20 Awesome Free Tools To Check WordPress Vulnerabilities Online

With more than 29% market share, WordPress websites are the leading targets for hackers. Unless you are careful, your website(s) can be the next target at any time; more than 50 thousand websites get hacked every day. So with a WordPress site in hand, you need to be more careful to stop hacking, backdooring and whatnot. From a CMS analysis by Sucuri in the first quarter of 2016 –

In most instances, the compromises analyzed had little, if anything, to do with the core of the CMS application itself, but more with improper deployment, configuration, and overall maintenance by the webmasters and their hosts.


Therefore, it is always necessary to check for site vulnerabilities before anything else. With these online WordPress vulnerability scanners you can at least be aware of some loopholes and, more importantly, of how to stop your site getting hacked.


1. wpscans.com


Checks your site with their intelligent scanning algorithms and scans for known bugs that have been indexed in the WPScan Vulnerability Database, which contains over 4000 reported vulnerabilities. It also tries to identify the plugins you run and compares their versions against the bug database. In addition, wpscan scans for several well-known mistakes that people make when setting up their WordPress installation. A decent place to begin with (one of the many WordPress online scanners).

Note – wpscans doesn’t scan the server for security, and doesn’t scan your password for that matter.


2. sitecheck.sucuri


Sucuri is known for their timely vulnerability reports on the WordPress ecosystem, covering both plugins and themes. Sucuri also has a site scanner for vulnerabilities. It scans for Malware, Website Blacklisting, Injected Spam, Defacements and Website Firewall, and also scans through your scripts and links. It checks whether your site has been blacklisted by popular services like –

  • Google Safe Browsing
  • Norton Safe Browin
  • Phish Tank
  • Opera Browser
  • SiteAdvisor
  • Sucuri Malware Labs Blacklist
  • SpamHaus DBL
  • Yandex (via Sophos)
  • ESET


3. WordPress Security Scan


Checks for application security, WordPress plugins, hosting environment and web server. The security scanner downloads a handful of pages from your website and performs analysis on the raw HTML code. It also scans for user enumeration, directory indexing, linked websites, linked JavaScripts and linked iFrames. With a membership you can get a more advanced scan for your site.


4. wploop.com


Checks your site for WordPress meta tags, readme.html, response headers that contain detailed PHP version info, a list of usernames, display of unnecessary information on failed login attempts, an install.php file accessible via HTTP, an upgrade.php file accessible via HTTP, a browsable uploads folder, an EditURI link present in the page header, an admin interface deliverable via HTTPS and a Windows Live Writer link in the page’s header.


5. scanwp.com


Performs a basic scan checking whether all your WordPress files are up to date or not, and scores your website out of 100. It also suggests that you tighten security and hide your WordPress version. The scanner visits your homepage and checks for the generator tag. Note – The WordPress core team has decided that displaying your WordPress version to the public is not a security concern.
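The header-level checks described for wploop.com and the generator-tag check described for scanwp.com can be reproduced against your own homepage with a few lines of Python. This is an added example, not code from either scanner; the function names, the sample HTML and the sample headers are constructed for illustration, and the directory-listing test assumes the standard Apache/nginx auto-index title.

```python
from html.parser import HTMLParser
import re

class _HeadScan(HTMLParser):
    """Collects <meta name=generator> and <link rel=...> values from raw HTML."""
    def __init__(self):
        super().__init__()
        self.generator = None
        self.link_rels = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")
        elif tag == "link":
            self.link_rels.update(a.get("rel", "").lower().split())

def audit_homepage(html, headers):
    """Return information-disclosure findings for one page and its headers."""
    scan = _HeadScan()
    scan.feed(html)
    findings = []
    if scan.generator and scan.generator.lower().startswith("wordpress"):
        findings.append("generator meta tag: " + scan.generator)
    if "edituri" in scan.link_rels:
        findings.append("EditURI link present in page header")
    if "wlwmanifest" in scan.link_rels:
        findings.append("Windows Live Writer link present in page header")
    powered = {k.lower(): v for k, v in headers.items()}.get("x-powered-by", "")
    if re.search(r"PHP/\d", powered):
        findings.append("response header exposes PHP version: " + powered)
    return findings

def is_directory_listing(html):
    """Heuristic for a browsable folder: server-generated 'Index of /' title."""
    return re.search(r"<title>\s*Index of /", html, re.I) is not None

# Constructed sample input (not captured from a real site).
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Powered-By": "PHP/7.4.3"}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.8.1" />
<link rel="EditURI" type="application/rsd+xml" href="/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="/wp-includes/wlwmanifest.xml" />
</head><body>Hello</body></html>"""
SAMPLE_UPLOADS = "<html><head><title>Index of /wp-content/uploads</title></head></html>"

if __name__ == "__main__":
    for finding in audit_homepage(SAMPLE_HTML, SAMPLE_HEADERS):
        print("[!]", finding)
    print("uploads browsable:", is_directory_listing(SAMPLE_UPLOADS))
```

To audit a live site you own, pass the body and headers of a fetched response to `audit_homepage` instead of the constructed samples.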


Checks your site against Google Safe Browsing, active plugins, theme, user enumeration, directory indexing, Google malware scan, external links, linked iFrames and linked JS files.


Checks for iFrame, Malicious files, Suspicious files, External links and blacklist status of the site.


Checks your site against 68 reputed online site inspectors, some of which are – AegisLab WebGuard, Avira, BitDefender, Comodo Site Inspector, K7AntiVirus, Malware Domain Blocklist, MalwareDomainList, SecureBrain, Spam404, Sucuri SiteCheck, Web Security Guard, Yandex Safebrowsing, ZeusTracker, Kaspersky and ZCloudsec.


Unlike everybody else, if you want to check your site on Google Safe Browsing directly, without relying on any third-party scanner, you can check your site’s Safe Browsing status directly from this URL.


Shows you a simple, plain result: whether your server is vulnerable or not. You can also check out other scan services such as TCP Port scan, UDP Port scan, SSL Heartbleed scan, SSL Poodle scan, SSL DROWN scan, Bash Shellshock scan and Ghost Glibc scan.


Checks your site for Tracing, Custom Errors, Stack Trace, Request Validation, HTTP to HTTPS, Hash Dos Patch, ELMAH Log, Excessive Headers, HTTP Only Cookies, Secure Cookies, Clickjacking and Mac State. You can also schedule a scan by signing up.


Performs a pretty decent scan of a website, checking Communication DNS, Communication Services, Sub Domain, Scripts, SSL, Meta tags, Info, Header and Google Safe Browsing Check. In addition to these, it also checks against 27 factors, which are –
SSL Enabled, SSL Expiry, SSL Strength, Suspected Phishing Page, Suspected Malware Provider, Suspected of Unwanted Software, X-Powered-By Header, HTTP Strict Transport Security, ASP Net Version Header, Server Information Header, SPF Enabled, DMARC Enabled, Mail, App, User Auth, File Sharing, Voice, Administration, Database, DNSSEC Enabled, Domain Expiry, HttpOnly Cookies, Secure Cookies, Exposed Emails, Breaches.
Combining all these factors gives your site a score out of 950.


Performs a simple scan, and also shows your Google Page Rank and Whois information. There’s a settings panel as well, where you can tweak the check depth and user agent.


Checks your site on Google Safe Browsing, Phish Tank and Web of Trust.


Checks for vulnerabilities on 26 reputed online scan software, and shows your IP information and Alexa traffic.


Gives you a complete scan that includes Blacklist Checking, Phishing, Malware Downloads, Drive-by Download, Worms, Backdoors, Trojans, Suspicious iFrames, Heuristic Virus, Suspicious Codes, Suspicious Connections and Suspicious Activities. On top of that, it shows you E-Commerce Safety Information.


Performs Intrusion Detection Systems, Blacklists, JavaScript Scripts and HTTP Transactions


Site scan report includes – External links, iFrames, Blacklist status, Clean files and Suspicious files.


19. siteguarding.com/en/sitecheck

Scans for Malware, Website Blacklisting, Injected Spam, Defacements and Website Firewall, and analyzes links and scripts.

20. https://hackercombat.com/website-malware-scanner/


Scans your site for – malicious activity, malware detection, phishing, blacklist checking, worms, back doors, trojans, transaction protection and also shows basic who.is information to send the report to your email address.


Security Checklists/Resources

Prevention is better than cure, and that is why I have prepared this security checklist for you. It is by no means a complete list, but rather a short overview of how to tighten up the security of your website.
  1. Always use the latest version of WordPress
  2. Don’t tweak/mess with code in core WordPress files
  3. Keep your plugins’ versions up to date
  4. Install plugins from trusted sources
  5. Use Limit Login plugins to limit brute force attacks
  6. Use a strong password
  7. Don’t use Admin as your username
  8. Always use backups (with the UpdraftPlus plugin you can have free backups to Google Drive)
  9. Use 2 factor authentication if possible
  10. Use a trusted hosting provider

For more detailed security measures you can check out these cool resources –

  1. Hardening WordPress
  2. WordPress Security
  3. Brute Force Attacks
  4. wpsecuritychecklist.org
  5. wprecon.com/wordpress-security-tips
  6. WordPress Security Implementation Guideline
  7. wpvulndb.com (the WPScan vulnerability database, cataloging 5251 WordPress Core, Plugin and Theme vulnerabilities)

In case you find anything suspicious, follow this checklist to protect your website – 7 Ways to Fix WordPress Hacked sites + 17 Ways to Protect it from happening (again), from CollectiveRay

Now you have a handful of online WordPress vulnerability scanners. Give these tools a try before it gets too late. Did I miss any other websites you follow? What security measures do you take for your site? Leave a comment if you want to share your resources.
