Free WordPress
Malware Scanner.
Enter your site and we'll check what it serves publicly for injected code, hidden iframes, crypto-miners, spam, exposed files, an outdated WordPress version, and its Google blocklist status. No login, no plugin, results in seconds.
Want a definitive, server-side deep scan? A remote scan can't read your core WordPress files — only code running on your server can confirm and clean a core-file infection. That's what our WordPress Care team does.
Get a Deep Scan & CleanupWhat a free remote scan
can find from the outside.
Injected & obfuscated code
Hidden eval/base64 script blobs, document.write payloads, and injected external scripts — the classic signs of a compromised theme or plugin.
Hidden iframes & miners
Zero-size iframes loading from suspicious hosts and in-browser crypto-miners that quietly hijack your visitors' CPUs.
Spam & malicious redirects
Pharma and Japanese-keyword SEO-spam injections, plus off-site meta and script redirects that hijack your traffic.
Exposed sensitive files
Publicly downloadable wp-config.php.bak, .env, debug logs, and exposed .git directories that leak credentials and source.
Vulnerable WordPress version
A publicly advertised WordPress version, an exposed readme.html, and versions with known, documented security holes.
Blocklist reputation
Whether Google Safe Browsing currently flags your domain as unsafe — the red warning screen that scares visitors away.
What a free scan can't see.
A remote scan is a black box. It can only read what your site chooses to serve over HTTP, so it surfaces symptoms: an injected redirect on the homepage, a version with known holes, a backup file left downloadable. That's genuinely useful, and it's free.
What it can't do is read your server's actual files. Confirming your WordPress core files are clean means hashing every one of them and comparing against the official WordPress.org checksums to find anything tampered with or injected. That requires code running on your server, which is exactly what a URL-only tool can't reach.
That deep, core-file integrity scan, and the cleanup that follows, is the piece people actually pay for. It's part of our WordPress Care service: we run it as a one-time engagement to remove malware and close the hole, or on an ongoing monthly plan so it never gets that far again.
WordPress Malware Scanner
Questions
Yes. The remote scan is completely free and needs no login or plugin. It checks what your site serves publicly for injected scripts, hidden iframes, crypto-miners, spam injections, exposed sensitive files, an outdated WordPress version, and its Google Safe Browsing reputation. A deeper server-side scan that reads your actual core files is part of our paid WordPress Care service.
From the outside, a scanner can only inspect what your site serves over HTTP: injected or obfuscated JavaScript, hidden iframes loading from suspicious hosts, in-browser crypto-miners, pharma and Japanese-keyword spam, web-shell markers, off-site redirects, publicly exposed files like wp-config.php.bak or .env, a WordPress version with known vulnerabilities, and blocklist status. It cannot read your server's PHP files.
A URL-only scan is a black box. Reading and verifying the integrity of your WordPress core files requires code running on your server, which no external tool can do without access. That deep, core-file integrity scan — hashing every file against the official WordPress.org checksums to find tampered or injected files — is the paid WordPress Care deliverable.
Not guaranteed. A clean remote scan means nothing malicious is visible in what your site serves publicly, which is a good sign, but sophisticated infections can hide from outside view, cloak themselves from scanners, or live in files a remote scan can't reach. For a definitive answer, a server-side deep scan is required.
Only scan sites you own or are authorized to check. The tool is a security aid for site owners, not a reconnaissance tool. Scans are rate-limited and require you to confirm ownership before running.
Where we work in the Twin Cities
Headquartered in downtown Minneapolis. Dedicated landing pages for the suburbs we work in most often.
Plus Wayzata, Saint Louis Park, Richfield, Hopkins, and the broader 7-county Twin Cities metro on a project basis.