How to Run a Security Scan on Your WordPress Site

How to Run a Security Scan on Your WordPress Site

There are well over 7.5 million attacks on WordPress sites every hour so the probability of your site being attacked is almost guaranteed. Simply scanning your site for vulnerabilities, however, can help you keep nasty hackers at bay.

Scanning your site will tell you how your site is vulnerable to attack so you can then take specific actions to patch any holes in your security.

So how exactly do you do a security scan? Fortunately, there are some fantastic tools and plugins available, which we’ll check out in this post. I’ll also run you through how to easily automate the whole process with our Defender plugin.

Is Your Site Actually Vulnerable to Attack?

It’s all too easy to think it won’t happen to you, that your site is safe from hackers. After all, who would really care about your little corner of the web, especially when your site doesn’t have any identifiable or personal information?

The truth is, all WordPress sites could be vulnerable and you can’t assume you’re completely safe. If your site has personal information on it, a hacker could use it for identity theft and could hack into any other account you have on the internet, especially if you use the same passwords for everything. I’m talking social media accounts, bank accounts, you name it – your whole life could be compromised because of a single vulnerability in your site.

Even if your site doesn’t include any personal information (which usually isn’t the case), hackers could use your site to piggyback on your bandwidth and cost you hundreds or even thousands of dollars a month depending on what kind of hosting plan you have and if your host automatically charges you for excessive traffic.

Best case scenario: Your hosting company cuts you off and your site becomes unavailable until you go through a lot of red tape and convince your host that you can whip your site back into shape. It could take up to a month in certain cases. Can you really afford to wait that long?

While WordPress itself is secure, it’s only secure if you have the latest version installed since it’s the only version that’s up-to-date with the most recent security fixes.

Beyond the WordPress core and keeping your site up-to-date, there are tons of ways your site could be left open to hackers:

  • Weak passwords
  • Using “admin” or “administrator” as your username
  • Vulnerable plugins or themes
  • Using defaults for naming your database prefixes
  • Improper file permissions
  • Enabled plugin and theme editor
  • Insecure server or computer
  • Important files are without password protection

The thing is, this only scratches the surface. There are tons of ways your site could be easily vulnerable and you can get more details in a couple of our other posts: WordPress Security: Tried and True Tips to Secure WordPress and 12 Ways to Secure Your WordPress Site You’ve Probably Overlooked.

When 73% of the most popular WordPress sites are vulnerable, there’s a good chance your site is as well. While these are great places to start to search for security holes, they’re just that – a start. So how can you be sure your site really isn’t vulnerable?

The only way you can truly know is to scan your site and check.

Scanning Your Site and Server

There are many great tools out there that are not only free, but can scan your site online. With the sites listed below, all you need to do is enter your site’s URL and click a button to start scanning your site for vulnerabilities:

  • WordPress Security Scan – Checks for basic vulnerabilities in your WordPress site. Advanced scans are available with a premium upgrade.
  • Sucuri SiteCheck – Your WordPress site can be checked for known malware, blacklisting status, errors and if your site is out-of-date.
  • Acunetix – Scans for network vulnerabilities, isn’t WordPress specific and requires a free registration for a 14-day trial.
  • Scan My Server – You can get a detailed report of your site’s vulnerabilities once you sign up and provide a backlink on your site to verify ownership and that you’re not a hacker.
  • WPScan – A self-hosted vulnerability scanner that is free for personal use. You can also get a paid licence for commercial use.
  • Unmask Parasites – You can check to see if your site has already been hacked and injected with malware or spam.
  • Norton Safe Web – Similar to the scanner above, you can check if your site has already been compromized.

With these sites, you can see exactly where your site could use some amping up in security.

A sample summary of an Acunetix Scan.
A sample summary of an Acunetix Scan.

These free scanners usually offer a fairly basic overview with the exception of a couple of them, but you would need to sign up for a premium account to really get a good look at where you need to make significant improvements.

Sure, these scanners would offer a good starting point, but to get to the core of your site’s vulnerabilities, there are other options.

Detailed Scans with Plugins

For more detailed scans of your site, you can install a plugin that can let you know what vulnerabilities your site contains. These plugins are updated regularly and work well on single installs of WordPress, but they should also work on Multisite networks when they’re activated on a site-by-site basis.

  • Total Security

    Total Security monitors your site for vulnerabilities. When they arise, you’re notified right away so you can patch it up. If checks your site’s files and the WordPress core for issues and you can also change your site’s login page URL for added security.

    While you aren’t able to apply many important vulnerability fixes, it’s an excellent scanner with detailed reports.

    Interested in Total Security?

  • Vulnerability Alerts

    The Vulnerability Alerts plugin isn’t able to fix any issues on your site, but it can detect issues in your site’s files as well as any plugins or themes you have installed. The results themselves aren’t too detailed, but often do include links where you can find out more about the vulnerability that was detected.

    This plugin can also send you email notifications when issues are found.

    Interested in Vulnerability Alerts?

