Why early detection is crucial
Undetected malware on your WordPress site can cause considerable damage for weeks, even months. Automated attacks target WordPress sites constantly — in 2024, 94% of malware infections observed on websites targeted WordPress (source: Sucuri WordCamp Report).
Consequences of untreated infection:
- Data theft: Login credentials, customer data, payment information
- Malware distribution: Your site distributes viruses to your visitors
- Google blacklist: Your site is marked as dangerous, eliminating your traffic
- Reputation damage: Your online credibility is destroyed
- Financial losses: Every day of infection impacts your revenue
This article will teach you to detect WordPress malware using the same methods as security professionals.
Types of malware targeting WordPress
To detect effectively, you need to understand what you're looking for. Here are the main categories of WordPress malware:
1. Backdoors
Backdoors are the most dangerous malware because they allow attackers to maintain permanent access to your site even after cleanup.
- Where they hide: PHP files with deceptive names (`wp-settings.bak.php`, `config-temp.php`)
- How they work: They evaluate base64-encoded PHP code or cleverly hidden WordPress functions
- Detection difficulty: Very high — often invisible to basic scans
2. Phishing
Your site is used to host phishing pages mimicking legitimate services (banks, social networks, online services).
- Where they're found: Usually in hidden folders like `/wp-content/uploads/random-name/`
- How they work: Static HTML pages copying login interfaces
- Detection difficulty: Medium — detectable by checking recent files
3. SEO spam
Your site injects spam content into pages to promote third-party sites (pharmacy, gambling, pornography).
- Where it's found: Injected into WordPress pages, widgets, or database options
- How it works: Content invisible to visitors but visible to search engines
- Detection difficulty: Medium — requires checking source code
4. Defacements
Visible modification of your site's content to display the attacker's message.
- Where they're found: Theme files, homepage, or injection into the database
- How they work: Replacement of the site's visible content
- Detection difficulty: Low — immediately visible
Manual checks to perform
Before even installing a security plugin, you can perform these free manual checks:
Source code verification
- Open your site in your browser
- Right-click → "View Page Source" (or Ctrl+U)
- Search for the following elements:
| Element to search | Potential danger |
|---|---|
| `<script src="http://unknown-domain.com">` | Injected external malicious script |
| `<iframe>` with `display:none` | Hidden iframe for malicious code or tracking |
| `eval(base64_decode(...))` | Dynamically executed code — almost certainly malicious |
| Link to an unrecognized site | Redirect or third-party content injection |
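As an added example (not part of the original article), the following Python script applies the checks in this table to a page's HTML source; the `own_domains` list and the constructed sample page are assumptions:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not from the original article: flag the table's indicators in
# a page's HTML source. `own_domains` and the sample page are assumptions.
EVAL_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none", re.I)

class SourceAuditor(HTMLParser):
    def __init__(self, own_domains):
        super().__init__()
        self.own = {d.lower() for d in own_domains}
        self.findings = []  # (kind, evidence) pairs

    def _external(self, url):
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host not in self.own

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src") and self._external(a["src"]):
            self.findings.append(("external_script", a["src"]))
        elif tag == "iframe" and HIDDEN_RE.search(a.get("style") or ""):
            self.findings.append(("hidden_iframe", a.get("src") or ""))
        elif tag == "a" and a.get("href") and self._external(a["href"]):
            self.findings.append(("external_link", a["href"]))

    def handle_data(self, data):  # also reused for comments and <?php ?> blocks
        if EVAL_RE.search(data):
            self.findings.append(("eval_base64", data.strip()[:60]))

    handle_comment = handle_pi = handle_data

def audit_source(html, own_domains):
    """Return the list of (kind, evidence) findings for one page's source."""
    parser = SourceAuditor(own_domains)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not a real site): one clean script, three injections.
SAMPLE = """<html><body>
<script src="/wp-includes/js/jquery.js"></script>
<script src="http://unknown-domain.example/loader.js"></script>
<iframe src="http://unknown-domain.example/x" style="display:none"></iframe>
<a href="https://example.com/blog">My blog</a> <a href="http://cheap-pills.example/">buy</a>
<!-- eval(base64_decode('PLACEHOLDER')); -->
</body></html>"""
```

Run it against a saved copy of your page source (`curl -s https://your-site/ > page.html`, then `audit_source(open("page.html").read(), ["your-site"])`); every finding is a line to inspect, not a verdict.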
File check via FTP
- Connect to your server via SFTP
- Navigate to `wp-content/uploads/` - Golden rule: No PHP files should exist in upload folders
- Check the modification date of each file — recent additions are suspicious
- Examine the `wp-config.php` file for lines appended after the file's original last line
Database check
- Connect to phpMyAdmin from your hosting control panel
- Select your WordPress database
- Examine the `wp_posts` table for suspicious content in posts
- Check the `wp_options` table for unknown scripts or URLs
- Search for fields containing base64-encoded code
Malicious redirects are often hidden in the database — learn how to identify and stop them.
Security scanning tools and plugins
Automated tools are essential for complete detection. Here are the best options:
WordPress scanning plugins
| Plugin | Key features | Price |
|---|---|---|
| Wordfence Security | File scanning, firewall, brute force protection | Free / Premium from $99/year |
| Sucuri Security | File integrity, server-side scans, cloud WAF | Free plugin / Full service from $299/year |
| iThemes Security | Malware scanner, security hardening, 2FA | Free / Pro from $80/year |
| MalCare Security | Cloud scanning, auto cleanup, real-time protection | Free / Premium from $99/year |
Online scanning (no installation)
- Sucuri SiteCheck: `sucuri.net/scanner/` — Free analysis of your URL for known malware
- Quttera Web Malware Scan: Free scan with detailed report
- WPScan via command line: For advanced users with SSH access
How to interpret scan results
When your scanning tool detects suspicious files, here's how to evaluate them:
- ⚠️ Modified files: Comparison with WordPress originals — check if modifications are legitimate
- 🚨 Unknown files: Files not part of WordPress, themes, or plugins — examine manually
- 🔴 Evaluated code: Presence of `eval()`, `base64_decode()`, or `assert()` functions — almost certainly malicious
- 🟡 Upload files with PHP extension: High risk of backdoor
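The upload-folder rules from the FTP check above and the dangerous-function rule from this list, applied to a local copy of the site tree. This is an added example, not the article's own tool; the extension list, the 7-day "recent" threshold and the constructed fixture tree are assumptions:

```python
import os
import re
import tempfile
import time

# Added example, not from the original article: the upload-folder rules and the
# dangerous-function check from the scan-results section, run over a directory
# tree. The "recent" threshold and the fixture below are assumptions.
PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
DANGEROUS = re.compile(rb"\b(eval|assert|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
UPLOADS = os.path.join("wp-content", "uploads")

def audit_tree(root, recent_days=7, now=None):
    """Return (php_in_uploads, recent_files, dangerous_calls), paths relative to root."""
    cutoff = (now or time.time()) - recent_days * 86400
    php_in_uploads, recent, dangerous = [], [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            is_php = os.path.splitext(name)[1].lower() in PHP_EXT
            if is_php and rel.startswith(UPLOADS):  # golden rule: no PHP here
                php_in_uploads.append(rel)
            if os.path.getmtime(path) >= cutoff:  # recent additions are suspicious
                recent.append(rel)
            if is_php:
                with open(path, "rb") as fh:
                    if DANGEROUS.search(fh.read()):
                        dangerous.append(rel)
    return sorted(php_in_uploads), sorted(recent), sorted(dangerous)

def build_fixture():
    """Constructed sample tree (not a real install) with one planted backdoor."""
    root = tempfile.mkdtemp()
    files = {
        "wp-content/uploads/2024/05/photo.jpg": b"\xff\xd8 fake jpeg bytes",
        "wp-content/uploads/2024/05/wp-settings.bak.php":
            b"<?php eval(base64_decode('PLACEHOLDER')); ?>",
        "wp-content/themes/mytheme/functions.php": b"<?php add_action('init', 'x'); ?>",
        "wp-includes/old.php": b"<?php echo 'ok'; ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    old = time.time() - 60 * 86400  # backdate one file so it is not "recent"
    os.utime(os.path.join(root, "wp-includes", "old.php"), (old, old))
    return root
```

On a real site, point `audit_tree` at the SFTP download directory; the `dangerous` list will include some legitimate plugin code, so compare those files against a clean copy before deleting anything.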
Google Safe Browsing and VirusTotal
Two powerful external tools to check your site's reputation:
Google Safe Browsing
- Go to Google Search Console (search.google.com/search-console)
- Add and verify your site if not already done
- Check the "Security & Manual Actions" section
- Google will notify you if your site is flagged as dangerous
Advantages: Detects known malware, phishing pages, and dangerous downloads.
Limitations: Doesn't detect zero-day threats or very recent malware.
VirusTotal
- Go to virustotal.com
- Select the "URL" tab
- Enter your site's URL
- Click "Scan"
- Review results from over 70 antivirus engines
Advantages: Cross-references results from many security engines for broad detection.
Limitations: Static analysis — may miss conditional infections.
Other verification tools
- Google Transparency Report: transparencyreport.google.com/safe-browsing/search
- Norton Safe Web: One-click reputation check
- MXToolbox: Email and domain blacklist verification
Concrete signs of infection to watch for
Beyond scanning tools, here are behavioral signs that indicate infection:
Visible signs
- 🚨 Your site displays content you didn't publish
- 🚨 Advertising pop-ups appear for your visitors
- 🚨 Your site redirects to unknown sites
- 🚨 Google shows a security warning for your site
- 🚨 You receive complaint emails from your visitors
Technical signs
- ⚠️ Site performance abnormally slowed
- ⚠️ Unexplained increase in server CPU/RAM usage
- ⚠️ PHP files in upload folders
- ⚠️ New entries in the wp_options table you didn't create
- ⚠️ Unknown administrator accounts in WordPress
- ⚠️ Modified .htaccess file without your intervention
Indirect signs
- Your host contacts you about suspicious activity
- Your site is removed from search engines
- Your traffic drops inexplicably
- Your emails go to spam
For a complete list of hack signs, read our article: Hacked WordPress site: 12 signs you must not ignore.
If you've already identified an infection, don't panic — our guide hacked site: what to do in 15 minutes walks you through the emergency recovery process step by step.
Scanning the database
The database is often the primary target for attackers. Here's how to scan it manually:
Checking the wp_options table
- Open phpMyAdmin and select your database
- Click on the `wp_options` table
- Examine the "option_name" and "option_value" columns
- Search for entries containing PHP code, suspicious URLs, or base64-encoded content
- The `home` and `siteurl` fields should point to your legitimate domain
Checking the wp_posts table
- Search for posts containing suspicious HTML or JavaScript
- Check publication dates — recently modified old posts are suspicious
- Examine "post_content" fields for injections
Checking the wp_users table
- Count the number of users with "administrator" role (1-2 maximum)
- Verify emails associated with administrator accounts
- Search for accounts with suspicious usernames
Database scanning tools
- WP-CLI: Command `wp db check` to verify table integrity
- WP-Optimize plugin: Database cleanup and verification
- Custom SQL queries: For advanced users with SSH access
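An added example (not from the article) that runs the wp_options checks from the two database sections above over rows exported from phpMyAdmin or `wp db query`; the row layout, the `own_domain` value and the sample rows are assumptions:

```python
import base64
import re
from urllib.parse import urlparse

# Added example, not from the original article: the wp_options checks from the
# text run over (option_name, option_value) rows. Sample rows are constructed.
SCRIPT_RE = re.compile(r"<script\b|eval\s*\(|base64_decode\s*\(", re.I)
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/])")
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)

def same_site(host, own):
    return host == own or host.endswith("." + own)

def hidden_payload(value):
    """True when a long base64 run in the value decodes to PHP or JavaScript."""
    for blob in B64_RE.findall(value):
        try:
            text = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("latin-1")
        except ValueError:
            continue
        if SCRIPT_RE.search(text) or "<?php" in text.lower():
            return True
    return False

def audit_options(rows, own_domain):
    """Return (option_name, reason) findings; own_domain is your legitimate host."""
    own, findings = own_domain.lower(), []
    for name, value in rows:
        value = value or ""
        if name in ("home", "siteurl"):  # both must point at your own domain
            if not same_site((urlparse(value).hostname or "").lower(), own):
                findings.append((name, "points away from your domain: " + value))
            continue
        if SCRIPT_RE.search(value):
            findings.append((name, "contains script tag or eval"))
        elif hidden_payload(value):
            findings.append((name, "base64-encoded code"))
        for url in URL_RE.findall(value):  # unknown URLs are worth a look
            host = (urlparse(url).hostname or "").lower()
            if host and not same_site(host, own):
                findings.append((name, "foreign URL " + url))
    return findings

# Constructed sample rows (not from a real site): two clean, two suspicious.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"), ("blogname", "My shop"),
    ("widget_text", "<script src='http://unknown-domain.example/a.js'></script>"),
    ("_transient_x", base64.b64encode(b"<?php eval(base64_decode('PLACEHOLDER')); ?>").decode()),
]
```

Legitimate plugins also store foreign URLs and base64 blobs in wp_options, so treat the output as a review list and confirm each hit before editing the table.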
What to do once infection is confirmed
If you've confirmed the presence of malware, here's the procedure to follow:
Step 1: Isolate the site
- Enable maintenance mode immediately
- Don't delete anything — preserve evidence
- Contact your host to report the compromise
Step 2: Backup and analyze
- Create a complete backup (files + database)
- Analyze server logs to identify the intrusion method
- Compare your files with a clean WordPress copy
Step 3: Clean up
- Remove all identified malicious files
- Clean the database of injections
- Change all passwords (WordPress, FTP, database, hosting)
- Update WordPress, themes, and plugins
Step 4: Secure
- Install a firewall plugin
- Enable two-factor authentication
- Configure automatic backups
- Enable real-time monitoring
Need a professional analysis of your site?
The WpDefender team uses advanced tools to detect even the most hidden malware. Complete analysis guaranteed in under 30 minutes.
Don't let malware destroy your site
Every day of infection increases the damage. Our team acts quickly to detect, clean, and secure your WordPress site.
📞 Emergency: call us directly · ⏱️ Analysis in under 30 min