If you do not pay attention to website security and potential vulnerabilities, this can have unfortunate consequences. The crashed site, which can be restored from the backup, is the least problem that can be faced, but the leakage of personal data, login credentials, financial information, scamming, breach of compliance, and similar things can bury your business. Also, consider that malware is insidious and able to replicate itself or leave backdoors for further attacks.
That’s why vulnerability scanners are essential, and this article is about them.
Table of Contents
WordPress Security 101
WordPress is the most popular CMS in the world, so no wonder that hackers target it a lot. There’s even one of the myths that it’s not secure. But in reality, you need to take into account the fact that the statistic is often about absolute numbers.
For illustration, imagine a city where 63% of the inhabitants own Mercedes, and the rest 20% – other 100+ brands quite evenly distributed among the customers. Guess which brand will have the biggest statistic for car accidents? Of course, Mercedes. But does it make the most dangerous car brand? Certainly not.
The market share of WordPress is almost 63% among the sites that use CMS. However, the core is safe, and in most cases, the source of vulnerabilities is plugins (according to the statistics of vulnerability scanners), which can be either not updated on time or not chosen correctly.
Most frequent WordPress vulnerabilities
SQL injection (SQLi)
Using public input forms, you can inject SQL queries to manipulate the website’s database. The best way to deal with it is to use proper form validation, parameterized SQL, etc.
Cross-Site Scripting (XSS)
A bit similar to the previous one, this type of vulnerability allows malicious scripts to be executed on the client’s browser. Secure coding practices and input validation are crucial for preventing XSS vulnerabilities.
Cross-Site Request Forgery (CSRF)
CSRF attacks trick users into performing unintended actions without their knowledge. For example, tricking customers into paying on another website, sharing confident information, etc.
📚 Read more about WordPress security in this article.
Most common website malware types
Malware (or Malicious Software) is software aimed to harm, exploit, or compromise computer systems, networks, or, in the context of websites, applications, or web servers. Malware can take various forms, and its purpose can range from disrupting normal operations to stealing sensitive information, injecting malicious code, or gaining unauthorized access to systems.
Here are some common types of malware that can affect websites:
Viruses.
Website viruses infect files on the server and can spread to other files, causing damage to the website’s functionality and content.
Trojans.
Trojans disguise themselves as normal files, but they contain malicious code. They may open a backdoor for unauthorized access, steal sensitive information, or carry out other harmful activities.
Worms.
Worms are self-replicating programs that can spread across networks and servers. They often exploit vulnerabilities to propagate and may cause extensive damage.
Backdoors.
Backdoors provide unauthorized access to a website or server. Attackers can use them to control the site, upload additional malware, or carry out other malicious activities.
Phishing.
Phishing attacks on websites involve creating fake pages that mimic legitimate sites to trick users into providing sensitive information, such as login credentials or bank information.
Spyware.
Spyware is designed to collect information about users without their knowledge. It may capture keystrokes, login credentials, or other sensitive data.
Adware.
Adware displays unwanted advertisements on a website, often disrupting the user experience. It’s not killing your website and business like many other types, but it can greatly compromise it.
False redirects.
Malware can manipulate website links to redirect visitors to malicious sites, leading to phishing or drive-by-download attacks.
7 Popular WordPress Security Scanner Plugins
Let’s have a look at some of the tools to help you deal with WordPress website security.
WPScan / Jetpack Protect (Freemium)
🏆 Best for checking plugin and theme vulnerabilities.
I put these two plugins together because they use the same database and core, and both are the products of Automattic. WPScan used to be and still is a standalone plugin. However, it’s more focused on enterprise customers now, and the free version is quite limited by a number of API calls. Its database and functionality are used by Jetpack Protect now, where you have unlimited API calls. However, if you want to do something else other than scanning and brute force attack protection, you will need a Pro version of Jetpack as well. Not everyone loves Jetpack’s constant ads, interface, and overall approach, so you can choose a free WPScan version or purchase the Enterprise one, the price of which depends on your needs.
Key features, pros and cons:
WPScan is easy to use, and you can get the key security insights for the website, including plugins, themes, core checks, and an overall basic checkup (exposed data, passwords, etc).
JetPack offers unlimited plugin scans and a basic firewall.
Pricing:
The WPScan free version offers 25 API calls a day (equal to 25 plugin checks), plus basic security checks for free. You can select which plugins to check manually.
Jetpack Security also has a free plan with unlimited checks and a basic firewall; it doesn’t perform security checks for injections, and the Pro plan costs $8/month.
A personal takeaway: I like WPScan and its very straightforward UX; the database of vulnerabilities is always up to date. And, honestly, I’m not a fan of Jetpack at all (they say you hate it or love it – just like British and Aussies either love or hate Marmite). It’s a great basic scanner for small and middle-sized projects.
Patchstack (Premium)
🏆 Best for preventing a website from being infected.
Patchstack (formerly WebARX) is a popular tool in the WordPress community. Although I categorized it as a Premium service, it actually has a free plan with a vulnerability scanner and automatic updates tool, but the protection starts at $5/month.
