Once a vulnerability in a web platform is published, working exploits for it circulate quickly through hacker communities, so keeping your site up to date and closing known security holes is the best defence there is.
That said, how can you tell whether your site is vulnerable? That’s where the free service HackerTarget.com comes in.
Limitations and Sign-Up Confusions:
The free account lets you run up to 4 scans per day; the only other restriction is that certain scans can’t be used with a free email address such as Hotmail, Yahoo or Gmail. The WordPress scan is available to everyone, though.
Secondly, you don’t actually need to sign up: just initiate a security scan (described later) and you’ll receive an automated email. The first time you use the service, this email contains a link to confirm your email address; once you’ve clicked it, you need to initiate the scan again. It’s a little confusing, but we’re all adults, so I’m sure we’ll get over it.
What Type of Scans Can You Do:
The service offers quite a comprehensive suite of security scans:
- WordPress / Drupal / Joomla
- Domain Profiling
- WhatWeb Scan
- BlindElephant Fingerprinting
- Nikto Server Scan
- SQL Injection Test
- OpenVAS Vulnerability Scan
- Nmap Port Scanner
We don’t have space to cover all the scans, so today I’ll be taking a look at the WordPress security scan, the OpenVAS scan and the SQL injection test.
WordPress Security Scan:
Upon completion of your automated WordPress scan, you’ll get a nicely presented report. Let’s look at what it tells you:
The first section displays the basic server software versions, plus your WordPress version if the scanner can find it. It’ll also tell you if your WordPress install is out of date. This matters: the security holes in older versions are public knowledge, and because automated scans like this one are so easy to run, an out-of-date site can quickly become a target.
Site Links and Scripts:
This is a report of the external links found on your site, as well as any malicious script that may have been injected into your pages (or built into your theme!). Be sure to look over the list for anything you don’t immediately recognize.
The last section lists some basic information about your host, as well as the other websites that share the same IP address as yours.
SQL Injection Test:
Many of the widely reported hacks by the infamous security group LulzSec were performed using SQL injection. Put simply, an attacker types SQL fragments into a URL parameter or a search box, and because the application pastes that input straight into its database query without checking or escaping it, the database runs the attacker’s SQL as part of the query. XKCD explains this better!
With any luck, the email report you get from a SQL injection test will be short and sweet, saying it found no vulnerabilities. Bear in mind that a clean scan means the test found nothing, not that nothing is there: injection flaws turn up more often in plugins and themes than in WordPress core, though both have been found vulnerable over the years. They are usually patched as soon as they are found, so the lesson is, as ever: ALWAYS BE UPDATED.
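To make the mechanism concrete, here is an added example in Python with sqlite3. It is not code from HackerTarget or WordPress; the posts table, its rows and the payloads are constructed for illustration. It shows the same search written two ways, what an injected search term does to each, and the lone-single-quote probe that automated SQL injection tests start with.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny blog table standing in for a real site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO posts (title, published) VALUES (?, ?)",
        [("Hello world", 1), ("Public post", 1), ("Secret draft", 0)],
    )
    return conn


def search_vulnerable(conn, term):
    """Builds the query by pasting the search box contents straight into the SQL text."""
    sql = "SELECT title FROM posts WHERE published = 1 AND title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Same search with a parameterized query: the term is sent as data, so whatever it
    contains is matched literally and can never change the query's structure."""
    sql = "SELECT title FROM posts WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def quote_probe(search_fn):
    """The first thing an automated SQL injection test does: submit a lone single quote.
    A database error means the input reached the SQL parser unescaped."""
    try:
        search_fn(make_db(), "'")
        return False
    except sqlite3.OperationalError:
        return True


# Payloads as they would be typed into a search box or URL parameter (constructed).
LEAK_DRAFTS = "%' OR published = 0 --"                    # '--' comments out the rest of the query
DUMP_SCHEMA = "%' UNION SELECT sql FROM sqlite_master --"  # reads a different table entirely

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal term    :", search_vulnerable(db, "Hello"))
    print("vulnerable, leak drafts    :", search_vulnerable(db, LEAK_DRAFTS))
    print("vulnerable, dump schema    :", search_vulnerable(db, DUMP_SCHEMA))
    print("safe, same payload         :", search_safe(db, LEAK_DRAFTS))
    print("quote probe vulnerable/safe:", quote_probe(search_vulnerable), quote_probe(search_safe))
```

With the concatenated query, the `LEAK_DRAFTS` term turns the WHERE clause into `published = 1 AND title LIKE '%%' OR published = 0` and the unpublished draft comes back; the UNION payload returns the table definition alongside the titles. The parameterized version treats the same strings as text to match and returns nothing, and a single quote raises no error from it, which is exactly the difference a scanner is looking for.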
OpenVAS IP Scanner:
This one might be more interesting to run against your home IP address (which you can find at whatismyipaddress.com). OpenVAS is a full vulnerability scanner, but the first thing it does is a port scan: it lists every port open to the world, each of which is another route by which an attacker can reach your machines. Once an attacker knows which ports are open and what services sit behind them, they can test each in turn for known vulnerabilities. Run against your home IP, it may also turn up something you never meant to expose, such as a forgotten port forward on your router or a compromised PC listening for commands. Only scan addresses you own or are authorised to test; port scanning somebody else’s network is likely to be treated as hostile.
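To show what the port-scanning stage of such a scan actually does, here is an added example in Python (not HackerTarget, OpenVAS or Nmap code). It performs a TCP connect scan and then grabs each open service’s banner, which is how a scanner works out what a port is used for. So that it runs offline, it starts a constructed fake service on a loopback port and picks a second, closed port to compare against; the banner text is made up.

```python
import functools
import socket
import threading


def tcp_connect_scan(host, ports, timeout=0.5):
    """Return the ports in `ports` that accept a full TCP connection.

    This is the 'connect' scan that Nmap and OpenVAS begin with: anything
    listed here is reachable by anyone who can reach `host`.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, probe=b"", timeout=1.0, nbytes=128):
    """Read whatever the service says first (or what it replies to `probe`).

    Banners such as 'SSH-2.0-OpenSSH_7.4' tell a scanner which software is
    behind a port, which is the step before looking up known flaws in it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        if probe:
            s.sendall(probe)
        try:
            return s.recv(nbytes)
        except socket.timeout:
            return b""


def start_fake_service(banner):
    """Constructed stand-in for an exposed service: listens on a free loopback
    port, sends `banner` to each client and hangs up. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Pick a port nothing listens on, so a closed port can be shown as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


@functools.lru_cache(maxsize=None)
def demo():
    """Scan two loopback ports: one with a fake SSH-style service, one closed."""
    open_port = start_fake_service(b"SSH-2.0-demo_1.0\r\n")  # constructed banner
    closed_port = free_port()
    found = tcp_connect_scan("127.0.0.1", [closed_port, open_port])
    banners = {p: grab_banner("127.0.0.1", p).decode(errors="replace").strip() for p in found}
    return {"open_port": open_port, "closed_port": closed_port, "found": found, "banners": banners}


if __name__ == "__main__":
    result = demo()
    for port in result["found"]:
        print(f"{port}/tcp open  {result['banners'][port]}")
```

A real scanner does the same against every port of interest, in parallel and with service-specific probes for protocols such as HTTP that say nothing until spoken to; the principle is unchanged, which is why an unexpected line in the scan report deserves a look.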
I do hope you try out some of these free scans, especially if you run a blog and are relatively clueless about the whole security thing. I would say post back here if you get any alarming results, but that might make you a target, so it’s best to post anonymously and leave out your web address! Do you know of any similar user-friendly, free (and trustworthy) online tools for performing these scans? Share that knowledge!
Image Credit: ShutterStock