Hardening WordPress security can keep your site safe from malicious attacks. A large part of this hardening process involves using a vulnerability scanner to detect security issues. This tool reviews your site for weaknesses that could leave it open to attack — things like outdated plugins or weak password policies.
Though many WordPress vulnerability scanners exist, this guide showcases some of the best. With this information, you’ll be better prepared to harden your WordPress security.
Choosing a vulnerability scanner comes down to weighing several factors. Here’s a look at the most important features you’ll need when scanning for website security issues:
Products sold as WordPress "vulnerability scanners" usually do two distinct jobs. Malware scanning looks for evidence that a site has already been compromised: known malicious code and malware signatures, suspicious links and redirects, website errors caused by injected code, and whether the domain is already blocklisted. Vulnerability scanning looks for conditions that could let an attacker in: out-of-date core, plugin, or theme versions with published vulnerabilities, and weak configuration such as lax password policies. The second category is what allows attacks like SQL injection, remote code execution (RCE), cross-site scripting (XSS), or cross-site request forgery (CSRF) to succeed.
Remote vulnerability scanners look at your site from the outside, as an anonymous visitor would. They can fingerprint what is publicly exposed, such as the WordPress version in the generator tag and the plugin and theme slugs that appear in asset URLs, and they can spot injected scripts or redirects served to visitors. But they can't read your files, database, settings, or user accounts, so a plugin that is installed but serves no public assets, a backdoor dropped into a core directory, or a weak administrator password are all invisible to them.
Vulnerability scanning plugins, on the other hand, will have much more intimate knowledge of every tool you have installed and the inner workings of your settings and user base. They can take a much closer look at everything for a more complete risk analysis.
So a plugin is usually the winner here, though a remote scanning tool is still useful in some situations, especially if your site is broken or you're locked out and can't run a plugin.
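To make the "outside view" concrete, here is an added example (written for this article, not code from any of the scanners reviewed) of the passive fingerprinting a remote scanner can do from a single page of HTML: read the WordPress version from the generator tag and collect plugin and theme slugs, plus any version exposed in a `?ver=` query string. The HTML is a constructed fixture, not a capture from a real site, and the `example-*` plugin slugs are fictional.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample of a WordPress front page. It is a fixture written for this
# example, not a capture from any real site; example.test is a reserved TLD and
# the example-* plugin slugs are fictional.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/twentytwentyfour/style.css?ver=1.0" />
<link rel="stylesheet" href="https://example.test/wp-content/plugins/example-forms/css/forms.css?ver=2.3.1" />
<script src="https://example.test/wp-content/plugins/example-seo/js/seo.js?ver=6.4.2"></script>
<script src="https://example.test/wp-content/plugins/example-cache/js/cache.js"></script>
<script src="https://example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body></body></html>"""

# wp_head() emits the generator tag unless the site removes it.
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"')

# Any asset served from wp-content/plugins/<slug>/ or wp-content/themes/<slug>/
# reveals the slug; the optional ?ver= query string may reveal its version.
ASSET_RE = re.compile(
    r"""/wp-content/(plugins|themes)/([A-Za-z0-9_-]+)/[^"'\s>]*?(?:\?ver=([0-9][0-9.]*))?["'\s>]"""
)


def fingerprint(html: str) -> dict:
    """Passively extract the core version and plugin/theme slugs (with versions
    where exposed) from one page of HTML, which is all a remote scanner sees."""
    result = {"core": None, "plugins": {}, "themes": {}}
    m = GENERATOR_RE.search(html)
    if m:
        result["core"] = m.group(1)
    for kind, slug, ver in ASSET_RE.findall(html):
        bucket: Dict[str, Optional[str]] = result[kind]
        # Keep the first version seen; a later unversioned asset must not erase it.
        if slug not in bucket or (bucket[slug] is None and ver):
            bucket[slug] = ver or None
    return result


def unreliable_versions(fp: dict) -> Set[str]:
    """Slugs whose ?ver= equals the core version. WordPress appends its own
    version when a plugin enqueues an asset without one, so that value says
    nothing about the plugin's real version and must not be matched against a
    vulnerability database."""
    core = fp["core"]
    return {slug for slug, ver in fp["plugins"].items() if core is not None and ver == core}


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_HTML)
    print("core:", fp["core"])
    print("plugins:", fp["plugins"])
    print("themes:", fp["themes"])
    print("version not trustworthy:", unreliable_versions(fp))
```

Run against the fixture, this recovers the core version, three plugin slugs, and one theme, but only one plugin version (`example-forms`) can be trusted: `example-cache` exposes none, and `example-seo` carries the core version, which WordPress substitutes when a plugin enqueues an asset without its own. Anything that serves no front-end asset on the pages fetched, including inactive plugins and whatever sits in the database, is simply absent, which is the limitation the paragraph above describes.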
To be clear, scanners won’t protect your site against vulnerabilities. They only identify weaknesses, threats, and certain existing conditions.
Scanners can only detect vulnerabilities that have already been discovered and published; a flaw nobody has reported yet (a zero-day) is in no database and will pass unnoticed. So vulnerability scanning organizations maintain a database that records each vulnerability, the affected version range, and a severity rating. When a WordPress security scan takes place, it compares the versions installed on the site to this database.
Look for a WordPress security scanner with a robust, up-to-date database. Many free scanners use databases up to six months old, while their premium versions are current. New vulnerabilities pop up all the time — especially within six months. So, some free scanners can give a false sense of security.
A vulnerability scanner should operate quickly and provide accurate results. A scanner that takes too long to run might be ignored when the admin has other priorities. A fast scanner more readily fits within their workflow.
And, of course, accuracy matters a lot. Scans won’t do you any good if they don’t pick up on critical threats.
Usability is another crucial element when considering a WordPress security scanner. It should be simple to use. This includes the layout, buttons, and text. Difficult-to-use tools often get ignored. Look for an interface that's intuitive and one that uses straightforward terminology.
The scan results and your next steps should also be easy to understand. Information without a clear direction of how to act upon it isn’t very helpful.
Most WordPress security scanners report the results of their scans to the site administrator via email or within the dashboard. Threats should be prioritized according to a distinct threat level. The report should also include clear follow-up steps to resolve all threats in priority order.
Reputation and customer support are always factors to consider with any plugin or service, but these matter even more for WordPress security. Use a scanner that’s well-reviewed and noted as effective at finding malware.
Hopefully, you won’t need customer support. But, if you do, it should be easy to find and fast to respond. Competence matters, too. Look for scanners that have a support staff that deeply understands WordPress and can provide solutions promptly.
Now that you know what to look for, we've compiled a list of plugins and services that can provide those features. Some are plugins, others are off-site tools, and a few are a blend of the two. Each tool has its own set of unique advantages. Let's take a look!
Jetpack Scan is a security feature from Automattic that performs automated daily scans of your website to detect potential security threats, like malware or unauthorized code changes. You’re alerted if any are detected. For many issues, you’ll also be given quick solutions to solve the problem. All results are stored in a history file, allowing you to review past threats and address any unresolved issues later.
It can scan with or without server credentials. However, scans with server credentials result in faster, more comprehensive scans and a greater likelihood that hidden threats are detected. Fortunately, adding server credentials is simple and Jetpack provides a tutorial to guide you through the process.
Key features of Jetpack Scan:
Pros of Jetpack Scan:
Cons of Jetpack Scan:
Pricing:
Wordfence Security is a malware scanner that checks WordPress core files, themes, and plugins for malware, malicious redirects, code injections, backdoors, bad URLs, and SEO spam. It’s a full security package that includes a firewall and login security to help prevent successful attacks.
Most of the security tools are only available in the premium version. The free version scans every three days, and its malware signatures and vulnerability data arrive 30 days after premium customers receive them, so a free scan can miss threats the premium feed already knows about.
Key features of Wordfence:
Pros of Wordfence:
Cons of Wordfence:
Pricing:
Wordfence is available for free or with several premium packages that include various security options.
All the better scanning features are available in the Premium version, which costs $149/year and includes real-time signatures and unlimited scanning.
Sucuri SiteCheck is a remote website scanner that checks for known malware, malicious code, viruses, internal server errors, out-of-date software, and blocklisting status. It provides a list of the checks with a risk-level score for each. It also lists domain checks, so you’ll know which domain service to approach if your site is blocklisted.
Since it's remote, you can run it against any public website, including one you don't control, to check for known malware and blocklisting. It's an easy way to identify security and configuration issues visible from the outside. Keep in mind that a clean result only means nothing was detected from the outside; it doesn't mean the site has no vulnerabilities.
Key features of Sucuri SiteCheck:
Pros of Sucuri SiteCheck:
Cons of Sucuri SiteCheck:
Pricing:
Sucuri SiteCheck is free to use for unlimited scans. However, for deeper scans and malware removal, you’ll need premium services, which start at $229/year.
MalCare is a complete security plugin with several scanning features, depending on the version you use. It has a free and premium version to choose from. It also has a cloud-based scanner, so your site doesn’t see a performance dip when using it.
With the premium version, you have access to a one-click malware cleaning tool. You can view the hacked file details and clean them in a minute or less.
Key features of MalCare:
Pros of MalCare:
Cons of MalCare:
Pricing:
There is a free version of MalCare available, but most features are available at the premium level. Each premium plan lets you scan more often than the previous plan but all include malware removal tools.
Premium pricing starts at $149/year.
The Anti-Malware Security and Brute-Force Firewall plugin provides a scanner and firewall to protect your WordPress website. It scans WordPress core files, themes, and plugins. A free account is required to get complete scans. New definitions are automatically downloaded every time you run a scan in the premium version.
Key features of Anti-Malware Security and Brute-Force Firewall:
Pros of Anti-Malware Security and Brute-Force Firewall:
Cons of Anti-Malware Security and Brute-Force Firewall:
Pricing:
Defender Security is a complete security package with a strong malware scanner, a firewall, and login security. It scans WordPress files and compares them to the original files in the WordPress repository. It then alerts you to the differences, allowing you to restore the original with minimal effort.
The free version has manual scanning, while the pro version includes automated and scheduled scanning. If you only need the scanning features, this plugin might be overwhelming.
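The file comparison Defender performs is a checksum-based integrity check. WordPress publishes per-release MD5 checksums of every core file at api.wordpress.org/core/checksums/1.0/ (with `version` and `locale` parameters), and WP-CLI's `wp core verify-checksums` performs the same comparison. The following is an added example of that check, written for this article and not Defender's or WordPress's own code. It builds a tiny constructed "release" in a scratch directory instead of fetching the real manifest, tampers with it in three ways, and reports modified, missing, and unexpected files.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def md5_file(path: Path) -> str:
    """MD5 of a file, read in chunks. MD5 is what the WordPress checksums API
    publishes, so it is what we compare against; it is an integrity label, not
    a defence against an attacker who can also rewrite the manifest."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksums(root: Path, manifest: Dict[str, str],
                     core_dirs=("wp-admin", "wp-includes")) -> Dict[str, List[str]]:
    """Compare an install under `root` with `manifest` ({relative path: md5}).

    Reports files whose hash differs (modified), manifest files that are gone
    (missing), and files under the core directories that the manifest does not
    list at all (unexpected), which is where dropped backdoors tend to hide.
    wp-content is deliberately not checked for unexpected files: it legitimately
    holds plugins, themes and uploads that no core manifest describes."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in sorted(manifest.items()):
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif md5_file(p) != expected:
            report["modified"].append(rel)
    known = set(manifest)
    for d in core_dirs:
        base = root / d
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file():
                rel = p.relative_to(root).as_posix()
                if rel not in known:
                    report["unexpected"].append(rel)
    return report


# Constructed stand-in for a clean core release; a real manifest lists every
# core file. These contents are fixtures, not the real files.
CLEAN_FILES: Dict[str, bytes] = {
    "index.php": b"<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-includes/version.php": b"<?php\n$wp_version = '6.4.2';\n",
    "wp-admin/admin.php": b"<?php\nrequire_once __DIR__ . '/../wp-load.php';\n",
}


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Same shape as the 'checksums' object the WordPress API returns."""
    return {rel: hashlib.md5(data).hexdigest() for rel, data in files.items()}


def demo() -> Dict[str, List[str]]:
    """Write the clean fixture to a scratch directory, tamper with it in three
    ways, and return what the integrity check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in CLEAN_FILES.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = build_manifest(CLEAN_FILES)
        # 1. a core file gets extra code appended; 2. a core file is deleted;
        # 3. a file that no release ships is dropped into wp-includes.
        (root / "index.php").write_bytes(CLEAN_FILES["index.php"] + b"// appended by attacker\n")
        (root / "wp-admin" / "admin.php").unlink()
        (root / "wp-includes" / "zzz-extra.php").write_bytes(b"<?php // not in any release\n")
        return verify_checksums(root, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two caveats a practitioner should keep in mind. First, the manifest must come from somewhere the attacker cannot write to; comparing files on the server against a copy of the checksums stored on the same server proves little, which is why tools like Defender compare against the upstream repository. Second, a plugin-based check runs on the host it is checking, so an attacker with code execution can tamper with the scanner as well as the files; an out-of-band comparison from outside the site closes that gap.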
Key features of Defender Security:
Pros of Defender Security:
Cons of Defender Security:
Pricing:
The free version includes limited scanning capabilities and only has manual scanning. The pro version is available across three plans ranging from $15-$50 per month. All plans include scanning features, with tier levels based on how many sites you want to scan.
Security & Malware Scan by CleanTalk is a free plugin that works with the premium CleanTalk cloud security service. It provides several security features including malware scanning, a firewall, two-factor authentication, and login protection.
The scanning service stores the results in the cloud so you can view them and take the proper actions. If you’re unsure if a file has malware, contact CleanTalk, and they’ll check the file for you. Their feedback system allows you to send suspicious files from your WordPress backend to their cloud for scanning.
Key features of Security & Malware scan:
Pros of Security & Malware scan:
Cons of Security & Malware scan:
Pricing:
The free version includes manual scanning, bulk actions, and logs. For automatic and outbound link scanning, you’ll need a premium plan. Prices start at $9 per year for scanning and security.
Patchstack is unique among the tools in this list. It's a security plugin that doesn't inspect your files for malware or perform external checks on your website. Instead, the plugin reports the installed versions of WordPress core, plugins, and themes, and Patchstack matches them against its vulnerability database to determine whether any of them has a known vulnerability. Because the matching happens in Patchstack's cloud rather than on your server, your site's performance remains unaffected.
It sends an email or Slack notification if any of your installed plugins or themes have known vulnerabilities. The security dashboard lets you protect up to ten websites for free.
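Version-to-database matching of the kind Patchstack performs is also the mechanism behind the "robust, up-to-date database" criterion discussed earlier in this article. The following added example, written for this article and not Patchstack's or any vendor's code, shows the core of it: numeric version comparison (so that 1.10 is newer than 1.9), an affected-until-fixed-in rule, severity ordering for the report, and a snapshot date that models a free tier whose database lags the live feed. The advisories and the `example-*` components are constructed fixtures with no real identifiers.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1). Compares numerically, so '1.10' > '1.9',
    and trailing zeros are dropped so '2.3.0' == '2.3'. Non-digit suffixes
    such as '-beta' are ignored."""
    parts: List[int] = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    slug: str                # plugin or theme slug, or "wordpress" for core
    fixed_in: Optional[str]  # first unaffected version; None means no fix yet
    severity: float          # CVSS-style base score used for prioritisation
    published: date          # when the database learned of the issue
    title: str


# Constructed test fixtures for fictional components. They are not real
# advisories and carry no real identifiers.
ADVISORIES: List[Advisory] = [
    Advisory("example-forms", "2.4.0", 6.1, date(2023, 11, 2), "fictional XSS in form renderer"),
    Advisory("example-gallery", "5.0.1", 7.5, date(2024, 3, 14), "fictional path traversal in export"),
    Advisory("example-gallery", "4.2.0", 4.3, date(2022, 6, 1), "fictional CSRF in settings save"),
    Advisory("example-cache", None, 9.8, date(2024, 3, 20), "fictional RCE, no patch available"),
]

# Constructed inventory, as a plugin-based scanner would read it from the install.
INVENTORY: Dict[str, str] = {
    "wordpress": "6.4.2",
    "example-forms": "2.3.1",
    "example-gallery": "5.0.0",
    "example-cache": "3.1.0",
    "example-seo": "1.8.0",
}


def is_affected(installed: str, adv: Advisory) -> bool:
    """Affected when no fix exists or the installed version predates the fix."""
    if adv.fixed_in is None:
        return True
    return parse_version(installed) < parse_version(adv.fixed_in)


def match(inventory: Dict[str, str], advisories: List[Advisory], snapshot: date) -> List[Advisory]:
    """Return advisories that apply to the inventory, most severe first, using
    only records published on or before `snapshot`. An old snapshot date
    models a free tier whose database lags the vendor's current feed."""
    hits = [
        adv for adv in advisories
        if adv.published <= snapshot
        and adv.slug in inventory
        and is_affected(inventory[adv.slug], adv)
    ]
    return sorted(hits, key=lambda a: a.severity, reverse=True)


def report(hits: List[Advisory], inventory: Dict[str, str]) -> List[str]:
    """One actionable line per finding: what is affected and what to do."""
    lines = []
    for adv in hits:
        action = f"update to {adv.fixed_in}" if adv.fixed_in else "no fix yet: disable or remove"
        lines.append(f"[{adv.severity:.1f}] {adv.slug} {inventory[adv.slug]}: {adv.title}; {action}")
    return lines


if __name__ == "__main__":
    print("current database (2024-04-01):")
    print("\n".join(report(match(INVENTORY, ADVISORIES, date(2024, 4, 1)), INVENTORY)))
    print("database frozen six months earlier (2023-10-01):")
    print("\n".join(report(match(INVENTORY, ADVISORIES, date(2023, 10, 1)), INVENTORY)) or "nothing found")
```

With the live snapshot the scan reports three findings, ordered so the unpatched 9.8 comes first; with a snapshot frozen six months earlier it reports nothing at all, even though the same three vulnerable versions are installed. That is the false sense of security a stale free-tier database produces, and it is why the database currency of a scanner matters more than its scan speed.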
Key features of Patchstack:
Pros of Patchstack:
Cons of Patchstack:
Pricing:
The free version detects known-vulnerable versions of everything you have installed, but to have Patchstack automatically patch vulnerable components you'll need the premium version, which is $99/month.
| Scanner | Automatic scanning | Extensive database | Regular updates | Friendly UI | Clear reports with actionable insights | Support | Price |
|---|---|---|---|---|---|---|---|
| Jetpack Scan | Yes | Yes | Yes | Yes | Yes | Priority | $59.40/year |
| Wordfence | Every 3 days (free) or daily (premium) | Premium only | Premium only | No | Yes | Volunteer (free) or 24/7/365 (premium) | $149/year |
| Sucuri SiteCheck | No | Yes | Yes | Yes | Yes | Knowledge base (free), 24/7 (premium) | Free; $229-999/year |
| MalCare | No | Yes | Yes | Yes | Premium only | WordPress forum (free); premium 6-24 hr response time | Free; $149-499/year |
| Anti-Malware Security and Brute-Force Firewall | No | Yes | Premium only | Yes | Yes | Forums at WordPress.org and the publisher's site | Free; $29 one-time |
| Defender Security | Premium only | Yes | Premium only | Yes | Yes | Premium only, 24/7 | Free; $180-600/year |
| Security & Malware Scan | Yes | Yes | Yes | Yes | Yes | WordPress forum (free); premium 24/7 | Free; $9/year; $119 for cleaning |
| Patchstack | No | Yes | Yes | No | Yes | Chat during office hours | Free; $1,188/year |
A quality WordPress vulnerability scanner will possess a few distinct qualities. So if you’re shopping around for the best one, the following attributes are good to keep in mind:
It’s important to find malware and malicious code as soon as possible. This means scanning more quickly and more often. Avoid products that only scan once or twice a week.
A slow WordPress security scanner could take too long to report important information about your files. As a result, a problem you could have swiftly solved may go unnoticed for days while infecting thousands of visitors.
A good WordPress vulnerability scanner maintains an extensive database that includes WordPress core files, themes, and plugins with known vulnerabilities. This ensures vulnerabilities don’t slip through the cracks and infect users.
WordPress security scanners should be intuitive to use. Features should be easy to recognize and understand. Buttons should be clearly labeled. Tools that require extensive training are better avoided.
Security issues should be easy to understand and their solutions just as easy to implement. You need a tool with clear reports that show the threats and their level of severity so you know which to prioritize.
The insights should be actionable as well, so you know what to do to solve the issues. It’s not helpful if you know that a plugin has a security issue, but not how to fix it.
Any tool you select should have active support available. Support helps to resolve any problems with the scanner, so look for knowledgeable support that responds quickly.
An active community can help you navigate getting started or troubleshooting as well. Anything you encounter has likely been solved by someone in the past, so an active forum or knowledge base offers the benefit of learning from others.
Looking for more information about vulnerability scanners to harden your WordPress security? You’ll find answers to your most common questions below.
A WordPress vulnerability scanner is a tool that scans your website for known security issues including malware, malicious code, and out-of-date plugins and themes that could leave your site vulnerable to attack.
A vulnerability scanner helps keep your website safe for you and your users. It identifies and alerts you to threats.
The organizations behind vulnerability scanners continuously receive and verify reports from researchers and the community, monitor the web for new threats, and run bounty programs to surface issues. Each threat is documented, classified by severity, and stored in the database the scanner consults.
A vulnerability scanner plugin scans your website and reports the results via email and your WordPress dashboard. Most do not include tools to repair the vulnerability. Jetpack Scan, however, has a one-click fix for many issues it detects.
The difficulty of setting up and using a vulnerability scanner varies. Some are simple to use while others are complicated. Most that are simple to use don’t provide a lot of features. In our view, Jetpack Scan is easy to set up with just a few clicks and is intuitive to use. It’s available as a standalone plugin known as Jetpack Protect or as a part of the Jetpack Security package.
Jen Swisher
Jen is a Customer Experience Specialist for Jetpack. She has been working with WordPress and Jetpack for over a decade. Before starting at Automattic, Jen helped small businesses, local non-profits, and Fortune 50 companies create engaging web experiences for their customers. She is passionate about teaching others how to create on the web without fear.