Comparative analysis of website security assessment services
How to quickly understand how vulnerable your website is? Is it easy to hack? Or maybe it’s already been hacked?
In general, accurate and complete answers to these questions are not easy. You need a pentest that will take at least 1 week and $1,500. Or an incident investigation, if the incident is already obvious. For example, your website has been defaced or blocked, information leaked, etc.
But what if you need to understand in advance how bad your situation could be, but not spend much time and effort? For example, to convince you, when you are in doubt, that you should postpone the publication of the website and work on its security for a couple of weeks. Or to try to find a large hole, through which the published website has already been hacked.
The fastest and easiest way is to scan your website for vulnerabilities and other security issues. To do this, you need to use the services that we have described in our review of online website security analysis tools.
Introduction
The purpose of this review is not to identify the most functional and accurate scanners that provide the most information but to identify the scanners that are optimal for quick security assessment tasks by a non-security professional.
Therefore, during the review, we evaluated the following set of parameters: the possibility of free use, ease of use, the necessity of user registration, the speed of detecting problems, and the amount of free functionality.
We divided the review into three parts (“weight categories” or “leagues”):
- 16 universal website security scanners.
- 4 specialized security scanners for WordPress websites. This platform has been the most popular website building platform for the past 10 years and remains the most demanded in 2021.
- 1 helpful security assessment service included in the bonus category.
We have sorted the security assessment services alphabetically by name.
Universal website security scanners
1. Acunetix
Classic commercial website vulnerability scanner. Checks websites for many vulnerabilities. Requires registration to a corporate mailbox. The process of getting a free trial version is complicated. Free to use for 14 days. The service produces useful results.
2. Detectify
A commercial website security scanner that allows you to run dozens of automated security tests, including OWASP Top 10 tests, malware, and more. The service requires registration and is free for only 14 days. The scanner is quite difficult to use, although there are even more complicated commercial scanners. Detectify prices are comparable with the level of the world market leaders. The scan is slow, several hours long, but gives a decent amount of results.
3. H-X Scanner
Free online vulnerability scanner. It has been working since 2016 and has two modes: quick and normal. The service is quite easy to use and does not require registration. You need to enter your website URL and email to receive a security report. In the quick mode, the first results can be obtained in real time within a few seconds after launch. The entire quick scan process takes 5 minutes. In normal mode, you do not need to keep the scanner open. Scan reports are sent by email. The normal scan process takes from several minutes to several hours, depending on the complexity and size of the website. In normal mode, the report is very convenient. It contains a summary and details in tabular form. The functionality of manual verification of vulnerabilities is provided. The general conclusion is that H-X Scanner is a very convenient service with relatively detailed reports suitable for deep manual analysis and processing.
4. ImmuniWeb
ImmuniWeb is actively developing in the market of professional information security solutions. The company’s website and its free website security assessment service have a simple, user-friendly, and highly thought-out functional interface. The scanner checks the security of your website’s server, its compliance with PCI DSS and GDPR standards, HTTP headers, including CSPs, performs specific CMS tests for WordPress- and Drupal-based sites, checks for vulnerabilities in interface libraries, and much more. The service works not very quickly, but it provides very convenient and visual results.
5. Intruder
A modern commercial scanner for a wide range of vulnerabilities. The service has advanced features like cloud security analysis and API. Convenient to use. Requires registration. Free for 30 days. It works quite slowly and provides few results.
6. Netsparker Cloud
One of the classic commercial scanners. A competitor of Acunetix, which is especially noticeable in the process of getting the free trial, which is also valid for only 14 days. Requires complex corporate registration. The service provides quite a lot of results but gives false positives.
7. Norton Safe Web
The service from the famous antivirus proves once again that antivirus companies are relatively poor at assessing website security. Even though the scanner is free and easy to run, it does not produce any results unless your website is already in the service’s database. Getting a website into this database is not an easy task.
