Top WordPress malware scanner

Are you looking for an offline or online malware scanner tool to scan your WordPress website? Here, we’ve shared five great tools you can use.

Before looking at the tools, let’s first find out what malware can do. WordPress core PHP files are clean, but the plugins you may download from an untrusted website may not be safe. If the extension ships with malicious code, it may inject the code into the important WP core files and make your site behave strangely. For example, the code may create hundreds of thousands of junk pages or pages in a completely different language, and the sitemap file will have links to these pages.

The code may also redirect the pages you’ve created to these junk pages. When search robots come across these pages, they will index them. If you don’t do anything about this and your portal did well in search results before being infected by a virus/malware, its traffic may plummet. Malware may do things that you can’t imagine. Thus, it is always wise to beef up your WP site’s security manually or with a WordPress security plugin.

Malware may affect all or only some of the pages of your web portal. Here are the five great online or offline tools you can use to find malicious code on your website. Most of the tools we’ve shared below can scan a single or all of the pages on your site.

Virus Total

Virus Total

Virus Total’s free online scanner can detect malware or viruses in a file or on a page. It is very easy to use. It can scan a file, URL, and IP address for security threats. When you enter these three things in its form, the tool will begin scanning the file/URL and show a table with the list of security services and the scan result. Yes! That’s right. Your portal/file will be checked with multiple services.

VirusTotal scans a website and shows the following:

  • HTTP status code that the server hosting the site returned when VirusTotal requested it.
  • The web page size.
  • The server’s IP address.
  • External links on the page.

If any of the services displayed in the table have flagged the portal, VT will instantly make you aware of this.

Sucuri SiteCheck

Sucuri Site Check

Sucuri SiteCheck is a popular online WordPress malware scanner. It has a blacklist checker function that checks the database of these services – McAfee, ESET, Opera, Yandex, PhishTank, Sucuri Labs, and Google Safe Labs, to find out whether your portal is blacklisted or not. It also checks the WordPress generator version of the website and displays a warning if the website is using a lower version of WordPress.

Sucuri detects malicious code and potential spam on a WP web portal. It checks whether any firewall is protecting a website or not. Sucuri also shows some tweaks you can implement on your site to make it more secure. For example, when we checked a portal with Sucuri, the tool advised us to add some security headers.


Wordfence Scan

Wordfence is different from the malware scanning services we have shared above. It is a feature-packed plugin that supports on-demand site scans. The extension checks if a PHP file required for the website to keep functioning is comprised or not. It also detects and blocks many attacks using its built-in firewall tool.

Wordfence is the only tool on this page that can automatically replace a malicious WordPress core file. Sucuri is also available in the WordPress repository. Go through our comparison of Sucuri and Wordfence to find out which extension is better. Wordfence is a great plugin. Its development team not only works on it but also finds and reveals possible exploits in extensions/themes available in the WordPress repository.

Security & Malware Scan by CleanTalk

Security and Malware Scan by CleanTalk

Unlike Wordfence, which starts working straightaway, users of this plugin are required to enter an API key. You can get the key manually by registering an account on the plugin’s official website or clicking the “automatic retrieval” button. On CleanTalk’s settings page, you’ll find six tabs – Malware Scanner, Backups, Security Log, Firewall, General Settings, and Summary.

The 1st tab features a button “Perform scan”. If you click this button and the extension finds malicious files on your portal, you can view the file, send the file for analysis, delete this file, or see the malicious code the plugin has found on the web portal. CleanTalk can take up to a minute to scan your website files. Once the scan task is complete, it shows a table containing a list of files of CleanTalk found in the website’s root directory and various folders and their “scan” status. The extension lets users pause the scan.

Anti-malware Security and Brute Force Firewall


This plugin’s UI is not very attractive, but it identifies malware or any other malicious code on a website well. Like CleanTalk, it requires an API key to function. The plugin can generate the key automatically. Once an API key is ready, you should install the latest definitions by clicking on the “download new definitions” button. Then, click the “Run Complete Scan” button. You can activate the following features of the Anti-malware extension only if you download the latest definitions:

  • Database injections, htaccess threats.
  • TimThumb exploits, known threats.
  • Core file changes.

Anti-malware allows users to choose the directory the plugin should scan. It also lets users set the “scan depth level”. You can set one of these values as the scan depth level – -1 and 0. If you enter -1, the extension will scan all directories inside the chosen folder. You can also configure Anti-malware not to scan files of specific extensions and folders whose names contain words of your choice.

Note: The WordPress plugins on our list of top WordPress malware scanner tools offer many website security-related features. For example, they ship with a firewall, block brute force attacks, block IP addresses, can back up your site, etc.

So, these are the best free malware scanner plugins for WordPress.


Pramod is the founder of wptls. He has been using WordPress for more than nine years. He builds web applications, and writes about his experiences with various WP products on this site.

Leave a Reply

Your email address will not be published. Required fields are marked *