Best Way to scan WordPress themes & Plugins to remove Malware

WordPress websites often get hacked because not enough web security has been implemented. That is one way malware, hacked content, backdoors or injections end up on a website. Another way many bloggers get malicious code on their blogs is by using nulled themes and plugins. I know that when you have just started your own WordPress blog and don't have enough money to buy the costly plugins and themes that would improve your website's looks and performance, the nulled versions are what most bloggers opt for.

So, to keep your blog free from malicious code and viruses, avoid installing nulled WordPress themes and plugins. Also check free WordPress themes that come from outside the WordPress repository before installing them on your blog. Sometimes the coder hides malicious code, such as rogueads unwanted_ads?1, which secretly makes money from your website or blog by showing pop-up ads to your users.

Other harmful effects of an infected WordPress website include the white screen of death, malware warnings, WordPress .htaccess hijacks, pop-up ads, redirects and more. There are many ways to scan a WordPress website online to find malware and fix an infected website.

The most popular way to detect malware or an infected website is to scan your blog with the popular online malware scanning tool Sucuri – Free Website Malware and Security Scanner. But if the scan finds your website infected, how do you clean it free of cost using a WordPress plugin? That is what we will show in this article.

Scan WordPress website for Malware or Malicious Code online Free

Here are three ways to scan WordPress themes and plugins for malware or malicious code:


Sucuri is the best way to scan WordPress-based websites online, free of cost, to detect malware, website blacklisting, injected spam, defacements and malicious code. The free online version of the Sucuri malware scanner is very basic but still effective. You just need to go to the following URL: and enter your website address in the SCAN WEBSITE search box. In a very short time, Sucuri will scan the site and report whether your website is infected or not.

If your website is clean and not infected by any kind of virus, malicious code or malware, the result shows a green message saying that your website is clean. In case of infection, however, you will get something like the result below:

Free online Website Malware and Security Scanner


Theme Authenticity Checker (TAC)

TAC stands for Theme Authenticity Checker. Use it if you just want to scan the themes installed on your system for malicious code. It displays a small snippet of the suspect code.

Theme Authenticity Checker (TAC) malicious code checker
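To show what this kind of theme scan does under the hood, here is an added example (not part of the original article and not TAC's own code): a small Python scanner that walks a theme directory and reports a short snippet around suspect PHP constructs. The rule names, the patterns and the sample theme files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Illustrative rules (assumptions, not TAC's own signature list): constructs
# that a legitimate theme rarely needs and that injected PHP often relies on.
PATTERNS = {
    "eval-of-decoded-data": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request-driven-exec": re.compile(
        r"(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}


def scan_theme(theme_dir, context=40):
    """Return (relative path, line number, rule, snippet) for every match."""
    root = Path(theme_dir)
    findings = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(text):
                line_no = text.count("\n", 0, m.start()) + 1
                start = max(m.start() - context, 0)
                snippet = text[start:m.start() + context].replace("\n", " ")
                findings.append((path.relative_to(root).as_posix(), line_no, rule, snippet))
    return findings


def build_sample_theme(root):
    """Write a constructed two-file theme: one clean template, one tampered."""
    root = Path(root)
    (root / "index.php").write_text(
        "<?php get_header(); the_content(); get_footer();\n", encoding="utf-8")
    (root / "footer.php").write_text(
        "<?php wp_footer();\n"
        "// constructed sample of an injected line\n"
        "eval(base64_decode('ZWNobyAnYWQnOw=='));\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, line_no, rule, snippet in scan_theme(build_sample_theme(tmp)):
            print(f"{rel}:{line_no} [{rule}] {snippet.strip()}")
```

A hit from a scan like this is a lead for manual review of that file, not proof of infection, and a clean result does not rule out code obfuscated in ways these three rules do not cover.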


Anti-Malware Security and Brute-Force Firewall

Anti-Malware scanner Security plugins

It is one of the best plugins for finding malware, viruses or malicious code present in your theme, WP core files or plugins. It not only detects the infection but also gives you an option to automatically quarantine and remove it without breaking the plugins or themes of your WordPress website.

How to Remove or Clean hacked WordPress website using the plugin

To check whether your website is hacked, first scan it with Sucuri; if that reports potential malicious code, install the Anti-Malware Security and Brute-Force Firewall plugin.

Once you have installed and activated this WordPress malware removal plugin, perform the following steps to find out which files on your WordPress website are infected and to remove the infection.

Step 1: After installing the Anti-Malware removal plugin.

Anti-Malware Security plugin installation

Step 2: Go to Scan Settings and, from the right side, click on update signatures.

Now, in the Scan Settings, check all the malware removal services provided by this WordPress plugin, such as .htaccess Threats, TimThumb Exploits, Backdoor Scripts and Known Threats. After that, go to the "what you want to scan" option and choose either the public_html directory, where your complete WordPress installation and other files are situated, including plugins, themes and other content, or just the particular WP-content folder and installed plugins.

To scan the complete WordPress website, just click on the Run Complete Scan option.

The Anti-Malware plugin from GOTMLS.NET also provides a Quick Scan option, which can quickly check the plugins, WP core and themes.

wordpress malware scan plugin

Step 3: We scanned a malicious website to test this plugin, and it was able to find the threats successfully. You can see this in the plugin results shown below.

Once the scanning is done, select all the Known Threats and click Automatically Fix Selected Files Now to remove the malicious code from your files without breaking them.

scan WordPress site hacked how to fix

Step 4: Now click again on the Anti-Malware plugin on the right side of your WordPress dashboard, click on View Quarantine and permanently delete all the malicious code from the infected files. But before deleting it, be sure that everything is working fine on the front end and back end of your website.

For proper security, please install two plugins: the Anti-Malware plugin we used above and Wordfence Security.

Bonus tip



If you are looking for paid malware security for your WordPress blog, you can go for Malcare, which provides some better features than Sucuri. They also offer a free plugin that you can install to try before purchasing a subscription…

