We built IsItWP’s free WordPress security scanner to help you scan your website for known malware and hacks. It also checks your domain status with top search engines.
Our security scanner is powered by Sucuri. They offer the best WordPress security firewall. We use their services on our website, and we highly recommend that you do too if you’re serious about your website security.
The importance of WordPress Security
Because WordPress is the most popular website builder in the world, it’s no surprise that WordPress sites are favorite targets for hackers and spammers.
Unfortunately, many website owners take WordPress security lightly by assuming hackers only target popular websites. However, the reality is that hackers love low-hanging fruits — websites that don’t follow WordPress security best practices.
That means if you’re not taking proper WordPress security measures, then you’re allowing the bad guys to sabotage your hard earned reputation, search rankings and your online business.
Do you want to know if your site is protected from malware? All you have to do is to scan your website with our free WordPress Website Security Scanner.
Let’s take a look at how our free WordPress security scanner works.
How Does WordPress Security Scanner Work?
Using our free WordPress security scanner is the best way to check your website for known malware and website errors.
Here’s how our security scanner works:
1. Submit Your URL to Our WordPress Security Scanner
To scan your website, all you have to do is enter your site’s URL in our WordPress security scanner and click the Scan Website button.
2. Our Tool Scans Your Website
Once the URL is submitted, this robust WordPress vulnerability scanner will check the website for any potential vulnerability threats.
3. You Get the Complete Scan Result
After the vulnerability scan is done, you’ll get a detailed report on malware threats if detected, website backlist status and other security details of your site.
How to Protect Your Site From Malware
Using a Firewall is the best way to protect your WordPress site from malware.
A WordPress firewall plugin acts as a shield between your website and incoming traffic. It monitors all your website traffic and blocks any suspicious visitors to mitigate security threats even before they reach your site. By blocking suspicious visits, a firewall plugin helps you keep your server load in control and make sure that your website has good uptime.
A firewall plugin also helps you speed up your website and boost WordPress performance.
There are two common types of WordPress firewall plugins:
DNS Level WordPress Firewall
A DNS-level firewall is highly recommended over an application level firewall because it monitors all your site traffic by routing it through cloud proxy servers. After monitoring your traffic, the plugin only allows real users to your site.
Application Level Firewall
With an application-level firewall, you examine the traffic after it reaches your server but before loading most WordPress scripts. Compared to a DNS-level firewall, an application firewall is not as efficient when it comes to reducing the server load.
A DNS-level firewall is exceptionally good at discerning genuine traffic from vulnerable requests. They do that by learning from thousands of websites, comparing trends, preventing known bad IPs, and blocking traffic to pages that your users would normally never request.
Sucuri is the best WordPress security provider that offers DNS level firewall to prevent hack attempts, brute force, Distributed Denial of Service (DDoS) attacks and zero block exploits. Sucuri also improves your website’s performance by reducing server load through caching optimization, website acceleration, and Anycast CDN (all included).
We use Sucuri for our websites including IsItWP. Our security scanner is also powered by Sucuri.
Here are the highlights of this tool:
- Built-in security hardening
- Security activity log
- Blocklist monitoring
- File integrity monitoring
- Remote malware scanning
- Security notifications
- Post-hack security actions
With most online scanners, you may get false negatives and positives because they use outdated methods that hackers have surpassed. Our WordPress vulnerability scanner powered by Sucuri is always up to date and does a deep scan of your site to find suspicious activity.
Or read our complete Sucuri review.
How to Fix Malware Infected Website
Is your WordPress site infected by malware?
Having our websites hacked in the past, we know how stressful it can be. Follow our step-by-step guide below to learn how to fix your malware-infected WordPress website.
Step 0: Hire a Security Professional to Fix Malware for You
If you’re not technically inclined, then hiring a security professional is the best way to fix malware on your site. Handing over to an expert to clean up your website gives you peace of mind so that you don’t have to deal with technical stuff that you’re not comfortable with.
Reputed security experts usually charge anywhere between $100 and $250 per hour, which is outrageous for small website owners.
For IsItWP readers, our friends over at Sucuri offer malware and hack cleanup for $199 which also includes their firewall and monitoring service for a whole year.
