Which WordPress Malware Scanner Can You Trust?

Jul 19, 2020

Which WordPress Malware Scanner Can You Trust?

Jul 19, 2020

Are you:

  • Worried that your WordPress site has been hacked?
  • Looking for the best WordPress malware scanner online?
  • Not sure of what malware scanner plugin to use?

Good. You’re in the right place!

Let’s get a few things out of the way as early as we can:

  • WordPress behaves weirdly sometimes.
  • And that doesn’t mean your site has been hacked.

But, you should make sure right now.

If you want to skip ahead to just making sure that you’re not hacked and that’s the only reason you came here, might as well get it over with:

Use MalCare to get a FREE scan of your WordPress site for malware now.

But if you’re here to ask, “What’s the best WordPress malware scanner?” then you should keep reading. We have a leaderboard that addresses this question and it’s up next.

Our leaderboard ranks the top WordPress malware scanner plugins and gives a way to make a quick pick.

Here’s a question, though:

Are you interested only in marketing fairy dust?

If not, you’re also going to be interested in:

  • Understanding the risks of relying on a malware scanner;
  • Knowing how popular malware scanners are not the most competent ones;
  • Why you are spending the money and investing in a particular brand;

In that case, you should definitely check out our detailed breakdown.

Why should you care?

Here’s the truth…

There’s a tidal wave of misinformation on WordPress malware scanner plugins out there.

It’s downright harmful to trust most articles on WordPress security out there.

The worst part?

It’s all too easy to get swept up in marketing fairy dust and lose a ton of money in the process.

But enough venting, let’s give you the leaderboard that you’ve been waiting for.

Our WordPress Malware Scanner Leaderboard

Let’s take a quick look at:

    • The best malware scanner in the industry,
    • The runner up in our ranking system,
    • And some other options that you should NOT fall for.


In the upcoming segments, we break down some of the top plugins in the market and look at them critically.

This does not mean that those plugins are “bad” per se. But security is a vast topic and not everyone can invest in every aspect of the business no matter how frequently they update the plugins.

At the same time, it’s easy to get complacent once you hit a certain number of users.

The objective of this article is not to demean the plugins or to assume why the plugins don’t do a better job. We are simply commenting on what can be done better and what we do better than the rest.

#1 MalCare

MalCare stands on top of the leaderboard because of the sheer depth of the scan it provides. It’s smarter than a remote scanner and lighter than a server-scanner.

Bringing together the best of both worlds, MalCare is the best choice because of:

  • Deep scanning with 100+ Smart Signals
  • Zero load on your servers
  • Pinpoints the exact malware and makes it simple to remove or clean malicious code
  • Diverse scanning options – both automatic and on-demand
  • Learning algorithm that keeps evolving
  • No false alarms
  • Auto-clean and auto-repair capabilities built in
  • Unlimited scanning and cleaning

All in all, it is highly recommended that you choose MalCare even if you have another security plugin installed. MalCare will work around other plugins as if they don’t exist.

Read How MalCare Works and Why the Malware Scanner Is So Powerful

Pricing: Starts from $99/year

Buy MalCare Now

#2 Wordfence

Wordfence is by far one of the most popular options for WordPress security. While Wordfence also has some issues in the way it handles malware scanning, this behemoth’s capabilities also has merit:

  • Server-based scanning capabilities
  • Malware signature updates and scanning
  • Full control over scan depth, frequency, and timing
  • Scans for malware in all database and files
  • Website reputation checks

We recommend Wordfence as the second option. If you already use Wordfence, then you may be quite safe. However, there are threats that Wordfence can’t find and recognize and it raises too many false alarms that require manual resolution.

To top it all off, it overloads a WordPress site and bloats the databases. In simple words, your site starts running real slow after a while.

While we have nothing but respect for Wordfence, MalCare is a better option in our books any day. Before making a financial investment we would ask you to read a little about why we put Wordfence in second place.

Read A Detailed Breakdown of How Wordfence Works and Where it Fails

Pricing: Starts from $99/year

Buy Wordfence Now

#3 Sucuri

Sucuri is one of the biggest names in the WordPress security niche. However, their free version (Sucuri SiteCheck) is painfully limited.

