WordPress online security scans are garbage

WordPress online security scans, and online security scans in general, do more harm than good, as I’ll explain in this article.


1. They mislead you about your website’s security posture.

I’ve recently tried online WordPress security scans to review our customers’ WordPress sites. I prefer to start with a company I trust, so I started with the online security scan from Sucuri, an industry leader in website security.

After entering the URL and watching a loading animation for 20 seconds or so, the Sucuri report came back All Clean… really, all clean?

I didn’t upgrade this site to WP 4.8 until yesterday. I want to believe I’m one of the lucky ones, that no grimy hacker and their maleficent hackbots have laid a slimy tentacle on my beautiful site. Fortunately, I know I am a gullible person who seeks feelings of trust, safety and happiness. I have lived long enough to know that if I left my garage door open in the city for months on end, there would be shady characters looking in my garage, maybe even taking inventory, rearranging the interior and using it as their own.

How many vulnerabilities did this scan actually cover? I’d say something like 1-3%. If a hacker is already abusing your site with a pharma hack, and Google has found it, then this type of scan can confirm it. It can validate your suspicion if the abuse is rampant and has been going on for a while. Even the best WordPress security plugins look for a handful of the top packages and malware signatures in the most common places.

2. They try to sell you another subscription product.

The Sucuri report told me All Clean… except for Website Firewall, where they offered me a subscription-based firewall delivered as a subscription-based WordPress plugin.

  • What about a WordPress Firewall Plugin?
    • These are worthless against many types of hacks. For example, if you are on a budget server and a neighboring site is hacked, a WordPress firewall will not stop cross-site contamination.
    • It’s not the firewall company; it’s that, by the nature of what a firewall is, firewalls don’t really belong at the site level.
    • A WordPress firewall is a heavy plugin to load on your site: it slows your page loads and is only really good at slowing down generic hackbot attacks. Firewalls belong at the DNS server level.
      • A DNS firewall offers the fastest performance and the most security. Think of it as a glowing forcefield around your website. It stops major attacks.
      • Think of a WordPress firewall as putting armor on your website. It increases protection at the cost of speed and agility. It’s useful against long-range arrows and hackbots.
      • Both increase your protection, but if you choose only one, get a SuperShield first. Specialized hosting with SSL and a DNS shield offers increased speed and access for your customers, along with safety and reliability for your website.
      • On-site firewalls are going to slow down the experience, since they process traffic with rules that are loaded and maintained by a third party.

3. 99%+ of hacks are not traceable through an Online WordPress Security Scan.

Can I trust Sucuri, as a security leader, to offer a solid ONLINE scan? Overall, I trust the Sucuri team and believe they are doing a great job in the battle for online security, but the real answer is that NO ONLINE SCAN offers a thorough web security scan.

  • Why are 99% of hacks not found by an online Security Scan?
    • To understand this we need to grasp the objective of hacking. The objective of professional hacking is to penetrate a system and gather information without being traced.
  • How do Advanced Persistent Threat hacks work?
    • By dropping a compressed and encrypted file package on a remote server. Traditionally this is a backdoor entrance that collects valuable data over time.
  • Where are these files?
    • In hard-to-find, hidden places on your server: made to look like common web files, buried deep in file directories, or perhaps among a set of images, inside a vulnerable plugin, or even in the wp-content/uploads/ folder.
  • What do they look like to the average web programmer?
    • Like a small .js file, compressed and encrypted/obfuscated, or a thumbs.db, or an image.png that is actually just an image shell holding a database. Sometimes it’s a Perl file (.pl); sometimes the package has a unique file extension.
    • Some appear to belong to the site’s plugins or to the original theme your WordPress site is built on. They are very hard to detect by eye; it could take days to go through a single website and evaluate every plugin file by hand.

4. Online Security Scans do not detail the depth of their scan

  • The best Online Security Scan can only check for a small handful of malware, blacklists, active spam, and common defacements.
    • This is far from secure or comprehensive. This is only detecting if there is already an abuse or defacement on your site. These are simple, juvenile hacks, less than 3% of total hacks.
    • It’s as if you used a car alarm that only responded to clown shoes and never tested for professional car thieves.
      • Russian/Ukrainian/Chinese hack teams are not clowns, and industry security data indicates these countries have WordPress APT (Advanced Persistent Threat) initiatives that include hacking every WordPress website.
      • Do you care enough to stop Russia/Ukraine/China/North Korea from hacking your website?
  • How do you find hack files?
    • To find hacked files, one must open each file and scan its contents for malware signatures and packages. There are hundreds of thousands of malware and hack signatures. Running tens of millions of signature checks per website is not possible from an online scan: besides the cross-domain security obstacles, tens of millions of requests from one website to another would slow your server down and could take days.
    • To scan for thousands of malware signatures across thousands of files, installing a server-side scanner is the best method: it can open and watch all your site files for hack and malware signatures, and anything else that doesn’t look normal.
    • Server-side scanners are costly and require sophisticated users to operate them.
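As an added illustration of the server-side approach described above (example code written for this article, not the scanner the author installed or any vendor’s product), the script below walks a wp-content/uploads tree and flags the tells the post names: image files whose bytes are not an image, a thumbs.db carrying PHP, and script files sitting under uploads. The sample tree it builds is constructed, not real malware, and the signature patterns, extensions and paths are assumptions for the demonstration.

```python
import os
import re
import tempfile

# Magic bytes a file with this extension must start with (assumed set: PNG, JPEG, GIF).
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}
# Server-side script extensions that have no business under wp-content/uploads.
EXEC_EXT = {".php", ".phtml", ".php5", ".pl", ".cgi"}
# Byte patterns common to dropped loaders: a PHP open tag plus eval/decode chains.
SUSPICIOUS = re.compile(rb"<\?php|\beval\s*\(|base64_decode\s*\(|gzinflate\s*\(")

def scan_file(path):
    findings = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(65536)  # first 64 KiB covers magic bytes and loader stubs
    if ext in EXEC_EXT:
        findings.append("executable extension in uploads")
    expected = MAGIC.get(ext)
    if expected and not head.startswith(expected):
        findings.append("extension/content mismatch")  # e.g. image.png that is not a PNG
    if SUSPICIOUS.search(head):
        findings.append("suspicious code pattern")
    return findings

def scan_tree(root):
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report

def build_sample_uploads():
    # Constructed sample tree for the demo (not real malware): one clean PNG, three decoys.
    root = tempfile.mkdtemp()
    d = os.path.join(root, "2017", "06")
    os.makedirs(d)
    samples = {
        "logo.png": MAGIC[".png"] + b"\x00" * 32,                       # genuine image header
        "image.png": b"<?php eval(gzinflate(base64_decode('AAAA')));",  # PHP hiding behind .png
        "thumbs.db": b"junk\n<?php gzinflate(base64_decode('AAAA'));",  # code inside a 'thumbnail db'
        "cache.php": b"<?php echo 1;",                                  # any PHP under uploads is wrong
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return root
```

Run `scan_tree("/path/to/wp-content/uploads")` against a real site to get a dict of flagged files and the reason each was flagged; a clean tree returns an empty dict.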


5. Online Scans lure you into a false sense of security

How do a strong web posture and security awareness affect my search engine ranking? Google PageRank measures your website, including your Google PageSpeed, security posture and hosting provider structure.

If you are on a budget host paying an amazingly low price, Google knows this. The state-sponsored Russian/Ukrainian/Chinese hack teams know this too. Unless you are working diligently on your WordPress security, your website is vulnerable and possibly already another WordPress site hacked by …

If you sign up for WordPress Support with us, under one of our WordPress Support plans, we build our (DNS) SuperShield around your site and host your website on its own unique IP on cloud-based SSD for supercharged, super secure, high-speed WordPress.

Whether a single hacker or millions attack, our SuperShield is built to defend against and mitigate millions of attacks per hour. With your site inside our SuperShield (distributed DNS with CDN and super fast SSD cloud hosting), your website is like greased lightning. We offer website security, WordPress specialized hosting and web posturing options that the smartest brands in the world use today.

As for the site I was testing? We installed a server-side scanner on the site and found 5 files in 3 places with hack signatures. We removed those files (one was a thumbs.db, one was an image.png, both Russian hack databases) and placed the site inside our SuperShield. It’s now 2.5x faster and 100x more secure than before, on our SSD Cloud with SSL and MaxCDN.

We are WordPress Superheroes offering Security Posturing and WordPress Support. We protect and serve WordPress websites. What’s happening with your website? Maybe you can use a free Website SuperScan.

Comments (2)

[…] Learn why online security scans do more harm than good […]

Hello, just wanted to tell you, I loved this article.
It was helpful. Keep on posting!
