iThemes Security Pro automatically scans your site for multiple types of vulnerabilities, including:
- Google Safe Browsing Status (whether Google has flagged your site as containing malware)
- Vulnerable Plugins
- Vulnerable Themes
- WordPress Core Vulnerabilities
- Site Blacklist Status
- Site Errors
To enable automatic scanning, navigate to the security settings, and click the toggle switch button to enable Site Scan Scheduling.
After enabling the Site Scan Scheduling feature, your site will receive daily scans.
You can force a manual site scan by clicking the Scan Now button on the Site Scan card located in your iThemes Security Pro Dashboard.
You can manage the emails generated by the Site Scanner in the Notification Center.
You can view the results of previous Site Scans in the iThemes Security Logs.
What to do when the site scan finds a vulnerability
If the Site Scan finds a vulnerability, it isn't necessarily a cause for concern. However, you may need to do a little investigating to determine what action you should take. Here are some steps you can use to resolve the vulnerability.
Check for an Update
When a security researcher discovers a vulnerability, they will contact the plugin or theme developer to give them time to apply a fix before sharing their findings with the public. After the developer releases a fix for the vulnerability, the security researcher will then publicly disclose it. As a result, most vulnerabilities found by the Site Scan will already have an update with a fix available.
The first thing to do when a vulnerability is found is to look for an update.
How to Enable Automatic Vulnerability Patching
The Site Scanner integrates with the iThemes Security Pro Version Management feature to automatically update vulnerable software when a patch is available.
To enable automatic vulnerability patching, navigate to the iThemes Security Pro settings, open the Configure section -> Site Check, click the Version Management tab, and check the box for “Auto Update If Fixes Vulnerability” in the Protection section.
What if I still receive a vulnerability warning after updating?
There are a few different reasons you may still receive a vulnerability warning after updating:
- The update didn't include a fix for the vulnerability.
- The vulnerability has been patched but the iThemes Security Vulnerability Database hasn't been updated.
- You have a staging instance or a copy of the old site somewhere. Scans can still run there and send you vulnerability emails from the copy/staging site rather than from the actual live site.
You can look at the changelog or reach out to the developer to find out if the update included a fix for the security vulnerability.
Muting Vulnerability Notifications
There can be a delay between when a patch is available and the iThemes Security Vulnerability Database updating to reflect the fix.
In this case, you can mute the notification so you no longer receive alerts related to the vulnerability: run the site scanner manually from iThemes Security > Dashboard and click the vulnerability itself. This will redirect you to a page where you can mute the vulnerability.
Important: You should only mute a vulnerability notification once you have confirmed your current version includes a security fix or the vulnerability doesn't affect your site.
Please note, it can take a couple of seconds before the mute button appears.
Why Don't I See an Option to Mute a Security Vulnerability?
Web browsers like Chrome and Safari require sites to have an SSL certificate installed to receive requests back to the site.
If your site doesn't have an SSL certificate installed, your browser will block requests made from the iThemes Security Pro server back to your site. This means that your browser's security is preventing the Mute vulnerability button from displaying.
Learn more: What SSL Is and Why Is It Critical in 2020
You can install an SSL certificate on your website to satisfy your browser's security requirements and display the Mute vulnerability option.
Having SSL enabled for your site will add a very strong layer of security to your site. Ask your host if they provide SSL certificates to their customers.
Check out Cloudflare for a free SSL certificate if your host doesn't provide one.
What if there is not a fix for the vulnerability?
If there is not a fix available for the security issue, you should remove the plugin or theme until the developer has issued a patch.
What if the Vulnerability Scanner reports a vulnerability for a plugin that shares the same name with a plugin installed on my site?
There are multiple plugins that share the same generic plugin slug, such as gallery or carousel. Unfortunately, if one of the many generically named plugins has a vulnerability, the site scanner has no way to differentiate the plugins, and all plugins sharing that slug will be flagged as vulnerable.
If you have a generically named plugin installed on your site and receive a vulnerability alert for a different plugin with the same name, you can mute the vulnerability notification to not receive any future alerts.
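The following Python script is an added example, not iThemes Security Pro's own code, that illustrates two points from this page: why a plugin can still be reported after an update (the installed version predates the "fixed in" version, or no fix exists yet), and why a slug-only lookup flags a different vendor's plugin that happens to use the same slug. The plugin header and the vulnerability records are constructed sample data; the assumption that a vulnerability record carries the vendor's Plugin URI is the example's own, since the page does not describe the database format.

```python
import re

# Constructed sample: the header block WordPress reads from a plugin's main
# PHP file. Only the Plugin URI and Version lines matter for this example.
INSTALLED_PLUGINS = {
    # directory slug -> source of the plugin's main file
    "gallery": """<?php
/**
 * Plugin Name: Gallery
 * Plugin URI: https://example.invalid/acme-gallery
 * Version: 1.4.2
 * Author: Acme (constructed)
 */
""",
}

# Constructed vulnerability records (assumed shape, not the iThemes database
# format): slug, the vendor's Plugin URI, and the first version containing the
# fix. fixed_in=None means no fix has been released yet.
VULN_RECORDS = [
    {"id": "VULN-A", "slug": "gallery",
     "plugin_uri": "https://example.invalid/other-gallery", "fixed_in": "2.1.0"},
    {"id": "VULN-B", "slug": "gallery",
     "plugin_uri": "https://example.invalid/acme-gallery", "fixed_in": "1.4.0"},
    {"id": "VULN-C", "slug": "gallery",
     "plugin_uri": "https://example.invalid/acme-gallery", "fixed_in": None},
]

# Matches "Key: value" header lines, ignoring the leading comment decoration.
HEADER_RE = re.compile(
    r"^[\s*#/]*(Plugin Name|Plugin URI|Version|Author):\s*(.+?)\s*$", re.MULTILINE
)


def parse_plugin_header(php_source):
    """Return the standard header fields found in a plugin's main file."""
    return {key: value for key, value in HEADER_RE.findall(php_source)}


def version_key(version, width=4):
    """Fixed-width numeric tuple for comparing dotted versions (1.9 < 1.10, 2.1 == 2.1.0)."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple((parts + [0] * width)[:width])


def is_affected(installed, fixed_in):
    """A record applies if no fix exists yet, or the installed version predates the fix."""
    if fixed_in is None:
        return True
    return version_key(installed) < version_key(fixed_in)


def flag_vulnerabilities(slug, php_source, records, match_uri=False):
    """Return ids of records that apply to the installed plugin.

    match_uri=False mirrors a slug-only lookup: every record with the same slug
    is considered, so another vendor's plugin using the same slug is flagged too.
    match_uri=True additionally requires the Plugin URI to agree.
    """
    header = parse_plugin_header(php_source)
    flagged = []
    for record in records:
        if record["slug"] != slug:
            continue
        if match_uri and record["plugin_uri"] != header.get("Plugin URI"):
            continue
        if is_affected(header["Version"], record["fixed_in"]):
            flagged.append(record["id"])
    return flagged


if __name__ == "__main__":
    source = INSTALLED_PLUGINS["gallery"]
    print("slug only:", flag_vulnerabilities("gallery", source, VULN_RECORDS))
    print("slug + URI:", flag_vulnerabilities("gallery", source, VULN_RECORDS, match_uri=True))
```

With slug-only matching the installed Gallery 1.4.2 is flagged for VULN-A (a different vendor's plugin, the false positive the page describes) and VULN-C (no fix yet, so the page's advice to remove the plugin applies); VULN-B is not flagged because 1.4.2 already includes the fix. Requiring the Plugin URI to match drops VULN-A, which is the distinction a user makes manually before muting a same-name alert.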