
Websites change all the time. So, when it comes to security, the moment you stop monitoring your site is the moment you expose it to significant risk.

One way that Hide My WP Ghost ensures that security monitoring of your site is a continuous process is through the Security Monitor feature.

Once you add a site that’s connected to your account to Security Monitor, Hide My WP Ghost will scan that site for security issues every week.

All findings will be documented in a dedicated website security report, and you can even get the report conveniently sent to your preferred email address every week.

This makes it easy to:

  • keep track of a site’s performance in terms of security;
  • monitor changes;
  • uncover and fix potential weaknesses in a site’s security.

! The Security Monitor feature supplements the Security Check feature. Both features scan your WordPress site for similar issues and WordPress-specific vulnerabilities that affect your site’s security.

How to Access Security Monitor

The Security Monitor feature is located within your Hide My WP Ghost Cloud account.

Navigate to WPPlugins Account > Security Monitor in order to reach it.

Monitor a New Website

To add a new website that you want Hide My WP Ghost to monitor and generate reports for, click on the +New button shown in the screenshot below.

Clicking on the +New button will take you to a new panel where you can:

  • Add a new website for which you want Hide My WP Ghost to generate a weekly report. Once you connect your website(s) to your account, all websites under your account will show in the drop-down list, and you can simply add the website you want to monitor from that list.
  • Choose whether or not to receive the weekly report by email (Yes/No option).

In your Profile Settings, you have the option to specify the email address where you want to receive the report.

To set the email address, go to WPPlugins Account > Profile > Settings

Don’t forget to click on the Submit button to save your settings.

! Note that the email address you set here is also the email address where you’ll receive the User Events Email Alerts.

You can also set up an individual email address for each website you’ve added to Security Monitor (useful for cases when you want each Website Report to be sent to different email addresses).

To set this up, go to:  WPPlugins Account > Connected Sites

The settings you make here have priority over the settings you may have made in Profile Settings (meaning: when an email address is specified for a site in the Connected Sites section, Hide My WP Ghost will use that email address to send the weekly Website Report).

IMPORTANT NOTE! If NO email address is specified in either Profile Settings OR Connected Sites section but you enabled Email Notification for that site, Hide My WP Ghost will send the weekly website report to the email address connected to your account.

Security Monitor

Once you’ve added your website(s) to Security Monitor, you can access the reports that Hide My WP Ghost generated for your website(s) from the Security Monitor panel.

For every report, you’ll see the following information:

  • The URL (website) for which the report has been generated.
  • Whether the option Email Notification has been enabled or not.
  • The date when the website has been added to Security Monitor. (Created At column)
  • The date when the website was last verified. (Last Verified column)

To view a particular report, click on View Report (as shown in the screenshot below).

You can also choose how to view items in the Security Monitor panel. If you want, you can remove one or more of the following columns:

  • URL
  • Email Notification
  • Created At
  • Last Verified
  • Options

You can remove these items by un-checking them from the drop down shown below – and then clicking on the Submit button.

So, by un-checking the Email Notification item, for instance, the Email Notification column will NO longer be visible in the Security Monitor panel.

You can always change your mind and bring a column back by checking the corresponding item from the drop-down.

Remove Website

To remove a website from Security Monitor, go to WPPlugins Account > Security Monitor.

From the Action column, click on the Delete icon corresponding to the URL you want to remove (as shown below).

Website Report

The Website Report contains insights that Hide My WP Ghost uncovered after scanning a specific site connected to your account which you’ve previously added to Security Monitor.

In the screenshot below, you can see an example of what a website report looks like.

  • The colour Blue is used for report insights that are purely informative (meaning: they don’t necessarily require you to take action)
  • The colour Red is used to highlight critical issues that you still need to resolve to address WordPress vulnerabilities and strengthen your website’s security.

Next up, we’ll go over every individual type of warning that Hide My WP Ghost may generate and display inside the Website Report for a site connected to your account.

We’ll explain what each of them means and how to address them using Hide My WP Ghost features, so let’s get to it.

A path is visible. Brute Force attack is imminent!

This means that Hide My WP Ghost found a vulnerable WordPress authentication path which hackers could exploit in order to perform brute force login attempts.

The best solution is to hide the login and admin paths from visitors and set a different login path only for your access.

You can also activate Brute Force Protection using Google reCAPTCHA or Math reCAPTCHA.

👍 Learn how you can do this with Hide My WP Ghost – Brute Force Protection

WordPress XMLRPC Brute Force exploit detected!

XML-RPC could open your site to various attacks and lead to other security issues. This feature is not used anymore because WordPress now uses an API, which is much safer.

The best solution is to restrict access to the /xmlrpc.php file through .htaccess, or through the server config file if you are using another type of server.

👍 Learn how you can do this with Hide My WP Ghost – Hide WordPress Paths

WordPress path is still accessible!

This means that the WordPress common paths wp-content/plugins and wp-content/themes are still accessible. Knowing that most of the attacks are made on vulnerable plugins and themes, it’s crucial to hide them and not allow hackers to access the vulnerable files.

You can hide the common paths by inserting rules and filters into .htaccess for Apache and LiteSpeed servers, nginx.conf for Nginx server, web.config for IIS server.

Note! Make sure to change the common paths first.

👍 Learn how you can do this with Hide My WP Ghost – Hide WordPress Paths

WordPress readme.html is accessible!

Some of the root files like readme.html, license.txt, wp-config.php contain information about your WordPress version, Database username and password, paths, and server details.

These files allow hackers to know all about your Content Management System and server without even entering your website – and are often the first files that hacker bots access.

It’s important to restrict access to all these files, as it helps you stop a lot of attacks and prevent unnecessary server traffic.

👍 Learn how you can do this with Hide My WP Ghost – Hide WordPress Paths

WordPress old paths are visible in the source code!

This means that wp-content/plugins, wp-content/themes, /wp-admin and other common paths are visible in the source code of your website. Hacker bots will usually crawl your website to get information about your themes and plugins.

The best way to prevent this is to customize the paths and even the plugins’ and themes’ names.

This way, you will stop most of the attacks that target your installed plugins and themes. After you change the paths, you can hide the old paths for enhanced WordPress security.

👍 Learn how you can do this with Hide My WP Ghost – Hide WordPress Paths

WordPress Prefetch https://s.w.org is visible!

This META is mostly added by WordPress for the emoji feature.

But this META lets hackers know that you’re using WordPress as your Content Management system. As a result, bots will initiate more attacks on your site in order to find breaches and vulnerabilities they can exploit.

👍 It’s easy to hide this META by using Hide My WP Ghost – WordPress Tweaks

WordPress https://api.w.org/ is visible!

api.w.org is used for WordPress REST API discovery. This is mostly used by developers, so it’s not needed in your source code.

This link tells hackers that you have a WordPress website. As a result, bots will initiate more attacks to find breaches they can exploit to gain access to your site.

👍 It’s easy to hide this link using Hide My WP Ghost – WordPress Tweaks

WordPress “Powered by WordPress” is visible!

Allowing this text is the equivalent of shouting that you’re using WordPress as your CMS in a room full of hackers.

Usually, basic mistakes like these can lead to some pretty serious consequences. The good news is that you can typically remove this text easily, as most themes already have an option for removing the “Powered by WordPress” copy. Go to the theme’s settings or to Admin panel > Appearance > Customize; if the theme you’re using features this option, you will find it in one of these two places.

Note! Don’t forget to also customize the Tagline in Settings > General. The default WordPress tagline that sites get when they are created is “Just another WordPress site” – which also acts like a huge announcement, letting the world (including hackers) know that you have a WordPress website.
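To confirm on your own site that the source-code warnings above (old paths, the s.w.org prefetch, the api.w.org link, the “Powered by WordPress” text and the default tagline) are really gone after you change the settings, you can audit the saved page source. The script below is an added example, not Hide My WP Ghost code; the finding labels, the sample pages and the example.test host are constructed for illustration.

```python
from html.parser import HTMLParser

# Markers named in the report warnings above; the finding labels are made up here.
OLD_PATHS = ("wp-content/plugins", "wp-content/themes", "/wp-admin")
TEXT_MARKERS = {"powered by wordpress": "powered-by-text",
                "just another wordpress site": "default-tagline"}

class FingerprintAudit(HTMLParser):
    """Collects the WordPress markers present in one HTML document."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        rel, href = a.get("rel", "").lower(), a.get("href", "")
        if tag == "link" and "prefetch" in rel and "s.w.org" in href:
            self.findings.add("prefetch-s.w.org")   # emoji resource hint
        if tag == "link" and "api.w.org" in rel:
            self.findings.add("rest-api-link")      # REST API discovery link
        for value in (href, a.get("src", "")):      # asset and link URLs
            for path in OLD_PATHS:
                if path in value:
                    self.findings.add("old-path:" + path)

    def handle_data(self, data):
        text = " ".join(data.split()).lower()       # normalise whitespace
        for marker, label in TEXT_MARKERS.items():
            if marker in text:
                self.findings.add(label)

def audit_html(html):
    """Return the sorted list of markers still visible in the given source."""
    parser = FingerprintAudit()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)

# Constructed sample pages (example.test is a placeholder host).
DEFAULT_PAGE = """<html><head><title>Demo | Just another WordPress site</title>
<link rel='dns-prefetch' href='//s.w.org' />
<link rel='https://api.w.org/' href='https://example.test/wp-json/' />
<link rel='stylesheet' href='https://example.test/wp-content/themes/demo/style.css' />
</head><body><script src='https://example.test/wp-content/plugins/demo/app.js'></script>
<a href='https://wordpress.org/'>Proudly powered by WordPress</a></body></html>"""
HARDENED_PAGE = """<html><head><title>Demo | Handmade ceramics</title>
<link rel='stylesheet' href='https://example.test/assets/skin/demo/style.css' />
</head><body><script src='https://example.test/assets/lib/demo/app.js'></script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("default", DEFAULT_PAGE), ("hardened", HARDENED_PAGE)):
        print(name, audit_html(page))
```

Feed it the source of several page types (home page, a post, an archive), since themes and plugins can reintroduce a marker on only some templates.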

______________________

These are some of the most common vulnerability issues that hackers typically exploit to gain access to a WordPress site.

Make sure to also run a local Security Check to get a full security report about your website and uncover urgent security threats that leave your site exposed to different types of attacks.

Run New Test

You can always run a new test and refresh the information for your website by clicking on the Run New Test button shown in the screenshot below.

By doing this, Hide My WP Ghost will run a new check of your website and deliver the latest security insights it uncovered for that particular site inside the Website Report Panel.

Export Website Report

At any given time, you can export a Website Report using the Export button you’ll see on the right of the screen.