[How To] Easily use remote tools to scan your WordPress site for security issues, malware etc
Basically, I just recently read about a WP site being hacked in the Divi FB group and I thought it can't hurt to share some ways how you can approach scanning your website (on a regulary basis) for malware, hacks, exploits, issues. Of course on a shared host your options are limited but this blog post by WPBeginner actually presents to you 14 WordPress Security Scanners for Detecting Malware and Hacks.
To speed things up a bit I am going to list my 3 favourites here (you have probably heard about Google Safe Browsing already):
1) Sucuri Site Check
Sucuri is well known in the scene and I think someone on the other forum also works/worked there?!
This is an easy way to scan your website remotely without having to install any extra plugin/tool on your WP site or do any other preparation: Sucuri SiteCheck scanner will check the website for known malware, viruses, blacklisting status, website errors, out-of-date software, and malicious code.
Sucuri scan also includes Google Safe Browsing results so I will not list it here.
2) WPSec also scans your website for exploits but also extendst to the scan of plugins, themes and robots.txt . I found a potential security risk for one of my plugins here which wasn't mentioned on Sucuri. So WPSec definitely makes for a good addition as it has another approach to scannning.
3) UpGuard also seems like a cool solution. It gives your Website a security score (from 0 to 950, 950 being best) and takes Website risks, such as Insecure SSL, HSTS enforcement and E-Mail Security
into account. My website just scored a score in the 500eds so I guess I have some work to do.
In the Blog post from WPBeginners I mentioned above you will find even more cool ways to scan your website with remote tools but these 3 are probably my personal favourites.
Honorable mention: Don't forget that your good pal from Linux.iso scanning Virustotal can also scan websites
Hope this will be of help to some of you guys!
Kind regards,
Ympker
Comments
Every time i saw a "Wordpress Security", i'll post this link
https://www.pluginvulnerabilities.com/blog/
Used to work on shared-hosting company before. it's amazes me that most of people these days has really low reading interest or shorter attention span to read how to properly secure wordpress installations https://wordpress.org/support/article/hardening-wordpress/
And then beg for Enterprise-grade Support (and MUST be FIXED RIGHT NOW AAAAAAAAAAAAA) while their shitty site got defaced by chinese bruteforce bot after paying you 7$ annually
self-hosting even if it's just installing shit from softaculus is harder to comprehend, those corporations with muh decentralized "app" or "in da cloud" are winning. the end is nigh
This is also a pretty good "read": https://wpvulndb.com/
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Great sources you would like to add sslabs or something like that for A+ of the lets encrypt . it is helpful , basic but helpful
I believe in good luck. Harder that I work ,luckier i get.
Wordfence and WP Security Ninja can be added to the list.
Also site lock
———-
blog | exploring visually |
I have heard of these tools and that they are good but are they remote tools that require no further plugin installation? Just asking because the OP is about remote tools (as to not derail the topic). Regardless, the tools you mentioned surely are worth mentioning in regard to WP security.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Site lock is not a plugin IIRC.
Other two are. In that light I limit my comment to site lock which is also what you have mentioned.
Cheers
Edit:
Nice read:
https://wordpress.org/support/article/hardening-wordpress/
They mention Cloudflare, Sucuri and Incapsula but did not understand the connection (except CDN).
Last line is interesting
And..
Here is a screenshot from sitelock weekly scans on a test site. I think you can change frequency, weekly is too slow in hindsight
———-
blog | exploring visually |
My 2c:
https://io.bikegremlin.com/8963/wordpress-security/
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
Looks nice Not free though, right? :P
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Now that you mention it, probably it came with shared hosting plan. Was a CPanel based host. Do not recall which one. I want to say Hostgator ( I know... pre LE "X" days) but I could be wrong.
———-
blog | exploring visually |
have you achieved the 950 mark @ympker on upguard ? I am in it and after achieving 751 i am not able to check it . Always shows 751 even i have solved some issues . It seems that the page is in their cache and shows always the same .
I believe in good luck. Harder that I work ,luckier i get.
I think I cant manage to go higher than 700 lol
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Thanks for the share
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Which ¨problems ¨appears in the yours ?
789 here .
not using HSTS- I do not plan to use it
Wordpress version appears in the website well .... i would not change everything so i guess i could live with it
But i have no idea about this one :
1) Domain registrar deletion protection not enabled
Domain is not protected from unsolicited deletion requests with the registrar. The domain should have clientDeleteProhibited set.
2)Domain registrar update protection not enabled
Domain is not protected from unsolicited update requests with the registrar. The domain should have clientUpdateProhibited set.
I have checked all the options of namesilo but i have not found anything similar in any area . I have checked lowendspirit and seems that this was done properly . @AnthonySmith , would you mind to give us some information about what could be ? Sorry about this question probably it is a dumb question .
I believe in good luck. Harder that I work ,luckier i get.
Wordfence is real good, on going deep to analyze the site not only for malicious code or viruses, but for potential threats and suspicious code or activity. I have found plenty of times malicious code and have the opportunity either to automatic delete it or go further with investigation on what it is, how it got there and what I should remove to make the wp safe again.
• If a program actually fits in memory and has enough disk space, it is guaranteed to crash.
• If such a program has not crashed yet, it is waiting for a critical moment before it crashes.
B 732 / 950 here
But in reality, they are things I'm OK with it.
"Insecure SSL/TLS versions available" (it's not used in reality) and "HTTP Strict Transport Security (HSTS) not enforced" (I don;t want to), "DMARC policy is p=none" (the mail server is completely disabled as so the ports), "Domain registrar deletion - update protection not enabled" (also I don't use this).
So, the score is more than good in aspects that really affects a wp installation
• If a program actually fits in memory and has enough disk space, it is guaranteed to crash.
• If such a program has not crashed yet, it is waiting for a critical moment before it crashes.
And this is te best tool to scan for virus/malware all the plugins or the uploads to a WP site: https://www.virustotal.com/gui/home/upload
• If a program actually fits in memory and has enough disk space, it is guaranteed to crash.
• If such a program has not crashed yet, it is waiting for a critical moment before it crashes.
How much does wordfence charge?
I also think I'll stick with 700ish score @Chievo . Anything else seems kinda unrealistic tbh.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
I think I already mentioned it in OP but yeah, it's great
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
“Technology is best when it brings people together.” – Matt Mullenweg
Durexsky
I believe in good luck. Harder that I work ,luckier i get.
The free version works
• If a program actually fits in memory and has enough disk space, it is guaranteed to crash.
• If such a program has not crashed yet, it is waiting for a critical moment before it crashes.
Good to know, so no paywall for essential features?
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
@Ympker The paid version do have a massive addon functionality, real time scanner...
• If a program actually fits in memory and has enough disk space, it is guaranteed to crash.
• If such a program has not crashed yet, it is waiting for a critical moment before it crashes.
Folks i have found this page that would be interesting to be included :
https://securityheaders.com/
I must work on it , D here
I believe in good luck. Harder that I work ,luckier i get.
Thanks for sharing @Chievo
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
You are welcome
I believe in good luck. Harder that I work ,luckier i get.
Use wifi
Action and Reaction in history