3 Methods to Scan WordPress Website for Malware Free

Are you looking for a free and quick way to Scan WordPress Website for Malware? Are you excited to know how to clean and secure your website? Well in this article, we cover it all. First, you will see the process to clean your website, and then we will discuss the important parameters you should take to secure your website. Lastly, we will practically explain the malware scanning process. Whether you wanted to scan your site online or with the help of a free plugin, we have covered both methods in this post.

How to Scan WordPress Website for Malware Free?

In this section we are going to discuss the top 3 easiest way to scan WordPress website for Malware:

  • Use a free online malware scanning tool. Example Sucuri SiteCheck
  • Update to Rocket.net hosting and forget about manual scanning.
  • Use a free WordPress plugin to scan the WordPress website for malware. Example Sucuri Security

In the next section, we are trying to explain all the above methods in a practical approach so you can easily scan your WordPress website without any problem.

Method 1: Using Sucuri SiteCheck Online Malware Scanning Tool

Method 1: Using Sucuri SiteCheck Online Malware Scanning Tool

Sucuri SiteCheck is the free online-based website scanning tool created by Sucuri – The best web-based security organization. This tool audit and scans your website for malware, viruses, malicious code, outdated software, blacklisting status and give you the results which showing how secure your website is based on the different parameters. It also gives you suggestions to deal with malware and failed audits. 

However, it is a very complicated process to deal with failed audits detected during malware scanning unless you are a web developer. We recommend implementing a Sucuri premium security solution on a WordPress website which not only just scan but remove all malware detected during the scanning process.

Remember, this free tool only scan WordPress website for malware. To remove those malware and threats consider upgrading to the premium version of Sucuri.

Sucuri Premium Features

  • Sucuri security solution can be easily implemented using the WordPress plugin on any WordPress website
  • Adding a Web Application Firewall (WAF) for advanced protection
  • Protect your website from DDoS attacks and brute force attacks
  • Protect website pages and posts by enabling CAPTCHA, 2FA, IP allowlisting
  • Block bad bots
  • It has a signature detection mechanism that inspects and block all malicious incoming web traffic
  • Provide free SSL Certificate 
  • Website server-side scanning support
  • Harmful Link injection can be detected to avoid SEO Spam
  • 24*7 DNS monitoring
  • Email and SMS alerts are available to notify any detected malware
  • Ongoing malware Monitoring
  • Advance cleanup to remove malware and viruses after the website got hacked.
  • Sucuri doesn’t ignore database cleaning. It offers unlimited database malware scanning and removal.
  • No need to install the external backup plugin. Sucuri also backup your website if you are interested in their backup solution. However, they do back up only those files which they touch during malware cleaning.
  • Support inbuilt CDN and Caching to improvise the website performance and also ensure 24 hours website uptime.
  • HTTP/2 Support is available
  • Ensures cleaning process would not take more than 24 hours. Only in some cases, this would take longer.
  • 24*7 live assistance over chat is available
  • Finding website backdoor and eliminate them using different techniques including Whitelisting, Blacklisting, and Anomaly Checks.

Sucuri Premium Plans

The Sucuri offers website security solutions in 3 plans. All 3 plans including support for only 1 website.

  • Basic: Starts from $199.99/per year
  • Professional: Starts from $299.99/ per year
  • Business: Starts from $499.99/ per year.

How to use Free Sucuri Scan to Scan WordPress Website for Malware Online Free

In this section, you will learn how to use the free Sucuri SiteCheck tool to Scan WordPress websites for malware online free.

Total Time: 2 minutes

Step 1: Open up the Sucuri SiteCheck free website malware scanner tool

Visit Sucuri SiteCheck free web-based tool. Enter your site url.

Step 2: Enter your website URL in the empty field and tap on the scan website button

As soon as you hit the scan website button, the Sucuri SiteCheck tool starts scanning your WordPress website for malware and threats. The scanning process will not take more than 1-2 min to complete. After it completes, you will see the malware scan report of your website similar to the image showing at the top. Basically, Sucuri SiteCheck showing the level of threat and malware with the “security risk bar”. If it points at high or critical, you should take immediate steps to protect your site. We recommend installing the Sucuri premium scan on your site which will help you to recover your website. Under the “security risk bar,” you will see the failed or passed security parameters and also suggestions to take in future.


