Two Free Tools to Scan Your Website for Vulnerabilities

40Tech clean

Yesterday we compared Squarespace and WordPress, and I indicated that as slick as Squarespace was, 40Tech was going to remain on a self-hosted WordPress installation. Bloggers using a self-hosted instance of WordPress, though, need to make sure that their blogs are secure. That includes making sure that your blog isn’t already compromised. How do you do that? The easiest way to do that is to use external tools to scan your site. There are two that we use here at 40Tech, and recommend.

 

Sucuri SiteCheck

The first is Sucuri SiteCheck, which is the more streamlined of the two. Simply type an address in the Scan box, and the service will scan your site.

Safari

It appears to scan the page that you enter, and the pages linked off of that page. The results indicate whether the site has been blacklisted by Google Safe Browsing, Norton Safe Web, or Phish tank. It also lets you know whether malware, malicious javascript, or malicious iFrames were detected. Finally, it tests for drive-by-downloads (downloads that happen without your knowledge or intent), anomalies, Internet Explorer-only attacks, suspicious redirections, and spam. The service is free.

Safari

 

HackerTarget.com

HackerTarget

The second tool is actually a suite of scans from HackerTarget.com. From the front page of that site, you’ll find links to 12 different scans that can be performed.The scans range from a port scan, to an SQL injection test, to scans for different types of platforms (WordPress, Drupal, Joomla).

I’ve tried the WordPress scan. According to the site, the scan not an in depth audit, but instead a “passive analysis” that uses web requests to download a handful of pages from the site, and then perform some analysis on the resulting HTML.

WordPress scan

The security checks listed include the following:

  • WordPress Version Check
  • Site Reputation from Google, Norton and MyWot
  • Default admin account enabled
  • Directory Indexing on plugins
  • htaccess readable
  • robots.txt present
  • Sites Externally linked from main page (reputation checks)
  • WordPress Plugins that are detected passively and versions against latest versions.
  • Javascript linked
  • iframes present
  • internal site links
  • Hosting Reputation and Geolocation information
  • IP address sharing and reputation of sites sharing the IP address

When the scan is done, you’ll be emailed a PDF file with the results. My only gripe with the service is that I found that after I went through the process of selecting a scan to run, I had to go to my email account, click on a verification link in an email, and then go back to the site and reenter the info that I’d already entered. It appears to only require this once per day in order to prevent spam perhaps, but it was still a hassle to have repeat the process. I guess for a free service, we can’t complain.

I did find one error in my hackertarget.com results. The results include a list of other sites that share your IP address. There were three sites in the list that I didn’t recognize, so I became concerned that a rogue site was running off of my account. When I did an IP address search using other sources, I found that the hackertarget.com report was off by one digit, and those sites were not sharing the same IP address. I also had 40Tech’s host dig into this to be safe, and my suspicions were confirmed.

HackerTarget.com is also free, for up to 4 scans per day.

 

Do they work?

Since you can’t see how these tests operate, there is no way to know for sure how effective they are. However, HackerTarget did detect two iFrames back when we had our attack last week. After we took the site offline, detected and removed the intrusion, and located and patched the vulnerability, the PDF report came back clean. I didn’t start using Securi SiteCheck until after the attack, so I can’t comment on its effectiveness (and I’m not about to intentionally infect 40Tech, just to test it out).

Next week, we’ll look at a simple WordPress plugin that can help you keep your site secure. In the meantime, how do you protect your site?

Evan Kline

Hello, I'm Evan. I write about tech from my perspective – that of the average 40-something tech geek. You can also find me on Twitter and at my real-life job as a lawyer.    MORE ABOUT ME.

13 Comments:

  1. I really like Sucuri SiteCheck, added in my folder of website tools. Apparently I have no problem with my websites, may be the fact they are all hosted on Blogger…

  2. Pingback: How to Be Notified If Somebody Hacks Your WordPress Site | 40Tech

  3. I never heard about Sucuri SiteCheck but I’m so glad I find it out. Will be a huge help for me. I added it to my favorites tools.

  4. does anyone use ScanVerify.com’s scanner?

    It’s pretty good, tells you all open ports and more:

    http://scanverify.com/vulnerability_scanner_free/vulnerability_scanner_free.php

  5. http://www.securiilock.com : used these guys to add some security measures to my blogs as i have no real knowledge of web security. since being helped , i have not yet been hacked again. would recommend!

  6. Thanks for this list Evan. I found another free website analyser here: http://freeseoscan.net/ Some people suggested it on twitter and it works for me!

    Best,
    Hoizu

  7. I keep getting a malware alert on Securi with one particular link. I removed the link and the banner and I am still getting the same alert. Any ideas?

    • You’re probably going to need to check every line of code- I got hit by the Tim Thumb vulnerability a couple years ago, and I think some code was injecting rolling malicious links into my theme. I had to go through everything line by line.

      • It was a Clickbank link for one particular product so, I got a new aff link for that product from CB and just scanned the link without out putting it on my site and it came up with malware again. I sent a support form to CB but haven’t heard anything yet.

  8. thanks for the info personally I had use a company that provide me a 360 degree solutions combining application vulnerability scanner and malware daily detection
    http://www.gamasec.com have a look that a very good entire cyber cloud solution for your website

  9. Thanks for the info Didier i had try this http://www.gamasec.com combine services call GamaShield web vulnerability scan and Malware detection good reporting and very good technical support ,thanks

Leave a Reply