How often should a WordPress security scan take place?
You might be surprised to see the opening line of this page talk about backups rather than security scanning. Well there is a very good reason why this is the case. Even if you are super diligent and are scanning and find malware or infected content, if you do not have a backup to roll back to a point before the infection, then you are in real trouble. So we will say it again WordPress backups are a must.
Scanning daily is a minimum requirement. Scanning to detect malware, whether your website is blacklisted, if your IP address is being used for malicious activity etc. A good security plugin such as Wordfence or Sucuri will check for malicious code, backdoors and shells that can allow attackers unauthorized access to your server. It will check against known patterns of infections to see if it can find any matches on your site. Wordfence looks through all your posts, pages and comments for hidden code and URLs.
The dangers of shared hosting
Shared hosting is usually very cheap but be careful that a cheap price does not carry a big cost. The main issue is that many sites may be on a server under the one hosting account and if one gets infected so will the others.
Hosting environments vary and when we go in to clean up a hacked site that a new customer comes to us with we have seen exactly this. One case where we were contacted about a site being infected led us to discover 5 other sites under the same hosting account. We had a tough time explaining to the customer that there was little point in only cleaning the site that he was reporting to us as we could not guarantee it to be cleaned unless the other 5 sites were also cleaned. With some more explaining he did eventually understand and he now knows the dangers of cheap shared hosting.