Has your site ever been hacked? We hope not! It can be a scary and expensive experience, even if the damage is relatively minor.
Unfortunately, the risk of being hacked is an omnipresent one. There are millions of viruses, exploits, and other malicious code online that aim to take over your WordPress site.
But, there’s good news! You can prevent most issues and keep your site secure. How? By frequently running a security scan.
While they won’t solve every issue, they’re an easy way to quickly see any potential issues with your website.
In this post, we’ll show you how to run a security scan on your website using Wordfence, one of the most popular security plugins available for WordPress.
We’ll also cover 14 other scanners and plugins that have similar features.
Let’s get scanning!
Why Should You Use a Scanner?
While we don’t want to scare you too much, it is important to be aware of how dangerous the web can actually be.
Here are some common statistics that should help you understand the importance of running scanners:
- Over 30,000 websites are hacked everyday
- On average, it takes almost 300 days until a breach is detected
- Cybercrime has spiked during the Coronavirus pandemic
- 73% of digital agencies and freelancers are worried about security
Now, let’s cover a few other reasons why you should use a security scanner.
If your site is hacked, Google and other search engines will usually punish you and lower your position in the search results. In certain cases, they may remove you entirely from search until you fix your site.
As you can imagine, if you rely on SEO for traffic, this can be a disaster!
Chrome, Firefox and Other Browsers
You’ve probably seen the image above before. Just like search results, browsers themselves will usually prevent users from visiting a hacked site. As you can imagine, this will kill almost all of your traffic, so preventing your site from being hacked is really important!
Find Malicious Code
Scanners will also find any malicious links or code on your site. Typically, these arrive at your WordPress site via third-party plugins or themes that haven’t been vetted well.
Another type of problematic issue is a “nulled theme”, which are hacked themes that are downloaded from unofficial sources. While nulled themes are an alternative to the original paid version, they are often filled with ads or other malware. Scanners will usually determine if you are running a nulled theme.
Find Suspicious Redirects
Likewise, any odd redirects or links can be an indication that something is amiss. A suspicious redirect usually ends up at a spam site or (even worse) a phishing site that attempts to steal your users’ information.
Since phishing sites usually pose as real sites, the subtle differences are often difficult to detect with your eyes.
For example, if your site is NewYorkCityShoes.com, a phisher might use NewYorkCtyShoes.com. See the difference? If you aren’t paying attention, you might not notice. But a scanner can pick up these subtly different links.
Online vs. Direct Scanners
There are two basic types of scanners: online scanners and “direct” scanners.
Online scanners are just websites that do a rudimentary search on a public-facing website. You type in a domain name, press Go, and get some results. As you can imagine, they are sometimes limited.
Direct scanners are ones that you upload directly to your website, usually via a plugin. They tend to have higher costs and require more time to use, but will give you better results.
Limitations of Scanners
While scanners are no doubt useful, you shouldn’t think that they are a complete security solution to keeping your site secure. They all have some limitations.
Let’s go through a few of them here:
- User accounts. The online-only scanners don’t have access to your user accounts or other private information. As such, they can’t read that data.
- Plugins and themes. Likewise, online-only scanners can only read which plugins you have installed and see if they are up-to-date. They can’t see inside the code itself.
- Certain options only available to paid users. Depending on the plugin, many scanning features will only be available to paying users. This often includes removing any negative results.
Using Wordfence to Scan Your WordPress Website
Wordfence is the single most popular security plugin for WordPress. Wordfence is a “direct” scanner that you install directly on your site, meaning that it doesn’t have the limitations that some online scanners do.
From within the plugin itself, you can run a scan on your site. This scan looks for dangerous code, backdoors, malicious URLs, and other recognizable problems.
The results are then categorized into four security levels: critical, high, medium, and low.
Pros of Wordfence:
- Detects harmful, malicious code upon a single click
- Offers generous features in the free version
- Easy customization of security settings
- Real time email alerts for vulnerabilities
- Immediate reports of suspicious activity on the site
Cons of Wordfence:
- No obvious downsides
Wordfence is a free plugin available on the WordPress repository. It also offers a premium version starting from $99 per year.
