Malicious code is everywhere. It can infect a website, a server, or even a WordPress theme. It could be a trojan, a botnet, or, even more dangerous, a backdoor / webshell. So it's very important to scan your WordPress themes routinely, especially if you get them from unknown sources (nulled?).
Here is a review of plugins that can help you check a WordPress site for malicious code.
1. Theme Authenticity Checker (TAC) Plugin
TAC stands for Theme Authenticity Checker. TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code.
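The kind of report described above (file path, line number, short snippet) can be sketched as a small scanner. This is an added example, not TAC's code: the three patterns, the `scan_theme` and `build_sample_theme` names, and the sample theme are assumptions chosen for illustration, and TAC's real signatures may differ.

```python
import re
import tempfile
from pathlib import Path
from typing import NamedTuple

# Illustrative heuristics (assumptions, not TAC's actual rule set).
SUSPECT_PATTERNS = {
    "eval of decoded data": re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "code run from request input": re.compile(r"\b(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "long base64 literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

class Finding(NamedTuple):
    path: str      # file path relative to the theme directory
    line_no: int   # 1-based line number
    rule: str      # which heuristic matched
    snippet: str   # short excerpt around the match

def scan_theme(theme_dir):
    """Return a Finding for every suspicious line in the theme's PHP files."""
    findings = []
    root = Path(theme_dir)
    for php in sorted(root.rglob("*.php")):
        # errors="replace": obfuscated files often contain invalid UTF-8 bytes
        text = php.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in SUSPECT_PATTERNS.items():
                match = pattern.search(line)
                if match:
                    start = max(match.start() - 20, 0)
                    snippet = line[start:match.end() + 20].strip()
                    findings.append(Finding(php.relative_to(root).as_posix(), line_no, rule, snippet))
    return findings

def build_sample_theme(base):
    """Constructed sample theme: one clean file, one with an injected footer line."""
    theme = Path(base) / "sample-theme"
    theme.mkdir()
    (theme / "index.php").write_text("<?php\nget_header();\nget_footer();\n")
    # The encoded string is inert: it decodes to echo "constructed sample";
    (theme / "footer.php").write_text(
        "<?php\nwp_footer();\n"
        "eval(base64_decode('ZWNobyAiY29uc3RydWN0ZWQgc2FtcGxlIjs='));\n")
    return theme

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in scan_theme(build_sample_theme(tmp)):
            print(f"{f.path}:{f.line_no}: {f.rule}: {f.snippet}")
```

A match is a lead for manual review, not proof of infection: legitimate themes occasionally use these functions, and obfuscation that avoids these exact patterns will not be flagged.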
2. Theme-Check Plugin
The Theme-Check plugin is an easy way to test your theme and make sure it's up to spec with the latest theme review standards. With it, you can run all the same automated testing tools on your theme that WordPress.org uses for theme submissions.
3. WP Changes Tracker
WP Changes Tracker is not a malware checker. What it does is highlight the changes that have been made to the WordPress database, plugin files, and theme files. This plugin keeps track of all changes made to your WordPress structure: core, network, plugins and options.
4. Wordfence Security
Wordfence is one of my favorites. It starts by checking if your site is already infected. It does a deep server-side scan of your source code, comparing it to the official WordPress repository for core, themes and plugins. It's 100% free, but it also offers a Premium API key that gives you access to premium support and features.
5. Sucuri Online Scanner
Sucuri is one of the leading internet security firms and provides a free online scanner that checks the website for known malware, blacklisting status, website errors, and out-of-date software. It's free, but you can also pay for a premium plan/features. Sucuri is by far one of the best online scanners out there, and it's worth a try.