8. Observatory
Free service from the famous Mozilla project. The scanner has helped the owners of tens of millions of websites to find out their security state. The service is easy to use, fast and intuitive. It checks the security of HTTP headers, performs tests for SSL, TLS, HSTS preloading, etc. The functionality is somewhat limited, but the tool is undoubtedly noteworthy.
9. Pentest-Tools
Fast and easy-to-use scanner with free and paid parts. The free scan can only be run twice. It does not require registration, but it provides very limited results. The scanner website advertises paid checks with rich functionality.
10. Probely
This paid vulnerability scanner has a good user interface and a 14-day free trial. Registration and use are not complicated. The Probely service is convenient for website and web application developers. It contains not only the vulnerability search functions but also the full cycle of vulnerability management, including elimination. The scanner works quite fast, but in free mode, it produces a very limited number of results.
11. Quttera
This free tool is somewhat similar to the Sucuri scanner described below but gives slightly more results. It is a little slower, although in general, it is quite fast – a few dozen seconds. The scanner is easy to use and allows you to check a website for a limited list of vulnerabilities, for the presence of malicious and suspicious files, and also analyzes the website’s presence in Safe Browsing lists and in the lists of malicious programs. Many vulnerability scanners give false positives from time to time, reporting security problems where they really do not exist. But Quterra does it in a very insistent and intrusive way, immediately pressing you to buy their troubleshooting services. For example, this service complains about the non-existent “Malicious obfuscated JavaScript threat”. This behaviour undermines the credibility of this tool.
12. Sucuri SiteCheck
The free Sucuri scanner leaves a good impression. SiteCheck is easy to use. It works with all types of websites, not just WordPress. The service has rather limited functionality, it checks the presence of a website in safe browsing lists (Google, Yandex, etc.) and blacklists, checks for a firewall, monitoring, some malware, as well as some protocols and headers. The scanner makes a mistake with the CMS identification, and also evaluates the security of such websites as facebook.com or microsoft.com as medium risk level. This is a deliberately incorrect overestimated risk value. In general, the service works very quickly, in just a few seconds, but it also gives very little information.
13. SiteGuarding
The service scans websites for malware, checks blacklists, spam, etc. The scanner declares that it recognizes WordPress, Joomla, Drupal, Magento, osCommerce, Bulletin, and other platforms. It is moderately difficult to start, but does not require registration. The scanner works fast but gives very limited results. Complex navigation, complex interface, intrusive advertising.
14. Tinfoil Security
The tool is paid, with the possibility of a free demo. Setting up Tinfoil Security is moderately complex. Some tests are performed even if the website is password-protected or registration is required to enter. The service has monitoring functionality.
15. UpGuard Scan
This paid tool performs risk assessment. It uses information about various parameters of the website. The registration process is complex. The free trial is valid for 7 days.
16. VirusTotal
The famous antivirus aggregator, which was acquired by Google, also has the function of aggregating website blacklists. It works for free, as simple as possible, and produces results instantly. However, by definition, they are not full, since the service does not check for website vulnerabilities. Accordingly, the service does not guarantee the website security.
Security scanners for WordPress websites
17. IsItWP Security Scanner
It is a free, easy-to-use, no-registration scanner based on the Sucuri engine, but it has two drawbacks: 1) low speed, 2) the scanner’s functionality is limited only by some checks (mainly for known malware). The vendor’s site advertises additional services to protect WordPress websites and describes steps to respond to security incidents. In general, the service leaves an impression of rawness, and there is little chance of getting useful information from it.
18. Web Inspector
Online scanner to check the security of WordPress sites. The service crawls the site using Google Safe Browsing and the Comodo engine. The scanner checks for malicious code, backdoors, viruses, suspicious scripts, and files. Registration, in comparison with other services, is not just complicated, but difficult, since it requires the payment card details.
19. Wprecon
The Wprecon scanner for WordPress sites is free, easy to use, and quite fast. Among its competitors, it has the most detailed and convenient reports, as well as additional functions. The tool checks WordPress version, plugins, themes, user ID, directory indexing, iframes, links, JavaScripts, and so on. The results are fairly complete.
