WPScan.org SANDBOX
WordPress Security Scanner

Find malware in your
WordPress site
before Google does.

Scan any theme or plugin for backdoors, injected code, and 40+ known vulnerability patterns — full report in under 10 seconds.

40+ patterns
<10s per scan
9 threat types
100% server-side
No account needed — start scanning immediately
Files never leave your server — 100% private
ZIP is deleted automatically after the scan

Drop your ZIP here

or click to browse

Free up to 20 MB · Premium up to 150 MB

Get a key — unlocks line numbers, fix guides & unlimited scans.

5 free scans/hour · No account required

4.7M WordPress sites attacked per year
83% of hacked sites use outdated plugins
$200+ average cost of a single hack cleanup

Detection Engine

9 vulnerability classes. 40+ patterns.

Every pattern was reverse-engineered from real WordPress infections found in the wild — not generic rules.

Critical

Backdoors & Remote Code Execution

Hidden shell scripts that let attackers run arbitrary commands on your server. Often injected silently after a plugin vulnerability is exploited.

example.php
// Obfuscated backdoor detected:
$_=str_rot13('riny');
$_(base64_decode($GLOBALS['x']));

High

Obfuscated Malware

Malicious code disguised as legitimate PHP using multi-layer encoding. Passes visual inspection but executes harmful payloads at runtime.

example.php
// Layered encoding to hide malware:
eval(gzinflate(str_rot13(
  base64_decode($payload)
)));

High

SQL Injection & XSS Risks

Unsanitized user input passed directly to database queries or rendered in HTML. Common in legacy themes using deprecated mysql_* functions.

example.php
// Vulnerable: unescaped output
echo $_GET['search'];

// Vulnerable: raw SQL concat
$q = "SELECT * FROM wp_posts WHERE id=".$_GET['id'];

High

Spam & SEO Malware

Hidden links and cloaked content injected to boost other sites' rankings. Google penalises your domain — not the attacker's.

example.php
// Hidden pharma spam link:
echo '<div style="display:none">
  <a href="https://pills.ru">
    buy cheap meds</a>
</div>';

Medium

Weak Credentials & Hashing

MD5 password hashing, hardcoded credentials, and use of weak random number generators where cryptographic strength is required.

example.php
// Broken: MD5 is not a password hash
$stored = md5($password);

// Broken: weak random token
$token = rand(100000, 999999);

Medium

Server & Config Leaks

phpinfo() calls, error display enabled in production, and var_dump() left in live code expose server paths, PHP version, and loaded modules to attackers.

example.php
// Exposes full server config:
phpinfo();

// Shows PHP errors, including full file paths, to every visitor:
ini_set('display_errors', 1);

Process

How it works

Three steps. No technical knowledge required.

01

Upload your code

Drag & drop a ZIP of your theme or plugin, or provide the server path. Supports files up to 150 MB on premium.

02

Deep recursive scan

Every PHP, JS, and HTML file is checked against 40+ patterns — recursively through all subdirectories. Typical scan: under 10 seconds.

03

Actionable report

Issues are grouped by severity. Premium shows exact line numbers, step-by-step fix guides, and a secure replacement code snippet.
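The three-step flow above (upload a tree, scan every PHP/JS/HTML file recursively against a pattern table, group the findings by severity) is easy to see in miniature. The following is an added example written for this page, not WPScan.org's own engine: the PATTERNS table, its severities, the SCANNED_EXTENSIONS set and the SAMPLE_FILES it scans are all this example's assumptions, chosen to mirror the six vulnerability classes and snippets shown in the Detection Engine section rather than the site's 40+ rules.

```python
"""Toy WordPress theme/plugin scanner (added example, not WPScan.org's code).
Walks a directory, checks each .php/.js/.html file against a pattern table,
records the matching line, and groups findings by severity."""
import os
import re
import tempfile
from collections import defaultdict

# (vulnerability class, severity, regex). Assumed, deliberately simple rules;
# production rules must tolerate whitespace, case and encoding variants.
PATTERNS = [
    ("Backdoors & Remote Code Execution", "Critical",
     # str_rot13('riny') decodes to 'eval'; $x(base64_decode($GLOBALS..)) is a dynamic call
     re.compile(r"str_rot13\(\s*['\"]riny['\"]\s*\)|\$\w+\s*\(\s*base64_decode\s*\(\s*\$GLOBALS")),
    ("Obfuscated Malware", "High",
     re.compile(r"\beval\s*\(\s*(?:gzinflate|gzuncompress|gzdecode|str_rot13|base64_decode)\s*\(")),
    ("SQL Injection & XSS Risks", "High",  # raw request input concatenated into SQL
     re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^;\n]*[\"']\s*\.\s*\$_(?:GET|POST|REQUEST|COOKIE)\[", re.I)),
    ("SQL Injection & XSS Risks", "High",  # raw request input echoed into HTML
     re.compile(r"\becho\s+\$_(?:GET|POST|REQUEST|COOKIE)\[")),
    ("Spam & SEO Malware", "High",
     re.compile(r"display\s*:\s*none[^<]*<a\b", re.I)),
    ("Weak Credentials & Hashing", "Medium",
     re.compile(r"\bmd5\s*\(\s*\$\w*(?:pass|pwd)", re.I)),
    ("Weak Credentials & Hashing", "Medium",  # rand()/mt_rand() are not CSPRNGs
     re.compile(r"\b(?:mt_)?rand\s*\(")),
    ("Server & Config Leaks", "Medium",
     re.compile(r"\bphpinfo\s*\(|\bvar_dump\s*\(")),
    ("Server & Config Leaks", "Medium",
     re.compile(r"ini_set\s*\(\s*['\"]display_errors['\"]\s*,\s*(?:1|true|['\"](?:1|on)['\"])", re.I)),
]
SCANNED_EXTENSIONS = {".php", ".js", ".html"}
SEVERITY_ORDER = ["Critical", "High", "Medium"]


def scan_source(source: str, path: str = "<string>") -> list:
    """Run every pattern over one file's text; one finding per match, with line number."""
    findings = []
    for vuln_class, severity, regex in PATTERNS:
        for m in regex.finditer(source):
            findings.append({
                "file": path,
                "line": source.count("\n", 0, m.start()) + 1,
                "class": vuln_class,
                "severity": severity,
                "match": m.group(0).strip(),
            })
    return findings


def scan_tree(root: str) -> list:
    """Step 02: recurse through all subdirectories, scanning only code files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in SCANNED_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_source(fh.read(), os.path.relpath(full, root)))
    return findings


def group_by_severity(findings: list) -> dict:
    """Step 03: order findings Critical -> High -> Medium, dropping empty groups."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["severity"]].append(f)
    return {sev: grouped[sev] for sev in SEVERITY_ORDER if grouped[sev]}


# Constructed sample plugin echoing the page's snippets (not real malware samples).
SAMPLE_FILES = {
    "inc/backdoor.php": "<?php\n$_=str_rot13('riny');\n$_(base64_decode($GLOBALS['x']));\n",
    "inc/obfuscated.php": "<?php\neval(gzinflate(str_rot13(\n  base64_decode($payload)\n)));\n",
    "search.php": "<?php\necho $_GET['search'];\n$q = \"SELECT * FROM wp_posts WHERE id=\".$_GET['id'];\n",
    "footer.php": "<div style=\"display:none\">\n  <a href=\"https://pills.example\">buy cheap meds</a>\n</div>\n",
    "auth.php": "<?php\n$stored = md5($password);\n$token = rand(100000, 999999);\n",
    "debug.php": "<?php\nphpinfo();\nini_set('display_errors', 1);\n",
    "clean.php": "<?php\n$stored = password_hash($password, PASSWORD_DEFAULT);\n$token = bin2hex(random_bytes(16));\n",
    "readme.txt": "eval(base64_decode('AAAA'));\n",  # not a scanned extension: must be ignored
}


def build_sample_tree() -> str:
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for severity, items in group_by_severity(scan_tree(build_sample_tree())).items():
        print(f"[{severity}] {len(items)} finding(s)")
        for f in items:
            print(f"  {f['file']}:{f['line']}  {f['class']}  -> {f['match']}")
```

Run as a script it prints 2 Critical, 4 High and 4 Medium findings for the sample tree and nothing for clean.php. Two design points worth noting: the extension filter is what keeps readme.txt out of the results, and a rule like the `rand(` one will flag harmless uses too, so a real report needs the file and line context (what the page reserves for Premium) so a reviewer can tell a session token from a random banner rotation.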

Pricing

Free is a good start.
Premium is the fix.

Free scans tell you something is wrong. Premium tells you exactly where it is and how to fix it — with a secure replacement you can paste straight into your code.

Get Premium Access

From $9.99/mo · Cancel anytime

Feature
Free
Premium
40+ vulnerability patterns
ZIP upload (20 MB)
ZIP upload (150 MB)
Severity filtering
Exact line numbers
Step-by-step fix guides
Secure code replacements
Unlimited scans
Export HTML report

From developers

Used by WordPress developers worldwide

"Caught a base64 backdoor in a client's old theme that had been there for over a year. The report was clear and the fix guide was exactly what I needed."

David Marchetti
Freelance WordPress Developer

"Google flagged my site as dangerous and I had no idea why. This tool found 3 injected scripts in under 10 seconds. Cleaned up, site unflagged within 48 hours."

Sarah K.
WooCommerce Store Owner

"We run this on every client site before delivery. It caught a Nulled plugin with a remote-include shell in it. Saved us a very awkward conversation with a client."

Mihail Ionescu
WordPress Agency, Bucharest


Your WordPress site might already be compromised.

Most injections go unnoticed for weeks. Upload your theme or plugin now and know for certain — it takes under 10 seconds.