
WordPress Malware Scanning: How to Detect & Remove Infections

Complete guide to WordPress malware detection and removal. Learn about malware types, scanning methods, and how VistoShield Security Scanner protects your site.

The Reality of WordPress Malware

WordPress malware infections are far more common than most site owners realize. Security research consistently shows that tens of thousands of WordPress sites are compromised every week. The majority of these infections are not immediately visible — they do not deface the site or take it offline. Instead, modern WordPress malware operates covertly: injecting spam links into your content for SEO manipulation, redirecting visitors to phishing sites, mining cryptocurrency using your visitors’ browsers, stealing customer data from forms and checkout pages, or using your server as a launchpad for attacks against other targets.

The longer malware remains undetected, the more damage it causes. Search engines may blacklist your domain, hosting providers may suspend your account, and your visitors may have their data compromised. Regular malware scanning is the single most effective way to detect infections early and minimize their impact.

This guide covers the types of WordPress malware you are likely to encounter, how detection works, and how to use VistoShield’s Security Scanner to protect your WordPress installation.

Types of WordPress Malware

Backdoors

Backdoors are the most common type of WordPress malware. They provide the attacker with persistent access to your site even after you change passwords or patch the initial vulnerability. Backdoors are typically PHP files uploaded to locations like wp-content/uploads/, hidden inside legitimate-looking filenames (e.g., wp-config-backup.php, class-wp-cache.php), or injected as obfuscated code into existing plugin or theme files.

Common backdoor patterns include:

  • eval(base64_decode(...)) — Executes decoded PHP code
  • preg_replace with the /e modifier — Evaluates replacement as PHP code
  • assert() used with user input — Alternative code execution method
  • create_function() with obfuscated parameters
  • Web shells disguised as image files with .php extensions

SEO Spam Injection

SEO spam (also called pharma hacking) injects hidden links, text, or entire pages into your site to boost the search rankings of the attacker’s other sites. This type of malware is particularly insidious because:

  • It is often invisible to logged-in administrators (the malware checks user roles)
  • It only shows the spam to search engine crawlers (user-agent cloaking)
  • It can be inserted into your database rather than your files, making file-based scanning less effective
  • It may not be discovered until Google Search Console reports keyword anomalies

Malicious Redirects

Redirect malware sends your visitors to a different website, typically a phishing page, tech support scam, or malicious download site. Redirects can be implemented via:

  • JavaScript injected into your theme’s header or footer
  • Server-side redirects: rewrite rules in .htaccess or PHP code injected into wp-config.php
  • Database modifications (typically in the siteurl or home options)
  • Conditional redirects that only trigger for mobile users or specific referrers

Cryptominers

Cryptomining malware injects JavaScript that uses your visitors’ CPU power to mine cryptocurrency. While less common than it was during the 2017–2018 crypto boom, it still appears. The primary indicator is visitors complaining about slow page loads or high CPU usage while on your site.

Mailer Scripts

Mailer malware uses your server’s email capabilities to send spam or phishing emails. These scripts are typically uploaded as standalone PHP files and can send thousands of emails before detection. Signs include your server being blacklisted by email providers and your hosting provider alerting you to unusual outbound email volume.

Skimmers (Formjacking)

Skimmers are the most dangerous type for e-commerce sites. Skimmer malware intercepts data entered in forms, particularly checkout and payment forms, and sends it to the attacker. This can result in massive data breaches and severe legal consequences. Skimmers are often injected as small JavaScript snippets that are difficult to spot in minified code.

How Malware Scanning Works

WordPress malware scanners use several detection techniques, each with different strengths and limitations.

Signature-Based Detection

Signature-based scanning compares files against a database of known malware patterns (signatures). When a file contains a sequence that matches a known malware signature, it is flagged. This method is fast and has low false positive rates for known malware, but it cannot detect new or modified malware variants that do not match existing signatures.

Heuristic Analysis

Heuristic scanning looks for suspicious code patterns that are commonly associated with malware, even if the exact pattern is not in the signature database. Examples include heavy use of encoding functions (base64_decode, str_rot13, gzinflate), dynamic function calls (call_user_func, $$variable()), and code that attempts to hide its purpose through obfuscation. Heuristic analysis catches more threats but has a higher false positive rate.

File Integrity Checking

This technique compares your WordPress core files, plugin files, and theme files against known-good checksums from the official WordPress repository and plugin/theme developers. Any file that does not match its expected checksum has been modified and warrants investigation. This is highly effective for detecting modifications to known files but does not catch malware uploaded as entirely new files.
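The checksum comparison described above, as an added example (not VistoShield's code). It goes one step beyond the text by also listing files that sit in a core directory but are absent from the manifest, which is how a disguised drop-in such as wp-includes/class-wp-cache.php surfaces. The mini-install and its manifest are constructed; a real manifest would come from the official core checksums endpoint.

```python
import hashlib
import tempfile
from pathlib import Path

# A real manifest comes from api.wordpress.org/core/checksums/1.0/?version=...&locale=...
# which returns {"checksums": {relative_path: md5}}; demo() builds one from constructed files.
def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_integrity(root, manifest, skip=("wp-content/", "wp-config.php", ".htaccess")):
    """Compare an install against {relative_path: md5}; also report files not in the manifest."""
    root = Path(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif md5_file(p) != expected:
            report["modified"].append(rel)
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest and not rel.startswith(skip):
            report["unexpected"].append(rel)
    return report

def demo():
    """Build a constructed mini-install, record its checksums, tamper with it, re-check."""
    root = Path(tempfile.mkdtemp())
    clean = {"index.php": "<?php require 'wp-blog-header.php';",
             "wp-includes/version.php": "<?php $wp_version = 'x.y.z';",
             "wp-admin/admin.php": "<?php // admin bootstrap"}
    manifest = {}
    for rel, body in clean.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
        manifest[rel] = md5_file(root / rel)
    (root / "wp-content/plugins").mkdir(parents=True)  # outside the core manifest
    # Tamper: inject into a core file, drop a rogue file, delete a core file
    with open(root / "wp-includes/version.php", "a") as f:
        f.write("\n/* injected */")
    (root / "wp-includes/class-wp-cache.php").write_text("<?php // constructed rogue file")
    (root / "wp-admin/admin.php").unlink()
    return check_integrity(root, manifest)

if __name__ == "__main__":
    print(demo())
```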

Behavioral Analysis

Advanced scanners can analyze what code actually does rather than just what it looks like. This includes tracing data flow from user input to dangerous functions, identifying files that accept and execute arbitrary input, and detecting files that make outbound connections to known malicious domains.

VistoShield Security Scanner: Features & Capabilities

VistoShield’s Security Scanner combines multiple detection methods for comprehensive WordPress malware protection.

Multi-Engine Detection

The scanner uses a layered detection approach:

Detection Method        | What It Catches                                                 | False Positive Rate
------------------------|-----------------------------------------------------------------|-------------------------------
Signature matching      | Known malware families, web shells, backdoors                   | Very low
Heuristic analysis      | Obfuscated code, new variants, suspicious patterns              | Low-moderate
Core integrity          | Modified WordPress core files                                   | None (exact checksum match)
Plugin/theme integrity  | Modified plugin and theme files                                 | None for official repo plugins
Permission analysis     | Files with dangerous permissions (777, writable by web server)  | Low

Scanning Scope

The scanner inspects all areas where malware typically hides:

  • WordPress core: All files in the WordPress root and wp-admin/ and wp-includes/ directories
  • Plugins: Every file in wp-content/plugins/ including inactive plugins
  • Themes: Every file in wp-content/themes/ including inactive themes
  • Uploads: The wp-content/uploads/ directory, which attackers frequently use because it is writable
  • Must-use plugins: wp-content/mu-plugins/, a location often overlooked by other scanners
  • Drop-ins: wp-content/ root files like object-cache.php and advanced-cache.php
  • Configuration files: wp-config.php, .htaccess, .user.ini

Quarantine System

When the scanner detects a suspicious file, it does not immediately delete it. Instead, it moves the file to a quarantine directory where it cannot be executed but can be reviewed. This approach is critical because:

  • False positives happen. Deleting a legitimate file can break your site.
  • Forensic analysis may be needed. Preserving the malware file helps understand the attack vector and scope.
  • Recovery is possible. If a quarantined file turns out to be legitimate, it can be restored with one click.

Quarantined files are stored in a non-web-accessible directory with their original path and permissions recorded for potential restoration.
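The quarantine-and-restore flow described above, as an added example (not VistoShield's code): the flagged file is moved outside the web root, renamed so it no longer ends in .php, made read-only, and a sidecar record keeps its original path and mode so it can be put back. The directory layout, file name and sidecar format are constructed assumptions.

```python
import json
import shutil
import stat
import tempfile
import uuid
from pathlib import Path

def quarantine(path, qdir):
    """Move a flagged file out of the web root, make it read-only and non-.php,
    and write a sidecar record of where it came from and its original mode."""
    src = Path(path).resolve()
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    qdir.chmod(0o700)                      # only the scanner's user can look inside
    mode = stat.S_IMODE(src.stat().st_mode)
    dest = qdir / f"{uuid.uuid4().hex}_{src.name}.quarantined"
    shutil.move(str(src), str(dest))
    dest.chmod(0o400)                      # cannot be executed or edited in place
    Path(str(dest) + ".json").write_text(json.dumps(
        {"original_path": str(src), "original_mode": mode}))
    return dest

def restore(qfile):
    """Put a quarantined file back exactly where it was, with its original mode."""
    qfile = Path(qfile)
    sidecar = Path(str(qfile) + ".json")
    record = json.loads(sidecar.read_text())
    target = Path(record["original_path"])
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(qfile), str(target))
    target.chmod(record["original_mode"])
    sidecar.unlink()
    return target

def demo():
    """Constructed layout: web root and quarantine dir are siblings, so the quarantine is never served."""
    base = Path(tempfile.mkdtemp())
    uploads = base / "public_html/wp-content/uploads"
    uploads.mkdir(parents=True)
    suspect = uploads / "wp-config-backup.php"      # name from the backdoor section above
    suspect.write_text("<?php // constructed suspicious sample, not real malware")
    suspect.chmod(0o644)
    q = quarantine(suspect, base / "quarantine")
    checks = {"removed_from_webroot": not suspect.exists(), "not_a_php_file": q.suffix != ".php",
              "read_only": stat.S_IMODE(q.stat().st_mode) == 0o400}
    back = restore(q)
    checks["restored_in_place"] = back.resolve() == suspect.resolve() and back.read_text().startswith("<?php")
    checks["mode_restored"] = stat.S_IMODE(back.stat().st_mode) == 0o644
    checks["quarantine_emptied"] = not q.exists()
    return checks
```

Call demo() to run the round trip; every value in the returned dict should be True.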

Scheduled Scanning

Regular automated scans catch infections early. VistoShield supports configurable scan schedules:

  • Daily quick scan: Core integrity check and signature scan of recently modified files (runs in under 30 seconds on most sites)
  • Weekly full scan: Complete scan of all files with all detection methods enabled
  • On-demand scan: Manual full scan triggered from the dashboard whenever needed

Scan results are recorded in the Activity Log and can trigger email notifications when threats are detected.

What to Do When Malware Is Detected

Finding malware is only the first step. Proper response is critical to ensuring the infection is fully eradicated and does not recur.

Step 1: Do Not Panic — Assess

Review the scanner’s findings carefully. Determine:

  • How many files are affected?
  • Are the infected files in core WordPress, plugins, themes, or uploads?
  • Is the malware a known type (backdoor, SEO spam, redirect)?
  • How long ago were the files modified? (Check the timestamps)

Step 2: Check the Activity Log

If you have VistoShield’s Activity Log active, review it for the period leading up to the infection. Look for:

  • Suspicious logins from unknown IPs
  • Plugin installations or activations you did not perform
  • Theme file editor usage
  • Settings changes (particularly site URL or user registration settings)

Step 3: Quarantine and Remove

Use the scanner’s quarantine feature to isolate infected files. For files in WordPress core, the safest approach is to replace them with fresh copies from the official WordPress download rather than trying to clean them. For plugin and theme files, check if the modifications are to files that should not have been changed (comparing against the official repository checksums).

Step 4: Identify the Entry Point

Removing the malware without finding and closing the entry point means reinfection is likely. Common entry points include:

  • Vulnerable plugins or themes (check for available updates)
  • Compromised admin passwords (change all admin passwords immediately)
  • Stolen FTP/SSH credentials (change server passwords)
  • Nulled (pirated) plugins or themes (remove all nulled software)
  • Outdated WordPress core (update to the latest version)

Step 5: Harden Against Reinfection

After cleanup, strengthen your defenses:

  • Enable the WAF to block common exploit patterns
  • Set up Login Guard with 2FA for all admin accounts
  • If you have server access, install the VistoShield Server Edition for iptables-level protection
  • Update all plugins, themes, and WordPress core
  • Change all passwords (WordPress, FTP, SSH, database)
  • Regenerate WordPress security keys and salts in wp-config.php
  • Configure scheduled scans to catch any future infections early

Step 6: Verify and Monitor

After cleanup, run another full scan to confirm all malware has been removed. Monitor your site closely for the next few weeks:

  • Check Google Search Console for security issues and crawl anomalies
  • Monitor server resource usage for unexpected spikes
  • Watch the Activity Log for any suspicious actions
  • Run weekly full scans for the next month

Prevention: Keeping Malware Off Your Site

The best malware incident is the one that never happens. Prevention requires a multi-layered approach:

Keep Everything Updated

The majority of WordPress compromises exploit known vulnerabilities in outdated plugins, themes, or WordPress core. Enable automatic updates for security releases and review pending updates weekly.

Use Strong Authentication

Brute-forced admin passwords are a primary infection vector. Use the Login Guard plugin to enforce strong passwords, enable two-factor authentication, and rate-limit login attempts. Combined with the VistoShield Server Edition’s LFD, brute-force attacks are blocked at the firewall level before they can consume server resources.

Remove Unused Plugins and Themes

Inactive plugins and themes are still vulnerable to exploitation. If a PHP file in a deactivated plugin has a vulnerability, attackers can access it directly via its URL. Remove anything you are not actively using.

Use Reputable Sources Only

Never install plugins or themes from unofficial sources, particularly “nulled” or “cracked” premium plugins. These almost always contain backdoors. Only install plugins from the official WordPress repository or directly from trusted developers.

Restrict File Permissions

Ensure WordPress file permissions follow the recommended settings:

# Directories: 755
find /path/to/wordpress -type d -exec chmod 755 {} \;

# Files: 644
find /path/to/wordpress -type f -exec chmod 644 {} \;

# wp-config.php: 600 or 640
chmod 640 /path/to/wordpress/wp-config.php

Enable WAF Protection

The VistoShield WAF blocks common attack patterns (SQL injection, cross-site scripting, file inclusion) that are used to upload malware. A properly configured WAF stops most automated exploit attempts before they can succeed.

Malware Scanning: Free vs Premium Tools

Feature                    | VistoShield Scanner        | Typical Free Scanners | Premium Scanners
---------------------------|----------------------------|-----------------------|-----------------
Signature detection        | Yes                        | Basic                 | Yes
Heuristic analysis         | Yes                        | No                    | Sometimes
Core integrity check       | Yes                        | Yes                   | Yes
Plugin/theme integrity     | Yes                        | Limited               | Yes
Quarantine system          | Yes                        | No                    | Sometimes
Scheduled scanning         | Yes                        | Limited               | Yes
Server-level integration   | Yes (with Server Edition)  | No                    | No
Price                      | Free                       | Free                  | $99–$299/year

Signs Your WordPress Site May Be Infected

While regular scanning is the most reliable detection method, knowing the common symptoms of infection helps you respond faster when something goes wrong.

  • Unexpected redirects: Visitors (especially mobile users or those from search engines) are redirected to unfamiliar websites. This may only happen intermittently or only for specific user agents.
  • Search engine warnings: Google Search Console reports security issues, or search results show your site with a warning label. Your site may appear in search results with unrelated keywords (pharma, gambling, etc.).
  • Hosting provider alerts: Your host notifies you of suspicious activity, excessive resource usage, or outbound spam from your account.
  • Unknown admin users: New administrator accounts appear in your WordPress user list that you did not create.
  • Modified files: Files have recent modification timestamps that do not correspond to any updates or changes you made.
  • Slow performance: Sudden, unexplained performance degradation can indicate cryptomining malware or a backdoor script consuming resources.
  • Spam in outgoing email: Your server’s IP appears on email blacklists, or you notice bounce messages for emails you did not send.
  • Unfamiliar files: New PHP files appear in your wp-content/uploads/ directory or other writable locations with names designed to look legitimate.

If you observe any of these symptoms, run an immediate full scan with VistoShield’s Security Scanner and follow the incident response steps outlined above.

Key Takeaways

  • WordPress malware is extremely common and often invisible to site owners. Regular scanning is the only reliable way to detect infections early.
  • Multiple detection methods (signatures, heuristics, integrity checks) provide comprehensive coverage that no single technique can match alone.
  • Quarantine before deletion prevents data loss from false positives and preserves evidence for forensic analysis.
  • Finding and closing the entry point is as important as removing the malware itself. Without remediation, reinfection is likely.
  • Prevention is multi-layered: updates, strong authentication (Login Guard), WAF protection (Firewall & WAF), and regular scanning work together to keep your site secure.
  • VistoShield’s Security Scanner provides enterprise-grade detection at no cost, with quarantine, scheduled scanning, and integration with the full VistoShield security ecosystem.
  • See the Scanner documentation for setup instructions and configuration options.