Let’s walk through the process of conducting a scan on your WordPress site with Wordfence.
Step 1: Download, Install, and Activate the Plugin
There are both free and premium versions of Wordfence available. You can download the free version on the WordPress repository, or pay for one of their premium plans. For this tutorial, we’ll just stick with the free version.
Step 2: Go to the Wordfence > Scan
Once you’ve activated the plugin, go to the WordPress sidebar. Click on the Scan tab under Wordfence.
Step 3: Click Manage Scan
Now you’re on the Scan page. There are many options here, most of which are only available to Premium users.
For now, click on the Manage Scan link in the top left part of the panel.
Step 4: Choose the Scan Type
Here, you can choose what type of scan you want to run. There are four scan types:
- Limited Scan: for basic sites that don’t have a lot of resources.
- Standard Scan: The standard option. Recommended for most sites.
- High Sensitivity Scan: If you think you might be hacked, use this scan type.
- Custom Scan: This will be enabled by default if you customize anything in the tabs below.
You can also customize other parts of the scan by clicking the General Options, Performance Options, and Advanced Scan Options tabs below.
For now, we will just stick with Standard Scan. Click Save Changes and go back to the previous page.
Step 5: Run the Scan
Now it’s time to run the scan. Press Start New Scan. You can see the results as they come in at the bottom.
Step 6: Review the Results and Take Action
Once the scan is over, you’ll see all of the results at the bottom of the page. Wordfence will cover many different things, including plugins that need updating or themes that are inactive but insecure.
If you click on the Details button on the right, you can view more information about each item.
If the scan picked up any problematic files, you can delete them by clicking Delete all Deletable Files.
We’re done! Nice job, your site is now clean.
Best WordPress Malware Scanners
Can’t (or don’t want to) use Wordfence? No problem. Let’s take a look at 14 other WordPress security scanners.
1. Sucuri Site Check
Along with Wordfence, Sucuri is one of the most popular security plugins available for WordPress. Their plugins have a ton of scanning capabilities, including blacklist monitoring, file integrity monitoring, malware detection and removal, security notifications, and lots of other features.
They also have a free site scanning tool. Although it’s designed primarily for scanning other websites, it’s still useful. Give it a try!
Sucuri has both a free plugin and a variety of paid plans, which start at $199 per year.
Pros of Sucuri:
- Helps with website SEO along with protecting it from attack
- Well-known company with a good reputation
- Simple to use and set up
- Easy dashboard and interface
- Provides help if your website has been hacked
Cons of Sucuri
- A bit expensive
Sucuri is a premium plugin available for $199.99 per year.
2. Hacker Target
The basic scan is free, but you can also pay monthly to get access to extra features.
Compared to many other online scanners, Hacker Target is very easy to use and provides a lot of data. It also runs rather quickly and gives you results in a matter of seconds.
Pros of Hacker Target:
- Simulates real world security events
- Identifies the issue and addresses the risk
- Fast servers optimized for performance
- Identifies the attack surface with scanning tools
- Test up to 20 sites at a time
Cons of Hacker Target:
- Performs basic scan in the free version
Hacker Target offers free and paid versions starting from $10 per month
Detectify is a paid service designed for sites with a larger budget. The cheapest plan starts at about $80 per month, but it includes a full remote scan of your website and any related applications. Your site is tested against more than 2,000 vulnerabilities, which are updated weekly.
While there is no free option, you get a free two week trial. This may be enough to scan your site and remove any critical errors!
Pros of Detectify:
- Continuous discovery and monitoring of all internet-facing assets
- Simple configuration to get you started
- Provides a comprehensive view of the attack surface
- Application scanning for deeper insights
- Option to scan applications using smart page filters
Cons of Detectify:
- Has no free option
Detectify offers application scanning for $89 per month.
