Vulnerabilities are not just a risk; they are the root cause for an overwhelming 95% of all WordPress hacks. Swiftly updating problematic plugins and themes isn’t a suggestion; it’s a necessity, making the difference between security and malware. 

Vulnerability scanners are a huge help in that respect. But of course, there are so many that it is hard to pick the best one. That’s where our extensive testing comes to your rescue.

TLDR: Your best bet for a vulnerability scanner is MalCare. MalCare will send you an alert as soon as a vulnerability is detected on your site. Patch it with an update and secure your site in minutes. 

What is a WordPress vulnerability scanner?

A WordPress vulnerability scanner is a type of scanner, which flags known or discovered vulnerabilities in the WordPress core, installed plugins, and themes on sites. 

Since the definition of a vulnerability is fairly loose, we are referring specifically to lapses in code that can potentially be exploited by a hacker to launch an attack. We are not speaking of any other type of vulnerability, like weak passwords, or even things that are perceived to be poor security and therefore “vulnerabilities”, like not renaming the wp-login page, for instance.

A vulnerability scanner will only be able to detect discovered vulnerabilities on a site. They maintain a database of plugins and themes, their versions, and information about which versions have security issues. Therefore it does not discover vulnerabilities in site code—this kind of scanning is known as penetration testing, and is an entirely separate activity. It is something of a misnomer to call these “scanners”; as they are more akin to monitoring services.

Therefore, while a vulnerability scanner is a part of the defense of your site, it is by no means the only means to protect your site.

In fact, a far better approach to security is to protect against types of vulnerabilities, regardless of whether or not they are in a scanner’s database. For that, you need a WordPress firewall, malware scanner, and malware removal plugin—not a vulnerability scanner. 

1. MalCare 

Vulnerability scanner score: Great

MalCare passed all our tests with flying colours. It detected vulnerabilities of varying types, right from SQLi to XSS and everything in between. The size of the plugin or theme did not affect the outcome. The number of installs and the plugin’s popularity did not affect the outcomes. All themes and plugins, big and small, were flagged uniformly. 

One of the vulnerable themes has not been patched as of writing this article. Interestingly, some of the other scanners ignored this theme entirely, whereas MalCare clearly flagged the theme as vulnerable, and requiring attention. 

MalCare’s vulnerability database is one of the most comprehensive ones available. It is sourced from multiple security researchers, developers, and databases. In fact, while we were unable to test this out, MalCare is one of the few vulnerability scanners to detect issues in premium themes and plugins. And more importantly, stop exploits of vulnerabilities dead in their tracks. 

However, MalCare’s research focus has been to secure websites, regardless of whether or not they have vulnerabilities, by creating Atomic Security, a proactive defense of a WordPress site. Of all the scanners and security plugins we have tested, MalCare is the only one with this revolutionary new approach to WordPress security.

2. Patchstack

Vulnerability scanner score: Great

Patchstack does a great job of flagging vulnerabilities, and educating admin about them. The vulnerabilities are classed by their CVSS score, or severity in layman’s terms, and a helpful flag indicates what the priority should be to update them. (In our considered opinion, all vulnerabilities are high-priority, if not high-severity. A hack via a low-severity vulnerability is still a hack. If you know about it, fix it as soon as possible.)

Vulnerabilities are sorted according to their release date and priority on the Patchstack dashboard. Each of the vulnerabilities is a separate entry on the list, even if a plugin or theme has more than one. This is a little confusing at first.

Patchstack is one of the only plugins to show if a fix is available for a detected vulnerability; the only others being MalCare and WPScan. This is useful info and, coupled with the severity score, it can make the decision to move to an alternative easier. 

Our single negative experience with Patchstack was during installation. To use Patchstack’s vulnerability scanner, you need to sign up for an account and go through an elaborate process to add your site to their external dashboard. Once we set up an account, we were immediately prompted to sign up for a paid plan, which has a free trial. However, the vulnerability scanner is a free feature, so this seemed disingenuous UX. 

Overall, Patchstack is a great vulnerability scanner for WordPress sites. 

Note: Solid Security (formerly iThemes Security) leverages a Patchstack integration for vulnerability scanning.

3. WPScan

Vulnerability scanner score: Great

WPScan is one of the most comprehensive vulnerability scanners available for WordPress. It is a crowd-sourced repository of vulnerabilities, and it flagged every vulnerability installed on our test site. Two thumbs up so far. 

However, WPScan is not a security plugin in the common parlance of security plugins. It doesn’t have a firewall or malware scanner. In an article about vulnerability scanners, you may well be wondering why this is important. It is because, for most of the plugins on this list, the vulnerability scanner is a nice-to-have feature, and therefore free. WPScan? Not so much. Since the vulnerability scanner is its entire reason for existence, it has a freemium model. You can scan for vulnerabilities in 25 themes and plugins every day for free. 

This is not bad news as such. If your site has more than 25 add-ons—which is very likely, since the average site has close to 50—you can cycle through different ones every day. Of course, this is a manual effort that takes the auto out of auto scanning. 

WPScan is a great vulnerability scanner, which comes in a plugin and CLI form. Both perform the same functions and just vary on their installation and usage. 

