Threat Intel
  • 43% of all websites run WordPress — making it the #1 attack surface worldwide
  • 1 in 25 WordPress sites is actively infected with malware right now
  • 97% of CMS-based attacks specifically target WordPress plugins & themes
  • 50,000+ vulnerabilities indexed · WPScan threat database
  • 71% of hacked WordPress sites had a backdoor silently installed
  • 4,000+ plugins carry known, unpatched security vulnerabilities
  • Average breach goes undetected for 197 days — is your site clean?
  • Outdated plugins are responsible for 52% of all WordPress infections
  • SQL injection & XSS remain the top two WordPress attack vectors
  • 60% of infections exploit a vulnerability that already had a patch available
wp-scan.org
Free WordPress Security Scanner

Is Your WordPress Site
Compromised?

Deep security scan — no plugin, no signup, instant results. 22+ checks: backdoors · webshells · spam injection · malicious JS · security headers · user exposure and more.


  • 22+ security checks per scan
  • 30s average scan time
  • Free: no plugin, no signup needed
  • A–F instant security grade + fixes
How It Works

Scan your WordPress site in 4 steps

No plugin. No server access. No login. Just enter your URL and get a full security report in under 30 seconds.

1. Enter Your URL: paste any live WordPress site URL. Works with any hosting provider, worldwide.

2. Start the Free Scan: click "Scan Free". Our engine runs 22 security checks against your live site immediately.

3. Review Your Report: instant risk grade A+ to F, findings by severity, tech fingerprint, and header security grid.

4. Unlock Full Fix Guide: enter your email to unlock every finding with exact fix commands — shell scripts, PHP snippets, .htaccess rules.

22 Security Checks

What the WP scanner checks

Every scan runs all of these checks automatically — no configuration needed.

🕵️ PHP obfuscation & eval() backdoors
🔗 Hidden spam & SEO injection links
Malicious JavaScript & cryptominers
🐚 Webshells (c99, r57, alfa, WSO)
📁 Dangerous exposed files (.env, phpinfo)
🔒 Security headers (HSTS, CSP, XFO)
👤 User enumeration via ?author= & REST API
📂 Directory listing enabled
🔑 XML-RPC brute force exposure
🐛 WordPress version & outdated core
🛡️ SSL/HTTPS misconfiguration
⚙️ wp-cron public access (DoS vector)
🪲 PHP debug mode & error leakage
💥 Timthumb RCE vulnerability
🔀 Mixed content (HTTP on HTTPS)
🤖 Robots.txt security audit
🔍 Core file integrity (wp-login.php)
🎯 .htaccess exposure & redirects
📦 PHP files in /uploads/ (webshell)
🖥️ Tech fingerprint (WP, PHP, theme)
📬 Server header info leakage
🌐 readme.html & license.txt exposure
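As an added illustration of the header checks listed above (this is example code, not wp-scan.org's scanner), the Python below audits one HTTP response's headers for the HSTS, CSP, X-Frame-Options, nosniff, server-version and X-Pingback findings and maps them to a letter grade. The severity weights and grade thresholds are assumptions, and both sample header sets are constructed.

```python
"""Passive header audit for a WordPress site you administer (added example, not wp-scan.org code)."""
HIGH, MEDIUM, LOW = "high", "medium", "low"
WEIGHT = {HIGH: 3, MEDIUM: 2, LOW: 1}   # assumed severity weights
MIN_HSTS_AGE = 15552000                 # 180 days, a commonly recommended minimum

def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0

def grade_for(findings):
    """Map the summed severity weights to an A+..F grade (assumed thresholds)."""
    penalty = sum(WEIGHT[sev] for sev, _ in findings)
    for limit, letter in ((0, "A+"), (1, "A"), (3, "B"), (5, "C"), (8, "D")):
        if penalty <= limit:
            return letter
    return "F"

def audit_headers(headers):
    """Return (findings, grade); each finding is a (severity, message) tuple."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security", "")
    if not hsts:
        findings.append((HIGH, "HSTS missing: browsers may still fall back to plain HTTP"))
    elif hsts_max_age(hsts) < MIN_HSTS_AGE:
        findings.append((MEDIUM, "HSTS max-age is shorter than 180 days"))
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append((MEDIUM, "CSP missing: injected JavaScript would run unrestricted"))
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append((MEDIUM, "no clickjacking protection (X-Frame-Options or frame-ancestors)"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append((LOW, "X-Content-Type-Options: nosniff missing"))
    for name in ("server", "x-powered-by"):   # version strings make fingerprinting easier
        if any(ch.isdigit() for ch in h.get(name, "")):
            findings.append((LOW, f"{name} header reveals a version: {h[name]}"))
    if "x-pingback" in h:   # WordPress sends this on pages where pingbacks (XML-RPC) are enabled
        findings.append((MEDIUM, "X-Pingback present: xmlrpc.php is reachable (brute-force surface)"))
    return findings, grade_for(findings)

# Constructed sample header sets: an unhardened install and a hardened one.
WEAK = {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
        "X-Pingback": "https://example.test/xmlrpc.php", "Content-Type": "text/html"}
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff", "Server": "nginx"}
```

To audit a live site you own, pass `dict(resp.headers.items())` from a `urllib.request.urlopen` response to `audit_headers`.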
Is Your Site Hacked?

Signs your WordPress site has been compromised

If you notice any of these warning signs, your site may already be infected. Run a free scan to confirm and get a precise fix guide.

  • 🔴 Google shows "This site may be hacked": Safe Browsing has detected malicious content or spam links on your pages.
  • 🔴 Visitors redirected to spam or phishing sites: a hidden redirect script activates for mobile or first-time visitors.
  • 🔴 Hosting provider suspended your account: hosts automatically suspend sites sending spam or running malicious code.
  • 🟠 Unknown admin users appeared in WordPress: attackers create hidden admin accounts to maintain access after password changes.
  • 🟠 Antivirus tools or browser flags your site: tools like Sucuri SiteCheck, VirusTotal, or Chrome are blocking your site.
  • 🟠 Google Search Console shows "Security issues": GSC is reporting detected malware, deceptive pages, or harmful downloads.
  • 🟡 Spam pages indexed under your domain: your site is being used for SEO spam — casino, pharmacy, adult content.
  • 🟡 Site is unusually slow or sending unexpected emails: malicious PHP scripts are running crypto miners or spam servers on your host.
FAQ

Frequently asked questions

How do I know if my WordPress site is hacked?
Signs include: Google showing "This site may be hacked", your hosting suspending your account, visitors being redirected to spam sites, unknown admin users appearing, and antivirus tools blocking your site. Use wp-scan.org to confirm instantly — it detects backdoors, spam injection, malicious JavaScript, and webshells in 30 seconds.
Is this WordPress scanner free?
Yes. The scanner at wp-scan.org is completely free. Enter any WordPress URL and get an instant security report — no account, no plugin, no credit card required. Free scans run 22 security checks including malware detection, backdoor scanning, and security header analysis.
What does the WP scanner check for?
The scanner runs 22+ checks: PHP obfuscation & eval() backdoors, hidden spam links, malicious JavaScript, webshells (c99, r57, alfa.php), exposed .env and config files, security headers (HSTS, CSP, X-Frame-Options), XML-RPC exposure, user enumeration via REST API, directory listing, wp-cron abuse, Timthumb RCE, mixed content, WP version exposure, and more.
How long does a WordPress malware scan take?
A full scan typically completes in 15–30 seconds. The scanner makes HTTP requests to your live site to run each of the 22 security checks, then delivers an instant report graded from A+ to F.
Do I need to install a plugin to scan my WordPress site?
No. wp-scan.org is an external scanner — it checks your publicly accessible website from the outside, exactly like a hacker or Google would. No plugin, no server access, no WordPress login required. Just enter your URL.
What should I do if my WordPress site is infected?
1. Run a free scan to identify exactly what is infected.
2. Take the site offline or enable maintenance mode.
3. Change all passwords (WordPress admin, FTP, database, hosting).
4. Delete infected files identified in the report.
5. Update WordPress core, plugins, and themes.
6. Add a web application firewall.
Every finding in the report includes a specific fix guide with exact commands.
Can this scanner detect Google blacklisting?
The scanner detects the malware that causes Google to blacklist sites — injected spam links, hidden redirects, malicious JavaScript, PHP backdoors. If Google has flagged your site, a scan shows exactly what triggered it so you can fix it and submit a review request in Google Search Console.
Is it safe to scan someone else's website?
wp-scan.org only makes standard HTTP GET requests to publicly accessible pages — the same as any browser or search engine. It does not exploit vulnerabilities or access private areas. It is safe and legal to scan any site you own or manage. Do not scan sites without permission.
Ready to check your site?
Free scan · 22 checks · No plugin needed · Results in 30 seconds