sucuri Pro


There are security plugins that use both types of malware scanners. For instance, Sucuri offers a cloud-based scanner called SiteCheck for free, and a plugin-based server scanner with its premium version to complement SiteCheck.

Sucuri SiteCheck typically sends a request to the homepage to check the content against known signatures; this could be any content and not just comments. It also emulates Googlebot to try and understand if there is any malware that caters only to Google traffic.

Here’s how Sucuri SiteCheck works:

  • Visit the homepage and crawl all the links, JavaScript files, and iframes 
  • Check 8-10 of these links and visit them using different user agents and referrers
  • Extract and scan all JavaScript files and iframes
  • Check the links for malware against a database of known malware signatures
  • Compare the results for different referrers and user agents to check for hidden malware
  • Revisit the home page as Googlebot and reiterate this process
  • Check the blacklisting status against blacklisting agencies such as Google and Norton

In short, if the malware doesn’t render anything on your browser, then Sucuri SiteCheck won’t be able to see it. The real pride and joy of Sucuri SiteCheck is really their signature matching database.

Now, signature matching is based on historical data and it can’t recognize new malware, which is a huge problem.

Also, it only sees malware that affects HTML. This is flawed because the vast majority of malware does not manifest itself in the HTML. In fact, most malware manifests itself in either the files or the database of WordPress.

The bottom line is: Sucuri SiteCheck fails to spot almost all major malware that is even slightly complex in nature. It also does nothing to take action and repair hacked files.
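The comparison step in the list above, as an added example (not Sucuri's code and not from the original article): it extracts the scripts, iframes and links a remote scanner can see and reports anything served only to a non-browser profile. The profile names, the `known_bad_hosts` parameter and all HTML and hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ResourceParser(HTMLParser):
    """Collect what a remote scanner can see: script/iframe sources and links."""

    def __init__(self):
        super().__init__()
        self.resources = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.resources.add((tag, attrs["src"]))
        elif tag == "a" and attrs.get("href"):
            self.resources.add((tag, attrs["href"]))


def extract_resources(html):
    parser = ResourceParser()
    parser.feed(html)
    parser.close()
    return parser.resources


def compare_profiles(responses, baseline="browser", known_bad_hosts=()):
    """Return resources served only to non-baseline profiles.

    responses: profile name -> HTML body fetched with that user agent / referrer.
    Each finding is (profile, tag, url, host_is_known_bad).
    """
    base = extract_resources(responses[baseline])
    findings = []
    for profile in sorted(responses):
        if profile == baseline:
            continue
        for tag, url in sorted(extract_resources(responses[profile]) - base):
            host = urlparse(url).hostname
            findings.append((profile, tag, url, host in known_bad_hosts))
    return findings


# Constructed responses: the same homepage fetched under three profiles.
CLEAN = ('<html><body><script src="/wp-includes/js/jquery.js"></script>'
         '<a href="/about/">About</a></body></html>')
CLOAKED = {
    "browser": CLEAN,
    "googlebot": CLEAN.replace(
        "</body>", '<a href="https://spam-shop.example/cheap">cheap</a></body>'),
    "search-referrer": CLEAN.replace(
        "</body>", '<script src="https://redirect.example/r.js"></script></body>'),
}
# A server-side-only infection (for example a backdoor file) changes no HTML,
# so every profile gets identical markup and the comparison reports nothing.
SERVER_SIDE_ONLY = {"browser": CLEAN, "googlebot": CLEAN, "search-referrer": CLEAN}

if __name__ == "__main__":
    for finding in compare_profiles(CLOAKED, known_bad_hosts={"redirect.example"}):
        print(finding)
    print("server-side only:", compare_profiles(SERVER_SIDE_ONLY))
```

The second data set shows the blind spot the article describes: when the infection never reaches the rendered HTML, the remote comparison returns an empty list.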

Top 3 WordPress Security Scan Plugins That We Do Not Recommend At All

That’s right. We said it.

We do NOT RECOMMEND any of these plugins.

And no, we don’t care about how popular they are. The fact that they’re popular makes it even worse because they do a shoddy job.

Sucuri SiteCheck


Sucuri is one of the biggest names in the WordPress security niche. However, their free version (Sucuri SiteCheck) is painfully limited.

The scans that Sucuri SiteCheck can handle are complemented by their premium version that comes with a server-based scanner. But we will only recommend using Sucuri if you have already purchased Sucuri. In reality, their scanners are limited and raise false alarms quite a bit.

We also put Sucuri to the test with our engineers. We were shocked by how much of a let-down this mega-brand actually is.

Here’s what you can expect out of Sucuri SiteCheck:

  • Quick scanning for common, known malware
  • Signature scanning for quick scans
  • Emulates Googlebot to detect hidden malware with specific triggers
  • SSL certificate monitoring
  • Automated and manual scanning

We do not recommend using Sucuri SiteCheck as your only security measure. Sucuri SiteCheck is quite likely to miss almost all complex malware. Additionally, it can barely keep up with Google Safe Browsing even though it works on the same principles.

iThemes Security Pro


iThemes Security simply licenses and uses Sucuri SiteCheck’s API to scan for known malware. It does not have its own tech to scan for malware.

Being a plugin scanner would have given it a lot of depth for its scans. However, the plugin uses a remote scanner to detect malware and does not have any of the advantages of a server scanner such as Wordfence or a hybrid scanner such as MalCare.

Push comes to shove, we’d recommend Sucuri over iThemes Security Pro, and we don’t really recommend Sucuri at all.

Enough said!

Google Safe Browsing

According to Google, as of September 2017, over 3 billion Internet devices are protected by Google Safe Browsing.

Google Safe Browsing is a blacklist service provided by Google that provides lists of URLs for web resources that contain malware or phishing content. Of course, this comes with a remote scanner and its own transparency report as well.

Like all remote scanners, Google Safe Browsing is limited in its scope and blacklists only malware that manifests itself in the website’s content.

All popular browsers including Google Chrome, Safari, Firefox, Vivaldi, and GNOME use the blacklists provided by Google Safe Browsing.

Google also provides information to Internet service providers, by sending e-mail alerts to autonomous system operators regarding threats hosted on their networks.

These are all remarkable strides taken by Google, but they have their own shortcomings.

For an overview of some really transparent malware attacks, Google Safe Browsing can help you locate malicious code. But for the purposes of a full WordPress security scan, Google still falls short.

How Remote Scanners Find Malware And Why They Are Not Good Enough

Remote scanners use cloud technology to scan websites and look for malware.

Typically, a remote scanner sends a request to the homepage of the site. It then scans the HTML elements, JavaScript files, and content for known malware infections.

How does this work?

Most WordPress security scanner plugins have a database of known malware signatures. The scanner runs your website’s browser-visible code against the database to check for known signatures.

The biggest advantage of using a remote scanner is that it causes almost zero database bloat and negligible server load.

But it’s not all sunshine and roses.

Remote scanners have limited access to your website and server. Most remote scanners only look into the code that is visible to a browser. In reality, most modern malware is too complex to be found by signature-matching and it’s not that visible. 

Powerful malware almost always infects files and databases. These are entities that cannot be seen by browsers. As a result, a remote WordPress security scan will miss out on all this malware, until they start affecting the visible code and content.

Not cool.

But hey, at least it runs on their servers and not yours. So, the site’s loading speed is never affected.

How Server-Level Scanners Work And What They Are Good At

A plugin-based server scanner has unrestricted access to your website’s files and database.

As such, a server-level WP security scan is much more comprehensive than a remote scanner can ever hope to be.

Let’s talk a little bit about how much deeper a WordPress security scan by a server scanner can go:

Checking WordPress Core Files

There are loads of vulnerabilities in older versions of WordPress. So, it’s always a good policy to keep your WordPress version updated.

But in any case, if your site got hacked, it’s highly likely that the hacker left malware in your WordPress core files.

So, most plugins will first do a WordPress security scan of the core files.

The way they normally do this is by checking for differences between the WordPress core files on your site and the original ones in the WordPress repository.

The problem is: managed hosting services and WordPress installations in languages other than English often have different core files. Our partner, Flywheel, modifies wp-settings.php for added functionality. This mismatch by the WordPress security scan can lead to a false alarm.
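The core-file comparison described above, as an added example (not MalCare's or any plugin's code): it checks files against a manifest of known-good MD5 hashes and separates line-ending-only differences and host-approved modifications from unexplained changes. The file contents, the manifest and the `host_allowlist` parameter are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # directories that should hold only core files


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def verify_core(root, manifest, host_allowlist=None):
    """Classify each core file instead of reporting a bare 'changed' flag.

    manifest:       relative path -> MD5 of the pristine release file
    host_allowlist: relative path -> set of MD5s of modifications the host ships
                    (hypothetical parameter, models the wp-settings.php case)
    """
    host_allowlist = host_allowlist or {}
    root = Path(root)
    report = {k: [] for k in
              ("ok", "eol_only", "host_modified", "modified", "missing", "unexpected")}
    for rel, expected in sorted(manifest.items()):
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
            continue
        data = path.read_bytes()
        digest = md5_hex(data)
        if digest == expected:
            report["ok"].append(rel)
        elif md5_hex(data.replace(b"\r\n", b"\n")) == expected:
            report["eol_only"].append(rel)        # only line endings differ
        elif digest in host_allowlist.get(rel, ()):
            report["host_modified"].append(rel)   # known host customisation
        else:
            report["modified"].append(rel)        # unexplained: needs review
    # PHP files inside core directories that the release never shipped
    for core_dir in CORE_DIRS:
        if not (root / core_dir).is_dir():
            continue
        for path in sorted((root / core_dir).rglob("*.php")):
            rel = path.relative_to(root).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)
    return report


def build_demo_site():
    """Write a constructed mini install to a temp dir; return (root, manifest, allowlist)."""
    pristine = {
        "wp-settings.php": b"<?php\nrequire ABSPATH . 'wp-includes/load.php';\n",
        "wp-includes/load.php": b"<?php\nfunction demo_load() {}\n",
        "wp-includes/version.php": b"<?php\n$wp_version = 'X.Y';\n",
        "wp-admin/index.php": b"<?php\nrequire 'admin.php';\n",
        "wp-admin/admin.php": b"<?php\n// admin bootstrap\n",
    }
    manifest = {rel: md5_hex(data) for rel, data in pristine.items()}
    host_settings = pristine["wp-settings.php"] + b"require 'host-cache.php';\n"
    on_disk = dict(pristine)
    on_disk["wp-settings.php"] = host_settings                       # host customisation
    on_disk["wp-includes/version.php"] = pristine["wp-includes/version.php"].replace(
        b"\n", b"\r\n")                                              # CRLF re-save
    on_disk["wp-includes/load.php"] += b"include 'unknown.php';\n"   # unexplained change
    del on_disk["wp-admin/admin.php"]                                # deleted core file
    on_disk["wp-includes/class-extra.php"] = b"<?php\n// not in the release\n"
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    for rel, data in on_disk.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root, manifest, {"wp-settings.php": {md5_hex(host_settings)}}


if __name__ == "__main__":
    root, manifest, allowlist = build_demo_site()
    for status, files in verify_core(root, manifest, allowlist).items():
        print(f"{status:14} {files}")
```

Run without the allowlist, the same check puts `wp-settings.php` in the `modified` bucket, which is the false alarm the paragraph above describes.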

Checking Theme and Plugin Files

Nulled themes and plugins come with malware. Even regular plugins can have cross-site scripting vulnerabilities in them, but most nulled themes and plugins will have malicious code in them.

So, it only makes sense for the WordPress security scan to check theme files.

For instance, Wordfence can look at public plugins and themes, and check them against the WP repository. In principle, it’s the same as checking the core files against a repository. While this can be a good place to start, it can also flag too many false alarms.


Here’s the thing:

Premium themes, custom themes, and child themes do not have standardized code that can be checked for integrity. They are usually heavily customized and in many cases, privately held. So, there may be nothing to check against in the first place.

That’s not the only problem.

All premium plugins only release a free version of their solution to the WordPress repository. The paid version will have the same folder structure and directories, but with different or modified files.

A false alarm can be triggered by something as trivial as a new line feed or differences in grammar or syntax.

In other words, most server scanners can’t tell if the change in the file was good or bad. As long as there is a change, it will freak out completely.

Signature Checking

Of course, so far we have painted a rather bleak picture of server scanners. We’ve looked at how they can goof up so that you understand their gaps and know what to expect from them. But that’s only a partial view.

In reality, server scanners are quite powerful, and they perform several checks before they raise the alarm. One such check is signature checking.

This is an extension of what remote scanners do. Only, a server scanner can do a WP security scan that checks for malicious signatures in files and database tables, as well as the browser-visible content of the website.

So, what exactly is a signature and why do scanners check for them?

A signature is a piece of code that is synonymous with the backbone of the malware. For each malware, there is a unique signature. Think of it as a thumbprint, but for malicious code.

The way signature matching works is something like this:

  • Load all known signatures on the website database
  • Keep sending database queries to check for matching signatures
  • Save the results of each database query in the database

This sounds like a great process, right?

The only problem is:

There are only a finite number of signatures known to most malware scanners. As a result, it’s easy to miss signatures in a WordPress security scan.

Next, your database will get bloated. Most managed WordPress hosting providers will charge you based on the resources consumed by your site.

Even worse is the fact that signature scanning is a very resource-intensive operation. It can be a real pain to find, collect and curate malicious signatures in PHP. JavaScript is even more difficult to process.

This is not the worst part.

The worst part is that a server scanner will use a ton of your server’s resources to try and find signatures. And then, even if the scanner finds the signature, it’s really difficult to tell if the code really is malicious because a lot of functions used by malware are also used in regular code!

Not to mention, signature matching is utterly useless for new, complex, or obfuscated malware!

When signature matching fails, you need far more powerful algorithms to find the malware in your WordPress security scan. But a server scanner depends on your website’s available resources and it can rarely run complex algorithms to understand what code is truly malicious.

Keyword Searches

Keywords can certainly help narrow down the search for known malware.

Most common malware will use commonly used pieces of code such as:

  • eval
  • base64_decode
  • gzinflate
  • preg_replace
  • str_replace

But the problem is: those keywords are present in normal code also. The mere presence of the keyword proves absolutely nothing. 

And then there is malware where you don’t find these keywords at all.

Again, you need a WordPress security scan that goes beyond these methods for real protection. Sadly, this is the best that most server scanners can do because you are probably on shared hosting servers.
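Why a bare keyword search over-alarms, as an added example (not any plugin's code): it runs the keyword list above over constructed PHP snippets and contrasts that with a score that needs several signals to agree before it alarms. The signal names, weights and threshold are assumptions made for illustration, and the encoded blob is inert filler.

```python
import base64
import re

# The keywords listed above; a naive scanner alarms on any of them.
KEYWORDS = ("eval", "base64_decode", "gzinflate", "preg_replace", "str_replace")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\s*\(")

# Illustrative signals (assumptions of this example), each with a weight.
DECODE_CHAIN_RE = re.compile(
    r"\beval\s*\(\s*@?\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(")
LONG_BLOB_RE = re.compile(r"""['"][A-Za-z0-9+/=]{200,}['"]""")
SIGNALS = {
    "decode_chain": (3, lambda s: bool(DECODE_CHAIN_RE.search(s))),  # eval(decoder(...))
    "long_blob": (2, lambda s: bool(LONG_BLOB_RE.search(s))),        # big encoded literal
    "long_line": (1, lambda s: any(len(line) > 400 for line in s.splitlines())),
}
ALARM_THRESHOLD = 5  # no single signal reaches this on its own


def assess(src):
    """Return keyword hits, fired signals, the score and both verdicts for one file."""
    keywords = sorted(set(KEYWORD_RE.findall(src)))
    fired = sorted(name for name, (_, check) in SIGNALS.items() if check(src))
    score = sum(SIGNALS[name][0] for name in fired)
    return {
        "keywords": keywords,
        "naive_alarm": bool(keywords),        # keyword-only scanner
        "signals": fired,
        "score": score,
        "alarm": score >= ALARM_THRESHOLD,    # several signals must agree
    }


def demo_samples():
    """Constructed PHP snippets; the blob is inert filler, not a real payload."""
    blob = base64.b64encode(b"constructed filler " * 20).decode()
    return {
        # ordinary theme code that happens to use two of the keywords
        "slug_helper": "<?php\n$slug = str_replace(' ', '-', strtolower($title));\n"
                       "$logo = base64_decode($settings['logo_b64']);\n",
        # embedded binary data: weak signals only
        "embedded_icon": "<?php $icon = base64_decode('" + blob + "');\n",
        # decoded data passed straight to eval: signals agree
        "packed_loader": "<?php eval(gzinflate(base64_decode('" + blob + "')));\n",
    }


if __name__ == "__main__":
    for name, src in demo_samples().items():
        result = assess(src)
        print(f"{name:14} naive={result['naive_alarm']} "
              f"score={result['score']} alarm={result['alarm']}")
```

All three snippets trip the keyword search; only the one where decoded data is passed to `eval` crosses the threshold.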

Final Verdict:

Server scanners can offer a much deeper WordPress security scan than any remote scanner out there. But is that necessarily a good thing?

Short answer: No.

Server-level scanners operate on your website’s server. If they operate at full capacity, you will burn through a chunk of your allocated server resources. This means that your actual users will find your site slow and unresponsive at times.

This is not the only problem with server-level scanners.

Most WordPress security scan plugins will use very simplistic algorithms to detect malware. This is because they are bound by the limitations of your server’s computational capabilities. 

Most shared hosting plans do not offer great computing power. As a result, your scan will be deeper, but it still operates on the same principles as a remote scanner.

Like remote scanners, a full WordPress security scan by most server scanners will rely on looking at:

  • Core file differences
  • Theme file differences
  • Plugin file differences
  • Signature matching against known malware
  • Malicious string patterns in the database
  • Backdoors and malware using keyword searches

These are all very rudimentary ways to look for malware. Most modern malware is hidden across multiple files and databases, and encrypted to look like a random string of harmless code, until a PHP script decodes the string to execute malicious code.

Needless to say, a WordPress security scan using these plugins will yield a bunch of false positives. And in many cases, all these scan results get stored in a custom database. Over time, this database will become incredibly bulky and will slow your site down even more.

What Hybrid Scanners Can Offer And Why We Highly Recommend Them

A hybrid scanner can offer the WordPress security scan depth of a server scanner and still operate remotely.

Here’s how a hybrid scanner works: 

Step 1: The scanner syncs your website with its own servers and creates a copy of it. This copy includes all files and the entire database.

Step 2: The scanner now does a full WordPress security scan of all its files and database tables on its own server.

Step 3: It pinpoints the exact location of the malware infection on your site. It does not matter if it’s unknown malware or extremely complex malware. The scanner can run a powerful algorithm to understand exactly what code is malicious.

Since the entire WordPress security scan happens on dedicated servers, hybrid scanners can run more complex algorithms than other types of scanners.

These servers are powerful enough to run machine learning algorithms and complex code testing software that can analyze any anomalies on your site and understand if that anomaly is malware or simply custom code.

The best part?

A hybrid scanner works as part of a network of sites. In other words, the more sites it protects, the more malware it encounters, and consequently the strength and acuity of its WordPress security test keeps growing.

If you run a WordPress security check of the same depth and complexity on your site, it will slow down quite a bit. You may even end up depleting all your allocated server resources!

Like any other scanner, hybrid scanners work based on signals of compromise or being hacked.

A signal can be something as small and seemingly insignificant as a file being edited at the wrong time.

NOTE: A single signal is simply a red flag, and not significant enough to trigger an alarm on its own. A scanner will then work through a list of several other predefined signals, before an alarm is raised. On top of that, the learning algorithm also kicks in to offer a faster, deeper WordPress security scan.

This system ensures that there are few to no false alarms.

Let’s give you a simple example:

There are many plugins that update their files without updating the version. A simple mismatch like this can confuse most server scanners and result in a false alarm.

Imagine for a second that you’re managing 20 websites like most agencies do. It’s so tiresome to look at false alarms after a while that you’ll start ignoring all threats to your website.

True story. Happens every day.

Using a hybrid scanner to do a WordPress security check essentially means that you only have to react to a threat that actually threatens your website.

On a side note, hybrid scanners come with instant malware removal as well. This is an indirect outcome of the advanced WordPress security scan. 

Just another reason to choose a hybrid scanner!

Let’s dive into which plugin you should choose for your WordPress security scan.

What Happens After the Scan

After a WordPress security scan, you get a report that leaves you with a few options:

  1. Your site contains no malware and in this case, you should simply leave the scanner plugin installed for regular scans.
  2. Your site has no malware, but your scanner raised false positives. Hire a security professional for threat assessment or buy a plugin that doesn’t raise false alarms.
  3. Your site is infected and your scanner missed it. If you’re seeing symptoms of a malware attack, get a better plugin pronto.
  4. Your site is infected and now you need to clean your site. Make sure you have a malware removal tool as well and start cleaning your site.

In any case, we recommend using MalCare’s full suite of security tools. As you have already seen, MalCare has a one-click malware removal tool that removes even complex, unknown malware in an instant.

Now, the WordPress security scan by MalCare is 100% free. But if you want to clean your website, you need to buy the premium version. Not to worry, it’s pretty affordable at only $99/year.

NOTE: There are manual ways of cleaning your website, but we do not recommend them. Manual cleanups are extremely risky and can wreck your site completely if you’re not careful. Also, we cannot guarantee that a manual cleanup will even work.

Once your site is thoroughly cleaned, we also recommend using MalCare’s WordPress hardening options to beef up your security. You should turn on the firewall for bot protection as well.

As an additional precaution, we highly recommend that you take regular backups of your entire site. This way, if your site goes down for any reason at all in the future, you can restore your site to a previous version instantly.

The Impact of Malware if Left Untreated

One of the major questions that we get all the time is – why does it matter if my website gets hacked? Unless it completely defaces the website, why should I even care?

Short answer: you really should care because a hacked website can severely damage your business, even if it isn’t visibly defacing your website.

A hacked WordPress website can damage your AdWords account, traffic, revenue, and brand value. In other words, malware siphons your hard-earned money from your website.


This is even more true for WooCommerce site owners. On an ecommerce site, you can literally see a decline in your sales and traffic right from your dashboard.

One of the most dreaded outcomes of a malware attack is the Google blacklist. Getting slapped with a URL blacklist by Google can tank your traffic by almost 95% in a matter of hours!


Think about it.

Do you still think that you should leave malware on your site?

What’s Next?

If you haven’t already, install MalCare for a quick WordPress security scan and an even quicker automatic cleanup.

One of the most important reasons we see for a website being hacked is that the owner knows nothing about WordPress security. Nor should they; that’s why we’re here. We create epic content on different security threats and vulnerabilities. So, the best thing you can do now is read more of our content.

Also, drop any questions that you may have on Twitter. Our engineers will find a way to resolve your problems.

That’s all for this one.

Until next time!


Pritesh is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Pritesh distils the wisdom gained from building plugins to solve security issues that admins face.
