WPLift is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission.

WordPress Malware Scanner: How To Scan WordPress For Malware

Last Updated on April 13th, 2020

Published on July 18th, 2018


Share This Article

So you’re worried that your WordPress site picked up some malware, huh? There are all kinds of reasons people might want to infect your site with malware – injecting links for SEO, inserting their own ads, etc. – and none of them are good for your site, which is probably why you’re looking for how to scan WordPress for malware.

To help you find any nasties on your site, I’m going to go over three ways that you can scan WordPress for malware using either free or paid tools. Your options range from getting your host to do it, using a cloud-based tool, or using one of the free or premium plugins that I’ll mention.

Let’s jump in!

1. See If Your Host Offers Malware Scans (Or Find One That Does)

Depending on where you host your site, you might not need an external tool to scan WordPress for malware.

For example, we recommend SiteGround a lot here at WPLift. It’s where WPLift is hosted, and I also personally host my own sites at SiteGround.

One of the reasons is because of awesome tools like SG Site Scanner. This tool, powered by Sucuri (you’ll see Sucuri again in a second), scans your site for malware automatically every day, or you can also run a manual scan when needed.

Unfortunately, it’s not free (at least not at SiteGround). But it is pretty affordable at just $1.65 per month.

Some more premium managed WordPress hosts will also have built-in malware scans. For example, both Kinsta and Flywheel have malware scans included in their prices.

2. Scan WordPress For Malware With A Cloud-Based Tool

Ok, the tools in this section are by no means foolproof because they don’t have access to any hidden files on your server. But I like them because they’re easy to use and they can catch some of the worst malware just by inputting your URL.


Article Continues Below

  • Just because your site comes back clean doesn’t 100% guarantee you don’t have any malware
  • But if you do have nasty front-end malware (like link injections), these tools should be able to help you quickly find the issue

You can find a bunch of these tools out there. But as a first stop, I’d recommend the Sucuri SiteCheck tool.

To use it, you literally just plug in your site’s URL and click Scan Website:

how to scan WordPress for malware with Sucuri SiteCheck

After a short wait, Sucuri will spit back a report telling you how your site is doing:

wordpress malware scanner results page

Yay! WPLift is clean!

Beyond Sucuri SiteCheck, two other good web-based tools like this are:

3. Use A WordPress Malware Scanner Plugin

If you want a deeper scan than you can get with one of the cloud-based tools above, some of the popular free security plugins also offer malware scans as part of their feature lists. There are also some great paid WordPress malware scanner plugins.

Here are some good options:


Wordfence Security, a massively popular plugin that’s active on over 2 million sites, includes a malware scanner in the free version. It scans your core files, themes, and plugins for malware, as well as a number of other nasties.

Article Continues Below

If it finds any issues, it can even help you remove the malware.

To scan your WordPress site for malware with Wordfence, get started by installing and activating the free Wordfence plugin.

By default, Wordfence will scan your site daily. But you can also manually run a scan by going to Wordfence → Scan and clicking on Start New Scan:

wordfence malware scan

If you pay for Wordfence Premium, you’ll get additional malware signatures for even more effective scanning.

Get Wordfence Security

Sucuri Security

You’ve already seen Sucuri’s name a couple of times – but now they’re back with their own WordPress security plugin – Sucuri Security.

The plugin will monitor the integrity of your core WordPress files and it also runs a malware scan powered by Sucuri SiteCheck. If you want a more in-depth malware scan, you will need to upgrade to the paid version of Sucuri, though.

To use the plugin’s malware scanning, just install and activate it and then head to the Sucuri Security tab in your WordPress dashboard:

sucuri malware scan

Article Continues Below

Get Sucuri Security

Cerber Security

If you’re not familiar with Greek mythology, Cerberus is the multi-headed dog that guards the gates to the underworld. Cerberus did a pretty good job of keeping things safe…and Cerber Security is like that for your WordPress site.

Though it’s not quite as popular as Wordfence or Sucuri, it has a great 4.9-star rating on over 250 reviews.

To use Cerber Security’s malware scans, install and activate the free plugin.

Then, go to WP Cerber → Site Integrity in your WordPress dashboard. From there, you can choose to run either a quick scan or a full scan:

cerber security

Once the scan is done, you’ll see a summary of the results:

cerber results

Get Cerber Security


If you’re not already familiar with VaultPress, it’s a subscription-based service from Automattic. A big part of what it does is automatically back up your site every day. But as it backs up your site, VaultPress will also scan your files for malware, viruses, and other issues.

So basically, it’s just great peace of mind for keeping your site’s data safe and secure. It’s also the same subscription as Jetpack – so you’re getting all the other helpful Jetpack premium features, as well.

If you want VaultPress’ malware scanning functionality, you’ll need to pay for at least the $99 per year Jetpack Premium tier.

Get VaultPress


MalCare is a new’ish malware scan and security plugin from the same team behind BlogVault. I managed to pick this up on an AppSumo deal and am really happy with the purchase.

One of the nice things about MalCare is that it does all of its scanning off-site, which means it never slows down your server during the malware scan.

It also tries to limit false positives so that you don’t panic over nothing.

All in all, I find the interface easy to use and really like how this one works:


There’s a free version that can handle malware scans. Then, the Pro version can actually help you remove any malware that those scans find.

For the paid plans, plans start at $99 per year for a single site. You can also get a combined MalCare + BlogVault plan for $149 per year.

Get MalCare

ManageWP Security Check

If you run a lot of different WordPress sites, you might already be familiar with ManageWP. If you’re not, it’s basically a unified dashboard that makes it easier to manage all your WordPress sites.

One of its modules is Security Check. As part of this module, ManageWP can scan your WordPress sites for malware.

The free version of this module lets you perform manual scans. And if you pay for the premium version, you can set up automatic malware scans, including an option to receive email or Slack alerts for any issues.

The premium plan starts at $1 per month per website.

Get ManageWP

Things To Remember With WordPress Malware Scans

It’s important to remember that many of these solutions won’t actually fix malware that they find. Some paid tools will – for example VaultPress and MalCare include easy malware fixes. But if you’re using one of the free scanners, it will probably just alert you to issues that you’ll then need to fix.

For help with that, we’re going to write a follow-up post on how to remove malware from WordPress.

Additionally, it’s not that uncommon to get false positives. So just because a tool finds a potential issue doesn’t mean you definitely have malware. Similarly, if you’re using a cloud-based tool, it won’t be able to find all potential issues.

With that in mind, I hope you found this post useful, and here’s to hoping all the tools report back that your site is clean!

Colin Newcomer is a freelance writer and long-time Internet marketer. He specializes in digital marketing, WordPress and B2B writing. He lives a life of danger, riding a scooter through the chaos of Hanoi. You can also follow his travel blog.