Free Tools to Scan Your WordPress Website for Vulnerabilities

Free Tools to Scan Your WordPress Website for Vulnerabilities

It’s a stroke of luck for mischief makers on the internet if they can find a way to harm WordPress websites. With just one trick up their sleeves, they can take a shot at almost 30% of the websites on the internet. That’s the downside of WordPress being the most popular CMS. As website owners, on our part, we need to be proactive and review/ update security measures regularly to be safe from hackers. One important and easy-to-implement step in your security checklist is to scan WordPress for vulnerabilities.

Why You Should Scan WordPress For Vulnerabilities

  • Your WordPress website may be the repository of sensitive personal information submitted by users. They trust you to prevent this information from falling into unwanted hands.
  • Others can place backlinks, redirects, advertisements or banners of websites that they want to promote on your site.
  • Users with unauthorized access to your website may be eating into your bandwidth, even without you knowing it.
  • So long as it’s not detected, malware can lurk within your website and gather information. It can send out spam emails to others infecting them too in the process. This can lead to Google and other security services like AVG or Norton blacklisting your site. Again, you may not even know about it.
  • Regular scans can catch some security threats early and prevent your site from being hacked.

Free Tools to Scan WordPress

Carrying out a basic scan for vulnerabilities in your WordPress website is neither difficult nor expensive. There are many free remote scanners and free plugins available that can screen your website for rogue software.

The important difference between the two – remote scanners and plugins – is that a remote scanner only looks at the final rendered version of your website, as it appears on your browser. It visits your website somewhat in the same manner of a search engine bot. It does not look into the server, and so any malicious element on your server remains undetected. On the contrary, when you install a plugin, it accesses the server in the hosting environment that it resides and does a much deeper scan.


Remote scanners are tools that can do a preliminary scan and reveal a number of security flaws. They are a kind of quick check in your security regimen. Most scanners generally function in much the same way – simply enter the URL of your website on their webpage. Your site, as visible in the browser, will be scanned in a few moments and a report generated. Many vulnerabilities can show up in the report. Some tools will also suggest remedial action that you can carry out.

Some remote scanners are designed specifically to scan WordPress sites, while others include a WordPress scan in their list of features.


If you’re looking for a WordPress specific scanner, WPScans will fit the bill. On their webpage, you have a choice – submit your website URL for a scan or sign up for their free / premium account.


A free account entitles you an automatic weekly scan. If you’re managing multiple WordPress websites, you can keep track of the security of all the sites from a single dashboard. You’ll also receive alerts by email if any bug is found or if your WordPress installation is due for an update.

A basic report can list some security flaws as well as tell you how to go about setting it right. You can also access a record of your scan reports for future reference. WPScans maintains a vast database of the latest bugs and security threats, which means the more common threats can be detected with this scanner.

WordPress Security Scan

WordPress Security Scan also offers two options – a free basic version and a premium advanced version. It carries out checks by calling up a number of pages via regular web requests and analyses the corresponding HTML source. A scan will reveal obvious WordPress security flaws and recommend security-related improvements in configuration that can step-up protection from future attacks.

WordPress Security Scan

The free scan checks for WordPress version, host reputation, geolocation, and site reputation from Google. It also checks external links, list of plugins and directory indexing on plugins. It lists the iframes present and the linked Javascript, both of which can be used to deliver malicious code. You can then look into any script that does not appear familiar to you.


A new entrant in the arena is Gravityscan, from the team that’s behind Wordfence security. The recently launched malware and vulnerability scanner does a rather thorough job of scanning all websites, including WordPress websites. It carries out an extensive scan of the website to identify security problems and vulnerabilities. It not only checks your blacklist status, it also examines the links on your site to check if you’re linking to a blacklisted site.


There’s an optional Accelerator on offer that performs an in-depth scan on your server as well as speeds up the scanning process. The Accelerator is a simple downloadable PHP file that uses a strong public encryption key while communicating with Gravityscan servers. For $10 per month, you can upgrade to their premium plans.

WP Loop

WP Loop works in much the same way as other scanners – enter your site URL and hit the Scan button. It tests whether information about WordPress version, usernames or failed login attempts are detectable.


It also checks if the readme.html file, the install.php and the upgrade.php files are accessible via HTTP and if the uploads folder is browsable. But for a really meaningful scan that covers over 40 tests, they advise you to install Security Ninja.

Sucuri SiteCheck

Sucuri is a well known name in website security and compiles regular and comprehensive vulnerability reports. The SiteCheck will scan all websites, including WordPress websites and reveal known malware, out-of-date software and website errors. You’ll also know your blacklist status with services like Google, AVG Antivirus, McAfee and Norton.

Sucuri SiteCheck

The scanner compares all your pages with the Sucuri database and reports any anomaly. The report also recommends how you should handle these anomalies.

Virus Total

Instead of running your site URL through multiple scanners, you can submit it on Virus Total, a subsidiary of Google. It does the work of aggregating the results of a scan from multiple scanners like Avira, Comodo, Sucuri and Qettera.

Virus Total

The advantage in such a method is that you can detect false positives from scanners more easily. You’ll know if any harmless resource is being wrongly classified as malware when the URL is run through multiple scanners. This tool is not WordPress specific, and all kinds of websites can use the scanner. Virus Total is not a comprehensive virus testing tool, but an aggregator of scan results from different scanners.

Files and URLs submitted at Virus Total will be shared with security companies for their use in improving overall web security.


As mentioned before, for a deeper scan of your website, you’ll have to take help from plugins. Most security plugins – like Wordfence, Sucuri or Exploit Scanner, include malware scanning as a function.


While Quttera does offer a one click online scan, it also packs in a WordPress specific scanner, that requires you to download their plugin onto your WordPress website.

Quttera WordPress Scanner

The plugin scours your site for suspicious scripts, malicious media and hidden threats and lets you know if you’re on any blacklist. The remote servers of Quttera scan the data. On completion of a scan, you’ll receive a detailed investigation report, which will recommend corrective action. These reports are classified as Clean, Potentially Suspicious, Suspicious and Malicious and are available to the public for viewing.


Wordfence is a comprehensive security plugin that scans anything WordPress-related on your website, including source code and image files. If you enable the option, it’ll also scan non-WordPress related files. Their Threat Defense Feed is constantly updated and the feed is used by scanners to identify suspicious software.


A scan looks for 44,000+ known malware and backdoors, as well as for phishing URLs in all your comments, posts and files. Not only that, it scans the core files, themes and plugins and compares it with the files in the WordPress repository.

In Conclusion

These free online scanners and plugins do a basic job of revealing malware and vulnerabilities. For a more thorough analysis and spot-on recommendations to reduce vulnerabilities you’ll need to look into their premium plans. These plans bundle services like monitoring, cleanup and hands-on support when faced with threats.

And, as I mentioned at the start, scanning your website is only the first step in WordPress security. For more tips on securing your website, check out the tips John has to offer.

Source link

Share this post