Test Your WordPress Site Security – 6 Free WordPress Security Scanners

Test Your WordPress Site Security – 6 Free WordPress Security Scanners

We think our security plugin, Defender, is pretty darn good, but we’d never tell you to put all your eggs in one basket. Even with a super-reliable and robust security plugin, you should still carry out extra checks on your site’s security…

Gone are the days where the only way to infiltrate someone’s computer or accounts was to send them a virus disguised as a pdf or manually guess their passwords.

Nowadays, hacking is easy. It’s automated.

Bots can brute-force their way into a site, create fake administrator accounts, and scan the network for vulnerabilities and valuable files in a matter of seconds.

This means that you no longer need a determined enemy in order to be the victim of an attack.

And since attacks are always on the rise, it makes sense to take whatever precautions are available in order to protect your site and ultimately, your visitors.

One of these precautions is simply taking the time to check your site from a few different sources.

Read on as we take a look at some of the best free tools out there.

1. Defender
2. WordPress Tools
3. wpRecon
4. VirusTotal
5. Mozilla Observatory
6. Google Transparency Report

1. Defender

Hopefully, you’re already using Defender to protect your site against malicious attacks, however, did you know it has an awesome scan feature, as well as a comprehensive rundown of things you can do to improve your site security?

Let’s start with the scan.

To begin a scan, click on Defender’s Malware Scanning option in the WordPress sidebar.



Screenshot of Defender about to start a scan
Click Run Scan.

Defender will then highlight any files that it thinks are suspicious, such as core files which have been edited or don’t come as standard.

Screenshot of Defender's scan results showing two potentially malicious files.
Defender will check your core files against the originals in the WordPress repository.

You’ll need to check through the files to decide whether they pose a risk, or whether they are changes you’ve made yourself.

You then have three options:

  • If you don’t think a certain file should exist at all, you can delete it.
  • If you believe a core file has been tampered with, you can restore it to the original – Defender will replace it with a fresh copy.
  • If you trust these files, you can ask Defender to ignore them in future scans.
Screenshot of a suspicious file in Defender showing the snipper of code.
Defender will even show you the code in question.

Ensuring that no code has been tampered with is a great way to keep on top of your site security.

Defender goes one step further. It can carry out an overall check on your site security to give you recommendations if there are vulnerabilities on your site that could easily be fixed.

Simply head to the Recommendations section to find out if Defender has picked up any vulnerabilities.

Screenshot of the security recommendations with Defender.
It will give you a list of all the current recommended steps.

You can click on each item individually to see more information. Defender can even provide you with instructions to fix it!

The code needed to fix the issue.
The instructions and code are provided.

Defender will also let you know what you’re doing right, by listing all the precautions you have already taken.

Simply navigate to the Actioned tab on the left of Defender’s screen.

Screenshot of all the actioned vulnerabilities.
Aim to get all recommendations into the Actioned column for the best chance of securing your site.

Like what you see?

Check out our full guide on how to get the most out of Defender, and if you host with us, take a look at how it integrates perfectly with The Hub.

2. WordPress Tools

The WordPress Tools section might not be somewhere you check into often, however, the Site Health menu can be pretty valuable, and is worth the odd visit.

This tool also offers more than just security recommendations and will provide more information than any of the external tools as it is linked directly with your site.

Screenshot of the WordPress tools recommendations.
Even the Performance suggestions can help with security – better update the PHP version!

If you click on each recommendation, you will get some pretty useful further details.

Screenshot of the list of inactive themes.
This information can make keeping on top of inactive themes and plugins so much easier!

You can also check out the list of passed tests so that you know what you’re doing right.

Screenshot of the 18 rectified issues.
It’s always reassuring to know when things are taken care of.

It’s built right into your WordPress installation so it should only take a minute or two to carry out a quick check every once in a while.

3. wpRecon

It’s good to get an idea of any information about your site which is publicly accessible, as this can be used by hackers to find ways to compromise your security.

One of the best ways to find out what information is readily available is by using a third-party tool that isn’t linked to your site.

wpRecon is one of these tools.

Simply input the URL of the site you want to test.

Screenshot of the box from which you can run your scan.
You can test any site you wish.

The test will give you a variety of results, with the first set being in relation to your server type, IP address, and a check of the version of WordPress you’re running.

Screenshot of information obtained from the WPrecon scan.
This is all information that can be obtained with just your URL!

It will also inform you of any plugins that are reading the HTML source of the website’s front page, check for information it can find about the theme, and try to list the contents of uploads and plugins folders.

Screenshot of the results of the test which tries to access your folders.
It is good to be aware if Directory Indexing is enabled on your site.

A routine check using a tool such as wpRecon will help you identify if there are any big holes, ready for hackers to walk through.

4. VirusTotal

VirusTotal is another free online tool for scanning sites, documents, and IP addresses. It has a database of over 70 antivirus scanners and URL/domain blacklisting services.

Screenshot of some of the partners that VirusTotal uses.
These are just a few of the databases that VirusTotal checks.

If your site is clean, you should be good to go, however, if any of the databases pick up something malicious, it could be that you have malware.

If this is the case, it could be worth running a full malware scan.

You can also check some further details regarding your site.

Screenshot of the result of the outgoing links check.
It’s good to check whether any external links have been added to your site without your knowledge.

VirusTotal shares the result of the scan with the examining partners that it uses. This grows their virus and knowledge databases, helping to fight the fight against malware and hackers.

5. Mozilla Observatory

Mozilla Observatory is slightly different from the tools we’ve looked at above, as it offers a few separate types of tests.

When you first run the scan, it will test vulnerabilities in relation to HTTP. It will then give your site a score in the form of a letter.

Screenshot of the result of the test.
Yeah, not the best score – but this is why checks like this are useful!

Scroll down to see which of the tests you failed (if any).

Screenshot of the test scores.
You will be able to see how you scored on all of the 11 tests.

Click on the name of each test to be taken to a page created by Mozilla which fully explains what it means.

After the first scan, you can also initiate further ones to check if access to your site can be gained through SSH (it would be very concerning if this was the case!) and extra tests with third-party companies ImmuniWeb, securityheaders.com, and hstspreload.org.

6. Google Transparency Report

Google’s Transparency Report isn’t really the answer for checking for vulnerabilities on your own site, however, there’s a reason it made it to this list.

The reason it won’t be much help when it comes to your own site is that it only tells you whether or not it finds anything unsafe, it doesn’t tell you what the unsafe content is.

This makes it pretty redundant when checking on your own site but can come in useful when checking a site you want to visit.

If you’re nervous about visiting a URL for the first time, you can simply input it into Google Transparency Report’s search bar, and let it check it out for you.

Google transparency search results.
It provides a basic yes or no answer as to whether the site is safe to visit.

So yes, whilst it may not be the answer to checking for holes in your site security, it’s a pretty good tool to have in your bag!

Stay One Step Ahead

Carry out regular checks on your site using a variety of tools to make sure you identify any vulnerabilities before hackers or bots sniff them out.

Many of the issues picked up by these tools are quick and easy fixes, so schedule in regular checks as part of your site security process.

If you want to know how to make sure you haven’t missed anything when it comes to setting up the protection for your WordPress site, be sure to check out our 16-step checklist to total site lockdown.

Do you use any of these methods for checking your site? If so, which one/s and what do you like most about it? Tell us in the comments!

Kirstan Norman

Kirstan Norman is a digital marketer from Yorkshire, England. She spends her downtime playing video games, board games, forgetting to water her plants, and adding too much cheese to her food.