Security

WordPress Malware Scanner

Free WordPress security scanner — detects malware, viruses, exposed files, known CVEs and 30+ threats


How it works

What Does the WordPress Malware Scanner Check?

This free scanner performs over 30 automated security checks on your WordPress site and generates an instant security score from 0–100. No registration or plugin installation required — just enter your URL.

Malware & Virus Detection

  • Obfuscated JavaScript — detects eval(), base64_decode(), String.fromCharCode() and similar obfuscation patterns used to hide malicious scripts (legitimate minified libraries also use eval(), so treat a hit as a signal to review rather than proof of compromise)
  • Hidden iFrames — identifies iframes that are zero-sized or hidden with CSS, a classic drive-by download and malware injection method
  • SEO Spam Injection — finds hidden links to gambling, pharma, or adult sites that attackers inject to abuse your search rankings
  • Suspicious External Resources — flags scripts and embeds loading from known malware domains
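The four malware checks above are pattern matching over the HTML a site serves. The following Python is an added illustration written for this page, not the scanner's own code; the sample page, the blocklisted hosts and the spam keyword list are constructed for the example and stand in for the real rule sets, which the page does not publish.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (made up for this example): one instance of each
# injection pattern the scanner describes, plus one legitimate internal link.
SAMPLE_HTML = """<html><head><title>Shop</title></head><body>
<h1>Welcome</h1>
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41));</script>
<script>var p=atob("aHR0cDovL2V2aWwuZXhhbXBsZS9sb2FkLmpz");document.write(p);</script>
<iframe src="http://evil.example/drop" width="0" height="0" style="visibility:hidden"></iframe>
<div style="position:absolute;left:-9999px"><a href="http://pharma.example/buy-cheap-pills">cheap pills</a></div>
<a href="https://www.example.com/about">About us</a>
<script src="https://cdn.evil.example/tracker.js"></script>
</body></html>"""

# Assumed blocklist and keyword list for the example only.
MALWARE_DOMAINS = {"cdn.evil.example", "evil.example"}
SPAM_KEYWORDS = ("pills", "viagra", "casino", "poker", "adult", "xxx")

OBFUSCATION_RE = re.compile(
    r"eval\s*\(|String\.fromCharCode\s*\(|atob\s*\(|unescape\s*\(|base64_decode\s*\(", re.I)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ANCHOR_RE = re.compile(r"<a\b([^>]*)>(.*?)</a>", re.I | re.S)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px|font-size\s*:\s*0", re.I)


def attrs(raw):
    """Parse a tag's attribute string into a lower-cased dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}


def is_hidden(a):
    """Hidden by CSS, or sized to at most one pixel."""
    if HIDDEN_STYLE_RE.search(a.get("style", "")):
        return True
    try:
        return int(a.get("width", "1")) <= 1 or int(a.get("height", "1")) <= 1
    except ValueError:  # e.g. width="100%"
        return False


def scan_html(html, page_host):
    """Return a list of (finding_type, detail) for one page."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        a, body = attrs(m.group(1)), m.group(2)
        hit = OBFUSCATION_RE.search(body)
        if hit:
            findings.append(("obfuscated_js", hit.group(0)))
        src_host = urlparse(a.get("src", "")).hostname
        if src_host and src_host in MALWARE_DOMAINS:
            findings.append(("malware_domain", src_host))
    for m in IFRAME_RE.finditer(html):
        a = attrs(m.group(1))
        if is_hidden(a):
            findings.append(("hidden_iframe", a.get("src", "")))
    for m in ANCHOR_RE.finditer(html):
        a, text = attrs(m.group(1)), m.group(2)
        href = a.get("href", "")
        host = urlparse(href).hostname
        external = host is not None and host != page_host
        spammy = any(k in (href + " " + text).lower() for k in SPAM_KEYWORDS)
        if external and (spammy or is_hidden(a)):
            findings.append(("seo_spam", href))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, "www.example.com"):
        print(f"{kind:15} {detail}")
```

Each hit is a signal to review, not a verdict: eval() appears in legitimate minified code, and a keyword list will flag a pharmacy's own storefront. A scanner earns its keep by combining these signals with the file and configuration checks described below.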

WordPress-Specific Vulnerabilities

  • Known CVEs via WPScan API — checks detected plugins, themes, and WordPress core against the WPScan vulnerability database for publicly known vulnerabilities
  • WordPress Version Exposure — detects if your WP version is publicly visible in the generator meta tag, RSS feeds, or the OPML export, which lets an attacker pick exploits for that exact version
  • Outdated WordPress Core — flags core versions that are no longer current and have published vulnerabilities
  • User Enumeration — checks if an attacker can discover usernames via the REST API (/wp-json/wp/v2/users) or author archives
  • XML-RPC Exposure — detects whether xmlrpc.php is reachable, which exposes pingback abuse (pingback.ping used for amplification) and brute-force surfaces (system.multicall batching many login attempts into one request)
  • Open User Registration — flags if anyone can create accounts on your site (spam magnet)

Sensitive File Exposure

  • wp-config.php — checks whether the file holding your database credentials is served as readable text (a normal request executes the PHP and returns an empty page, so a 200 response alone is not proof of exposure; leftover copies such as wp-config.php.bak are the usual culprit)
  • .env files — detects exposed environment files containing API keys and secrets
  • debug.log — finds publicly readable WordPress debug logs that leak server paths and error details
  • Backup files — scans for .sql, .bak and other backup files left in the webroot
  • Git / SVN repositories — detects exposed .git or .svn directories that reveal your source code history
  • Install files — checks if wp-admin/install.php or wp-admin/upgrade.php are still accessible after installation
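The file-exposure checks above are all the same procedure: request a path and decide whether what came back is the real file, a WordPress 404, or a catch-all page that answers 200 to everything. The Python below is an added illustration for this page, not the scanner's code; the content signatures are my own choices, and the fake site that stands in for the network is constructed for the example.

```python
import re

# One content signature per probed path. A 200 without the signature is treated as
# a "soft 404" (or, for wp-config.php, as PHP that executed normally), not as exposure.
# Signatures are assumptions for this example; the scanner's real rules are not published.
PROBES = {
    "wp-config.php":        re.compile(r"define\(\s*['\"]DB_(NAME|USER|PASSWORD)['\"]"),
    "wp-config.php.bak":    re.compile(r"define\(\s*['\"]DB_(NAME|USER|PASSWORD)['\"]"),
    ".env":                 re.compile(r"^[A-Z_]+=.*$", re.M),
    "wp-content/debug.log": re.compile(r"^\[\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2} UTC\] PHP", re.M),
    ".git/HEAD":            re.compile(r"^ref: refs/heads/"),
    ".svn/entries":         re.compile(r"^\d+\s*$", re.M),
    "wp-admin/install.php": re.compile(r"<h1>Welcome</h1>|Already Installed", re.I),
    "backup.sql":           re.compile(r"^(--|/\*!|CREATE TABLE|INSERT INTO)", re.M),
}


def classify(path, status, body):
    """Map one probe response to a verdict; only 'exposed' is a finding."""
    if status in (401, 403):
        return "forbidden"        # file may exist but the server blocks it: fine
    if status == 404 or status >= 500:
        return "not_found"
    if status == 200:
        return "exposed" if PROBES[path].search(body) else "no_signature"
    return "other"                # redirects etc.; follow them in a real scanner


def scan_files(base_url, fetch):
    """fetch(url) -> (status, body). Injected so the scan can run against a fake site."""
    results = {}
    for path in PROBES:
        status, body = fetch(f"{base_url.rstrip('/')}/{path}")
        results[path] = classify(path, status, body)
    return results


def exposed_paths(results):
    return sorted(p for p, v in results.items() if v == "exposed")


# Constructed fake site (not real data): wp-config.php executes normally and returns
# an empty 200, a forgotten .bak copy is served as text, .git/HEAD is readable,
# debug.log is blocked, and everything else gets a catch-all 200 "not found" page.
FAKE_SITE = {
    "/wp-config.php": (200, ""),
    "/wp-config.php.bak": (200, "<?php\ndefine( 'DB_NAME', 'wp_prod' );\ndefine( 'DB_PASSWORD', 'hunter2' );\n"),
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/wp-content/debug.log": (403, "Forbidden"),
}


def fake_fetch(url):
    path = url[len("https://blog.example"):]
    return FAKE_SITE.get(path, (200, "<html><title>Page not found</title></html>"))


if __name__ == "__main__":
    results = scan_files("https://blog.example", fake_fetch)
    for path, verdict in results.items():
        print(f"{verdict:13} {path}")
    print("exposed:", exposed_paths(results))
```

The signature step is what keeps the check honest: on the fake site every unknown path returns 200, and a status-only scanner would report eight exposures instead of two. Only the .bak copy and .git/HEAD carry the content that makes them a real finding.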

Security Configuration

  • Security Headers — checks for Content-Security-Policy (CSP), HSTS, X-Frame-Options, and X-Content-Type-Options
  • HTTPS Redirect — verifies HTTP requests are properly redirected to HTTPS
  • Directory Listing — detects if /wp-content/uploads/ or /wp-includes/ expose file listings
  • Server Info Disclosure — checks if the web server or PHP version is leaked in HTTP response headers such as Server or X-Powered-By
  • REST API Surface — audits custom REST namespaces and unauthenticated write-capable routes
  • Admin AJAX — checks if admin-ajax.php leaks information to unauthenticated requests
  • Error Disclosure — detects PHP errors and database errors printed publicly on pages
  • Mixed Content — finds HTTP resources on HTTPS pages that trigger browser security warnings
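For the header, disclosure and mixed-content checks above, the following Python is an added illustration for this page, not the scanner's code. It grades one response's headers (including parsing the HSTS max-age and looking for 'unsafe-inline' in the CSP) and scans a page for HTTP resources loaded from an HTTPS page. The weak and hardened header sets are constructed for the example, and the 180-day HSTS threshold is my own choice.

```python
import re

HSTS_MIN_SECONDS = 180 * 24 * 3600   # assumed threshold for this example


def audit_headers(headers):
    """Return a list of (severity, message). Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("medium", "missing Content-Security-Policy"))
    elif "script-src" in csp and "'unsafe-inline'" in csp:
        findings.append(("low", "CSP allows 'unsafe-inline' scripts"))

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("medium", "missing Strict-Transport-Security"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_SECONDS:
            findings.append(("low", "HSTS max-age shorter than 180 days"))

    # Either header stops framing; CSP frame-ancestors is the modern form.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(("medium", "no clickjacking protection (X-Frame-Options or CSP frame-ancestors)"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "missing X-Content-Type-Options: nosniff"))

    # A bare product name is fine; a version number is the disclosure.
    for name in ("server", "x-powered-by"):
        if re.search(r"\d+\.\d+", h.get(name, "")):
            findings.append(("low", f"{name} header discloses a version: {h[name]}"))
    return findings


# Active content fetched over plain HTTP from an HTTPS page.
MIXED_RE = re.compile(r"""<(?:script|img|iframe)\b[^>]*\bsrc=["'](http://[^"']+)""", re.I)


def mixed_content(page_url, html):
    """List http:// resource URLs on an https:// page; nothing to flag on an http:// page."""
    if not page_url.startswith("https://"):
        return []
    return MIXED_RE.findall(html)


# Constructed header sets for the example: a typical default and a hardened one.
WEAK = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED = {
    "Server": "Apache",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs))
    print(mixed_content("https://blog.example/", '<img src="http://cdn.example/a.png">'))
```

Note that the mixed-content pattern only looks at src attributes of script, img and iframe tags; stylesheets and other link tags need their rel value checked first, or an alternate or canonical link would be reported as a loaded resource.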

Note: Only scan websites you own or have explicit permission to scan.

Frequently asked questions

Is this WordPress malware scanner free?
Yes, completely free with no registration required. Enter your WordPress site URL and get an instant security report with over 30 automated checks, a security score, and actionable fix recommendations.
Is the scan safe — will it affect my website?
Yes. The scanner only performs read-only checks by requesting public pages and files, exactly as a regular visitor or search engine would. No changes are made to your site, no files are written, and no admin credentials are required.
How long does a WordPress security scan take?
Most scans complete in 1–3 minutes. Scan time depends on your site's size and server response speed. The scanner crawls up to 30 pages by default and runs all security checks in parallel.
What does the security score mean?
The security score ranges from 0 to 100. A score of 90–100 means your site is well-protected (Guardian or Defender tier). 70–89 means minor issues to fix (Vigilant). 50–69 means notable risks requiring attention (Caution). Below 50 means serious vulnerabilities that need urgent action (At Risk or Critical).
Does the scanner check plugins and themes for known vulnerabilities?
Yes. The scanner detects which plugins and themes are installed on your site by analysing the page source (for example, asset URLs under /wp-content/plugins/ and /wp-content/themes/ and the ?ver= parameter on them), then cross-references them against the WPScan vulnerability database, which catalogues CVE IDs and other published advisories for WordPress components. This requires a WPScan API key configured on the server.
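The fingerprinting described in this answer, and the version-exposure and user-enumeration checks listed under "WordPress-Specific Vulnerabilities" above, all come down to extracting structured facts from a page and a REST response. The Python below is an added illustration for this page, not the scanner's code; the sample HTML and the /wp-json/wp/v2/users response are constructed for the example. The (kind, slug, version) tuples it produces are the inputs you would then look up against WPScan.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed page source (made up for this example) with a generator tag,
# one theme and two plugins, plus a core asset that must not be reported.
SAMPLE_HTML = """<!doctype html><html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel='stylesheet' href='https://blog.example/wp-content/themes/astra/style.css?ver=4.6.3' />
<script src='https://blog.example/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.8.4'></script>
<script src='https://blog.example/wp-content/plugins/woocommerce/assets/js/frontend/cart.min.js?ver=8.3.1'></script>
<script src='https://blog.example/wp-includes/js/jquery/jquery.min.js?ver=3.7.1'></script>
<link rel="https://api.w.org/" href="https://blog.example/wp-json/" />
</head><body></body></html>"""

# Constructed body of an unauthenticated GET /wp-json/wp/v2/users response.
# 'slug' is the user_nicename, which WordPress derives from the login name by default.
SAMPLE_USERS_JSON = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin", "link": "https://blog.example/author/admin/"},
    {"id": 2, "name": "Jane Editor", "slug": "jane", "link": "https://blog.example/author/jane/"},
])

GENERATOR_RE = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']WordPress\s+([\d.]+)""", re.I)
ASSET_RE = re.compile(
    r"""(?:src|href)=["']([^"']*/wp-content/(plugins|themes)/([^/"']+)/[^"']*)["']""", re.I)


def fingerprint(html):
    """Return (core_version_or_None, {(kind, slug): version_or_None})."""
    m = GENERATOR_RE.search(html)
    core = m.group(1) if m else None
    components = {}
    for url, kind, slug in ASSET_RE.findall(html):
        ver = parse_qs(urlparse(url).query).get("ver", [None])[0]
        key = (kind.rstrip("s"), slug)          # "plugins" -> "plugin"
        # ?ver= is usually the component version, but some plugins stamp the core
        # version or a cache-buster instead, so keep the first one seen as a hint.
        components.setdefault(key, ver)
    return core, components


def enumerate_users(users_json):
    """Login names leaked by the users endpoint; [] if it returned a non-JSON error page."""
    try:
        data = json.loads(users_json)
    except ValueError:
        return []
    if not isinstance(data, list):
        return []                               # e.g. a rest_forbidden error object
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]


def lookup_keys(core, components):
    """Flatten to (kind, slug, version) rows, the shape a vulnerability lookup needs."""
    rows = [("core", "wordpress", core)] if core else []
    rows += [(kind, slug, ver) for (kind, slug), ver in sorted(components.items())]
    return rows


if __name__ == "__main__":
    core, comps = fingerprint(SAMPLE_HTML)
    for row in lookup_keys(core, comps):
        print(*row)
    print("usernames:", enumerate_users(SAMPLE_USERS_JSON))
```

A site that hides the generator tag but leaves ?ver= on its assets is still fingerprinted, which is why the version-exposure check is a low-severity hardening item while outdated components are the finding that actually matters.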
What if malware or a virus is found on my site?
Each finding includes a plain-English description of the threat, its location, and a step-by-step recommendation for fixing it. Common remediation steps include removing malicious files, updating WordPress core or plugins, blocking sensitive file access in .htaccess, and restoring from a clean backup.
Why is my site flagged even though I just updated everything?
Updates fix known software vulnerabilities but don't address configuration issues. Many findings — like missing security headers, exposed wp-config.php, open user registration, or directory listing — are configuration problems unrelated to plugin versions. Review each finding individually for targeted fixes.
Can I scan any WordPress website?
You may only scan websites you own or have explicit written authorisation to test. Scanning third-party websites without permission may be illegal under computer crime laws in your jurisdiction.
How often should I scan my WordPress site for malware?
We recommend scanning at least once a month, and after every major update (WordPress core, plugins, or themes). Sites running e-commerce, accepting payments, or handling user data should scan more frequently — weekly if possible.
What is the difference between Critical, High, Medium, and Low severity?
Critical findings (e.g. malware injection, exposed wp-config.php) require immediate action — they indicate active compromise or direct data breach risk. High findings are serious vulnerabilities that attackers can exploit. Medium findings are configuration weaknesses that increase attack surface. Low findings are best-practice improvements with minimal immediate risk.