The scans that Sucuri SiteCheck can handle are complemented by their premium version that comes with a server-based scanner. But we will only recommend using Sucuri if you have already purchased Sucuri. In reality, their scanners are limited and flag false alarms quite a bit.

We also put Sucuri to the test with our engineers. We were shocked by how much of a let down this mega-brand actually is.

Even the premium version with its server scanner fails to catch some very basic malware.

Here’s what you can expect out of Sucuri:

  • Quick scanning for common, known malware
  • Signature scanning for quick scans
  • Emulates Googlebot to detect hidden malware with specific triggers
  • SSL Certificate Monitoring
  • Automated and manual scanning

There’s no denying that Sucuri has done a good job of being a security plugin for ages now. But times are changing.

Malware is no longer as simple as it used to be.

Sucuri simply seems to be behind the times and unable to catch up.

We do not recommend using Sucuri as your only security measure. In fact, considering the price range for Sucuri’s Premium version, we would recommend switching to MalCare instead.

Read A Detailed Breakdown of How Sucuri Works and Why it Fails

Pricing: Starts from $199/year


#4 iThemes Security

Of all four plugins that we took to comparing, iThemes is last on our list. This is simply because iThemes does not have its own security algorithm. It uses Sucuri SiteCheck’s API to provide a security scanner.

The only good thing about iThemes is the fact that it carries Sucuri’s algorithm. But even that fails as they only use Sucuri’s free scanner which lacks the depth of a server-based scanner.

In short: we do not recommend using iThemes Security.

Read A Detailed Breakdown to Understand the Limitations of iThemes Security

Pricing: Starts from $80/year

Protecting your site from hackers is not just a need. Security is your fundamental right as a business owner. And you deserve only the best.

How secure is the security solution that you want to buy? Is it even worth the money you spend on it? Should you trust a plugin simply based on the number of people using it?

That’s what we break down in the rest of this article:

Why Trust Us?

We are MalCare – a team of cybersecurity experts and WordPress developers who care about making real change in WordPress security.

Today, we are going to compare the 4 best malware scanners there are:

  • iThemes Security
  • Sucuri
  • Wordfence
  • MalCare

We’ll be doing a deep dive into how these plugins work and where each of them might be limited. Our team of WordPress engineers comprises some of the leading experts in WordPress security.

Together, we took on this exercise of comparing the plugins to prove to ourselves that we deserve the same respect as the other three on this list.

Why Should You Even Care About Getting the Best WordPress Malware Scanners?

Isn’t the plugin with a million users the best one?

Hell, no! This is something that everyone has been getting wrong forever.

Very few people actually understand WordPress security.


Simple – most people think that it’s:

  • Not essential – who would want to hack my site?
  • Too technical – it’s only for geeks to know.
  • Too vast a topic – I can’t become an expert overnight.
  • It’s boring – it’s not as cool as watching sales numbers go up.

But here’s reality for you:

  • Stealing your financial data is not the only thing that hackers are interested in. Your site could be hacked today and some hacker could be misusing it in a hundred different ways without you even realizing it.
  • To understand WordPress security you don’t need to be a bonafide coder or read every article on security there is. All you need to know is how to choose the best solution for your protection and recovery from dire situations.
  • Sales numbers are definitely the right thing to focus on. And security helps you get there safe and sound. A hacker could place malware on your site that could steal your entire traffic. Or get you blacklisted from Google. That’s where security plugins step in.

It makes us sad when security companies don’t make a conscious effort to educate their consumers about real risks and threats just so that they make a few extra bucks.

Which is why we’ll start with the most important question:

What is malware?

When a site gets hacked, the hackers can damage the site in many different ways. One of the most common things hackers do is to install malware.

“Malware can be best described as code that exploits your system resources to typically do malicious activities. In other words, malware is code that gets into your website, hides in plain view, and systematically does harm to your business.”

Akshat Choudhary, CEO of MalCare

Here’s the problem with most malware:

If you’re not a techie, it’s impossible to understand if your site is infected. Your site is made of code. Malware is a piece of code. It’s like looking for a needle in a pile of other needles.

Try finding the other one. We dare you!

Take a look for yourself:

Regular PHP Code
This is regular PHP code

Hard to understand for non-techies, right? Wait till you see the next one:

PHP malware
This is malware code written in PHP


What’s even worse is that even if you are a coder, it’s challenging to find malware manually. WordPress sites have piles of code and the malware could be literally anywhere on your site.