20. WPsec
This scanner for WordPress websites has a limited free version. It strongly recommends buying a premium account. The service requires registration and is easy to use, but there are inconveniences such as a password required to login to the service. WPsec uses the popular free WPscan engine. This engine is a command-line vulnerability scanner. It provides information on outdated versions of WordPress, its components, and other security flaws. Also, this engine is known for giving a large number of false positives. WPsec, despite its beautiful interface, is slow and generally disappointing.
Bonus
21. Google Safe Browsing
Actually, this service is not a scanner, but simply an interface to the “black list” of Google. That is, to a database containing lists of malicious websites. Many of the crawlers mentioned in this review use Google Safe Browsing for their results. For some reason, you may need to turn to the original service and not use the intermediary services. The service is integrated with Google Search Console, which is quite convenient. If suddenly your website is blacklisted, you will receive detailed instructions on how to remove your website from there. The service is free, does not require registration, is fast and easy to use. However, since it does not check websites for vulnerabilities, it has little functionality compared to other services in our review.
Comparative analysis
We want to remind you that our goal was to identify fast, user-friendly, free online website security analysis tools. The contestants lost points when they had complicated registration, complicated interface, slow performance, or gave limited results.
In the table of results, 0 means “no or almost no”, 1 means “partially”, 2 means “yes, completely or almost completely”. To get the final score, we summed up the first 4 evaluation parameters, then multiplied the result by the estimated amount of free functionality.
In the league of universal scanners, our ranking is as follows:
| Scanner | possibility of free use | ease of use | no user registration | speed of finding problems | amount of free functionality | Final Score |
| H-X Scanner | 2 | 2 | 2 | 1 | 2 | 14 |
| ImmuniWeb | 2 | 2 | 2 | 1 | 2 | 14 |
| Norton Safe Web | 2 | 2 | 2 | 2 | 1 | 8 |
| Observatory | 2 | 2 | 2 | 2 | 1 | 8 |
| Sucuri SiteCheck | 2 | 2 | 2 | 2 | 1 | 8 |
| VirusTotal | 2 | 2 | 2 | 2 | 1 | 8 |
| Quttera | 1 | 2 | 2 | 2 | 1 | 7 |
| Acunetix | 1 | 0 | 0 | 2 | 2 | 6 |
| SiteGuarding | 1 | 1 | 2 | 2 | 1 | 6 |
| Pentest-Tools | 1 | 1 | 1 | 2 | 1 | 5 |
| Probely | 1 | 2 | 0 | 2 | 1 | 5 |
| Netsparker Cloud | 1 | 1 | 0 | 2 | 1 | 4 |
| Tinfoil Seurity | 1 | 1 | 0 | 1 | 1 | 3 |
| Detectify | 1 | 0 | 0 | 0 | 2 | 2 |
| Intruder | 1 | 0 | 0 | 1 | 1 | 2 |
| UpGuard Scan | 1 | 0 | 0 | 1 | 1 | 2 |
Thus, for quick website security assessment tasks, we recommend using the H-X Scanner and ImmuniWeb tools, which outperformed the competition in terms of the given set of parameters.
In the league of WordPress security scanners, the rating is as follows:
| Scanner | possibility of free use | ease of use | no user registration | speed of finding problems | amount of free functionality | Final Score |
| Wprecon | 2 | 2 | 2 | 2 | 1 | 8 |
| IsItWP Security Scanner | 2 | 2 | 2 | 0 | 1 | 6 |
| WPsec | 1 | 2 | 0 | 0 | 1 | 3 |
| Web Inspector | 1 | 0 | 0 | 1 | 1 | 2 |
It turns out that the Wprecon service looks the most useful and convenient for checking the security of a WordPress-based site.
Conclusion
We reviewed 21 modern tools for a free, fast, convenient online website security assessment, and also performed a comparative analysis of 20 tools.
Thus, whatever website you have, if you do not want to spend a lot of time analyzing its security, we recommend using the H-X Scanner and ImmuniWeb services.
If your website is built on the WordPress CMS platform, we additionally recommend checking the website using the Wprecon service.