  • Website URL


  • Sucuri SiteCheck Scanner

Materials: Software

Method 2: Using Rocket.net Highly Secured Website Hosting

Method 2 Using Rocket.net Highly Secured Website Hosting

Rocket.net is one of the rare web host service providers that have inbuilt WAF (web application firewall) and advanced secure servers which eliminates the need of premium security plugins like Sucuri. Under Rocket.net security suite, you will find these features inbuilt in your web hosting:

  • Free SSL
  • Free CDN
  • Website Application Firewall (WAF) in all plans
  • 24*7 Automatic malware scanning and patching
  • Brute Force Protection
  • Automated Bot Protection
  • Weak Password Protection
  • SFTP support for secure file transfer
  • Migration support for the infected website.

Rocket.net plans start from just $25 per month which would cost you $300 an annum which is still cheaper than the Sucuri Business plan.

Further, the main benefit you get by upgrading to Rocket.net is automatic security configuration. In Sucuri, the clean-up process still requires some manual actions. It is not a fully automated process as compared to the Rocket.net security solution

Method 3: Using Scuri Free WordPress Plugin to Scan WordPress Website for Malware

Method 3 Using Scuri Free WordPress Plugin to Scan WordPress Website for Malware

Sucuri also has a Free WordPress plugin for users who like to Scan their WordPress website with the help of a free plugin. This plugin works exactly like the Sucuri SiteCheck online malware scanning tool. However, it has few extra features like security hardening and security notifications which you cannot able to find in Sucuri online malware scanning tool.

If you are planning to install WordFence – another free security plugin, we suggest you to avoid it. WordFence consumes your server resources which impacts badly on your WordPress website performance. Unlike WordFence, Sucuri uses their SiteCheck online scanning engine to scan WordPress website for malware, and hence it does not impact your website speed in any way.

Let’s see the actual process of how this plugin works.

How to Scan WordPress Website for Malware using Free Sucuri WordPress Plugin

Video Tutorial:

For the reader’s convenience, we always create a video tutorial. Either you can watch and learn or simply skip the video and continue with the steps mentioned afterward.

Step 1: Install and activate the Sucuri Security Free Plugin from the WordPress Plugin Repository

Step 1 Install the Sucuri Security Free Plugin from the WordPress Plugin Repository

Step 2: Navigate to the Sucuri Security > Dashboard.

Now you do not require to scan your website for malware manually. The process is automated and Sucuri has already scanned your website. You can see the scanning results on the dashboard.

Step 2: Navigate to the Sucuri Security > Dashboard.

Step 3: Enable Security Alerts

In a Sucuri free version, you must enable security alerts to receive notification of any threat and malware that may detect in future scans. To set up alerts, Navigate to Sucuri Security > Settings. Under settings, open up the Alerts Tab. Here you need to insert an email address on which you want to receive future security alerts. After inserting an email address click on the “submit” button, Then you have the option to test if the Sucuri alerts function is working on it. Tap on the “Test Alerts” button for testing, this will send you a demo mail on your email address.

Step 3 Enable Security Alerts

Step 4: Schedule Scanning time

This is an optional step if you want to change how frequently a Sucuri Malware Scanner should scan your website, navigate to the Sucuri Security > Settings > Scanner. Here you will find a list of all Scheduled tasks. To change schedule time, first, select single or multiple tasks and then you will find an action button at the bottom of it, use it to change the scanning time of selected tasks.

Step 4 Schedule Scanning time

Step 5: Enable Security Hardening

Under security hardening, there are a lot of options to configure. First, navigate to Sucuri Security > settings > Hardening tab. In a free plugin, you can enable all options (showing in green) except the first: ” Enable Website Firewall Protection”. The firewall protection comes in the Sucuri premium version.

Step 5 Enable Security Hardening

Step 6: Enter Firewall API Key

This is an optional step, only for users who have a premium subscription of Sucuri. When you purchase the Sucuri subscription, you get an API key. To activate WAF advanced protection navigate to Sucuri Security > Firewall (WAF) and then enter your API Key and activate the secure firewall on your website.

