How to Scan Your WordPress Site for Potentially Malicious Code
August 11th, 2014
If you don’t like the video or need more instructions:
Theme Authenticity Checker (TAC)
Theme Authenticity Checker is a free plugin that scans all of your WordPress theme files for potentially malicious or unwanted code.
Often hackers target themes to inject links, so this plugin is a good way of checking for that.
Exploit Scanner is another free WordPress plugin that is much more robust than the Theme Authenticity Checker because it searches all files and the database of your WordPress install. It checks for signs that may indicate your installation has fallen victim to malicious hackers.
Note: Exploit Scanner returns a lot of false positives, so you need to know what you are looking at to tell whether a flagged item is really malicious or is OK.
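To show what a file scan of this kind does and why it produces false positives, here is an added example (not code from TAC, Exploit Scanner or this article): a small Python script that applies a few heuristic patterns to the .php files of a theme directory. The rule set, the function names and the two-file sample theme are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic rules assumed for this example; real scanners ship far larger sets.
RULES = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "gzinflate": re.compile(r"\bgzinflate\s*\(", re.I),
    "hidden_link": re.compile(r"display\s*:\s*none[^>]*>\s*<a\s[^>]*href=", re.I),
    "external_link": re.compile(r"<a\s[^>]*href=[\"']https?://", re.I),
}

def scan_theme(theme_dir):
    """Return (relative_path, line_no, rule, text) for every rule hit in .php files."""
    root = Path(theme_dir)
    findings = []
    for path in sorted(root.rglob("*.php")):
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for no, line in enumerate(lines, start=1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    rel = path.relative_to(root).as_posix()
                    findings.append((rel, no, rule, line.strip()))
    return findings

def build_sample_theme(root):
    """Write a constructed theme: one injected footer, one benign helper file."""
    root = Path(root)
    (root / "footer.php").write_text(
        "<?php wp_footer(); ?>\n"
        '<div style="display:none"><a href="http://spam.example/">sponsored</a></div>\n'
        "<?php eval(base64_decode($_x)); ?>\n",
        encoding="utf-8")
    (root / "functions.php").write_text(
        "<?php\n"
        "// Benign: decodes an inline icon shipped with the theme.\n"
        "$icon = base64_decode($theme_icon_b64);\n",
        encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_theme(tmp)
        for path, no, rule, text in scan_theme(tmp):
            print(f"{path}:{no}: [{rule}] {text}")
```

The hit in functions.php is the kind of false positive the note above refers to: the same function name appears in the injected footer and in harmless theme code, so each finding has to be read in context.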
Sucuri is by far the BEST WordPress security scanner out there. They have a very basic free site scanner, which checks whether your site is doing OK. But the real value is in their paid version. See our article: 5 reasons why we use Sucuri to improve our WordPress security for a detailed overview. In short, once you install Sucuri, it automatically monitors your website 24×7 against all threats. It audits all the activities that happen on your site to keep track of where things went wrong. If something looks fishy, Sucuri blocks the IP. They also send you alerts if they notice something going on with your site. Last but not least, they offer a malware cleanup service which is included in the price of their service (no matter how big or small your site is).
Not mentioned in this article is Wordfence, another free WordPress plugin which I personally use (there is also a Pro version).
Wordfence starts by checking if your site is already infected. We do a deep server-side scan of your source code comparing it to the Official WordPress repository for core, themes and plugins. Then Wordfence secures your site and makes it up to 50 times faster.
Wordfence Security is 100% free and open source. We also offer a Premium API key that gives you Premium Support, Country Blocking, Scheduled Scans, Password Auditing and we even check if your website IP address is being used to Spamvertize. Click here to sign-up for Wordfence Premium now or simply install Wordfence free and start protecting your website.
You can find our official documentation at docs.wordfence.com and our Frequently Asked Questions on our support portal at support.wordfence.com. We are also active in our community support forums on wordpress.org if you are one of our free users. Our Premium Support Ticket System is at support.wordfence.com.
Here’s a somewhat lengthy description and independent review of Wordfence: