Website Security Check for Your WordPress Site

Discover how the Hide My WP Ghost plugin helps you verify your website’s security level!

Why is it important to check your WordPress website's security?

Most company owners think that their business is too small to be noticed by hackers. But the reality is that hackers will try to steal data from any business.
 
WordPress is the most popular publishing platform in the world – powering over 41% of all websites.
 
Every week, Google blacklists around 20,000 websites for malware and around 50,000 for phishing. If you are serious about your website, then you need to pay attention to WordPress security best practices.

The Hide My WordPress Ghost Plugin Will Help You:

1. Detect potential security breaches on your site.

2. Identify security or access-related issues on your website before they become a problem.

3. Determine whether any of your plugins or themes have security vulnerabilities.

4. Verify site integrity (the plugin does this for you). 

5. Take preventive measures against attacks.

6. Fix potential breaches by providing step-by-step guidance.

What Does the Hide My WP Ghost Plugin check for you?

XML-RPC access is on
MySQL Permission
WP Debug Mode
Backend under SSL
DB Debug Mode
Script Debug Mode
Author URL by ID access
display_errors PHP directive
wp_login path
wp_config file
Outdated Plugins
Plugins that have not been Recently Updated

Easy-to-use. No Coding Required.

You can install and set up the plugin in less than 5 minutes. You don’t have to be an expert to make it work. No programming knowledge required.

Compatible With Other Plugins

Hide My WordPress Ghost was tested with over 1,000 other themes and plugins. It works with the most popular cache plugins, security plugins, CDN plugins, and WordPress themes.

Professional Support

We offer professional WordPress support that includes: bugs, site fixes, payment processing issues, website speed inquiries, and much more.

Faster Than Others

Hide My WordPress Ghost is a speed-optimized plugin. The average loading time is 0.03s, which is faster than 90% of WordPress plugins. This will help improve your site's Search Engine ranking.

What should you do to ensure long-term security of your website?

You can visit your site often and manually verify its vulnerabilities, or you can set up email alerts so that you are notified immediately if anything needs to be fixed.

You should check for updates frequently (at least once a week) and install them as soon as possible. Or you can use a website monitoring service that detects site changes.

In the following paragraphs, we’ll go over each checkpoint that is verified for you by the Hide My WordPress Ghost plugin – and provide more details.  

What should you verify?

PHP Version

Make sure your site is running the latest version of PHP.

Using an old version of PHP makes your site slow and prone to attacks, because known vulnerabilities in no-longer-maintained PHP versions never get patched.

More than 40% of WordPress users are still running PHP 5.6 (or lower), which is one of the factors that can expose a WordPress site to SQL injection.

You need PHP 7.0 or higher for your website.

MySQL Version

SQL injection is an injection attack in which attackers embed commands in a URL (or another input) that the application passes on to the database. (SQL is the query language used by the MySQL database.)

These attacks can reveal sensitive information about the database, potentially giving hackers an open path that enables them to modify the actual content of your site.

Using an old version of MySQL makes your site slow and prone to attacks, because known vulnerabilities in no-longer-maintained MySQL versions never get patched.

You need MySQL 5.4 or higher.

WordPress Version

You should always update WordPress to the latest version. Recently-released versions usually include security fixes that don’t alter WP in any significant way and should be applied as soon as WP makes them available. 

According to official WordPress stats, only 42.3% of WordPress sites use the latest version (4.9.x). All previous versions can be vulnerable and might lead to your site getting hacked.

When a new version of WordPress is available, you will receive an update message in your WordPress Admin Screens. To update WordPress, click the link in that message.

Backend under SSL

SSL is an abbreviation of Secure Sockets Layer, an encryption protocol used on the internet to secure the exchange of information and to present certificate information.

These certificates give the user assurance about the identity of the website they are communicating with. SSL is also commonly referred to as TLS, or Transport Layer Security, its successor protocol.

It’s important to have a secure connection for the Admin Dashboard in WordPress.

WP Debug Mode

Every good developer should turn on debugging before getting started on a new plugin or theme. In fact, the WordPress Codex ‘highly recommends’ that developers use WP_DEBUG. 

Unfortunately, many developers forget to turn off debug mode even after the website is live. Showing debug output in the frontend tells attackers a lot about your WordPress website (file paths, plugin names and versions, database table names).

DB Debug Mode

It’s not safe to have the Database Debug turned on. Make sure you don’t use Database debug on live websites.

Script Debug Mode

Every good developer should turn on debugging before getting started on a new plugin or theme. In fact, the WordPress Codex ‘highly recommends’ that developers use SCRIPT_DEBUG. 

Unfortunately, many developers forget to disable the debug mode even after the website is live. Showing debug logs in the frontend will let hackers know a lot about your WordPress website.

display_errors PHP directive

Displaying any kind of debug info in the frontend is extremely bad, security-wise. 

If any PHP errors happen on your site, they should be logged in a safe place – and not displayed to visitors or potential attackers.
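The four debug checkpoints above (WP Debug Mode, DB Debug Mode, Script Debug Mode and the display_errors directive) are all controlled from wp-config.php. The following fragment is an added example of a production configuration; it is not code from the Hide My WP Ghost plugin, and the two log file paths are assumptions to adapt to your server.

```php
<?php
// Production debug settings for wp-config.php (added example; not code from
// the Hide My WP Ghost plugin). Put these lines above the
// "/* That's all, stop editing! */" comment so they apply before WordPress loads.

// Master switch: off in production. When WP_DEBUG is false, WordPress also
// leaves $wpdb error display off, which is the "DB debug off" state the
// checkpoint above looks for.
define( 'WP_DEBUG', false );

// Set the companion constants explicitly anyway, so a developer who flips
// WP_DEBUG back on for a quick test cannot accidentally print notices to
// visitors or drop a log file inside the web root.
define( 'WP_DEBUG_DISPLAY', false );               // never render PHP notices in pages
define( 'WP_DEBUG_LOG', '/var/log/wp/debug.log' ); // assumed path outside the web root;
                                                   // `true` would write wp-content/debug.log,
                                                   // which visitors can fetch over HTTP
define( 'SCRIPT_DEBUG', false );                   // serve minified core CSS/JS, not dev builds
define( 'SAVEQUERIES', false );                    // don't keep every SQL query in memory

// PHP-level counterpart of the display_errors checkpoint: log, never display.
// The log directory must be writable by the web server but not web-reachable.
@ini_set( 'display_errors', '0' );
@ini_set( 'log_errors', '1' );
@ini_set( 'error_log', '/var/log/wp/php-error.log' ); // assumed path
```

Two caveats when applying this: PHP keeps the first `define()` of a constant and warns on the second, so remove any earlier `WP_DEBUG` line in the file rather than adding a second one; and a host-level php.ini or `.user.ini` may still set `display_errors=On`, so confirm the effective value with `ini_get('display_errors')` from a throwaway script after the change.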

User 'admin' as Administrator

In the old days, the default WordPress admin username was ‘admin’. Since usernames make up half of the login credentials, this made it easier for hackers to launch brute-force attacks. 

Thankfully, WordPress has since changed this and now requires you to select a custom username when installing WordPress.

Spammers can easily sign up

If you do not have an e-commerce, membership or guest-posting website, you shouldn’t let users subscribe to your blog. You will end up with spam registrations, and your website will be filled with spammy content and comments.

Outdated Plugins

WordPress, its plugins, and its themes are software like any other application installed on your devices: developers periodically release updates to add features or to fix known bugs.

These new features may not necessarily be something that you want. In fact, you may be perfectly satisfied with the functionality you currently have. Nevertheless, you are still likely to be concerned about bugs.

Software bugs can come in many shapes and sizes. A bug could be very serious, such as preventing users from using a plugin, or it could be minor and only affect a certain part of a theme, for example. In some cases, bugs can cause serious security breaches. 

Keeping plugins up-to-date is one of the most important and easiest ways to keep your site secure.

Plugins that Have Not Been Recently Updated

Plugins that have not been updated in the last 12 months can have real security problems. Make sure you only use plugins from the WordPress Directory that are frequently updated.

Version Incompatible Plugins

Plugins that are incompatible with your version of WordPress can have real security problems. Make sure you use tested plugins from the WordPress Directory.

Outdated Themes

WordPress, its plugins, and its themes are software like any other application installed on your devices: developers periodically release updates to add features or to fix known bugs.

New features may not be something you necessarily want. In fact, you may be perfectly satisfied with the functionality you currently have. Nevertheless, you may still be concerned about bugs.

Software bugs can come in many shapes and sizes. A bug could be very serious, such as preventing users from using a plugin, or it could be a minor bug that only affects a certain part of a theme, for example. In some cases, bugs can even cause serious security breaches.

Keeping themes up-to-date is one of the most important and easiest ways to keep your site secure.

Database Prefix

The WordPress database is like a brain for your entire WordPress site, because every single bit of information about your site is stored there, thus making it a hacker’s favorite target. 

Spammers and hackers run automated code for SQL injections. Unfortunately, many people forget to change the database prefix when they install WordPress. This makes it easier for hackers to plan a mass attack by targeting the default prefix wp_.

Versions in Source Code

WordPress, plugins, and themes add their version info to the source code, so anyone can see it. 

Hackers can easily find websites running vulnerable versions of plugins or themes and target them with exploits for those versions (including zero-day exploits).

Salts and Security Keys Valid

Security keys are used to ensure better encryption of information stored in the user’s cookies and hashed passwords. 

These make your site more difficult to hack, access, and crack by adding random elements to the password. You don’t have to remember these keys. In fact, once you set them, you’ll never see them again. Therefore, there’s no excuse for not setting them properly.

WordPress Database Password

There is no such thing as an “unimportant password”! That includes your WordPress database password. 

Although most servers are configured so that the database can’t be accessed from other hosts (or from outside of the local network), that doesn’t mean your database password should be “12345” or that you shouldn’t have a password at all.
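The Database Prefix, Salts and Security Keys, and WordPress Database Password checkpoints above all live in the same file. The fragment below is an added example of what a passing wp-config.php looks like for those three items; it is not the plugin's code, and every value in it is a constructed placeholder to replace with your own.

```php
<?php
// Database credentials, table prefix and security keys in wp-config.php
// (added example; not code from the Hide My WP Ghost plugin). All values
// below are constructed placeholders.

// A dedicated MySQL user for this one site, with a long random password.
// The database being reachable only from localhost is no reason for a weak one.
define( 'DB_NAME',     'example_wp' );
define( 'DB_USER',     'example_wp_user' );
define( 'DB_PASSWORD', 'REPLACE-WITH-32-PLUS-RANDOM-CHARACTERS' );
define( 'DB_HOST',     'localhost' );

// Weak (default) prefix that automated SQL-injection tooling assumes:
//     $table_prefix = 'wp_';
// Custom prefix: letters, digits and underscores only.
$table_prefix = 'q7kx3_';

// Salts and keys. The checkpoint flags the sample file's placeholder text:
//     define( 'AUTH_KEY', 'put your unique phrase here' );
// Replace all eight values with the output of
// https://api.wordpress.org/secret-key/1.1/salt/ (each is a fresh
// 64-character random string; the strings below are placeholders).
define( 'AUTH_KEY',         'REPLACE-ME-1' );
define( 'SECURE_AUTH_KEY',  'REPLACE-ME-2' );
define( 'LOGGED_IN_KEY',    'REPLACE-ME-3' );
define( 'NONCE_KEY',        'REPLACE-ME-4' );
define( 'AUTH_SALT',        'REPLACE-ME-5' );
define( 'SECURE_AUTH_SALT', 'REPLACE-ME-6' );
define( 'LOGGED_IN_SALT',   'REPLACE-ME-7' );
define( 'NONCE_SALT',       'REPLACE-ME-8' );
```

Rotating the keys and salts invalidates every existing login cookie (all users are signed out) but does not touch stored password hashes, so it is safe to do at any time. Changing `$table_prefix` on a site that is already installed is more involved: every table has to be renamed, and the `wp_user_roles` option plus the `wp_capabilities` and `wp_user_level` usermeta keys have to be renamed to the new prefix, otherwise nobody can log in. Finally, make the file read-only for the web server user (for example mode 0440) so that the "wp-config.php file is writable" checkpoint passes as well.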

/wp-content path is accessible

It’s important to hide the common WordPress paths to prevent attacks on vulnerable plugins and themes.

Also, it is important to hide the names of plugins and themes to make it impossible for bots to detect them.

/wp-login path is accessible

If your site allows user logins, you need your login page to be easy to find for your users. You also need to do other things to protect against malicious login attempts. 

However, obscurity is a valid security layer when used as part of a comprehensive security strategy, and it is one you should employ if you want to reduce the number of malicious login attempts. Making your login page difficult to find is one way to do that.

/wp-config.php file is writable

One of the most important files in your WordPress installation is wp-config.php. It is located in the root directory of your WordPress installation and contains your website's base configuration details, such as the database connection information.

XML-RPC access is on

WordPress XML-RPC is a specification that aims to standardize communications between different systems. It uses HTTP as the transport mechanism and XML as the encoding mechanism to enable a wide range of data to be transmitted. 

The two most notable characteristics of the API are its extensibility and its security model: XML-RPC authenticates using basic authentication, sending the username and password with every request, which is a big no-no when it comes to security.

install.php & upgrade.php files are accessible

WordPress is well-known for its ease of installation. It is important to hide the wp-admin/install.php and wp-admin/upgrade.php files, because there have already been a couple of security issues regarding these files.

MySQL Grant All Permissions

If an attacker gains access to your wp-config.php file and obtains the MySQL username and password, they will be able to log in to that database and do whatever that account allows them to do.

That’s why it’s important to keep the account’s privileges to a bare minimum.

For instance, if you’re not installing any new plugins or updating WP, that account doesn’t need the CREATE or DROP table privileges.

For regular, day-to-day usage, these are the recommended privileges: SELECT, INSERT, UPDATE, and DELETE.

Author URL by ID access

Usernames (unlike passwords) are not secret. By knowing someone’s username, you can’t log in to their account, though. You also need the password. 

However, by knowing the username, you are one step closer to logging in by using the username to brute-force the password, or to gain access in a similar way. 

That’s why it’s advisable to keep the list of usernames private, at least to some degree. By default, by accessing siteurl.com/?author={id} and looping through IDs starting with 1, you can get a list of usernames, because WP will redirect you to siteurl.com/author/user/ if the ID exists in the system.
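The XML-RPC and Author URL by ID checkpoints above can both be closed from a small must-use plugin. The file below is an added example written for this page, not code from the Hide My WP Ghost plugin; the plugin name, the function name `example_is_author_id_probe` and the file location are assumptions.

```php
<?php
/**
 * Plugin Name: Example hardening: XML-RPC off, author-ID probing blocked
 *
 * Added example, not part of the Hide My WP Ghost plugin. Save it as
 * wp-content/mu-plugins/example-hardening.php; must-use plugins load on
 * every request without needing activation.
 */

// XML-RPC: WordPress honours this core filter and answers every xmlrpc.php
// call with a "services are disabled" fault, so no credentials are accepted
// over that endpoint any more.
add_filter( 'xmlrpc_enabled', '__return_false' );

/**
 * Decide whether a request's query string is a numeric author probe such as
 * ?author=1 (or ?author=1&foo=bar). Pure function so it can be unit-tested.
 * Named archives like /author/alice/ are deliberate links and are left alone;
 * only the ID form, which WordPress would resolve to a username, is matched.
 */
function example_is_author_id_probe( string $query_string ): bool {
    return (bool) preg_match( '/(?:^|&)author=\d+(?:&|$)/', $query_string );
}

// Run at init, before WordPress's canonical redirect turns ?author=N into
// /author/{username}/ and thereby confirms that the account exists.
add_action( 'init', function () {
    if ( is_admin() || is_user_logged_in() ) {
        return; // editors legitimately filter by author inside wp-admin
    }
    $qs = isset( $_SERVER['QUERY_STRING'] ) ? (string) $_SERVER['QUERY_STRING'] : '';
    if ( example_is_author_id_probe( $qs ) ) {
        status_header( 404 );   // identical answer for every ID: nothing to learn
        nocache_headers();      // keep caches and CDNs from storing the response
        exit;
    }
} );
```

This covers only the `?author={id}` redirect described above. Usernames can also be exposed through other routes that this page does not cover, for instance the REST API's users endpoint (`/wp-json/wp/v2/users`), which lists authors of published posts and needs its own treatment.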

Love what you see?

I want to know more about Hide My WordPress Ghost