A Short Test of WordPress Malware Scanners

WordPress is the choice of many for setting up their website. Site security measures are therefore one of the most discussed subjects in the WP community.

Security can be addressed through simple steps like changing the admin user name to more complex measures such as specialized security plugins. Regardless of all this, websites get hacked every day. It is very important to secure one’s website and equally important to identify any hacking at the earliest.

Malware can grant access to your system and compromise the security and health of your WordPress website. It is spurious in nature. This is where malware scanners come in. Malware scanners offer protection by scanning, detecting and removing malware.

Most scanners have an inbuilt malware database with file definitions and actions. This helps in malware detection. If a match is found with a file in the scanner database, the scanner will single it out and act upon it. In cases where the malware cannot be removed by the scanner the malware scanner will quarantine the malware.

Three of the most popular WordPress malware scanner plugins are Sucuri Security, Exploit Scanner and Wordfence Security.

I tried out all three. The real test of effectiveness of a malware scanner is in its ability to identify real malware. Since the test website I am installed these malware scanners has a fresh installation of WordPress, I manually introduced two different types of malware files into my website entitled bastian.php and fileman1.php. You can read more about the type of scripts I added to these files in this article.

Sucuri Security

Sucuri Security was the only plugin I installed that prodded me for the API key generation.

Sucuri Security
Sucuri Security is an effective solution for hardening a WordPress website.

The free plugin offers a basic service to check if your website is ok. I clicked on the Scan tab and the scan was completed in seconds. To my surprise, the scan did not detect either of the two. I looked around for a bit but it seemed like Sucuri had given my site and its contents a clean bill of health.

Sucuri Security site check result
The results from my first scan.

It was a bit of a let down, since both the files were showing in the audit logs in the background page.

Sucuri security background - Bastian.php
Sucuri security background – Bastian.php
Sucuri security background - Fileman 1.php
Sucuri security background – Fileman 1.php

With an ambiguous message about possible file and folder modifications in the mauve box, Sucuri is safely sitting on the fence. The message that I got was to manually check the folders in the specified locations for this scan to be sure that there was an issue.

Sucuri  Security standard instructions
Instructions from Sucuri Security.

I installed the scanner to sort the issue. Manual checking is always an option, but usually the last one. While it is nice to see changes being highlighted, I would rather the scanner show me what the issue is and where the issue is. And I would rather it showed me how to resolve the issue rather than suggesting a manual check.

Moving on, I installed a plugin from WordPress that was malware free. After activating it, I ran the Sucuri scan again.

Broken Link Checker plugin
Broken Link Checker is a WordPress plugin that will look for dead links on your website.

I was given a clean sheet this time as well, but I saw a pattern that any new installation gets an orange Warning box from Sucuri.

Orange warning box- Broken Link Checker plugin added
Orange warning box that appeared after installing Broken Link Checker plugin.

This is very similar to the mail alerts that Sucuri sends every time I log in and customize my website. I found the Sucuri free scanner performance pretty dismal.

After some more looking around, I found this:

Sucuri paid services
Sucuri’s paid services start from $9.99 per month.

There was a bouquet of services on offer. These are, however, available at a price. My guess is that there may be value in the paid options since they offer a firewall, IP blocking, post–hack, and the works. Sucuri security and the various services provided are cloud based and general reviews about the paid version are positive.

Exploit Scanner

This scanner took the longest time to scan but returned with a check of 399 odd files. A whole lot of strings were displayed which made zero sense to me.

Exploit Scanner plugin
Exploit Scanner helps you detect malware on your WordPress website.

I did not see anything malicious in my scan. Most searches described unknown files. It made me feel good that there was such thorough checking.

Exploit Scanner results
The results of my scan.

My initial joy soon gave way to disappointment. This scanner showed me 399 files which had nothing, but did not show me the two files that I knew were infected. Repeated checking of so many files, if anything, can lead to manual error since overlooking in such cases is natural.

To sum up, Sucuri and Exploit scanners seem pretty much the same to me except for the fact that the latter was quite comprehensive in its results. Neither of them were helpful in my case though.

Wordfence Security

The reviews I had read for Wordfence Security were really good, but I was keen to see all of it for myself.

Wordfence Security plugin
Wordfence Security is one of most popular security plugins for WordPress.

As soon as I installed this plugin, I got a pop up asking for my email ID so that I could receive security alerts. There are plenty of other options to choose from the menu, but you need to pay for some features such as scan scheduling.

Wordfence Security scan schedule - paid offering
Some Wordfence Security features are reserved for premium users.

Wordfence is a bit of an all-rounder, but does not have any options to scan themes or plugins, which is is contrast to Exploit Scanner which scans everything.

Wordfence Security scan result
My results from Wordfence Security.

After the scan, I received an email from Wordfence pointing out issues found on my site.

Wordfence email security alert
Wordfence Security sends an email that summarises the results from your scan.

I found Wordfence Security to be the best solution out of the three I tested, however I was still not 100% happy with the results.


Sucuri Security, Exploit Scanner and Wordfence Security, while bringing the various apparent issues to the fore, did not quarantine any questionable file. The onus of removing any suspicious file is on the person maintaining the website.

One thing is clear: There are no foolproof scanners for WordPress. Even if I were to pay for premium features, the question of how secure my website really is will always remain open ended.

Given the choices that I have now tested, Wordfence Security is undoubtedly my preferred WordPress malware scanner, however I recommend testing your website using multiple scanners from time to time to help you detect malicious files.


Featured Image Credit: “Padlock” by Alyson Hurt from Alexandria, Va., USA – Flickr. Licensed under CC BY 2.0 via Wikimedia Commons.

Nisha has 8 years of experience in the learning and development field with various conglomerates as also a passion for writing and meeting people. She is currently Manager- Marketing Communications for blogVault -a premier WordPress backup service. You can reach out to her at [email protected] Nisha is based out of Bangalore. When she is not writing or thinking about writing, you'll find her reading or spending time with her kids, doing whatever they like.
Share This