We personally know the team at Sucuri, and we wouldn’t be recommending them if we didn’t trust them with our own websites.
While we highly recommend you hire an expert to fix malware, if you’d rather want to fix your website on your own, then follow the steps below.
Step 1: Identify the Hack
Dealing with a hacked website can be stressful. There are different kinds of attacks like SQL injections, brute force attacks, cross-site scripting (XSS), SEO keyword spam, and more.
Before you start, write down everything you can do to identify the hack and fix the issue.
Here is a good checklist to run through:
- Are you able to log into your WordPress dashboard?
- Are there any redirects that take your visitors away from your site?
- Can you find any harmful backlinks on your site?
- Is Google marking your website as insecure?
- Are you using an outdated WordPress installation?
- Have you recently installed a new plugin that isn’t being maintained?
- Have you recently installed a nulled WordPress theme?
Outdated software can cause security vulnerabilities on your site. Any WordPress vulnerability that’s detected is quickly fixed by developers and then a new version of the software is released. So always make sure you’re running the latest WordPress version.
Added to that, you should only use trusted themes and plugins on your site. Downloading and installing nulled or pirated software can lead to malware attacks. It’s best to stay away from such vulnerable plugins and themes, it’s not worth it.
Now that you’ve got a checklist in hand, the next thing to do is fix them one by one, so you can ensure you don’t miss out on any threat.
It’s advised to change your password before and after cleaning up your site.
Step 2: Check With Your Hosting Company
If you’re on shared hosting and you’ve found that your site is infected, chances are other sites may also have been affected with malware. Get in touch with your hosting company and ask if they’re able to make a quick fix. Hosting providers like SiteGround and HostGator are good at this. They’ll be able to provide more details about the hack especially if other sites have also been affected.
You should read our complete SiteGround review and HostGator review to learn more about the hosting companies.
Step 3: Restore From Backup
If you have already set up a backup for your WordPress site, then you can quickly revert it to normal. We have a complete guide on how to restore your WordPress site from backup that you can follow.
If you didn’t take a backup on your own, this guide will help you check with your host and explore other methods to see if there was a backup automatically handled for you.
The downside to restoring an old backup like that is you may risk losing the latest content that has not been backed up.
We recommend scheduling automated backups on your site using a plugin like Duplicator.
After you’ve restored your website backup, you’ll need to identify the reason for the threat and fix it to ensure it doesn’t happen again.
Step 4: Scan and Fix
Next, remove any inactive themes and plugins from your site that could be potentially vulnerable. More often than not, this is where hackers hide their backdoors.
Backdoor is a method of bypassing normal authentication and gaining the ability to remotely access the web server while remaining undetected. This way hackers can regain access to your site even after you find and remove the exploited plugin.
After removing any inactive themes, you’ll have to install two plugins for further inspection: Sucuri WordPress Auditing and Theme Authenticity Checker (TAC).
Sucuri Scanner: This WordPress security scan tells you integrity status of all your WordPress core files which enables you to identify where the hack is hiding. The most common places are themes and plugin directories, uploads directory, wp-config.php, wp-includes directory, and .htaccess file.
Theme Authenticity Checker: The Theme Authenticity Checker plugin enables you to scan your theme files for any potentially suspicious code. If potentially malicious codes are found in an installed theme, then the plugin will tell you the patch, and the line number and display the suspected code. This makes it easy to take preventive actions on your own. This plugin comes in handy to double-check whether your installed themes have any encoded script slipped inside them.
Step 5: Check User Permissions
Take a look at the Users section of your WordPress admin panel to ensure that only you and your trusted members have administrator access to your site. If you find any suspicious users, then you’ll need to remove them from your site.
Step 6: Change Your User Keys
If someone stole your username and password, then they’ll remain logged into your site unless you disable the cookies. To disable cookies and revoke unauthorized access to your site, you’ll have to regenerate a set of security keys that encrypts your password and then add it to your wp-config.php file.
Learn more about WordPress security keys.
Step 7: Reset All Your Passwords
Now that we’ve almost completed fixing the infected files on the site, the final step is to reset all your passwords including your WordPress, cPanel, FTP, and MySQL passwords.
