Skip to content

WordPress: Malware scanning & security plugin [Malware / Virus detection and removal]

A plug-in that checks (detects and confirms) WordPress site tampering, hijacking, hacking, malware, and virus infections.

WordPress Doctor malware scanner plugin is that checks and detects WordPress site codes from 3395patterns of malicious code (malware, virus, falsification, hacking damage) .
Malware patterns are constantly updated on our servers and can be detected with the latest pattern definitions.

WordPress Doctor: Malware scan is a plug-in that not only detects tampering, but also determines whether hackers embed malicious code .

WordPress with top-class security features that prevent hacking

The plug-in has 26 easy-to-use WordPress security enhancement function that can be used free.
This is one of the most powerful security plug-ins that can also prevent hackers from entering and detect malware.

Download plugin for free

Malware scanner plug-in overview

Scan entire WordPress site files with latest malware definition patterns

WordPress Doctor’s cloud server stores the latest malware patterns that are increasing every day.
From this patterns this plugin scans WordPress files and investigates and detects files that have been tampered by hackers.

When WordPress is hijacked, you can check the location of the file and where it has been tampered with.

Pattern match, definitive diagnosis

the test results are displayed in two stages as a pattern match(Programatically search files for malware code) and definitive diagnosis(If the detected location has already been identified as an malware code by a specialist).

Detection position highlighting

Highlights which part of the code contains malware.

Auto scan, email notification

Automatically scan for malware at your preferred time. It also notifies you by email when malware is detected.

Download plugin for free

Security improvements

The WordPress Doctor Malware Scanner has a powerful site security enhancement feature that you can use for free.
Also, this function can be easily set by anyone just by checking.

Login LockDown

Blocks login for 10 minutes after 3 repeated login failures. This function can reduce the risk of hacker incursion by a brute-force attack on the login display.

Login captcha

Displays captcha on the login display. Adding questionnaire on the login display can reduce the risk of hacker incursion and prevent administrative rights from being deprived.

Password reset captcha

Displays captcha on the password reset display to prevent hacking that utilizes fragility of mail transmission program on the display.

Change login page URL

Prevents hackers from accessing the login page by changing the login page URL.

Login log function

You can save up to one month of logins with administrator privileges to check for unauthorized logins.

Prevent leakage of WordPress version (This plug-in only original function)

Hackers try to find out WordPress version to utilize the fragility. Hides the information by disabling meta generator output and query (numeric variable of the version which is given to CSS or JS read into HTML).

Protect important files

Prevents any access to htaccess and wp-config.php

Protect server information

Prevents any access to readme.html, license.txt and wp-config-sample.php which consist WordPress or plugins and may contain version or server information. Also restricts server signature which outputs server information.

Prohibit display of Index list

Disables display of file list when accessing a directory which does not contain any index file, such as Index.html.

Prohibit WPSCAN

WPSCAN is a fragility checker for WordPress which is used by many hackers for a pre-survey. Hides version information or block certain IP for a while when the IP tried to access specified file, to disable WPSCAN.

Ban brute-force attack IP to XMLRPC and wp-login

Disables accessing for 3 hours of the IP which tried to access XMLRPC or wp-login for more than 50 times in 10 minutes. Since this function detects only excessive access, it can be used with Jetpack and also reduces the load of the website by preventing brute-force attack.

Permission (write permission of files)

Write permission of files is fragile. Please replace the particulars indicated in red or yellow in the left table with recommended permission.

Prohibit editing of themes and plugins

Disables editing of themes and plugins from the administration display.

Protect author information

Prevents WordPress from outputting user information based on accesses from a particular query, such as /?author=1.

Prohibit Pingback

Disables Pingback; notification function of WordPress, which has a risk of being utilized for high-intensity attack with multiple accesses or of information leak about username, etc.

Prohibit REST API

REST API is loaded into WordPress 4.7 or later which enables outside posting, information aquisition, modification and addition of posts, etc. However, it has great fragility in some versions and may be subjected to other misuse in future.
Its function is utilized in some famous plugins such as Jetpack and ContactForm7, therefore disables all Jetpack and ContactForm7 functions except REST API.
If enables its function while using REST API in other plugins, some kind of malfunction may occur.

Prohibit Trace & Track

Prevents attacks utilizing Trace & Track function of the server (unique processing method of requests sent to the server) such as HTTP trace attack (XST) and cross site scripting (XSS).

Include file protection, Block danger query

Protect direct access to include php files in wp-include folder and other. Block danger queries that contains script tag or GLOBAL or mysql queries.

Prohibit comment posting via proxy

Prohibits comment posting via proxy by judging from header information unique for the proxy users.

Comment form captcha

Prevents automatic comment posting by adding captcha to the comment form. It may not be displayed in particular themes which display customized comment form.

