19 Free Tools To Scan Your WordPress Site Vulnerability Online
With more than 39% market share, WordPress websites are the leading targets for hackers. Unless you are careful, your website(s) can be the next target at any time: more than 50 thousand websites get hacked every day. So with a WordPress site in hand, you need to be more careful to stop hacking, backdooring and what not. From the CMS analysis by Sucuri in the first quarter of 2019 –
In most instances, the compromises analyzed had little, if anything, to do with the core of the CMS application itself, but more with improper deployment, configuration, and overall maintenance by the webmasters and their hosts.
Therefore, it is always necessary to scan your WordPress site for vulnerabilities before anything else. With these WordPress online vulnerability scanners, you can at least become aware of some loopholes and, more importantly, learn how to stop your site from getting hacked.
1. wpscans.com

Checks your site with their intelligent scanning algorithms and scans for known bugs that have been indexed in the WPScan Vulnerability Database, which contains over 4000 reported vulnerabilities. A great tool to scan your WordPress site for vulnerabilities online. It also tries to identify the plugins you run and compares their versions against the bug database. In addition, it scans for several well-known mistakes that people make when setting up their WordPress installation. A decent place to begin with among the many WordPress online scanners.
Note – wpscans doesn’t scan the server for security and also doesn’t scan your password for that matter.
2. sitecheck.sucuri

Sucuri is known for its timely vulnerability reports on the WordPress ecosystem, covering both plugins and themes. Sucuri also has a site scanner for vulnerabilities. It scans for Malware, Website Blacklisting, Injected Spam, Defacements and Website Firewall, and also scans through your scripts and links. If you want to get the latest report and scan your website for WordPress vulnerabilities, Sucuri is the site to scan with. It checks whether your site has been blacklisted by any other popular services like –
- Google Safe Browsing
- Norton Safe Browsing
- Phish Tank
- Opera Browser
- SiteAdvisor
- Sucuri Malware Labs Blacklist
- SpamHaus DBL
- Yandex (via Sophos)
- ESET
3. WordPress Security Scan

Another free tool to scan WordPress vulnerability online. It checks for application security, WordPress plugins, hosting environment, and the webserver. The security scanner downloads a handful of pages from your website and performs analysis on the raw HTML code. It also scans for user enumeration, directory indexing, linked websites, linked JavaScript, and linked iFrames. With membership, you can gain a more advanced scan for your site.
4. wploop.com

Checks your site for WordPress meta tags, readme.html, response headers containing detailed PHP version info, a list of usernames, the display of unnecessary information on failed login attempts, an install.php file accessible via HTTP, an upgrade.php file accessible via HTTP, a browsable uploads folder, an EditURI link present in the page header, an admin interface deliverable via HTTPS and a Windows Live Writer link in the page’s header. If you want to get a technical report to work on, scan your WordPress site for online vulnerability here.
5. scanwp.com

Performs a basic scan checking whether all your WordPress files are up to date or not, and scores your website out of 100. It also suggests that you tighten security and hide your WordPress version. The scanner visits your homepage and checks for the generator tag. Note – The WordPress core team has decided that displaying your WordPress version to the public is not a security concern.
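The passive checks described for the scanners above (the generator tag, the EditURI and Windows Live Writer links in the page header, and PHP version info in response headers) can be reproduced on a page fetched from your own site. This is an added example, not code from any of the listed tools; the function and check names are hypothetical, and the sample headers and HTML are constructed.

```python
from html.parser import HTMLParser

# Constructed sample input (not captured from any real site).
SAMPLE_HEADERS = {"Server": "Apache", "X-Powered-By": "PHP/7.4.3"}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.6" />
<link rel="EditURI" type="application/rsd+xml" href="https://example.test/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://example.test/wp-includes/wlwmanifest.xml" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/demo/style.css?ver=5.6" />
</head><body></body></html>"""


class HeadAudit(HTMLParser):
    """Collects the page-header tags that the scanners above report on."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("generator-tag", a.get("content", "")))
        elif tag == "link":
            rel = a.get("rel", "").lower()
            if rel == "edituri":
                self.findings.append(("edituri-link", a.get("href", "")))
            elif rel == "wlwmanifest":
                self.findings.append(("wlwmanifest-link", a.get("href", "")))


def audit_page(headers, html):
    """Return (check, evidence) pairs for one fetched page of your own site."""
    findings = []
    hdr = {k.lower(): v for k, v in headers.items()}
    powered = hdr.get("x-powered-by", "")
    # Only flag the header when it carries a version number.
    if any(ch.isdigit() for ch in powered):
        findings.append(("php-version-header", powered))
    parser = HeadAudit()
    parser.feed(html)
    parser.close()
    return findings + parser.findings


if __name__ == "__main__":
    for check, evidence in audit_page(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{check}: {evidence}")
```

An empty result means none of these four disclosures is present on the page; it says nothing about the other checks the scanners run.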
6. wprecon.com

Checks your site against Google safe browsing, active plugins, theme, user enumeration, directory indexing, Google malware scan, external link, linked iFrame, and linked JS files. A nice online scanner for finding WordPress vulnerability.
6. quttera.com

Scans your WordPress site for online vulnerability and checks for iFrame, Malicious files, Suspicious files, External links, and blacklist status of the site.
7. virustotal.com

A very useful tool to scan WordPress vulnerability online. This site checks your site against 68 reputed online site inspectors; some of them are – AegisLab WebGuard, Avira, BitDefender, Comodo Site Inspector, K7AntiVirus, Malware Domain Blocklist, MalwareDomainList, SecureBrain, Spam404, Sucuri SiteCheck, Web Security Guard, Yandex Safebrowsing, ZeusTracker, Kaspersky and ZCloudsec.
VirusTotal gives you a complete set of reports after scanning your WordPress website for online vulnerability.
8. Google Safe Browsing

9. Ghost Scanner

10. Hackercombat
Scans your site for – malicious activity, malware detection, phishing, blacklist checking, worms, back doors, trojans, transaction protection, and also shows basic who.is information to send the report to your email address. If you want to actively search for the malware scan report, Hackercombat is the best place to scan WordPress vulnerability online.
11. app.upguard.com/webscan

Performs a pretty decent scan of a website; checks Communication DNS, Communication Services, Sub Domain, Scripts, SSL, Meta tags, Info, Header, Google Safe Browsing Check. In addition to these, it also checks against 27 factors. They are –
SSL Enabled, SSL Expiry, SSL Strength, Suspected Phishing Page, Suspected Malware Provider, Suspected of Unwanted Software, X-Powered-By Header, HTTP Strict Transport Security, ASP Net Version Header, Server Information Header, SPF Enabled, DMARC Enabled, Mail, App, User Auth, File Sharing, Voice, Administration, Database, DNSSEC Enabled, Domain Expiry, HttpOnly Cookies, Secure Cookies, Exposed Emails, Breaches.
Combining all these factors gives your site a score out of 950.
12. zerocert.org

Performs a simple scan and also shows your Google Page Rank and Whois information. There’s a settings panel as well, where you can tweak check depth and user agents.
13. scanurl.net

Checks your site on Google Safe Browsing, Phish Tank and Web of Trust.
14. urlvoid.com

Checks for vulnerabilities against 26 reputed online scanners, and shows your IP information and Alexa traffic.
15. WP Plugins
Scans your WordPress website for common pitfalls and displays a message about what can be improved in terms of security. It also has a handy option of alerting you when your website is vulnerable; you can avail yourself of the option by subscribing to their newsletter.
16. scanner.pcrisk.com

Site scan report includes – External links, iFrames, Blacklist status, Clean files, and Suspicious files.
17. siteguarding.com/en/sitecheck

Scans for Malware, Website Blacklisting, Injected Spam, Defacements, Website Firewall, links, scripts, and links analyze.
18. GeekFlare Vulnerability Scanner
Gives you the following information –
- WordPress version
- Admin exposed
- Blacklisted
- HTTPS
- WordPress Core
- Previous WordPress vulnerability with history
- Plugin vulnerability with history
Also gives you information about – Library dependencies vulnerability, such as – jQuery.
19. Pentest Tool
Although Pentest doesn’t have a free plan, you can see their sample report and get an idea of their test reports. Pentest rates risk with high, medium and low priority.
Just like GeekFlare, Pentest also gives you a full vulnerability listing of previous WordPress versions, plugin vulnerability and user vulnerability.
Apart from this important information, Pentest also scans the site header, robots.txt file, xmlrpc file, readme file and theme vulnerability.
Security Checklists/Resources
Prevention is better than cure, and that is why I have prepared these security checklists for you. This is by no means a complete list, but rather a short overview of how to tighten up the security of your website.
- Always use the latest version of WordPress
- Don’t tweak/mess code in core WordPress files
- Keep your plugins’ versions up to date
- Install plugins from trusted sources
- Use Limit Login plugins to limit brute force attacks
- Use a strong password
- Don’t use Admin for username
- Always use backups (with the UpdraftPlus plugin you can have free backups to Google Drive)
- Use 2-factor authentication if possible
- Use a trusted hosting
For more detailed security measures you can check out these cool resources
- Hardening WordPress
- WordPress Security
- Brute Force Attacks
- wpsecuritychecklist.org
- wprecon.com/wordpress-security-tips
- WordPress Security Implementation Guideline
- wpvulndb.com (cataloging 5251 WordPress Core, Plugin and Theme vulnerabilities; it is a WPScan vulnerability database)
In case you find anything suspicious, follow this checklist to protect your website – 7 Ways to Fix WordPress Hacked sites + 17 Ways to Protect it from happening (again) from – CollectiveRay
Now that you have a handful of online WordPress vulnerability scanners, give these tools a try before it gets too late. Did I miss out any other websites you follow? What security measures do you take for your site? Leave a comment if you want to share your resources.
I think WPScans.com is a great service and I’m using it myself on a daily basis to check for WordPress vulnerabilities
Hi Jonas, It’s great to know that you found WPScans.com useful 🙂
Btw! I can see that WPScans also scans for server security misconfigurations. Such as directory listings (I had one on my server). The article above states that it does not.
Hi Jonas, That’s a good catch. On WPScans.com homepage the team stated “we don’t provide a full overview of all vulnerabilities and we don’t scan your server for server security.” This article just reflected that. However it’s good to know that it also scans for server security configurations, pretty handy tool.
Hi, I work as a security specialist for an Italian hosting company and my job is to play with penetration testing and hacked sites.
I use WPScan in order to find vulnerable WordPress installations but it is not foolproof. I’ve coded a plugin named “WP Security Optimizer” (https://www.wp-security-optimizer.com/) that can elude WPScan (it can also block various attacks such as Bruteforce, XML RPC and dDoS)
Hi Luca, Looks Good. Keep up the good work.
I use http://www.web-malware-removal.com/ and https://aw-snap.info/file-viewer/ – both deliver great results to check if website is hacked.
Hi there, The first link doesn’t work and the second link does a thorough scan but the presentation is quite bad. Except for the URL crawl table the presentation is not good.
You can also include https://wpplugins.tips/wordpress-vulnerability-detector/. It’s a free tool we made and it detects WordPress vulnerabilities.
Thank you for your comment, We will check out the scanner
You can also include cwatch comodo (https://cwatch.comodo.com/?af=9557). It is also one of the best free malware removal programs for WordPress.
Very nice information related to themes. I was looking for tools of Vulnerabilities for my Security Guard Services In Mumbai. Your blog helped me a lot. Thank you.
Cheers..!!
Glad to know that 🙂
Very useful list of tools to check the WordPress website vulnerabilities. I tried wpscans, sucuri and hackercombat for checking malware in my websites, all work really well.
Hi William, We’re happy that you’ve found this article useful 🙂
Great list! It would also be awesome if you included Hackmetrix (https://www.hackmetrix.com/) It’s free and checks for several types of vulnerabilities and then outputs a report with tips on how to fix whatever it found. You can also set it up to run a monthly scan for three months in a row 🙂