There are well over 20,000 free plugins that anyone can install in WordPress.
Hundreds of these plugins have been developed for security purposes, but how do you know they really protect your site?
How can you test them to check that they really work unless you have been hacked?
You can't, and in my experience you will find some online security tools out there are all hype, created specifically for attracting links.
I know this because I tested some of them when this site was really hacked and its WordPress core files were injected with malicious code redirects.
Let's now take a look at a plugin named Sucuri Site Check Malware Scanner.
Here’s what the plugin author claims:
This plugin enables full malware and blacklisting scan capabilities from Sucuri Site Check right in your WordPress dashboard. It will check for malware, spam, blacklisting and other security issues like .htaccess redirections, hidden evil code, etc. The best thing about it is it's completely free.
I have tested this plugin using the hacked files containing the malicious code redirects that I removed from this site. I am using an exact copy of this site on a local installation set up with InstantWP, and I have also tested the site scan feature on a live installation.
Plugin Security Features
- Latest version of WordPress – Your current version (3.5-beta2) is not current. This works.
- WordPress version properly hidden. This works.
- Upload directory properly protected. This works.
- Database table set to the default value. Not recommended. *We do not offer the option to automatically change the table prefix, but it will be available soon on a next release. This clearly doesn't work; however, you can install another plugin which will change the prefix and make your installation more secure.
- Default admin user name (admin) being used. Not recommended. This works and is a good feature which you should use if you are still using the default username of admin.
- Readme file properly deleted. This works.
- Using an updated version of PHP (v 5.3.2). This works.
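Most of the items in that checklist are plain filesystem facts about the install, so they can be verified without trusting any plugin. The script below is an added example, not the Sucuri plugin's code: it re-implements the version, version-disclosure, upload-directory, table-prefix and readme checks against a WordPress directory, and runs them over a constructed weak tree and a constructed hardened one. The admin-username and PHP-version checks need a database and a runtime and are left out; `WP_LATEST` and the sample file contents are assumptions for the demo.

```python
"""Filesystem audit of a WordPress install for the hardening items above.

Added example, not the Sucuri plugin's code. WP_LATEST is an assumed value
standing in for a lookup of the current release; the sample trees written by
make_sample_install() are constructed for illustration.
"""
import os
import re
import tempfile

WP_LATEST = "3.5"  # assumption for the demo, not a live lookup


def _read(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def audit_wordpress(root, latest_version=WP_LATEST):
    """Return {check: (passed, detail)}; every check only reads files."""
    results = {}

    # Core version: wp-includes/version.php defines $wp_version = '...';
    installed = None
    vfile = os.path.join(root, "wp-includes", "version.php")
    if os.path.isfile(vfile):
        m = re.search(r"\$wp_version\s*=\s*'([^']+)'", _read(vfile))
        installed = m.group(1) if m else None
    results["core_up_to_date"] = (installed == latest_version,
                                  f"installed={installed} latest={latest_version}")

    # Version disclosure: generator meta tag in a saved copy of the front page
    # (front.html is a constructed stand-in for fetching the live site).
    page = os.path.join(root, "front.html")
    leaks = os.path.isfile(page) and bool(
        re.search(r'<meta name="generator" content="WordPress', _read(page)))
    results["version_hidden"] = (not leaks, "generator tag found" if leaks else "no generator tag")

    # Upload directory: expect an .htaccess that refuses to execute PHP there.
    ht = os.path.join(root, "wp-content", "uploads", ".htaccess")
    rules = _read(ht).lower() if os.path.isfile(ht) else ""
    protected = ".php" in rules and ("deny from all" in rules or "require all denied" in rules)
    results["uploads_protected"] = (protected, ht)

    # Table prefix: $table_prefix = 'wp_'; in wp-config.php is the default.
    prefix = None
    cfg = os.path.join(root, "wp-config.php")
    if os.path.isfile(cfg):
        m = re.search(r"\$table_prefix\s*=\s*'([^']*)'", _read(cfg))
        prefix = m.group(1) if m else None
    results["table_prefix_changed"] = (prefix not in (None, "wp_"), f"prefix={prefix}")

    # readme.html discloses the version and should be deleted.
    readme = os.path.join(root, "readme.html")
    results["readme_removed"] = (not os.path.exists(readme), readme)
    return results


def make_sample_install(root, hardened=False):
    """Write a constructed WordPress-like tree: weak by default, fixed if hardened."""
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

    write("wp-includes/version.php",
          "<?php\n$wp_version = '%s';\n" % ("3.5" if hardened else "3.5-beta2"))
    write("wp-config.php",
          "<?php\n$table_prefix = '%s';\n" % ("k7q_" if hardened else "wp_"))
    if hardened:
        write("front.html", "<html><head><title>site</title></head></html>")
        write("wp-content/uploads/.htaccess",
              '<FilesMatch "\\.php$">\nRequire all denied\n</FilesMatch>\n')
    else:
        write("front.html",
              '<html><head><meta name="generator" content="WordPress 3.5-beta2" /></head></html>')
        write("readme.html", "<html>WordPress 3.5-beta2</html>")
        os.makedirs(os.path.join(root, "wp-content", "uploads"), exist_ok=True)  # no .htaccess


def demo(hardened=False):
    """Build a sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_install(tmp, hardened)
        return audit_wordpress(tmp)


if __name__ == "__main__":
    for label, hard in (("weak install", False), ("hardened install", True)):
        print(f"== {label}")
        for name, (ok, detail) in demo(hard).items():
            print(f"{'PASS' if ok else 'FAIL'}  {name:22s} {detail}")
```

Pointing `audit_wordpress()` at a real install root (with a saved copy of the front page as `front.html`) gives the same five verdicts the plugin reports, and the checks are easy to extend with whatever else your hosting requires.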
Sucuri Site Check Malware Scanner
This feature doesn't work: it didn't detect the malicious code redirects in the core WordPress files I replaced from my hacked site this week.
I didn't test this service, as it only took me a few minutes to remove the malicious redirects injected into the core WordPress files.
To their credit, Sucuri.net have published a blog post titled, How does SiteCheck work? I haven’t tested the server side scanning they offer other than what this plugin includes.
The big con, based on my testing and opinion, is the scanning feature: it simply failed to detect the redirects.
I used Wordfence to scan my files and it picked up the hacked files within minutes. I'm not sure how a plugin like Sucuri Site Check Malware Scanner can complete a full scan in seconds!
It clearly needs a lot more development if it's to be anywhere near as good as the two I linked to above.
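The difference between the two scans above comes down to what is actually inspected: a scanner that reads the files on disk can compare every core file against a known-good baseline and flag anything that changed, which is exactly how injected redirects in core files show up. The script below is an added example (not Wordfence's or Sucuri's code) of that approach: it records SHA-256 hashes of a clean tree, re-hashes the tree later, and runs a small, constructed heuristic pattern list over any file that was modified or added. The sample "compromise" it detects is constructed inline for the demo.

```python
"""Core-file integrity check plus a redirect-injection heuristic.

Added example, not Wordfence's or Sucuri's code. The SUSPICIOUS list is a
constructed, deliberately small set of patterns; the sample tree and the
injected lines in demo() are constructed for illustration only.
"""
import hashlib
import os
import re
import tempfile

SUSPICIOUS = [
    (re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("), "eval of decoded payload"),
    (re.compile(r"header\s*\(\s*['\"]Location:"), "PHP Location header redirect"),
    (re.compile(r"window\.location(\.href)?\s*="), "JavaScript location redirect"),
    (re.compile(r"<meta[^>]+http-equiv=['\"]refresh['\"]", re.I), "meta refresh redirect"),
]


def hash_tree(root, exts=(".php", ".js", ".html")):
    """Map relative path -> SHA-256 for every file of interest under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def find_suspicious(path):
    """Return the labels of every heuristic pattern that matches the file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [label for pat, label in SUSPICIOUS if pat.search(text)]


def compare(baseline, root):
    """Diff the live tree against the baseline; scan changed/new files."""
    current = hash_tree(root)
    report = {"modified": [], "added": [], "missing": [], "suspicious": {}}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
    report["missing"] = sorted(set(baseline) - set(current))
    for rel in report["modified"] + report["added"]:
        hits = find_suspicious(os.path.join(root, rel))
        if hits:
            report["suspicious"][rel] = hits
    return report


def demo():
    """Snapshot a constructed clean tree, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = {
            "wp-load.php": "<?php\nrequire_once 'wp-config.php';\n",
            "wp-includes/functions.php": "<?php\nfunction wp_example() { return 1; }\n",
        }
        for rel, text in clean.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        baseline = hash_tree(tmp)  # taken while the tree is known good

        # Constructed tampering: a redirect appended to a core file and a dropped loader.
        with open(os.path.join(tmp, "wp-load.php"), "a", encoding="utf-8") as fh:
            fh.write("header('Location: http://redirect.invalid/');\n")
        os.makedirs(os.path.join(tmp, "wp-content"), exist_ok=True)
        with open(os.path.join(tmp, "wp-content", "cache.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php eval(base64_decode('UExBQ0VIT0xERVI='));\n")
        return compare(baseline, tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10s} {value}")
```

In practice the baseline would be hashed from a freshly downloaded copy of the same WordPress release and stored off the server, so an attacker who edits core files cannot also edit the record they are compared against; the pattern list only narrows down which of the changed files to look at first.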