If your website, in common with roughly 25% of all websites, is running WordPress then it’s pretty much certain that it’s being constantly attacked. WordPress is to hackers what raw meat is to jackals because unless sites are assiduously maintained, they quickly become vulnerable to a huge number of exploits.
The root cause of this vulnerability is WordPress’ ecosystem of complex core software augmented by thousands of third party developers whose themes and plugins are often buggy and not quickly (or often, never) updated to fend off known security problems. Add to that many site owners being slow to update their core WordPress installation and you have an enormous and easily discovered collection of irresistible hacking targets.
One of my favorite defenses against WordPress hackers is an excellent plugin called Wordfence, which I covered back in 2015 in Wordfence plugin secures WordPress sites; solves job from hell. Since then Wordfence has become even more sophisticated and effective and, in fact, it’s so good that I’d say it’s essential to maintaining the security of any WordPress installation. Moreover, given that there’s a free version and the premium version starts at a very reasonable $99 per year per site, it’s hard to imagine why any WordPress site owner wouldn’t use it.
So, the Wordfence people haven’t been idle over the last couple of years and a week ago the company launched a new Web-based service, Gravityscan, which delivers vulnerability and malware scanning not just for WordPress sites but also for Magento, Joomla, Drupal, and vBulletin installations. The service automatically discovers what’s running on your site then checks for plugins and extensions and evaluates potential security issues. The press release also explains:
Even if you aren’t running one of these applications, Gravityscan works great with any website. It checks over 20 blacklists and performs a range of other checks to help improve your reputation, security posture and let you know if you have any security problems. Gravityscan includes additional checks to help improve your search engine ranking.
I tested Gravityscan yesterday and I’m very impressed. Without “claiming” your website (which requires you to register and then add a signature file to your site), you can scan any site for free, but only a maximum of 20 pages will be checked, along with the top 50 vulnerabilities for the detected platform and the site’s status on more than 20 blacklists. To thwart hackers, detected problems and vulnerabilities on unclaimed sites are listed without details (see the top line of the results on the screenshot below).
If you’re going to be performing regular vulnerability scans with Gravityscan, you should upload the free Gravityscan Accelerator to your site. This is a small PHP program that accelerates scanning and also provides Gravityscan with access to the site’s source code allowing for a deeper inspection into potential vulnerabilities. Here are the results for one of my websites that I claimed and installed the accelerator on:
To be honest, those are the results after I scanned the site and discovered that WordPress hadn’t been updated for a long time because of a plugin I’d tested long ago that suppressed all updates (at the time, an automatic WordPress update had trashed the site, so I downgraded and used the plugin as a stop-gap solution). What you see above is after the site was fixed; here’s the epic finding before that happened:
And here’s the detail of one of the vulnerabilities that was detected:
There’s a Pro version of the Gravityscan service priced at $10 per site per month that provides:
- Scheduled scans that can run as often as daily at a specific time
- Alerts sent by email or text, configurable by the severity level of newly discovered security vulnerabilities, malware, or unfavorable blacklist check results
- Faster scanning; free scans are limited to intensity level 2, which can take a long time to complete on larger sites
- Historical results kept for up to a full year
- Access to support
If you’re using WordPress and you’re serious about it, you really need to have Wordfence installed and to scan your installation regularly with Gravityscan. If your website is a money-making endeavor and/or your reputation depends on not getting hacked, spend the $99 per year for a single-site Wordfence license and the $120 per year for Gravityscan so you can run regular vulnerability scans. It’s the cheapest anti-hacker insurance you can get.