How to Scan WordPress Plugins and Themes for Malware and Viruses

To protect your WordPress site from malicious code and viruses, you need to verify each plugin before installing it. One way is to install only the highest-rated ones, but once you have a problem, it’s too late to protect yourself.

Today, I’ll show you how to scan WordPress for malware using simple and free tools to protect your website and make it clean all the time.

One of the main reasons why I recommend buying a premium theme is that it protects you from the unknown sources where free plugins and themes are downloaded. You should make sure that your theme is free of links and hidden code.

Scan WordPress themes

There are many tools to scan your WordPress theme, but the best way is to scan the theme file before uploading it to your site. So, make sure to run the file through VirusTotal, a free professional tool that uses all the popular security programs to check the theme.

This tool checks the file separately against over 49 antivirus and malware checker programs and gives you a red signal if any of those programs finds a virus or hidden code. It works for any type of file, not only themes, so use it whenever you need it.


The next step after uploading the theme is to scan it right after activation. You can install the Theme Authenticity Checker (TAC) from the WordPress directory.

It’s one of the most popular plugins used to scan the themes. The TAC plugin will show you any hidden links found in the theme.

Best of all, it will scan all your themes in a few seconds. If the theme is clean, then you get a green “OK” near the theme thumbnail. It’s an online tool to scan your website for malicious code.

AntiVirus is another tool to scan WordPress files for malware. It is a plugin that you need to install, and it has over half a million downloads. It scans your theme files and shows you any problems.

All you have to do is install and activate it, then run a theme scan from your “Settings” menu. Clean theme files will be shown in green.

These free tools will verify your themes and take the website security to a better level.


Scan WordPress plugins and the entire website

To scan your blog plugins, you can start with VirusTotal before the upload, but after that you need some specific plugins to search for malware and viruses.

1. Wordfence Security

Without a doubt, this is the top WordPress security plugin that you should install. Wordfence is not a regular plugin that only scans your website; it does whatever you can imagine to protect it. For example, if a plugin author changes a single letter in the plugin files just for an update, you will get an alert from Wordfence telling you the exact location and the line where the plugin was modified.

Not all security plugins can do that. At the same time, this plugin will scan your entire website every day.
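The kind of check described above, comparing installed plugin files with a known-good copy and reporting the file and line that changed, can be sketched as follows. This is an added example, not Wordfence's code; the function names, directory layout and sample plugin files are constructed assumptions.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path


def _files(root):
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def compare_trees(baseline, installed):
    """Return (file, status, line_numbers) for each difference from the baseline."""
    base, live = _files(Path(baseline)), _files(Path(installed))
    findings = []
    for rel in sorted(set(base) | set(live)):
        if rel not in live:
            findings.append((rel, "missing", []))
        elif rel not in base:
            findings.append((rel, "added", []))
        elif _digest(base[rel]) != _digest(live[rel]):
            old = base[rel].read_text(errors="replace").splitlines()
            new = live[rel].read_text(errors="replace").splitlines()
            ops = difflib.SequenceMatcher(None, old, new, autojunk=False).get_opcodes()
            # Line numbers refer to the installed file.
            lines = [n for tag, _, _, j1, j2 in ops if tag != "equal"
                     for n in range(j1 + 1, max(j2, j1 + 1) + 1)]
            findings.append((rel, "modified", lines))
    return findings


def demo():
    """Constructed sample: one changed letter on line 3 plus one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        base, live = Path(tmp, "baseline"), Path(tmp, "installed")
        for root, word in ((base, "Hello"), (live, "Hallo")):
            (root / "inc").mkdir(parents=True)
            (root / "main.php").write_text(
                f"<?php\nfunction sample_title() {{\n    return '{word}';\n}}\n")
            (root / "inc" / "helper.php").write_text("<?php\n// unchanged helper\n")
        (live / "inc" / "cache.php").write_text("<?php\n// file absent from baseline\n")
        return compare_trees(base, live)


if __name__ == "__main__":
    print(demo())
```

The baseline should be a copy of the plugin taken from a source you trust, unpacked somewhere the web server cannot write to.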

If there is a new version of a plugin and you need an update, Wordfence will send you an email about the plugin that needs an update. All the website files will be scanned periodically. If there are new attacks, the plugin will update your security automatically.

By the way, the plugin author is really active and sends an instant email to webmasters when there is a new attack around the world. They compare the average attack number and alert people when automatic manipulation is detected from servers.

If you have problems with some IPs or networks, you can block them with Wordfence. It’s a powerful tool to protect and scan your entire website. In other words, it’s a plugin that every website should have.

2. Anti-Malware

Anti-Malware is a free WordPress malware removal plugin with powerful functions. It scans your entire website for malware, threats, and vulnerabilities in the server, and it shows you a summary after the scan.

If the site is OK, you see it all in green. The best part of this plugin is that it removes Known Threats.

So, after the scan you don’t need to work out whether what you see is normal or a problem. The plugin authors get signals from their network and mark the common viruses as “known”, so that they can be removed automatically after their hidden code is verified.

If there is new information about new threats and malware, the WordPress anti-malware plugin gets the update automatically. You can edit the scan settings or even run a scan from your dashboard.


3. Sucuri Security

Sucuri Security is a WordPress malware removal service that takes care of your plugins and your website in general. Its main job is to scan all your plugins and search for hidden code through which your files can be opened without your permission.

This is the best way to remove malware from a WordPress site. It also checks the website files for malicious redirects and PHP scripting that can affect your website.

This plugin gets details about any attack from different sources and compares results with theirs. Make sure to install this free plugin and run a scan.

4. Exploit Scanner

Exploit Scanner is a WordPress malware scanner, and it’s known for searching for the “hide” functions in WordPress. People can insert their malware and hide it with known options. This plugin understands exactly how they hide code in your website and finds it. Best of all, it shows you the hidden function.

Please don’t confuse the normal hide option in your theme and other normal functions with the malicious ones. You will get many alerts, and you should delete only code with URLs or negative impressions.
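A simplified version of the pattern scan described in this section, including the point that many hits are normal code, is shown below as an added example (it is not Exploit Scanner's code). The pattern list, the priority rule and the sample theme files are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumed pattern list for illustration; real scanners ship far larger rule sets.
PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "hidden-css": re.compile(r"display\s*:\s*none", re.I),
}
URL = re.compile(r"https?://", re.I)
BLOB = re.compile(r"[A-Za-z0-9+/=]{60,}")  # long encoded-looking string


def scan_theme(root):
    """Return (file, line_no, pattern, priority) for every pattern hit in *.php files."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*.php"), key=lambda p: p.as_posix()):
        lines = path.read_text(errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            # A URL or encoded blob on the same line moves the hit to the top of the queue.
            priority = "high" if URL.search(line) or BLOB.search(line) else "low"
            for name, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append((path.relative_to(root).as_posix(), no, name, priority))
    return findings


def demo():
    """Scan a constructed theme: one ordinary hidden menu, one hidden link, one encoded eval."""
    samples = {
        "functions.php": "<?php\n// menu starts collapsed\necho '<ul style=\"display:none\">';\n",
        "footer.php": "<?php\necho '<div style=\"display:none\">"
                      "<a href=\"http://example.invalid/\">x</a></div>';\n",
        "inc/loader.php": "<?php\neval(base64_decode('" + "QUJD" * 20 + "'));\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_theme(tmp)


if __name__ == "__main__":
    print(demo())
```

A "low" hit such as the collapsed menu is ordinary theme code; a "high" hit is where manual review should start, and neither label proves anything on its own.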

These are the most important tools you need to scan your site for malware, and other types of viruses. They can be installed instantly from your Dashboard, and you don’t need to pay for that great security level.

Of course, some of them offer an upgrade for a more special operation, because their server will take more resources with advanced protection.

Please remember to install only trusted plugins and themes. There are popular companies where you can search for themes or plugins. They secure your website and, unlike unknown sources, never add hidden code.

If you don’t care about your blog, you will be a victim of many attacks, and you should avoid that by installing verified plugins on your WordPress site.

About Fathi Arfaoui

Fathi Arfaoui is a Physicist, Blogger and the founder of He shares Business, WordPress and Blogging tips to build a better blog and succeed online.

Disclosure: The recommendations on this page are my own based on my tests and analysis. We may earn a small commission from web hosts and other partners if you use my referral link to make a purchase. That’s what helps us to maintain the site and add fresh content. Thanks for your support.