Key features, pros and cons:
This tool has a huge database of vulnerabilities and acts quickly when they are detected on your website. As soon as the malware is detected, it provides vPatches (an analog of WAF that works directly on the website) and activates firewall rules, so the vulnerability is not being exploited and the website is not being attacked.
Users also praise their responsive and helpful customer support and fast malware detection. You can set up various triggers for notifications and communication channels.
Pricing:
There’s a free plan without protection functionality. The protection for one app a month is $5. If you want to add more apps (up to 50), get custom notifications, longer data retention, reports, white labeling and other perks, it will cost $99 a month with a Developer plan. And if you need to protect even more websites (50-500), it will cost you $499 a month.
A personal takeaway: I like the interface and that this tool is very easy to use. Also, the idea of vPatches sounds quite exciting, as they offer more precise and selective vulnerability targeting than WAFs. Also, there are Advanced Hardening and Generic OWASP tools that are also promising. Of course, it takes some time to see it in action; however, I like how it seems to be straight to the point with no frills. Also, there is no malware scanner, and if your website is already infected, look for other solutions to fix the issue.
Wordfence (Freemium)
🏆 Best for scanning malware and blocking IPs.
Wordfence is one of the most popular security plugins for WordPress, thanks to its powerful functionality, even in a free version and many settings.
Key features, pros and cons:
The malware scanner can check even files outside the WordPress installation, which is cool because worms can be placed and attacked from there. Also, it can check any files, including images, as if they are executable – another great tool because some harmful code can be hidden with the “innocent” file extensions. It also allows you to block annoying IPs.
However, this plugin is not efficient for database injections. Probably on the higher plans ($450 and more), they might check them manually for you.
Pricing: free (with some functionality unavailable and a 30-day delay on firewall rules and malware signatures). The Premium version for $199/year includes all the perks. The higher plans for $490 and $950 are basically outstaffing the website security to the Wordfence team.
A personal takeaway: it’s pretty good, with a powerful free version. However, it requires a certain patience to deal with its dashboard and time for the learning mechanism of its algorithm before it starts to work properly.
What I like about it is real IP monitoring and the efficiency against malware. But it will slow down your site in most cases, plus you will have to have a separate tool for the database. Also, don’t forget to create a backup before doing any updates using its interface because it can crash the site.
Overall, I like it and find it a good asset on the market, at least worth trying.
Defender Security (Freemium)
🏆 Best for overall anti-malware protection.
This plugin can help you not only set up a WordPress installation, detect suspicious files, and set a firewall or 2FA but also send some files to quarantine, block IP addresses, deal with secure headers, check passwords, block spammers, and more.
Key features, pros and cons:
It’s well-designed, feature-rich, and looks promising, with mostly good reviews.
Pricing: free; the Pro version comes only in the WPMU Dev suite and starts from $15/month.
A personal takeaway: this plugin is easy to use with a lot of tools. Its free version is not so limited, and the premium one is quite affordable, considering that the company has a lot of introductory discounts, and the 30-day money-back guarantee is available.
Security Ninja (Freemium)
🏆 Best for comprehensive vulnerability scanning.
This plugin offers a comprehensive scan with an easy-to-use interface and a bunch of tools to fix the issues. The price is also quite reasonable.
Key features, pros and cons:
It performs over 50 tests, even in a free version, and the Premium offers a core scanner, a firewall, and a malware detector. You can get tips about fixing the issues.
Pricing: free; $39.99 for one website a year with a 30-day trial.
A personal takeaway: this plugin is certainly worth testing, and has a friendly interface and a lot of tools.
Sucuri (Freemium)
🏆 Best for scanning malware and blocking IPs.
This tool offers vulnerability scanning and a firewall; it focuses on blacklist monitoring and fixing most of the problems.
Key features, pros and cons:
It offers a malware scanner, hardening tools, and a firewall included in a free plan. Premium plans are focused on outsourcing and fixing your security problems.
Pricing: free; starting from $199/year, you can get dedicated support, but you will probably need a $499/year plan to fix your issues in a frame of one day.
A personal takeaway: you would probably like to visit its website first to test the feature, then test the plugin and decide what is the best for you. Also, be aware that there are a lot of complaints about their support (which is supposed to fix your problems, and it’s part of the paid packages), as well as many false positives.
FAQ
Developers fix vulnerabilities as soon as they find them and release these fixes in the new version. That’s why it’s so important to update plugins regularly. This is also one of the reasons why plugins that are not updated frequently might be a risky choice.
Vulnerability scanners have a database of known vulnerable configurations and malware and try to find them in the system they’re testing. Pen (Penetration) tests simulate real-world cyberattacks to test the system actively attempting to exploit the potential weak points.
Takeaway
Website security cannot be overstated, and that’s why choosing a vulnerability scanner is essential. Consider the website type and potential risks your project is exposed to. Security plugins are a great asset in any case, at least for reminding you to update a WordPress core, PHP, and plugins because these updates include security patches.
But such tools do much more than that, scanning the site for the malware, injections, or holes already presented on the website. Most of them offer various levels of service or the number of entities to be scanned, depending on the chosen plan.
It’s also great if your hosting has security tools to protect the website from various attacks. So, I wish you the best in choosing the instrument that meets your needs. Don’t hesitate to share your experience and insights in the comments below or in our Facebook community.