How to Scan a Website for Malware Safely in 2026
Website malware can hide in theme files, plugins, scripts, databases, and even injected redirects that only appear to search engines.
If you need to inspect a site without making the problem worse, the safest approach is to combine reputable scanners with controlled access and careful verification.
This guide explains how to scan a website for malware safely, what tools to use, which checks matter most, and how to reduce the risk of false positives or accidental damage.
Why safe scanning matters
Scanning a live site is not the same as scanning a personal laptop.
A website may be serving customers, collecting form submissions, or connecting to a content management system such as WordPress, Joomla, Drupal, or Magento.
Aggressive scanning can trigger outages, lockouts, rate limits, or security alerts from a hosting provider.
Safe scanning helps you:
- avoid breaking production pages or checkout flows
- reduce the chance of alerting attackers before you gather evidence
- protect administrator credentials and API tokens
- preserve logs and indicators of compromise for later analysis
- minimize false positives from reputation-based tools
What malware on a website usually looks like
Malware on a website often shows up as obfuscated JavaScript, hidden iframes, phishing forms, spam links, PHP backdoors, rogue admin users, or file changes in core directories.
On infected WordPress sites, attackers frequently alter wp-config.php, inject code into functions.php, or place malicious PHP files in uploads folders.
Common signs include:
- unexpected redirects to unrelated domains
- browser warnings from Google Safe Browsing or other reputation systems
- new files with random names or recent timestamps
- unfamiliar plugins, themes, or scheduled tasks
- base64-encoded or heavily compressed code
- spam content indexed by search engines
How to scan a website for malware safely?
The safest method is to scan from a trusted environment, use read-only or low-impact tools first, and confirm results before changing anything on the server.
Start with external checks, then move to file-level inspection, then analyze logs and database content if needed.
1. Use a clean device and trusted network
Begin from a malware-free computer with updated operating system patches, browser security, and endpoint protection.
If possible, use a separate admin workstation or a virtual machine for investigation.
Avoid public Wi-Fi and unknown proxy services when accessing sensitive dashboards or backups.
Before logging in, verify that:
- the domain resolves to the expected IP address
- the SSL/TLS certificate is valid and issued to the correct site
- you are on the legitimate login page, not a lookalike domain
2. Start with passive external scanners
Passive scanners check the public-facing website without hammering the server.
Tools such as Google Search Console, Sucuri SiteCheck, VirusTotal URL checks, and security vendor reputation services can reveal blacklisting, injected spam, or suspicious resources.
These scans are useful because they:
- do not require file-system access
- show reputation status from multiple sources
- identify infected pages that search engines have already indexed
- help confirm whether the problem is visible to visitors
Review scanner results carefully.
A reputation warning does not always mean the site is infected; it can also reflect a compromised external script, an expired domain, or a past incident that has not been cleared from cache.
3. Download a verified backup for offline inspection
If you have server access, create a full backup before modifying anything.
Inspect the backup offline whenever possible.
This avoids exposing the live site to a heavy recursive scan and lets you compare current files with known-good versions.
A good backup process includes:
- database export
- all web root files
- plugin and theme directories
- server configuration files, if permitted
- timestamps and checksum records
Offline review is especially valuable because malware often hides in files that security plugins skip or in directories the web server can still execute.
4. Check file integrity against trusted baselines
File integrity checking is one of the best ways to detect tampering.
For WordPress, compare core files against official checksums.
For custom applications, compare current files against a clean deployment or version control history.
Unexplained differences in application code deserve closer review.
Look for:
- files modified outside normal deployment windows
- unexpected PHP in image or upload directories
- altered .htaccess or web.config rules
- scripts with obfuscated functions such as
eval,gzinflate, orbase64_decode
5. Scan with a reputable security plugin or server-side tool
For CMS platforms, a trusted malware scanner can help identify known malicious signatures, suspicious code patterns, and outdated components.
On WordPress, options such as Wordfence, Sucuri Security, and similar server-aware scanners can inspect files and compare them to known clean versions.
Choose tools that support:
- signature-based detection
- file integrity monitoring
- login audit trails
- malicious URL and redirect detection
- manual review instead of automatic cleanup only
When scanning a live site, configure the scanner to minimize resource use.
Schedule scans during low-traffic periods, and avoid simultaneous bulk scans from multiple plugins.
6. Inspect logs for suspicious behavior
Server logs often reveal the first signs of compromise.
Review access logs, error logs, authentication logs, and application logs for unusual requests.
Attackers often probe upload forms, vulnerable endpoints, or admin panels before or after planting malware.
Pay attention to:
- repeated POST requests to login or upload endpoints
- requests for nonexistent PHP files in uploads folders
- odd user agents or high-frequency bot activity
- successive 200 responses from paths that should not execute scripts
- unexpected admin logins from unfamiliar IP addresses
7. Review the database for injected content
Malware is not always file-based.
Attackers may inject scripts or spam content into posts, widgets, options tables, or SEO metadata.
In WordPress, examine wp_posts, wp_options, and widget-related tables for suspicious code or hidden links.
Common database indicators include:
- encoded JavaScript inside content fields
- new administrator emails or password resets you did not request
- redirect URLs embedded in site options
- spam pages added for blackhat SEO
Tools that help without creating unnecessary risk
Use tools with a low operational footprint first, then move to more invasive checks only when needed.
A layered approach provides evidence without overwhelming the server.
- Google Search Console for security issues and indexing warnings
- VirusTotal for URL and file reputation checks
- Sucuri SiteCheck for external malware detection
- Wordfence or similar CMS security scanners for file comparison and signatures
- SSH and checksum utilities for manual integrity review
- FTP/SFTP only for controlled file access, with SFTP preferred over plain FTP
How to avoid false positives
False positives are common because legitimate code may be minified, compressed, or heavily encoded by a performance plugin, payment gateway, or analytics provider.
A single suspicious pattern should not be treated as proof of infection.
To verify findings safely:
- check whether the file is part of a known plugin or theme update
- compare against vendor documentation or clean package hashes
- confirm whether the code is being loaded from a legitimate third-party service
- test in a staging copy before deleting or replacing anything
Best practices before and during scanning
Good preparation lowers the risk of disruption and improves evidence quality.
If the website is business-critical, create a staging environment and scan that clone first whenever possible.
- back up files and the database before any scan
- document the site’s current plugins, themes, and versions
- record current DNS, SSL, and hosting details
- limit full recursive scans to off-peak hours
- keep admin credentials in a password manager
- use multi-factor authentication on hosting and CMS accounts
What to do after you confirm malware
Once malware is confirmed, isolate the site, preserve evidence, and remove persistence mechanisms before restoring content.
Changing passwords alone rarely solves the issue if backdoors, cron jobs, or malicious admin accounts remain.
Priority response steps include:
- put the site in maintenance mode or restrict access
- rotate passwords for CMS, hosting, database, and SFTP accounts
- remove unauthorized users, plugins, themes, and scheduled tasks
- restore clean files from a trusted backup
- update the CMS, plugins, themes, and server packages
- request a review from Google Safe Browsing and other blacklists if the site was flagged
If you manage customer data or ecommerce transactions, consider a full incident response review and consult your hosting provider or a qualified security professional.
Scannable workflow to use in practice
- Check reputation and public warnings from external scanners.
- Create a complete backup and work from a copy if possible.
- Compare file integrity against a trusted baseline.
- Run a reputable CMS-aware malware scanner.
- Review logs, database tables, and scheduled tasks.
- Validate any suspicious finding manually before remediation.
Using this workflow keeps the process controlled and reduces the chance of damaging a healthy site while still identifying real infections quickly.