Test Your WordPress Site Security – 6 Free WordPress Security Scanners
We think our security plugin, Defender, is pretty darn good, but we’d never tell you to put all your eggs in one basket. Even with a super-reliable and robust security plugin, you should still carry out extra checks on your site’s security…
Gone are the days when the only way to infiltrate someone’s computer or accounts was to send them a virus disguised as a PDF or manually guess their passwords.
Nowadays, hacking is easy. It’s automated.
Bots can brute-force their way into a site, create fake administrator accounts, and scan the network for vulnerabilities and valuable files in a matter of seconds.
This means that you no longer need a determined enemy in order to be the victim of an attack.
And since attacks are always on the rise, it makes sense to take whatever precautions are available in order to protect your site and, ultimately, your visitors.
One of these precautions is simply taking the time to check your site from a few different sources.
Read on as we take a look at some of the best free tools out there.
1. Defender
Hopefully, you’re already using Defender to protect your site against malicious attacks. But did you know it has an awesome scan feature, as well as a comprehensive rundown of things you can do to improve your site security?
Let’s start with the scan.
To begin a scan, click on Defender’s Malware Scanning option in the WordPress sidebar.
Defender will then highlight any files that it thinks are suspicious, such as core files which have been edited or don’t come as standard.
You’ll need to check through the files to decide whether they pose a risk, or whether they are changes you’ve made yourself.
You then have three options:
- If you don’t think a certain file should exist at all, you can delete it.
- If you believe a core file has been tampered with, you can restore it to the original – Defender will replace it with a fresh copy.
- If you trust these files, you can ask Defender to ignore them in future scans.
Ensuring that no code has been tampered with is a great way to keep on top of your site security.
Defender goes one step further. It can carry out an overall check on your site security to give you recommendations if there are vulnerabilities on your site that could easily be fixed.
Simply head to the Recommendations section to find out if Defender has picked up any vulnerabilities.
You can click on each item individually to see more information. Defender can even provide you with instructions to fix it!
Defender will also let you know what you’re doing right, by listing all the precautions you have already taken.
Simply navigate to the Actioned tab on the left of Defender’s screen.
2. WordPress Tools
The WordPress Tools section might not be somewhere you check into often, but the Site Health menu can be pretty valuable and is worth the odd visit.
This tool also offers more than just security recommendations and will provide more information than any of the external tools as it is linked directly with your site.
If you click on each recommendation, you will get some pretty useful further details.
You can also check out the list of passed tests so that you know what you’re doing right.
It’s built right into your WordPress installation so it should only take a minute or two to carry out a quick check every once in a while.
3. wpRecon
It’s good to get an idea of any information about your site which is publicly accessible, as this can be used by hackers to find ways to compromise your security.
One of the best ways to find out what information is readily available is by using a third-party tool that isn’t linked to your site.
wpRecon is one of these tools.
Simply input the URL of the site you want to test.
The test will give you a variety of results, with the first set being in relation to your server type, IP address, and a check of the version of WordPress you’re running.
It will also inform you of any plugins it can detect by reading the HTML source of the website’s front page, check for information it can find about the theme, and try to list the contents of the uploads and plugins folders.
A routine check using a tool such as wpRecon will help you identify if there are any big holes, ready for hackers to walk through.
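To see what your own front page gives away, here is an added example (not wpRecon's code) that reads a saved copy of the page and reports the generator tag plus the plugin and theme names visible in asset URLs. It also recognises an auto-generated directory listing. The HTML, slugs and version string are constructed.

```python
import re
from html.parser import HTMLParser


class ExposureAudit(HTMLParser):
    """Collect what a front page reveals: generator tag, plugin and theme slugs."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.plugins = set()
        self.themes = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        for value in (a.get("href"), a.get("src")):
            m = re.search(r"/wp-content/(plugins|themes)/([^/?#]+)", value or "")
            if m:
                (self.plugins if m.group(1) == "plugins" else self.themes).add(m.group(2))


def audit_front_page(html: str) -> dict:
    parser = ExposureAudit()
    parser.feed(html)
    return {"generator": parser.generator,
            "plugins": sorted(parser.plugins),
            "themes": sorted(parser.themes)}


def is_directory_listing(body: str) -> bool:
    """Auto-generated Apache/nginx index pages carry an 'Index of /path' title."""
    return re.search(r"<title>\s*Index of /", body, re.I) is not None


# Constructed sample pages (not taken from any real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 0.0.0" />
<link rel="stylesheet" href="/wp-content/themes/example-theme/style.css?ver=0.0.0" />
<script src="/wp-content/plugins/example-forms/js/app.js?ver=1.2"></script>
<script src="/wp-content/plugins/example-slider/slider.min.js"></script>
</head><body><p>Hello</p></body></html>"""
SAMPLE_LISTING = "<html><head><title>Index of /wp-content/uploads</title></head></html>"
```

Anything this reports is visible to every visitor, so those are the components to keep patched first, and a folder that returns a listing should have indexing switched off.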
4. VirusTotal
VirusTotal is another free online tool for scanning sites, documents, and IP addresses. It has a database of over 70 antivirus scanners and URL/domain blacklisting services.
If your site is clean, you should be good to go. However, if any of the databases pick up something malicious, it could be that you have malware.
If this is the case, it could be worth running a full malware scan.
You can also check some further details regarding your site.
VirusTotal shares the result of the scan with the examining partners that it uses. This grows their virus and knowledge databases, helping in the fight against malware and hackers.
5. Mozilla Observatory
Mozilla Observatory is slightly different from the tools we’ve looked at above, as it offers a few separate types of tests.
When you first run the scan, it will test for vulnerabilities in relation to HTTP. It will then give your site a score in the form of a letter.
Scroll down to see which of the tests you failed (if any).
Click on the name of each test to be taken to a page created by Mozilla which fully explains what it means.
After the first scan, you can also initiate further ones to check if access to your site can be gained through SSH (it would be very concerning if this was the case!) and extra tests with third-party companies ImmuniWeb, securityheaders.com, and hstspreload.org.
6. Google Transparency Report
Google’s Transparency Report isn’t really the answer for checking for vulnerabilities on your own site, but there’s a reason it made it to this list.
The reason it won’t be much help when it comes to your own site is that it only tells you whether or not it finds anything unsafe; it doesn’t tell you what the unsafe content is.
This makes it pretty redundant when checking on your own site, but it can come in useful when checking a site you want to visit.
If you’re nervous about visiting a URL for the first time, you can simply input it into Google Transparency Report’s search bar, and let it check it out for you.
So yes, whilst it may not be the answer to checking for holes in your site security, it’s a pretty good tool to have in your bag!
Stay One Step Ahead
Carry out regular checks on your site using a variety of tools to make sure you identify any vulnerabilities before hackers or bots sniff them out.
Many of the issues picked up by these tools are quick and easy fixes, so schedule in regular checks as part of your site security process.
If you want to know how to make sure you haven’t missed anything when it comes to setting up the protection for your WordPress site, be sure to check out our 16-step checklist to total site lockdown.