Hackers who install malware usually take extra care to make sure that it’s hidden completely from view.

Typically, malware infects:

  • Files
    • Core files
    • Theme/plugin files
    • Existing plugin/theme
    • New/fake plugin theme
    • Uploads
    • wp-content
    • New folder
    • Outside WordPress folder
    • Existing files/New file
      • PHP
      • JS
      • Htaccess file
      • wp-config.php
      • Or any other file
  • Database
    • Typically in posts/postmeta tables
    • Sometimes in options table
    • In rare cases in any part of database

In short: Malware can infect any file or database that is on your website. Take a look:

Screenshot of WordPress folder structure from MC dashboard

Typically, you’re looking at damage such as:

  • A hidden backdoor that makes it seem that the site is not hacked at all. Typically PHP code that allows a hacker to access a hacked site at any time.
  • SEO content such as links to illicit websites in spammy comments.
  • Redirect visitors (all/some/random/Google) to illicit websites.
  • Serve viruses to visitors’ computers using Javascript.
  • Javascript malware that steals credit card info from a WooCommerce webstore.

Over the course of this article we are going to break down the most important aspects of any WordPress security scanner plugin and help you find the best fit for your website.

Let’s dive right in.

What to Expect from WordPress Malware Scanners

One of the most important features in any security plugin is the malware scanner. The depth and intelligence of your scanner is what makes your site secure.

At the same time, a good scanner will pinpoint exactly where the problem areas are and how to clean up the site. But that’s a property associated with cleaners and not scanners.

What is a Malware Scanner?

The simplest way to put it is that a malware scanner scans files and databases on your WordPress website and finds malware that you can’t otherwise find manually.

The whole point and purpose of a malware scanner is to look for vulnerabilities in your site and spot the parts that have been compromised.

For the techies:

A WordPress malware scanner is a plugin that can be used to scan any WordPress website for:

  • Malicious code
  • Hidden iframes
  • Vulnerability exploits
  • Infected files
  • Other suspicious activities

After performing an in-depth investigation the malware scanner reports infected files, vulnerabilities, and blacklisting status so that you can clean it up.

Why Is a Malware Scanner Important for Your Business?

If you’re new to the world of WordPress security, using a malware scanner will be unchartered territory to you.

There are many ways to improve WordPress Security. But there is no foolproof way of protecting a site from getting hacked. We feel that it’s important to be the first to know when your site gets hacked. It is important to discover that your business is under attack before Google does and bans your site.

You need the best WordPress malware scanner to identify threats even before they start causing any damage at all.

But no amount of preventive measures can fully secure any website. There will always be new vulnerabilities and exploits that your existing security won’t be able to defend against.

Having a malware scanner will help you determine if some malware has slipped past your defences.

Not Every WordPress Snag Is a Hack

Think of the panic that hits you every time WordPress behaves even a little bit weirdly. The first thing that you think of is that your site has been hacked.

The thing is:

WordPress behaves abnormally on many instances even if your site isn’t hacked.

Defuse that fear and paranoia by installing a malware scanner. This way, you’ll be able to get in front of the situation and start debugging.

Wait, what?

You’re looking for the best WordPress malware scanner for your site?

OK, then!

Let’s take a quick look at how a security plugin’s malware scanner works.

We’ll leave it to you to pick one. But we’re also giving you our honest opinion.

P.S. – If your site has been hacked and you’re looking for a full cleanup, then you should read about how to use the scanner and use cleanup options before you get into the other details.

When Should You Use a Malware Scanner?

Short Answer: Always.

The malware scanner in your security plugin should always be scanning for threats throughout your website. But with most scanners, you can set the scan depth along with the schedule of the scan. This is mainly done to preserve server resources and plan for scans ahead of time.

If you installed the plugin for the first time on your site, then you should definitely go for a full site scan immediately. This will help you get a clear picture of your website’s health. Most scanners will offer an automatic scan on installation and it’s highly recommended that you take them.

After the initial scan and cleanup, you should ideally set up a powerful firewall and keep the scanner scheduled for regular scans.