Note: WPScan is used as a database for a plethora of other security plugins, including Jetpack.  

4. Wordfence

Vulnerability scanner score: Very good

Wordfence did a fairly good job of flagging most of the vulnerabilities on our test site. Plugins and themes were both marked correctly, except for a single theme with very few installs. 

Additionally, the unpatched theme that MalCare showed as vulnerable but without an update was completely missed by Wordfence. We found this quite surprising. It is a vulnerability regardless of whether or not there is a fix, and it is important for a site owner to know. 

Wordfence is a powerhouse in the security space, and we often say that it is one of the best free WordPress security plugins available. However, that doesn’t mean Wordfence doesn’t fall short on occasion. Overall, the vulnerability scanner in Wordfence is pretty decent, but it is not 100% reliable.

5. Defender

Vulnerability scanner score: Good

Defender did a fairly good job of flagging the vulnerabilities on our site. It got most of the big ones while missing out only on the more obscure themes with low install counts. While we can rationalize this, it does still mean that vulnerabilities cannot be addressed with updates if the site admin doesn’t know about them. 

The vulnerability scanner is a premium feature, along with the malware scanner and a few more bits and bobs. Expect to shell out about $36 a year per site for this report. 

Once you upgrade, you’ll see a report of vulnerabilities for sure. However, what we think is great is the huge red flags Defender adds to the Plugins and Themes dashboards. The flags contain details of the vulnerabilities, so it is an added incentive to update as soon as possible. 

The standout feature of Defender, and one that cements its place in this list, is the support. The plugin has some of the best support we’ve seen, and we are officially impressed.

6. Sucuri

Vulnerability scanner score: Bad

Not sure why we are surprised with Sucuri’s dismal performance in yet another aspect of WordPress security, but here we are. It is just that the expectations from a renowned security plugin were less than zero. But the outcome from testing is definitely zero. 

Sucuri doesn’t actually have a vulnerability scanner as a part of their security plugin. What they do have is a list of available updates for installed plugins and themes, buried in the Post-hack tab of their Settings.

Gee, wonder where else we could get a list of out-of-date plugins and themes on the wp-admin dashboard? 

The critical component of a vulnerability scanner is that it should flag vulnerabilities, so as to convey an appropriate amount of urgency. Sucuri, however, has a vulnerability disclosure newsletter that goes out to subscribers. And we’re subscribed to the newsletter, so we know they do put in effort for security research. 

However, the effort of figuring out which vulnerabilities are on your site from this email? Site owner’s job. Which would also be alright if, you know, site owners were remotely inclined to put in manual effort for something that can easily be solved by a free plugin. We don’t even want to think about admin who have to maintain more than a few sites.

7. Security Ninja

Vulnerability scanner score: Bad

Security Ninja is an elaborate-looking vulnerability scanner, but with very little actual substance. We ran our vulnerability-filled site through its scan process, and it flagged only 15% of the plugin and theme vulnerabilities on the site. 

We also saw patterns with the vulnerabilities flagged. They were either older ones that were discovered a while back, or the plugin or theme in question had over 10000 installs. Hardly a good slice of the vulnerability pie. 

Overall, give Security Ninja a wide berth as a vulnerability scanner.

8. SecuPress

Vulnerability scanner score: Bad

As of writing this review, we are still not entirely certain if SecuPress has a vulnerability scanner or not. Let us explain. 

We first installed the free version, which prompted us to start a site scan. The scan is meant to check the health of the site. Now, just what ‘health’ covers in this context, we would be hard-pressed to imagine. We know that malware scanning is a premium feature, so perhaps vulnerability scanning? 

Or perhaps not. The scan report says this: “Your installation may contain vulnerable plugins. The PRO version will be more accurate.” As you can see, this message doesn’t clarify the situation very much. 

We could not upgrade to a pro version because our IPs are geoblocked by SecuPress’ firewalls. So our review ends, rather abruptly, right here.

9. WP Webdoctor

Vulnerability scanner score: Unconfirmed

WP Webdoctor was an interesting experience for us, and therefore it landed in last place after SecuPress which actively blocked us from buying a license. What could it possibly have done to merit this treatment? So glad you asked! It blocked us from activating the plugin on our own site.

Factors to consider in choosing the best WordPress vulnerability scanner plugin

When you’re hunting for the best WordPress vulnerability scanner plugin, here are a few things you should consider:

• How often the scanner updates its database: New vulnerabilities pop up every week, so you need a scanner that can keep up. It should flag your vulnerable plugins and themes as soon as they are announced.
  
• Make sure the scanner doesn’t miss anything: Whether it’s a well-known plugin or some obscure one you’ve installed, a good scanner’s got your back. It should flag vulnerabilities wherever they’ve been discovered.
  
• Look for a scanner that’s always on its toes: The WordPress security scene changes faster than fashion trends. Having a scanner that runs checks regularly means you’ll know about potential trouble the minute it pops up.
  
• Ensure the scanner doesn’t forget plugins and themes: WordPress itself has gotten a lot safer in recent times, but plugins and themes… not so much. So, make sure your scanner doesn’t overlook these.

