Free Tools to Scan WordPress for Vulnerabilities

It’s a stroke of luck for mischief makers on the internet if they can find a way to harm WordPress websites. With just one trick up their sleeves, they can take a shot at almost 30% of the websites on the internet. That’s the downside of WordPress being the most popular CMS. As website owners, on our part, we need to be proactive and review/ update security measures regularly to be safe from hackers. One important and easy-to-implement step in your security checklist is to scan WordPress for vulnerabilities.

Why You Should Scan WordPress For Vulnerabilities

• Your WordPress website may be the repository of sensitive personal information submitted by users. They trust you to prevent this information from falling into unwanted hands.
• Others can place backlinks, redirects, advertisements or banners of websites that they want to promote on your site.
• Users with unauthorized access to your website may be eating into your bandwidth, even without you knowing it.
• So long as it’s not detected, malware can lurk within your website and gather information. It can send out spam emails to others infecting them too in the process. This can lead to Google and other security services like AVG or Norton blacklisting your site. Again, you may not even know about it.
• Regular scans can catch some security threats early and prevent your site from being hacked.

Ways to Scan WordPress

Carrying out a basic scan for vulnerabilities in your WordPress website is neither difficult nor expensive. But like more things in life, you have options. When it comes to scanning WordPress for vulnerabilities there are two main methods.

Remote scanners are tools that can do a preliminary scan and reveal a number of security flaws. They are a kind of quick check in your security regimen. Most scanners generally function in much the same way – simply enter the URL of your website on their webpage. Your site, as visible in the browser, will be scanned in a few moments and a report generated. Many vulnerabilities can show up in the report. Some tools will also suggest remedial action that you can carry out. Some remote scanners are designed specifically to scan WordPress sites, while others include a WordPress scan in their list of features.

On the contrary, when you install a plugin, it accesses the server in the hosting environment that it resides and does a much deeper scan. A plugin offers options to setup of scanning rules, automations and complete scans that dive into your database to ensure security.

The important difference between the two is that a remote scanner only looks at the final rendered version of your website, as it appears on your browser (sort of like a search engine bot). Unlike plugins, a remote scan cannot look into your server, and so any malicious element on your server could remain undetected.

There are many free remote scanners and free plugins available that can screen your website for rogue software – let’s look at some of the best.

1. MalCare

First on our list is MalCare, which offers free cloud-based scanning via their free plugin. This high tech WordPress site scanner looks at all of your files and your entire database to find even the most complex malware. And best of all, because it uses MalCare’s own cloud servers to scan for vulnerabilities it won’t slow down your site.

MalCare also offers premium plans with even more options for early detection, automated scanning & removal of malware, CAPTCHAs, IP blocking, recommend WordPress settings (disable file editor, uploads folder protection, security keys, etc), disallowed plugins, plus more. And depending on your needs, they even offer a white labeled solution with custom reports for your clients.

2. Sucuri SiteCheck

Sucuri is a well known name in website security and compiles regular and comprehensive vulnerability reports. The SiteCheck will scan all websites, including WordPress websites and reveal known malware, out-of-date software and website errors. You’ll also know your blacklist status with services like Google, AVG Antivirus, McAfee and Norton.

The scanner compares all your pages with the Sucuri database and reports any anomaly. The report also recommends how you should handle these anomalies.

3. WP Sec Scan

If you’re looking for a WordPress specific scanner, WP Sec will fit the bill. On their webpage, you have a choice – submit your website URL for a scan or sign up for their free / premium account.

A free account entitles you an automatic weekly scan. If you’re managing multiple WordPress websites, you can keep track of the security of all the sites from a single dashboard. You’ll also receive alerts by email if any bug is found or if your WordPress installation is due for an update.

A basic report can list some security flaws as well as tell you how to go about setting it right. You can also access a record of your scan reports for future reference. WPScans maintains a vast database of the latest bugs and security threats, which means the more common threats can be detected with this scanner.

4. WordPress Security Scan

WordPress Security Scan also offers two options – a free basic version and a premium advanced version. It carries out checks by calling up a number of pages via regular web requests and analyses the corresponding HTML source. A scan will reveal obvious WordPress security flaws and recommend security-related improvements in configuration that can step-up protection from future attacks.

The free scan checks for WordPress version, host reputation, geolocation, and site reputation from Google. It also checks external links, list of plugins and directory indexing on plugins. It lists the iframes present and the linked Javascript, both of which can be used to deliver malicious code. You can then look into any script that does not appear familiar to you.

5. First Site Guide

The First Site Guide scanner works in much the same way as other scanners – enter your site URL and hit the Scan button. It tests whether information about WordPress version, usernames or failed login attempts are detectable.

It also checks if the readme.html file, the install.php and the upgrade.php files are accessible via HTTP and if the uploads folder is browsable. But for a really meaningful scan that covers over 40 tests, they advise you to install Security Ninja.

6. Wordfence

Wordfence is a comprehensive security plugin that scans anything WordPress-related on your website, including source code and image files. If you enable the option, it’ll also scan non-WordPress related files. Their Threat Defense Feed is constantly updated and the feed is used by scanners to identify suspicious software.

A scan looks for 44,000+ known malware and backdoors, as well as for phishing URLs in all your comments, posts and files. Not only that, it scans the core files, themes and plugins and compares it with the files in the WordPress repository.

7. Virus Total Scanner

Instead of running your site URL through multiple scanners, you can submit it on Virus Total, a subsidiary of Google. It does the work of aggregating the results of a scan from multiple scanners like Avira, Comodo, Sucuri and Qettera.

The advantage in such a method is that you can detect false positives from scanners more easily. You’ll know if any harmless resource is being wrongly classified as malware when the URL is run through multiple scanners. This tool is not WordPress specific, and all kinds of websites can use the scanner. Virus Total is not a comprehensive virus testing tool, but an aggregator of scan results from different scanners.

Files and URLs submitted at Virus Total will be shared with security companies for their use in improving overall web security.

8. Quttera

While Quttera does offer a one click online scan, it also packs in a WordPress specific scanner, that requires you to download their plugin onto your WordPress website.

The plugin scours your site for suspicious scripts, malicious media and hidden threats and lets you know if you’re on any blacklist. The remote servers of Quttera scan the data. On completion of a scan, you’ll receive a detailed investigation report, which will recommend corrective action. These reports are classified as Clean, Potentially Suspicious, Suspicious and Malicious and are available to the public for viewing.

These free online scanners and plugins do a basic job of revealing malware and vulnerabilities. For a more thorough analysis and spot-on recommendations to reduce vulnerabilities you’ll need to look into their premium plans. These plans bundle services like monitoring, cleanup and hands-on support when faced with threats. And, as I mentioned at the start, scanning your website is only the first step in WordPress security.