Skip to content Skip to main navigation Skip to footer

Website Security Check Report

Security Check Issues

If WPPlugins founds any security issues, it means that your WordPress CMS is easily detectable, which leaves your site exposed to hackers.

If you don’t act NOW, it’s very likely that hacker bots will manage to break into your website sooner or later. If they do, they usually remove the website content entirely and steal your database information.

The loss and recovery costs can be … oh well … you do the math.

Below you will find more details and solutions for each security breach WPPlugins may uncover for your site.

A path is visible. Brute Force attack is imminent!

This means that we found a vulnerable WordPress authentication path which hackers could exploit in order to perform brute force login attempts.

The best solution is to hide the login and admin paths from visitors and set a different login path only for your access.
You can also activate Brute Force Protection using Google reCAPTCHA or Math reCAPTCHA.

Learn how you can do this with Hide My WP Ghost – Brute Force Protection

WordPress XMLRPC Brute Force exploit detected!

XML-RPC could open your site to various attacks and lead to other security issues. This feature is not used anymore because WordPress is now using API, which is much safer and does a better job of opening up WordPress to other applications.

The best solution is to restrict the access to the /xmlrpc.php file through .htaccess or server config file if you are using other types of servers.

Learn how you can do this with Hide My WP Ghost – Hide WordPress Paths

WordPress path is still accessible!

This means that the WordPress common paths wp-content/plugins and wp-content/themes are still accessible. Knowing that most of the attacks are made on vulnerable plugins and themes, it’s crucial to hide them and not allow hackers to access the vulnerable files.

You can hide the common paths by inserting rules and filters into .htaccess for Apache and LiteSpeed servers, nginx.conf for Nginx server, web.config for IIS server.

Note! To prevent from breaking your website, you need to change the common paths first.

Learn how to do this without a plugin: https://hidemywpghost.com/article/how-to-customize-wp-content-directory-in-wordpress/

👍 Learn how you can do this with Hide My WP Ghost – Hide WordPress Paths

WordPress readme.html is accessible!

Some of the root files like readme.html, license.txt, wp-config.php contain information about your WordPress version, Database username and password, paths, and server details.

These files allow hackers to know all about your Content Management System and server without even entering your website – and are often the first files that hacker bots access.

It’s important to restrict access to all these files, as it helps you stop a lot of attacks and prevent unnecessary server traffic.

Learn how you can do this with Hide My WP Ghost – Hide WordPress Paths

WordPress old paths are visible in the source code!

This means that wp-content/plugins, wp-content/themes, /wp-admin and other common paths are visible in the source code of your website. Hacker bots will usually crawl your website to get information about your theme and plugins.

The best way to prevent this is to customize the paths and even the plugins’ and themes’ names. This way, you will stop most of the attacks that target your installed plugins and theme. After you change the paths, you can hide the old paths for enhanced WordPress security.

Learn how to customize directories: https://hidemywpghost.com/article/how-to-customize-wp-content-directory-in-wordpress/

Learn how you can do this with Hide My WP Ghost – Hide WordPress Paths

WordPress Prefetch https://s.w.org is visible!

This META is mostly added by WordPress for the emoji feature. But this META lets hackers know that you’re using WordPress as your Content Management system. As a result, bots will initiate more attacks on your site in order to find breaches and vulnerabilities they can exploit.

It’s easy to hide this META by using a WordPress hook or by using Hide My WP Ghost – WordPress Tweaks

WordPress https://api.w.org/ is visible!

api.w.org is used for WordPress REST API discovery. This is mostly used by developers, so it’s not needed in your source code. This link tells hackers that you have a WordPress website. As a result, bots will initiate more attacks to find breaches they can exploit to gain access to your site.

It’s easy to hide this link by using a WordPress hook or by using Hide My WP Ghost – WordPress Tweaks

WordPress “Powered by WordPress” is visible!

Allowing this text is the equivalent of shouting that you’re using WordPress as your CMS in a room full of hackers. 🙂

Usually, basic mistakes like these can lead to some pretty serious consequences. Good news is; you can easily remove this text from your theme option.

Note! Don’t forget to also customize the Tagline in Settings > General. The default WordPress tagline that sites get when they are created is “Just another WordPress site” – which also acts like a huge announcement, letting the world (including hackers) know that you have a WordPress website.

______________________

These are some of most common vulnerability issues that hackers typically exploit to gain access into a WordPress site.

If you are using the Hide My WP Ghost plugin, make sure to run a local Security Check to get a full security report about your website and uncover urgent security threats that leave your site exposed to different types of attacks.