You need to run the security check periodically to ensure that all the hack-prevention security options are working and the Website is hidden from hacker bots.
WP Ghost Security Check will help you to:
Detect potential security breaches on your site. Identify security or access issues on your website before they become a problem. Determine whether any of your plugins or themes have security vulnerabilities. It also tells you which security features to activate to fix potential breaches.
Run a Website Security Check
To run a security check, go to WP Ghost > Security Check and click the Start Scan button.

WP Ghost will run 39 security tasks to detect all potential breaches. Once the scan finishes, you will receive a complete list of vulnerabilities and instructions for fixing them.
All The Security Tasks

PHP Version

Make sure your site is running the latest version of PHP.
Using an old version of PHP makes your site slow and prone to attacks, as there are known vulnerabilities in versions of PHP that are no longer maintained.
More than 40% of WordPress users are still on PHP 7 or older, which can be one factor behind SQL injection in WordPress.
You need PHP 8.0 or higher for your website.
MySql Version

SQL injection describes a class of attacks in which hackers embed commands in a URL that trigger behaviors in the database. (SQL is the command language used by the MySQL database.)
These attacks can reveal sensitive information about the database and potentially let hackers modify the actual content of your site.
Using an old version of MySQL makes your site slow and prone to attacks, as there are known vulnerabilities in versions of MySQL that are no longer maintained.
You need MySQL 8 or higher. If you use MariaDB, you need MariaDB 10 or higher.
WordPress Version

You should always update WordPress to the latest version. Updates are usually security fixes that don’t significantly alter WordPress and should be applied as soon as they are released.
According to the official WordPress stats, over 30% of WordPress sites are still running version 5.x. These versions can be vulnerable and might result in your site getting hacked.
When a new version of WordPress is available, you will receive an update message on your WordPress Admin Screens. To update WordPress, click the link in this message.
Backend under SSL

SSL is an abbreviation for Secure Sockets Layer, an encryption protocol used on the Internet to secure information exchange and provide certificate information.
These certificates assure the user of the identity of the website they are communicating with. SSL may also be called TLS, or Transport Layer Security.
It’s essential to have a secure connection for the Admin Dashboard in WordPress.
WP Debug Mode

Every good developer should turn on debugging before starting a new plugin or theme. The WordPress Codex highly recommends that developers use WP_DEBUG.
Unfortunately, many developers forget the debug mode even when the website is live. Showing debug logs in the front end will let hackers know a lot about your WordPress website.
DB Debug Mode

It’s not safe to have Database Debug turned on. Don’t use it on live websites.
Script Debug Mode

Good developers should turn on debugging before starting a new plugin or theme. The WordPress Codex ‘highly recommends’ that developers use SCRIPT_DEBUG.
Unfortunately, many developers forget the debug mode even when the website is live. Showing debug logs on the front end will inform hackers about your WordPress website.
Display_errors PHP directive

Displaying any kind of debug info in the frontend is extremely bad.
If PHP errors happen on your site, they should be logged safely and not displayed to visitors or potential attackers.
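As an added illustration (not part of the WP Ghost documentation), here are the debug-related wp-config.php settings behind the four checks above, shown as they are often left on a live site and as they should be set in production; the log path is an assumed example.

```php
<?php
// Added example, not from the WP Ghost documentation. The debug settings the
// checks above look at, as they are often forgotten on a live site and as they
// should be set in production. The log path is an assumed example.

// --- As often forgotten on a live site (weak) ---
// define('WP_DEBUG', true);          // notices and warnings are generated...
// define('WP_DEBUG_DISPLAY', true);  // ...and rendered into every visitor's page
// define('SCRIPT_DEBUG', true);      // unminified core scripts, easier to fingerprint
// define('SAVEQUERIES', true);       // every SQL query is kept in memory by $wpdb
// @ini_set('display_errors', '1');   // PHP prints its own errors too

// --- Production (hardened) ---
define('WP_DEBUG', false);           // with WP_DEBUG off, $wpdb also stops showing query errors
define('WP_DEBUG_DISPLAY', false);   // even if WP_DEBUG is turned on later, never render errors
define('WP_DEBUG_LOG', '/var/log/wordpress/debug.log'); // log outside the web root, not wp-content/debug.log
define('SCRIPT_DEBUG', false);
define('SAVEQUERIES', false);
@ini_set('display_errors', '0');     // PHP's own directive, belt and braces
@ini_set('log_errors', '1');
```

Keeping WP_DEBUG_DISPLAY false even while WP_DEBUG is true lets developers debug from the log file without anything reaching the front end.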
User ‘admin’ as Administrator

In the past, the default WordPress username was “admin.” Since usernames make up half of the login credentials, this made it easier for hackers to launch brute-force attacks.
Thankfully, WordPress has since changed this and now requires you to select a custom username when installing WordPress.
Spammers can easily Signup

You shouldn’t let users subscribe to your blog if you don’t have an e-commerce, membership, or guest posting website. You will end up with spam registrations, and your website will be filled with spammy content and comments.
If you allow user registration, we recommend using Brute Force protection on the registration form. You can activate it from WP Ghost > Brute Force > Settings.
Outdated Plugins

WordPress and its plugins and themes are like any other software installed on your computer or any other application installed on your devices. Periodically, developers release updates that provide new features or fix known bugs.
These new features may not necessarily be something that you want. You may be delighted with the functionality you currently have. Nevertheless, you are still likely to be concerned about bugs.
Software bugs can come in many shapes and sizes. They could be very serious, such as preventing users from using a plugin, or they could be minor and only affect a certain part of a theme, for example. In some cases, bugs can cause serious security holes.
Keeping plugins up to date is one of the most important and easiest ways to keep your site secure.
Not Recent Updated Plugins

Plugins not updated in the last 12 months can have real security problems. Make sure you use plugins from the WordPress Directory that are still actively maintained.
Outdated Themes

WordPress and its plugins and themes are like any other software installed on your computer or any other application installed on your devices. Periodically, developers release updates that provide new features or fix known bugs.
These new features may not necessarily be something that you want. You may be delighted with the functionality you currently have. Nevertheless, you are still likely to be concerned about bugs.
Software bugs can come in many shapes and sizes. They could be very serious, such as preventing users from using a plugin, or they could be minor, only affecting a certain part of a theme, for example. In some cases, bugs can even cause serious security holes.
Keeping themes up to date is one of the most important and easiest ways to keep your site secure.
Database Prefix

The WordPress database is like a brain for your entire WordPress site because it stores every bit of information about your site, making it a hacker’s favorite target.
Spammers and hacker bots run automated code for SQL injections. Unfortunately, many people forget to change the database prefix when they install WordPress. This makes it easier for hackers to plan a mass attack by targeting the default prefix wp_.
File Permission

File permissions in WordPress play a critical role in website security. Properly configuring these permissions ensures unauthorized users cannot access sensitive files and data.
Incorrect permissions can inadvertently open your website to attacks, making it vulnerable.
As a WordPress administrator, understanding and correctly setting file permissions is essential for safeguarding your site against potential threats.
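An added example, not WP Ghost's own code: a function that walks a WordPress tree and reports the permission problems this check is about (world-writable entries, executable PHP files, and a readable wp-config.php); the function name is hypothetical and it assumes the web server runs as a user separate from the file owner.

```php
<?php
// Added example (not WP Ghost code): report permission findings under a
// WordPress root. Function name is hypothetical.

function wp_permission_findings(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $mode = $info->getPerms() & 0777;
        $rel  = substr($path, strlen($root));
        if ($mode & 0002) {
            // World-writable: any account on the host could plant code here.
            $findings[] = sprintf('%s is world-writable (%04o)', $rel, $mode);
        } elseif ($info->isFile() && ($mode & 0111)) {
            // PHP files are interpreted, never executed; 0644 (or 0640) is enough.
            $findings[] = sprintf('%s is executable (%04o)', $rel, $mode);
        }
    }
    // wp-config.php holds the DB credentials and salts: no access for "others".
    $cfg = $root . '/wp-config.php';
    if (is_file($cfg) && (fileperms($cfg) & 0007)) {
        $findings[] = sprintf('wp-config.php is world-accessible (%04o)', fileperms($cfg) & 0777);
    }
    return $findings;
}

// Usage from WP-CLI or a cron job, never from a web request:
// foreach (wp_permission_findings(ABSPATH) as $f) { error_log('[perms] ' . $f); }
```

Directories are normally 0755 and files 0644; the function deliberately does not flag group-writable entries, since some hosts require 0775 on wp-content/uploads.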
Versions in Source Code

WordPress, plugins, and themes add their version info to the source code, so anyone can see it.
Hacker bots can easily find websites running plugins or themes with a vulnerable version and target them with zero-day exploits and SQL/script injections.
Salts and Security Keys valid

Security keys ensure better encryption of information stored in the user’s cookies and hashed passwords.
The security keys are AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT.
These make your site more difficult to hack, access, and crack by adding random elements to the password. You don’t have to remember these keys. Once you set them up, you’ll never see them again. Therefore, there’s no excuse for not setting them properly.
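An added example, not WP Ghost's own code: a function that checks the eight keys against the problems described above (missing, still the sample placeholder, too short, or reused between keys); the function name is hypothetical and it assumes it runs after wp-config.php has been loaded, e.g. from a must-use plugin.

```php
<?php
// Added example (not WP Ghost code): validate the eight security keys and
// salts defined in wp-config.php. Function name is hypothetical.

function wp_salt_problems(): array
{
    $names = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
              'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];
    $problems = [];
    $seen = [];
    foreach ($names as $name) {
        if (!defined($name)) {
            // WordPress then generates a value and stores it in the database,
            // so the secret lives next to the data it is meant to protect.
            $problems[] = "$name is not defined in wp-config.php";
            continue;
        }
        $value = (string) constant($name);
        // wp-config-sample.php ships this placeholder for every key.
        if ($value === '' || $value === 'put your unique phrase here') {
            $problems[] = "$name still has the sample placeholder";
            continue;
        }
        // The api.wordpress.org generator emits 64-character values; shorter
        // or low-variety strings were almost certainly typed by hand.
        if (strlen($value) < 64 || count(count_chars($value, 1)) < 16) {
            $problems[] = "$name is too short or not random enough";
        }
        // One string reused for several keys defeats their purpose.
        if (isset($seen[$value])) {
            $problems[] = "$name reuses the value of {$seen[$value]}";
        }
        $seen[$value] = $name;
    }
    return $problems;
}

// Usage: report to the administrator, never to visitors.
// foreach (wp_salt_problems() as $p) { error_log('[salts] ' . $p); }
```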
Security Keys Updated

The security keys in wp-config.php should be renewed as often as possible.
The security keys are AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT.
WordPress Database Password

There is no such thing as an “unimportant password”, and the same goes for your WordPress database password.
Although most servers are configured so the database can’t be accessed from other hosts (or from outside of the local network), that doesn’t mean your database password should be “12345” or no password.
/wp-content path is visible in source code

It’s important to rename common WordPress paths, such as wp-content and wp-includes, to prevent hackers from knowing you have a WordPress website.
Renaming these paths makes it harder for attackers to identify your site as a WordPress site, reducing the risk of targeted attacks.
/wp-content path is accessible

It’s important to hide and secure the common WordPress paths to prevent attacks on vulnerable plugins and themes.
Hackers and automated bots specifically target WordPress sites because WordPress is widely used and has known folder structures like wp-content and wp-includes.
Hiding and securing these paths prevents hacker bots from easily accessing or exploiting plugins and theme vulnerabilities.
/wp-login.php path is accessible

Hiding WordPress wp-login.php is essential because it prevents hackers and bots from finding the login page, their main entry point for attacks. If the login page is hidden, it becomes much harder for attackers to try brute-force attacks, where they attempt to guess usernames and passwords.
By hiding this path, you reduce the chances of unauthorized access, making your website safer. It also minimizes server load caused by repeated login attempts from bots.
In short, hiding wp-login.php adds an extra layer of protection to keep your WordPress site secure.
New Admin Path is visible in source code

Having the admin URL visible in the source code is awful because hackers will immediately know your secret admin path and start a Brute-Force attack. The custom admin path should not appear in the source code or Ajax URL.
New Login Path is visible in source code

Having the login URL visible in the source code is awful because hackers will immediately know your secret login path and start a Brute Force attack.
The custom login path should be kept secret, and you should have Brute Force Protection activated for it.
Plugins/Themes editor disabled

The plugins and themes file editor is a very convenient tool because it enables you to make quick changes without the need to use FTP.
Unfortunately, it’s also a security issue because it not only shows the PHP source code but also enables attackers to inject malicious code into your site if they manage to gain access to the admin.
wp-config.php and wp-config-sample.php files are accessible

One of the most critical files in your WordPress installation is the wp-config.php file.
This file is located in the root directory of your WordPress installation and contains your website’s base configuration details, such as database connection information.
By hiding this file, you reduce the chances of data exposure, making your website safer.
readme.html file is accessible

Hiding the readme.html file in WordPress is essential because it reveals the WordPress version you’re using, which can help attackers exploit known vulnerabilities in that version.
Removing or hiding this file prevents hackers from gaining critical information about your site’s setup, reducing the risk of targeted attacks.
install.php and upgrade.php files are accessible

Hiding wp-admin/install.php and wp-admin/upgrade.php in WordPress is important because attackers can exploit these files to reinstall or overwrite your site, potentially causing data loss or unauthorized access.
You protect your site from vulnerabilities during installation or update processes by hiding or restricting access to these files.
Firewall against injections is loaded

The most common way to hack a website is to access the domain and add harmful queries to reveal information from files and databases.
These attacks are made on any website, WordPress or not, and if a call succeeds … it will probably be too late to save the website.
XML-RPC access is on

WordPress XML-RPC is a specification that aims to standardize communications between different systems. It uses HTTP as the transport mechanism and XML as the encoding mechanism to enable the transmission of a wide range of data.
The API’s two most significant assets are its extensibility and security. XML-RPC authenticates using basic authentication: with each request, it sends the username and password, which is a big no-no in security circles.
Author URL by ID access

Usernames (unlike passwords) are not secret. Knowing someone’s username does not by itself let you log in to their account; you also need the password.
However, knowing the username brings you one step closer to logging in using the username to brute-force the password or to gain access in a similar way.
That’s why it’s advisable to keep the list of usernames private, at least to some degree. By default, by accessing domain.com/?author={id} and looping through IDs from 1, you can get a list of usernames because WP will redirect you to domain.com/author/user/ if the ID exists in the system.
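Three of the findings above can be closed by a site owner with a few core hooks: version strings in the source code, XML-RPC, and the author-ID redirect just described. This is an added must-use plugin example, not WP Ghost's code; it uses only WordPress core hooks and the plugin name is hypothetical.

```php
<?php
/**
 * Plugin Name: Example hardening (added illustration, not WP Ghost code)
 * Drop into wp-content/mu-plugins/.
 */

// 1. Versions in source code: drop the <meta name="generator"> tag and the
//    ?ver= query string WordPress appends to enqueued scripts and styles.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
$strip_ver = function ($src) {
    return is_string($src) ? remove_query_arg('ver', $src) : $src;
};
add_filter('script_loader_src', $strip_ver, 15);
add_filter('style_loader_src', $strip_ver, 15);

// 2. XML-RPC: disable the endpoint (no more credentials in every request)
//    and stop advertising it through the X-Pingback header.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// 3. Author enumeration: a front-end request for /?author=N would normally
//    be redirected to /author/<login>/, revealing the username. Send it to
//    the home page instead. Runs on 'init', before redirect_canonical().
add_action('init', function (): void {
    if (is_admin()) {
        return; // wp-admin uses ?author= legitimately for post filtering
    }
    $author = $_GET['author'] ?? '';
    if ($author !== '' && preg_match('/^\d+$/', (string) $author) === 1) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});
```

The REST API users endpoint exposes the same login names and needs its own restriction; this snippet only covers the ?author= redirect the text describes.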
PHP register_globals is On

register_globals is a deprecated PHP configuration setting that automatically imports global variables from user inputs like GET, POST, COOKIE, and REQUEST into the global namespace. For example, if a user sends a URL like domain.com?user=admin, the register_globals feature would create a global variable $user with the value admin.
This behavior is highly insecure because attackers can overwrite essential variables in your application, potentially leading to vulnerabilities like code injection or privilege escalation.
PHP expose_php is On

Exposing the PHP version will make the job of attacking your site much easier as they already know the PHP version and its vulnerabilities.
PHP safe_mode is On

PHP safe mode was one of the attempts to solve the security problems of shared web hosting servers.
Although some web hosting providers still use it, this is considered improper nowadays. A systematic approach proves that it’s architecturally incorrect to try solving complex security issues at the PHP level rather than at the web server and OS levels.
Technically, safe mode is a PHP directive that restricts the way some built-in PHP functions operate. The main problem here is inconsistency. When turned on, PHP safe mode may prevent many legitimate PHP functions from working correctly. At the same time, there exists a variety of methods to override safe mode limitations using PHP functions that aren’t restricted, so if a hacker has already gotten in, safe mode is useless.
PHP allow_url_include is On

Enabling this PHP directive will expose your site to cross-site attacks (XSS).
There’s absolutely no valid reason to enable this directive, and using any PHP code that requires it is very risky.
Folder uploads is browsable

Allowing anyone to view all files in the Uploads folder with a browser will allow them to download all your uploaded files easily. This is a security and copyright issue.
Windows Live Writer is on

If you’re not using Windows Live Writer, there’s really no valid reason to have its link in the page header because this tells the whole world you’re using WordPress.
Default WordPress Tagline

The WordPress site tagline is a short phrase under the site title, similar to a subtitle or advertising slogan. A tagline’s goal is to convey your site’s essence to visitors.
If you don’t change the default tagline, it will be very easy to detect that your website was built with WordPress.