In the Feature Spotlight posts, we highlight a feature in iThemes Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature. Today we are shining the spotlight on the iThemes Security Pro Site Scan, a great feature to secure and protect your website.
Why we Developed the iThemes Security Pro Site Scan
At the end of 2018, hackers were actively taking advantage of an exploit in the WP GDPR Compliance plugin. The exploit allowed unauthorized users—people not logged into a website—to modify the WP user registration settings and change the default new user role from a subscriber to an administrator. Thankfully, the WP GDPR Compliance plugin developers acted fast and released a patch for the day after the vulnerability was publicly disclosed.
In the days following the WP GDPR Compliance vulnerability discloser, we received a flurry of reports from our customers that they were finding new and unexpected administrator users on their website. Or worse, that their admin user was removed, and as a result, they lost control of their website. Luckily, we knew what the culprit of the attacks was, and we were able to instruct people to remove the new users, and update WP GDPR Compliance to version 1.4.3 or above to patch the point of entry and to prevent further attacks on the exploit. Unfortunately, some of our customers that lost access to their website didn’t have a WordPress backup to restore from and had to hire a hack repair specialist to regain access to their website.
Receiving a high number of reports of customers sites being exploited by WP GDPR Compliance vulnerability months after they released a patch was not something we expected to see. It wasn’t until a full year after the patch was released that we finally stopped receiving regular reports about customer’s sites being hacked via this exploit. In that year, our customers collectively had hundreds of hacked websites that could have been prevented simply by keeping their plugins updated.
Having a vulnerable plugin or theme for which a patch is available but not applied is the number one culprit of hacked WordPress websites. As we learned earlier, the WP GDPR Compliance vulnerability gave hackers the blueprint they needed to take over any site that didn’t update to version 1.4.3 to patch the point of entry. Talk about rolling out the red carpet.
The most frustrating thing for me from my time in support was hearing from customers who fall victim to hacks that could have been easily prevented. It made me cringe to think about all of the unnecessary time spent cleaning up the hacked sites and all of the difficult conversations informing clients and customers about the preventable breaches.
We knew that our customers didn’t have the time to keep track of every disclosed WordPress vulnerability and compare that list to the versions of plugins and themes you have installed on your site. So we created a way to automatically protect themes Security Pro customers from the #1 culprit of hacked WordPress websites.
What Is The iThemes Security Pro Site Scan?
The iThemes Security Pro Site Scanner is our way to secure and protect your WordPress website from the number one cause of all software hacks. The Site Scanner checks your site for known vulnerabilities and automatically apply a patch if one is available.
The 3 Types of Vulnerabilities Checked
- WordPress Vulnerabilities
- Plugin Vulnerabilities
- Theme Vulnerabilities
Using the Google Safe Browsing API, the Site Scan also checks your Google’s blocklist status and will alert you if Google has found any malware on your website. I get so excited when thinking about how the iThemes Security Pro Site Scan will save people from spending unnecessary time and money cleaning up hacked websites.
I feel a sense of relief, knowing that the Site Scan will prevent our customers from losing their clients or customers after informing them about a successful hack.
How to Use the iThemes Security Pro Site Scan
To enable the Site Scan on new installs, navigate to the iThemes Security Pro settings and click the Enable button on the Site Scan settings module.
How to Perform a Manual Site Scan
To trigger a manual Site Scan, click the Scan Now button on the Site Scan Widget located on the right side-bar of the security settings.
The Site Scan results will display in the widget.
If the Site Scan detects a vulnerability, click the vulnerability link to view the details page.
On the Site Scan vulnerability page, you will see if there is a fix available for the vulnerability. If there is a patch available, you can click the Update Plugin button to apply the fix on your website.
There can be a delay between when a patch is available and the iThemes Security Vulnerability Database getting updated to reflect the fix. In this case, you can mute the notification to not receive any more alerts related to the vulnerability.
Important: You should not mute a vulnerability notification until you have confirmed your current version includes a security fix, or the vulnerability doesn’t affect your site.
How to Enable Automatic Vulnerability Patching
The Site Scanner integrates with the iThemes Security Pro Version Management feature to automatically update vulnerable software when a patch is available.
To enable automatic vulnerability patching, navigate to the iThemes Security Pro settings and click the Configure Settings button on the Version Management module.
Next click the checkbox next to Auto Update If Fixes Vulnerability option in the Version Management settings.
Once enabled, iThemes Security Pro will automatically update a plugin or theme if it fixes a vulnerability that was found by the Site Scanner.
The iThemes Security Pro Site Scan is a powerful tool to protect your WordPress website from the number one culprit of hacked WordPress websites. In the coming months, we plan to add File Level Malware Scanning and Automatic Malware Remediation to the Site Scan to add more layers of protection to your website.