Prohibit comment posting by spambots

Spambot is a program which posts comments automatically and does not have any referrer. Prevents comment posting by spambots by disabling posting from viewers who have no referrers.

Block any IP

Access from any computer can be restricted by IP.

Download plugin for free

Remove or delete WordPress malware

In addition to the malware detection, you can remove and delete detected malware and viruses from the WordPress management screen.

* When removing malware, please be sure to check the “Notes on removing malware” displayed on the plug-in screen.

WordPress vulnerability testing

This vulnerability check checks for the most dangerous vulnerabilities (CVSS 7.5 points ~).

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
CSVV 7.5 points or more are vulnerabilities that enable extremely dangerous activities on the site that can be used to rewrite the database or tamper with the file without authentication outside the site.
These vulnerabilities may be the entrance to repeated site tampering.

Block hacker activity before tampering

Hackers exploit PHP functions using backdoors and vulnerabilities to send malicious code remotely.

This is a feature that allows hackers to monitor and prevent activities before sending malware to the site for tampering. If you use this function, you can detect and block immediately before tampering.

Blocked hacking activity is recorded with the hacker’s IP, so it is possible to completely block hackers using this IP.

* You can use this function by subscribing to the latest malware patterns.

Download plugin for free

How to install and use the malware scanner plugin

1 Install

Once the malware scan ZIP file has been downloaded, save it and click on Plugins> Add New> Upload Plugin from the WordPress administration screen.

Select the ZIP file downloaded and click Install Now to activate the plugin.

* It can also be installed by unzipping the downloaded ZIP file and uploading it to the wp-content / plugins / folder with FTP software.

2 Scan for malware

Click sidebar> Malware Scan on the management screen, click “scan now” on the upper right.

3 Settings

The following settings can be made from the “Settings” tab.
● Automatic scan and automatic scan start time (may be executed multiple times from the start time until all files are scanned)
● E-mail notification when detect malware (e-mail notification is not performed by default)
● Display alerts at the time of detection on the dashboard of the management screen



Auto scaning does not start at the scheduled time.

Auto scaning of malware scanner uses the auto-execution function of WordPress. This function is triggered only when there is an access to the website.
If there is no access in the scheduled time zone, execution of auto scaning may be delayed.


The execution time of malware scanning depends on the number of files. If there are a lot of files to be scanned, scanning may take several minutes at least, or more than 10 minutes to complete.

Can I switch the screen during scanning?

Scanning will be stopped, but the files are scanned properly and are recorded up to that point. Please restart scanning or wait until auto scaning is completed.

Login captcha is not displayed, or captcha value is not accepted.

Due to using Jetpack single sign-on function or caching plugin together, cached login screen without captcha or login screen including old captcha (captcha is generated at every access to the login screen for security) may be displayed. In this case, please create a URL as follows and try to access.

http://URL of WordPress/Changed login URL?jetpack-sso-show-default-form=1

If you have changed wp-login.php and login URL with a caching plugin, it is recommended not to cache the changed URL.

What if malware is detected?

When a malware is found by scanning only with pattern matching, there is a possibility of misdetection. Please consider waiting until the code is reviewed.
Please note that the website has been tampered when some files are judged as malware as a result of definitive diagnosis of individual files.
Removal of malware requires technical knowledge. It is recommended to ask an expert, but pay attention especially to the following points when you manage it by yourself.

● If the malware is infesting the file originally consists WordPress, please delete only the tampered parts carefully.
● If the file is not a regular file of WordPress, the entire file can be deleted without any problem.

However, if the tampered file is read by another tampered file, deletion of the tampered file may cause errors to the caller and may lead to malfunction such as undisplayable website. In that case, investigation of the caller and deletion of its tampering are required.



Plug-in usage requirements

WordPress version: 4.3 or higher (4.5 or higher recommended)
PHP version: 5.3 or higher

Download plugin for free

Disclaimer: We do not guarantee the accuracy of the result of WordPress Doctor: Malware Scan Plugin. In addition, we are not responsible for any damage to users, other indirect servers, any items, or data by using this tool. In order to scan the malware found by us after installation, you need to subscribe the malware definition. Please use WordPress Doctor: Malware Scan Plugin with kind understanding and acknowledgement that it acquires a part of inspection data for the purpose of accuracy improvement.
Prohibited matters (licensing): Many of the functions of this plug-in can be used free of charge. But using this plug-in to get compensation from customers (Providing other companies with paid malware scanning and removal services) is prohibited. If you violate this clause, you agree to charge 400 $ per site. If you are interested in doing business like this, please contact us and conclude a licensing agreement.

WordPress Malware Scanner plugin – English version can be download from here.