Free WordPress Malware Scanner
WordPress malware is typically injected into theme or plugin PHP files as obfuscated, base64-encoded code that downloads payloads, redirects visitors, or installs backdoors. It is designed to be invisible: browsing the files in a standard file manager won't reveal it. WP Scan reads every PHP, JS, and HTML file in your upload and matches them against 40+ malware signatures, including eval/base64 shells, iframe injectors, and known backdoor patterns.
What WP Scan detects
- ✓ Base64-encoded eval() shells (the most common backdoor type)
- ✓ PHP web shells with command execution capabilities
- ✓ Injected iframe redirects to malicious domains
- ✓ Obfuscated code using str_rot13, gzinflate, or hex encoding
- ✓ Fake plugin/theme wrappers that execute hidden payloads
- ✓ Remote file fetch patterns (file_get_contents with external URLs)
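The signature matching described above can be sketched in a few lines. This is an added example, not WP Scan's own code or rule set: the five regexes, the function names, and the sample files are constructed for illustration, and the embedded payloads are inert placeholders.

```python
import re

# Illustrative signatures (assumptions, not WP Scan's actual rules).
SIGNATURES = [
    ("eval-of-decoded-data",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("command-execution-on-request-input",
     re.compile(r"\b(?:system|shell_exec|passthru|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I)),
    ("remote-file-fetch",
     re.compile(r"\bfile_get_contents\s*\(\s*['\"]https?://", re.I)),
    ("hidden-iframe",
     re.compile(r"<iframe\b[^>]*(?:display\s*:\s*none|(?:width|height)\s*=\s*['\"]?0)", re.I)),
    ("long-hex-escape-run",
     re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I)),
]

def scan_text(path, text):
    """Return (path, line_number, signature_name) for every matching line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings

def scan_all(files):
    """Scan a {path: contents} mapping in sorted path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings

# Constructed sample upload; clean.php uses the same functions legitimately
# and must not be flagged.
SAMPLES = {
    "theme/functions.php": "<?php\nadd_action('init', 'setup');\neval(base64_decode('ZWNobyAxOw=='));\n",
    "theme/header.php": '<html>\n<iframe src="http://example.invalid/" width="0" height="0"></iframe>\n',
    "plugin/update.php": "<?php\n$c = file_get_contents('http://example.invalid/p.txt');\n",
    "plugin/clean.php": "<?php\n$body = file_get_contents(__DIR__ . '/readme.txt');\necho base64_encode($body);\n",
}

if __name__ == "__main__":
    for path, lineno, name in scan_all(SAMPLES):
        print(f"{path}:{lineno}: {name}")
```

Line-by-line regex matching misses payloads split across lines or assembled through string concatenation, so treat a clean result from a scanner of this kind as absence of known patterns, not proof that the files are unmodified.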
Common questions
WP Scan detects code-level malware patterns: eval shells, base64 backdoors, iframe injectors, command execution functions, and obfuscation techniques used in WordPress-targeted attacks. It doesn't scan running processes or network traffic.
Yes — most WordPress hacks inject PHP into existing files (functions.php, header.php, common plugin files). WP Scan reads these files and flags the injection patterns.
Often yes. Google Safe Browsing flags sites containing obfuscated JavaScript or iframe redirects. WP Scan will identify those patterns in your theme and plugin files so you can remove them.