Gravityscan Blog

Updates on website security and what's going on in our universe.

Introducing Gravityscan

This entry was posted in News on May 16, 2017 by mark. 47 Replies

This morning I am incredibly excited to introduce you to a project that the Wordfence team has been working on for almost a year. A few moments ago we officially launched Gravityscan, a malware and vulnerability scanner that works on any website.

Gravityscan is free. You don’t need to install any software to use it. Simply visit the Gravityscan site and enter your website URL. Then hit the “Launch Scan” button and Gravityscan will start examining your website to find out if you have been hacked, or if you have any security vulnerabilities. Go and run your first scan now! I’ll be here when you get back.

A Malware and Vulnerability Scanner for Websites

Gravityscan is designed specifically for websites. It is smart enough to detect if you are running WordPress, Joomla, Drupal, Magento or vBulletin. Then it carefully examines each of those applications you have installed to find out if they have any vulnerabilities. It even detects the extensions you are running in each application and checks them for vulnerabilities.

Gravityscan also performs a comprehensive scan for malware on your site. It does a great job if you simply run a regular scan on any website. If you want a deeper analysis and to have your scan run faster, simply drop the free Gravityscan Accelerator into your website root directory and the scan will examine your website source code. With Accelerator, scans are faster, broader and deeper. To use Gravityscan Accelerator, all you need is a website that can run PHP. Accelerator can scan any website source code for patterns that indicate a malware infection.

Gravityscan includes advanced vulnerability detection for WordPress, Joomla, Drupal, Magento and vBulletin with the ability to perform a deep scan on those applications and identify security problems and vulnerabilities in the specific version of each application, extension and plugin. Even if you aren’t running one of our supported web applications, Gravityscan does an excellent job of locating malware and other security problems on any website.

Wordfence users can benefit from Gravityscan’s extensive vulnerability scanning. If you are using the Wordfence firewall to stop attackers, we highly recommend you also use Gravityscan to scan the rest of your site for vulnerabilities. You can learn more about how Wordfence and Gravityscan work together on this page.

Security for Search Engine Optimization

Security is now a ranking signal for Google. If you want to be number 1 in your category, you better ensure that your website is secure. That means you need to ensure your website is free of any links to malicious sites and is free of malware.

In addition to scanning for malware, Gravityscan analyzes the links on your site. Gravityscan checks your links against blacklists and will alert you if you are linking to a website with a bad reputation that could hurt your search ranking.

Gravityscan even visits the sites that you are linking to in order to perform a brief scan on them to make sure they are not infected with malware or something that could hurt your reputation.

Gravityscan also checks for your site on over 20 blacklists to make sure you’re not listed. Landing on a single blacklist can significantly impact your SEO rankings and your ability to send email.

Faster and Deeper Scans, for Free

Gravityscan provides an optional Accelerator that is a single PHP file you drop into your website home directory. Accelerator allows Gravityscan to scan your website source code in case there is any hidden malware on your site. It also allows Gravityscan to perform a more extensive check for vulnerabilities.

Accelerator is completely secure and uses strong public key encryption to ensure that only our servers can access your site during a scan. Accelerator also lives up to its name because it massively speeds up scans and improves accuracy.

Gravityscan Accelerator is available at absolutely no charge.

We Reinvented Vulnerability and Malware Scanning

Gravityscan was built from the ground up using new technology that incorporates non-blocking IO, advanced message queuing and WebSockets. That means that we can support thousands of customers performing scans at high speed with low operational impact. This allows us to give away most of Gravityscan to you, completely free. You can perform a full malware and vulnerability scan on your site using Gravityscan Accelerator at absolutely no cost, as many times as you like.

More importantly, Gravityscan gives you real-time feedback as the scan is running. From the moment you start a scan, you receive real-time data about vulnerabilities and malware we find, streaming into your browser window.

Gravityscan’s efficient architecture and real-time output allowed us to create a scan that performs much deeper inspection on websites than the old click-and-wait model of scanning. The number of pages Gravityscan inspects during a scan is orders of magnitude higher than legacy malware scanners. We inspect thousands of pages while the most popular click-and-wait scanner inspects fewer than 30 pages.

Most importantly, Gravityscan has combined comprehensive vulnerability scanning and malware scanning into a single scan. Traditionally these functions have been separate.

Gravityscan is a world-class website security scanner that can answer two very important questions: “Have I been hacked?” and “Do I have any security problems?”

Created by a Team With a Deep Understanding of Website Security

Gravityscan is engineered by many of the same team members who helped architect Wordfence. Matt Barry, one of our lead developers on Gravityscan, wrote the Wordfence firewall that keeps millions of WordPress websites secure today. If you are a regular reader of the Wordfence blog, you will recognize a few other names on the Gravityscan team who are well known in the security community and have contributed to research and to Wordfence.

The Wordfence team collectively has incredibly broad and deep experience and knowledge of website security. Together they created Gravityscan to provide a way for website owners to determine if their website has been hacked or if it has any security holes.

I’m incredibly proud of the entire team. The Gravityscan Team are:

  • Dan Moen – Product Design and Product Manager
  • Kerry Boyte – Legal, Admin and Strategy
  • Matt Barry – Senior Developer
  • Sean Murphy – Senior Developer
  • James Yokobosky – Senior Developer
  • Gary Moon – Operations
  • Colette Chamberland – QA Lead
  • Matt Rusnak – QA Analyst
  • Robert McMahon – Development and QA
  • Brad Haas – SST Liaison
  • Tim Cantrell – Customer Service Strategy
  • Asa Rosenberg – Customer Service Strategy
  • Jonathan Kingsbury – SST Coordination
  • Kathy Zant – Copywriting and SST
  • Pan Vagenas – Security Analyst and Testing
  • Syndel Klett – Design and UX
  • Ed Foster – Website Development
  • Maciej Kocol – QA Analyst

I’d like to extend my special thanks to our senior developers Matt, Sean and James. Also Colette Chamberland who ran QA for this project. Special thanks to Gary Moon for architecting the operational environment for Gravity. Very special thanks to Dan Moen who helped bring Gravityscan into the world.

I would also like to give a special thanks to Ryan Britton who has been leading development on Wordfence while the Gravityscan project has been underway and Matt Rusnak who has been leading QA on Wordfence ensuring that we continue to deliver a high quality product.

Special thanks to the Wordfence Security Services Team for their contribution to testing Gravityscan including: Kathy, Brendan, David C, David M, Giles, Jonathan, Marco, Mohamed, Ned, Paolo and Stephen.

Finally thank you to the rest of the team for the various ways they contributed to this project.

This is Launch Day. We need your feedback!

As with any launch day, we may have to chase away a few gremlins that show up in the machine. Any feedback is very much appreciated. You can use our contact page to contact us. We encourage you to run your first scan right now! Then let your friends and family know about Gravityscan so that they can ensure their websites are safe and secure.

Mark Maunder – Wordfence Founder and CEO



47 Replies on "Introducing Gravityscan"

Bert Tammer May 18, 2017 at 9:18 am

Hi Mark,

Potentially a great product. Thanks very much.
However, I ran into problems after the install of Gravityscan and lost access to website wp-admin page.

I am a long time satisfied user of Wordfence, so I trusted the announcement of Gravityscan and decided to give it a try immediately.
Yesterday, before I installed Gravityscan I updated several plugins on my website, using the wp-admin page.
After that I installed Gravityscan and verified the ownership of the site (by placing the html file in the root). Next, I am not able to log into my wp-admin page again. In Firefox I receive nothing while with MS Edge and Vivaldi I receive an http 500 error. (WP Internal Server Error).

Please could you advise me how to solve this error OR how to revert the installation of Gravityscan?
Is it sufficient to click REMOVE SITE in the Manage Site page? Will all the files which have been adapted by Gravityscan be reverted to their original content?
It would be a pity if I have to go back to the situation before the install of Gravityscan, because I like the idea of such a vulnerability tool very much.

I already reported a bug via the site.

Kind regards,

mark May 18, 2017 at 4:51 pm

Hi Bert,

I think your site broke because of your plugin update. Not because of Gravityscan's Accelerator. The Accelerator is a single file that you put in the root of your website. If you don't want it there, just remove it from your site. It doesn't interact or interfere with WordPress in any way.


Martin Gallagher May 17, 2017 at 3:48 pm

I'm a bit concerned about

Your scan says I'm blacklisted by them, when I visited their site and checked my IP it says no other blacklisting occurs.

The site states I need to fill in the captcha to get de-listed. They do not show any such captcha or link on their very sparse site as to where I can enquire to get myself removed. bounced.

Having done a bit of research on justspam, I am finding many complaints. It appears that this site is just a collector of the data given by other DNSBL sites.

All my sites are clear. Should you be using justspam? as it appears from my research that they either don't communicate with queries presented by individuals or are just belligerent.

Whilst I am pro everything about security, I'm afraid your use of the justspam dnsbl in your program is the only downside to your service

Kindest respects, aye,

mark May 17, 2017 at 4:46 pm

Thanks Martin. We removed them after we received a raft of complaints just like yours. The issue was they don't have a removal process.


Berrie Pelser May 17, 2017 at 11:48 am

WOW this is great, much better than internal plugins that can slow the site down. Good work, again! Thx!

mark May 17, 2017 at 4:46 pm

Awesome, thanks Berrie.

Didier ROUX May 17, 2017 at 9:49 am

Excellent tool! I use Wordfence on all sites and Gravityscan will complete it.
Where could I find the "Site Errors" listed in the Scan Results?
The question mark on the left says: "Site Errors are HTTP requests to your website that failed unexpectedly during the current scan. Errors that prevent the scan from completing successfully will be listed in the Scan Results".
Maybe it is under my nose, but I could not figure where. Could you help?

mark May 17, 2017 at 4:46 pm

I want this too! We have a bug for it. I'll have the team up the priority on this.

J Hazel May 17, 2017 at 8:43 am

Big thank-you from a non-technical minder of two small non-commercial websites. In the first scan it found my sites were using a PHP version with vulnerabilities. Easy to fix, but something I would not have known about, without Gravityscan.
Can the scan be set for HTTPS?
Would be great if Help pages could explain items under 'HTTP Security Header information' and what to do about them, in simple terms.
Many thanks indeed!

mark May 17, 2017 at 4:47 pm

Thanks J! Will pass on this feedback.

nils May 17, 2017 at 8:09 am

A Wordfence scan flags the Gravity html file I uploaded as malicious.

Ron Frazier May 17, 2017 at 5:32 am

What is to keep someone from copying my gravityscan meta tag to their site and pretending to be me and getting my scan results?

What is to keep spammers from directing your scans at unrelated sites as a form of ddos attack?


mark May 17, 2017 at 6:23 am

Copying a meta-tag to another site would not give you access to someone else's scan results. You have an account on gravityscan. That account needs to prove site ownership to see vulnerabilities. We provide various methods to prove site ownership. Once you've proved ownership of a site, that is tied to your account. Copying a meta-tag or any other data to another site would achieve nothing.

We also limit the number of scans per site. We also require you to prove site ownership for sites with a higher amount of traffic or that are sensitive e.g. military, intelligence, government or well known like ebay, google, paypal, etc.
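
The reasoning in the reply above, modelled as a small added example (not Gravityscan's own code): it assumes the verification token is an HMAC over the account and hostname and that ownership is stored per account and site. The tag name, key, account names and hostnames are all hypothetical.

```python
import hashlib
import hmac
from html.parser import HTMLParser

# Assumptions for illustration: the tag name, key and token format below are
# hypothetical; the page does not document how Gravityscan builds its tag.
META_NAME = "example-site-verification"
SERVER_KEY = b"constructed-demo-key"  # stands in for a server-side secret


def issue_token(account_id, hostname):
    """Token shown to one account for one site: HMAC(key, account + host)."""
    msg = f"{account_id}\n{hostname.lower()}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def meta_tag(token):
    return f'<meta name="{META_NAME}" content="{token}">'


class _MetaFinder(HTMLParser):
    """Collects the content of every verification meta tag in a page."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == META_NAME:
            self.tokens.append((a.get("content") or "").strip())


class ScanService:
    """Ownership is recorded per (account, hostname) pair, never per tag."""

    def __init__(self, fetch):
        self.fetch = fetch  # callable: hostname -> home page HTML
        self.verified = set()

    def claim(self, account_id, hostname):
        # The page is fetched from the claimed host itself, and the token
        # must be the one issued to this account for this host.
        finder = _MetaFinder()
        finder.feed(self.fetch(hostname))
        expected = issue_token(account_id, hostname).encode()
        ok = any(hmac.compare_digest(expected, t.encode()) for t in finder.tokens)
        if ok:
            self.verified.add((account_id, hostname.lower()))
        return ok

    def can_view_results(self, account_id, hostname):
        return (account_id, hostname.lower()) in self.verified


def demo():
    # Constructed sites: mallory has copied alice's tag onto her own page.
    alice_tag = meta_tag(issue_token("alice", "alice.example"))
    sites = {
        "alice.example": f"<html><head>{alice_tag}</head></html>",
        "mallory.example": f"<html><head>{alice_tag}</head></html>",
    }
    svc = ScanService(lambda host: sites[host.lower()])
    return {
        "alice claims alice.example": svc.claim("alice", "alice.example"),
        "mallory claims alice.example": svc.claim("mallory", "alice.example"),
        "mallory claims mallory.example": svc.claim("mallory", "mallory.example"),
        "mallory sees alice's results": svc.can_view_results("mallory", "alice.example"),
    }


if __name__ == "__main__":
    print(demo())
```

Only the first claim succeeds: the copied tag neither verifies the copier's own site nor grants their account access to results for the original site.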


Michael Erb May 17, 2017 at 5:18 am

I'm having a love/hate relationship initially. I had no luck at first importing my Analytics managed sites into GravityScan. Later in the day it worked and I allowed 13 sites to be added to Gravityscan. One of my sites, a Drupal site, had 4 instances of malware installed and I was able to manually remove it but the guidance provided by Gravityscan was not sufficient for me to do this. I had to do further research online to complete the task. But I was thankful that Gravityscan alerted me to the fact that the malware was there. That same site had a multitude of other critical errors apparently related to Drupal and installed modules. Again, I was not aware of any of this so Gravityscan was helpful.

I am balking at the pricing. Yes the free version is nice, but who wants the less powerful version? Not me. But with over 30 sites under my wing, I can hardly afford $300/month for the service plus the additional cost for WordFence. You really need to rethink your pricing. You should offer a substantial discount for multi-site clients.

But I appreciate WordFence and Gravityscan. I feel somewhat relieved knowing that I have a better idea of the threats my websites are subjected to each and every day in this fast changing environment.

mark May 17, 2017 at 6:24 am

Thanks Michael. Great feedback! Hey, it's day one! We're still figuring this out and you guys are doing a great job helping us do that.

Michael Love May 17, 2017 at 4:41 am

Hi Mark,

Great work everyone! Super appreciate it. Getting error for TLD .website, can you add? Thanks

mark May 17, 2017 at 6:24 am

Will do. Thanks.

james thomson May 17, 2017 at 3:09 am

Analytics verification failed.
Uploaded the HTML file and worked fine

mark May 17, 2017 at 6:25 am

Thanks James.

Anne H May 17, 2017 at 1:53 am

Hi Mark,

First, I applaud your team for tackling this. Any tool that helps webmasters find/monitor issues is welcome. I also think the freemium model works well in this case.

I have several items for you apart from the kudos;-)

1. I'm a paid WordFence user. As I understand it, the difference is that GravityScan (GS) can crawl and analyze outside of the native WordPress folders. Correct?

In other words, GravityScan can traverse outward to other directories I might have on the server off of public_html, whereas WordFence looks at the Wordpress directory structure. This is important to me as we have some folks uploading email assets to a directory on the server, but outside of WordPress.

2. I've seen some comments here about Google verification etc. In my case, I saw multiple entries for one of my domains. I'm guessing your tool is scanning and finding multiple UA numbers per domain in this case. It didn't seem to be duplicating off of GA profiles. (Thank heavens)

3. I did turn in an issue/bug report on Content Security Policies (CSP). In some regards, I agree with the flagging but I think it needs to be more granular.

mark May 17, 2017 at 6:26 am

Thanks Anne. Yes, we scan absolutely everything on your system. Wordfence focuses on WordPress, although it does provide the option to scan outside your WP folders if you enable that in Wordfence options. Gravity has built in support for a range of other PHP applications and, most importantly, also scans for vulnerabilities in absolutely everything. Wordfence will just tell you about theme and plugin vulnerabilities in WordPress.


Chris Gatcombe May 17, 2017 at 1:30 am

I just copied the .html_file_with_a_long_name over to two domains I have control over and then ran my first scan. One came up clean, with no errors (a few minor things I'm not bothered about), and the other said there is a 'bad internal link - 404 :$url'. What does this mean exactly?

Thanks for introducing a useful tool.

mark May 17, 2017 at 6:27 am

Looks like you have that link somewhere on your site Chris. Did it provide a page where it found that link? If gravityscan did, I'd suggest you view source to find it.


Brian Atkins May 16, 2017 at 11:17 pm

With a pro version of Wordfence, what's the advantage to have Gravityscan pro? Shouldn't this be covered by a Wordfence pro scan?

mark May 17, 2017 at 6:29 am

Gravityscan scans all your applications, not just WordPress. It also provides comprehensive vulnerability scanning. Wordfence will only tell you about vulnerabilities in WordPress. Gravityscan can find vulnerabilities in WordPress, Drupal, Joomla, vBulletin and more including Nginx and Apache.

Olibroman May 16, 2017 at 10:56 pm

Great service. Thank you.

We use Cloudflare firewall. Even after following the instructions to set the security to lower than High and whitelisting the IP ranges, we still get "Detected CloudFlare blocking requests" error.

mark May 17, 2017 at 6:30 am

Thanks. Please log a support ticket via our contact page and our team will get right on it.

George G May 16, 2017 at 8:35 pm

the basic premise of GS...great timing given recent world news. But it doesn't seem to like Cloudflare...even when in DevMode...AND when whitelisted at server level...AND when whitelisted in Wordfence.

What else can be done to circumvent "Detected CloudFlare blocking requests"???

mark May 17, 2017 at 6:31 am

Thanks George. Please open a support request on our contact page and our team will help. Thanks.

Ron Frazier May 16, 2017 at 8:12 pm

Hi Mark,

Great product. Thanks very much.

My website works in safe or managed mode from 1and1. I cannot put any files in the file system directly. Would it be possible to install the accelerator as a plugin through the control panel?

I had to tinker with the settings in my theme to add the verification tag. I was unable to figure out a way to put the meta tag only on the home page, since the home page is dynamic every time a new post is added. Essentially, there is no home page as such, not in the static sense. However, I did figure out a way to add it to every page, including the home page, using a setting within the theme. It still worked.

I suggest also adding a verification method which involves adding a text record to the site's dns record.



mark May 16, 2017 at 8:16 pm

Thanks Ron for the feedback. For support questions, please visit our contact page and use that to open a support ticket.


Jerry Haugen May 16, 2017 at 8:00 pm

I also couldn't get the Google verification to work. Seems like it should give me a list of properties so I could choose the applicable one, but it didn't. The download/upload file worked fine for me.

mark May 16, 2017 at 8:15 pm

Hi Jerry,

Please use the contact page on this site to open a ticket. That way we can keep track of your request.


Jerry Haugen May 16, 2017 at 7:56 pm

Great job! The user interface works perfectly and requires no particular expertise. I was able to install the Accelerator and it works wonderfully. I tried it out on one site and it reminded me of an old, unused, Wordpress installation that I was able to delete. The scan then came up clean - except for that pesky current WP issue and header issues.

One slight change that might make it easier for the user is when you identify an old Wordpress version, highlight that as the error then list all the associated problems behind the error so they aren't visible until the user expands the section. That way, one error that's easy to fix doesn't become an overwhelming number of errors that may cause a newbie to give up.

With regard to header issues:

Content-Security-Policy: CSP not found on this site
Cookies: Cookies not set on this site
Public-Key-Pins: HPKP not set on this site
Strict-Transport-Security: HSTS not set on this site
X-Content-Type-Options: X-Content-Type-Options not set on this site
X-Frame-Options: X-Frame-Options is not set on this site
X-XSS-Protection: X-XSS-Protection is not set on this site

Can you do a blog post or something to explain how to deal with these issues?

Thanks for another helpful security system!

mark May 16, 2017 at 7:57 pm

Thanks Jerry. That's all great feedback. Passing it on.

Mama Fortuna May 16, 2017 at 6:28 pm

Site verification through Google Analytics did not work, although it did ask me to log in, and I have Google Analytics for my site. I'm in WordPress and my home page does not show a tag, so I entered it at the top of the page and saved the page; that didn't work to verify either. My site hosting is managed, and uploading a file to a specific folder is not going to happen, so the other methods won't work either.

daniel May 16, 2017 at 7:45 pm

Same, I'm unable to verify with any method on my VPS

mark May 16, 2017 at 7:47 pm

Hi Daniel,

Did you try google analytics?

daniel May 16, 2017 at 10:24 pm

Yes 'site verification failed' tried them all.

mark May 17, 2017 at 6:30 am

Please open a support ticket on the contact page. We have thousands of sites that successfully verified today, so this is working and our team will work through the specific issue you're having. Thanks.

mark May 16, 2017 at 6:47 pm

Thanks. Site verification is about as easy as we can make it at this point. However we have gotten a lot of questions about this so I'm having the QA team revisit it and we'll see if there is something we can improve.


Rich Stern May 16, 2017 at 5:53 pm

Love that you guys are making a tool for this, but it's not quite ready for Prime Time.

I scanned two fully patched, up to date sites (WordPress 4.7.4). On one site, Gravityscan reported many critical vulnerabilities, apparently based solely on the presence of the 4.7 readme.html file.

The two sites I scanned, on separate, lightly loaded, high performance servers, Gravityscan is reporting connection errors at its lowest scan rate. I'm watching the servers as the scan is going on, and neither is under any kind of significant workload. Not sure why Gravityscan would be reporting connection errors.

mark May 16, 2017 at 6:49 pm

Thanks Rich. If you can share a screenshot that would help.

Either way, I'm having our QA lead focus scans on a generic site with the newest WP installed to see what the results look like and if there's anything we can improve.

You can ignore the connection errors. That message actually means several things including I think 404 page not found errors. So I'm having our lead dev on the scan engine look at that and A) make it less noisy and B) dial down the sensitivity.


Jack Enright May 16, 2017 at 5:45 pm

The site looks great, especially for a new release. I'm just curious about the zero day for WordPress: how bad is this?

mark May 16, 2017 at 6:50 pm

Catalin Cimpanu at BleepingComputer has provided a decent writeup:

Jack Enright May 16, 2017 at 11:35 pm

Thanks. I noticed 4.7.5 was just released, and the scan no longer gives this error, although I'm not 100% sure it was actually patched by reading the WP release notes.

mark May 17, 2017 at 6:28 am

It wasn't. They never fixed the host header vulnerability with this release.

We also suspect they may have fixed at least one vulnerability silently and will announce that in a couple of weeks. It wouldn't be the first time.
