How to Scan Your WordPress Site for Potentially Malicious Code

Learn how to scan your WordPress blog or website for potentially malicious code with free tools. It’s not something web admins like doing, but it’s a procedure that every site owner should do. Why? Because thousands of vulnerable websites get hacked every single day.

When to Scan Your Website

Most WordPress administrators start with good intentions when it comes to site security. But here’s the problem. Site owners tend to get complacent and negligent if they never run into issues. But it’s never wise to let one’s guard down when it comes to site security.

The bad actors who deploy malicious code and malware are relentless. They never give up in the search for vulnerable websites until they find them.

Dealing with a hack is more time-consuming and taxing than a preventative maintenance routine. Sadly, too many WordPress owners only get serious about site security AFTER an incident.

Signs You’ve Been Hacked

You may not even be aware of malicious code on your WordPress blog or website. There are telltale signs for potential hacks, as you’ll see in a moment.

Malicious code could be infecting your site if you notice any of these 7 signs:

  1. Locked out of your admin area
  2. WordPress send/receive email feature stops working
  3. Notice a sudden and drastic drop in web traffic
  4. Site theme becomes consistently slow or unresponsive
  5. Bad links appear on your webpages
  6. Pop-up or pop-under ads start appearing on the site
  7. Unrecognisable or suspicious user accounts appear

Less obvious signs are unknown files and/or scripts on the web hosting server. Most amateur site owners won’t recognise unusual activity in the site’s server logs. Some admins set up cron jobs to schedule specific tasks, but hackers can tamper with these too.

What Do Hackers Want?

Some people hack for the hell of it, just for kicks, especially those in training. The serious bad actors have definite goals and may hijack your WordPress website for their own aims.

Here are the 6 most common reasons and tactics used to infect WordPress websites.

  1. Pharma hacks inject spam into databases and/or files
  2. Drive-by downloads place malicious files on the user’s computer
  3. Backdoor programs give hackers access to areas secured by logins
  4. File and database injections plant code fragments that reassemble into malicious commands
  5. Redirects send visitors to the hacker’s site via your website links
  6. Phishing uses fraudulent pages or forms to ask for sensitive data

No one wants to clean up the infected mess caused by hackers, and many site owners can’t.

Free Tools that Scan for Malicious Code

Proper site maintenance and regular scans drastically reduce the risk of malicious code infections. There are no technical skills needed to improve the security of your WP website.

This section looks at some of the best products available. These are premium WordPress plugins and services that offer some excellent free tools, which we focus on here.

The two free tools that can scan your website or blog for malicious code are:

  1. Sucuri | free security scanner
  2. Wordfence | free firewall and malware scanner

You might want to read my beginner’s plugin guide first if you’re a WordPress newbie.

The WordPress White Screen of Death

Users occasionally report the WordPress White Screen of Death with security scanners, though it’s less common than it used to be. New versions of WordPress should send an email that points to the plugin triggering the problem. That email includes a link that lets you log into WordPress in recovery mode. You would then deactivate the defective program.

OK, now let’s look at how to scan your site using the free tools.

#1 Scanning your site with the Sucuri plugin

Sucuri is a world leader in helping WordPress site owners detect and fix hacked websites. Their premium services are first-rate, but they also have a free plugin that does a deep site scan. It’s a beginner-friendly tool that comes with a range of helpful customisations.

The Sucuri plugin features include:

  • WordPress Hardening: preventative options that help secure a vulnerable site
  • Malware Scan: checks for malicious content, blocklists, site errors, outdated software
  • Post-Hack: What to do after a site has been compromised
  • Core Integrity Check: inspects the integrity of all core WP files
  • Email Alerts: these are enabled by default, but you can customise the options

OK, let’s get started and give your WP site some extra protective layers.

Log in to your admin area.

Install and activate the Sucuri Security plugin.

Tip: Read my quick plugin guide here first if you’re new to WordPress.

Notice the new Sucuri option in your Dashboard side menu.

We now need to generate an application programming interface or API key. This step is necessary to connect your WordPress account to the Sucuri server.

Go to Sucuri Security => Settings.

You’re now at the General Settings screen.

Click Generate API Key

A short registration form comes into view.

Make sure the website address and email field have the correct data.

Put a tick (check) into the Terms of Service and Privacy Policy boxes.

Click the Submit button.

You now get a “Site registered successfully” message.

Click on the X (top right) to close the message and return to the General Settings screen.

You will notice that Sucuri has now automatically added your new API key.

The remote API service provides a safe place to store your site’s activity logs, aka audit trail and audit logs. Any bad actor that hacks your site cannot access the activity logs, but YOU can. They’re vital for keeping your WordPress site safe and secure. These logs can tell you if the site has undergone any malicious attacks and how hackers gained access.

Here’s what a security alert looks like from the free Sucuri plugin:

A table below the alert shows the modified file(s), including the time, date, and file path.

You also get a Sucuri update each time you log into WordPress as Administrator.

Here’s how that looks on the test site.

#2 Secure your WordPress site with Wordfence

Wordfence is another popular plugin with a suite of tools to keep your project safe. It currently has over 4 million active installations and a 4.5 out of 5-star rating.

Wordfence includes the following features:

  • Malware WordPress security scanner
  • Web application WordPress firewall
  • Login security: 2FA, a login page CAPTCHA, and blocking of repeated failed logins
  • WordPress Central for managing multiple sites in one place
  • Security tools, e.g., monitor and block hack attempts

Let’s install the plugin and look at some of its free tools.

Log in to your WP admin area.

Install and activate the Wordfence Security | Firewall & Malware Scan plugin.

Please read my quick plugin guide here first if you’re new to WordPress.

The first thing Wordfence needs to know is where to send security alerts.

  1. Enter your email address.
  2. Choose whether to join the optional WP security mailing list (recommended)
  3. Agree to the Terms and Privacy Policy
  4. Click Continue.

The next screen encourages you to Activate Premium.

Click the No Thanks link as this tutorial only focuses on the free version.

Wordfence Protection is now activated and should take you to the Dashboard. If not, select Wordfence => Dashboard from the admin side menu.

The Wordfence Dashboard gives important information about your site’s current security condition. It includes summarised data, essential status updates, and helpful notifications.

Wordfence introduces you to the Dashboard features.

The Dashboard is easy to grasp and offers a snapshot of what features are enabled/disabled or need your attention. The Notifications area tells you what actions to take to fix issues.

We have two alerts on the test site. You can click the notification to get more details. You can also dismiss a notification by clicking the X on the right side.

There are limitations to the free version. Even so, it’s an excellent tool to get an understanding of your site’s security status. You also have an option to run a manual scan at any time.

The free scan includes the following 8 checks:

  1. Server state scan
  2. File changes scan
  3. Malware scan
  4. Content safety scan
  5. Public files scan
  6. Password strength scan
  7. Vulnerability scan
  8. User & Option Audit
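Sucuri’s Core Integrity Check and Wordfence’s File changes scan both work the same way under the hood: every core file’s hash is compared with a published reference list, and anything modified, missing or unexpected is flagged. The script below is an added example (not code from Sucuri or Wordfence) of that check; it uses a constructed mini site tree and a constructed checksum map, whereas a real check would take its reference hashes from WordPress’s published core checksums for the installed version.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_file(path):
    """Hex MD5 of a file; WordPress publishes MD5 checksums for its core files."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_core(root, expected, skip_dirs=("wp-content",)):
    """Compare files under root with an expected {relative path: md5} map.

    Returns 'modified' (hash differs), 'missing' (listed but absent) and
    'unexpected' (present but not in the reference list, e.g. a dropped-in
    script). wp-content is skipped: themes, plugins and uploads are not core.
    """
    found = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and not any(d in skip_dirs for d in rel.parts):
            found[rel.as_posix()] = md5_file(p)
    return {
        "modified": sorted(f for f, h in expected.items() if f in found and found[f] != h),
        "missing": sorted(f for f in expected if f not in found),
        "unexpected": sorted(f for f in found if f not in expected),
    }

def demo():
    """Build a constructed mini WordPress tree, tamper with it, then verify it."""
    root = Path(tempfile.mkdtemp())
    files = {  # constructed sample files, not real WordPress core content
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-load.php": "<?php // bootstraps WordPress\n",
        "wp-includes/version.php": "<?php $wp_version = '6.4';\n",
        "wp-content/uploads/photo.txt": "site content, not checked\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    expected = {rel: md5_file(root / rel) for rel in files if not rel.startswith("wp-content")}
    # Simulated compromise: one core file altered, one removed, one unknown file added.
    (root / "index.php").write_text("<?php /* altered */ require 'wp-blog-header.php';\n")
    (root / "wp-load.php").unlink()
    (root / "wp-includes/extra.php").write_text("<?php // not part of core\n")
    return verify_core(root, expected)

if __name__ == "__main__":
    print(demo())
```

Any file reported under "unexpected" or "modified" deserves a look before it is trusted, which is exactly what the plugins’ alert emails prompt you to do.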

On the left of the status bar (bottom) is an update on the scan progress. On the status bar’s right side are links to view the activity logs (see next image).

Wordfence’s Vulnerability Scan found a few issues of medium severity on the test site. It sent an instant automated email notification to explain what those issues are and how to fix them.

Here’s what the scan results looked like for the test site.

The premium version of Wordfence includes all the above scans plus:

  • Spamvertising checks
  • Site spam check
  • Blocklist check

There’s a lot to explore from your Wordfence Dashboard, but it’s easy to follow, even for beginners. Go to Wordfence => All Options to get familiar with the available features.

Wordfence divides all the available options into 5 sections:

  1. Wordfence Global Options (6)
  2. Firewall Options (5)
  3. Blocking Options (1)
  4. Scan Options (5)
  5. Tool Options (3)

Clicking the right-side arrow of an option opens its properties and customisations.

Here’s a snapshot from the top of the All Options screen.

Wordfence Other Premium Features

Other premium features include the following:

  • Real-time firewall & scan engine rule updates protect as new threats emerge
  • Real-time IP Blocklist: blocks malicious IPs accessing the site
  • Country blocking
  • IP reputation monitoring
  • Schedule scans
  • Premium support
  • Discounts for multi-year/multi-licenses

Wordfence also offers a WordPress Site Security Audit conducted by industry experts. If they find that your site has been hacked, there’s a service to fix that too.

The Complete WordPress Site Cleaning Service cleans the infection and secures the site against future attacks. It also advises on post-clean-up security, antivirus programs, backups and monitoring, etc.

That concludes this tutorial on how to scan your WP blog or website for malicious code.

Want to Learn More About Security and Set Up a 100% Free Security Plugin?

My WordPress Security Course will help you stop hackers in their tracks.
