Scanning WordPress for malware

Online tools, plugins, manual inspection: here's how to scan an infected WordPress site, which tool to choose for your situation, and what no scanner can see.

By WP-Detox 7 min read

“Scan my site” sounds like a single action, like running an antivirus on a computer. In reality there’s no one WordPress scan, but three families of tools that look at different things, from different places. An external scanner sees what Google sees. A security plugin digs through the server’s files. Manual verification compares your install against a known reference. Each has blind spots, and combining them is exactly how you get a reliable diagnosis. Here’s how to scan properly, and why a “clean” scan never proves a site is.

Family 1: external scanners, what a visitor sees

These tools load your pages from the outside, exactly as a browser or Google’s crawler would. They have no access to your files: they analyze only the site’s public output.

The most useful ones:

  • Sucuri SiteCheck: you enter the URL, it loads the site and flags suspicious redirects, visible injected content, malicious JavaScript, and presence on blacklists.
  • VirusTotal: submit the URL, it aggregates the verdict of dozens of antivirus engines and reputation services.
  • Google Safe Browsing: go to https://transparencyreport.google.com/safe-browsing/search and enter your domain to find out whether Google considers your site dangerous. That status is what triggers the red warning screen in Chrome.

What they catch well

External scanners excel at anything visible on the visitor side: a redirect to a casino site, a script injected into the <head>, a page stuffed with spam, a blacklist alert. If your site sends visitors elsewhere or shows content you never wrote, they spot it fast.

Their blind spot

They are completely blind to the server’s files. A PHP backdoor tucked away in wp-content/uploads, a rogue admin account, malicious code that only fires for Google’s crawler (cloaking) or only at certain hours: none of that shows up to an external scanner loading your homepage at a single point in time. A site can show “no threats detected” on the visitor side while being deeply compromised on the server.

Family 2: scan plugins, what’s happening on the server

Here the vantage point changes. A security plugin installs inside WordPress and inspects the files from within: it reads the disk, compares, and looks for suspicious patterns.

The reference tools:

  • Wordfence: compares core, plugin, and theme files against their official versions, and looks for known malware signatures.
  • MalCare: scans on its own servers (to avoid weighing the site down) and catches malicious code that signature-based scans sometimes miss.
  • The Sucuri scanner (the plugin, separate from SiteCheck): checks file integrity and monitors for changes.

What they catch well

A plugin sees what the external tools never do: a modified core file, a foreign .php in uploads, a known backdoor signature, an unexpected recent change. For a first pass on the server without SSH access, that’s valuable. It’s often the tool that confirms a hunch when you’re trying to tell whether your WordPress is hacked.

Their blind spot

The trap is structural: the plugin runs inside the infected site. If the attacker already controls the server, they can hide their files from the scanner, exclude their own paths, or quietly disable the plugin. And since these tools rely heavily on signatures, an obfuscated or never-seen backdoor slips through. False positives happen too: a legitimate plugin that uses base64_decode for valid reasons can be flagged by mistake. A “clean” plugin scan is reassuring, never proof.

Family 3: manual inspection, verification against a reference

This is the most reliable approach, because it doesn’t try to recognize what’s bad: it verifies that what’s good is intact. The principle: compare your install against a version known to be clean, then hunt down whatever sticks out.

Verify core integrity with WP-CLI

If you have SSH access and WP-CLI, a single command compares every WordPress core file against its official checksums:

wp core verify-checksums

Any modified, added, or missing core file surfaces immediately. It’s the fastest way to know whether the WordPress core has been altered, without depending on any signature database.
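The WP-CLI command does this comparison for you against the per-version MD5 checksums that WordPress.org publishes. If you have SSH but no WP-CLI, the same principle is easy to reproduce. What follows is an added example written for this article, not code from the article or from the WP-CLI project: it takes a checksum manifest in md5sum's "<hash>  <relative path>" format (an assumption; the official checksums would need converting to that layout) and a WordPress root, and reports files that are modified, missing, or present on disk but absent from the manifest. The manifest and root paths are arguments, and md5sum from GNU coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example (not the article's or WP-CLI's code): verify a WordPress tree
# against a checksum manifest, the principle behind `wp core verify-checksums`.
# Assumptions: `md5sum` is available and the manifest uses its output format,
# one "<md5>  <relative path>" per line, relative to the WordPress root.

# Usage: verify_against_manifest MANIFEST ROOT
# Prints one line per discrepancy and nothing for files that match:
#   modified <path>   file exists but its hash differs from the manifest
#   missing <path>    file is in the manifest but not on disk
#   added <path>      file is on disk but not in the manifest
verify_against_manifest() {
    manifest=$1
    root=$2

    # Pass 1: every file the manifest knows about must exist and hash identically.
    while read -r expected path; do
        [ -n "$path" ] || continue            # skip blank lines
        if [ ! -f "$root/$path" ]; then
            echo "missing $path"
        elif [ "$(md5sum < "$root/$path" | cut -d' ' -f1)" != "$expected" ]; then
            echo "modified $path"
        fi
    done < "$manifest"

    # Pass 2: anything on disk that the manifest does not list is an addition.
    # A dropped-in .php under wp-admin or wp-includes shows up here even though
    # no known file was touched, which is why "added" matters as much as "modified".
    (cd "$root" && find . -type f | sed 's|^\./||') | while IFS= read -r path; do
        cut -d' ' -f3- "$manifest" | grep -qxF "$path" || echo "added $path"
    done
}

# Convenience wrapper: exit status 0 only when nothing is reported, so the
# check can gate a deployment or run from cron.
verify_is_clean() {
    [ -z "$(verify_against_manifest "$1" "$2")" ]
}
```

Run it against the core directories only (wp-admin, wp-includes and the top-level files) unless your manifest also covers wp-content; otherwise every plugin and upload is reported as "added", which is noise rather than evidence.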

Spot recently modified files

If you know roughly when the intrusion happened, run this from the WordPress root to list the PHP files modified in the last fifteen days:

find . -name '*.php' -mtime -15 -ls

A core or plugin file modified recently, when you haven’t touched anything, is a strong signal.

Search for malicious code patterns

Backdoor code is almost always obfuscated. A handful of functions come up constantly and can be searched in one command:

grep -rEl "eval\(|base64_decode\(|gzinflate\(|str_rot13\(" wp-content/

eval( runs a string as PHP code; base64_decode( decodes a hidden payload. The two together, in a file with no comments or header, leave little doubt. For the details of hiding spots and patterns, see our guide to finding and removing a backdoor.

Its blind spot

Manual inspection requires server access, time, and the eye to tell a real positive from a false one. Above all it’s still fallible: a grep won’t catch obfuscation it doesn’t know about, and a modification date can be faked to make a file look old.
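The find and grep commands above, and the two caveats just raised (the base64_decode false positive and the faked modification date), fit naturally into one triage script. The following is an added example written for this article, not the article's own code: it keeps the article's fifteen-day window and function list, scores each matching file so that a commented plugin with a single base64_decode( ranks below an uncommented eval(base64_decode(...)), and adds one check the text does not show: files whose mtime is older than the window while their ctime is recent. touch and PHP's touch() can backdate mtime, but ctime is set by the kernel on every inode change and cannot be set from userland, so that mismatch is a signal that a date was faked. The directory argument and the fixtures in the test are constructed.

```shell
#!/bin/sh
# Added example (not the article's code): chain the article's find and grep
# into a triage pass. The directory is an argument; DAYS and the function list
# are the values used in the text.
DAYS=15

# Files changed (mtime) in the last $DAYS days: the article's find command.
recent_php() {
    find "$1" -name '*.php' -mtime -"$DAYS" -print
}

# Files whose inode change time (ctime) is recent while the mtime is older than
# $DAYS days. `touch -t` or PHP's touch() can backdate mtime to make a dropped
# file look old, but ctime is updated by the kernel and cannot be set from
# userland, so this mismatch is a tampering signal worth reviewing.
backdated_php() {
    find "$1" -name '*.php' -ctime -"$DAYS" ! -mtime -"$DAYS" -print
}

# Score one file: +1 for each distinct suspicious function it calls, +1 if it
# has no comment line at all (legitimate plugin/theme files almost always start
# with a header block). A lone base64_decode( in a commented plugin scores 1;
# eval(base64_decode(...)) in an uncommented file scores 3.
score_file() {
    f=$1
    score=0
    for fn in eval base64_decode gzinflate str_rot13; do
        # Require a non-identifier character before the name so that, e.g.,
        # my_eval( does not count.
        if grep -qE "(^|[^A-Za-z0-9_])${fn}\(" "$f"; then
            score=$((score + 1))
        fi
    done
    if ! grep -qE '^[[:space:]]*(/\*|\*|//|#)' "$f"; then
        score=$((score + 1))
    fi
    echo "$score"
}

# Triage: every .php under $1 that matches the article's grep pattern, printed
# as "<score> <path>", highest score first. Review from the top.
triage() {
    find "$1" -name '*.php' -exec grep -El \
        'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' {} + \
    | while IFS= read -r f; do
        printf '%s %s\n' "$(score_file "$f")" "$f"
    done | sort -rn
}
```

Typical use is `triage wp-content/` followed by `backdated_php wp-content/`; a file that appears at the top of the first list and in the second is the one to open first. The score is a ranking aid, not a verdict: a 1 is usually a legitimate plugin, a 3 is usually not, and anything in between still needs a human reading the file.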

Which scan for which situation

No need to run everything blindly. Depending on what you’re seeing:

  • Your visitors are being redirected, or Google shows a warning: start with an external scanner (Sucuri SiteCheck + Safe Browsing status). It’s the fastest way to confirm a visible problem.
  • Everything looks normal on the surface but you have a doubt (an odd file over FTP, strange behavior): a server-side scan plugin, then a checksum verification.
  • You want a serious verdict before cleaning: manual core verification (wp core verify-checksums) is non-negotiable, because it’s the only one that doesn’t depend on any signature.

The limit every scanner shares

Here’s the truth few tools state clearly: a “clean” scan doesn’t prove a site is clean.

External scanners don’t see the server. Plugins run inside the infected site and rely on signatures that an obfuscated or never-seen backdoor gets around. Even manual inspection only catches what it knows to look for. None of the three families, on its own, guarantees nothing is left.

A well-made backdoor is designed for exactly this: getting past scans. Split across several files that look harmless on their own, encoded in a nonstandard way, or hidden in the database rather than the files, it survives a scanner looking for known signatures.

The practical consequence: never trust a single tool. Combine all three angles. An external scan for the visitor side, a server scan for the files, a checksum verification for core integrity. Three “nothing to report” verdicts give far more confidence than one. And if the slightest sign persists (spam that reappears, an intermittent redirect, unknown accounts), assume something got past the scan, not that the site is healthy.

FAQ

Is an online scan enough to know whether my site is infected? No. An external scanner only sees the site’s public output: redirects, injected content, blacklisting. It’s blind to the server’s files, and therefore to most backdoors. You need to back it up with a server-side scan and a core integrity check.

Why does my security plugin find nothing when the site is clearly hacked? Because the plugin runs inside the infected site and relies on known signatures. An attacker who controls the server can hide their files, and obfuscated or never-seen code escapes the signatures. A negative plugin scan is not proof of innocence.

How do I check the WordPress core files myself? With SSH access and WP-CLI, the command wp core verify-checksums compares every core file against its official checksums and flags any discrepancy. It’s the most reliable check, because it doesn’t depend on any signature database.

Does a “no threats detected” scan mean my site is clean? Not necessarily. No scanner guarantees the complete absence of a threat, especially against an obfuscated or fragmented backdoor. If symptoms persist despite a clean scan, assume something was missed and push the inspection further.


At WP-Detox, we don’t settle for a single scan: we cross-check all three angles (external, server, core integrity), precisely because no single tool is enough. We look for what automated scanners miss, we replace files rather than trust them, and we regenerate every access credential. The scan is free, the cleanup takes about 30 minutes, it’s €149 all-in, we back up before any action, and you’re refunded if we can’t get the site clean. For the full picture, start with the complete guide when WordPress is hacked.
