So you’re worried that your WordPress site picked up some malware, huh? There are all kinds of reasons people might want to infect your site with malware – injecting links for SEO, inserting their own ads, etc. – and none of them are good for your site, which is probably why you’re looking for how to scan WordPress for malware.
To help you find any nasties on your site, I’m going to go over three ways that you can scan WordPress for malware using either free or paid tools. Your options range from getting your host to do it, using a cloud-based tool, or using one of the free or premium plugins that I’ll mention.
Let’s jump in!
1. See If Your Host Offers Malware Scans (Or Find One That Does)
Depending on where you host your site, you might not need an external tool to scan WordPress for malware.
One of the reasons is because of awesome tools like SG Site Scanner. This tool, powered by Sucuri (you’ll see Sucuri again in a second), scans your site for malware automatically every day, or you can also run a manual scan when needed.
Unfortunately, it’s not free (at least not at SiteGround). But it is pretty affordable at just $1.65 per month.
2. Scan WordPress For Malware With A Cloud-Based Tool
Ok, the tools in this section are by no means foolproof because they don’t have access to any hidden files on your server. But I like them because they’re easy to use and they can catch some of the worst malware just by inputting your URL.
- Just because your site comes back clean doesn’t 100% guarantee you don’t have any malware
- But if you do have nasty front-end malware (like link injections), these tools should be able to help you quickly find the issue
You can find a bunch of these tools out there. But as a first stop, I’d recommend the Sucuri SiteCheck tool.
To use it, you literally just plug in your site’s URL and click Scan Website:
After a short wait, Sucuri will spit back a report telling you how your site is doing:
Yay! WPLift is clean!
Beyond Sucuri SiteCheck, two other good web-based tools like this are:
3. Use A WordPress Malware Scanner Plugin
If you want a deeper scan than you can get with one of the cloud-based tools above, some of the popular free security plugins also offer malware scans as part of their feature lists. There are also some great paid WordPress malware scanner plugins.
Here are some good options:
Wordfence Security, a massively popular plugin that’s active on over 2 million sites, includes a malware scanner in the free version. It scans your core files, themes, and plugins for malware, as well as a number of other nasties.
If it finds any issues, it can even help you remove the malware.
To scan your WordPress site for malware with Wordfence, get started by installing and activating the free Wordfence plugin.
By default, Wordfence will scan your site daily. But you can also manually run a scan by going to Wordfence → Scan and clicking on Start New Scan:
If you pay for Wordfence Premium, you’ll get additional malware signatures for even more effective scanning.
You’ve already seen Sucuri’s name a couple of times – but now they’re back with their own WordPress security plugin – Sucuri Security.
The plugin will monitor the integrity of your core WordPress files and it also runs a malware scan powered by Sucuri SiteCheck. If you want a more in-depth malware scan, you will need to upgrade to the paid version of Sucuri, though.
To use the plugin’s malware scanning, just install and activate it and then head to the Sucuri Security tab in your WordPress dashboard:
If you’re not familiar with Greek mythology, Cerberus is the multi-headed dog that guards the gates to the underworld. Cerberus did a pretty good job of keeping things safe…and Cerber Security is like that for your WordPress site.
Though it’s not quite as popular as Wordfence or Sucuri, it has a great 4.9-star rating on over 250 reviews.
To use Cerber Security’s malware scans, install and activate the free plugin.
Then, go to WP Cerber → Site Integrity in your WordPress dashboard. From there, you can choose to run either a quick scan or a full scan:
Once the scan is done, you’ll see a summary of the results:
If you’re not already familiar with VaultPress, it’s a subscription-based service from Automattic. A big part of what it does is automatically back up your site every day. But as it backs up your site, VaultPress will also scan your files for malware, viruses, and other issues.
So basically, it’s just great peace of mind for keeping your site’s data safe and secure. It’s also the same subscription as Jetpack – so you’re getting all the other helpful Jetpack premium features, as well.
If you want VaultPress’ malware scanning functionality, you’ll need to pay for at least the $99 per year Jetpack Premium tier.
One of the nice things about MalCare is that it does all of its scanning off-site, which means it never slows down your server during the malware scan.
It also tries to limit false positives so that you don’t panic over nothing.
All in all, I find the interface easy to use and really like how this one works:
There’s a free version that can handle malware scans. Then, the Pro version can actually help you remove any malware that those scans find.
For the paid plans, plans start at $99 per year for a single site. You can also get a combined MalCare + BlogVault plan for $149 per year.
ManageWP Security Check
If you run a lot of different WordPress sites, you might already be familiar with ManageWP. If you’re not, it’s basically a unified dashboard that makes it easier to manage all your WordPress sites.
One of its modules is Security Check. As part of this module, ManageWP can scan your WordPress sites for malware.
The free version of this module lets you perform manual scans. And if you pay for the premium version, you can set up automatic malware scans, including an option to receive email or Slack alerts for any issues.
The premium plan starts at $1 per month per website.
Things To Remember With WordPress Malware Scans
It’s important to remember that many of these solutions won’t actually fix malware that they find. Some paid tools will – for example VaultPress and MalCare include easy malware fixes. But if you’re using one of the free scanners, it will probably just alert you to issues that you’ll then need to fix.
For help with that, we’re going to write a follow-up post on how to remove malware from WordPress.
Additionally, it’s not that uncommon to get false positives. So just because a tool finds a potential issue doesn’t mean you definitely have malware. Similarly, if you’re using a cloud-based tool, it won’t be able to find all potential issues.
With that in mind, I hope you found this post useful, and here’s to hoping all the tools report back that your site is clean!