P.S. – This is true no matter what plugin you go for. You should always have a clear picture of your website’s health.

What Should You Expect from a Malware Scanner?

A malware scanner can give you a bunch of useless information just to make it “look cool” or make you feel justified in spending money on nonsense.

We’re drilling down to the features that you absolutely need in a malware scanner:

  • Hack Status: A scanner will find the hack before Google does and blacklists your site. A malware scanner needs to fire a warning as soon as your site is infected.
  • Pinpoint the Malware: A hacker can install malware virtually anywhere on your site. A good malware scanner will pinpoint exactly which files and databases are infected.
  • Severity/Impact of the Infection: What kind of harm is the infection causing? What does it mean for your business? Is it a common malware or a rare one?
  • The Difficulty of Resolution: Is it easy to clean the infected files from your website? Does that require any additional access protocols? What happens to the site after the cleanup?
  • One-Click Cleanup Options: What can you do to make the cleanup process as simple as possible? Do you need some access credentials to access the cleaner from the scanner? Does the scanner even come with a cleaner?
  • Ways to Prevent it in the Future: What can you do to secure your site after the cleanup so that this doesn’t become a recurring problem? What are the chances that your site gets infected by the same malware again?

How to Use a Malware Scanner on Your WordPress Site

Ideally, you want to be able to use a malware scanner with no added action. From the moment you install the plugin, it should be up and running in the background so that you get a clear report ASAP.

You should also have access to a cleaner that will help you take clear action.

We’ll walk you through Wordfence, Sucuri, and MalCare.

Let’s take a look at each in turn.

How to Scan for Malware Using Wordfence

For Wordfence, you simply sign into the dashboard and click the ‘Launch Scan’ button:

Wordfence Test Scan

That’s pretty much it. Before you start scanning, you have to setup the plugin on your WordPress website, though.

How to Use Sucuri to Scan for Malware

For Sucuri, you want to login to the dashboard and click on ‘Enable Scanner’ before anything else.

Sucuri Malware Test

This will allow you to connect the site via FTP/SFTP:

Sucuri Connect SFTP

That’s pretty much it:

Sucuri Scanner Enabled

You keep getting automated scans as you go.

How to Use MalCare to Scan for WordPress Malware

For MalCare, you want to:

Sign In >> Click on ‘Sites’ on the top menu bar >> Select the site you want to scan >> Head over to the ‘Security’ section >> Click on the ‘Details’ button.

Once you’ve done that, you’ll see this screen:

MalCare Scan

Click on ‘Scan Site’ and you’re done!

Just a heads up: MalCare automatically scans your website once a day even if you don’t scan manually.

How Do Malware Scanners Work?

There are two ways in which malware scanners typically work:

  • Plugin-based Server Scanners
  • Remote Scanners

Both of these have very different approaches to malware scanning along with their unique pros and cons.

But in essence, both types try to achieve the same end goal – scan your website and find if it has been hacked. But they do it in very different ways and have completely opposite approaches to security.

For instance, the scanner may find malicious scripts that redirect your website traffic to another site without your permission or knowledge. It may also find files that have been edited to carry out malicious activities.

Let’s take a look at each in turn:

Plugin-Based Server Scanners

Plugin-based server scanners will go through the servers with full access from the server. This means that they have the ability to do really deep searches to identify problems even in site performance.

The downside is that they tend to hog a lot of server resources. This ultimately slows down your website’s speed and can burn a hole in your budget for using server resources that are billed based on usage.

Remote Scanners

Remote scanners mostly use cloud technology to scan websites and look for malware. The biggest advantage of using a remote scanner is that it exerts almost zero database bloat and negligible server load.

Typically, a remote scanner sends a request to the homepage of the site. It then scans the HTML elements, Javascript files, and content for known malware infections and anomalies against a huge database of known malware signatures.

Remote scanners have limited access to your website and server. Most remote scanners only look into the code that is visible on the browsers. But most malware aren’t that visible. In fact, most malware infects files and databases which cannot be seen by browsers.

This is not really ideal for security. However, the scanner operates on a cloud server instead of your servers. So, the load is significantly lower than the plugin-based scanners. As a result, the site operates smoothly and the scanner keeps running without affecting the performance at all.

Now that you understand a little more about what a malware scanner is and why you need it, it’s time to compare the top dogs in the WordPress security market.

