How to Scan WordPress for Malware

Malware on a WordPress site can redirect visitors, steal data, or cause your site to be flagged by search engines. Regular scanning helps you catch and remove infections early. dotCanada recommends running malware scans as part of your routine site maintenance.

Using the Wordfence Scanner

Wordfence Security includes a built-in malware scanner that checks your WordPress core files, themes, and plugins against known clean versions.

1. Install and activate Wordfence Security from Plugins > Add New if you have not already done so.
2. Go to Wordfence > Scan in your dashboard.
3. Click Start New Scan. The scan checks file integrity, looks for known malware signatures, and flags suspicious code.
4. Review the results. Items marked as threats will show a description and options to Repair or Delete.

What to Do If Malware Is Found

• Use Wordfence’s repair option for modified core files — this replaces them with clean originals.
• For infected themes or plugins, delete and reinstall from official sources.
• Change all passwords: WordPress admin, cPanel, FTP, and database.
• Check your .htaccess file for unexpected redirect rules.

Preventing Future Infections

Keep WordPress core, themes, and plugins updated. Remove unused plugins and themes. Use a firewall plugin and strong passwords. dotCanada’s JetBackup service keeps daily backups so you can restore a clean version if needed.

If you suspect your site is compromised, contact our support team immediately for assistance.