WordPress is — as content management systems go — very secure. It’s the most targeted web application in the world, but it’s also the best protected. It is in the interest of many thousands of developers and users to seek and destroy any vulnerabilities that may find their way into the code of WordPress Core, themes, and plugins.
If a WordPress hosting client follows a few basic security best practices, the likelihood of a successful attack is slim. Security best practices include:
- Updating WordPress, themes, and plugins as soon as new versions are released.
- Getting themes and plugins from trustworthy sources.
- Using long, random passwords. Or, even better, using two-factor authentication.
- Not sharing passwords with third-parties.
But everyone who manages a website has to face the reality that their site may be targeted, and if it is targeted, it may be compromised. It’s not enough to follow security best practices. You also have to keep an eye out for signs of compromise. But what does a compromised site look like?
Criminals don’t want you to know when your site has been compromised. The longer they remain hidden, the longer they can use a site to distribute malware, send spam, and inject their SEO links. A site that looks perfectly fine to you might, in fact, be spewing spam and infecting your visitors.
The solution is automated vulnerability and malware scanning. Vulnerability and malware scanners are capable of monitoring a site for signs of malicious software or known software vulnerabilities and alerting you to them.
For occasional scans, there are several excellent online tools that you should be aware of.
- GravityScan is an online vulnerability and malware scanner from the team behind the Wordfence security plugin. It will check a site for both malware and software vulnerabilities.
- Sucuri SiteCheck is similar to GravityScan, providing much the same malware and vulnerability checking.
An external web-based scanner is a good option to have, but it isn't as capable as a dedicated security plugin, which has greater access to a site and its files (the plugin can read every file on disk and watch for changes, whereas an external scanner only sees what the site serves to the public).
Wordfence Security is the most popular WordPress security plugin, and it includes a host of features to keep WordPress sites secure, including malware, vulnerability, and backdoor scanning, and a Web Application Firewall capable of repelling known attacks. The premium version of this plugin adds real-time updating of firewall rules, more frequent scans, and two-factor authentication.
Wordfence’s main competitor is the Sucuri Security plugin. Sucuri includes file integrity monitoring (comparing the current state of core, theme, and plugin files against a known-good baseline), remote malware scanning, and security hardening. The premium version includes a website firewall that can protect a WordPress site against the exploitation of software vulnerabilities, brute-force attacks, and denial-of-service attacks.
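The file integrity monitoring described above works by hashing every file in the install and comparing later snapshots against that baseline. As an added illustration (this is not code from the article, Wordfence, or Sucuri), the script below takes a SHA-256 baseline of a WordPress tree, diffs a later snapshot against it, and additionally flags PHP files that turn up under `wp-content/uploads`, a directory that should only hold media; the tiny install tree in `demo()` and the `NO_PHP_DIRS` heuristic are constructed for the example.

```python
import hashlib
import os
import tempfile

# Directories where no PHP file should exist after install (assumed heuristic).
NO_PHP_DIRS = ("wp-content/uploads",)

def snapshot(root):
    """Map relative path -> sha256 hex digest for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff(baseline, current):
    """Report added/removed/modified files, plus PHP dropped where it should not be."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    suspicious = sorted(p for p in added + modified
                        if p.endswith(".php") and p.startswith(NO_PHP_DIRS))
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}

def demo():
    """Constructed mini-install: take a baseline, simulate tampering, then diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)
        write("wp-config.php", "<?php define('DB_NAME', 'wp');\n")
        write("wp-includes/functions.php", "<?php // core\n")
        write("wp-content/uploads/2024/photo.jpg", "JFIF")
        baseline = snapshot(root)
        # Simulated compromise: a core file is edited and a PHP file lands in uploads.
        write("wp-includes/functions.php", "<?php // core (changed)\n")
        write("wp-content/uploads/2024/cache.php", "<?php // unexpected\n")
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice you would store the baseline manifest off the web server (an attacker who can edit files can also edit a manifest kept beside them) and run the comparison on a schedule so changes are reported rather than left for someone to remember to check.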
For most sites, a plugin is probably a better solution than a web service. The plugins we’ve discussed automatically alert site owners when they discover a problem. Relying on your memory to prompt you to regularly use the web scanning tools is probably not the most effective approach.