Why We Avoid iThemes Security Like the Plague

iThemes Security simply licences uses Sucuri Sitecheck’s API to scan for known malware. It does not have its own tech to scan for malware.

Being a plugin scanner would have given it a lot of depth into each of its scans. However, the plugin uses a remote scanner to detect malware and does not have any of the advantages of Wordfence or MalCare.

So, it might be a better idea to get right into Sucuri and how it works.

Why Sucuri Was a Severe Disappointment

There are security plugins that use both types of malware scanners. For instance, Sucuri offers a cloud-based scanner called SiteCheck for free and a plugin-based server scanner with its premium version to complement SiteCheck.

Sucuri SiteCheck typically sends a request to the homepage to check the content against known signatures – this could be any content and not just comments. It also emulates Googlebot to try and understand if there is any malware that caters only to Google traffic.

Here’s how Sucuri SiteCheck works:

  • Visit the homepage and crawl all the links, javascript files, and iframes present on it
  • Check 8-10 of these links and visit them using different user agents and referrers
  • Extract and scan all javascript files and iframes
  • Check the links for malware against a database of known malware signatures
  • Compare the results for different referrers and user agents to check for hidden malware
  • Revisit the home page as Googlebot and reiterate this process
  • Check the blacklisting status against blacklisting agencies such as Google and Norton

In short, if the malware doesn’t render anything on your browser, then Sucuri SiteCheck won’t be able to see it. The real pride and joy of Sucuri SiteCheck is really their signature matching database.

Now, signature matching is based on historical data and it can’t recognize new malware, which is a huge problem.

Also, it only sees malware that affects HTML. This is flawed because the vast majority of malware do not manifest themselves in the HTML. In fact, most malware manifests itself in either the files or the database of WordPress.

The bottom line is that: Sucuri SiteCheck fails to spot almost all major malware that is even slightly complex in nature. It also does nothing to take action and repair hacked files.

Why We Feel that Wordfence Tries Hard, Means Well, But Fails

Wordfence takes the hardliner stance of only being a plugin-based server scanner. It has full access to your site and has clear visibility of all your files and your database.

This automatically means that it can offer a deeper scan than any remote scanner out there. But is that necessarily a good thing?

Here’s how Wordfence works:

  • Wordfence scans the WordPress core files and checks if it has been modified. WordPress is open-source software. So, anyone can compare to see if the contents of the files have been changed from the original files.
  • Wordfence also checks theme and plugin files against the WordPress repository
  • Wordfence also goes for signature scanning against known malware.
  • Wordfence then looks for certain keywords in the code such as BASE64DECODE or EVAL and marks the code as malware.

Javascript Malware in WordPress Site

But what does this mean?

Checking Core Files

Checking the core WordPress files is a step beyond what you get from Sucuri SiteCheck. This can find a lot of hacked files that might have been hacked because of an older version of WordPress.

On the surface, this seems to give Wordfence the edge.

But managed hosting services and WordPress installations in languages other than English often have different core files. For instance, Flywheel modifies wp-settings.php for improved functionality. This mismatch leads to Wordfence raising a false alarm.

Checking Theme and Plugin Files

Wordfence can look at public plugins and themes and check against the WP repository. It’s the exact same thing as checking the core files against a repository. Naturally, it has the same drawbacks for checking plugin and theme files.

  • For premium themes, there is nothing to compare against as the files are privately held.
  • Custom or child themes will have a different set of files that Wordfence won’t be able to recognize.
  • Premium plugins may have the same directory structure as the free version but with added or modified files.

All these will trigger false alarms from Wordfence.

In fact, here’s a popular example:

Different coding languages can have different syntaxes and grammar for something as simple as the new line feed.

But Wordfence doesn’t see what was modified – only that the files were modified and raises an alarm. In other words, if a new file is created it does not know if the file is good or bad.

Is that the extent of Wordfence’s protection?


It checks the signature, remember?

Checking Known Malware Signature

A signature is essentially a piece of code that forms the bedrock of the malware. But there is an infinite number of signatures that may exist. So, it misses the right signature quite often.

Signature checking is even more complex for JS because signatures are a lot more difficult to curate or even develop in Javascript.

