Online WordPress vulnerability scanners are useful tools for determining whether your WordPress site is secure, by checking for vulnerabilities in your plugins, applications, and web hosting ecosystem, including the web server.
Which Tests are Performed by Online WordPress Vulnerability Scanners?
WordPress vulnerability scanners perform a series of tests, some of which are free while others are premium. The free tests are passive: they usually download a few pages from your website and check the raw HTML for vulnerabilities.
But Why Do You Need a Vulnerability Scanner?
WordPress is the most popular content management system, and more than 73% of all popular WordPress sites are vulnerable, as revealed by this infographic on WordPress security. An online vulnerability scanner scans your WordPress site frequently to detect the presence of any malware or backdoor entry on your site.
The premium tests are active tests that involve a thorough audit of your site’s plugins and themes using custom WordPress scripts to check for any vulnerabilities.
You can expect the following checks using free online WordPress Vulnerability Scanners:
- WordPress version
- Reputation checking (Google Safe Browsing, Spamhaus check, Abuse CC, etc.)
- Web server details, PHP version, IP details, hosting details (whether shared or dedicated, and the number of sites on the same server)
- The plugins and themes installed on your site and their versions (update to the latest version if you’re on an old one)
- Your author name and user login
- Whether directory indexing is disabled or not
- Link reputation, by checking the quality of outbound links
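As an added example (not code from the article or from any of the scanners it names), the routine below performs the same kind of passive, HTML-only checks on a saved copy of one of your own site's pages: it reads the generator tag, the plugin and theme slugs with their `?ver=` hints, any exposed author slugs, and, for a separately fetched directory URL, whether the server returned an auto-generated index. The sample HTML is constructed for the example.

```python
import re

# Constructed sample page: stands in for the raw HTML a passive scan downloads.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.1.1" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/twentyfifteen/style.css?ver=4.1.1" />
<script src="https://example.test/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=4.1"></script>
<script src="https://example.test/wp-content/plugins/jetpack/_inc/build/photon.min.js?ver=3.4"></script>
</head><body>
<a href="https://example.test/author/admin/">admin</a>
</body></html>"""

# The generator meta tag WordPress emits in <head> unless the site removes it.
GENERATOR_RE = re.compile(r"<meta\s+name=\"generator\"\s+content=\"WordPress\s+([\d.]+)\"", re.I)
# Asset URLs reveal plugin/theme slugs; the ?ver= value is only a hint (often the core version).
ASSET_RE = re.compile(r"/wp-content/(plugins|themes)/([^/\"'?]+)/[^\"'\s]*?\?ver=([\w.\-]+)", re.I)
# Author archive links expose the login slug of the post author.
AUTHOR_RE = re.compile(r"/author/([^/\"'?#]+)", re.I)


def passive_scan(html):
    """Return what a free, passive scanner can read straight out of one page's HTML."""
    findings = {"wordpress_version": None, "plugins": {}, "themes": {}, "authors": []}
    match = GENERATOR_RE.search(html)
    if match:
        findings["wordpress_version"] = match.group(1)
    for kind, slug, ver in ASSET_RE.findall(html):
        # Keep the first version hint seen for each slug.
        findings[kind.lower()].setdefault(slug, ver)
    findings["authors"] = sorted(set(AUTHOR_RE.findall(html)))
    return findings


def is_directory_listing(html):
    """True when fetching a directory URL (e.g. /wp-content/uploads/) returned an
    auto-generated index, i.e. directory indexing is still enabled on the web server."""
    return re.search(r"<title>\s*Index of\s+/", html, re.I) is not None


if __name__ == "__main__":
    result = passive_scan(SAMPLE_HTML)
    print("WordPress version:", result["wordpress_version"])
    print("Plugins:", result["plugins"])
    print("Themes:", result["themes"])
    print("Author slugs:", result["authors"])
```

Every item this finds in your own page is something a free scanner (and anyone else) sees too, which is what the hardening steps further down address.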
How to Use the Tests to Harden WordPress Security
Once you have run your WordPress site through the vulnerability scanner, the next step is to take remedial measures for the adverse issues you notice in the test report. The following tips will help you harden your WordPress security.
- If your site is not on the latest WordPress version, update it immediately, since the latest versions of WordPress contain many security and bug fixes over the older versions.
- If your web server runs an older version of PHP, ask your web host to update it to the latest version, since older PHP versions are slower and can also compromise your site’s security.
- Plugins are the life of any WordPress site, and keeping them up to date is vital for your site’s security, since plugins are also the main source of backdoor code injection once a loophole is discovered by hackers. The same applies to your themes.
- If your real username and/or author slug is revealed in the test, the whole world knows it, and you should hide your username and author slug immediately.
- As a good WordPress security practice, disable directory indexing, since hackers can find a way to inject malicious code into your WordPress installation if they know the layout of your WordPress directories.
- Maintaining a good link reputation is good SEO practice, and if the vulnerability test reveals any bad external links, you should rectify them quickly.
The Best WordPress Vulnerability Scanners
Although there are quite a few WordPress vulnerability scanners available online, I cannot vouch for the majority of these security scanners. The reason is that most of them simply didn’t work when I tried them out.
So instead of listing the ‘top 5 or top 10 vulnerability scanners’, most of which don’t work, I will just list the WordPress vulnerability scanners that:
- are free to use, and
- actually work 😉
My first recommendation is WordPress Security Scan, which is the best free online vulnerability scanner for WordPress-based sites. There is also a premium version that offers many more tests and includes in-depth testing of all your plugins.
The second recommendation is a WordPress plugin called WPScan. It is not very popular, with a modest install base of about one thousand, but it is useful for scanning your plugins and themes, which the free version of WordPress Security Scan does not offer.
The third recommendation is Website Security Check, which not only scans your WordPress site for security flaws and vulnerabilities but also provides a complete security report in your dashboard, for free.
So go ahead and test your site for vulnerabilities, and don’t forget to harden your WordPress security using the feedback you get from these tests.