Has your site ever been hacked? We hope not! It can be a scary and expensive experience, even if the damage is relatively minor.
Unfortunately, the risk of being hacked is an omnipresent one. There are millions of viruses, exploits, and other malicious code online that aim to take over your WordPress site.
But, there’s good news! You can prevent most issues and keep your site secure. How? By frequently running a security scan.
While a scan won’t fix every issue, it’s an easy way to quickly spot potential problems with your website.
In this post, we’ll show you how to run a security scan on your website using Wordfence, one of the most popular security plugins available for WordPress.
We’ll also cover 14 other scanners and plugins that have similar features.
Let’s get scanning!
While we don’t want to scare you too much, it is important to be aware of how dangerous the web can actually be.
Here are some common statistics that should help you understand the importance of running scanners:
- Over 30,000 websites are hacked every day
- On average, it takes almost 300 days until a breach is detected
- Cybercrime has spiked during the Coronavirus pandemic
- 73% of digital agencies and freelancers are worried about security
Now, let’s cover a few other reasons why you should use a security scanner.
If your site is hacked, Google and other search engines will usually punish you and lower your position in the search results. In certain cases, they may remove you entirely from search until you fix your site.
You’ve probably seen the image above before. Just like search results, browsers themselves will usually prevent users from visiting a hacked site. As you can imagine, this will kill almost all of your traffic, so preventing your site from being hacked is really important!
Scanners will also find any malicious links or code on your site. Typically, these arrive at your WordPress site via third-party plugins or themes that haven’t been vetted well.
Another problematic issue is a “nulled theme”: a hacked copy of a paid theme downloaded from an unofficial source. While nulled themes are an alternative to the original paid version, they are often filled with ads or other malware. Scanners will usually determine if you are running a nulled theme.
Likewise, any odd redirects or links can be an indication that something is amiss. A suspicious redirect usually ends up at a spam site or (even worse) a phishing site that attempts to steal your users’ information.
Since phishing sites usually pose as real sites, the subtle differences are often difficult to detect with your eyes.
For example, if your site is NewYorkCityShoes.com, a phisher might use NewYorkCtyShoes.com. See the difference? If you aren’t paying attention, you might not notice. But a scanner can pick up these subtly different links.
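As an added illustration (not code from the original post), here is a small Python check for the lookalike-link problem just described: it pulls the hostname out of every link on a page and flags hosts that are within a couple of character edits of your own domain without being it or one of its subdomains. The sample HTML is constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: our own site, one of its subdomains, a lookalike, and an unrelated site.
SAMPLE_HTML = """
<a href="https://newyorkcityshoes.com/shop">Shop</a>
<a href="https://blog.newyorkcityshoes.com/">Blog</a>
<a href="https://newyorkctyshoes.com/account">Log in</a>
<a href="https://example.org/">Partner</a>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def levenshtein(a, b):
    """Minimum number of single-character edits (insert, delete, replace) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_hosts(html):
    """Distinct hostnames referenced by href attributes in the page."""
    hosts = set()
    for href in HREF_RE.findall(html):
        host = urlparse(href).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def lookalike_links(html, own_domain, max_distance=2):
    """Hosts that are close to, but not equal to or under, our own domain."""
    own = own_domain.lower()
    flagged = []
    for host in sorted(link_hosts(html)):
        if host == own or host.endswith("." + own):
            continue  # our site or one of its subdomains
        distance = levenshtein(host, own)
        if 0 < distance <= max_distance:
            flagged.append((host, distance))
    return flagged


if __name__ == "__main__":
    for host, distance in lookalike_links(SAMPLE_HTML, "newyorkcityshoes.com"):
        print(f"suspicious link host {host!r} ({distance} edit(s) from our domain)")
```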
There are two basic types of scanners: online scanners and “direct” scanners.
Online scanners are just websites that do a rudimentary search on a public-facing website. You type in a domain name, press Go, and get some results. As you can imagine, they are sometimes limited.
Direct scanners are ones that you upload directly to your website, usually via a plugin. They tend to have higher costs and require more time to use, but will give you better results.
While scanners are no doubt useful, you shouldn’t think that they are a complete security solution to keeping your site secure. They all have some limitations.
Let’s go through a few of them here:
- User accounts. The online-only scanners don’t have access to your user accounts or other private information. As such, they can’t read that data.
- Plugins and themes. Likewise, online-only scanners can only read which plugins you have installed and see if they are up-to-date. They can’t see inside the code itself.
- Certain options only available to paid users. Depending on the plugin, many scanning features will only be available to paying users. This often includes removing any negative results.
Wordfence is the single most popular security plugin for WordPress. Wordfence is a “direct” scanner that you install directly on your site, meaning that it doesn’t have the limitations that some online scanners do.
From within the plugin itself, you can run a scan on your site. This scan looks for dangerous code, backdoors, malicious URLs, and other recognizable problems.
The results are then categorized into four security levels: critical, high, medium, and low.
Let’s walk through the process of conducting a scan on your WordPress site with Wordfence.
There are both free and premium versions of Wordfence available. You can download the free version on the WordPress repository, or pay for one of their premium plans. For this tutorial, we’ll just stick with the free version.
Once you’ve activated the plugin, go to the WordPress sidebar. Click on the Scan tab under Wordfence.
Now you’re on the Scan page. There are many options here, most of which are only available to Premium users.
For now, click on the Manage Scan link in the top left part of the panel.
Here, you can choose what type of scan you want to run. There are four scan types:
- Limited Scan: For basic sites that don’t have a lot of resources.
- Standard Scan: The standard option. Recommended for most sites.
- High Sensitivity Scan: If you think you might be hacked, use this scan type.
- Custom Scan: This will be enabled by default if you customize anything in the tabs below.
You can also customize other parts of the scan by clicking the General Options, Performance Options, and Advanced Scan Options tabs below.
For now, we will just stick with Standard Scan. Click Save Changes and go back to the previous page.
Once the scan is over, you’ll see all of the results at the bottom of the page. Wordfence will cover many different things, including plugins that need updating or themes that are inactive but insecure.
If the scan picked up any problematic files, you can delete them by clicking Delete all Deletable Files.
We’re done! Nice job, your site is now clean.
Can’t (or don’t want to) use Wordfence? No problem. Let’s take a look at 14 other WordPress security scanners.
Along with Wordfence, Sucuri is one of the most popular security plugins available for WordPress. Their plugins have a ton of scanning capabilities, including blacklist monitoring, file integrity monitoring, malware detection and removal, security notifications, and lots of other features.
They also have a free site scanning tool. Although it’s designed primarily for scanning other websites, it’s still useful. Give it a try!
Sucuri has both a free plugin and a variety of paid plans, which start at $199 per year.
Compared to many other online scanners, Hacker Target is very easy to use and provides a lot of data. It also runs rather quickly and gives you results in a matter of seconds.
The basic scan is free, but you can also pay monthly to get access to extra features.
Detectify is a paid service designed for sites with a larger budget. The cheapest plan starts at about $80 per month, but it includes a full remote scan of your website and any related applications. Your site is tested against more than 2,000 vulnerabilities, which are updated weekly.
While there is no free option, you get a free two-week trial. This may be enough to scan your site and remove any critical errors!
Security Ninja is a downloadable plugin that you install on your site. It runs over 50 security tests, which include:
- Testing password strength via a brute-force attack on user accounts
- File permissions tests
- If you’re updated to the current version of WordPress
- If your plugins are up to date
- If the wp-config.php file has the right permissions set
- The strength of the database password
A full list is available on the plugin’s download page. You can also purchase a premium plan, which gives you access to extra features like a firewall, country blocking, auto fixer, and more. Overall, Security Ninja is a fantastic free plugin that checks just about everything.
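As an added example (not Security Ninja’s own code), here is a small Python script that performs two of the checks just listed against a WordPress install directory: whether wp-config.php is readable or writable by other system users, and whether the core version recorded in wp-includes/version.php is behind the latest release you supply. The version numbers and the throwaway install it builds are constructed for the example.

```python
import re
import stat
import tempfile
from pathlib import Path

# WordPress records its version in wp-includes/version.php as:  $wp_version = '6.5.2';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")

def parse_wp_version(php_source):
    """Extract the installed version string from version.php, or None if absent."""
    match = VERSION_RE.search(php_source)
    return match.group(1) if match else None

def is_current(installed, latest):
    """Compare dotted versions numerically, so 6.4.3 < 6.5.2 and 6.10 > 6.9."""
    return tuple(map(int, installed.split("."))) >= tuple(map(int, latest.split(".")))

def permission_findings(name, mode):
    """Flag a mode that lets other system users read or modify a sensitive file."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append(f"{name} is world-readable (mode {mode:o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{name} is writable by group or others (mode {mode:o})")
    return findings

def scan_install(root, latest_version):
    # wp-config.php permission check plus core-version check for one install directory.
    root = Path(root)
    config = root / "wp-config.php"
    findings = (permission_findings("wp-config.php", stat.S_IMODE(config.stat().st_mode))
                if config.is_file() else ["wp-config.php not found"])
    version_file = root / "wp-includes" / "version.php"
    installed = parse_wp_version(version_file.read_text()) if version_file.is_file() else None
    if installed is None:
        findings.append("could not determine WordPress version")
    elif not is_current(installed, latest_version):
        findings.append(f"WordPress {installed} is behind {latest_version}")
    return findings

if __name__ == "__main__":
    # Constructed throwaway install: world-readable config plus an outdated core version.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'example');\n")
        (root / "wp-config.php").chmod(0o644)
        (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '6.4.3';\n")
        for finding in scan_install(root, latest_version="6.5.2"):
            print("FINDING:", finding)
```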
Quttera is a WordPress plugin that you download and install on your site. It scans for a ton of different potential vulnerabilities, including malware, trojans, backdoors, worms, viruses, and other exploits.
Since it’s a plugin you install directly on your own website, it also comes with two extra benefits: One, it is able to do a deeper search on your site, which means any issues are more likely to be found. Two, once the problems are identified, Quttera can help you remove them.
The plugin version of Quttera is completely free, but you can also pay for one of their premium plans for extra features.
GeekFlare is a completely free online tool to scan your site remotely. It tells you about the plugins you have installed, if your admin login page is exposed, if your site is vulnerable to attack, if your theme is running the most updated version, and if you’re using HTTPS.
All in all, it’s a good tool to quickly check a number of different security metrics.
As its name suggests, WPSec is an online scanner designed to search WordPress sites for security issues. It’s free to use and will give you some basic results. However, if you want to see a more detailed report, you’ll need to sign up to their email newsletter.
This online tool checks the reputation of your website. It does this by searching through 34 different blacklists of spammers, phishers, and other malicious actors. You can also try an IP address directly with their IPVoid tool. It is completely free to use.
Note that your scan data will be sent to security companies.
ScanURL is a free online tool that lets you check a URL for reports of phishing, malware, and viruses. While it’s intended for checking other sites and not your own, it is nonetheless useful for seeing if your site has a bad reputation that you’re unaware of. As mentioned above, on average, it takes almost 300 days until a breach is detected by a site’s webmaster. Knowing this, it’s not a bad idea to try ScanURL.
ScanURL is completely free to use.
VirusTotal is an online tool aimed at security professionals. It lets you analyze suspicious files or URLs for malware, then automatically share them with the security community. It scans your site against over a dozen databases of malware and spam. VirusTotal is completely free to use.
Note that by submitting your site, the results of the scan will be sent to VirusTotal for research purposes.
Pentest-Tools.com is a website filled with different ways of pentesting (short for penetration testing) your website. Everything is done directly on the website. The more advanced tools aren’t free, but the basic ones are still useful.
The Website Vulnerability tool is one of these basic, free options.
While you’ll need to pay to use the Full Scan, the Light Scan is also useful. It detects outdated server software, insecure HTTP headers, and misconfigured cookie settings, analyzes the robots.txt file, and more.
The Google Safe Browsing tool is an easy way to check what Google thinks about your site. As Google is the dominant search engine worldwide, it’s important to be aware if they consider your site unsafe. The tool itself is online and entirely free to use.
Since the data is based on their web crawler, rather than being gathered when you run the tool, your site might not be listed. Either way, it’s a quick and effortless tool to see how safe Google considers your site.
WPScan is a CLI (command line interface) tool that tests the security of a WordPress website. It uses a database of over 22,000 known WordPress vulnerabilities and checks plugins, themes, usernames with weak passwords, publicly accessible databases, and other common vulnerabilities.
While it might seem complicated, it is actually quite straightforward once you grasp the basics.
14. Norton Safe Web
Norton is a company that makes popular antivirus software packages for Windows, Linux, and macOS. In addition to this, on their website, they also have a simple tool for checking if a website is safe. It categorizes sites into four categories: OK, Issue, Not Safe, and Inaccessible. Your site should be analyzed as OK.
If you weren’t running security scans on your website, we hope you are now!
The importance of keeping your site safe and secure cannot be overstated. It has a direct impact on your readers, your traffic, your reputation, and if you sell products, your revenue.
Be sure to use one of the tools above on a regular basis to ensure that you don’t have any hidden malware or trojans on your site. If you aren’t sure which one is the best, just go with Wordfence: it’s the single most popular WordPress security scanning plugin in the world.
Have you ever had a security issue with your website? What did you do to solve it? And what are you doing now to prevent future issues?