Malware Signature

The worst part is that certain signatures can be part of good code or bad code. Again, Wordfence fails to understand the overall code and can end up flagging even benign code as malware.

Checking for Keywords

Keywords can certainly help narrow down the search for known malware.

But the problem is: Those keywords are present in normal code also. The mere presence of the keyword proves absolutely nothing. Also, there are lots of malware that don’t use keywords.

Malware Difference Checker

Checking the Database

But enough about files. Let’s tell you a little bit about the database.

The way signature matching works is something like this:

  • Load all known signatures on the website database
  • Keep sending database queries to check for matching signatures
  • Save the results of each database query in the database

As a result, your database will get bloated. Also, most decent managed WordPress hosting providers will charge you based on the resources consumed by your site.

So, you will end up with a slower website and pay a lot more for a slow site while you use Wordfence. This is a classic example of replacing a problem with another problem.

For these exact reasons, it offers four different scanning options based on the depth of the scan. If you have limited resources, then you should opt for the “Limited Scan” type. But then, you end up having a very superficial check.

The bottom line is that: Wordfence is that overhyped WordPress security plugin that fails to catch complex threats and cries wolf all too often. The plugin not only has some gaping holes in its security logic, but also slows your website down.

Why MalCare’s Scanner is Way Better than the “Industry Leaders

MalCare which takes a unique approach and brings you the best of both worlds. Because we started much later in the game than most industry leaders, we already knew exactly what they were doing wrong and how we could do better.

Hybrid Scanning WordPress site

MalCare syncs your website with its own servers and creates a copy of it. It then scans each file in the copy that it creates. This way, you get the depth of a plugin-based scanner with no load on your website because of the remote scanning.

Why MalCare Uses Its Own Servers

On our servers, we can run more complex algorithms than any other plugins in the market with 100+ security signals. We can do this because it’s on our servers and not yours.

Our servers are dedicated to running some pretty powerful algorithms.

If you run the same scanner on your WordPress site, it will slow down quite a bit. But since we do it exclusively on our servers, you get none of the baggage and all of the benefits!

How Does MalCare Detect Malware?

A signal can be as simple as the time when a file was modified. This alone is simply suspicious and we use it as a red flag to examine against other signals. We typically check how often the signal occurs on our network of 200,000+ sites for a better understanding.

MalCare has a learning system running that keeps getting smarter to pinpoint the most complex malware with zero false positives and high accuracy.

Let’s give you an example of how we do things better any other WordPress malware scanner in the market:

Since different versions of plugins exist, most plugins update/modify the files without updating the version.

This confuses plugins such as Wordfence.

Since Wordfence spots and flags false positives too often, you will get inundated with alarms. Imagine if you were an agency with 20+ sites all running Wordfence!

Chances are, you’ll simply start ignoring the alarms after a while because it’s a tiresome job monitoring all the malware alerts that aren’t even a real threat.

And when you get infected by a real malware, chances are that you’ll either ignore that threat too or take at least a week to resolve it.

The bottom line is: MalCare only raises an alarm only when something is wrong. So, when we send you a notification, you KNOW there’s a real threat to your site.

We scan the site once a day and send an alarm on email or Slack only when something is really wrong with your site. This way, you get notified of malicious activities before the hosting service or Google blacklists you or before the hacker does major damage to your site audience.

The best part is that MalCare gives you a one-click option to clean up your site. But that’s a whole other story.

The Final Verdict

We took on this project to decide for ourselves exactly what our competitors are doing. What we realized was that our team is in the right direction. Our network of 200,000+ websites exists because of the work we put into making MalCare the most powerful WordPress security plugin there is.

The outcome?

We can say with 100% certainty that MalCare not only serves the most important features in WordPress security but also skips the B.S. to provide real security. You know, the kind that helps our clients sleep better at night.

So, if you’re worried that Wordfence picked up on some malware that MalCare didn’t, chances are that it’s a false alarm.

Take a moment to try out our free malware scanner on your website. You may very well save your business from a hacker.

We mean it when we say that we protect your businesses. Let us do it for you.

P.S.: Have questions? Check out our FAQs page. If that sounds like a chore, talk to our amazing support team instead. We’re happy that you took the time to read our thoughts.

Would love your thoughts, please comment.x