21 Awesome Free Tools To Check WordPress Vulnerabilities Online

With more than 30% market share, WordPress websites are the leading targets for hackers. Unless you are careful, your website(s) can be the next target at any time; more than 50 thousand websites get hacked every day. So with a WordPress site in hand, you need to be more careful to stop hacking, backdooring and the like. From a CMS analysis by Sucuri for the first quarter of 2016 –

In most instances, the compromises analyzed had little, if anything, to do with the core of the CMS application itself, but more with improper deployment, configuration, and overall maintenance by the webmasters and their hosts.


Therefore, it is always necessary to run a WordPress security scan and check for site vulnerabilities before anything else. These online WordPress vulnerability scanners can at least make you aware of some loopholes and, more importantly, show you how to stop your site from getting hacked.


Before diving into the free tools, I just want to give a quick shout-out to an awesome paid security plugin that will take the security of your WordPress website.

MalCare – WordPress Security Plugin



MalCare is a complete WordPress security solution that comes with a one-click automatic malware cleaner. The MalCare scanner comes with an early malware detection technology that helps prevent your websites from being blacklisted by Google or blocked by web hosts. The scanner can successfully detect complex malware that goes undetected in other popular plugins. It focuses on accurately identifying malware and significantly reducing the number of false positives. It facilitates implementation of WordPress security best practices and also comes with an intuitive Site Management module that lets you manage your themes, plugins, users and WordPress core.



1. wpscans.com


Checks your site with their intelligent scanning algorithms and scans for known bugs that have been indexed in the WPScan Vulnerability Database, which contains over 4000 reported vulnerabilities. It also tries to identify the plugins you run and compares their versions against the bug database. In addition, wpscans checks for several well-known mistakes that people make when setting up their WordPress installation. A decent place to begin with (one of the many WordPress online scanners).

Note – wpscans doesn’t scan your server for server security and also doesn’t scan your password, for that matter.



2. sitecheck.sucuri


Sucuri is known for their timely vulnerability reports on the WordPress ecosystem, covering both plugins and themes. Sucuri also has a site scanner for vulnerabilities. It scans for malware, website blacklisting, injected spam, defacements and a website firewall, and also scans through your scripts and links. It checks whether your site has been blacklisted by popular services such as –

  • Google Safe Browsing
  • Norton Safe Browin
  • Phish Tank
  • Opera Browser
  • SiteAdvisor
  • Sucuri Malware Labs Blacklist
  • SpamHaus DBL
  • Yandex (via Sophos)
  • ESET



3. WordPress Security Scan


Checks application security, WordPress plugins, the hosting environment and the web server. The security scanner downloads a handful of pages from your website and performs analysis on the raw HTML code. It also scans for user enumeration, directory indexing, linked websites, linked JavaScript files and linked iFrames. With a membership you can get a more advanced scan of your site.



4. wploop.com


Checks your site for WordPress meta tags, readme.html, response headers that contain detailed PHP version info, a list of usernames, display of unnecessary information on failed login attempts, an install.php file accessible via HTTP, an upgrade.php file accessible via HTTP, a browsable uploads folder, an EditURI link present in the page header, an admin interface deliverable via HTTPS and a Windows Live Writer link in the page’s header.



5. scanwp.com


Performs a basic scan that checks whether all your WordPress files are up to date and scores your website out of 100. It also suggests that you tighten security and hide your WordPress version. The scanner visits your homepage and checks for the generator tag. Note – The WordPress core team has decided that displaying your WordPress version to the public is not a security concern.



Checks your site against Google safe browsing, active plugins, theme, user enumeration, directory indexing, Google malware scan, external link, linked iFrame and linked JS files.


7. quttera.com

Checks for iFrame, Malicious files, Suspicious files, External links and blacklist status of the site.


8. virustotal.com

Checks your site against 68 reputable online site inspectors, some of which are – AegisLab WebGuard, Avira, BitDefender, Comodo Site Inspector, K7AntiVirus, Malware Domain Blocklist, MalwareDomainList, SecureBrain, Spam404, Sucuri SiteCheck, Web Security Guard, Yandex Safebrowsing, ZeusTracker, Kaspersky and ZCloudsec.


9. Google Safe Browsing

If you want to check your site on Google Safe Browsing directly, without relying on any third-party scanners, you can check your site’s Safe Browsing status from this URL.


10. Ghost Scanner

Shows you a plain result indicating whether your server is vulnerable or not. You can also check out other scan services such as TCP Port scan, UDP Port scan, SSL Heartbleed scan, SSL Poodle scan, SSL DROWN scan, Bash Shellshock scan and Ghost Glibc scan.


11. asafaweb.com

Checks your site for Tracing, Custom Errors, Stack Trace, Request Validation, HTTP to HTTPS, Hash DoS Patch, ELMAH Log, Excessive Headers, HTTP Only Cookies, Secure Cookies, Clickjacking and Mac State. You can also schedule a scan by signing up.


12. app.upguard.com/webscan

Performs a pretty decent scan of a website: checks Communication DNS, Communication Services, Sub Domain, Scripts, SSL, Meta tags, Info, Header and Google Safe Browsing Check. In addition to these, it also checks against 27 factors. They are –
SSL Enabled, SSL Expiry, SSL Strength, Suspected Phishing Page, Suspected Malware Provider, Suspected of Unwanted Software, X-Powered-By Header, HTTP Strict Transport Security, ASP Net Version Header, Server Information Header, SPF Enabled, DMARC Enabled, Mail, App, User Auth, File Sharing, Voice, Administration, Database, DNSSEC Enabled, Domain Expiry, HttpOnly Cookies, Secure Cookies, Exposed Emails, Breaches.
Combining all these factors gives your site a score out of 950.


