12 Online Free Tools to Scan Website Security Vulnerabilities & Malware

Scan Your WebSite, Blog for Security Vulnerabilities, Malware, Trojans, Viruses and online threats

One of the most trending talks in Information Technologies is Web Security. Do you know 96% of tested applications have vulnerabilities

Below chart from Cenzic shows different types of the vulnerability trend found.

We often pay attention to website design, SEO, contents and underestimate the security area. As a website, blog owner web security should have higher importance than anything.

There were many questions how to scan for website security, mobile app vulnerabilities so here you go. In this article, I will list out free tools to scan your site for security vulnerabilities, malware.

If found vulnerable, then you can always protect your website with Web Application Firewall from cloud-based security provider like SUCURI.

Scan My Server

ScanMyServer provides one of the most comprehensive reports of varieties of security test like SQL Injection, Cross Site Scripting, PHP Code Injection, Source Disclosure, HTTP Header Injection, Blind SQL Injection and much more.

Scan report is notified by email with vulnerability summary.


SUCURI is the most popular free website malware and security scanner. You can do a quick test for Malware, Website blacklisting, Injected SPAM and Defacements.

SUCURI also clean and protect your website from online threats and works on any website platforms including WordPress, Joomla, Magento, Drupal, phpBB, etc.

Qualys SSL Labs, Qualys FreeScan

SSL Labs is one of most used tools to scan SSL web server. It provides in-depth analysis of your https URL including expiry day, overall rating, Cipher, SSL/TLS version, Handshake simulation, Protocol details, BEAST and much more.

If you are running a secure (https) website, you shouldn’t wait anymore to do a quick test.


FreeScan test website for OWASP Top Risks and malware, against SCP security benchmark and much more.  You need to register a free account to perform this scan.

Refer to my another post to find out SSL/TLS specific vulnerabilities.


Quttera check website for malware and vulnerabilities exploits.


It scans your website for malicious files, suspicious files, potentially suspicious files, phishTank, Safe Browsing (Google, Yandex) and Malware domain list.


Detectify is a SaaS-based website security scanner. This got 100+ automated security tests including OWASP Top 10, malware and much more.

Detectify provider 21-day free trial and you must register to perform security scan against your website.


SiteGuarding helps you to scan your domain for malware, website blacklisting, injected spam, defacement and much more.

The scanner is compatible with WordPress, Joomla, Drupal, Magento, osCommerce, Bulletin and another platform.


SiteGuarding also helps you to remove malware from your website so if you are website is affected by viruses, they will be useful.

Web Inspector

Web Inspector scans your site and provides thread report including Blacklist, Phishing, Malware, Worms, Backdoors, Trojans, Suspicious frames, Suspicious connections.

So, go ahead and run a scan to find out whether it is malicious or not.



Acunetix analyzes complete website for more than 500 vulnerabilities including DNS and network infrastructure from Acunetix servers.

They provide free 14 days trial, and you can register and validate your domain as explained here before the security scan.

Asafa Web

AsafaWeb offers quick scan results of Tracing, Custom errors, Stack trace, Hash DoS Patch, EMLAH log, HTTP Only Cookies, Secure Cookies, Clickjacking and much more.


Netsparker Cloud

Netsparker Cloud is an enterprise web application security scanner which scans for more than 25 critical vulnerabilities. Netsparker is free for open source project else you can request for the trial to run the scan.

You may refer my step-by-step guide on how to register for an account and perform the scan.

UpGuard Web Scan

UpGuard Web Scan is external risk assessment tool uses the publicly available information to grade on various factors including SSL, Clickjack attack, Cookie, DNSSEC, Headers,  etc. It’s still in beta but worth trying out.


Tinfoil Security

Tinfoil security first audits your website against top 10 OWASP vulnerabilities and then other known security holes. You get an actionable report and an option to re-scan once you are done with necessary fixes.

Entire setup will take around 5 minutes, and you can scan even if your website is protected or behind single sign-on.


One of the essentials for security is to monitor them, so you get notified whenever it’s down or hacked.

While above tools help you to scan your website on-demand you may also wish to schedule them for an automatic security scan.

I hope above list helps you to perform security scanning against your website.

24 thoughts on “12 Online Free Tools to Scan Website Security Vulnerabilities & Malware”

  1. Very informative post and it was quite helpful to me. I also wrote something on similar lines on best security testing tools.

  2. Hello Chandan,

    How are you? I am doing seo from almost 3 months, and before few days my site was hacked but now that issue has been resolved. But now getting 404 errors in my webmaster. please tell me how to fix that 404 erros from website. how to remove unwanted files from websiteplease tell me. I just want to remove that hacked files from my website..!! how to remove?

    1. Chandan Kumar

      Hello Sunita,

      It’s bit manual and lengthy process and differ from server to server. You may opt for service from SUCURI which helps in cleaning malware and recover from hacked website.

  3. Thanks for the list I am in fact using another company that does not listed and I believe it can provide an added value to add it to your list of company that provide both web application vulnerability scanner and malware detection, http://www.gamasec.com a company that provide a very good level of expertise providing both reports and option of remediation services
    Thanks D

  4. Hi Chandan I hope you are doing great.Actually I am facing some issues while I tested application on IBM web app scan There are two issues are left over.One is remove test scripts from server and second is to use only http cookie.
    How can I remove these two vulnerabillity from my application.Help me out .

Leave a Comment

Your email address will not be published. Required fields are marked *