Scanning Online for WordPress Security Flaws

WordPress security flaws have been a growing risk to developers and site owners alike over the past 3-4 years. As if on cue, a Halloween 2017 security surprise just added a new level of concern about WordPress hacking vulnerabilities. So being able to scan a live WordPress website online for its security state has become more important, both for developers advising clients and for owners themselves.

As a developer I like to be able to advise potential clients about the security risk of their WordPress websites. For an owner, it is also vital to be able to check their own WordPress website for any vulnerabilities. With the current Halloween Surprise, the need to scan a WordPress website for its security status from outside, using an online service, becomes vital. So here is a review of two such services.

2 Online WordPress Security Checkers

A quick Google search plus a discussion with some WP gurus turned up two free online WP security check services. WPScans.com is at the top of the Google search list of WordPress online security scanners. Sucuri SiteCheck was recommended by a couple of WP gurus.

I tried WPScans first because it had a nifty summary of some of its security data:

This WPScans data on the source of hack attacks looked very informative. So I immediately went to the website and performed a scan of this website, theOpenSourcery.com/keepopen/. I had to include the blog's keepopen subdirectory in the URL:

Oops, WPScan was telling me that my website's version of WordPress was 3.6 when I knew it to be 4.8.3. So I tried the new SSL https URL, which works for some but not all of my WordPress pages and posts. [Trust me, adding SSL to an existing website is no easy walk in the park and is the subject of an upcoming post.] Same message: WPScan thinks I am at WordPress 3.6!

Hmmm. So I decided to try my PicsofCanada.com website, which has working SSL protection and has WordPress installed at the root URL:

Mixed messaging in this case. WPScan tells me my WordPress website is safe but cannot tell me what version of WordPress is being used. But this is precisely the information needed: I have to ensure that WordPress has auto-updated to WP 4.8.3. So I try Sucuri.

Sucuri SiteCheck (sitecheck.sucuri.net)

First I try theOpenSourcery.com/keepopen/:

Sucuri returns three simplified tabs on what was found. The website is given passing security marks. By the way, Sucuri dutifully ignores the fact that I have the Wordfence plugin with its firewall running on PicsofCanada.com, which BuiltWith does report.

So I check the Website Details tab:

In this case the info is closer to the WordPress 4.8.3 version but not precise: for some reason all Sucuri reports is WP 4.7.x/4.8. But of course knowing that the version is WP 4.8.3 and NOT WP 4.8.2 is the critical data required. To make matters worse, the Google search uncovers several complaints about Sucuri SiteCheck delivering false positives like this one. Oh boy.
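Neither scanner could pin down the exact WordPress version, and that is not surprising. One of the most common external fingerprints is the `<meta name="generator" content="WordPress x.y.z">` tag that WordPress emits in the page head, and many hardening plugins strip it, leaving an outside scanner to guess from other clues. An owner who already knows which version the site should be on can do the exact comparison the scanners could not. The following script is an added example written for this review; it is not code from the post, from WPScans or from Sucuri. It parses a saved copy of a page (the three HTML snippets are constructed for the example) and reports whether the advertised version is current, outdated or simply not advertised. The expected version 4.8.3 is taken from the post; the function names are the example's own.

```python
"""Owner-side check of the WordPress version a page advertises.

Added example for the review above (not the post's or either service's code).
It reads HTML that the owner has already saved, so it runs offline.
"""
import re
from html.parser import HTMLParser

# The version the owner expects the site to have auto-updated to (from the post).
EXPECTED_VERSION = "4.8.3"

# Constructed sample pages, standing in for saved copies of a site's home page.
SAMPLE_CURRENT = """<html><head>
<meta charset="utf-8">
<meta name="generator" content="WordPress 4.8.3" />
<title>Example site</title></head><body></body></html>"""

SAMPLE_OLD = """<html><head>
<meta name="generator" content="WordPress 3.6" />
</head><body></body></html>"""

# A hardening plugin has removed the generator tag: nothing to read.
SAMPLE_STRIPPED = """<html><head>
<meta name="viewport" content="width=device-width">
</head><body></body></html>"""


class GeneratorParser(HTMLParser):
    """Collect the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attributes = {(k or "").lower(): v for k, v in attrs}
        if attributes.get("name", "").lower() == "generator" and attributes.get("content"):
            self.generators.append(attributes["content"])


def advertised_wp_version(html):
    """Return the WordPress version string from the generator tag, or None."""
    parser = GeneratorParser()
    parser.feed(html)
    for generator in parser.generators:
        match = re.match(r"WordPress\s+(\d+(?:\.\d+)*)", generator)
        if match:
            return match.group(1)
    return None


def version_tuple(version):
    """Turn '4.8.3' into (4, 8, 3) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def assess(html, expected=EXPECTED_VERSION):
    """Classify a page as ('current'|'outdated'|'unknown', advertised_version)."""
    advertised = advertised_wp_version(html)
    if advertised is None:
        # This is the situation an external scanner is in once the tag is stripped:
        # it must fall back to guessing, which is how vague '4.7.x/4.8' answers arise.
        return ("unknown", None)
    if version_tuple(advertised) < version_tuple(expected):
        return ("outdated", advertised)
    return ("current", advertised)


if __name__ == "__main__":
    for label, page in (("current", SAMPLE_CURRENT), ("old", SAMPLE_OLD),
                        ("stripped", SAMPLE_STRIPPED)):
        print(label, "->", assess(page))
```

The "unknown" result is the useful one: it tells the owner that an outside scanner has nothing reliable to read, so the exact version has to be confirmed from inside the WordPress dashboard rather than trusted from a third-party report. Note that the generator tag only reflects what the page advertises; the tuple comparison is what makes 4.8.3 correctly rank above 4.8.2 instead of falling into a lexical comparison.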

Summary

Like Pingdom and GTmetrix for free online testing of any website's speed performance, there really should be an effective free online tool to check a WordPress website's security state. I have found two free tools, but their effectiveness still leaves much to be desired. So if you know of a good tool, please let us know in the comments below. Finally, the need to check WordPress constantly for its security state speaks volumes as well.