Discover how the Hide My WP Ghost plugin helps you verify your website’s security level!
1. Detect potential security breaches on your site.
2. Identify security or access-related issues on your website before they become a problem.
3. Determine whether any of your plugins or themes have security vulnerabilities.
4. Verify site integrity (the plugin does this for you).
5. Take preventive measures against attacks.
6. Fix potential breaches by providing step-by-step guidance.
You can install and set up the plugin in less than 5 minutes. You don’t have to be an expert to make it work. No programming knowledge required.
Hide My WordPress Ghost was tested with over 1.000 other themes and plugins. Works with the most popular Cache Plugins, Security Plugins, CDN Plugins, and WordPress Themes.
We offer professional WordPress support that includes: bugs, site fixes, payment processing issues, website speed inquiries, and much more.
Hide My WordPress Ghost is a speed-optimized plugin. The average loading time is 0.03s, which is faster than 90% of WordPress plugins. This will help improve your site's Search Engine ranking.
You can visit your site often and manually verify its vulnerabilities, or you can set up email alerts to instantly be notified if anything needs to be fixed.
You should check for updates frequently (at least once a week) and install them as soon as possible. Or you can use a website monitoring service that detects site changes.
In the following paragraphs, we’ll go over each checkpoint that is verified for you by the Hide My WordPress Ghost plugin – and provide more details.
Make sure your site is running the latest version of PHP.
Using an old version of PHP makes your site slow and prone to hacker attacks due to known vulnerabilities that exist in no-longer maintained versions of PHP.
More than 40% of WordPress users are using PHP 5.6 (or less), which can be one of the factors for SQL Injection in WordPress.
You need PHP 7.0 or higher for your website.
SQL injection is an injection attack type in which hackers embed commands in an URL that trigger behaviors from the database. (SQL is the command language used by the MySQL database.)
These attacks can reveal sensitive information about the database, potentially giving hackers an open path that enables them to modify the actual content of your site.
Using an old version of MySQL makes your site slow and prone to hacker attacks due to known vulnerabilities that exist in no-longer maintained versions of MySQL.
You need MySQL 5.4 or higher.
You should always update WordPress to the latest version. Recently-released versions usually include security fixes that don’t alter WP in any significant way and should be applied as soon as WP makes them available.
According to official WordPress stats, only 42.3% of WordPress sites use the latest version (4.9.x). All previous versions can be vulnerable and might lead to your site getting hacked.
When a new version of WordPress is available, you will receive an update message in your WordPress Admin Screens. To update WordPress, click the link in that message.
SSL is an abbreviation used for Secure Sockets Layers, which are encryption protocols used on the internet to secure information exchange and provide certificate information.
These certificates provide an assurance to the user about the identity of the website they are communicating with. SSL may also be called TLS or Transport Layer Security protocol.
It’s important to have a secure connection for the Admin Dashboard in WordPress.
Every good developer should turn on debugging before getting started on a new plugin or theme. In fact, the WordPress Codex ‘highly recommends’ that developers use WP_DEBUG.
Unfortunately, many developers forget to turn off debug mode even after the website is live. Showing debug logs in frontend will let hackers know a lot about your WordPress website.
It’s not safe to have the Database Debug turned on. Make sure you don’t use Database debug on live websites.
Every good developer should turn on debugging before getting started on a new plugin or theme. In fact, the WordPress Codex ‘highly recommends’ that developers use SCRIPT_DEBUG.
Unfortunately, many developers forget to disable the debug mode even after the website is live. Showing debug logs in the frontend will let hackers know a lot about your WordPress website.
Displaying any kind of debug info in the frontend is extremely bad, security-wise.
If any PHP errors happen on your site, they should be logged in a safe place – and not displayed to visitors or potential attackers.
In the old days, the default WordPress admin username was ‘admin’. Since usernames make up half of the login credentials, this made it easier for hackers to launch brute-force attacks.
Thankfully, WordPress has since changed this and now requires you to select a custom username when installing WordPress.
If you do not have an e-commerce, membership or guest-posting website, you shouldn’t let users subscribe to your blog. You will end up with spam registrations, and your website will be filled with spammy content and comments.
WordPress and its plugins and themes are like any other software installed on your computer, and like any other application on your devices. Developers periodically release updates to provide new features, or fix known bugs.
These new features may not necessarily be something that you want. In fact, you may be perfectly satisfied with the functionality you currently have. Nevertheless, you are still likely to be concerned about bugs.