How are vulnerabilities discovered?

Uncovering a vulnerability sets a specific sequence of events into motion from discovery to update. It all begins when a security researcher identifies a vulnerability in a system.

Their job is to responsibly report these vulnerabilities to the developers of the theme or plugin. This involves explaining what they found and its potential implications, as well as often suggesting steps to fortify the system. 

The developers then spring into action, using the information from the security researcher to understand and fix the issue. They then release an update to patch the vulnerability and enhance the security of the system.

Finally, the site admin or owners play a crucial role. They must apply this update to their sites promptly. Keeping a site updated is a critical step in maintaining its safety and staving off potential threats.

What to do when a vulnerability is flagged on your site

When a vulnerability is detected on your site, it’s crucial to act swiftly. Promptly update your site, especially if the issue is with a smaller plugin or theme. You can do this directly from your dashboard.

However, if the vulnerability is within a larger plugin, such as a page builder, updating directly may not be the best approach. It’s suggested to use a staging environment to test out the update first. This way, you have a safe space to verify that the update doesn’t cause any unexpected disruptions or conflicts before implementing it into the live site.

How we tested the vulnerability scanners

The only way to put a vulnerability scanner through its paces was to set up rigorous tests. We admit to being quite abusive with our test sites, but it is in the interest of scientific inquiry, so their sacrifice has not been in vain. 

We loaded up test sites with a variety of vulnerable themes and plugins. These extensions had a mix of different attributes to account for all kinds of scenarios: 

• Severity levels: Vulnerabilities come in all shapes and sizes, as do attacks. A brute force attack, while debilitating for a site, is nowhere on the scale of a SQL injection attack. We picked a variety of vulnerabilities that run the gamut from high to low severity. 
• Mix of vulnerability types: You’ll see a mix of WordPress attacks represented, like XSS, SQLi, privilege escalation, and so on.
• Old and newly discovered vulnerabilities: Here, we are looking to answer the question: Is the vulnerability database kept up to date?  
• Patched and unpatched: What does the scanner do if the plugin or theme is vulnerable, but there is no patch available? 
• Popular and obscure: Just because a few sites have a plugin or theme, doesn’t mean vulnerabilities shouldn’t be flagged. Every site is important! We chose plugins that have more than 200,000 installs to themes that have a modest 40-odd. 

One factor we wanted to check, but weren’t able to in this testing round, is how vulnerabilities in premium themes and plugins are handled by scanners. We sourced all the vulnerable themes and plugins from the WordPress repository because previous builds are available for download from there. But with premium themes and plugins not on the repo, we didn’t have that facility. For now, we’ve got a stable of premium extensions, and will wait to see if any of them are found with vulnerabilities in the future. 

One quick note: We noticed many products use WPScan or Patchstack as a database for vulnerability scanning while providing a larger security product. Since we are weighing the merits of a vulnerability scanner in isolation, we have omitted any scanners that use third-party APIs for their source of truth.

And that’s a wrap

As we said before, vulnerabilities are the leading cause of hacks, and therefore it is critically important to update plugins and themes with discovered vulnerabilities as soon as possible. A good vulnerability scanner facilitates this process. 

However, vulnerability scanners are 100% dependent on their databases, and those are 100% on the efficacy of security researchers. It is very unpredictable as a security system, as vulnerabilities could lie undetected in plugins for years.

Or even worse, a hacker could find it and keep on exploiting it, without anyone being the wiser. 

Therefore, while vulnerability scanners are good to have, they are by no means sufficient security-wise. 

We recommend using MalCare, a security plugin that combines a strong firewall and malware scanner instead. Vulnerability scanning then becomes a bonus, because the firewall will keep out most exploits, regardless of the vulnerabilities on the site. 

FAQs

What is a WordPress vulnerability scanner?

A WordPress vulnerability scanner is a tool that checks your WordPress website for possible security risks or weaknesses. It helps you find issues that hackers could exploit, such as outdated plugins or known flaws, so you can fix them and keep your site safe.

Is my WordPress vulnerable?

Whether your WordPress is vulnerable or not depends on how updated your themes, plugins, and WordPress version are. Regular updates, strong passwords, and trusted security plugins, like MalCare, can help keep your WordPress safe from vulnerabilities and attacks.

Is WPScan free?

WPScan is a freemium tool. It’s an open-source WordPress vulnerability scanner that you can use to check your website for potential security issues. However, the free tier has a limit of 25 API calls. They also offer a premium version with extra features.

How do I check the security of my WordPress site?

To check the security of your WordPress site, consider installing a security plugin like MalCare. MalCare scans your site for vulnerabilities, monitors for suspicious activity, and provides updates for any detected issues.

Are there any solutions to check the vulnerability of a website for free?

Yes, there are several tools available online that allow you to check your website’s vulnerabilities for free, such as OWASP ZAP, Google’s Lighthouse, and security plugins for WordPress like MalCare.

How to find WordPress vulnerabilities?

To diagnose WordPress vulnerabilities, you can install a security plugin like MalCare. MalCare will scan your website and report any identified security issues.