Detecting suspicious code within a site isn’t always that simple and can easily go unnoticed. Thankfully, our 5-star Defender plugin is well equipped to find malware, let you know about it, and eliminate it with brute force. See how it’s done in this tutorial.
Looking for a convenient and hassle-free way to locate and delete suspicious code from your sites?
In this tutorial we’re showing you, step-by-step, how Defender‘s vast suite of security features can help banish and keep suspicious code at bay.
You’ll also learn how to keep your sites protected from these kinds of issues going forward.
For reference, here are the 7 talking points we’ll be covering (feel free to jump to any specific section!):
- How to Scan Your Site for Malicious Code
- Deleting and Ignoring Issues
- Taking Care of Issues in Bulk
- Watching Out for False Positives
- Control Which Files To Scan With ‘Scan Types’
- Notifications of Suspicious Activities
- How to Schedule Regular Scans of Your Site
Let’s get into it.
1. Start By Scanning Your Site for Malicious Code
Scanning your site for malicious code can be achieved through Defender’s dashboard under Malware Scanning. Here, you can see when your last scan was, any issues, and more.
The New Scan button kicks things off. Defender will then scan your WordPress core files for any suspicious code modifications or additions.
Once started, it generally only takes a few moments, depending on the size of your site.

Defender discloses the exact issue(s) and tells you what they are under the Issues tab.

[…]
This article was written by Nathanael Fakes and originally published on WPMU DEV Blog.