Step 6 Enter Firewall API Key

How do I clean my WordPress website?

What does website cleanup sound to you? Are you looking to remove malware? or Are you looking to remove unwanted things from your website like unused media, broken links, etc? Well in this section we are going to discuss all of the clean-up tasks which you can consider for cleaning the WordPress website.

Cleaning WordPress Website by Removing Malware: 

To remove malware to clean up your site, you have two options either reset your WordPress website fully or use a security plugin like Sucuri which helps you to clean and repair your hacked website without deleting any data. If your site already got affected, We recommend using Sucuri.

To clean or reset the website fully, you need to delete the existing database and all website files. The existing database can be found inside cPanel by navigating to databases > MySQL. And you can use FTP clients like Filezilla to get access to the website files for further cleaning.

Cleaning or resetting the website fully is only required when your website becomes irrecoverable after getting hacked. Well, this happened rarely security plugins like Sucuri is capable enough to recover any website back to normal.

Cleaning WordPress Website Manually – The Checklist

Apart from malware removal, cleaning the website manually requires a lot of time. If you want to do things manually then you should perform the following steps to clean your WordPress website:

  • Clean up the cluttered database. You do not require an additional plugin if you already have the Sucuri premium plugin installed on your website.
  • Clean up the in-active as well as updated WordPress plugins and themes from your WordPress dashboard directly.
  • Optimize the website database by removing revisions of old posts and pages. You can use the “Optimize Database after Deleting Revisions” plugin for this purpose.
  • Clean unused tags and categories
  • Clean spammed and trashed comments
  • Clean trashed post and pages from your website
  • Clean unused media. You can either do it by yourself from the WordPress media library or use a free plugin called “Media Cleaner”
  • Clean broken links manually or use a broken link plugin to identify and remove broken links.
  • Clean old users profile who don’t need access to your website by navigating to WordPress dashboard > users section
  • Clean up or update outdated posts
  • Clean up the website’s ping-backs and trackbacks. Use the WP-optimize plugin for this task.
  • Clean up unused CSS and JavaScript. You can use Assets CleanUp free plugin for this task.
  • Clean up unwanted third-party scripts from posts. You can use the Pingdom Website Speed Test tool to determine which scripts cause the problem and slow down the website.

How can I secure my WordPress website?

Similar to website cleaning, securing a website requires a lot of points to take care of which is not limited to installing an SSL certificate, enabling CAPTCHA, etc. 

In this section, we are trying to cover up all those points which help you to secure your website at maximum level.

Enable a Premium Security Solution – A Complete Solution

Implementing a single premium security solution on your WordPress websites like Sucuri which uses an advanced web application firewall (WAF) and constantly monitoring and protecting your entire website from malware, bots, spammers, brute force attacks, and much more. The main benefit of implementing such a single security solution is that it bypasses the additional tasks you require to perform otherwise manually such as installing SSL, enable Captcha, IP allowlisting, signature detection, etc.

Upgrade to the Secured Web Hosting: 

There are a tremendous number of web hosting available in the market. It is very difficult to determine which is best. We highly recommend you upgrade to Rocket.net, as we are using it, this is the first reason and the second reason is that Rocket.net is designed by keeping web security as the top priority. You can find more details about Rocket.net malware scanning in the next section.

Rocket.net will help you to run your site on Cloudflare enterprise plan so that you need not use any premium services for security, caching, CDN, image compression. They provide you all features for free.

Avoid Nulled plugins and themes at any cost: 

This is the most vulnerable source hackers used to spread malicious code on WordPress websites. Always purchase the original plugin/theme from the official website. Even, do not use another person’s license just for the sake of saving little money.

Install hCaptcha:

hCaptcha is the best free solution to protect your website from bots. It adds an additional layer to website forms that help in human and bot identification. The implementation is very simple, you can protect all your WordPress forms by installing WPForms plugin on your site which can be easily integrated with hCaptcha. Further, you can earn also by installing hCaptcha on your website.

Set Plugins to Auto Update:

Outdated plugins, as well as themes, are another popular way for hackers to enter inside your website. The latest WordPress version supports automatic updates to all plugins. Make sure to enable auto-updates on all plugins.