4. Security Ninja
Security Ninja is a downloadable plugin that you install on your site. It runs over 50 security tests, which include:
- Testing password strength via a brute-force attack on user accounts
- File permissions tests
- If you’re updated to the current version of WordPress
- If your plugins are up to date
- If the wp-config.php file has the right permissions set
- The strength of the database password
A full list is available on the plugin’s download page. You can also purchase a premium plan, which gives you access to extra features like a firewall, country blocking, auto fixer, and more. Overall, Security Ninja is a fantastic free plugin that gives checks just about everything.
Pros of Security Ninja:
- Complete WordPress website protection with a firewall
- Extremely easy to use
- Discover vulnerabilities and security issues on child sites
- Has lots of hardening and permission check options
- Offers checklists and tips where you can secure websites
Cons of Security Ninja:
- Requires premium version to precisely detect the location of malware
The plugin is available for free on the WordPress repository. It also has a paid version starting from $39.99.
Quttera is a WordPress plugin that you download and install on your site. It scans for a ton of different potential vulnerabilities, including malware, trojans, backdoors, worms, viruses, and other exploits.
Since it’s a plugin you install directly on your own website, it also comes with two extra benefits: One, it is able to do a deeper search on your site, which means any issues are more likely to be found. Two, once the problems are identified, Quttera can help you remove them.
The plugin version of Quttera is completely free, but you can also pay for one of their premium plans for extra features.
Pros of Quttera:
- Provides detailed report that helps to recognize and investigate risks
- Discovers hidden iframes and other suspicious elements
- Detects redirection from pages on your site
- Simple to use
- Offers excellent features in the free plan
Cons of Quttera:
- Sometimes takes time to load the results
Quttera is a free plugin with a premium plan available from $10 per month.
GeekFlare is a completely free online tool to scan your site remotely. It tells you about the plugins you have installed, if your admin login page is exposed, if your site is vulnerable to attack, if your theme is running the most updated version, and if you’re using HTTPS.
All in all, it’s a good tool to quickly check a number of different security metrics.
Pros of GeekFlare:
- WordPress theme and plugin security checks
- Determines site performance against more than 40 metrics
- Checks internal and external broken links
- Quickly finds out the hosting provider of the site
- Tests the server response time of the website
Cons of GeekFlare:
- No downsides to mention
GeekFlare is a completely free tool.
As its name suggests, WPSec is an online scanner designed to search WordPress sites for security issues. It’s free to use and will give you some basic results. However, if you want to see a more detailed report, you’ll need to sign up to their email newsletter.
Pros of WPSec:
- Uses deep scan technology to check WordPress vulnerabilities
- Easy to use all in one dashboard
- Option to automate scan
- Push notification for the updates
- Requires no installation
Cons of WPSec:
- Premium is expensive
WPSec comes with a free as well as a premium version. The paid version costs from €29 per month.
This online tool checks the reputation of your website. It does this by searching through 34 different blacklists of spammers, phishers, and other malicious actors. You can also try an IP address directly with their IPVoid tool. It is completely free to use.
Note that your scan data will be sent to security companies.
Pros of URLVoid:
- Scans website with 17 different applications
- Looks for exploits and malware
- Checks reputation with services like Web Of Trust
- Saves your time from gathering reports from one website to another
- Great scanner that’s professional and easy to use
Cons of URLVoid:
- Not as automated as other options
URLVoid is completely free to use.
ScanURL is a free online tool that lets you check a URL for reports of phishing, malware, and viruses. While it’s intended for checking other sites and not your own, it is nonetheless useful for seeing if your site has a bad reputation that you’re unaware of. As mentioned above, on average, it takes almost 300 days until a breach is detected by a site’s webmaster. Knowing this, it’s not a bad idea to try ScanURL.
ScanURL is completely free to use.
Pros of ScanURL:
- Checks websites for phishing, malware, viruses, and poor reputation
- Checks with reputable 3rd party services
- Informs you of suspicious or dangerous web pages
- Reports on the domain provided
- Provides accurate reports of URL trustworthiness
Cons of ScanURL:
- No malware scanner or firewall
ScanURL is a free tool to scan your website.
VirusTotal is an online tool aimed at security professionals. It lets you analyze suspicious files or URLs for malware, then automatically share them with the security community. It scans your site against over a dozen databases of malware and spam. VirusTotal is completely free to use.
