Malware · Backdoors · Cryptominers · Security Headers · Phishing

Website Malware Scanner Free

Instantly scan any website for malware, injected backdoors, cryptominers, phishing code, hidden iframes and missing security headers. Free website virus checker — no login, no install, instant results.

25+ malware signatures
Exact line numbers reported
Security headers audit
Threat score out of 100
🦠 Malware Detection: shells, eval, obfuscation
⛏️ Cryptominer Check: Coinhive & variants
🔒 Security Headers: CSP, HSTS, X-Frame-Options
🎣 Phishing Patterns: cloned forms & spam

Scans publicly accessible URLs only. For a complete server-level check, pair with a file-system scanner.

The Scan Process

How This Free Website Malware Scanner Works

Five stages run server-side the moment you click scan — no data stored, no third-party API, no login required.

1. Fetch & Verify

The tool fetches your URL using a server-side cURL request, verifies the HTTP response code, follows redirects, and records the final resolved URL.

2. Signature Scan

The raw page HTML is matched line by line against 25+ malware signatures covering eval backdoors, cryptominers, web shells, phishing forms, cloaking code and keyloggers.

3. External Resources

All external scripts, iframes and links are extracted and checked against high-risk TLD patterns. Resources loaded from suspicious domains are flagged immediately.

4. Header Audit

HTTP response headers are checked for the six most critical security headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.

5. Score & Report

A 0–100 security score and letter grade are calculated. Every finding is reported with its severity level, exact line number, a code snippet, and a plain-English explanation.
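
The signature scan and report stages above, sketched as an added example (not the scanner's own code). The four signatures, the severity penalties and the sample page are constructed for illustration, because the page does not publish its pattern list or scoring weights.

```python
import re

# Constructed signatures; the scanner's real 25+ patterns are not published on the page.
SIGNATURES = [
    ("eval-decode chain", "critical",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("cryptominer script", "high",
     re.compile(r"coinhive(?:\.min)?\.js", re.I)),
    ("hidden iframe", "high",
     re.compile(r"<iframe\b[^>]*(?:display\s*:\s*none|(?:width|height)\s*=\s*[\"']?0\b)", re.I)),
    ("long base64 run", "medium",
     re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")),
]
# Assumed penalty per severity; the page does not state how its score is weighted.
PENALTY = {"critical": 40, "high": 25, "medium": 10}

def scan_html(html, snippet_len=80):
    """Match each line against every signature; report line number and snippet."""
    findings = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for name, severity, pattern in SIGNATURES:
            match = pattern.search(line)
            if match:
                start = max(match.start() - 10, 0)  # keep a little leading context
                findings.append({"line": lineno, "signature": name, "severity": severity,
                                 "snippet": line[start:start + snippet_len].strip()})
    return findings

def score(findings):
    """Start at 100 and subtract a penalty per finding, floored at 0."""
    return max(0, 100 - sum(PENALTY[f["severity"]] for f in findings))

# Constructed sample page: line 3 carries a hidden iframe, line 5 a miner script tag.
SAMPLE = """<html>
<body>
<iframe src="https://example.invalid/x" width="0" height="0"></iframe>
<p>Welcome to the shop</p>
<script src="https://example.invalid/lib/coinhive.min.js"></script>
</body>
</html>"""

if __name__ == "__main__":
    results = scan_html(SAMPLE)
    for f in results:
        print(f"line {f['line']}: [{f['severity']}] {f['signature']}: {f['snippet']}")
    print("score:", score(results))
```

Matching one line at a time is what makes exact line numbers possible, but it also means a payload split across several lines is not seen by a single-line pattern.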

Complete Security Guide

Website Malware, Viruses and Security — Everything You Need to Know

How attackers compromise websites, what malware looks like in the wild, and how to clean and protect your site using this free website virus checker.

What Is Website Malware and Why Does Google Flag Infected Sites?

Website malware is any malicious code injected into a website without the owner's knowledge. Unlike desktop viruses that spread through executable files, website malware lives inside PHP files, JavaScript files, database records, and .htaccess configurations. Its purpose is to exploit your site's visitors, your server resources, or your search engine rankings — often all three simultaneously.

What Google Safe Browsing Detects

Google's Safe Browsing system crawls billions of pages and flags sites that serve drive-by malware downloads, redirect users to phishing pages, host deceptive content, or participate in unwanted software distribution. Once flagged, your site displays a red interstitial warning in Chrome, Firefox, and Safari, and your search rankings drop dramatically. The "This site may be hacked" notice in Google search results is the most visible sign of an active infection.

How Quickly Can Malware Affect Your Rankings?

Googlebot crawls popular pages within hours of an infection being live. A site that serves cloaked spam to Googlebot while showing normal content to human visitors can see ranking drops within 24 to 48 hours. If Safe Browsing triggers a manual action, the recovery process involves cleaning all infected files, submitting a reconsideration request via Google Search Console, and waiting for Google's review team — a process that can take days to weeks. Use our free SEO tools to monitor your site's technical health alongside security scanning.

The Most Common Website Infection Vectors in 2025

Understanding how attackers get into websites is the first step to preventing re-infection after a clean. The same entry points that allowed the original compromise will be exploited again if they are not closed. This website malware scanner identifies the resulting injection patterns — but closing the entry point requires action on your server.

Outdated Plugins and Themes

The majority of WordPress infections enter through outdated plugins and themes with known CVEs. Attackers maintain automated bots that continuously scan the internet for sites running vulnerable plugin versions. Within hours of a new CVE being published, exploit kits targeting that plugin are deployed. Update every plugin and theme immediately when security patches are released — not when it is convenient.

Compromised FTP and Hosting Credentials

Credential stuffing attacks use lists of leaked email-password pairs to log into cPanel, FTP, and hosting control panels. Once inside, attackers upload web shells — PHP files that provide a browser-based interface for running any command on your server. A single compromised hosting account typically results in every site in that account being infected within minutes. Enable two-factor authentication on every hosting account and use unique, generated passwords stored in a password manager.

Shared Hosting Cross-Contamination

On shared hosting, one compromised account can write files to neighbouring accounts if the server is not properly isolated. This is called cross-site contamination. If you are on shared hosting and have cleaned your site multiple times without success, ask your host about account isolation, or migrate to a managed hosting environment with stronger file-system separation.

SQL Injection and Database-Written Malware

SQL injection attacks target web applications that pass unvalidated user input into database queries. Attackers can use SQL injection to write base64-encoded PHP backdoors into WordPress options, database tables used by page builders, or theme configuration fields — malware that never appears in your file system but executes on every page load.

HTTP Security Headers: Your Website's First Line of Defence

Security headers are HTTP response headers that instruct browsers on how to handle your site's content. They are not visible to users, but they dramatically reduce the impact of cross-site scripting (XSS) attacks, clickjacking, MIME-type confusion, and session hijacking — attacks that malware frequently uses to escalate damage after a successful injection. This free website security check audits all six critical headers.

Content-Security-Policy (CSP)

CSP is the most powerful security header available. It tells the browser which sources are allowed to load scripts, stylesheets, images, and other resources on your page. A properly configured CSP header blocks injected third-party scripts — the core mechanism used by cryptominers and cookie-theft malware — from executing even if an attacker successfully injects them into your HTML.

HTTP Strict Transport Security (HSTS)

HSTS instructs browsers to only ever connect to your site over HTTPS, even if the user types http:// or follows an unencrypted link. Without HSTS, man-in-the-middle attackers can downgrade connections to plain HTTP and intercept or modify your page content in transit — injecting malware into the connection between your server and your visitor's browser without ever touching your files.

X-Frame-Options and Clickjacking

The X-Frame-Options header prevents your page from being embedded inside a hidden iframe on another domain. Clickjacking attacks overlay your site inside a transparent iframe and trick visitors into clicking buttons that perform unintended actions — submitting forms, approving OAuth permissions, or making purchases — while appearing to interact with an innocent-looking decoy page.
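
A header audit in the spirit of the one described above, as an added example that is not the scanner's own code. Beyond presence of the six headers it checks the values of CSP, HSTS, X-Frame-Options and X-Content-Type-Options; the function names, the wording of the findings and the sample headers are constructed.

```python
import re

def check_csp(value):
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # a repeated directive is ignored, the first one wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return "no script-src or default-src, so scripts are unrestricted"
    pinned = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if "*" in sources or ("'unsafe-inline'" in sources and not pinned):
        return "script sources allow '*' or 'unsafe-inline'"
    return None

def check_hsts(value):
    match = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
    if not match:
        return "no valid max-age"
    return "max-age=0 switches HSTS off" if int(match.group(1)) == 0 else None

def one_of(*allowed):
    return lambda v: None if v.lower() in allowed else "value is not " + " or ".join(allowed)

CHECKS = {"Content-Security-Policy": check_csp, "Strict-Transport-Security": check_hsts,
          "X-Frame-Options": one_of("deny", "sameorigin"), "X-Content-Type-Options": one_of("nosniff"),
          "Referrer-Policy": None, "Permissions-Policy": None}  # last two: presence only

def audit_headers(headers):
    """Map each of the six headers to 'ok', 'missing' or 'weak: <reason>'."""
    seen = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    report = {}
    for name, check in CHECKS.items():
        value = seen.get(name.lower())
        if value is None:
            report[name] = "missing"
        else:
            problem = check(value) if check else None
            report[name] = f"weak: {problem}" if problem else "ok"
    return report

# Constructed response headers, not taken from a real site.
SAMPLE = {
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=0; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
}
print(audit_headers(SAMPLE))
```

A header that is present but misconfigured passes a presence-only audit, which is why the value checks matter: the sample sends both CSP and HSTS, yet neither protects anything.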

How to Clean a Hacked Website Step by Step

Finding malware with a website virus checker is the first step. The cleanup process requires methodical work across your files, database, and server configuration to guarantee complete removal and prevent re-infection. Rushing any step typically results in reinfection within days.

Step 1: Identify All Infected Files

Run a server-side file scanner (Maldet, ClamAV, or your host's malware scanner) alongside this URL scanner. The URL scanner catches what is being delivered to visitors; a file-system scanner catches dormant payloads not yet activated. Note the modification dates of infected files — attackers often modify files in batches, so files modified at the same timestamp are likely all infected.

Step 2: Close the Entry Point Before Cleaning

Do not clean before closing the entry point. If the attacker still has access through an outdated plugin, stolen credentials, or a database injection point, they will reinfect your site within hours of your cleanup. Change all passwords, disable vulnerable plugins, and revoke all active sessions before touching infected files.

Step 3: Replace, Do Not Edit, Core Files

For CMS platforms like WordPress, replace core files (wp-admin, wp-includes) with a fresh download rather than trying to identify individual injections. Attackers frequently inject multiple payloads into different files to ensure persistence. A clean reinstall of core files eliminates the entire infection surface at once.

Step 4: Request a Google Review

Once your site is clean, verify it in Google Search Console and submit a Security Issues reconsideration request. Describe the infection type, the cleanup steps you took, and the measures you implemented to prevent recurrence. Google typically reviews clean sites within 72 hours. Use our SEO tools suite to monitor your recovery in search after the manual action is lifted.
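
For Step 1 above, one way to apply the batch-modification heuristic, as an added example that is not part of the original guide: given files a scanner has already flagged, list every other file whose modification time falls within a few seconds of them. The function name, the 2-second window and the demo file tree are assumptions made for illustration.

```python
import os
import tempfile

def same_batch_files(root, infected, window=2.0):
    """List files under root whose mtime is within `window` seconds of any
    already-identified infected file."""
    infected_real = {os.path.realpath(p) for p in infected}
    batch_times = [os.stat(p).st_mtime for p in infected_real]
    suspects = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.realpath(path) in infected_real:
                continue  # already known, not a new lead
            try:
                mtime = os.lstat(path).st_mtime
            except OSError:
                continue  # vanished or unreadable while walking
            if any(abs(mtime - t) <= window for t in batch_times):
                suspects.append((mtime, os.path.relpath(path, root)))
    return [rel for _mtime, rel in sorted(suspects)]

def demo():
    """Build a constructed site tree with fixed timestamps and run the check."""
    stamps = {"index.php": 1_700_000_000,             # flagged by the scanner
              "wp-content/cache.php": 1_700_000_001,  # written one second later
              "wp-content/style.css": 1_690_000_000}  # untouched for months
    with tempfile.TemporaryDirectory() as root:
        for rel, ts in stamps.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.utime(path, (ts, ts))
        return same_batch_files(root, [os.path.join(root, "index.php")])

if __name__ == "__main__":
    print(demo())
```

Modification times can be reset by whoever wrote the file, so treat matches as leads for the file-system scanner and an empty result as inconclusive.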

Frequently Asked Questions

Website Malware and Security — Common Questions

Answers to the most common questions about website malware scanning, virus checking, security headers, and site cleanup using our free scanner.

How do I scan a website for malware for free?

Enter your website URL in the scanner above and click Scan Now. The tool fetches your page, runs it against 25+ malware signature patterns covering backdoors, cryptominers, phishing code and SEO spam, then checks your HTTP security headers. Results include the exact line number, a code snippet, and a plain-English explanation for every finding. Completely free, no login required.

What types of malware does this website virus checker detect?

This free website malware scanner detects: PHP eval backdoors (eval/base64_decode, gzinflate, str_rot13), web shells (c99, r57, b374k, WSO), cryptominer scripts (Coinhive and variants), hidden iframes, JavaScript forced redirects, cookie theft patterns, keyloggers, phishing form actions, cloaking code, SEO pharma spam, hidden spam links, suspicious external resources, and long Base64 or hex-encoded payloads. The security header audit checks for CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.

Why is Google showing "This site may be hacked" on my website?

Google's Safe Browsing system detected malicious content on your site. The most common causes are injected PHP backdoors via vulnerable plugins, hidden spam links for SEO poisoning, phishing pages overlaid on legitimate content, and cryptominer scripts exploiting your visitors' CPUs. Run this free malware scanner to identify the specific code pattern, clean the infected files, then submit a Security Issues reconsideration request in Google Search Console.

How does malware get injected into a website?

The most common infection vectors are outdated CMS plugins and themes with known CVEs, compromised FTP or cPanel credentials (often via credential stuffing from leaked password databases), cross-site contamination on shared hosting, SQL injection writing base64 payloads into your database, and social engineering attacks that trick admins into installing malicious plugins or themes. Closing the original entry point is essential before cleanup — otherwise re-infection occurs within hours.

What is the difference between a website virus and website malware?

In common usage, website malware refers to any unauthorised code injected into a site — backdoors, cryptominers, phishing pages, SEO spam injections, and JavaScript redirects. A website virus specifically refers to self-replicating code that copies itself to other files. Most real-world website infections are backdoors or injected scripts rather than traditional viruses. A website virus checker or malware scanner tests for all of these threat types simultaneously, which is why both terms are used interchangeably in web security.

What security headers should every website have?

Every production website should implement six headers: Content-Security-Policy (restricts which scripts can run), Strict-Transport-Security or HSTS (enforces HTTPS), X-Content-Type-Options: nosniff (prevents MIME sniffing), X-Frame-Options (blocks clickjacking), Referrer-Policy (controls URL data leakage), and Permissions-Policy (restricts browser feature access like camera and geolocation). This free website security check audits all six and explains what each missing header means for your visitors.

Can this tool detect all malware on my website?

This scanner analyses the HTML returned for any publicly accessible URL against 25+ signature patterns, catching the majority of real-world injection types within seconds. It cannot access your server file system, database records, or non-public PHP files. For a complete audit, pair this tool with a server-side scanner such as Maldet or ClamAV. Think of this as a fast, first-pass check that identifies active injections being served to visitors right now, exactly what Google and your users see.

How does a website malware scanner help with SEO?

Website infections directly harm SEO in three ways. First, Google Safe Browsing flags infected sites and displays warnings that collapse organic click-through rates to near zero. Second, injected SEO spam (cloaked pharmaceutical links, hidden anchor text) causes Google to identify your site as a spam participant and issue a manual action penalty. Third, cryptominer scripts slow your page speed, hurting Core Web Vitals scores. Regular malware scanning is a technical SEO hygiene task as important as monitoring broken links or page speed. Pair it with our full suite of free SEO tools for complete site health monitoring.

Free SEO and Security Tools
Built for SEOs Who Ship

Behind the Search builds free, no-nonsense SEO and website security tools that run instantly in your browser. No login, no Chrome extension, no limits. Just reliable data to help you rank faster and protect your site.
