WordPress malware investigation

How can I know for sure if my WordPress site has malware?

How can I know for sure if my WordPress site has malware?

Knowing for sure whether a WordPress site has malware is rarely possible from one quick scanner run. Some infections are obvious: redirects, Google warnings, unknown administrators or spam pages. Others stay quiet and activate only for Googlebot, mobile visitors, search traffic or users from specific locations.

A site can also appear clean while a backdoor, fake plugin, hidden administrator or scheduled task remains. Those leftovers can bring the infection back days later, even after visible malware is removed.

The real question is not only "did a scanner find something?" It is also "is there still a path for the attacker to return?"

Visible signs of infection

Strong indicators include:

If the site is actively compromised, first follow the first 30 minutes response plan. After containment, move to deeper validation.

Why a clean-looking site may still be infected

Attackers do not always cause visible damage immediately. Often they only need persistence: a way to return later.

Common hidden leftovers include:

This is why sites can be "cleaned" and then reinfected. See our guide on why WordPress gets reinfected after cleanup.

File-level checks

Start with unusual locations:

wp-content/uploads/
wp-content/cache/
wp-content/mu-plugins/
wp-content/plugins/
wp-content/themes/

Executable PHP files usually do not belong in uploads. The mu-plugins directory is especially important because files there load automatically and may not appear like ordinary plugins.

Suspicious code patterns include:

eval(...)
base64_decode(...)
assert(...)
shell_exec(...)
passthru(...)

Do not rely only on file timestamps. Modification times can be forged, and attackers may set malicious files to old dates.

Database checks

Inspect:

Malware does not always live in files. Sometimes a malicious script is stored in the database and printed into every page by a legitimate-looking plugin or theme function.

Why a scanner is not enough

Scanners are useful, but they rely on patterns. New, obfuscated, conditional or plugin-embedded malware can be missed. That is why Wordfence can say the site is clean while malware remains.

A stronger conclusion needs multiple evidence sources:

How to reach high confidence

You can be close to confident when:

If you want certainty, choose WebShield WordPress protection. After cleanup, ongoing logging, backups, monitoring and expert response help ensure the site is not only clean once, but remains protected.

Conclusion

A WordPress site is not necessarily clean just because the homepage looks normal or a scanner reports no issue. Backdoors, fake plugins, unknown administrators, database injections and scheduled tasks can bring malware back. A reliable answer requires file, database, permission and log analysis.

Want to avoid the next WordPress infection?

WebShield helps with continuous protection, backups and logging so reinfections are easier to prevent.