  • Vulnerable Plugin Checker

    While Vulnerable Plugin Checker doesn’t scan your site’s files or themes, it does check the plugins you’re using for vulnerabilities and security concerns. It also sends email notifications if issues are detected.

    You won’t be able to fix anything with this plugin, but scans are also automated and performed twice daily to maximize the potential to catch threats early.

    Interested in Vulnerable Plugin Checker?

  • Plugin Inspector

    Plugin Inspector is also another plugin that only checks the plugins you have installed for vulnerabilities, but the scans are thorough. This plugin can scan for deprecated functions and code that’s often used by hackers to compromise your site.

    WPMU DEV AccountFREE

    Manage unlimited WP sites for free

    Unlimited sites
    No credit card required

    This plugin works by scanning your site and also checking the WPScan Vulnerability Database for previously reported issues. If there’s a match between code used in one of your plugins and the database, you’re notified so you can fix it, although, the plugin doesn’t resolve issues for you.

    Interested in Plugin Inspector?

These plugins are great for letting you know where your site requires security patches, but you’re on your own when it comes to fixing the issues.

Patching Up Security Holes

After you have completed a scan and you know how your site is vulnerable, you can start patching up the security holes. You should start working on the most urgent problems and work your way down the list of vulnerabilities.

You don’t have to worry about notices that are labelled as informational since they’re purely there to inform you on key bits of information.

Here are some of our best articles on how to fix the most common security issues in WordPress:

The trouble is, this process can be tricky and time-consuming to do on your own so it’s best to use a security plugin that can fix the issues for you. There are many available plugins out there that can increase your site’s security.

If you have an existing WPMU DEV membership, you already have access to our Defender plugin, which can detect vulnerabilities in your site, automatically patch them up for you and harden your site’s overall security. Plus, if you’re not a member yet, you can try Defender for free.

Auto Scan and Defend Your Site

Defender takes all the guesswork out of checking your site for security holes and patching them up because it’s all done automatically. It’s easy to set up and use and requires minimal effort.

You can check your site for vulnerabilities in the WordPress core as well as in all your plugins and themes. Defender also checks for suspicious code and hardens your site’s overall security.

Start by downloading a copy of Defender (or activating from the WPMU DEV Dashboard plugin in the backend of your site) and installing it on your WordPress Multisite network or single site installation. On a network, Defender is activated on a network-wide basis so all your sites can be protected at once.

Once the plugin is activated, go to Defender > Settings and verify the options. Defender works right out-of-the-box, but sometimes you may decide you need different options than what the default settings provide.

Defender's settings page.
Defender’s settings work as is, but can be customized to fix your needs.

If you made any changes, click the Save Settings button.

In addition to choosing what kinds of vulnerabilities to scan for, you can also choose which users get emailed with updates and customize the notification emails that you receive when issues are detected.

Next, go to Defender > Automated Scans and click the toggle button on the top-right of the page to enable automatic scanning of your site.

The Automated Scans page.
You can set automated scans in Defender.

Choose what day, time and how often you want to scan your site, then click the Activate button to save your changes.

You can now start your first scan by going to Defender > Scan and clicking on the Scan My Website button.

It’s possible to navigate away from the page as your site is being scanned without disrupting anything. You can come back to view the results after a few minutes to view any vulnerabilities that have been detected.

A scan in progress with a loading bar at 53.77% complete.
Defender scans your site for any suspicious and malicious files in one click.

Once the scan is complete, you can see a full report of your site’s vulnerabilities if any have been discovered. You can then click the wrench button to resolve the issue, the universal “don’t” symbol to ignore the issue if you’re confident there’s no problem, or the trash can icon to delete the file.

If Defender has detected that a core file has been changed, for example, you can view a comparison of the current and a clean copy from to see if the file contains harmful code. You can view the differences by clicking the wrench icon. If the file does contain malicious code, you can replace it with a clean copy of the file in one click.

Three errors are reported on a site using Defender.
Even on a secure site, Defender still found issues.

Once you have resolved any vulnerabilities, you can harden your site’s security by going to Defender > Hardener. You can immediately see how many vulnerabilities can be resolved in one click.

You can make the necessary changes that have previously been described above such as change your database prefixes, update old security keys, disable the plugin and theme editor, change the default “admin” username and a ton more.

The hardening page.
You can see and patch up vulnerabilities in one click.

If vulnerabilities have been found, you can scroll down to view them. You can click on an issue to view more details and repair the issue by clicking on its corresponding button.

If you would rather not apply the fix, you can click the Ignore button so you won’t be notified about it. You can also restore the notification at any time in case you change your mind.

An issue has been selected to reveal its details.
Once you view the details of an issue, you can resolve it in one click.

Once you have hardened your site’s security, you’re all set. If more issues are ever detected, Defender will notify you by email so you can quickly resolve any issues.

It’s an easy and low maintenance way to automate security scanning for your site so you can set and forget.

Do you regularly check your site for security holes? What tools do you use to scan your site for vulnerabilities? Has you site ever been hacked and what did you do to get your site back? Share your experience in the comments below.