If you are looking for the best website security check tool and want to make sure that your website is safe and doesn’t suffer from any potential vulnerabilities that might cause issues in the future, then this post is for you. Everyone knows that website security is important – but how do you tell whether your website is secure or not? Here I take a look at some of the tools that can help self-builders with their WordPress or ClassicPress site security.
Additionally, almost all of the tools on this list are free. And the one tool that is paid offers a 14-day free trial, with no credit card required. Unlike a lot of other similar posts, this one isn’t really about picking the single best website security check tool. Instead, all of these tools bring something unique to the table and there’s really no reason not to benefit from all of them.
For each tool, I’ll try to highlight what makes it unique and what types of insights it can help you discover. For example, one tool is focused on finding vulnerabilities in WordPress and its extensions, while others are focused on general website security best practices.
Understanding the limitations of these website security check tools:
All of these tools are useful for assessing the security and vulnerability of your website, but it’s important to understand that they’re limited in their approach.
All of these tools essentially scan your site as an “outside observer.” This lets them find vulnerabilities that could let other malicious actors into your website.
However, this does not give them the ability to, say, find a piece of malware sitting hidden in one of the folders on your server.
To find malware in this way, you’d need a dedicated malware scanner tool that’s able to scan every single file on your server.
Basically, it’s important to understand that just because these tools don’t find any issues, that doesn’t 100% guarantee that there’s nothing wrong with your site. This is not a criticism of the tools on this list – it’s just important to understand what they’re actually checking for.
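To show the kind of check that only works from inside the server, here is an added example (not from the original post and not the code of any tool listed here): a minimal file-integrity check that compares the files on disk against a known-good SHA-256 baseline. The function names and the sample directory tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(root: Path, baseline: dict) -> dict:
    """Report files changed, added or removed since the baseline was taken."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed sample tree (not a real site): take a baseline, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php // front controller\n")
        (root / "wp-includes" / "version.php").write_text("<?php // version info\n")
        (root / "readme.html").write_text("<html>readme</html>\n")
        baseline = build_manifest(root)  # known-good state

        # Changes an outside scan would not see unless they alter served pages
        (root / "index.php").write_text("<?php // front controller, altered\n")
        (root / "wp-includes" / "cache.php").write_text("<?php // unexpected file\n")
        (root / "readme.html").unlink()
        return compare(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The baseline is only trustworthy if it is taken from a clean install and stored somewhere the web server cannot write to.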
Five best website security check tools in 2020
Let’s discuss them in detail:
Sucuri SiteCheck is one of the most popular free website security check tools.
It’s super simple – all you do is plug in your URL. Then, Sucuri SiteCheck will check for:
- Known malware that’s present on the front-end of your site.
  ⚠️ Remember, it cannot catch all malware because it’s not actually scanning the files on your server.
- Blacklisting status.
- Website errors.
- Out-of-date software.
- Malicious code.
It will then spit back an easy-to-interpret results page that highlights the tests you’ve passed, as well as any areas where you could improve your security.
If you’re using WordPress, you can also access much of this information from the free Sucuri Security WordPress plugin.
The plugin also adds some WordPress-specific scans, like file integrity monitoring for the WordPress core.
Both Sucuri SiteCheck and the Sucuri Security WordPress plugin are 100% free, though Sucuri does offer a paid firewall/security service if you want more proactive protection.
Pros:
- The results page is easy to interpret.
- It’s 100% free.
- If you’re using WordPress, there’s a free plugin.
Cons:
- It’s not as detailed as some of the other tools on this list.
Observatory is a free website security check project from Mozilla, the same company behind the popular Firefox browser. It integrates its own tests as well as some built-in tests from third-party platforms like SSL Labs.
SSL Labs could probably get its own spot on this list. But, because it’s already included in Observatory, I’m leaving it off.
Overall, this is probably the most detailed free website security check tool on this list.
It breaks its test results up into four sections:
- HTTP Observatory
- TLS Observatory
- SSH Observatory
- Third-party Tests
By itself, the results page can be a little difficult to interpret. But one nice thing about Observatory is that, for most tests, it links you to a page that explains what each test means in much greater detail.
You might need to invest some time to understand what it’s telling you, but it does provide you with the resources that you need to learn what’s happening, and it goes into a lot of detail.
Observatory is 100% free!
Pros:
- Observatory is quite detailed in the tests that it runs.
- It also integrates test data from third-party tools, like SSL Labs, that could deserve their own spot on this list.
- It’s 100% free.
- There are lots of documentation resources built around the tool that explain what most of the tests mean.
Cons:
- Interpreting the results can be a little difficult if you’re a casual user. Mozilla explains everything – you’ll just need to invest some time in reading the aforementioned documentation.
Detectify is a more heavy-duty website security check tool…but it’s also not free. So – trade-offs!
In total, Detectify scans your site against 1,500+ vulnerabilities, including CORS, OWASP Top 10, and Amazon S3 Bucket misconfiguration.
To build its scanner, Detectify uses a unique crowdsourcing approach. Over 150 “handpicked ethical hackers” contribute to the scanner to build its automated tests.
Overall, it’s definitely the most detailed scan of any tool on this list.
However, the downside, again, is that it’s not free. You can test it out with a 14-day free trial (no credit card required). However, once that trial runs out, the paid plans start at $50 per month (annually) or $60 per month (month-to-month).
Still, if you just want to run a one-time security check, you can take advantage of the free trial to put your site through the wringer.
To get started, you’ll need to verify your website first, which is an extra step vs the other tools. However, you have some simple options to accomplish this, including Google Analytics, uploading a file, or adding a meta tag.
Pros:
- Detailed security scan that checks for more than 1,500 vulnerabilities.
- Has a unique crowdsourcing approach to develop the security scanner.
- Runs security scans on all your pages, whereas most tools just check the specific URL that you enter.
- 14-day free trial with no credit card required.
Cons:
- There’s no permanent free plan.
- Paid plans are pricey, so you need to be willing to invest in website security.
Despite the name, the SSLTrust website security check tool tests a lot more than just your SSL certificate (though it does that, too).
It doesn’t run its own checks per se. Instead, it tests your site against a huge collection of third-party tools/blacklists including:
- Google Safe Browsing
- Sucuri SiteCheck
- Opera blacklist
In total, it checks your site against 66 different services. However, with the exception of the SSL test, everything is just pass/fail.
So, this one can tell you if your site has been flagged for an issue, but it’s not going to provide a ton of details by itself.
It’s helpful when combined with the other tools, but you shouldn’t rely on it by itself as it’s not running proactive protection scans – instead, it’s just telling you if you already have a security issue.
Pros:
- Tests your site against 66+ other services.
- Super easy to interpret the results – almost everything is just pass/fail.
- It also includes a more detailed SSL security test.
- It’s 100% free.
Cons:
- With the exception of the SSL tests, none of the tests are proactive – they’re all backward-looking and only focused on detecting existing issues.
- The pass/fail nature of most of the tests means that you don’t get a ton of details.
WPScan is a WordPress vulnerability checker sponsored by Automattic, the same company behind WordPress.com and WooCommerce.
Unlike the other website security check tools, WPScan is specifically focused on WordPress vulnerabilities, which makes it a great option if you’re using WordPress (but not very helpful if you aren’t!).
Because it’s just focused on WordPress, you also shouldn’t rely on it by itself. Instead, I think it’s a great option to pair with the other website security checker options on this list. That way, you can use WPScan to catch WordPress-specific vulnerabilities and the other tools to catch general website vulnerabilities.
The code itself is available on GitHub, so you’re free to install it on your own server if you feel comfortable. But if you don’t know how to do that, or if you just don’t feel like messing with the setup process, there are also cloud services that can run the scan for you, as well as a dedicated WordPress plugin.
You can find the free WPScan plugin at WordPress.org.
And two good options for the cloud service are:
- WPScan.io – this is the “official” cloud service that offers one free scan per month or daily automated scans for a price.
- WPSec – this is a third-party service from Triop AB that uses the WPScan code with some additional algorithms on top. You can manually run scans whenever you want.
Pros:
- Checks for vulnerabilities in WordPress core, plugins, and themes.
- Multiple ways to use it – you can install it on your own server, use a cloud scan, or install the free plugin.
- It’s free (though there is a paid service if you want more frequent automated scans).
Cons:
- Only checks for WordPress vulnerabilities – it’s not a complete website security check.
Which is the best website security check tool?
Unlike other roundups, there’s really no need to choose a single tool. Each of these tools has something to offer and most are free, so there’s no downside to using all of them.
Two tools that I would single out are:
WPScan is a great option if you’re running a WordPress site because it takes a WordPress-specific approach to security scans that none of the other tools do. If you combine it with these WordPress security tips, you’ll be in great shape.
Detectify is pricey, but it is a great option if you want more comprehensive security scanning and vulnerability detection (and are willing to invest in it).
All of the others are free and basically just require plugging in your site’s URL, so there’s no reason to skip any of them. For example, the SSLTrust tool will quickly tell you if your site has known malware or blacklisting issues, while Mozilla Observatory will actually dig into some proactive checks that can prevent you from having issues in the first place.
Sucuri SiteCheck sits somewhere in between – offering a basic blacklist check plus some proactive tips.
They all have value – so you can use them together to ensure that you get the best security for your site.