Free WordPress Malware Scanner
WordPress malware is typically injected into theme or plugin PHP files as obfuscated, base64-encoded code that downloads payloads, redirects visitors, or installs backdoors. It's designed to be invisible — standard file managers won't catch it. wp-scan.org reads every PHP, JS, and HTML file in your upload and matches them against 40+ malware signatures, including eval/base64 shells, iframe injectors, and known backdoor patterns.
What wp-scan.org detects
- ✓ Base64-encoded eval() shells (the most common backdoor type)
- ✓ PHP web shells with command execution capabilities
- ✓ Injected iframe redirects to malicious domains
- ✓ Obfuscated code using str_rot13, gzinflate, or hex encoding
- ✓ Fake plugin/theme wrappers that execute hidden payloads
- ✓ Remote file fetch patterns (file_get_contents with external URLs)
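A sketch of how signature matching for four of these pattern families can work, run over a constructed sample file. This is an added example, not wp-scan.org's code or signature set; the regexes, the signature names and the sample content are assumptions made for illustration.

```python
import re

# Illustrative regexes, one per pattern family named in the list above.
# They are assumptions for this example, not wp-scan.org's signature set.
WRAPPERS = r"(?:@?\w+\s*\(\s*)*"  # nested decoder calls between eval( and the target
SIGNATURES = [
    ("eval-base64", re.compile(r"\b(?:eval|assert)\s*\(\s*" + WRAPPERS + r"base64_decode\s*\(", re.I)),
    ("obfuscation", re.compile(r"\b(?:eval|assert)\s*\(\s*" + WRAPPERS + r"(?:str_rot13|gzinflate)\s*\(", re.I)),
    ("hex-blob", re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I)),
    ("hidden-iframe", re.compile(r"<iframe\b[^>]*(?:display\s*:\s*none|(?:width|height)\s*=\s*[\"']?[01][\"'\s>])", re.I)),
    ("remote-fetch", re.compile(r"\bfile_get_contents\s*\(\s*[\"']https?://", re.I)),
]

# Constructed sample: a theme file mixing legitimate calls (lines 3, 4, 9)
# with injected lines (5, 6, 7, 10). Raw string so the \x escapes stay literal.
SAMPLE = r'''<?php
add_action('wp_head', 'theme_meta');
$cfg = json_decode(file_get_contents(__DIR__ . '/config.json'));
$img = base64_decode($row['thumb']);
@eval(gzinflate(base64_decode($_k)));
$f = "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";
$u = file_get_contents("http://updates.example.invalid/p.txt");
?>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<iframe src="http://ads.example.invalid/" style="display:none"></iframe>
'''

def scan(text):
    """Return (line_number, signature_name) hits for one file's text."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, rx in SIGNATURES:
            if rx.search(line):
                hits.append((no, name))
    return hits

if __name__ == "__main__":
    for no, name in scan(SAMPLE):
        print(f"line {no}: {name}")
```

Matching one line at a time misses payloads split across lines, and legitimate code can still match a signature, so every hit needs a manual look before anything is deleted.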
Common questions
wp-scan.org detects code-level malware patterns: eval shells, base64 backdoors, iframe injectors, command execution functions, and obfuscation techniques used in WordPress-targeted attacks. It doesn't scan running processes or network traffic.
Yes — most WordPress hacks inject PHP into existing files (functions.php, header.php, common plugin files). wp-scan.org reads these files and flags the injection patterns.
Often yes. Google Safe Browsing flags sites containing obfuscated JavaScript or iframe redirects. wp-scan.org will identify those patterns in your theme and plugin files so you can remove them.