How to check your site for malicious software and code, and the most important tips to secure it completely


Perhaps one of the most difficult situations that WordPress site managers may encounter is a sudden hack, or attacks that aim at one. According to statistics, WordPress sites are exposed to nearly 100,000 hacks every minute, which is a reasonable number given the millions of websites that use WordPress.

If you neglect the security and protection of your WordPress site, you may eventually be hacked, and the hack may leak your site’s database or your users’ personal information. This is especially dangerous if you run an online community or online store, because this type of site is full of members and users.

But there is no need to worry: most attacks rely on malware, and fortunately site owners can scan their sites for this type of software and then clean them completely. In this article we explain the correct way to do so, and then take a tour of the most important and easiest security and protection practices.

What is Malware

The term used here corresponds to the two most common English phrases in this regard, (Malware) and (Malicious Software). These terms cover any software or code used by hackers to harm your site, or to access and modify it without your permission.

As mentioned above, the dangers of malware affect not only you but your visitors as well. If your site is infected with malicious software, visitors may face problems, and you may notice some of the following symptoms:

  • Your site’s performance drops suddenly
  • Site visitors see the message (the site ahead contains malware)
  • Site visitors who use virus protection software may not be able to visit your site in the first place
  • In the event of infection, you can notice the appearance of new files within the site’s files
  • In severe cases, the administrator may not be able to log into the WordPress dashboard
  • In some other critical cases, site visitors begin to see annoying pop-up ads, which were placed by the hacker, of course.

This is an example of the alert shown to visitors


How does malware get into your WordPress site?

There is no disputing the damage that malware causes to websites, and the symptoms above are examples. When a visitor sees these alerts or notices these symptoms, he may be reluctant to visit your site again, which is something you do not want, and the risks increase if your WordPress site is a WooCommerce store.

But the most important question here is: how did the malware get to your site in the first place? WordPress sites are exposed to malware in different ways. A hacker may plant it manually, or it may be (injected) into your site through your own actions, such as using stolen templates or plugins.

Your site may also be compromised by a bot. This happens when you do not limit the number of login attempts on the admin control panel: a small bot application can then try millions of combinations until it manages to log in, because the site will not stop it from trying again and again.

A WordPress site owner can also be exposed to malicious code by not deleting unused templates and plugins. Their developers sometimes use (backdoors) to access the sites that use them, and this applies especially to templates and plugins obtained from unofficial sources.

Of course, your site will not be spared if you yourself are hacked. If your device is compromised, by clicking a misleading link or downloading an unofficial program, the hacker can access everything you do on your personal computer, including the management of your site.
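A site with no limit on login attempts shows the bot activity described above in its web server access log. The following is an added example, not part of the original article: it counts POST requests to wp-login.php per IP address in a sliding window. The combined log format, the thresholds, the sample lines and the reading of a 302 response as a successful login are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: Apache/Nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def sample_line(ip, second, method, path, status):
    """Build one constructed log line (documentation IP ranges, fake agent)."""
    return (f'{ip} - - [12/Mar/2021:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "constructed-sample"')


# Constructed sample: one address posting every 4 seconds, one normal login.
SAMPLE_LOG = (
    [sample_line("203.0.113.9", s, "POST", "/wp-login.php", 200) for s in range(0, 40, 4)]
    + [sample_line("203.0.113.9", 41, "POST", "/wp-login.php", 302)]
    + [sample_line("198.51.100.7", 5, "GET", "/wp-login.php", 200),
       sample_line("198.51.100.7", 9, "POST", "/wp-login.php", 302)]
)


def login_bursts(lines, max_attempts=5, window=timedelta(minutes=1)):
    """Report IPs that POST to wp-login.php more than max_attempts times per window.

    Returns {ip: {"peak": int, "success_after_burst": bool}}. Lines must be in
    chronological order per IP, as they are in a normal access log.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    report = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # endswith() also covers WordPress installed in a subdirectory.
        if not m["path"].split("?")[0].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_attempts:
            entry = report.setdefault(
                m["ip"], {"peak": 0, "success_after_burst": False})
            entry["peak"] = max(entry["peak"], len(q))
            # Assumption: a stock login form answers a failed login with 200
            # and redirects (302) after a successful one.
            if m["status"] == "302":
                entry["success_after_burst"] = True
    return report


if __name__ == "__main__":
    for ip, info in login_bursts(SAMPLE_LOG).items():
        print(ip, info)
```

An address reported with success_after_burst set deserves attention first: change the passwords of the accounts it tried and review their recent activity.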

The importance of checking your site continuously against Malware

We have previously talked about some obvious symptoms of your site being infected with malware or malicious code, but sometimes no symptoms appear at all, so any site manager should check his website continuously.

The main value of regular checking therefore lies in catching hidden malware and avoiding the damage described above. There are other kinds of damage your site may suffer if you neglect to check it, especially given that 83% of hacked CMS-based sites run on WordPress!

This is not because WordPress is weak, but because it is the most common. These are the main kinds of damage your site may suffer if checking is neglected:

1. Significant harm to SEO performance 

Your site depends heavily on its SEO (search engine optimization) performance, so any damage to it means your site appears less well in search results. Google may give your site (violations) if it discovers that the site contains malicious software, and this is logical when you think about it: otherwise Google would be leading visitors to a site that contains malicious software!

2. Decreased website performance 

We talked earlier about the site slowing down because of malware, but the reason behind the slowdown can have serious consequences: the hacker may be using your server or hosting resources to hack other sites! In addition to reduced performance, this may lead to problems between you and your hosting or server provider.

3. Harm to email performance 

Hackers can use your site’s resources, specifically your IP address, to randomly send spam emails, and this may eventually lead to your site being banned from larger email providers, such as Google and Microsoft.

4. Harm to visitors

We’ve talked about this point before, but because of its importance, we’re talking about it again. Malware planted inside your site can cause great harm to visitors, and in some advanced cases, visitors themselves can become infected with this software.

When is a good time to check your site?

You should never wait for symptoms to appear or for your site to be damaged before you start scanning it. Do it immediately, and regularly, especially since some malware is very stealthy, as mentioned above.

We recommend that you scan your site for malware at least once a week, and that you do so immediately after installing any new theme or plugin or uploading a file to your site.

How to scan your site against malware

Fortunately, checking your site for malicious files or Malicious Software can be done simply by relying on reliable plugins. A number of them provide this service to WordPress site owners, and their features differ from one plugin to another.

Although there are a number of plugins, we start with the Wordfence plugin because of its good reputation and high performance. Like most WordPress plugins, it is available in a free and a paid version, and you can start with the free version.

Start using the Wordfence plugin

Our first step is to download and install the plugin. You can download it from the WordPress plugin platform and then upload it manually via the plugin page.

However, the easiest solution is to install it directly through the control panel, by following these steps:

  1. Log in to your WordPress site control panel in the usual way
  2. Go to the Plugins section, and then go to the (Add New) option.
  3. From there, search for the plugin by typing its name in the search bar, then click on install, and after the installation is complete, do not forget to activate it.

The plugin is now installed and activated, and you can see it appearing among the settings in the right-hand menu. Once installed, it asks you to enter your email address, which will receive warnings about your site directly. We are now ready to work, but first you must create a backup of the site.

We explained this point extensively in a previous article, but since we are here, take a quick look at how to create a backup of your entire site in minutes:

Create a site backup

You can back up your site in more than one way, most notably by downloading all of your site files and the database files! That is the traditional way, but there are now easier ones.

To create a complete backup of the site, we will rely on a plugin called UpdraftPlus Backups, which you can download and install exactly as we explained for Wordfence.

You can learn about the plugin in full in our previous article, How to use the UpdraftPlus extension to backup your site. Whether you use it or another one, the essential step is to create a backup before proceeding.

Scan your site with the Wordfence plugin

Now that we have created a backup, we return to Wordfence. The option we need now is Scan, and you can start a new scan of your entire site from the main page of the plugin, or by following these steps:

  1. Go to the plugin’s section in the control panel
  2. Head to the (Scan) option to start the scan
  3. Click on the option (Start Scan Now) to start the scan

At this point Wordfence starts a full site scan, which of course also includes looking for Malware files within your site, and besides that it also keeps track of changes made to any of your site’s files, along with any other items that the plugin might suspect.

The scan takes some time, especially if your site is large. When it finishes, the plugin displays a report of what it found and classifies the risks as light, medium, or severe.

When reading the report, you should know that an (unknown file in WordPress core) entry means your site is most likely infected with malware, because this alert means that the plugin has found a foreign file among the core WordPress files.

Fortunately, Wordfence lets you delete all files that can be deleted with just one click. Deleting these files may damage your site if an important file is among them, so be sure to read the warning messages carefully.

Professional use of Wordfence plugin

We return to the main page of the Wordfence plugin, which can be accessed by clicking on the name of the plugin that appears under the settings menu in the WordPress dashboard:

As you can see, the home page displays more than one option. In the middle is the Scan option, which we covered earlier, and next to it is the firewall option, whose settings we can control by clicking on (Manage Firewall), as in the picture:

In the firewall options we see that the firewall is not yet activated: it is currently in learning mode. It can be activated by choosing activation from the menu, or left in automatic mode so that it activates automatically on the date shown.

On the same page there is another option, (Real-Time IP Blocklist), but it is a paid option, which allows you to block specific IP addresses from the site.

Returning to the firewall settings page, we note the (Protection Level) option, which allows experienced users to modify the way the firewall works. We do not recommend modifying these settings without the experience to do so:

The default Wordfence settings are sufficient, and we recommend changing them only if you have the experience to do so. On the same firewall options page there is a set of other options:

The options are divided (in order) into:

  1. Advanced firewall options
  2. Brute-Force protection options described within the article
  3. Options for limiting request rates by users – or bots in particular
  4. Whitelisted link options, which are links that the firewall settings do not apply to

The options within the Wordfence add-on do not stop there, as the Tools section within the add-on offers other very important options, as follows:

Live Traffic options:

These options let you follow what is happening on your site in real time. Through this tool you can see login attempts, hack attempts, and any other requests made to the site, and whether they were rejected by the Wordfence firewall.

Whois Lookup options:

This tool, based on the Whois database, lets you see which domain owner or IP address is trying to publish deceptive or malicious content or to hack your site, given that the IP address already appears in Wordfence reports and in the comments on your site.

Import/Export options:

These options let you save a copy of your Wordfence settings for later use, in case the plugin is deleted and reinstalled or moved to another location.

Diagnostics options:

This is the last item under the (Tools) category, and through it Wordfence gives you a report on the site:

You can take advantage of a large number of features for free, but the rest of the features require a paid subscription, and there is no doubt that you will need some time to fully benefit from this addition.

WordPress plugins to scan and delete malicious files

The Wordfence add-on achieves excellent results and provides more than good performance, but it is not the only add-on that allows website owners to scan it against malware and then clean their site from those files. Below we learn about some alternative add-ons that are also worth trying:

MalCare plugin for checking WordPress websites

BlogVault’s MalCare is a paid plugin, offered as a service, that costs $99 per site, while its developers also offer a service to fix hacked sites at a separate cost.

This plugin detects intrusions and malware before they cause significant damage to the site, and it does not consume a lot of server resources. It was developed based on the analysis of more than 240,000 sites and relies on more than a hundred indicators to detect damage.

In addition, the plugin provides a one-click malware removal feature, as well as the ability to create backups. You can purchase it via the official website.

Titan Anti-Spam & Advanced Security plugin

This add-on offers all the features that you might expect from an integrated security add-on, as it protects your site from spam on the one hand, and protects your site from hacking and malicious files on the other hand.

The extension offers an attractive user interface, and it also allows you to continuously scan your site and then clean it. The extension is available in a free version, but its most powerful features – as you can expect – come in the paid version, including:

  • Prevent spam
  • Firewall security feature
  • The feature of checking professional WordPress sites
  • Professional Malware Scan feature
  • Possibility to block any IP address
  • Malicious code tracking within theme and plugin files
  • Site checking feature

The paid version costs $55 per year. The plugin can be downloaded from the WordPress plugin platform, and the paid version can be purchased later.

Sucuri plugin to protect and inspect WordPress sites

Sucuri is known as one of the most prominent Wordfence alternatives out there, and Sucuri is generally recognized for its contributions in the security fields as it offers a number of other products and services beyond the plugin.

The extension allows features such as full site security scanning, file security scanning, site scanning for malware, malware files, and more, with the ability to block intrusions before they happen.

The plugin is available in two versions as usual, one free and the other paid, and it is available through the WordPress plugin platform.

iThemes Security plugin

Previously known as Better WP Security, this plugin offers more than 30 security features that you can take advantage of, and the plugin effectively protects your site from attacks before they even happen.

You can use the paid version to get even more features including continuous scanning or emailing reports, and you can download and start using it for free to decide whether you need to upgrade or not.

Other plugins

We previously talked about the Wordfence plugin and its alternatives, but there are still many plugins that serve the same goals. We list them below in case you want to try and compare more of them:

  1. Anti-Malware Security and Brute-Force Firewall
  2. Cerber Security, Anti-spam & Malware Scan
  3. SecuPress
  4. Clean Talk
  5. Astra Security Suite
  6. BulletProof Security

What to do after deleting the malware?

In the previous steps, we created a backup copy of the site, scanned the site for malicious files and finally deleted them, so your site is now in good condition. There are still some steps you must take after this, as follows:

Change passwords

You should change all of your passwords for yourself and other users after you have cleaned your site of malware, because the hacker of your site is likely to know your passwords by now.

Turn on the two-factor authentication system

Even if your passwords get leaked, having a Two-Factor Authentication system will prevent a hacker from logging into your site unless they hack your email too! In general, we recommend that this system be adopted continuously on your site, and this can be implemented by relying on any reliable plugin, or through Wordfence itself.

Check user roles and accounts

Once your site recovers from its infection, review the users’ roles and accounts right away by going to the Users section of the control panel:

From the same place, you can view the existing roles by selecting any account and then pressing (Change role to), and the site will show you all the existing User Roles:

Take an extra backup

Once you have completed all the previous steps, there is no harm in taking a new backup copy, because this one is taken while the site is completely clean.

How to make sure your WordPress site is secure

You should never take the security of your WordPress site lightly, because the worsening consequences of neglecting the site can be truly catastrophic, and may reach an irreversible stage.

There are a number of basic tips that you must follow to ensure that your WordPress site is constantly secure, which will be mentioned next, but we recommend that you review the Security and Protection section in WordPress in Arabic because of the important articles it contains.

Choose a suitable hosting company

You cannot choose the cheapest offer available from an unknown hosting company and then complain about hacking the site or the occurrence of any problems. The beginning is always with choosing an appropriate and reliable hosting company, and Digital Ocean is an example of that.

Do not use stolen themes and plugins

Most professional plugins and templates are paid, but some WordPress site owners look for stolen (cracked) versions to use for free. Besides this act being strictly prohibited, the results will never be good.

This is because the site or person who made the plugin available to everyone purchased it first, and certainly has his own goals in giving it away for free… such as injecting it with malware!

Rely on security plugins and strong passwords

We talked previously about one of the most prominent security plugins, and we recommend relying on one continuously. There are many alternatives (which we will talk about next), but the point is to keep such a plugin installed and even to pay for its paid version. As for passwords, we are now in 2021: you cannot use your date of birth or phone number. Always use complex passwords that are difficult to guess, such as: GhY@12200@z

Prevent modification of files from the control panel

When you create a new WordPress site, it automatically includes a feature that allows code modification through the control panel itself, and that includes template files and plugins. This feature is known as (File Editing) and you can access it by going to the Appearance section, then the editor:

Once you have finished setting up and customizing your site, disable this editor immediately, because it allows anyone who gains access to your control panel to modify the code directly, which is something you do not want.

To deactivate this feature, put the following code at the end of the wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

Change the login link

By default, the login link is example.com/wp-admin, and sometimes the user needs to change this path to avoid the automated guessing attacks, known as Brute Force, which we talked about above.

Add a confirmation code

To avoid the aforementioned type of attack, which keeps trying many variants to guess the password, also enable the confirmation code known as CAPTCHA.

Now start the application: change the wp-admin login page URL and enable reCAPTCHA

Scan your entire site without plugins

There are a number of sites and platforms that let you check your site remotely and analyze it without installing plugins. As you can expect, these sites only catch very obvious symptoms, and in the end you need a specialized plugin such as the aforementioned Wordfence.

We share the following platforms anyway for good reasons: they let you check the site more than once after the cleaning process is complete, and they are also useful before the examination begins.

1. Sucuri SiteCheck

The Sucuri platform is one of the most prominent platforms for checking and securing websites, and it allows the user to check his site directly by entering the link on the main page of the site, so that it later tracks malicious code and others:

1- Enter the main page of the tool
2- Enter your website link and then click on search

After the scan is completed, the site will give you a report:

2. Scan the site via IsItWP Security Scanner

This tool gives you the same options, as it scans your WordPress site for any vulnerabilities or malware and then gives you a quick report, and later you can start solving problems based on the details we talked about earlier.

3. Use the Google Safe Browsing tool

This tool is characterized by the fact that it comes directly from Google, and it allows you to know whether your URL is safe or not, specifically if Google itself has classified it as a malicious link.

If this happens, you should immediately go to Google Search Console to resolve the issue.

4. Reliance on the WPSec platform

As you would expect by now, this tool scans your site for any known malicious code, malware, or known vulnerabilities, and gives you tips on how to fix those problems.

5. Other tools

These tools are useful, and we would not exaggerate if we advised you to access all of them and put links to your sites and check them, as it is a free service that will not cost you anything and does not require time or effort.

Remove malware from WordPress manually

In the previous points, we talked about how to scan the site for malware using a variety of plugins and platforms, and about the ability of these plugins to delete that software as well.

But a large number of WordPress site administrators, especially those with a technical background, may prefer to try to remove the malware manually, especially when they know about the severe damage that can occur in the event of delay in implementing it.

We can follow the following steps to delete malware manually, which can also be done in addition to relying on add-ons and other tools:

1. Create an integrated backup

The first step – as usual – is to create an integrated backup copy of the site, and this can be created either through add-ons as mentioned above, or manually by saving a copy of the database and site files through the hosting control panel.

2. Check the backup

The backup that you created often reflects all the problems that already exist in your site. You can check it in more than one way, but start by comparing its files with the official WordPress files, which you get by downloading WordPress from the official site.

At this point, you should make sure that the files in your backup copy of the site are the same as those that appear in the WordPress folder that was downloaded from the official site.

Later, you should comprehensively scan the wp-content folder, which includes all files and images uploaded to the site, along with templates and plugins as well. Of course, scanning all of these files with an antivirus application is an excellent option.

3. Clear all files in public_html folder

Now, after making sure that the backup you took for your site is complete, you must delete all files and folders in the main public_html folder within the hosting, except for the cgi-bin folder and the rest of the folders related to the server itself.

And in the event that you run more than one site on one hosting, you must take all steps for all hosted sites, because it is easy for malware infections to spread between sites that share the same hosting.

4. Reinstall WordPress

At this point, you have made sure that your hosting is completely empty and that you have checked your site files that you downloaded in the backup copy. Now you have to install WordPress again, but from scratch.

Install WordPress in the same place as the original version. After completing the installation, go back to the wp-config file in the downloaded backup and copy the database settings from it, so that the new WordPress installation connects to the database directly.

5. Reset passwords

Now you have to reset the passwords of all accounts registered on the site. If you find a new account that you do not recognize and that has high privileges, this is an indication that the site has been hacked.

Change all passwords and delete all fake accounts. You should also go to the permalinks page in the control panel and press save without changing anything, in order to restore the .htaccess file.

6. Reinstall themes and plugins

Remember that we downloaded a backup copy of the whole site but did not upload it afterwards, and up to this stage there is no good reason to upload it again. Instead, install your templates and plugins manually, as if you were starting a new site.

There is no need to upload template and plugin files from the backup, as they may have been compromised in one way or another.

7. Upload photos

Inside the wp-content folder of the backup you downloaded, you will find the image files arranged in the correct order based on the month and year. After all the previous steps, you do not want to upload malicious files again.

Therefore, you will have to check all the folders within the Uploads folder manually, and make sure that all the contents of the folder are image files only and there are no PHP files.

8. Scan your computer and install a security add-on

Always scan your computer for malware and viruses in general, whether before, in the middle, or at the end of the previous steps. 

After completing all of the above, you will also have to install a security plugin, to check your site after the rebuild on the one hand, and to protect it in the coming period against any new intrusion on the other.
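Steps 2 and 7 above both come down to file checks that can be scripted. The following is an added example, not part of the original article: it compares the core files of a backup against a fresh official download by SHA-256 and lists files under uploads that are not plain media. The directory layout, the extension list and the constructed demo trees are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".phar"}           # assumption: extensions a server may run as PHP
SITE_SPECIFIC = {"wp-config.php", ".htaccess"}  # not in a clean download; review by hand


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def tree_hashes(root, skip=("wp-content",)):
    """Map relative path -> SHA-256 for every file outside the skipped top-level dirs."""
    root = Path(root)
    hashes = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and rel.parts[0] not in skip:
            hashes[rel.as_posix()] = sha256(p)
    return hashes


def compare_core(backup_root, clean_root):
    """Step 2: diff the backup's core files against a fresh official download."""
    backup, clean = tree_hashes(backup_root), tree_hashes(clean_root)
    return {
        "unknown": sorted(set(backup) - set(clean) - SITE_SPECIFIC),
        "modified": sorted(f for f in backup.keys() & clean.keys()
                           if backup[f] != clean[f]),
        "missing": sorted(set(clean) - set(backup)),
    }


def suspicious_uploads(uploads_root):
    """Step 7: list files under uploads that are not plain media files."""
    root = Path(uploads_root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        # p.suffixes also catches double extensions such as name.php.jpg
        named_php = any(s.lower() in PHP_EXT for s in p.suffixes)
        # An .htaccess here can change what the server executes: review it.
        if named_php or p.name == ".htaccess" or b"<?php" in p.read_bytes():
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def demo():
    """Build two small constructed trees in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, backup = Path(tmp, "clean"), Path(tmp, "backup")

        def put(root, rel, data):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        for rel in ("index.php", "wp-login.php", "wp-includes/version.php"):
            put(clean, rel, b"<?php // constructed core file " + rel.encode())
            put(backup, rel, b"<?php // constructed core file " + rel.encode())
        put(clean, "wp-content/index.php", b"<?php // constructed")
        put(backup, "wp-login.php", b"<?php // constructed: altered copy")
        put(backup, "wp-includes/class-cache.php", b"<?php // constructed: not in core")
        put(backup, "wp-config.php", b"<?php // constructed site config")
        up = "wp-content/uploads/2021/"
        put(backup, up + "03/photo.jpg", b"\xff\xd8\xff constructed image bytes")
        put(backup, up + "03/logo.php.jpg", b"constructed placeholder")
        put(backup, up + "04/banner.png", b"\x89PNG constructed <?php placeholder")
        put(backup, up + "04/thumb.php", b"<?php // constructed placeholder")
        return (compare_core(backup, clean),
                suspicious_uploads(backup / "wp-content/uploads"))


if __name__ == "__main__":
    core, uploads = demo()
    print(core)
    print(uploads)
```

The clean tree must be the same WordPress version as the backup, otherwise every file changed between releases is reported as modified.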


You should always ensure the security of your website. This step is not a luxury, but rather a necessity in our modern era, especially since Google may give your site severe violations in the event that your site poses any dangers to visitors.

When you follow the previous steps, your site will be clearly safer, and there is no doubt that using a security plugin will improve the overall experience. You can wait for a hack and then try to solve its problems, but prevention is better than cure in these cases.