How to scan / check my website is safe from the internet?

Hi, I have a Cloudflare hosted website (WordPress built). Looking at doing a company audit, so the question came up about how to scan our own company website for vulnerabilities. It’s obvious I can’t just point a scanner at my host IP as that is IRL Cloudflare's front-end IP, so how do I scan or vulnerability check my webserver that sits behind the Cloudflare IP?

Regards, Paul

From the topic title, here is the list of the available free & online tools:

As I understand, you have a website which is hosted at your hosting provider/server. The website is also using the WordPress CMS, and you are using the Cloudflare service for your domain/website, correct? Kindly correct me if I am wrong.

Regarding WordPress, I recommend using the Cloudflare service (the Pro plan would be best), but in some cases a WAF plugin like Wordfence or some other is also recommended:

May I ask whether you will perform those scans over Cloudflare IP addresses (your domain being proxied via Cloudflare, DNS records being :orange: cloud), or directly on your origin IP address (DNS records being :grey: cloud)?

There are some online tools, free and some paid, to do that.

Therefore, I would strongly recommend hiring an expert or a company who is actually allowed to do the testing and audit, either to prepare your company for the ISO 27xxx family certification process or GDPR compliance, or even a risk analysis/audit.

While you are using the Cloudflare service, you have many security options available to you, even on the Free plan, like Security Level, Firewall Rules, User-Agent blocking, DDoS mode, Browser Integrity Check, SSL/HTTPS, HSTS, Bot Management, IP Access Rules, Country blocking, Rate limiting and more.

Here are useful articles about them:
https://support.cloudflare.com/hc/en-us/articles/115002059131-Understanding-your-site-protection-options

https://support.cloudflare.com/hc/en-us/articles/200170056-Understanding-the-Cloudflare-Security-Level

https://support.cloudflare.com/hc/en-us/articles/200170076-Understanding-Cloudflare-Under-Attack-mode-advanced-DDOS-protection-

https://support.cloudflare.com/hc/en-us/articles/200170086-Understanding-the-Cloudflare-Browser-Integrity-Check

While the Pro plan offers even more, and you can enable the Managed Web Application Firewall - the huge set of rules which does the job you actually need - it can be activated with just a single click :wink:

https://support.cloudflare.com/hc/en-us/articles/200172016

Some more information about scanning:


Yes, your analysis is correct. I did realise that we couldn’t just “scan” the IP as it belongs to Cloudflare, so I asked a scanning company and they seemed confused; they kept asking for the IP.

So, how do I scan my website for vulnerabilities? Does Cloudflare have its own tools to do this? If someone has a recommended service company who is Cloudflare-aware, I’m all ears :slight_smile:

FYI I haven’t yet found the original IP, only the Cloudflare redirect.

Regards, Paul

I should add for clarity that I just “inherited” this site with no docs and only a cursory description :wink:

On the DNS tab, the website/domain should have DNS records which point to your hosting provider's IP address.
Or not, if you are using CNAME type record(s)?

You can also Pause Cloudflare for your domain and do your audit and tests.


In case you do not have the Pause Cloudflare on Site option available in the lower right corner of your Cloudflare dashboard for your website, you can achieve this by setting all your DNS entries to :grey: cloud instead of :orange:.

If so, to temporarily disable proxying via Cloudflare for your domain (the records), click on the :orange: cloud next to the needed DNS records on the DNS tab to switch it to :grey: cloud.

Thereafter, turn them back from :grey: to :orange: cloud.

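As an added example (not from this thread or from Cloudflare), here is a small pre-scan check that tells you whether a hostname currently resolves to Cloudflare's edge or to your own origin, so you know which one a scanner pointed at that hostname would actually test. The CIDR list is a constructed sample; for a real check load the live ranges from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```python
import ipaddress
import socket

# Constructed sample of Cloudflare edge ranges so this runs offline. For a real
# check, load the current lists from https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6 instead of hard-coding them.
SAMPLE_CLOUDFLARE_RANGES = ["104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32"]


def is_cloudflare_ip(ip, ranges=SAMPLE_CLOUDFLARE_RANGES):
    """True if ip falls inside one of the given Cloudflare CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def resolve(hostname):
    """A/AAAA addresses for hostname from the system resolver."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def classify(hostname, resolver=resolve, ranges=SAMPLE_CLOUDFLARE_RANGES):
    """Report whether a scan of hostname would hit Cloudflare's edge (orange
    cloud) or the origin (grey cloud / Cloudflare paused). The resolver is
    injectable so the check can be exercised with a constructed DNS answer."""
    addrs = resolver(hostname)
    edge = [a for a in addrs if is_cloudflare_ip(a, ranges)]
    origin = [a for a in addrs if a not in edge]
    return {
        "hostname": hostname,
        "resolved": addrs,
        "proxied": bool(edge) and not origin,  # every address is an edge IP
        "edge_ips": edge,
        "origin_ips": origin,
    }


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    report = classify(host)
    if report["proxied"]:
        print(f"{host} -> Cloudflare edge {report['edge_ips']}: a scan now tests "
              "the edge, not your origin. Grey-cloud or pause Cloudflare, wait "
              "for the DNS TTL to expire, then re-run this check.")
    else:
        print(f"{host} -> {report['origin_ips']}: a scan of this hostname "
              "reaches the origin directly.")
```

Run it once before grey-clouding and once after; the second run should report non-Cloudflare addresses before you hand the hostname to the scanning company, and remember that cached DNS answers can keep returning the edge IPs until the record TTL expires.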

That looks like an option I can follow-up- thank you.

