Even still, cybercriminals know that many WordPress users either don’t understand proper security or don’t take it seriously, making their websites easily hackable.
Want to prove them wrong? One of the first steps to strengthen security on a WordPress site is a security scan.
What Is a WordPress Security Scan?
A WordPress security scan reviews the files that run your website and detects harmful or potentially harmful code placed by attackers. Some scanners also flag security weaknesses such as weak passwords or outdated software, and recommend fixes for them.
A thorough security scan checks your WordPress core (the files WordPress itself uses to run), your active theme, and every installed plugin (inactive ones included, since their files are still on the server) for malicious code and known vulnerabilities. Comprehensive scans are the safest choice, since you never know which part of your website could be compromised.
Why You Should Scan Your WordPress Site
Cybersecurity should be a top priority for any website, since a successful attack could mean disaster for your business’s growth and reputation. It doesn’t help that the security battlefield changes so often, with new technologies always being implemented to both harm and protect unsuspecting website owners.
Even after taking the proper measures to block out attacks, it’s impossible to eliminate the chance of a successful hack on any website, including those built with WordPress. Even worse, an attack gone undetected will continue to cause damage long after the initial breach. Without security scanning, you leave your visitors and customers susceptible to a variety of attacks from undetected intrusions.
You could review your website files for harmful code yourself, but this requires time and expertise that you may not have, not to mention it carries the risk of accidentally damaging your files in the process. To clean up your WordPress site and keep it that way, leave it to a proper security scan.
How to Scan Your WordPress Site for Malware
As with many things in WordPress, the simplest way to run scans is with a plugin built for WordPress security. But not just any plugin will do: choose one that is reputable and actively maintained, since new vulnerabilities surface constantly and need competent developers to address them.
Even with the right plugin, security scans are not one-and-done. According to web hosting provider Bluehost, you should scan your website for problems at least once a month, and the frequency of scans should increase based on the popularity and visibility of your website, as well as what content you store online. It’s also a good idea to conduct a scan after an update to WordPress core, your theme, or any of your plugins.
Defender is an all-in-one security plugin for WordPress, offering both free and paid versions. Among its many security features, the free version offers WordPress core malware scans to detect malicious code and quickly restore damaged files. It also contains tools for two-factor authentication (2FA) using Google Authenticator, login protection to combat password-guessing bots, login screen masking, and an IP blacklist manager.
To get the most from Defender, we recommend upgrading to Defender Pro. With it, you’ll receive security update reminders, firewall protection (for filtering traffic from outside networks), advanced reporting, and audit logging. Defender Pro also scans your plugins and themes in addition to WordPress core.
Pricing: Defender offers a free version and a paid version for $6 per month. Alternatively, you can sign up for a WPMU DEV membership ($19 per month), which grants access to all other premium WordPress plugins offered by WPMU DEV.
Wordfence is a widely used plugin for comprehensive protection of your WordPress website — many WordPress site owners consider it the best of its kind.
The free version of Wordfence includes a malware scanner that checks WordPress core, themes, and plugins against known-good copies and flags harmful code, spam, and injections so you can repair or remove them. It also includes brute-force login protection, 2FA, site monitoring tools, and a web application firewall. The free tier is enough for many sites, but note that new malware signatures (and firewall rules) reach free users 30 days after they reach Premium users, so your scans will lag behind the newest threats by about a month.
The premium version of Wordfence enables live malware detection updates, an IP blocklist, and the ability to check whether your website or IP has been blocklisted, and for what reason.
Notably, if you manage multiple websites built with WordPress, Wordfence also offers the free "Wordfence Central" feature, which lets you oversee security for every site running the Wordfence plugin from one dashboard.
iThemes Security is another highly reputable option for WordPress users seeking better security. The free version of the plugin covers fundamental security measures including basic security scans, database backups, login protection against brute-force attacks, and spam prevention.
However, the paid version is where iThemes Security shines, with more advanced malware scans (including scheduled scans and a dashboard widget that lets you scan instantly), 2FA, tools for closely monitoring user accounts, password strength checking and expiration, Google reCAPTCHA integration for login and website forms, and a lot more.
For a more hands-on plugin solution, try BulletProof Security. The free version alone offers an abundance of features including malware scanning, login protection and monitoring, maintenance mode, update reminders, error logging, and tools for editing specific files (notably .htaccess hardening rules) to your liking. If that's not enough, the pro version essentially doubles the number of available features.
BulletProof Security is aimed at experienced WordPress admins who are comfortable toggling the most minute aspects of their website, so it's not recommended for beginners. If you want a plugin that does most of the work for you, we recommend looking elsewhere. But, if you want tighter control and aren't afraid of a slightly steeper learning curve, give BulletProof a shot (pun intended).
Jetpack has become a staple of the WordPress ecosystem, so much so that many hosts will automatically install Jetpack on new WordPress websites. This is all for good reason: Jetpack is a suite of tools that handle most of your WordPress needs in one place, including marketing, speed, design, and, relevant here, security.
