How I Scan WordPress for Malware for Free (A Practical Step-by-Step Guide)

Editorial Team

Tutorials

TLDR: You can detect and clean most WordPress malware without spending money by combining free online scanners, trusted free plugins, manual checks, and a careful cleanup and hardening routine. I’ll walk you through the exact tools and steps I use, what to avoid, and how to recover safely if things go wrong.

How to scan WordPress for malware: a free, reliable workflow

I’ll be honest — the first time my site got infected I panicked. I saw unexpected redirects, a sudden traffic drop, and spammy content showing up on pages I never edited. That experience forced me to learn how to scan WordPress for malware free of charge. Over time I created a repeatable process that helped me identify infections quickly and recover without paying for expensive services. In this guide I share that process so you can protect and clean your site with confidence.

What is a malware scan for WordPress?

A malware scan is a set of automated and manual checks that look for signs of compromise in your WordPress installation. Scanners flag suspicious files, injected code, modified core files, unknown admin users, malicious database entries, unauthorized redirects, and backdoors that attackers use to regain access. However, no single tool finds everything. That is why I combine multiple free tools and manual inspection steps.

Why does scanning WordPress for malware matter?

Malware damages trust and search ranking fast. Search engines can blacklist your site, visitors may see malicious popups or redirects, and attackers can steal data or use your server to send spam. Early detection limits the damage: you can quarantine infected files, restore a clean backup, and stop fresh payloads before they spread. I treat scanning as routine maintenance, part of keeping a site healthy.

Let’s break it down: the free toolset I use

Here are the no-cost tools I use in combination. Each finds different things, so using several increases coverage.

  • Free online scanners (Sucuri SiteCheck, VirusTotal URL scan) — good for surface-level issues: blacklist status, injected scripts, and known malware signatures. They only see what an anonymous visitor sees, so they cannot find server-side backdoors.
  • Free security plugins (Wordfence Free, iThemes Security Free, now renamed Solid Security) — local scanning of files, plugin/theme signatures, and login activity.
  • Command-line utilities (WP-CLI, if you have SSH) — wp core verify-checksums and wp plugin verify-checksums compare files against the WordPress.org copies, and wp plugin list shows installed versions quickly.
  • Manual file inspection — open suspicious PHP files, check modification dates, and grep for base64_decode, eval, gzinflate, and unusually long strings. Some legitimate plugins use these functions too, so treat hits as leads, not verdicts.
  • Database queries — search wp_posts and wp_options for injected scripts or spam content, and wp_users/wp_usermeta for administrator accounts you did not create.

How do you scan WordPress for malware free? A step-by-step method

Follow these practical steps. I use them in the same order every time because they reduce risk and make rollback easier.

1) Snapshot and backup before you touch anything

First, create a full backup of both files and database. I use my host’s backup tool or a free plugin such as UpdraftPlus. Label this copy as the infected snapshot so it is never mistaken for a clean restore point: it preserves evidence and lets you compare files later, but it contains the malware. Store it off the server (downloading it to a local machine is fine) and treat the archive as hostile; do not restore it without review. Backups save you from accidental data loss while cleaning.

2) Run quick online checks

Before logging into WordPress, run Sucuri SiteCheck and VirusTotal on your homepage and a few suspect URLs. These free scanners show whether your site is blacklisted, display injected JavaScript, and point out suspicious external calls. A clean result is not proof of a clean site: redirect malware often shows itself only to certain user agents or search-engine referrers, and these scanners never see the server filesystem. Take screenshots of findings for your records.

3) Scan with a local security plugin

I install Wordfence Free or iThemes Security Free (now Solid Security) and run a full scan. These plugins compare core, plugin, and theme files against the WordPress.org copies, look for known malware signatures, and report modified files. They also reveal unknown admin accounts and recent file changes. Keep in mind that the scanner runs inside the same PHP process the malware runs in, so a well-placed backdoor can hide from it; treat its results as a starting point, not a verdict. If you prefer not to install a plugin on a live site, use a staging copy.

4) Check file integrity and unusual files

Next, inspect the filesystem. Look for recently modified files with strange names, PHP files inside wp-content/uploads (which should hold media only), unexpected files in wp-content/mu-plugins (these load automatically without activation, which makes the folder a favourite spot for backdoors), and lines you did not add in wp-config.php and .htaccess. On servers with SSH I list files sorted by modification date and grep for common obfuscation functions: base64_decode, eval, create_function, gzinflate, and long concatenated strings. Compare any hit against a fresh copy of the same plugin or theme before calling it malicious.

5) Scan the database and search for injected content

Attackers often inject scripts into the database, hidden in wp_posts, wp_options, or user meta. I use phpMyAdmin or WP-CLI to run targeted queries for strings such as script src, iframe, onload=, or eval(. I also list every account that holds the administrator capability and every scheduled wp-cron event, and remove the ones I cannot account for. If you find malicious rows, export them and review before deleting.

6) Clear caches and regenerate static files

Malicious pages can persist in caches. Purge the server-side cache, any caching plugin, and your CDN (Cloudflare, for example) after the infected files and database rows are gone; a purge before cleanup simply re-caches the infected output. Purge once more after the final round of changes. This step often removes injected assets that were still being served from cache.

7) Quarantine or remove infected files

If a plugin flags a file or you find a backdoor, move the file out of the webroot into a quarantine folder (do not delete it immediately). Quarantining keeps the evidence intact for later comparison, and a file outside the document root cannot be executed by the web server. Replace modified core files with fresh copies from WordPress.org, reinstall plugins and themes from their original sources, and remove abandoned or nulled (pirated premium) plugins, which commonly ship with malware.

8) Replace passwords and revoke keys

After cleaning, rotate every credential: WordPress admin users, the database user (update DB_PASSWORD in wp-config.php to match), FTP/SFTP, the hosting control panel, and any API keys. I also replace the salts in wp-config.php (wp config shuffle-salts does this with WP-CLI), which invalidates every existing login cookie, including the attacker’s, and revoke all application passwords from each user’s profile page. This prevents attackers from reusing credentials or sessions harvested earlier.

9) Hardening and post-clean monitoring

To lower the chance of reinfection I apply several free hardening measures: enable automatic updates, set file permissions properly (755 for directories, 644 for files, tighter for wp-config.php), disable the dashboard file editor by defining DISALLOW_FILE_EDIT as true in wp-config.php, limit login attempts, and enable two-factor authentication for admin users. In addition, schedule regular Wordfence scans or Sucuri checks and watch server logs for anomalous activity, such as POST requests to PHP files under wp-content/uploads.

10) When to restore from a clean backup or reset

If the infection is deep (multiple unknown admin accounts, widespread obfuscated code, or persistent backdoors you cannot locate), restoring a known clean backup can be the safest option. Establish the compromise date first from logs and file modification times, and only restore a backup taken before it; a later backup carries the backdoor with it. After restoring, still rotate credentials and close the entry point, or the site will be reinfected. If you cannot find a clean backup and the site remains compromised, consider a controlled reset. I once had to reset my site to a clean state and rebuild carefully.
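The filesystem, database and quarantine steps above (4, 5 and 7) as one shell triage script, added here as an example; it is not part of the original article and not a script the tools above ship with. It assumes a Linux host with GNU find, grep and sha256sum, WP-CLI available on PATH as wp for the database checks, and a quarantine directory outside the webroot. The paths in the usage line are placeholders. The grep pattern is the list from step 4 plus gzuncompress, str_rot13 and a run of 120 or more base64-looking characters; the SQL is written out so phpMyAdmin users can paste it, and the table prefix is read from wp-config.php rather than assumed to be wp_.

```shell
#!/bin/sh
# Added example, not from the original article: a triage helper for steps 4, 5 and 7.
# Assumes GNU find/grep/sha256sum, WP-CLI on PATH as `wp` for the database checks,
# and a quarantine directory that lives OUTSIDE the webroot. Paths in the usage
# line are placeholders.
set -eu

# Step 4: PHP files modified in the last N days, newest first, with owner and mtime.
recent_php() {          # recent_php <webroot> <days>
  find "$1" -type f -name '*.php' -mtime "-$2" -exec ls -lt {} +
}

# Step 4: the uploads tree should hold media only, so any PHP there is suspect.
php_in_uploads() {      # php_in_uploads <webroot>
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null || true
}

# Step 4: files using the obfuscation idioms named in the text (base64_decode, eval,
# create_function, gzinflate), plus gzuncompress/str_rot13 and any run of 120+
# base64-looking characters ("long concatenated strings"). Hits are leads, not
# verdicts: compare each against a fresh copy of the plugin or theme.
OBF_RE='base64_decode\(|eval\(|create_function\(|gzinflate\(|gzuncompress\(|str_rot13\(|[A-Za-z0-9+/=]{120,}'
obfuscation_hits() {    # obfuscation_hits <webroot>
  grep -rlE --include='*.php' -e "$OBF_RE" "$1" || true
}

# Step 5: targeted queries through WP-CLI (phpMyAdmin users can paste the SQL).
# Finds injected markup in posts and options, lists every account holding the
# administrator capability, and prints scheduled wp-cron events. The table prefix
# comes from wp-config.php rather than being assumed to be wp_.
db_checks() {           # db_checks <webroot>
  p=$(wp --path="$1" db prefix)
  wp --path="$1" db query "
    SELECT ID, post_type, post_modified FROM ${p}posts
     WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%'
        OR post_content LIKE '%onload=%'  OR post_content LIKE '%eval(%';
    SELECT option_id, option_name FROM ${p}options
     WHERE option_value LIKE '%<script%' OR option_value LIKE '%eval(%';
    SELECT u.ID, u.user_login, u.user_email, u.user_registered
      FROM ${p}users u JOIN ${p}usermeta m ON m.user_id = u.ID
     WHERE m.meta_key = '${p}capabilities' AND m.meta_value LIKE '%administrator%';"
  wp --path="$1" cron event list
}

# Step 7: move a confirmed file out of the webroot, keeping its relative path, and
# log a UTC timestamp plus SHA-256 so the evidence can be compared later. Refuses a
# quarantine directory inside the webroot, where the file could still be executed.
quarantine() {          # quarantine <webroot> <file> <quarantine-dir>
  case "$3" in "$1"/*) echo "quarantine dir must be outside the webroot" >&2; return 1;; esac
  rel=${2#"$1"/}
  mkdir -p "$3/$(dirname "$rel")"
  sum=$(sha256sum "$2" | cut -d' ' -f1)
  mv "$2" "$3/$rel"
  chmod 0400 "$3/$rel"  # readable for analysis, never executable
  printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$sum" "$rel" >> "$3/MANIFEST"
}

# Usage: sh wp-triage.sh /var/www/html   (review the output, then quarantine by hand)
if [ -n "${1:-}" ]; then
  recent_php "$1" 7
  php_in_uploads "$1"
  obfuscation_hits "$1"
  if command -v wp >/dev/null 2>&1; then db_checks "$1"; fi
fi
```

Run it as sh wp-triage.sh /var/www/html to print the three file lists (and the database and cron output when WP-CLI is present), check each hit against a fresh copy of the plugin or theme, and quarantine only confirmed files by hand, for example quarantine /var/www/html /var/www/html/wp-content/uploads/2024/x.php /var/quarantine. The MANIFEST line records when each file was moved and its SHA-256, so if a file with the same name reappears you can tell whether it is the same payload or a new one.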

What should you avoid during a free malware scan and cleanup?

Simple mistakes can make things worse. Avoid these common pitfalls.

  • Do not delete the entire site immediately. Deleting without a backup removes evidence and may complicate recovery.
  • Do not blindly trust one scanner. False positives happen — cross-check findings before removing files.
  • Don’t use pirated or nulled plugins to save a buck. They are a frequent infection source.
  • Do not change passwords from a computer you suspect is compromised; a keylogger there captures the new credentials too. Use a clean device to set them.
  • Don’t forget to purge caches and CDN after cleaning. Otherwise visitors will still see malicious content.

Common free tools and what each finds

Here are the tools I use regularly and why I rely on them.

  • Sucuri SiteCheck (online) — checks blacklist, injected JS, and known signatures on public pages.
  • VirusTotal (URL) — aggregates many scanners for URL checks and shows whether the URL is flagged externally.
  • Wordfence Free — server-side scanning, file comparisons, and login security controls.
  • iThemes Security Free (now Solid Security) — file change detection and hardening recommendations.
  • WP-CLI and grep — fast local searches for obfuscated code and file modification dates when you have SSH.

How I validated my cleanup worked

After cleaning I re-run the online scanners, check the Security Issues report in Google Search Console, and monitor traffic and server logs. Over the following weeks, watch for the same file paths reappearing, new administrator accounts, and requests to PHP files that should not exist; any of these means the entry point was not closed. If the site remains stable, you can relax, but keep the scheduled scans running as a precaution.

Frequently Asked Questions

Can I really scan and remove WordPress malware for free?

Yes. Most infections can be detected and removed using free scanners, free security plugins, and manual inspection. However, complex cases or attacks that persist may require paid services or professional help. I treat free tools as my first line of defense and escalate only when necessary.

Which free scanner is best for WordPress?

There is no single best scanner. Sucuri SiteCheck is great for public-facing issues and blacklist checks. Wordfence Free offers deeper server-side scanning. Use both for better coverage. In addition, online aggregators like VirusTotal help confirm findings.

Will malware always show up in scans?

No. Some backdoors and obfuscated payloads evade signature-based scanners. That is why I combine automated scans with manual file reviews, database searches, and log analysis. If you are not comfortable with manual steps, consider getting assistance or moving the site to a staging environment for deeper checks.

How can I prevent reinfection after I clean my site?

Harden your site: keep WordPress, themes, and plugins updated, remove unused plugins/themes, use strong passwords and two-factor authentication, limit login attempts, and monitor file changes. Also, avoid nulled plugins and use reputable hosts that offer isolation and backups.

My site is slow after a hack. Should I worry?

Yes. Malware can consume resources, inject extra scripts, or make many external calls that slow pages down. After cleaning, audit page speed and look for leftover scripts; if an unknown script is still loading, the cleanup is not finished. Then tune performance as usual, taking care not to reintroduce infected files from an old backup.

Final checklist before you call it done

  • Backups saved and stored off-server
  • Online scanners show clean results
  • Plugin/theme/core files replaced with clean copies
  • All passwords rotated and API keys revoked
  • Caches purged and CDN invalidated
  • Ongoing scan schedule and hardening measures active

To summarize, scanning WordPress for malware for free is a repeatable process: several free scanners, manual inspection, careful cleanup, and solid hardening. I recommend you practice this workflow on a staging copy first, document every change, and keep reliable backups. If you hit a persistent infection, escalate to a professional to avoid prolonged damage.

Good luck. If you want, tell me what symptoms you’re seeing and I’ll suggest the next specific steps.
