Free Tools to Scan Your Website for Malware and Vulnerabilities

by dotCanada Team
Malware on a website rarely announces itself. It does not crash your site or leave obvious signs, because the entire point is to operate silently: serving spam to your visitors, redirecting them to phishing pages, or using your server to send mass email. Often, the first signal a site owner gets is a Google Search Console notification that the site has been flagged, or a call from a customer whose antivirus blocked your website.

Regular scanning is the only way to catch an infection before it reaches that point. Here are the tools worth knowing about.

External Scanners: No Installation Required

External scanners check your site from the outside, the same way a visitor's browser or a search engine crawler would see it. They are quick to run, require no login or server access, and are a good first check.

Sucuri SiteCheck (sitecheck.sucuri.net) is the gold standard for external scanning. Enter your URL and it checks your site against multiple malware and blacklist databases, scans your visible HTML for malicious code injections, checks your security headers, and reports whether you appear on any major blacklists (Google Safe Browsing, Norton Safe Web, McAfee, Spamhaus, and others). It is free and takes about 30 seconds to run.

VirusTotal allows you to submit a URL and have it scanned by over 90 different antivirus and URL analysis engines simultaneously. If even a handful of those engines flag your URL, it warrants investigation. VirusTotal is particularly useful for checking whether a specific URL (not just your homepage) is flagged.

Google Safe Browsing check - type https://transparencyreport.google.com/safe-browsing/search?url=yourdomain.ca into a browser - shows you exactly what Google's systems have on file for your domain. If Google has flagged your site, this is where you will find the details needed to submit a reconsideration request once cleaned.

What external scanners miss: Malware that is not visible in HTML output - such as infections hidden in PHP files that execute server-side - cannot be detected externally. External scanners see what a browser sees; they cannot inspect your server's file system.

WordPress Plugin Scanners

Plugin-based scanners have server-side access and can examine your actual PHP files, database content, and configuration - catching threats that external scanners miss entirely.

Wordfence Security is the most widely used WordPress security plugin. Its free version includes a malware scanner that compares your WordPress core files, themes, and plugins against known clean versions from the WordPress repository, flagging any files that have been modified. It also scans for known malware signatures and checks your URLs against a threat intelligence feed. The scan results include a risk rating and explanation for each flagged item.

MalCare uses a cloud-based scanning approach where the heavy processing happens on MalCare's servers rather than yours, which means less impact on your site's performance during scans. Its detection uses pattern analysis rather than just signature matching, which helps catch new and obfuscated malware that signature-based scanners miss. The free version scans and detects; automated cleaning requires a paid plan.

Sucuri Security plugin provides file integrity monitoring (alerting you when files change), security hardening recommendations, and basic malware scanning. Like MalCare, full cleaning features require a paid subscription, but the detection and monitoring are useful at no cost.

Interpreting Scan Results

Not every flagged item is an active threat. False positives are common, especially from Wordfence, which may flag legitimate customizations in your theme files as "modified" because they differ from the repository version. Before taking action on a flagged file:

  • Check whether the modification is one you or your developer made intentionally
  • Compare the flagged code against what the file should contain (Wordfence shows you a diff)
  • Search for the flagged code snippet in security forums to see if it is a known false positive

Genuine infections typically look like: injected eval(base64_decode(...)) calls, hidden iframe or script tags, unfamiliar administrator accounts in your WordPress user list, or unexpected changes to core WordPress files that you did not make.
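The two server-side checks described above, file integrity against a known-clean manifest (the approach the Wordfence section describes) and a signature sweep for the injection patterns just listed, can be combined in a small script. This is an added example written for this article, not code from Wordfence, Sucuri or dotCanada; the signatures, the hash manifest format and the temporary site tree it scans are all constructed for the demo, and the same `find_indicators` check can be run over HTML fetched from the site to mimic what an external scanner sees.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed signatures for two injection patterns named in the article.
SIGNATURES = {
    "eval_base64_decode": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "hidden_iframe_or_script": re.compile(
        r"<(?:iframe|script)\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden"
        r"|(?:width|height)\s*=\s*[\"']?0\b)", re.I),
}

def find_indicators(text):
    """Return the names of every signature that matches the file contents."""
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan_tree(root, manifest):
    """Compare files under root with a manifest {relative path: sha256} of known-clean
    hashes and run the signature check over every file. Returns one report dict."""
    root = Path(root)
    report = {"modified": [], "unexpected": [], "missing": [], "indicators": {}}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel not in manifest:
            report["unexpected"].append(rel)   # file a clean install never had
        elif sha256_file(path) != manifest[rel]:
            report["modified"].append(rel)     # known file whose content changed
        hits = find_indicators(path.read_text(errors="replace"))
        if hits:
            report["indicators"][rel] = hits
    report["missing"] = sorted(r for r in manifest if not (root / r).is_file())
    return report

def demo():
    """Scan a constructed site tree (not a real WordPress install); wp-load.php is a
    deliberately missing manifest entry with a placeholder hash."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        manifest = {"index.php": sha256_file(root / "index.php"), "wp-load.php": "0" * 64}
        # Simulated infection: payload injected into index.php plus a dropped file.
        (root / "index.php").write_text("<?php eval(base64_decode('aGk=')); echo 'hello'; ?>\n")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "cache.php").write_text(
            '<iframe src="http://example.invalid/" style="display:none"></iframe>\n')
        return scan_tree(root, manifest)
```

A "modified" entry with no indicator hit is exactly the false-positive case above (a legitimate customisation); treat it as something to diff by hand, not to delete.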

What to Do After Finding Malware

If a scan confirms a real infection:

  1. Take your site offline or password-protect it to prevent further harm to visitors
  2. Restore from a clean backup if you have one from before the infection - this is the fastest and most reliable path to a clean site
  3. Change all passwords - WordPress admin accounts, FTP credentials, database passwords, and your cPanel password
  4. Identify the entry point - out-of-date plugins and themes are the most common vector; patch everything after restoring
  5. Contact your host - dotCanada support can assist with identifying compromised files and server-level cleanup

Professional malware removal services (Sucuri, Wordfence, and others offer paid cleanup) are worth considering for complex infections or if you lack the technical confidence to clean manually. Prevention - keeping WordPress core, themes, and plugins updated, using strong passwords, and running regular scans - is always cheaper than remediation.
