I run a Joomla site and I went to one of the famous commercial sites that deal with vulnerabilities. They have a free security audit for malware.
I ran it on my site. And I got a reply that "Host is not alive". I have Admin Tools WAF turned ON. They recommend to shut it down temporarily, so their scanner can check everything. But to me that doesn't make any sense. Because, in my opinion, if their scanner couldn't get through, it means that the site passed the audit fine.