SSL is mandatory:

If your web hosting doesn’t provide you a free SSL, you can either change your hosting provider to Rocket.net which offers free SSL and inbuilt WAF for further protection, or use a free WordPress plugin like “SSL Zen” which forces SSL on all web pages of your site.

Disable Plugin and Theme editing

As we all know that plugins and themes are some of the most vulnerable sources that hackers use to take control of a particular website. They inject malicious code to get access to the website. But WordPress allows users to disable plugin and theme editing functionality so that no one would be able to edit the source code of both plugins and themes from the WordPress dashboard. 

To disable, you just need to place this single line of code in “wp-config.php file”:

define(‘DISALLOW_FILE_EDIT’, true);

The “wp-config.php” file can be found inside your website’s root directory. You can use either cPanel or FTP to get access to your website files.

In case, if you want to enable the plugin and theme editing functionality in the future, simply remove this line of code from the “wp-config.php” file.

Protect WP-Admin Login Page:

WP-Admin login page is the main entrance to your WordPress website. Most hackers use brute force techniques to crack the username and password. Also if your website is membership-based then probably you will receive a lot of spammed registrations. To protect your website from such malicious activities you have few options:

  • Install a premium plugin like Sucuri which automatically blocks brute force attacks and spam registration.
  • Change your WP-Admin login page URL. Use the “WPS Hide Login free plugin” for this task.
  • Add a security question or enable hCaptcha on the login form
  • Enable 2-factor Authentication on your login page with the help of this free WordPress plugin called – Two Factor Authentication
  • Limit Login attempts: This could be a very helpful trick to protect your WordPress website from brute force attacks. Simply install the “Limit Login Attempts Reloaded” plugin and you are good to go.

Constantly Monitor and Scan Website for Malware:

Even though your site doesn’t have Sucuri premium protection, you still can take benefit of their SiteCheck free online tool to scan WordPress websites for malware and threats. We have explained the scanning procedure in the next section. A Daily or weekly website scan helps you to get aware of what’s going on your website behind the scene.

Other Steps to Secure WordPress website:

  • Force Logout Idle Users by installing an Inactive Logout free WordPress plugin.
  • Change default admin name to something else which cannot be crack easily by hackers
  • Set WordPress password as difficult as possible
  • Upgrade to the latest PHP version
  • Change Root directory files permission from 644 to 440 or 400 to prevent other users than the owner access those files. The number may be different on some hosting servers. Consult your hosting provider for further clarification.
  • Hide the WordPress version by adding few lines of code in the functions.php file. Consult your web developer first before proceeding to this. 
  • Hide domain information and the IP address from the Whois website directory: Some web hosts charge you extra to change this information. Ask your domain name registrar to update your Whois record. 
  • Use an undetectable database name. Your WordPress website database name starts with wp_
  • Transfer wp-config.php file from root directory to Non-WWW directory.


If you have made it this far, Great! Today you must have learned a lot of things related to website cleaning, website security, and how to scan WordPress website for Malware, etc.

Now let me tell you scanning websites regularly is very important to detect unwanted threats but this process is incomplete unless you take some steps to remove malware. Upgrade to Hosting which supports WAF like Rocket.net or Implement a Premium security solution service like Sucuri on your website has now become the essential part of every online business and you could not ignore it if you’re serious about your website security. So take a step today and protect your WordPress website from malware.

I hope this tutorial helped you to Scan WordPress Website for Malware Free. If you like this article, please share it with your friends. If you want more blogging tips, follow BlogVwant on FacebookTwitter, and YouTube.

FAQ – Methods to Scan WordPress Website For Malware Free

Would Sucuri SiteCheck online scanning tool remove malware?

No. It only scans and audits your website for security threats.

Which one to pick between Rocket.net or Sucuri Security Solution?

Go for Rocket.net and upgrade your web hosting when you want a fully automated security system for your website. Go for Sucuri premium service when you want to keep control of the security configuration settings.

Does WAF is available in Sucuri Free WordPress Plugin?


What is a Web Application Firewall (WAF)?

In simple words, WAF is the firewall specially designed to protect websites and web apps by monitoring and filtering malicious traffic.

Leave a Comment