Top 12 WordPress Vulnerability Scanners Tested and Reviewed

It is critical to swiftly update vulnerable plugins and themes. It is the difference between securing your WordPress site and keeping it open for attack.
If you think your site has a problematic plugin or theme, scan it for vulnerabilities right now.
Vulnerabilities are not just a risk; they are the root cause for an overwhelming number of WordPress hacks.
Scanning for vulnerabilities is therefore critical. But of course, there are so many scanners that it is hard to pick the best one.
That’s where our extensive testing comes to your rescue.
TLDR: Scan your site for vulnerabilities with MalCare. MalCare will send you an alert as soon as a vulnerability is detected on your site. Patch it with an update and secure your site in minutes.
What is a WordPress vulnerability scanner?
A WordPress vulnerability scanner alerts you to known, publicly disclosed vulnerabilities in the software installed on a site. The vulnerabilities can be in the WordPress core, plugins, or themes.
The definition of a vulnerability can vary a lot. Here, we are referring to mistakes in code that can be exploited by a hacker: SQL injection vulnerabilities, XSS vulnerabilities, RCE vulnerabilities, CSRF vulnerabilities, and so on. We are NOT speaking of weak passwords or perceived “weaknesses”, like not renaming the wp-login page.
How does a vulnerability scanner work?
- A security researcher will examine plugin or theme code for vulnerabilities.
- If they find one, they first (responsibly) disclose their findings to the developer, giving them enough time to fix it.
- Once the patch is released, the researcher submits their findings to various vulnerability databases. The finding will contain the version, vulnerability type, and severity.
- The databases are in turn used by scanners to find vulnerable versions of the plugin or theme in question on a site.
That’s why a vulnerability scanner only alerts for vulnerabilities that have already been discovered, and, more pertinently, discovered by a researcher. If a hacker found it first, chances are sites are already being exploited.
Therefore, while a vulnerability scanner is good to have, it cannot protect your site completely. For that, you need a WordPress firewall, which prevents exploits of vulnerabilities, regardless of whether or not they are in a scanner’s database.
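To make the mechanism above concrete, here is an added example (not MalCare’s or any reviewed scanner’s code) of the matching step every database-driven scanner performs: installed plugin and theme versions are compared against advisory entries that record the affected versions and, where one exists, the fixed version. It also handles the unpatched case the tests below probe, where a theme is vulnerable but no update is available. All slugs, versions and advisories are constructed for illustration.

```python
# Added example, not MalCare's or any reviewed scanner's code: the matching
# step of a database-driven WordPress vulnerability scanner. Every slug,
# version and advisory below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'4.0.1' -> (4, 0, 1). Trailing zeros are dropped so '1.2' == '1.2.0';
    non-numeric suffixes such as '1.2b' are ignored for the comparison."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def version_lt(a: str, b: str) -> bool:
    """True when version a is strictly older than version b."""
    return parse_version(a) < parse_version(b)

@dataclass
class Advisory:
    """One database entry, as a researcher submits it after the patch ships."""
    slug: str
    kind: str                 # "plugin" or "theme"
    vuln_type: str            # e.g. "SQLi", "XSS"
    severity: str             # CVSS-style label
    last_vulnerable: str      # highest version known to be affected
    fixed_in: Optional[str]   # None: no patch has been released yet

    def affects(self, installed: str) -> bool:
        if self.fixed_in is not None:
            return version_lt(installed, self.fixed_in)
        # Unpatched: everything up to the last examined version stays exposed
        return not version_lt(self.last_vulnerable, installed)

def scan(inventory: Dict[Tuple[str, str], str],
         advisories: List[Advisory]) -> List[Tuple[Advisory, str]]:
    """Match a (kind, slug) -> installed-version inventory against the
    database; returns (advisory, installed version) for every hit."""
    hits = []
    for adv in advisories:
        installed = inventory.get((adv.kind, adv.slug))
        if installed is not None and adv.affects(installed):
            hits.append((adv, installed))
    return hits

# Constructed inventory of installed plugins and themes with their versions
INVENTORY = {
    ("plugin", "example-forms"): "2.4.1",    # older than the fix -> flagged
    ("plugin", "example-seo"): "6.1.0",      # already on the fixed version
    ("theme", "example-portfolio"): "1.3",   # unpatched advisory -> flagged
    ("plugin", "example-cache"): "3.0",      # no advisory at all
}
# Constructed advisories; real database entries carry the same fields
ADVISORIES = [
    Advisory("example-forms", "plugin", "SQLi", "high", "2.4.9", "2.5.0"),
    Advisory("example-seo", "plugin", "XSS", "medium", "6.0.4", "6.1.0"),
    Advisory("example-portfolio", "theme", "privilege escalation",
             "critical", "1.3.0", None),
]
```

Running `scan(INVENTORY, ADVISORIES)` returns two hits: the forms plugin, which an update to 2.5.0 resolves, and the portfolio theme, which has no fix and must be reported as vulnerable anyway.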
1. MalCare
Test results: Great
Vulnerabilities detected: 10
Vulnerabilities not detected: 0
Price: Free
MalCare passed all our tests with flying colours. It detected vulnerabilities of varying types, from SQLi to XSS and everything in between. Neither the size of the plugin or theme nor its install count and popularity affected the outcome: all themes and plugins, big and small, were flagged uniformly.

One of the vulnerable themes has not been patched as of writing this article. Interestingly, some of the other scanners ignored this theme entirely, whereas MalCare clearly flagged the theme as vulnerable, and requiring attention.
MalCare’s vulnerability database is one of the most comprehensive available. It is sourced from multiple security researchers, developers, and databases. In fact, while we were unable to test this, MalCare is one of the few vulnerability scanners to detect issues in premium themes and plugins and, more importantly, to stop exploits of vulnerabilities dead in their tracks.

🔥 However, MalCare’s research focus has been to secure websites, regardless of whether or not they have vulnerabilities, by creating Atomic Security, a proactive defense of a WordPress site. Of all the scanners and security plugins we have tested, MalCare is the only one with this revolutionary new approach to WordPress security.
2. Patchstack
Test results: Great
Vulnerabilities detected: 10
Vulnerabilities not detected: 0
Price: Free
Patchstack does a great job of flagging vulnerabilities, and educating admins about them. The vulnerabilities are classed by their CVSS score, or severity in layman’s terms, and a helpful flag indicates what the priority should be to update them. (In our considered opinion, all vulnerabilities are high-priority, if not high-severity. A hack via a low-severity vulnerability is still a hack. If you know about it, fix it as soon as possible.)

Vulnerabilities are sorted according to their release date and priority on the Patchstack dashboard. Each of the vulnerabilities is a separate entry on the list, even if a plugin or theme has more than one. This is a little confusing at first.
Patchstack is one of only three plugins to show whether a fix is available for a detected vulnerability, the others being MalCare and WPScan. This is useful information and, coupled with the severity score, it can make the decision to move to an alternative easier.

Our single negative experience with Patchstack was during installation. To use Patchstack’s vulnerability scanner, you need to sign up for an account and go through an elaborate process to add your site to their external dashboard. Once we set up an account, we were immediately prompted to sign up for a paid plan, which has a free trial. However, the vulnerability scanner is a free feature, so this seemed disingenuous UX.

Overall, Patchstack is a great vulnerability scanner for WordPress sites.
Note: Solid Security (formerly iThemes Security) leverages a Patchstack integration for vulnerability scanning.
3. WPScan
Test results: Great
Vulnerabilities detected: 10
Vulnerabilities not detected: 0
Price: Free for 25 scans a day
WPScan is one of the most comprehensive vulnerability scanners available for WordPress. It is a crowd-sourced repository of vulnerabilities, and it flagged every vulnerability installed on our test site. Two thumbs up so far.

However, WPScan is not a security plugin in the common parlance of security plugins. It doesn’t have a firewall or malware scanner. In an article about vulnerability scanners, you may well be wondering why this is important. It is because, for most of the plugins on this list, the vulnerability scanner is a nice-to-have feature, and therefore free. WPScan? Not so much. Since the vulnerability scanner is its entire reason for existence, it has a freemium model. You can scan for vulnerabilities in 25 themes and plugins every day for free.

This is not bad news as such. If your site has more than 25 add-ons—which is very likely, since the average site has close to 50—you can cycle through different ones every day. Of course, this is a manual effort that takes the auto out of auto scanning.

WPScan is a great vulnerability scanner, which comes in a plugin and CLI form. Both perform the same functions and just vary on their installation and usage.
Note: WPScan is used as a database for a plethora of other security plugins, including Jetpack.
4. Wordfence
Test results: Very good
Vulnerabilities detected: 9
Vulnerabilities not detected: 1
Price: Free
Wordfence did a fairly good job of flagging most of the vulnerabilities on our test site. Plugins and themes were both marked correctly, except for a single theme with very few installs.

Additionally, the unpatched theme that MalCare showed as vulnerable but without an update was completely missed by Wordfence. We found this quite surprising. It is a vulnerability regardless of whether or not there is a fix, and it is important for a site owner to know.

Wordfence is a powerhouse in the security space, and we often say that it is one of the best free WordPress security plugins available. However, that doesn’t mean Wordfence doesn’t fall short on occasion. Overall, the vulnerability scanner in Wordfence is pretty decent, but it is not 100% reliable.

5. Defender
Test results: Average
Vulnerabilities detected: 7
Vulnerabilities not detected: 3
Price: Free
Defender did a fairly good job of flagging the vulnerabilities on our site. It got most of the big ones while missing out only on the more obscure themes with low install counts. While we can rationalize this, it does still mean that vulnerabilities cannot be addressed with updates if the site admin doesn’t know about them.

The vulnerability scanner is a premium feature, along with the malware scanner and a few more bits and bobs. Expect to shell out about $36 a year per site for this report.

Once you upgrade, you’ll see a report of vulnerabilities for sure. However, what we think is great is the huge red flags Defender adds to the Plugins and Themes dashboards. The flags contain details of the vulnerabilities, so it is an added incentive to update as soon as possible.

The standout feature of Defender, and one that cements its place in this list, is the support. The plugin has some of the best support we’ve seen, and we are officially impressed.
6. Sucuri
Test results: Bad
Vulnerabilities detected: 0
Vulnerabilities not detected: 10
Price: Free
We are not sure why Sucuri’s dismal performance in yet another aspect of WordPress security surprises us, but here we are. Our expectations of a renowned security plugin were surely more than zero; the outcome from testing, however, is exactly zero.

Sucuri doesn’t actually have a vulnerability scanner as a part of their security plugin. What they do have is a list of available updates for installed plugins and themes, buried in the Post-hack tab of their Settings.

Gee, wonder where else we could get a list of out-of-date plugins and themes on the wp-admin dashboard?

The critical component of a vulnerability scanner is that it should flag vulnerabilities, so as to convey an appropriate amount of urgency. Sucuri, however, has a vulnerability disclosure newsletter that goes out to subscribers. And we’re subscribed to the newsletter, so we know they do put in effort for security research.

However, figuring out which of the vulnerabilities in this email are on your site? That is the site owner’s job. Which would be alright if, you know, site owners were remotely inclined to put in manual effort for something that can easily be solved by a free plugin. We don’t even want to think about admins who have to maintain more than a few sites.
7. Security Ninja
Test results: Bad
Vulnerabilities detected: 3
Vulnerabilities not detected: 7
Price: Free
Security Ninja is an elaborate-looking vulnerability scanner, but with very little actual substance. We ran our vulnerability-filled site through its scan process, and it flagged only 15% of the plugin and theme vulnerabilities on the site.

We also saw patterns with the vulnerabilities flagged. They were either older ones that were discovered a while back, or the plugin or theme in question had over 10000 installs. Hardly a good slice of the vulnerability pie.

Overall, give Security Ninja a wide berth as a vulnerability scanner.
8. Sitelock
Test results: Bad
Vulnerabilities detected: 0
Vulnerabilities not detected: 10
Price: Free
We have always had a poor experience with Sitelock. Right from configuration to cancellation, it has been a nightmare. So why did we expect anything different while testing their vulnerability scanner? We didn’t.

Sitelock didn’t detect any of the vulnerabilities on our site. The bad experience continues. End of story.
9. HostedScan
Test results: Inconclusive
Vulnerabilities detected: –
Vulnerabilities not detected: –
Price: Free
At first glance, HostedScan seemed like an amazing option. Just look at that stunning dashboard.

However, we started getting vulnerability scan results which we didn’t understand. These “risks” are because there are no security headers set up on our test site.

Alright, we made a mistake: that wasn’t the vulnerability scanner. We went back to their site and saw that there is clearly a WordPress vulnerability scanner, the one that shows issues with plugins and themes.

Great! We went back to the dashboard, located the right scanner, and waited.
And waited. And waited. And waited. A few hours later, this scan is still showing at 2%. To be clear, the site is less than 100 MB. There is no reason why this scan should be taking so long. We’ll update this article if it ever finishes.
10. SecuPress
Test results: Inconclusive
Vulnerabilities detected: –
Vulnerabilities not detected: –
Price: Inconclusive
As of writing this review, we are still not entirely certain if SecuPress has a vulnerability scanner or not. Let us explain.

We first installed the free version, which prompted us to start a site scan. The scan is meant to check the health of the site. Now, just what ‘health’ covers in this context, we would be hard-pressed to imagine. We know that malware scanning is a premium feature, so perhaps vulnerability scanning?

Or perhaps not. The scan report says this: “Your installation may contain vulnerable plugins. The PRO version will be more accurate.” As you can see, this message doesn’t clarify the situation very much.

We could not upgrade to a pro version because our IPs are geoblocked by SecuPress’ firewalls. So our review ends, rather abruptly, right here.

11. WPSec
Test results: Inconclusive
Vulnerabilities detected: –
Vulnerabilities not detected: –
Price: Inconclusive
Testing out WPSec was a short, but not sweet experience.

First off, WPSec is not a plugin. You’ve got to create an account, and you get access to a dashboard, where you can add sites for scanning. So far, so good. We love SaaS.
And that’s where everything goes to seed.
To scan a site, you have to upgrade to a paid subscription. Which we are perfectly ok with doing, but at least show us proof of concept first? No. Free trial? No.

Ok, let’s try the browser scanner first, to get a sense of what is happening behind the scenes. Also, no.

We disabled MalCare’s firewall, to see whether that was preventing the scan. Nope. Exactly the same result as before.
At this point, we cut our losses and gave up.
12. WP Webdoctor
Test results: Inconclusive
Vulnerabilities detected: –
Vulnerabilities not detected: –
Price: Inconclusive
WP Webdoctor was an interesting experience for us, and therefore it landed in last place.

What could it possibly have done to merit this treatment? So glad you asked! It blocked us from activating the plugin on our own site.

Factors to consider in choosing the best WordPress vulnerability scanner plugin
When you’re hunting for the best WordPress vulnerability scanner plugin, here are a few things you should consider:
What to do when a vulnerability is flagged on your site
When a vulnerability is detected on your site, it’s crucial to act swiftly. Promptly update your site, especially if the issue is with a smaller plugin or theme. You can do this directly from your dashboard.
However, if the vulnerability is within a larger plugin, such as a page builder, updating directly may not be the best approach. We suggest using a staging environment to test the update first. This way, you have a safe space to verify that the update doesn’t cause unexpected disruptions or conflicts before applying it to the live site.
How we tested the vulnerability scanners
The only way to put a vulnerability scanner through its paces was to set up rigorous tests. We admit to being quite abusive with our test sites, but it is in the interest of scientific inquiry, so their sacrifice has not been in vain.
We loaded up test sites with a variety of vulnerable themes and plugins. These extensions had a mix of different attributes to account for all kinds of scenarios:
- Severity levels: Vulnerabilities come in all shapes and sizes, as do attacks. A brute force attack, while debilitating for a site, is nowhere on the scale of a SQL injection attack. We picked a variety of vulnerabilities that run the gamut from high to low severity.
- Mix of vulnerability types: You’ll see a mix of WordPress attacks represented, like XSS, SQLi, privilege escalation, and so on.
- Old and newly discovered vulnerabilities: Here, we are looking to answer the question: Is the vulnerability database kept up to date?
- Patched and unpatched: What does the scanner do if the plugin or theme is vulnerable, but there is no patch available?
- Popular and obscure: Just because only a few sites use a plugin or theme doesn’t mean its vulnerabilities shouldn’t be flagged. Every site is important! We chose everything from plugins with more than 200,000 installs to themes with a modest 40-odd.

One factor we wanted to check, but weren’t able to in this testing round, is how vulnerabilities in premium themes and plugins are handled by scanners. We sourced all the vulnerable themes and plugins from the WordPress repository because previous builds are available for download from there. But with premium themes and plugins not on the repo, we didn’t have that facility. For now, we’ve got a stable of premium extensions, and will wait to see if any of them are found with vulnerabilities in the future.
One quick note: We noticed many products use WPScan or Patchstack as a database for vulnerability scanning while providing a larger security product. Since we are weighing the merits of a vulnerability scanner in isolation, we have omitted any scanners that use third-party APIs for their source of truth.
And that’s a wrap
As we said before, vulnerabilities are the leading cause of hacks, and therefore it is critically important to update plugins and themes with discovered vulnerabilities as soon as possible. A good vulnerability scanner facilitates this process. Popular plugins like Contact Form 7, for example, have had security issues flagged in the past, underscoring the importance of prompt updates.
However, vulnerability scanners are 100% dependent on their databases, and those are 100% dependent on the efficacy of security researchers. This makes them very unpredictable as a security system, as vulnerabilities can lie undetected in plugins for years.
Or even worse, a hacker could find it and keep on exploiting it, without anyone being the wiser.
Therefore, while vulnerability scanners are good to have, they are by no means sufficient security-wise.
We recommend using MalCare, a security plugin that combines a strong firewall and malware scanner instead. Vulnerability scanning then becomes a bonus, because the firewall will keep out most exploits, regardless of the vulnerabilities on the site.
FAQs
What is a WordPress vulnerability scanner?
A WordPress vulnerability scanner is a tool that checks your WordPress website for possible security risks or weaknesses. It helps you find issues that hackers could exploit, such as outdated plugins or known flaws, so you can fix them and keep your site safe.
Is my WordPress vulnerable?
Whether your WordPress is vulnerable or not depends on how updated your themes, plugins, and WordPress version are. Regular updates, strong passwords, and trusted security plugins, like MalCare, can help keep your WordPress safe from vulnerabilities and attacks.
Is WPScan free?
WPScan is a freemium tool. It’s an open-source WordPress vulnerability scanner that you can use to check your website for potential security issues. However, the free tier has a limit of 25 API calls a day. They also offer a premium version with extra features.
How do I check the security of my WordPress site?
To check the security of your WordPress site, consider installing a security plugin like MalCare. MalCare scans your site for vulnerabilities, monitors for suspicious activity, and provides updates for any detected issues.
Are there any solutions to check the vulnerability of a website for free?
Yes, there are several tools available online that allow you to check your website’s vulnerabilities for free, such as OWASP ZAP, Google’s Lighthouse, and security plugins for WordPress like MalCare.
How to find WordPress vulnerabilities?
To diagnose WordPress vulnerabilities, you can install a security plugin like MalCare. MalCare will scan your website and report any identified security issues.