Jetpack is developed by Automattic, the company behind WordPress.com and a major contributor to WordPress core, so its team understands WordPress's inner workings and how to harden them. In addition to automated backups and spam protection, Jetpack's security module comes with an automated malware scanner.
To get the full extent of Jetpack security, you can subscribe to the Daily plan ($11.97 per month) or the Real-time plan ($33.57 per month). The difference between these plans is the frequency of backups and scans, with Real-time allowing multiple per day.
Pricing: Jetpack offers a free version and two paid versions priced at $11.97 per month and $33.57 per month. You can also subscribe to the full Jetpack suite for $47.97 per month, which gets you all features from the Daily security plan.
For a powerful free option, try All In One WP Security & Firewall. This plugin emphasizes its user-friendliness and wide range of free offerings, including malware scanning, a firewall feature with adjustable filter levels, login protection, close user monitoring, automatic and manual database backups, and many other features to toggle smaller security details in your website, all tied together with a highly visual interface.
If you’re looking for a wider selection of premium features, you’ll need to spring for a paid tool. But, for a free plugin, All In One WP Security & Firewall is quite versatile.
Pricing: All In One WP Security & Firewall is free.
WP Cerber Security is a robust freemium solution trusted by thousands of WordPress website owners. This plugin packs an extensive list of benefits to ensure your website sticks to best practices. One of these is its automated malware scanning, which is included in paid plans.
WP Cerber’s malware scanner and integrity checker evaluates all website files for backdoors, code injections, and altered code. It also compares your core files to those in the official WordPress repository and verifies plugins and themes that you install manually on your site.
The tool also lets you schedule and automate malware scanning and sends you alerts to email and mobile if an issue is ever detected. It should go without saying, but WP Cerber deletes malware and fixes files when it locates these issues. Finally, you have the option of receiving an email report with scan results.
Pricing: WP Cerber is available as a free version (for spam protection only). For malware scans, purchase a subscription starting at $29 per quarter for one website.
The Titan Anti-spam & Security plugin started as a spam-blocker, but has since expanded into a comprehensive freemium security plugin and malware scanner. The free version of the Titan plugin includes basic functionality including simple scans — it will compare your core, theme, and plugin files to those in the WordPress repository, and allows you to delete unnecessary files from your admin dashboard. Titan will also scan messages and comments on your website for harmful and suspicious URLs and code.
Like other recommendations here, your scans won’t be as powerful as they could be if you’re using the free version of this plugin. After upgrading to a paid plan, you’ll have access to a more thorough malware scanner (with 6,000+ signatures, as opposed to 1,000+ in the free version) that can be scheduled and automated. Another unique bonus of Titan’s scanner is the option to scan at three different speeds — a slower scan is less likely to temporarily affect the performance of your live site.
Sucuri is known for its standout cybersecurity products and services, including its free WordPress security plugin. In addition to free resources like email alerts, WordPress core integrity checks, and post-hack cleanup guides, Sucuri's plugin includes a scanner that detects malware, errors, outdated code, and blacklisting status.
However, that scanner is remote: it fetches your site's public pages the way a browser would and inspects what comes back, so it can catch injected scripts, redirects, and blacklisting, but it cannot read the PHP files on your server. A backdoor that does not change your page output will not show up, so it is not as thorough as the file-level scans offered by other options on this list. You can also run the same remote scanner from Sucuri's SiteCheck website without installing the plugin.
Pricing: The Sucuri WordPress plugin is free, and integrates with Sucuri’s paid security features.
Security Ninja is an excellent option for WordPress users who want a security plugin focused on extensive checks and detailed reviewing. Besides having the best name on this list, Security Ninja runs over 50 different security checks on the safety of your login procedures, plugins, and more. After a scan, it presents the results in detail, making it easy to run down the list and pinpoint vulnerabilities.
Security Ninja is unique among the premium plugins listed here for offering both a subscription service and a one-time purchase of the product. If you think you’d prefer the plugin’s highly visual means of reporting, sample the free version and decide if you’re up for paying the lifetime, one-time charge.
Pricing: Security Ninja offers a free version and a paid version with monthly, annual, and lifetime subscription options. A paid subscription starts at $49 per month, while lifetime purchases start at $119 for one website.
Malware scans protect your website.
There are many plugin options for hardening your WordPress site, and some will certainly work better for your needs than others. As with any plugin, take the time to research and weigh your options before settling on one. Of course, switching out one for another is okay, too.
If you use any of the plugins I’ve listed here, be sure to update them when needed and run scans regularly. By staying on top of your scanning, you’ll keep a clean website and a clear head.
Editor's note: This post was originally published in May 2020 and has been updated for comprehensiveness.
Originally published Apr 21, 2021 7:00:00 AM, updated March 24 2022