Skip to content
What to do when you think your website has malicious code and malware

What to Do When You Think Your Website has Malicious Code and Malware

It’s no wonder that WordPress is secure and easy to control. However, sometimes you'll lose the power of managing your site by strange visitors - malicious code or malware - the malicious program that can infect websites, servers, networks, or even your computers with harmful programs.

Sometimes, your website seems to work properly but actually, it can be potentially hacked. Consequently, it takes a lot of time for WordPress owners to clean up this malware. After all, users need to scan regularly and find potential risks for their online system. Whenever you suspect that your website has malware or malicious code, there are two ways to check. The first way is to scan manually. And the second way is using a website scanner.

In this article, we will show you how to confirm your suspicion and remove these problems.

Threats of Malicious Code for Your WordPress Site

Here are some potential risks that your site may take if your website has malicious code and malware.

  • Malicious code and malware create some backdoors to let hackers access your website without your permission. They can steal your data or even make some changes in content or site. Even worse, not only your private information is leaked, but your customer’s data can be stolen.
  • They can affect the Google ranking of your site. Moreover, your site may be marked as an unsafe destination.

Threats of Malicious code for your WordPress site

Signs When the Website is Infected with Malicious Code

Before going into details about how to check the website, let's see what are the signs when your site is hacked:

  • You can’t log in and access your WP Admin Dashboard. That’s because your security information has been changed and private information is leaked.
  • You lose some files and some changes in content or site without your permission
  • When users access your website, they will see a sign that your website is on the Blacklist or warning of harmful content. Because Google needs to protect users from harmful websites, you will see a big red splash page and warnings next to your site when your site is blacklisted.
  • Slow loading site or display another website
  • Google marks your site as insecure
  • Your site shows an ERROR message.

How to Scan Your WordPress Site?

There are many ways to scan websites. We already have a detailed article about the best tool to Protect WordPress site from Malware that you can dive right in. So, in this article, we will have a more detailed guide on how to scan with the 2 most common tools - Sucuri and Wordfence.


Sucuri is considered as the best WordPress site checker. This paid security service offers users with advanced features such as cleaning your site at no additional cost, firewall protection, email alert, malware scanning, WordPress hardening. It also lets you know who has been using your site.

Sucuri offers users free service. However, the limit of the free version is that you have to check your site manually and the scan results are not as detailed as a paid version. To get the premium version, you just need to install the Sucuri security plugin.

Now, I will give you instructions to scan your site for free:

scan your site for free using Sucuri

  • Step 1: Go to Sucuri site check
  • Step 2: Enter your WordPress URL
  • Step 3: Click on Scan Website button
  • Step 4: Note any warning messages, backlist warnings, payloads, and locations.

After scanning with Sucuri, you may realize whether your site is on the website blacklist status or not. For instance, my website has low security risk:

Check if your site is on the website blacklist status or not

The risk will be visually displayed by the bar, from no risk to the highest risk. Depending on this level, you know if your website is secured or not and have proper actions.

Scrolling down, you will be announced with some warning messages, payloads, and locations. You should note down any problem such as internal server errors, defacement, injected spam, malware that Sucuri has found for your site.

note down any problem that Sucuri has found for your site


Another leader in the security industry is Wordfence that includes advanced functions such as endpoint firewalls and malware scanners. The endpoint firewall provides better protection for your system. It can access user identity information in more than 85% of firewall rules. Also, the scanner can check bad URLs, malicious code, malware, and more. Purchasing the Premium, you can enable real-time malware signature updates, reputation checks, and better control over scan timing and frequency. Otherwise, Wordfence also offers the basic plugin for free.

This is how to use free Wordfence plugin to scan your WordPress site:

Step 1: In your Admin Dashboard, select Plugins > Add new. Then enter Wordfence in the Search plugins box, click Install then activate it.

scan your WordPress site by activating Wordfence

Step 2: Go to Wordfence > Scan then click the “Start New Scan” button to start scanning your website.

 Wordfence starts scanning your website

After finishing, it lists all the problems in the Results Found tab. The more number of results found, the higher risk that your website has.

Wordfence lists all the problems in the Results Found tab

How to Remove Malicious Code and Malware?

Before Removing Malicious Code and Malware

Before removing the malware or malicious code, you need to do some actions first. They can help to prevent hackers from inserting the malicious code on your website again and save your data even when you remove files.

Protect Your Account

You should change all your private information including password, user account, hosting account, WordPress database password. Especially, this time you should use more complex and difficult passwords including uppercase letters, numbers, and lowercase letters so that hackers can’t figure it out.

After changing password, you can follow these steps to protect your WordPress admin area. These actions will prevent hackers from continuing to access your website.

Backup Your Website Data

If you haven’t had a WordPress backup, you absolutely need to create a complete one. WordPress backup is a backup of all files/folders, media as well as the entire database of your website. The reason we need a backup is that it helps you restore the data of the website when being hacked. Plus, this step makes sure that you can revert your content when something happens during the cleanup process. Here is our article for you to know all the steps to backup your WordPress site.

Remove Malicious Code and Malware

Now, it’s time to remove the malicious code and malware that you scanned. You can manually remove files from your website but it’s time-consuming and complicated to do. You may even lose your data if not be careful. So, I highly recommend that you should use a professional tool.

As I mentioned above, Sucuri and Wordfence site cleanup are two popular tools to scan and remove malicious code and malware.


Wordfence not only shows the problems, but it also suggests what you should do with each one. By clicking Detail of each result, you are able to know how to resolve it. Read the suggestions carefully and follow them. If you find any result not a cause of your risk, you can click Mark as Fixed to skip it.

Wordfence suggests solution to remove malicious code and malwar


After scanning with Sucuri, it will indicate all the causes of your problem and suggest the solutions. You just need to read and follow its guide carefully. For example, this site has outdated software, leading to a high risk. So Sucuri recommends that you should set up HTTPS.

Securi suggests the solution to remove malicious code and malwar

Wrapping Up!

With two easy-to-use plugins Sucuri and Wordfence, you can protect your system effectively. In addition to the above, you should also apply some tips frequently such as changing passwords, scanning regularly, keeping your WordPress plugins updated, and using a firewall to prevent your site from being hacked in the future.

This is the end of our article. We hope that with essential information we provide you can run your system perfectly and prevent your site from potential risks. If you have any questions, please feel free to comment below.

Leave a Comment

Scroll To Top