13. zerocert.org

Performs a simple scan and also shows your Google Page Rank and Whois information. There’s a settings panel as well, where you can tweak the check depth and user agent.


14. scanurl.net

Checks your site on Google Safe Browsing, Phish Tank and Web of Trust.


15. urlvoid.com

Checks for vulnerabilities against 26 reputable online scanning services, and shows your IP information and Alexa traffic.


16. app.webinspector.com

Gives you a complete scan that includes Blacklist Checking, Phishing, Malware Downloads, Drive-by Download, Worms, Backdoors, Trojans, Suspicious iFrames, Heuristic Virus, Suspicious Codes, Suspicious Connections and Suspicious Activities. On top of that, it shows you E-Commerce Safety Information.


17. urlquery.net

Checks Intrusion Detection Systems, Blacklists, JavaScript Scripts and HTTP Transactions.


18. scanner.pcrisk.com

Site scan report includes – External links, iFrames, Blacklist status, Clean files and Suspicious files.


19. siteguarding.com/en/sitecheck

Scans for Malware, Website Blacklisting, Injected Spam, Defacements and Website Firewall, and analyzes links and scripts.


20. Hackercombat


Scans your site for malicious activity, malware, phishing, blacklisting, worms, back doors and trojans, covers transaction protection, and also shows basic who.is information and can send the report to your email address.



21. WP Plugins

Scans your WordPress website for common pitfalls and displays a message about what can be improved in terms of security. It also has a handy option to alert you when your website is vulnerable; you can use it by subscribing to their newsletter.




Security Checklists/Resources

Prevention is better than cure, and that is why I have prepared this security checklist for you. It is by no means a complete list, but rather a short overview of how to tighten up the security of your website.
  1. Always use the latest version of WordPress
  2. Don’t tweak or mess with the code in core WordPress files
  3. Keep your plugins’ versions up to date
  4. Install plugins from trusted sources
  5. Use Limit Login plugins to limit brute force attacks
  6. Use strong passwords
  7. Don’t use Admin as a username
  8. Always keep backups (with the UpdraftPlus plugin you can have free backups to Google Drive)
  9. Use 2 factor authentication if possible
  10. Use a trusted hosting provider

For more detailed security measures you can check out these cool resources –

  1. Hardening WordPress
  2. WordPress Security
  3. Brute Force Attacks
  4. wpsecuritychecklist.org
  5. wprecon.com/wordpress-security-tips
  6. WordPress Security Implementation Guideline
  7. wpvulndb.com (the WPScan vulnerability database, cataloging 5251 WordPress Core, Plugin and Theme vulnerabilities)



In case you find anything suspicious, follow this checklist from CollectiveRay to protect your website – 7 Ways to Fix WordPress Hacked sites + 17 Ways to Protect it from happening (again).

Now that you have a handful of online WordPress vulnerability scanners, give these tools a try before it gets too late. Did I miss any other websites you follow? What security measures do you take for your site? Leave a comment if you want to share your resources.


  • https://triop.se Jonas Lejon

    I think WPScans.com is a great service and I’m using it myself on a daily basis to check for WordPress vulnerabilities.

    • Asphalt Themes

      Hi Jonas, It’s great to know that you found WPScans.com useful 🙂

      • https://triop.se Jonas Lejon

        Btw! I can see that WPScans also scans for server security misconfigurations, such as directory listings (I had one on my server). The article above states that it does not.

        • Asphalt Themes

          Hi Jonas, that’s a good catch. On the WPScans.com homepage the team stated “we don’t provide a full overview of all vulnerabilities and we don’t scan your server for server security.” This article just reflected that. However, it’s good to know that it also scans for server security configurations, pretty handy tool.

  • luca ercoli

    Hi, I work as a security specialist for an Italian hosting company and my job is to play with penetration testing and hacked sites.
    I use WPScan in order to find vulnerable WordPress installations, but it is not foolproof. I’ve coded a plugin named “WP Security Optimizer” (https://www.wp-security-optimizer.com/) that can elude WPScan (it can also block various attacks such as brute force, XML-RPC and DDoS).

    • Asphalt Themes

      Hi Luca, Looks Good. Keep up the good work.


  • http://www.seocoach.at/ SEO Coach

    I use http://www.web-malware-removal.com/ and https://aw-snap.info/file-viewer/ – both deliver great results to check if a website is hacked.

    • Asphalt Themes

      Hi there, The first link doesn’t work and the second link does a thorough scan but the presentation is quite bad. Except from the URL crawl table the presentation is not good.

  • John Darrel

    You can also include https://wpplugins.tips/wordpress-vulnerability-detector/. It’s a free tool we made and it detects WordPress vulnerabilities.

    • Asphalt Themes

      Thank you for your comment, We will check out the scanner

  • https://cwatch.comodo.com/?af=9557 Robert Brooks

    You can also include cwatch comodo (https://cwatch.comodo.com/?af=9557). It is also one of the best free malware removal programs for WordPress.

  • https://www.unitedguardforceindia.com United Guard Force India

    Very nice information related to themes. I was looking for tools of Vulnerabilities for my Security Guard Services In Mumbai. Your blog helped me a lot. Thank you.

    • Ashiquzzaman Kiron

      Glad to know that 🙂

  • https://hackercombat.com/fix-malware-from-your-website-free William Harvey

    Very useful list of tools to check WordPress website vulnerabilities. I tried wpscans, sucuri and hackercombat for checking malware on my websites; all work really well.

    • Asphalt Themes

      Hi William, We’re happy that you’ve found this article useful 🙂

  • Nando Delgado

    Great list! It would also be awesome if you included Hackmetrix (https://www.hackmetrix.com/) It’s free and checks for several types of vulnerabilities and then outputs a report with tips on how to fix whatever it found. You can also set it up to run a monthly scan for three months in a row 🙂
