Ask Sucuri: How does SiteCheck work?


If you have any questions about malware, blacklisting, or security in general, send them to us and we will answer here. For all the “Ask Sucuri” answers, go here.

Question: How does SiteCheck work? I just scanned a site that I think is compromised but the scanner is showing it as clean. Is my site really clean or did you make a mistake?

Answer: SiteCheck is our free, remote website scanner that works to identify if the provided site is infected with any type of malware (including SPAM) or if it’s been blacklisted or defaced.

Sounds simple, but being able to identify these issues remotely (without server access) is a very complicated task, and that’s why we do not guarantee 100% accuracy. If you see the “All clear” (green) result, it just means that when we scanned we couldn’t see anything malicious.

Sucuri SiteCheck is a free & remote scanner. Although we do our best to provide the best results, 100% accuracy is not realistic, and not guaranteed.

How SiteCheck works

SiteCheck is a remote scanner. It visits your site like an everyday user or search engine bot would and verifies if any of the pages have malicious code. In its simplest form, this is how it works:

  1. We visit the main page and extract the list of links, JavaScript files and iframes.
  2. We re-visit the main page acting as a search engine bot.
  3. From the links we extract, we select 8-10 of them and visit them using different referrers and user agents.
  4. We extract and scan all JavaScript files and iframes present.
  5. We run all those pages/links against our large malware database and perform multiple anomaly checks, comparing results between different user agents/referrers to see if there is anything hidden.
  6. We also check all the included resources against multiple blacklists to see if there is anything being flagged by others or that we identified on other compromised sites.

As you can see, we only have access to what is visible in the browser. If you have a hidden backdoor inside your wp-content/uploads, or a core file that doesn’t render content in the browser, SiteCheck will not detect anything malicious. This means it might not detect the following:

  • Phishing pages that are only known to the attacker but have no direct links
  • Hidden links or spam injections that we can’t confirm were inserted by an attacker

There is one other very important condition that could impact the scanner’s detection: conditional malware. Many new, sophisticated strains of malware apply rules to every visit by a user. Those rules dictate when something does, or does not, display. The rules vary: some only display to Google IPs; some display only once a day, once per IP, once a week, or under specific conditions in the client’s local configuration.
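The comparison in steps 2, 3 and 5 above, sketched as an added example (not Sucuri's code): the same URL is fetched under several visitor profiles, and any link, script or iframe served to one profile but not to a plain browser visit is flagged. The function names, profile labels and HTML responses are constructed for illustration, and the responses are embedded so the check runs offline.

```python
from html.parser import HTMLParser


class ResourceExtractor(HTMLParser):
    """Collect link targets, script sources and iframe sources from one page."""
    ATTRS = {"a": "href", "script": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.resources = set()

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)          # None for tags we do not track
        for name, value in attrs:
            if name == wanted and value:
                self.resources.add((tag, value))


def extract(html):
    parser = ResourceExtractor()
    parser.feed(html)
    parser.close()
    return parser.resources


def cloaked_resources(responses, baseline="browser"):
    """Map each profile to the resources it received that the baseline did not."""
    base = extract(responses[baseline])
    findings = {}
    for profile, html in responses.items():
        extra = extract(html) - base
        if profile != baseline and extra:
            findings[profile] = sorted(extra)
    return findings


# Constructed responses for one URL under three visitor profiles (hypothetical).
COMMON = '<a href="/about">About</a><script src="/js/site.js"></script>'
SAMPLE = {
    "browser": COMMON,
    "search_bot": COMMON + '<a href="http://spam.example/pills">pills</a>',
    "search_referrer": COMMON + '<iframe src="http://redirect.example/in.php"></iframe>',
}

if __name__ == "__main__":
    for profile, extra in cloaked_resources(SAMPLE).items():
        print(profile, extra)
```

A single pass like this only catches rules keyed on user agent or referrer; payloads shown once per IP, once a day or only to specific IP ranges produce identical responses across the profiles and are reported as clean.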

Complementing SiteCheck

Because of some of these challenges, we introduced server-side scanning for all paying clients (included in all our plans). This scanner crawls all files in your website directory and works to identify hidden backdoors, phishing pages, malware injections, spam and other conditional-type infections. The two scanners complement one another: each is designed to detect certain things and helps verify what the other catches.

Another benefit of our server-side scanning is that it generates an audit trail of any file changes, allowing us to see exactly when a compromise happened.

When you couple that with our manual audits (done by our support team and included in all our plans), you start building a very high level of detection confidence in all the sites we monitor.


We hope this clarifies how SiteCheck works, but if it does not, please ask more questions and we will be happy to respond. A very important thing that all clients need to understand is that our remediation services are not restricted to what we do detect. If at any time you feel you may be compromised you are never more than one support ticket away from us manually hunting it down and removing it for you.

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source project OSSEC HIDS. His interests range from intrusion detection and log analysis (log-based intrusion detection) to web-based malware research and secure development. You can find more about Daniel on his site or on Twitter: @danielcid

  • Brad Dalton

    A lot safer for WordPress users to install a plugin like Website Defender or Wordfence which will help prevent hacking in the first place.

    These 2 plugins also alert you if there are any changes in files and include other security features like limit login attempts which will help prevent brute force attempts to hack into your installation.

    These plugins also enable deeper detection of threats because they are installed on the server side.

    Web based security scanning is limited and not reliable which can provide a false sense of security.

    Thanks for writing this article Daniel and clearing up any confusion.

    • Daniel Cid

      Glad to help. Those plugins are indeed very useful and recommended. Our Premium WordPress plugin (available to all our clients) has similar options, which include WAF (web application firewall), audit logs (yes, showing every activity inside WordPress) and integrity monitoring (detecting file changes). More info here:

      So yes, lots of good choices.


    Thank you for the clarification Daniel. We offer the WordPress plugin to all our customers and it is a great defense mechanism.

    Your server-side scanner is also very effective.

    Thank you for keeping ClickHOST and our customers safe!

    Cheers, Carel.

  • Thomas Zickell

    I put the plug-in on every site I make or do work on that uses WordPress. For the sites that do not, I use Sucuri. I wanted to ask if you guys had any thoughts about FireHost?
