How to Scan WordPress for Malware: A Practical Detection Guide for 2026

Written by: Abigail Ivy
Published on:

How to Scan WordPress for Malware

Knowing how to scan WordPress for malware helps you detect hidden backdoors, injected scripts, and compromised files before they damage rankings, user trust, or revenue.

This guide shows the most reliable ways to inspect a WordPress site and identify suspicious activity without relying on guesswork.

WordPress security issues often involve a mix of infected core files, vulnerable plugins, weak credentials, and malicious code inserted into themes or the database.

The fastest path to a clean site is a layered scan that checks the filesystem, the database, and site behavior together.

What malware looks like in WordPress

Malware on WordPress sites rarely announces itself.

Attackers usually try to stay hidden so they can steal data, redirect traffic, send spam, or maintain persistence after a cleanup.

  • Injected JavaScript or iframe code in posts, widgets, or theme files
  • Hidden administrator accounts in the WordPress database
  • Modified core files such as wp-config.php or wp-load.php
  • Suspicious PHP files in uploads directories
  • Redirects to spam, phishing, or malware domains
  • Unusual cron jobs or scheduled tasks
  • New files with random names in wp-content or /tmp

Common infection vectors include outdated plugins, nulled themes, credential theft, SQL injection, cross-site scripting, and insecure hosting environments.

A proper scan should check for both the malware payload and the entry point that allowed it in.

How to scan WordPress for malware with trusted plugins

Security plugins are the easiest starting point because they compare files against known-good versions and flag suspicious patterns.

They are especially useful for non-technical site owners who need a fast baseline assessment.

Popular WordPress security scanners

  • Wordfence Security — file integrity checks, malware signatures, login monitoring, and firewall alerts
  • Sucuri Security — remote site scanning, blacklist monitoring, and integrity auditing
  • MalCare — cloud-based scanning with deep file inspection and one-click cleanup options
  • Jetpack Scan — automated monitoring with file change detection and vulnerability alerts

To get meaningful results, run a full scan rather than a quick scan.

Review the report for modified core files, suspicious PHP functions such as eval, base64_decode, gzinflate, and str_rot13, and any unexpected changes in plugin or theme directories.

What plugin scans can miss

Security plugins are useful, but they are not perfect.

A scan may miss malware that is heavily obfuscated, stored outside standard WordPress directories, or delivered through a compromised server account.

For that reason, use plugin scans as one layer in a broader security review.

How to scan WordPress for malware manually

Manual inspection is slower, but it is often the best way to confirm a compromise and understand how it happened.

It also helps if security tools disagree or if you need evidence before restoring from a backup.

Check recently changed files

Start by identifying files modified around the time you noticed the problem.

On Linux hosting, tools like find, ls, and stat can help reveal files changed recently in wp-content, wp-admin, and wp-includes.

Pay close attention to:

  • wp-config.php
  • .htaccess
  • index.php files with unexpected code blocks
  • theme functions.php files
  • plugin files that were not updated recently
  • uploads folders containing PHP files

Look for suspicious code patterns

Search file contents for common malware indicators.

Attackers often use obfuscation, long encoded strings, or functions that execute remote code.

High-risk patterns include eval, assert, preg_replace with /e, base64_decode, str_rot13, and shell_exec when they are not needed by legitimate code.

Also inspect for unusual network calls, especially requests to unfamiliar domains, since malware commonly fetches payloads or sends stolen data to an external server.

Review the database

Malware can hide in wp_posts, wp_options, wp_users, and wp_usermeta.

Look for spam links, injected HTML, unexpected admin users, and strange autoloaded options that contain encoded content.

The wp_options table is especially important because attackers often store payloads there to reload malicious behavior on every request.

Use server-side tools to inspect deeper

If you have SSH or hosting control panel access, server-side tools can reveal threats that WordPress plugins cannot see.

This level of inspection is valuable for high-traffic sites, WooCommerce stores, and sites with repeated reinfections.

Useful commands and checks

  • Run a recursive search for suspicious functions across wp-content and custom code directories
  • Compare WordPress core files with known official checksums
  • Inspect cron jobs for unexpected scheduled execution
  • Review web server logs for suspicious POST requests, repeated login attempts, and access to unusual PHP files
  • Check file ownership and permissions for anomalies that allow unauthorized writes

On managed hosting platforms, ask support for malware scanning, file integrity reports, and recent access logs.

Reputable hosts often maintain server-level security tools that detect malicious patterns more accurately than a plugin alone.

How to verify whether WordPress core files are clean

WordPress core files should match the official release for your installed version.

Any change in wp-admin or wp-includes should be treated as suspicious unless it is part of a legitimate update.

You can verify integrity by downloading the same WordPress version from WordPress.org and comparing checksums or file hashes.

If a core file is modified, replace it with a fresh copy rather than editing it in place.

Be careful not to overwrite wp-config.php or the wp-content directory during cleanup, since those usually contain site-specific settings, themes, media, and plugins.

Signs your scan found a real infection

Some warnings are false positives, but certain findings strongly suggest compromise.

Treat the site as infected if you see any of the following:

  • Unknown admin or editor users with recent login activity
  • Files added to uploads folders with executable PHP code
  • Core WordPress files changed without a valid reason
  • Injected links appearing in content, headers, or footers
  • Search engine warnings or blacklist notifications from Google Safe Browsing
  • Traffic spikes from strange referrers or geographic locations
  • Spam emails sent through contact forms or server mail logs

When multiple signals point to the same issue, do not limit the response to deleting a single file.

Malware often plants backup mechanisms, so the cleanup must cover entry points, persistence files, credentials, and exposed vulnerabilities.

What to do after you scan WordPress for malware

Once you find suspicious code, isolate the site if possible and change passwords for WordPress, hosting, FTP, SSH, and database accounts.

Then remove malicious files, restore trusted backups if available, update WordPress core, plugins, and themes, and rotate authentication keys and salts in wp-config.php.

After cleanup, rescan the site from multiple angles: a security plugin, a database review, and a manual file comparison.

Monitor access logs and search engine status to confirm that the infection does not return.

How to reduce the chance of reinfection

Scanning is only part of WordPress security.

Long-term protection depends on reducing the attack surface and making future compromise harder.

  • Keep WordPress core, plugins, and themes updated promptly
  • Delete unused plugins and themes instead of deactivating them
  • Use strong, unique passwords and enable two-factor authentication
  • Limit admin accounts and review user roles regularly
  • Restrict file editing in the dashboard
  • Use a web application firewall such as Cloudflare or a WordPress security firewall
  • Back up the site daily and store backups off-site
  • Monitor uptime, file changes, and login activity

A well-maintained site is much easier to scan and far less likely to suffer repeat infections.

The combination of layered scanning, disciplined updates, and log review is what keeps WordPress sites resilient in 2026.

How often should you scan WordPress for malware?

For most sites, weekly scans are a reasonable minimum, while ecommerce, membership, and high-traffic publishing sites benefit from daily automated checks.

After any plugin update, suspicious login event, or unexplained performance issue, run an immediate scan.

If your site has already been compromised once, increase monitoring frequency and keep a close eye on file changes, new admin accounts, and server logs.

Recurring infections usually mean the original entry point was never fully removed.