Not all scanners ar yours
Vulnerability scanners are automatized tools (bots) that perform security tests on a website or web application. They try to find weaknesses and security holes. The market for these tools is large. Popular scanners are for instance Metasploit, Burp, Suite, Grendel Scan or nmap.
These scans are carried out by two groups of persons: friendly penetration testers who are commissioned by you to find holes and malicious criminals form the other side that want do get into your system to wreak havoc.
Security firms use penetration tests to test the infrastructure of websites. Their IP addresses are usually whitelisted by all security measures of their customers. Based on the results of these scans companies can improve and optimize the security of their infrastructure successively.
The other side of penetration tests is when malicious hackers use the same technology without the website operator knowing about it. These tools operate undetected and hide in the regular web traffic. The worst of it: the security report is now in the hands of a criminal who will use the found weak spots to hack into your systems later.
Vulnerability scans are common practice. Whenever a security hole of a popular software such as Wordpress becomes public bots try to gain access to as many servers as possible using the new security hole. Expect a lot of visits from bots once your website becomes vulnerable.
Weakness scanners typically perform reconnaisance first and move on to attacking the weak systems shortly after. By stopping them to scan for vulnerabilities you can stop these kinds of attack.
How can you detect whether you’re affected?
Vulnerability scanners usually don’t discern what they scan. In case you detect an IP address that scans all pages of your website systematically this may point towards a vulnerability scanner in action.
A higher number of 404 page not found errors in your logs may also indicate a scanner.