
To make sure that all the security options are working and the website is hidden from theme detectors, run the Security Check periodically.

Hide My WP Security Check will help you:

  • Detect potential security breaches on your site.
  • Identify security or access issues on your website before they become a problem.
  • Determine whether any of your plugins or themes have security vulnerabilities.
  • Verify your site integrity for you.
  • Take preventive measures against attacks.
  • Learn how to fix these potential breaches.

Run a Website Security Check

To run a security check, go to Hide My WP > Security Check and click the Start Scan button.

Hide My WP Ghost will run over 35 security tasks to detect all the potential breaches. Once the process is finished, you get a complete list of all the vulnerabilities and how to fix them.

Weekly Notification

If the last security check is older than a week, you will get a push notification next to the Security Check tab.

If you don’t want to receive the push notifications anymore, you can switch off Hide My WP > Advanced > Security Check Notification.

All The Security Tasks

PHP Version

Make sure your site is running the latest version of PHP.

Using an old version of PHP makes your site slow and prone to hacker attacks due to known vulnerabilities that exist in no-longer maintained versions of PHP. 

More than 40% of WordPress users are using PHP 5.6 (or less), which can be one of the factors for SQL Injection in WordPress.

You need PHP 7.0 or higher for your website.


MySQL Version

SQL injection describes a class of attacks in which hackers embed commands in a URL that trigger behaviors from the database. (SQL is the command language used by the MySQL database.) 

These attacks can reveal sensitive information about the database, potentially letting hackers modify the actual content of your site.

Using an old version of MySQL makes your site slow and prone to hacker attacks due to known vulnerabilities that exist in no-longer maintained versions of MySQL. 

You need MySQL 5.4 or higher.


WordPress Version

You should always update WordPress to the latest versions. These are usually security fixes that don’t alter WP in any significant way and should be applied as soon as WP releases them. 

According to the official WordPress stats, only 42.3% of WordPress sites are using the latest version (4.9.x). All previous versions can be vulnerable and might result in getting hacked.

When a new version of WordPress is available you will receive an update message in your WordPress Admin Screens. To update WordPress, click the link in this message.


Backend under SSL

SSL is an abbreviation used for Secure Sockets Layers, which are encryption protocols used on the internet to secure information exchange and provide certificate information.

These certificates provide an assurance to the user about the identity of the website they are communicating with. SSL may also be called TLS or Transport Layer Security protocol. 

It’s important to have a secure connection for the Admin Dashboard in WordPress.


WP Debug Mode

Every good developer should turn on debugging before getting started on a new plugin or theme. In fact, the WordPress Codex ‘highly recommends’ that developers use WP_DEBUG. 

Unfortunately, many developers forget to turn off debug mode even when the website is live. Showing debug logs in the frontend will let hackers know a lot about your WordPress website.


DB Debug Mode

It’s not safe to have the Database Debug turned on. Make sure you don’t use Database debug on live websites.


Script Debug Mode

Every good developer should turn on debugging before getting started on a new plugin or theme. In fact, the WordPress Codex ‘highly recommends’ that developers use SCRIPT_DEBUG. 

Unfortunately, many developers forget to turn off debug mode even when the website is live. Showing debug logs in the frontend will let hackers know a lot about your WordPress website.


Display_errors PHP directive

Displaying any kind of debug info in the frontend is extremely bad. 

If any PHP errors happen on your site they should be logged in a safe place and not displayed to visitors or potential attackers.


User ‘admin’ as Administrator

In the old days, the default WordPress admin username was ‘admin’. Since usernames make up half of the login credentials, this made it easier for hackers to launch brute-force attacks. 

Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.


Spammers can easily signup

If you do not have an e-commerce, membership or guest posting website, you shouldn’t let users subscribe to your blog. You will end up with spam registrations and your website will be filled with spammy content and comments.


Outdated Plugins

WordPress and its plugins and themes are like any other software installed on your computer, and like any other application on your devices. Periodically, developers release updates which provide new features, or fix known bugs. 

These new features may not necessarily be something that you want. In fact, you may be perfectly satisfied with the functionality you currently have. Nevertheless, you are still likely to be concerned about bugs.

Software bugs can come in many shapes and sizes. A bug could be very serious, such as preventing users from using a plugin, or it could be minor and only affect a certain part of a theme, for example. In some cases, bugs can cause serious security holes. 

Keeping plugins up to date is one of the most important and easiest ways to keep your site secure.


Not Updated Plugins

Plugins that have not been updated in the last 12 months can have real security problems. Make sure you use updated plugins from the WordPress Directory.


Version Incompatible Plugins

Plugins that are incompatible with your version of WordPress can have real security problems. Make sure you use tested plugins from the WordPress Directory.


Outdated Themes

WordPress and its plugins and themes are like any other software installed on your computer, and like any other application on your devices. Periodically developers release updates which provide new features or fix known bugs. 

New features may be something that you do not necessarily want. In fact, you may be perfectly satisfied with the functionality you currently have. Nevertheless, you may still be concerned about bugs.

Software bugs can come in many shapes and sizes. A bug could be very serious, such as preventing users from using a plugin, or it could be a minor bug that only affects a certain part of a theme, for example. In some cases, bugs can even cause serious security holes.

Keeping themes up to date is one of the most important and easiest ways to keep your site secure.


Database Prefix

The WordPress database is like a brain for your entire WordPress site, because every single bit of information about your site is stored there, thus making it a hacker’s favorite target. 

Spammers and hackers run automated code for SQL injections.
Unfortunately, many people forget to change the database prefix when they install WordPress. 
This makes it easier for hackers to plan a mass attack by targeting the default prefix wp_.


Versions in Source Code

WordPress, plugins and themes add their version info to the source code, so anyone can see it. 

Hackers can easily find websites running vulnerable versions of plugins or themes, and target these with Zero-Day Exploits.


Salts and Security Keys valid

Security keys are used to ensure better encryption of information stored in the user’s cookies and hashed passwords. 

These make your site more difficult to hack, access and crack by adding random elements to the password. You don’t have to remember these keys. In fact, once you set them you’ll never see them again. Therefore there’s no excuse for not setting them properly.


WordPress Database Password

There is no such thing as an “unimportant password”! The same goes for your WordPress database password. 

Although most servers are configured so that the database can’t be accessed from other hosts (or from outside of the local network), that doesn’t mean your database password should be “12345” or no password at all.


/wp-content path is accessible

It’s important to hide the common WordPress paths to prevent attacks on vulnerable plugins and themes.

 
Also, it’s important to hide the names of plugins and themes to make it impossible for bots to detect them.


/wp-login path is accessible

If your site allows user logins, you need your login page to be easy to find for your users. You also need to do other things to protect against malicious login attempts. 

However, obscurity is a valid security layer when used as part of a comprehensive security strategy. If you want to cut down on the number of malicious login attempts, making your login page difficult to find is one way to do that.


/wp-config.php file is writable

One of the most important files in your WordPress installation is the wp-config.php file. 
This file is located in the root directory of your WordPress installation, and contains your website’s base configuration details, such as database connection information.
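
An offline audit of wp-config.php that covers several of the tasks above (WP Debug Mode, Script Debug Mode, Database Prefix, Salts and Security Keys, writable file). This is an added example, not Hide My WP Ghost's own code. It assumes "writable" means the group or world write bits are set, and the sample configuration is constructed.

```python
import os
import re
import stat
import sys

SALT_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
DEFINE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(?:(['"])(.*?)\2|(\w+))\s*\)""")
PREFIX = re.compile(r"""\$table_prefix\s*=\s*['"](.*?)['"]""")


def audit(text, mode):
    """Audit wp-config.php contents plus its permission bits; return findings."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):  # assumption: this is "writable"
        findings.append(f"mode {mode:o}: writable by group or others")
    # Skip whole-line comments only: salt values may contain '#' or '//'.
    live = "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith(("//", "#", "/*", "*")))
    consts = {name: (bare.lower() if bare else sval)
              for name, _q, sval, bare in DEFINE.findall(live)}
    for flag in ("WP_DEBUG", "SCRIPT_DEBUG"):
        if consts.get(flag) in ("true", "1"):
            findings.append(f"{flag} is enabled")
    prefix = PREFIX.search(live)
    if prefix and prefix.group(1) == "wp_":
        findings.append("default table prefix wp_ is in use")
    for key in SALT_KEYS:
        if consts.get(key, "") in ("", PLACEHOLDER):
            findings.append(f"{key} is missing or still the placeholder")
    return findings


# Constructed sample, not a real site's configuration.
SAMPLE = """<?php
define( 'WP_DEBUG', true );
// define( 'SCRIPT_DEBUG', true );
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'k#7//Zq"x9-constructed-value' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real file given on the command line
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(audit(fh.read(), stat.S_IMODE(os.stat(sys.argv[1]).st_mode)))
    else:
        print(audit(SAMPLE, 0o644))
```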


XML-RPC access is on

WordPress XML-RPC is a specification that aims to standardize communications between different systems. It uses HTTP as the transport mechanism and XML as the encoding mechanism to enable a wide range of data to be transmitted. 

The two biggest assets of the API are its extendibility and its security. XML-RPC authenticates using basic authentication. It sends the username and password with each request, which is a big no-no in security circles.


install.php & upgrade.php files are accessible

WordPress is well-known for its ease of installation. 
It’s important to hide the wp-admin/install.php and wp-admin/upgrade.php files because there have already been a couple of security issues regarding these files.


MySql Grant All Permissions

If an attacker gains access to your wp-config.php file and gets the MySQL username and password, they’ll be able to log in to that database and do whatever that account allows. 

That’s why it’s important to keep the account’s privileges to a bare minimum.

For instance, if you’re not installing any new plugins or updating WP, that account doesn’t need the CREATE or DROP table privileges.

For regular, day-to-day usage these are the recommended privileges: SELECT, INSERT, UPDATE and DELETE.
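
One way to check an account against that recommended set is to compare the output of MySQL's SHOW GRANTS statement with it. This is an added example, not Hide My WP Ghost's own code; the account name `wp_user` and database name `wordpress` in the sample lines are constructed.

```python
import re

# The day-to-day privilege set recommended in the text above.
RECOMMENDED = {"SELECT", "INSERT", "UPDATE", "DELETE"}
GRANT = re.compile(
    r"^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+(.+?)(\s+WITH GRANT OPTION)?$", re.I)


def excess_privileges(show_grants_lines):
    """Map each granted object to the privileges beyond the recommended set."""
    report = {}
    for line in show_grants_lines:
        m = GRANT.match(line.strip().rstrip(";"))
        if not m:
            continue
        privs_raw, obj, _grantee, grant_opt = m.groups()
        # Drop column lists such as "SELECT (id, name)" before splitting.
        privs_raw = re.sub(r"\([^)]*\)", "", privs_raw)
        privs = {p.strip().upper() for p in privs_raw.split(",")}
        privs.discard("USAGE")  # USAGE is MySQL's "no privileges" marker
        extra = privs - RECOMMENDED
        if grant_opt:
            extra.add("GRANT OPTION")
        if extra:
            report[obj] = sorted(extra)
    return report


# Constructed SHOW GRANTS output for an over-privileged account.
OVER_PRIVILEGED = [
    "GRANT USAGE ON *.* TO `wp_user`@`localhost`",
    "GRANT ALL PRIVILEGES ON `wordpress`.* TO `wp_user`@`localhost`",
]
# Constructed output for an account limited to the recommended set.
LEAST_PRIVILEGE = [
    "GRANT USAGE ON *.* TO `wp_user`@`localhost`",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wordpress`.* TO `wp_user`@`localhost`",
]

if __name__ == "__main__":
    print(excess_privileges(OVER_PRIVILEGED))
    print(excess_privileges(LEAST_PRIVILEGE))
```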


Author URL by ID access

Usernames (unlike passwords) are not secret. By knowing someone’s username, you can’t log in to their account. You also need the password. 

However, by knowing the username, you are one step closer to logging in using the username to brute-force the password, or to gain access in a similar way. 

That’s why it’s advisable to keep the list of usernames private, at least to some degree. By default, by accessing siteurl.com/?author={id} and looping through IDs from 1 you can get a list of usernames, because WP will redirect you to siteurl.com/author/user/ if the ID exists in the system.
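
To see whether someone has walked the author IDs on your own site, look for one client requesting many different ?author={id} values in the web server access log. This is an added example, not Hide My WP Ghost's own code; it assumes the common or combined access log format, and the log lines are constructed with documentation IP addresses.

```python
import re
from collections import defaultdict

# Common/combined log format: client address, request line, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
AUTHOR = re.compile(r"[?&]author=(\d+)(?:&|$)")


def find_author_enumeration(lines, min_ids=3):
    """Return {client: {"probed": [...], "redirected": [...]}} for clients
    that requested at least min_ids distinct ?author=<id> values."""
    seen = defaultdict(dict)  # client -> {author_id: answered_with_redirect}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        a = AUTHOR.search(target)
        if a:
            uid = int(a.group(1))
            # A 301/302 means WordPress redirected to /author/<name>/.
            hit = status in ("301", "302")
            seen[client][uid] = seen[client].get(uid, False) or hit
    return {
        client: {"probed": sorted(ids),
                 "redirected": sorted(i for i, hit in ids.items() if hit)}
        for client, ids in seen.items() if len(ids) >= min_ids
    }


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /?author=4 HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.4 - - [10/Mar/2024:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "-"',
    '198.51.100.4 - - [10/Mar/2024:10:05:09 +0000] "GET /blog/ HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    print(find_author_enumeration(SAMPLE_LOG))
```

The "redirected" list shows which IDs the site answered with a redirect, which is the username disclosure described above.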