If you’re running a multi-user website, then you might want to force a password reset for all your WordPress users.
It’s best practice to educate your team on using strong passwords. When you’re setting a password, WordPress tells you if you’re using weak passwords.
You can learn more about that in our guide on how to choose a secure password.
Step 8: Harden Your WordPress Site
There are certain measures you can add to your website to harden the security and make it incredibly hard for hackers to break in.
Usually, when hackers see these measures in place, they may make a few attempts and then move on to an easier target. Here are the measures you can take:
- Install an SSL Certificate: You can get an SSL certificate with your web host. For instance, Bluehost offers a free SSL certificate with all its web hosting plans. If not, you can use a plugin like Really Simple SSL to install it on your site.
- Secure Your Login Page: You can add a password to your login page. With this functionality, only your team members with the password can access the login page.
- Secure Web Forms: Unsecured forms are an easy target for hackers. They simply enter malicious code in your form fields. We recommend WPForms, it’s the #1 WordPress form builder that has built-in security.
- Set User Role Permissions: If you have multiple users working on your WordPress site, you can limit the permissions they have according to their role. The most powerful roles with all-access passes are super admin and admin. We recommend having as few admins as possible.
- Auto-logout Inactive Users: Another trick hackers use is to hijack browsing sessions and steal cookies. This lets them access your site through an active user account without you knowing it. There are plugins that let you automatically time out inactive users after a set period of time.
- Use 2-Factor Authentication: This adds a 2-step verification process to your login where you need to provide a one-time passcode that is sent to you in real-time through an SMS, email, or authenticator app.
- Limit Login Attempts: In a brute force attack, hackers send bots to your site to try thousands of login combinations till they get the right one. If you limit login attempts, they’ll have to stop after 3 attempts. You can enable this with security plugins like Sucuri and MalCare.
This will help resolve most of the security issues on your site.
No matter the size of your WordPress website, security should never be overlooked. Below are a few recommendations for you to secure your WordPress website.
- Switch to a secure WordPress host: Choosing a secure WordPress hosting is your first line of defense in making your WordPress site impenetrable.
- Set up a WordPress backup solution: The most costly backup is the one you never did. Invest in a WordPress backup plugin, so you can count on your backups even in the worst case scenarios like getting your site hacked or files infected.
- Set up a website firewall and monitoring system: We use and recommend Sucuri for providing bulletproof security to all your WordPress websites and block the attacks before it reaches our server. Also, make sure you have email alerts enabled to notify you if something is suspicious.
- Follow WordPress security recommended practices: Follow this ultimate WordPress security guide to implement security recommended practices on your WordPress site.
FAQs on Website Security
What is the difference between a WordPress scanner and a WordPress vulnerability scanner?
A WordPress scanner is a tool that scans a WordPress website for general issues such as broken links, outdated plugins and themes, and weak passwords. It looks for common vulnerabilities that could be exploited by hackers. The goal of a WordPress scanner is to find weaknesses that could be used by hackers to break into your site.
A WordPress vulnerability scanner is a more focused tool that specifically scans for known vulnerabilities in WordPress plugins, themes, and the core WordPress software. These vulnerabilities may be publicly known or discovered by security researchers, and they can be used by attackers to gain unauthorized access to a website, steal data, or perform other malicious actions.
Where can you find a WordPress scanner?
You can find the best WordPress scanner on IsItWP or at Sucuri.
What tool can I use to check if a site is built with WordPress?
Go to IsItWP.com to find out if a website is built with WordPress. You can get information about their WordPress hosting, WordPress theme, WordPress plugins, and more.
What tool can you use to find out what plugins are installed on a WordPress installation?
Login to your WordPress dashboard and head over to the Plugins tab. Here, you’ll see all the plugins that are installed on your site. You can see which ones are active and which are not activated yet.
If you want to check what themes and plugins are used by a third-party site, then use IsItWP.com.
What is the name of the website that provides a free WordPress scanner?
IsItWP.com provides a free WordPress scanner. You never have to sign up or pay to use it.
That’s all we have for you. You might also take a look at the best WordPress security plugins.