After we shipped the Website Analyzer last month, a few people asked if we had anything similar for security. The Analyzer is great for SSL, headers, and tech stack - but it doesn't tell you if a page has been compromised.
So we built the Security Scanner. Paste a URL, hit scan, and it'll check the page for malware signatures, phishing patterns, defacement, scareware, and a bunch of other unpleasant things. Takes about 2 seconds. Free. No account needed.
How It Works
The scanner fetches the page content and runs it through pattern matching across 8 categories of threats. The categories range from critical stuff (Google ban indicators, hack signatures, hosting suspension notices) down to medium-severity signals (urgency language, obfuscated JavaScript, base64-encoded content).
The really nasty things the scanner looks for include "hacked by" defacement signatures - which are depressingly common on WordPress sites with outdated plugins - and phishing patterns like "verify your account" or "unusual activity detected." It also catches those scareware pages that tell your grandma her computer has a virus and she needs to call "Microsoft support" immediately.
Each pattern match adds a weighted score based on severity. Critical findings like Google ban language or defacement signatures weigh heavily. Medium-severity stuff like urgency phrases ("act now", "final warning") adds less. The total gives you a threat score out of 100.
Reading the Results
You get one of three statuses. Clean (0-19) means nothing raised flags. Warning (20-49) means some patterns matched but it might be innocent - this happens a lot with security blogs and antivirus docs because they're talking about phishing rather than actually doing it. Threat (50+) means multiple high-severity patterns matched and you should take it seriously.
Below the score you'll see every individual detection - the category, what pattern matched, severity, and how many points it added. So you can immediately tell whether the scanner flagged something genuinely concerning or whether it just got excited about a booking widget that happens to contain the words "your account."
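To make the weighted scoring and status bands concrete, here is a minimal sketch of this kind of content scan. It is an added example, not the Security Scanner's own code: the regexes, the point weights and the "high" severity tier are assumptions, and the sample pages are constructed.

```python
import re

# Hypothetical rule set: (category, severity, points, regex). Patterns and
# weights are assumptions for illustration, not the scanner's real rules.
RULES = [
    ("defacement", "critical", 40, r"\bhacked\s+by\s+[\w.-]+"),
    ("phishing", "high", 25, r"verify your account|unusual activity detected"),
    ("scareware", "high", 25, r"your computer has a virus"),
    ("urgency", "medium", 10, r"\b(act now|final warning)\b"),
    ("obfuscated_js", "medium", 10, r"eval\s*\(\s*(atob|unescape)\s*\("),
    ("base64_blob", "medium", 10, r"[A-Za-z0-9+/]{200,}={0,2}"),
]

def scan(content):
    """Return (score, status, detections) for one page body."""
    detections = []
    for category, severity, points, pattern in RULES:
        m = re.search(pattern, content, re.IGNORECASE)
        if m:
            # A rule scores once per page, so a repeated phrase cannot inflate the total.
            detections.append({"category": category, "severity": severity,
                               "match": m.group(0)[:60], "points": points})
    score = min(100, sum(d["points"] for d in detections))
    # Status bands from the article: Clean 0-19, Warning 20-49, Threat 50+.
    status = "Clean" if score < 20 else "Warning" if score < 50 else "Threat"
    return score, status, detections

# Constructed sample pages (not real sites).
DEFACED = "<h1>Hacked by example-crew</h1><p>Final warning: act now.</p>"
SECURITY_BLOG = "<p>Phishing emails often ask you to 'verify your account'.</p>"
BOOKING = "<p>Contact now to book a table. Open 9 to 5.</p>"

if __name__ == "__main__":
    for name, page in [("defaced", DEFACED), ("blog", SECURITY_BLOG), ("booking", BOOKING)]:
        score, status, found = scan(page)
        print(f"{name}: {status} ({score}/100)")
        for d in found:
            print(f"  [{d['severity']}] {d['category']}: {d['match']!r} +{d['points']}")
```

The constructed blog sample lands in Warning on a single phishing phrase, which is the false positive described above for pages that discuss phishing; the word boundaries on the urgency rule keep "Contact now" from matching "act now".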
Google Safe Browsing
The scanner also checks URLs against Google's Safe Browsing database when available. This is the same database Chrome uses for those red "Deceptive site ahead" warnings. If Google's already flagged the URL, you'll see that even if our content scan came back clean.
It works the other way too. Our pattern matching catches things Google hasn't flagged yet - especially fresh compromises and defacement that hasn't made it into Google's database. The two approaches complement each other nicely.
The WAF Problem (and Browser Rendering)
One annoying limitation with any URL scanner: sites behind Cloudflare or similar WAFs will sometimes return a JavaScript challenge page instead of actual content. Scanning a bot challenge page is about as useful as scanning a blank piece of paper.
If you hit this, toggle on Browser Rendering. It loads the page in a headless browser that handles JavaScript challenges, so you get the real page content to scan. Slower (a few seconds vs instant), but it actually works on protected sites.
When I Actually Use This
Honestly, I scan my own sites with it periodically. Partly because I'm paranoid, partly because supply chain attacks through third-party code are genuinely common. If a WordPress plugin or a CDN-hosted script gets compromised, the scanner catches the injected patterns before Google does.
I also use it before linking to anything. If I'm about to recommend a tool or resource on the blog, I'll scan the URL first. Linking to a compromised page is embarrassing at best and an SEO disaster at worst.
For affiliate marketers, it's useful for vetting offer pages. If something looks dodgy, scan it before you send traffic. A compromised offer page isn't just bad for conversions - it reflects badly on everyone in the chain.
Continuous Scanning
The one-off scanner is handy, but the same detection engine also runs automatically on your monitors. Every HTTP and keyword monitor in WebMon can run content security scans on each check cycle. If a page that was clean this morning starts showing hack signatures this afternoon, you get an alert without having to remember to scan manually.
What It Won't Catch
I should be upfront: the scanner is pattern-based. It's looking for known indicators - phrases, code patterns, signatures. It catches the common stuff well, but it won't detect a zero-day exploit with no known signature, heavily obfuscated malware that doesn't match any pattern we know about, or drive-by downloads that only trigger for specific browsers.
It's a health check, not a full security audit. If it flags something, investigate. If it comes back clean, that's a good sign, but it's not a guarantee that nothing's wrong. No scanner can make that promise.