As a WordPress site owner, security has always been a top concern for me and also a tad overwhelming. The knowledge that new vulnerabilities are disclosed every day only makes it that much scarier. I decided that having a good scanning solution in place for my site would be the way forward. Once I have a reliable scanner, I can bank on it to detect malware and other known issues on my site quickly and thus minimize the damage they can cause. So far, so good; but how do I narrow down on that one good scanner? Should I trust the popular reviews or go by user ratings? Even then, how do I know for sure that the scans are really effective? If a scanner doesn't pull up any issues on my site, can I safely assume that my site is malware free? Or is it just creating a false sense of security?
The best way to put my mind at rest, I realized, was to subject the scanners to a test. I picked the most popular names associated with WordPress scans – Sucuri, Wordfence, WPScan, and Exploit Scanner. I then introduced two known issues into my site –
- The vulnerable TimThumb script
- A conditional redirect malware from Sucuri’s website
I added the TimThumb script to my current theme and introduced the malware into the index.php file. I was all set for the final test – the scan itself. I could now check whether the scanners were effective, without having to rely on other reviews.
You can't talk about WordPress security without mentioning Sucuri. So what better place to start the test than Sucuri SiteCheck? It is a free tool that checks your site for malware, blacklisting status, website errors, and out-of-date software. What's even better is that I didn't have to install anything to try this tool out. All I did was enter my URL into the space provided, click Scan, and wait for the results to be displayed. The interface is simple and easy to use. It took just a few minutes for the scan to complete, but that may vary depending on the size of your site. One thing worth keeping in mind: SiteCheck is a remote scanner. It inspects the pages your site serves to its crawler, not the files on your server, so it can only judge what the site chooses to show it.
The status of the scan caught me by surprise – no malware was detected. This was a little scary as well as disappointing considering it was coming from Sucuri. Adding to all this was the fact that I had picked the malware from their own site. The sample does explain the miss, though: a conditional redirect fires only for particular visitors (typically those arriving from a search engine, or with a specific User-Agent), while everyone else, including a scanner fetching the page directly, is served the clean site.
Wordfence is another popular name when it comes to WordPress security. It is available as a security plugin that needs to be installed on your site, which means it runs on the server and can read the files themselves rather than just the rendered pages. The plugin comes with a built-in scanner along with a host of other security features. The scan mainly covers the following points –
- Checks for known malware
- Compares WordPress core, plugin, and theme files against the repository
- Scans file content for infections and vulnerabilities
Some features, like checking whether your site generates spam, are restricted to paid customers. The time taken for the scan to complete depends on what you've included in the options section. I went ahead and checked almost everything on the list. Why leave out parts of your site to save a few minutes? Leaving directories out may skip exactly the files that are infected, which defeats the purpose of the scan.
Though the scan took a while to complete, I was thrilled that it was able to detect both the issues on my site. Users also have the option of scheduling scans as per their needs. Wordfence is definitely a potential candidate for my site.
The WPScan team refers to their product as a black box scanner that detects known security issues in WordPress sites. Black box means it works entirely from the outside: it fingerprints the WordPress version, plugins, and themes it can see and matches them against a database of known vulnerabilities, but it never reads files on the server. There is an online version similar to Sucuri's SiteCheck that takes in a URL and gives us the results. The tool also comes pre-installed in security-focused Linux distributions such as Kali. Apart from the basic security checks, the installed tool can enumerate plugins, themes, and users to identify possible issues on your site, and it can look for TimThumb files by path (the `--enumerate tt` option), which only works if the scanner guesses the location the script was placed at. These advanced options are only available in the installed version and not in the online one. The main challenge that I saw right away was interpreting the scan results. The results are in plain text with minimal formatting, making it hard to read through quickly.
What mattered in the end, however, is that the scanner couldn’t detect the issues on my site.
Exploit Scanner is another WordPress security plugin that checks your site for signs of suspicious activity. Unlike plugins like Wordfence, this is a pure scanning utility. Once installed, you can use the Run Scan option to initiate a scan. It’s really that simple, without too many options to play around with.
Now for the good news: the scanner was able to catch both my issues. Apart from that, the scanner listed hundreds of other files that looked potentially suspicious. It is a good thing that the scanner goes through all the file content in detail and lists the code snippet it deems malicious alongside each file. However, the list appeared to include many false positives that have to be eliminated through manual inspection of the code. That may seem easy for a developer, but not for a regular WordPress user like me who had little idea about code. The interface too could do with a little bit of structuring.
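The two behaviours seen above, a remote scan (Sucuri SiteCheck, WPScan online) missing the conditional redirect while a file-content scan (Wordfence, Exploit Scanner) finds it but also flags harmless code, can be shown in a few lines. The following is an added example written for this post, not code from any of the products discussed. The sample files, the redirect target `attacker.invalid`, and the three signatures are all constructed for illustration and are far simpler than real scanner rules.

```python
"""Added example: why a remote page fetch and a local file scan see different things.
All sample files, hostnames and signatures below are constructed for illustration."""
import re

# --- Part 1: a model of a conditional redirect ---------------------------------
# The redirect fires only for visitors arriving from a search engine. A scanner
# that fetches the page directly (no Referer) gets the clean page and reports nothing.
SEARCH_ENGINE_REFERERS = ("google.", "bing.", "yahoo.")


def serve_index(headers: dict) -> dict:
    """Constructed model of an infected index.php: redirect search traffic, else serve the blog."""
    referer = headers.get("Referer", "").lower()
    if any(engine in referer for engine in SEARCH_ENGINE_REFERERS):
        return {"status": 302, "location": "http://attacker.invalid/"}  # constructed target
    return {"status": 200, "body": "<html>Welcome to my blog</html>"}


def remote_scan_sees_redirect(fetch=serve_index) -> bool:
    """What a SiteCheck-style remote scanner observes: a plain fetch with no Referer."""
    return fetch({"User-Agent": "scanner/1.0"})["status"] == 302


def search_visitor_sees_redirect(fetch=serve_index) -> bool:
    """What a real visitor coming from a search result observes."""
    return fetch({"Referer": "https://www.google.com/search?q=my+blog"})["status"] == 302


# --- Part 2: a local file-content scan -----------------------------------------
# Constructed stand-ins for the files a plugin-based scanner reads from disk.
SAMPLE_FILES = {
    "wp-content/themes/mytheme/timthumb.php": (
        "<?php\n"
        "define('VERSION', '2.8.10');\n"
        "class timthumb { /* image resizing script */ }\n"
    ),
    "index.php": (
        "<?php\n"
        "if (strpos($_SERVER['HTTP_REFERER'], 'google') !== false) {\n"
        "    header('Location: http://attacker.invalid/'); exit;\n"
        "}\n"
        "require('./wp-blog-header.php');\n"
    ),
    "wp-content/plugins/login-helper/login.php": (
        "<?php\n"
        "// legitimate: send users to the dashboard after a successful login\n"
        "wp_redirect(admin_url()); exit;\n"
    ),
    "wp-content/themes/mytheme/functions.php": "<?php add_theme_support('title-tag');\n",
}

# Simplified signatures. The last rule is deliberately broad: any redirect at all.
SIGNATURES = {
    "timthumb-script": re.compile(r"class\s+timthumb\b", re.I),
    "conditional-redirect": re.compile(
        r"\$_SERVER\[\s*['\"]HTTP_(?:REFERER|USER_AGENT)['\"]\s*\]"
        r"[\s\S]{0,300}?header\(\s*['\"]Location:",
        re.I,
    ),
    "any-redirect": re.compile(r"\b(?:header\(\s*['\"]Location:|wp_redirect\()", re.I),
}


def scan_files(files: dict) -> dict:
    """Return {path: [matched signature names]} for every file that hits at least one rule."""
    hits = {}
    for path, content in files.items():
        matched = [name for name, rule in SIGNATURES.items() if rule.search(content)]
        if matched:
            hits[path] = matched
    return hits


def needs_manual_review(hits: dict) -> list:
    """Files that matched only the broad rule: likely false positives a human must inspect."""
    return [path for path, names in hits.items() if names == ["any-redirect"]]


if __name__ == "__main__":
    print("remote scan sees redirect:", remote_scan_sees_redirect())
    print("search visitor sees redirect:", search_visitor_sees_redirect())
    results = scan_files(SAMPLE_FILES)
    for path, names in results.items():
        print(f"{path}: {', '.join(names)}")
    print("manual review needed:", needs_manual_review(results))
```

The first half is the Sucuri result in miniature: the same page answers differently depending on the request, and a scanner that only makes one kind of request never sees the bad branch. The second half is the Exploit Scanner result: a signature scan over file contents catches both planted issues, but the broad "any redirect" rule also flags a perfectly legitimate login plugin, which is exactly the kind of hit that ends up in a long list for someone to review by hand.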
At the end of the whole exercise I realized there is no perfect solution when it comes to scanners. Especially with many of them putting up disclaimers stating that 100% accuracy isn't guaranteed (e.g. Sucuri and Exploit Scanner), I wondered for a fleeting instant whether I should install a scanner at all. In the end, I decided to go with Wordfence as it was the most effective and easiest to use. Plus, it brings added features that'd help improve my site's security. Wordfence is my choice, what's yours? Share your scan story in the comments section.