Is your WordPress site secure enough? Find the
flaws in your WordPress website and fix them
before someone misuses it.
The latest research by SUCURI shows more than 70% of
WordPress sites are infected with one or more
There are plenty of
online scanners to check the common web vulnerabilities,
but that may not be sufficient as a security risk may arise
from WordPress core, plugin, theme or misconfiguration.
For that, you need a specialize security
scanner which not just detect the common but also
particular to WordPress vulnerabilities.
The following scanner can help you to audit your website and
let you know for security
risk . So you can take necessary action to prevent from
WordPress Security Scanner Tools
WordPress Security Scan by Hacker Target
WordPress check by Hacker Target test for a vulnerable
plugin (1800+), outdated WordPress version, web server
configuration and the following.
- Google safe browsing test
- Directory indexing
- Admin account status (enabled/disabled)
- Hosting provider reputation
- Vulnerable themes (2600+)
- Basic level of brute force
Hacker Target downloads few pages from the URL and examines the
HTTP header and HTML code.
Detectify is enterprise vulnerability
scanner which tests for more than 500 vulnerabilities including
OWASP top 10 & WordPress specific.
So if you are looking for not just WordPress scan but
complete website security then gives a try to
3. WP SCANS
SCANS leverage WPScan vulnerability database to
compare the version and report if any vulnerable core, plugin,
a theme found.
WPScan cover more than 6100 vulnerabilities database. If you
are looking to use WP Scan on your server/PC, then you may
refer this guide about how to install and use it.
4. Security Ninja
Ninja security is a plugin, so a
test is done from within your WordPress admin. It checks for
more than 50 metrics with one click, and you
get a detailed report including test name, status, how-to fix
It took less than 2 minutes to scan my site
and got the excellent report covering latest version, database
connectivity exposure, a connection over SSL , etc.
SUCURI provide end-to-end security
solution like monitoring, clean-up & protection. If you are
looking for complete website security solution
(antivirus+firewall), then SUCURI would be a good choice.
If you are just looking to test your website on-demand, then
you can use their FREE SiteCheck which checks
for malware ,
blacklisting status, out-dated technologies used & errors.
Another option would be to use the plugin to initiate the scan from your
WordPress admin dashboard.
WordPress Vulnerability scan by Pentest-Tools is another
tool leveraging WPScan and give you the option to download the
report in PDF format. Sample report here .
It enumerates the plugin, theme, users and fingerprint the
7. Exploit Scanner
Exploit Scanner is a plugin
which you got to install within your WordPress site. It scans
for files, database, comments for anything suspicious.
If you suspect your WordPress is compromised, then this would
be very handy to run a quick scan to find anything
It doesn’t remove/change anything.
8. WP Loop
WP Loop performs 11 basic
checks covering information leakage, enumeration & file
- WP, PHP version disclosure
- html, install.php, upgrade.php accessibility
- Login enumeration
- Windows live writer and EditURI link
If you have a just setup WordPress site, then it would be a
good place to start testing & securing.
9. WP Neuron
WP Neuron tool scan
WordPress vulnerabilities in core files, plugins, libraries. It
also enumerate weak password to test brute force attacks
and scan all code to ensure none of the scripts is exposed to
Acunetix is complete website
vulnerability scanner platform which covers CMS like WordPress
specific checks as well.
Acunetix test your site for XSS, SQLi, SSL, DOS, Header,
SSRF, XXE, more than 1200 WordPress plugins,
core files, weak admin password, user enumeration,
wp-config.php and much more.
Post scan, you get detailed report with the
risk finding and fix recommendation.
Quttera plugin scan your
WordPress site for known and unknown malware
and suspicious activity. You can initiate the scan from your
WordPress admin dashboard, and it will make HTTP call to
Quttera to scan and get the results.
Along with malware lookup, it also does the following.
- Check if URL is blacklisted
- No signature or pattern detection
- Inject PHP shells detection
- External link detection
- Investigate WordPress core files
I hope above on-demand tool and plugin helps you to scan your
WordPress website for online threats so you can prevent from
If you are looking for complete website security and
acceleration, then you may explore cloud-based
solution like SUCURI , Incapsula , Cloudflare .