Note that by submitting your site, the results of the scan will be sent to VirusTotal for research purposes.
Pros of VirusTotal:
- Easy to use interface
- Provides high confidence scan results utilizing a large number of resources
- Offers file and URL analysis
- API functionality is easy to integrate with the anti-phishing system
- Malware detection
Cons of VirusTotal:
- File scanning can be slow at times
VirusTotal is free to use.
Pentest-Tools.com is a website filled with different ways of pentesting (short for penetration testing) your website. Everything is done directly on the website. The more advanced tools aren’t free, but the basic ones are still useful.
The Website Vulnerability tool is of these basic, free options.
While you’ll need to pay to use the Full Scan, the Light Scan is also useful. It detects outdated server software, insecure HTTP headers, misconfigured cookie settings, an analysis of the robots.txt file, and more.
Pros of Pentest-Tools:
- Wide range of tools for internal and external vulnerability scanning
- Custom specialized features
- Saves tremendous time and energy with Pentest robots
- Real time notifications and custom triggers
- Evaluation of the target’s attack surface
Cons of Pentest-Tools:
- Premium is expensive
Pentest-Tools is available for free with limited features. The premium version costs $85 per month.
12. Google Transparency Report / Google Safe Browsing
The Google Safe Browsing tool is an easy way to check what Google thinks about your site. As Google is the dominant search engine worldwide, it’s important to be aware if they consider your site unsafe. The tool itself is online and entirely free to use.
Since the data is based on their web crawler, rather than being gathered when you run the tool, your site might not be listed. Either way, it’s a quick and effortless tool to see how safe Google considers your site.
Pros of Google Transparency Report:
- Examines billions of URLs every day
- Looks for unsafe websites
- Shows warning on Google search and web browsers
- Showcases if a website is dangerous to visit
- Easy to use
Cons of Google Transparency Report:
- Blacklists many websites as unsafe
Google Transparency Report is free to use.
WPScan is a CLI (command line interface) tool that tests the security of a WordPress website. It uses a database of over 22,000 known WordPress vulnerabilities and checks plugins, themes, usernames with weak passwords, publicly accessible databases, and other common vulnerabilities.
While it might seem complicated, it is actually quite straightforward once you grasp the basics.
Pros of WPScan:
- Vulnerability scanning with manual oversight
- Extensive vulnerability database
- Updated constantly
- Command line interface
- Slack hook for notifications and alerts
Cons of WPScan:
- A bit complicated for beginners
WPScan costs from $20 per month.
14. Norton Safe Web
Norton is a company that makes popular antivirus software packages for Windows, Linux, and Mac OSX. In addition to this, on their website, they also have a simple tool for checking if a website is safe. It categorizes sites into four categories: OK, Issue, Not Safe, and Inaccessible. Your site should be analyzed as OK.
Pros of Norton Safe Web:
- Email alerts on status changes
- Verify ownership of your domain to increase trust
- Monitor and manage your website trust rating
- Age verification tools
- Trusted name with good reputation
Cons of Norton Safe Web:
- A bit expensive for what i
Norton Safe Web is available for $19.99 per month.
If you weren’t running security scans on your website, we hope you are now!
The importance of keeping your site safe and secure cannot be overstated. It has a direct impact on your readers, your traffic, your reputation, and if you sell products, your revenue.
Be sure to use one of the tools above on a regular basis to ensure that you don’t have any hidden malware or trojans on your site. If you aren’t sure which one is the best, just go with Wordfence: it’s the single most popular WordPress security scanning plugin in the world.
Have you ever had a security issue with your website? What did you do to solve it? And what are you doing now to prevent future issues?
I was searching for the best security scanners and found this excellent post. Thank you very much for your efforts to put all the best tools in one place., I have just installed free versions of Wordfence on my website, and it’s working just great.
So glad to hear that you found the article so useful. 🙂
Hi Team, Great article. I have a WordPress.com-hosted website, Is there any plugin that scans WordPress.com-hosted websites?
Hello Florence, this should work on a WP.com hosted website as well. But do check with them once before giving it a try.