Software bugs can come in many shapes and sizes. A bug could be very serious, such as preventing users from using a plugin, or it could be minor and only affect a certain part of a theme, for example. In some cases, bugs can cause serious security breaches.
Keeping plugins up-to-date is one of the most important and easiest ways to keep your site secure.
Plugins that have not been updated in the last 12 months can have real security problems. Make sure you only use plugins from the WordPress Directory that are frequently updated.
Plugins that are incompatible with your version of WordPress can have real security problems. Make sure you use tested plugins from the WordPress Directory.
WordPress and its plugins and themes are like any other software installed on your computer, and like any other application on your devices. Developers periodically release updates to provide new features, or fix known bugs.
New features may not be something you necessarily want. In fact, you may be perfectly satisfied with the functionality you currently have. Nevertheless, you may still be concerned about bugs.
Software bugs can come in many shapes and sizes. A bug could be very serious, such as preventing users from using a plugin, or it could be a minor bug that only affects a certain part of a theme, for example. In some cases, bugs can even cause serious security breaches.
Keeping themes up-to-date is one of the most important and easiest ways to keep your site secure.
The WordPress database is like a brain for your entire WordPress site, because every single bit of information about your site is stored there, thus making it a hacker’s favorite target.
Spammers and hackers run automated code for SQL injections.
Unfortunately, many people forget to change the database prefix when they install WordPress.
This makes it easier for hackers to plan a mass attack by targeting the default prefix wp_.
WordPress, plugins, and themes add their version info to the source code, so anyone can see it.
Hackers can easily find websites with vulnerable versions of plugins or themes, and target these with Zero-Day Exploits.
Security keys are used to ensure better encryption of information stored in the user’s cookies and hashed passwords.
These make your site more difficult to hack, access, and crack by adding random elements to the password. You don’t have to remember these keys. In fact, once you set them, you’ll never see them again. Therefore, there’s no excuse for not setting them properly.
There is no such thing as an “unimportant password”! That includes your WordPress database password.
Although most servers are configured so that the database can’t be accessed from other hosts (or from outside of the local network), that doesn’t mean your database password should be “12345” or that you shouldn’t have a password at all.
It’s important to hide the common WordPress paths to prevent attacks on vulnerable plugins and themes.
Also, it’s important to hide the names of plugins and themes to make it impossible for bots to detect them.
If your site allows user logins, you need your login page to be easy to find for your users. You also need to do other things to protect against malicious login attempts.
However, obscurity is a valid security layer when used as part of a comprehensive security strategy, one that should be employed if you want to reduce the number of malicious login attempts. Making your login page difficult to find is one way to do that.
One of the most important files in your WordPress installation is the wp-config.php file.
This file is located in the root directory of your WordPress installation, and contains your website’s base configuration details, such as database connection information.
WordPress XML-RPC is a specification that aims to standardize communications between different systems. It uses HTTP as the transport mechanism and XML as the encoding mechanism to enable a wide range of data to be transmitted.
The two biggest assets of the API are its extensibility and its security. XML-RPC authenticates using basic authentication. It sends the username and password with each request, which is a big no-no when it comes to security.
WordPress is well-known for its ease of installation.
It’s important to hide the wp-admin/install.php and wp-admin/upgrade.php files because there have already been a couple of security issues regarding these files.
If an attacker gains access to your wp-config.php file and gets the MySQL username and password, he’ll be able to log in to that database and do whatever that account allows him to do.
That’s why it’s important to keep the account’s privileges to a bare minimum.
For instance, if you’re not installing any new plugins or updating WP, that account doesn’t need the CREATE or DROP table privileges.
For regular, day-to-day usage, these are the recommended privileges: SELECT, INSERT, UPDATE, and DELETE.
Usernames (unlike passwords) are not secret. By knowing someone’s username, you can’t log in to their account, though. You also need the password.
However, by knowing the username, you are one step closer to logging in by using the username to brute-force the password, or to gain access in a similar way.
That’s why it’s advisable to keep the list of usernames private, at least to some degree. By default, by accessing siteurl.com/?author={id} and looping through IDs starting with 1, you can get a list of usernames, because WP will redirect you to siteurl.com/author/user/ if the ID exists in the system.
I want to know more about Hide My WordPress Ghost
30-Day Money-Back Guarantee. No Long-term Contracts
