Two Free Tools to Scan Your Website for Vulnerabilities
Yesterday we compared Squarespace and WordPress, and I indicated that as slick as Squarespace was, 40Tech was going to remain on a self-hosted WordPress installation. Bloggers using a self-hosted instance of WordPress, though, need to make sure that their blogs are secure. That includes making sure that your blog isn’t already compromised. How do you do that? The easiest way is to use external tools to scan your site. There are two that we use here at 40Tech, and recommend.
The first is Sucuri SiteCheck, which is the more streamlined of the two. Simply type an address in the Scan box, and the service will scan your site.
The second tool is actually a suite of scans from HackerTarget.com. From the front page of that site, you’ll find links to 12 different scans that can be performed. The scans range from a port scan, to an SQL injection test, to scans for different types of platforms (WordPress, Drupal, Joomla).
I’ve tried the WordPress scan. According to the site, the scan is not an in-depth audit, but instead a “passive analysis” that uses web requests to download a handful of pages from the site, and then performs some analysis on the resulting HTML.
The security checks listed include the following:
- WordPress Version Check
- Site Reputation from Google, Norton and MyWot
- Default admin account enabled
- Directory Indexing on plugins
- htaccess readable
- robots.txt present
- Sites Externally linked from main page (reputation checks)
- WordPress plugins that are detected passively, with their versions compared against the latest versions.
- iframes present
- internal site links
- Hosting Reputation and Geolocation information
- IP address sharing and reputation of sites sharing the IP address
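As an added example (not code from 40Tech, Sucuri or HackerTarget), here is a small Python script in the spirit of that passive analysis: it parses one downloaded page and pulls out the version leak, iframes, externally linked hosts and plugin paths that several of the checks above refer to. The site host, the sample HTML and the plugin slug are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _PassiveParser(HTMLParser):
    """Collects the HTML features the passive checks listed above look at."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.generator = None        # <meta name="generator"> gives away the WP version
        self.iframes = []            # iframes the owner did not add are a classic injection sign
        self.external_hosts = set()  # hosts linked from the page, for reputation checks
        self.plugins = set()         # plugin slugs visible in /wp-content/plugins/ paths

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")
        elif tag == "a" and a.get("href"):
            host = urlparse(a["href"]).netloc.lower()
            if host and host != self.site_host:
                self.external_hosts.add(host)
        for url in (a.get("src"), a.get("href")):
            if url and "/wp-content/plugins/" in url:
                self.plugins.add(url.split("/wp-content/plugins/", 1)[1].split("/", 1)[0])

def passive_scan(site_host, html):
    """Return the passive findings for one downloaded page of site_host."""
    p = _PassiveParser(site_host)
    p.feed(html)
    gen = p.generator or ""
    version = gen.split(" ", 1)[1] if gen.lower().startswith("wordpress ") else None
    return {
        "wp_version": version,
        "iframes": p.iframes,
        "external_hosts": sorted(p.external_hosts),
        "plugins": sorted(p.plugins),
    }

# Constructed sample page, not a real site; the hosts and plugin slug are made up.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.5.1">
<link rel="stylesheet" href="/wp-content/plugins/example-gallery/style.css">
</head><body>
<a href="/about/">About</a>
<a href="http://example-partner.test/page">Partner</a>
<iframe src="http://injected.example.test/x.html" width="1" height="1"></iframe>
</body></html>"""
```

Run `passive_scan("your-host", html)` over a page you fetched yourself; a version string, a plugin slug or an iframe you did not put there is the kind of finding the hosted scanners report.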
When the scan is done, you’ll be emailed a PDF file with the results. My only gripe with the service is that I found that after I went through the process of selecting a scan to run, I had to go to my email account, click on a verification link in an email, and then go back to the site and reenter the info that I’d already entered. It appears to only require this once per day, perhaps in order to prevent spam, but it was still a hassle to have to repeat the process. I guess for a free service, we can’t complain.
I did find one error in my hackertarget.com results. The results include a list of other sites that share your IP address. There were three sites in the list that I didn’t recognize, so I became concerned that a rogue site was running off of my account. When I did an IP address search using other sources, I found that the hackertarget.com report was off by one digit, and those sites were not sharing the same IP address. I also had 40Tech’s host dig into this to be safe, and my suspicions were confirmed.
HackerTarget.com is also free, for up to 4 scans per day.
Do they work?
Since you can’t see how these tests operate, there is no way to know for sure how effective they are. However, HackerTarget did detect two iframes back when we had our attack last week. After we took the site offline, detected and removed the intrusion, and located and patched the vulnerability, the PDF report came back clean. I didn’t start using Sucuri SiteCheck until after the attack, so I can’t comment on its effectiveness (and I’m not about to intentionally infect 40Tech, just to test it out).
Next week, we’ll look at a simple WordPress plugin that can help you keep your site secure. In the meantime, how do you protect your site?