Your website is your online home.

It makes sense that you should treat it the same way as you would your actual home when it comes to security.

Even if you don’t have an advanced security system, you wouldn’t just leave your doors wide open at night and hope that nobody would come in. And you wouldn’t just leave the keys to your house lying about.

Now, shift your mind to your website.

Are the doors wide open? Are you using a security plugin to keep the evil-doers at bay?

What about backup? If the worst happens, would you be able to restore your website easily using a backup plugin or would the only solution be to start everything from scratch?

Cybercrime is very real. And the threat grows larger every day, especially when it comes to WordPress. Since it’s a very popular platform, it’s often the target of many hackers. And they love nothing more than an unsecured website.

If you’re still using admin as your username and the name of your first pet as a password, or you fail to keep your plugins and themes up to date, you, my friend, are extremely vulnerable to a hacker’s attack.

In fact, you could potentially already have malware on your website.

See, when people think of a hacked website, most of them picture an image that says “This website has been hacked by so and so”. That’s known as defacement and in reality, it doesn’t happen that often.

Today’s hackers are much more sophisticated and they often plant malware on your site and then wait until the perfect moment.

They could be:

  • Phishing for usernames, passwords, emails or other important information you’d rather not share with the rest of the world.
  • Injecting scripts on your website which make your visitors download malware/trojans/viruses.
  • Inserting code which sets up a backdoor to your computer, steals input information from forms, and carries out similar nefarious activity.
  • Redirecting your visitors to a site with malware.

In such cases, visiting your website is not enough.

You could be fooled into thinking everything is okay, because your site might appear normal, especially if the hacker knows your IP address and has implemented code that makes your website appear normal to you. While you’re thinking you’re safe, they could be doing any of the things mentioned above.

In the long run, this can lead to your website being marked as unsafe and de-indexed by Google. That’s why it’s important to do a proper check and scan your website for malware on a regular basis.
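One way to check for the kind of cloaking described above is to compare what the same URL returns to different kinds of visitors. The following is an added example, not part of the original tutorial or of Sucuri's tooling: the profile names, hostnames and responses are constructed samples, and a difference is only a lead to review, since legitimate sites can also vary by visitor.

```python
import re
from urllib.parse import urlparse

# Matches the src attribute of <script> and <iframe> tags.
SCRIPT_SRC = re.compile(r'<(?:script|iframe)[^>]+src=["\']([^"\']+)["\']', re.I)

def external_hosts(body, site_host):
    """Hosts the page loads scripts or iframes from, other than the site itself."""
    hosts = set()
    for src in SCRIPT_SRC.findall(body):
        host = urlparse(src).hostname  # None for relative URLs
        if host and host != site_host:
            hosts.add(host)
    return hosts

def redirect_host(resp, site_host):
    """Off-site host that a 3xx response redirects to, or None."""
    if 300 <= resp["status"] < 400:
        host = urlparse(resp.get("location", "")).hostname
        if host and host != site_host:
            return host
    return None

def compare_profiles(responses, site_host, baseline="owner"):
    """Report what each visitor profile sees that the baseline profile does not."""
    base = responses[baseline]
    base_hosts = external_hosts(base["body"], site_host)
    findings = []
    for name, resp in responses.items():
        if name == baseline:
            continue
        target = redirect_host(resp, site_host)
        if target and target != redirect_host(base, site_host):
            findings.append((name, "off-site redirect", target))
        for host in sorted(external_hosts(resp["body"], site_host) - base_hosts):
            findings.append((name, "extra script/iframe host", host))
    return findings

# Constructed sample: one URL as seen by three visitor profiles.
SAMPLE = {
    "owner": {"status": 200, "body": '<script src="/wp-includes/js/jquery.js"></script>'},
    "search_visitor": {"status": 302, "location": "https://redirect.example.net/landing", "body": ""},
    "mobile": {"status": 200, "body": '<script src="/wp-includes/js/jquery.js"></script>'
                                      '<script src="https://cdn.example.org/x.js"></script>'},
}

if __name__ == "__main__":
    for finding in compare_profiles(SAMPLE, "www.example.com"):
        print(finding)
```
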

If you’re just starting to implement WordPress security measures, it’s important to run a preliminary scan to make sure your website doesn’t already contain malware.

In this post, I’ll show you how to use Sucuri to scan your site for malware.

What you will learn in this tutorial

  • What Sucuri is
  • How to scan your website for malware with Sucuri

Tutorial information

Difficulty: Intermediate

Time Required: 30 minutes

Content Management System: WordPress (self-hosted)

Tools Required: Sucuri ($)

Alternatives: None that we’ve personally used

Other Requirements: None

Summary of tutorial:

  • Scan your website for malware with Sucuri SiteChecker
  • Scan your website for malware with Sucuri Security
  • Using Sucuri to remove malware

What is Sucuri?

Sucuri has a great reputation as an effective security and malware scanning solution. They offer an online security scanner which will scan your website for common issues completely free of charge.

They also offer a WordPress plugin called Sucuri Security which will actively monitor your website and notify you if it finds any issues.

They offer paid versions of their products and services as well, which we will touch on later.

For now, let’s take a look at how to use their free tool to scan your website for malware.

How to scan your website for malware with Sucuri

You can use their online scanner to scan your website for potential malware or you could use the plugin to do the same. We’ll go over both methods.

Scan your website for malware with Sucuri SiteChecker

Scanning your website with the online checker is dead simple. Simply go to Sucuri SiteChecker and enter your website address, then click on Scan Website. Let the scan finish and you will get the results which will tell you if there was any malware detected on your website or if your website is blacklisted.

Scan your website for malware with Sucuri Security

If you want to get started implementing WordPress security measures, installing Sucuri Security is a good first step.

To get started, log into your WordPress dashboard and navigate to Plugins > Add New. Search for Sucuri Security. Install and then activate the plugin.

The plugin will ask you to generate an API key which you will need to paste in the Settings Tab of the plugin dashboard.

Once that’s done, click on Malware scan and click on Scan Website. When the scan is completed, you’ll get the results and see if there is any malware or if your website is blacklisted.

Assuming your website is safe, you will pass both the online checker and the plugin checker with flying colors.

But what happens if your site has been compromised and Sucuri detects malicious code?

What to do if your website has malware

In the event of the worst happening, the most important thing is to take action immediately. You could try to clean your website yourself but chances are this task will be a little out of your league.

However, don’t despair as there are ways to remove malware and remove yourself from blacklists.

Use Sucuri to remove malware

Sucuri provides a paid service called the Website Security Stack which includes an anti-virus, a firewall, performance optimization, and most importantly, malware cleanup.

The service is available in three pricing tiers and starts at $16.99/month, billed annually per website. Best suited for bloggers, this plan will get you a response within 12 hours which means within 12 hours your site will be back to its old self. This plan also immediately stops hack attempts and DDoS attacks.

The next tier, the Pro plan, starts at $24.99/month, billed annually per website. Best suited for eCommerce sites, the Pro plan offers everything included in their Basic plan, but the difference is in response time – you can expect to get everything resolved within 6 hours.

Finally, their Business plan starts at $41.66/month, billed annually per website. As the name implies, it’s best suited for business websites and offers more protection layers as well as the shortest response time of 4 hours.

While I could sing praises all day long about Sucuri, I’ll leave you with a short comment from Adam about how Sucuri helped us remove some malware last year:

We had a plugin from Codecanyon installed, and the update notification didn’t come through. Turns out it was vulnerable (fixed in the later update), and someone injected malware into the plugin. Signed up for a Sucuri plan, emailed them about the malware and it was removed within 4 hours – no drama 🙂

Final thoughts

In a world where people with bad intentions are moving their efforts online, it’s crucial you take proper measures to ensure your website is secure. It’s the crux of your online presence and the virtual storefront of your business.

Preventing your website from getting hacked in the first place should be your first step. However, if you’re just getting started, it’s important to make sure your website hasn’t already been compromised.

Sucuri is an excellent first step in that direction. Once you’ve made sure your website is free of malware, you can take the next steps towards making your website secure. The free version of Sucuri Security (their WordPress plugin) offers basic protection measures which will harden your website.

Sucuri’s malware removal will make sure everything is removed and offers great peace of mind. And their firewall will add extra protection while speeding up your website like a traditional CDN would.

Posted by Ana Lynn Amelio

Ana Lynn Amelio is a WordPress designer and freelance blogger. When she isn't busy running her own small business Ley Design she can be found reading, enjoying Italian food, and helping her kids go through not-so-secret cookie stash.