WP Ghost Website Security Check – Complete WordPress Security Audit

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Run a complete security audit of your WordPress site with WP Ghost’s (formerly Hide My WP Ghost) Security Check. One click scans 40+ security tasks, identifies vulnerabilities, and shows you how to fix each one. Free in all versions.
Changing paths, enabling the firewall, and activating brute force protection are the first steps. But how do you know everything is actually working? The Security Check answers that question. It scans your WordPress configuration, server settings, file permissions, and WP Ghost features in one pass and gives you a clear report of what is secure and what needs attention.
According to Patchstack’s 2026 report, 91% of WordPress vulnerabilities are found in plugins, and 57.6% can be exploited without authentication. The Security Check catches these exposures, from outdated plugins to accessible default paths, before bots do.
This tutorial covers the full WP Ghost > Security Check panel: running a scan, understanding the Security Optimization Score, and every security task the scan evaluates.
Run a Security Check
Go to WP Ghost > Security Check and click the Start Scan button.

WP Ghost runs over 40 security tasks to detect potential vulnerabilities. Once the scan is complete, you get a full report listing every check, its status (pass or fail), and how to fix each issue.
Security Optimization Score
The Security Optimization Score is a number from 0 to 100 that reflects how many security tasks you have completed. It appears on both the WP Ghost Overview dashboard and the Security Check page as a dynamic gauge with a numeric value.
Every time you enable a feature, fix a vulnerability, or harden a path, your score increases. This makes it easy to track your progress over time and identify which tasks still need attention. Premium users can reach higher scores by enabling advanced features like IP Block Automation, Country Blocking, and extended file hardening.

All Security Tasks
The Security Check evaluates the following areas. Each task checks a specific aspect of your WordPress configuration, server setup, or WP Ghost feature status. Failed tasks include a description of the risk and how to fix it.
Server and PHP Configuration
PHP Version – verifies that your server runs a supported version of PHP. Branches that have reached end of life no longer receive security patches, so any bug found in them stays exploitable. WP Ghost requires PHP 7.4 or higher, but 7.4 itself has been unsupported since November 2022, so in practice run a currently supported PHP 8.x release.
MySQL Version – checks your database server version. SQL injection is a flaw in application code rather than in the database, but unsupported MySQL releases stop receiving patches for server-side bugs and lack the stricter defaults of newer versions. You need MySQL 5.7 or higher. MariaDB uses its own numbering (10.x, 11.x); check it against the MariaDB support schedule instead.
WordPress Version – confirms you are running the latest version of WordPress. Each new release includes security fixes that patch known vulnerabilities. Always update WordPress when a new version is available.
Backend under SSL – verifies that your admin dashboard is served over HTTPS. Without it, login credentials and session cookies cross the network in plain text. Most hosting providers issue a free Let’s Encrypt certificate; once it is in place, also set the FORCE_SSL_ADMIN constant to true in wp-config.php so that wp-admin and wp-login.php redirect to HTTPS instead of silently accepting plain HTTP.
display_errors PHP Directive – checks that PHP error display is disabled on your live site (display_errors = Off in php.ini or your host’s PHP settings, with errors written to the log via log_errors instead). Visible PHP errors reveal absolute file paths, database details, and plugin names to attackers.
WordPress Debug Settings
WP Debug Mode – checks that WP_DEBUG is disabled on your production site. With debug mode on (and WP_DEBUG_DISPLAY not explicitly set to false), PHP notices and warnings are printed into page output, exposing file paths and internal structure to anyone who views the source. If you must debug a live site, keep WP_DEBUG_DISPLAY false, send output to the debug log with WP_DEBUG_LOG, and make sure that log file (by default wp-content/debug.log) is not reachable from the web.
DB Debug Mode – verifies that database debugging is disabled. Database debug output can reveal table names, query structures, and error messages that attackers use to plan SQL injection attacks.
Script Debug Mode – confirms that SCRIPT_DEBUG is disabled. When active, WordPress loads unminified CSS and JS files, which reveal plugin and theme source code structure.
User and Authentication Security
User “admin” as Administrator – checks whether any administrator account uses the username “admin”, the first name bots try in brute force attacks. WordPress does not let you rename a user from the profile screen: create a new administrator with a unique username, log in as that user, delete the old “admin” account, and reassign its content to the new one when prompted.
Author URL by ID Access – verifies that URLs like yourdomain.com/?author=1 do not redirect to /author/username/ and so reveal login names. WP Ghost’s Hide Author ID feature blocks this enumeration technique. Note that the REST API users endpoint (/wp-json/wp/v2/users) lists the same names for any user who has published posts unless it is restricted as well.
Spammers Can Easily Signup – checks whether “Anyone can register” is enabled in Settings > General when it should not be. Unless you run an e-commerce, membership, or guest posting site, leave it off to prevent spam account creation; if you need it, keep the default new-user role at Subscriber.
WordPress Database Password – verifies that your database password is strong. A weak or empty database password turns any exposure of wp-config.php (a backup copy left in the web root, a source-disclosure bug) into a full database compromise. Use a long random password and a dedicated database user rather than root.
Salts and Security Keys Valid – checks that the eight AUTH_KEY / AUTH_SALT style constants in wp-config.php are set to long, unique values rather than missing or still the “put your unique phrase here” placeholder. WordPress mixes these secrets into the HMACs that protect authentication cookies and nonces; they are not used to hash stored passwords. With weak or known values, an attacker who can read the database (for example through SQL injection) can forge valid login cookies without cracking any password. Generate fresh values from https://api.wordpress.org/secret-key/1.1/salt/; changing them logs every user out.
Path and File Security
/wp-content Path Is Accessible – verifies that the default wp-content path has been changed or hidden. An accessible /wp-content path confirms WordPress to every scanner and reveals your plugin and theme structure.
/wp-login Path Is Accessible – checks that the default login path has been changed. An accessible /wp-login.php is the first target for brute force attacks. Moving it removes your site from mass scans, but it is a deterrent, not a substitute for login attempt limits and strong passwords.
wp-config.php File Is Writable – verifies that wp-config.php has restrictive file permissions. It holds your database credentials and security keys and should not be writable by the PHP process at runtime. On hosts where PHP runs as the file owner, permission bits alone cannot prevent that, so also make sure the file is not readable by other accounts (0640 or 0440) and keep no copies such as wp-config.php.bak in the web root.
install.php and upgrade.php Files Are Accessible – checks that the WordPress setup scripts wp-admin/install.php and wp-admin/upgrade.php are not reachable from the web. On a working site install.php only reports that WordPress is already installed, but if the database is ever empty or unreachable it lets anyone complete the installation and choose the administrator password, and upgrade.php gives an unauthenticated visitor a way to trigger the database upgrade routines. Block both at the web server once setup is finished.
XML-RPC Access Is On – checks whether XML-RPC is enabled. Authenticated XML-RPC calls carry the username and password in every request, and the system.multicall method lets a single request try hundreds of credential pairs, so bots use it to brute force logins while staying under per-request login limits. Disable it unless a specific service requires it (the WordPress mobile app and some publishing clients still depend on xmlrpc.php).
Versions in Source Code – verifies that version numbers have been stripped from the ?ver= parameters on CSS and JS URLs and from the generator meta tag in your HTML source. Version numbers tell attackers exactly which WordPress, plugin, and theme versions you run, so they can go straight to a matching exploit. Stripping them hides the information but does not fix the underlying software; keep updating.
Database Prefix – checks whether your database tables use the default wp_ prefix. A custom prefix breaks automated SQL injection payloads that hard-code wp_users or wp_options, but it is obscurity only: an injection that can read information_schema learns the real table names immediately. Treat a custom prefix as defense in depth, not as a substitute for keeping plugins patched.
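The debug, database password, salts, wp-config.php permissions, and table prefix tasks above all come down to reading wp-config.php. The following script is an added example written for this tutorial, not WP Ghost’s own scanner, that applies those checks to a configuration file. The two sample configurations are constructed here (the 64-character salts are stand-ins, the database password and prefix are made up), the 16- and 32-character thresholds are this example’s choices, and the FORCE_SSL_ADMIN check is its addition to the page’s SSL task:

```python
import os
import re
import stat
import tempfile

SALT_CONSTANTS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                  "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def make_config(salts, db_password, prefix, flags):
    """Build a minimal wp-config.php body for the demo (constructed, not a real file)."""
    lines = ["<?php", f"define( 'DB_PASSWORD', '{db_password}' );", f"$table_prefix = '{prefix}';"]
    lines += [f"define( '{n}', '{s}' );" for n, s in zip(SALT_CONSTANTS, salts)]
    lines += [f"define( '{n}', {'true' if v else 'false'} );" for n, v in flags.items()]
    return "\n".join(lines) + "\n"


# Weak: placeholder salts, empty DB password, default prefix, debug switches on.
WEAK_WP_CONFIG = make_config([PLACEHOLDER] * 8, "", "wp_",
                             {"WP_DEBUG": True, "SCRIPT_DEBUG": True, "SAVEQUERIES": True})
# Hardened: 64-char salts are demo stand-ins; on a real site paste the output of
# https://api.wordpress.org/secret-key/1.1/salt/ instead. Password and prefix are made up.
HARDENED_WP_CONFIG = make_config([chr(65 + i) * 64 for i in range(8)],
                                 "Xk9#vP2$mQ7!wL4@nR8&tB3^", "k3j_",
                                 {"WP_DEBUG": False, "FORCE_SSL_ADMIN": True})


def parse_defines(text):
    """Map CONSTANT -> value for every define() in the source. Quoted strings are
    unquoted, true/false become bools, anything else is kept as raw source text."""
    out = {}
    for name, raw in DEFINE_RE.findall(text):
        if raw.lower() in ("true", "false"):
            out[name] = raw.lower() == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            out[name] = raw[1:-1]
        else:
            out[name] = raw
    return out


def audit_wpconfig_text(text):
    """Configuration checks on wp-config.php source. Returns (check, detail)
    pairs; an empty list means every check passed."""
    d, findings = parse_defines(text), []
    for const in ("WP_DEBUG", "SCRIPT_DEBUG", "SAVEQUERIES"):  # debug switches
        if d.get(const) is True:
            findings.append((f"{const} enabled", "set it to false on a live site"))
    if d.get("WP_DEBUG") is True and d.get("WP_DEBUG_DISPLAY") is not False:
        findings.append(("WP_DEBUG_DISPLAY not false", "PHP errors are printed into pages"))
    pw = d.get("DB_PASSWORD", "")
    if not isinstance(pw, str) or len(pw) < 16:
        findings.append(("weak DB_PASSWORD", "empty, non-literal or shorter than 16 chars"))
    seen = set()
    for const in SALT_CONSTANTS:  # missing, placeholder, short or reused values all fail
        val = d.get(const)
        if not isinstance(val, str) or val == PLACEHOLDER or len(val) < 32:
            findings.append((f"{const} invalid", "missing, placeholder or shorter than 32 chars"))
            continue
        if val in seen:
            findings.append((f"{const} reused", "identical to another key"))
        seen.add(val)
    m = PREFIX_RE.search(text)
    if m is None or m.group(1) == "wp_":
        findings.append(("default table prefix", "wp_ is what automated tools assume"))
    if d.get("FORCE_SSL_ADMIN") is not True:  # this example's addition to the SSL task
        findings.append(("FORCE_SSL_ADMIN not true", "dashboard still reachable over plain HTTP"))
    return findings


def audit_wpconfig_mode(path):
    """Permission-bit check. Flags group/other write and world-read; owner-write
    (0600) is still unsafe when PHP itself runs as the file owner."""
    mode, findings = stat.S_IMODE(os.stat(path).st_mode), []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("wp-config.php writable", f"mode {oct(mode)} allows group/other write"))
    if mode & stat.S_IROTH:
        findings.append(("wp-config.php world-readable", f"mode {oct(mode)}; use 0640 or 0440"))
    return findings


def demo():
    """Audit the weak sample (written to a 0666 temp file) and the hardened one;
    returns (weak_findings, hardened_findings)."""
    fd, path = tempfile.mkstemp(suffix="-wp-config.php")
    with os.fdopen(fd, "w") as f:
        f.write(WEAK_WP_CONFIG)
    os.chmod(path, 0o666)
    weak = audit_wpconfig_text(WEAK_WP_CONFIG) + audit_wpconfig_mode(path)
    os.unlink(path)
    for check, detail in weak:
        print(f"FAIL {check}: {detail}")
    return weak, audit_wpconfig_text(HARDENED_WP_CONFIG)


if __name__ == "__main__":
    demo()
```

On a real site, run audit_wpconfig_text on the contents of your wp-config.php and audit_wpconfig_mode on its path; the weak sample produces 17 findings and the hardened one none. The parser only understands literal define() values, so a constant built from an expression is reported as its raw source text and the password check treats it as weak; inspect those by hand.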
Plugin and Theme Security
Outdated Plugins – checks if any installed plugins have available updates. Plugin updates frequently include security fixes for known vulnerabilities.
Not Updated Plugins – identifies plugins that have not been updated by their developer in the last 12 months. Abandoned plugins are a major security risk because newly discovered vulnerabilities will never be patched.
Version Incompatible Plugins – flags plugins whose developer has not tested them with your current WordPress version. A stale “tested up to” value usually means the plugin is not being actively maintained, so compatibility bugs and security fixes are likely to lag behind.
Outdated Themes – checks if your themes have available updates. Like plugins, theme updates include security fixes that should be applied promptly.
Firewall and Advanced Security
Firewall Active – verifies that the WP Ghost firewall (7G or 8G) is enabled. The firewall blocks script injection, SQL injection, and exploit attempts at the server level.
IP Block Automation – confirms that automated IP blocking is configured correctly. This ensures repeat offenders are automatically banned at the firewall level.
MySQL Grant All Permissions – checks whether your database user holds broader privileges than WordPress needs. Day-to-day operation requires only SELECT, INSERT, UPDATE, and DELETE on the WordPress database. CREATE, DROP, ALTER, and INDEX are needed only while installing plugins or running WordPress updates that change the schema, and server-wide privileges such as FILE, SUPER, or ALL PRIVILEGES on *.* should never be granted: with FILE, a SQL injection in any plugin can read and write files on the database host, not just rows in your tables.
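To see what your database user actually holds, run SHOW GRANTS FOR CURRENT_USER() (for example with mysql -e) and compare the rows against the privilege tiers described above. The script below is an added example for this tutorial, not WP Ghost’s own check: it parses SHOW GRANTS output into privilege sets, sorts them into runtime, maintenance, and never-needed tiers, and prints the least-privilege GRANT to apply. The two sets of grant rows, the user names wp and wp_app, and the tier grouping are this example’s constructions:

```python
import re

# Privilege tiers for the WordPress database user (this example's grouping).
RUNTIME = ("SELECT", "INSERT", "UPDATE", "DELETE")             # day-to-day operation
MAINTENANCE = {"CREATE", "DROP", "ALTER", "INDEX"}              # installs and schema upgrades
NEVER = {"ALL PRIVILEGES", "FILE", "SUPER", "PROCESS", "GRANT OPTION"}  # no WordPress need

GRANT_RE = re.compile(r"^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+(\S+)(.*)$", re.IGNORECASE)

# Constructed SHOW GRANTS output for two hypothetical users; not from a real server.
SAMPLE_GRANTS_BROAD = [
    "GRANT USAGE ON *.* TO `wp`@`localhost`",
    "GRANT ALL PRIVILEGES ON `wordpress`.* TO `wp`@`localhost` WITH GRANT OPTION",
]
SAMPLE_GRANTS_TIGHT = [
    "GRANT USAGE ON *.* TO `wp_app`@`localhost`",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wordpress`.* TO `wp_app`@`localhost`",
]


def parse_grants(rows):
    """Turn SHOW GRANTS rows into [(privileges, scope)]. USAGE means 'no privileges'
    in MySQL and is dropped; WITH GRANT OPTION is recorded as a privilege of its own.
    Scope (e.g. `wordpress`.* versus *.*) is returned but not judged by classify()."""
    parsed = []
    for row in rows:
        m = GRANT_RE.match(row.strip().rstrip(";"))
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")} - {"USAGE"}
        if "GRANT OPTION" in m.group(4).upper():
            privs.add("GRANT OPTION")
        parsed.append((privs, m.group(2)))
    return parsed


def classify(rows):
    """Aggregate everything the user holds and sort it into the tiers above.
    'unexpected' catches privileges outside all three lists (EXECUTE, LOCK TABLES, ...)."""
    held = set()
    for privs, _scope in parse_grants(rows):
        held |= privs
    has_all = "ALL PRIVILEGES" in held
    return {
        "dangerous": held & NEVER,
        "maintenance": held & MAINTENANCE,
        "unexpected": held - set(RUNTIME) - MAINTENANCE - NEVER,
        "missing": set() if has_all else set(RUNTIME) - held,
    }


def is_least_privilege(rows):
    """True when the user holds exactly the runtime set and nothing else."""
    r = classify(rows)
    return not (r["dangerous"] or r["maintenance"] or r["unexpected"] or r["missing"])


def least_privilege_grant(database, user, host="localhost"):
    """The GRANT an administrator runs for day-to-day operation; grant the
    MAINTENANCE set temporarily around plugin installs and core updates."""
    return f"GRANT {', '.join(RUNTIME)} ON `{database}`.* TO '{user}'@'{host}';"


if __name__ == "__main__":
    for name, rows in (("broad", SAMPLE_GRANTS_BROAD), ("tight", SAMPLE_GRANTS_TIGHT)):
        print(name, "least privilege:", is_least_privilege(rows), classify(rows))
    print(least_privilege_grant("wordpress", "wp_app"))
```

The broad user is flagged for ALL PRIVILEGES and GRANT OPTION; the tight user passes. On shared hosting you usually cannot change grants yourself, which is the case the FAQ below refers to; on a VPS, run the printed GRANT as the MySQL administrator, then FLUSH PRIVILEGES, and add the maintenance privileges back only for the duration of an update.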
Security Check vs Security Monitor
WP Ghost offers two complementary security scanning tools. The Security Check runs inside your WordPress dashboard when you click Start Scan. It checks 40+ server and WordPress configuration items. This is a free feature available in all versions.
The Security Monitor runs automatically every week from the WP Ghost Cloud. It scans your site externally, seeing exactly what bots see, and checks for exposed paths, accessible files, and visible WordPress markers. Results are emailed to you. This is a Premium feature.
Use both for complete coverage: the Security Check for deep internal configuration, the Security Monitor for continuous external validation. For the Security Monitor setup guide, see the Security Monitor tutorial.
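The external view the Security Monitor takes can be reproduced for a single site with a few HTTP requests. The script below is an added example written for this tutorial, not the Security Monitor’s code or WP Ghost’s: it fetches four URLs without following redirects and looks for the author-ID redirect, an enabled xmlrpc.php, the default login form, the generator meta tag, ?ver= version strings, and default /wp-content/ and /wp-includes/ paths. The sample responses for example.test are constructed, the User-Agent string is arbitrary, and the site must be one you are authorised to test:

```python
import re
import urllib.error
import urllib.request

AUTHOR_RE = re.compile(r"/author/([^/?#]+)")
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]+)"', re.I)
VER_RE = re.compile(r"[?&]ver=([0-9][\w.\-]*)")
DEFAULT_PATHS = ("/wp-content/", "/wp-includes/")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep urllib from following redirects so the Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url):
    """GET url without following redirects; returns (status, lower-cased headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 3xx (because of _NoRedirect), 4xx and 5xx land here
        return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read().decode("utf-8", "replace")


def check_author(status, headers, body):
    m = AUTHOR_RE.search(headers.get("location", "")) if status in (301, 302) else None
    return [f"?author=1 redirects to /author/{m.group(1)}/ (username disclosed)"] if m else []


def check_xmlrpc(status, headers, body):
    enabled = "XML-RPC server accepts POST requests only" in body  # WordPress's reply to a GET
    return ["xmlrpc.php is enabled (system.multicall brute force possible)"] if enabled else []


def check_login(status, headers, body):
    return ["default wp-login.php is reachable"] if status == 200 and 'name="log"' in body else []


def check_home(status, headers, body):
    findings = []
    g = GENERATOR_RE.search(body)
    if g:
        findings.append(f"generator meta tag discloses WordPress {g.group(1)}")
    versions = sorted(set(VER_RE.findall(body)))
    if versions:
        findings.append("version strings in asset URLs: " + ", ".join(versions))
    findings += [f"default path {p} visible in HTML" for p in DEFAULT_PATHS if p in body]
    return findings


CHECKS = {"/?author=1": check_author, "/xmlrpc.php": check_xmlrpc,
          "/wp-login.php": check_login, "/": check_home}


def run_checks(responses):
    """responses: {path: (status, headers, body)}. Returns a list of finding strings."""
    findings = []
    for path, check in CHECKS.items():
        if path in responses:
            findings += check(*responses[path])
    return findings


def scan(base_url):
    """Live scan of a site you are authorised to test (not exercised in the demo)."""
    return run_checks({p: fetch(base_url.rstrip("/") + p) for p in CHECKS})


# Constructed responses for a hypothetical unhardened site (example.test), not a real capture.
SAMPLE_RESPONSES = {
    "/?author=1": (301, {"location": "https://example.test/author/alice/"}, ""),
    "/xmlrpc.php": (405, {}, "XML-RPC server accepts POST requests only."),
    "/wp-login.php": (200, {}, '<form id="loginform"><input type="text" name="log" id="user_login"></form>'),
    "/": (200, {}, '<html><head><meta name="generator" content="WordPress 6.4.2" />\n'
                   '<link rel="stylesheet" href="https://example.test/wp-content/themes/t/style.css?ver=1.0" />\n'
                   '<script src="https://example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>\n'
                   '</head><body></body></html>'),
}

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_RESPONSES):
        print("EXPOSED:", finding)
```

Against the constructed responses the script reports seven exposures; after the paths are customised, xmlrpc.php is blocked, and version tags are removed, the same checks return nothing. Run scan("https://your-site.example") after each change to confirm the fix is visible from outside, which is what the weekly Security Monitor scan automates.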
Frequently Asked Questions
How often should I run the Security Check?
Run it after every major change: installing or updating plugins, changing WP Ghost settings, updating WordPress, or switching themes. WP Ghost shows a notification when the last scan is older than a week.
Is the Security Check free?
Yes. The in-WordPress Security Check with all 40+ tasks and the Security Optimization Score is available in all versions of WP Ghost. The cloud-based Security Monitor is a Premium feature.
What does the Security Optimization Score mean?
The score (0-100) reflects how many security tasks you have completed. Higher scores mean fewer vulnerabilities are exposed. The score updates dynamically as you enable features and fix issues.
Can a failed task be ignored?
Some tasks may not apply to your setup. For example, the MySQL permissions check depends on your hosting configuration and may not be changeable on shared hosting. Focus on the tasks you can control, starting with the most critical ones: SSL, debug modes, outdated software, and exposed paths.
Does WP Ghost modify WordPress core files?
No. The Security Check reads your configuration and server settings. It does not modify any files. The fixes it suggests are configuration changes you make through WP Ghost settings, WordPress settings, or your server configuration.
Related Tutorials
Fix the issues found by the Security Check:
Customize All WordPress Paths – fix exposed path warnings by changing wp-admin, wp-login, wp-content, and more.
Firewall and Geo Security – enable the 8G Firewall and configure IP block automation.
Brute Force Attack Protection – add reCAPTCHA and login attempt limits.
Activate Security Tweaks – remove version tags, debug output, and WordPress fingerprints.
Security Monitor – automated weekly cloud scanning (Premium).
Hide From WordPress Theme Detectors – verify your site is fully hidden after fixing all Security Check warnings.