TL;DR
Here’s a guide to some of the best free tools for finding security problems on your website. We cover scanners that check for common vulnerabilities like cross-site scripting (XSS), SQL injection, and outdated software.
1. Understanding Website Vulnerability Scanners
Website vulnerability scanners automatically look for weaknesses in your site’s code and configuration. They can help you identify problems before attackers do. There are different types:
- Online Scanners: You enter your website address, and they run tests from their servers.
- Desktop/Self-Hosted Scanners: You download software to install on your computer or server.
No single scanner finds everything. It’s best to use a combination of tools.
2. Top Free Website Security Scanners
1. OWASP ZAP (Zed Attack Proxy)
OWASP ZAP is a powerful, free open-source scanner. It’s good for both beginners and experienced users.
- Type: Desktop/Self-Hosted
- Features: Active and passive scanning, spidering (crawling your website), API testing.
- How to use: Download from https://www.zaproxy.org/. Enter your website URL and start a scan.
Basic ZAP command-line example (after installation; the launcher is zap.sh on Linux/macOS and zap.bat on Windows). This runs a quick spider-and-scan of the URL without opening the desktop UI and writes the findings to a report file whose format follows the extension (.html, .xml, .json or .md):
zap.sh -cmd -quickurl http://yourwebsite.com -quickout zap-report.html
2. Qualys FreeScan
Qualys FreeScan provides a quick vulnerability assessment.
- Type: Online
- Features: Checks for common vulnerabilities, malware, and SSL issues.
- How to use: Go to https://www.qualys.com/freetrial/ (requires account creation). Enter your website URL and email address.
3. ScanMyPnP
ScanMyPnP is a simple online scanner focused on finding known vulnerabilities in plugins.
- Type: Online
- Features: Plugin vulnerability detection (especially useful for WordPress, Joomla, and Drupal).
- How to use: Visit https://scanmypnp.com/ and enter your website URL.
4. VirusTotal
While not strictly a vulnerability scanner, VirusTotal can help identify malicious files or scripts on your site.
- Type: Online
- Features: Multi-engine virus scanning, URL analysis.
- How to use: Go to https://www.virustotal.com/ and enter your website URL or upload files from your server.
5. WPScan
Specifically for WordPress websites, WPScan identifies vulnerabilities in plugins, themes, and the core WordPress installation.
- Type: Desktop/Self-Hosted (also available via online services)
- Features: Plugin detection, theme detection, vulnerability database.
- How to use: Install using https://github.com/wpscan/wpscan (requires some technical knowledge). Basic command:
wpscan --url http://yourwordpresswebsite.com
3. Interpreting Scan Results
- Prioritize: Focus on high-severity vulnerabilities first (e.g., SQL injection, remote code execution).
- Research: Understand what the vulnerability means and how it could affect your site.
- Fix: Update software, patch code, or implement security measures to address the issues.
- Re-scan: After fixing vulnerabilities, re-scan your website to confirm they are resolved.
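The triage loop above (prioritize, set aside verified false positives, re-scan to confirm the fix) can be scripted against the report a scanner writes. The following is an added example, not code from this guide or from the ZAP project: it assumes ZAP's traditional JSON report layout (a "site" list whose alerts carry "riskcode" 0-3 and per-URL "instances"), and the two reports it parses are constructed samples with made-up plugin ids and URLs.

```python
import json

# Constructed sample reports in the shape of ZAP's traditional JSON report
# (assumption: "site" -> "alerts" -> "instances", with riskcode 0-3). The plugin
# ids, alert names and URLs are illustrative, not real scan output.
def _report(alerts):
    return json.dumps({"site": [{"@name": "http://yourwebsite.com", "alerts": alerts}]})

SQLI = {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
        "instances": [{"uri": "http://yourwebsite.com/search?q=x", "method": "GET"}]}
HEADER = {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
          "instances": [{"uri": "http://yourwebsite.com/", "method": "GET"}]}
TIMESTAMP = {"pluginid": "10096", "alert": "Timestamp Disclosure", "riskcode": "0",
             "instances": [{"uri": "http://yourwebsite.com/app.js", "method": "GET"}]}
BEFORE_FIX = _report([SQLI, HEADER, TIMESTAMP])   # first scan
AFTER_FIX = _report([HEADER, TIMESTAMP])          # re-scan after patching the injection

RISK = {3: "High", 2: "Medium", 1: "Low", 0: "Informational"}

def load_findings(report_json, false_positives=frozenset()):
    """One (risk, pluginid, alert, uri) tuple per reported instance.

    false_positives holds (pluginid, uri) pairs a person has already verified
    as not real, so they stop reappearing in every report."""
    findings = set()
    for site in json.loads(report_json)["site"]:
        for alert in site["alerts"]:
            for inst in alert["instances"]:
                if (alert["pluginid"], inst["uri"]) in false_positives:
                    continue
                findings.add((int(alert["riskcode"]), alert["pluginid"], alert["alert"], inst["uri"]))
    return findings

def prioritized(findings):
    """Order findings highest risk first; returns (risk label, alert, uri) triples."""
    ordered = sorted(findings, key=lambda f: (-f[0], f[1], f[3]))
    return [(RISK[risk], name, uri) for risk, _, name, uri in ordered]

def rescan_diff(before, after):
    """Compare a scan with its re-scan: what was resolved, what remains, what is new."""
    return {"resolved": before - after, "remaining": before & after, "new": after - before}

if __name__ == "__main__":
    verified_fps = {("10096", "http://yourwebsite.com/app.js")}  # reviewed, not a real issue
    first = load_findings(BEFORE_FIX, verified_fps)
    for risk, name, uri in prioritized(first):
        print(f"[{risk}] {name} at {uri}")
    diff = rescan_diff(first, load_findings(AFTER_FIX, verified_fps))
    print("resolved:", sorted(f[2] for f in diff["resolved"]))
    print("remaining:", sorted(f[2] for f in diff["remaining"]))
```

Anything that lands in "new" on a re-scan is exactly the case the "Regular Scanning" point below is about: a finding that was not there last time.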
4. Important Considerations
- False Positives: Scanners sometimes report problems that aren’t real vulnerabilities. Always verify the results.
- Terms of Service: Check the terms of service for online scanners to ensure you are allowed to scan your website.
- Regular Scanning: Scan your website regularly (e.g., weekly or monthly) to catch new vulnerabilities as they emerge.