WordPress Security Scanner

More than 60 thousand WordPress sites get hacked every day. Getting hacked is extremely frustrating: it costs time, money, reputation and nerves, and what makes it worse is that in most cases it is completely avoidable if you follow WordPress security best practices. No site is completely hack-proof; the fact that huge companies get hacked all the time is the best example of that. A tiny effort, however, dramatically improves your chances of not getting hacked.



Enter the URL and scan your site. The scan is completely safe: it will not simulate a brute-force attack or perform any other action that could jeopardize your site. The scanner runs the following checks.

Check if readme.html is accessible via HTTP
There is nothing wrong with advertising that your site runs WordPress, but hide the exact version you're using. readme.html contains the WordPress version, and if it is left at its default location (the WordPress root) an attacker can read your version with a single request and match it against known vulnerabilities for that release.

Check if response headers contain detailed PHP version info
As with the WordPress version, disclosing the exact PHP version (typically in the X-Powered-By header) makes attacking your site easier. This is not a WordPress issue as such, but it definitely affects your site.

Try getting the list of usernames
Disclosing usernames is not a terrible mistake on its own: an attacker still needs the password to log in. Hiding them does, however, make brute-force attacks on your accounts harder, because the attacker has to guess both halves of the credential instead of one.

Check for display of unnecessary information on failed login attempts
By default, WordPress tells you on a failed login whether it was the username or the password that was wrong. An attacker can use that to find out which usernames exist on your system and then brute-force only the password.

Check if install.php is accessible via HTTP
There have already been several security issues involving install.php. Once WordPress is installed this file serves no purpose, so there is no reason to leave it at its default location and reachable via HTTP.

Check if upgrade.php is accessible via HTTP
There have been security issues involving this file too. Regardless of those, it is never a good idea to let anyone run database upgrade scripts without your knowledge. The file is useful, but it should not be reachable at its default location.

Check if the uploads folder is browsable
If anyone can list the uploads folder just by pointing a browser at it, they can download every file you have ever uploaded. That is both a security and a copyright issue.

Check if the admin interface is delivered via HTTPS
Serving WordPress administration over HTTPS makes it much harder for someone on the network to steal your cookies or authentication headers and use them to impersonate you in wp-admin. It also prevents eavesdropping on your content, which matters for sites such as legal blogs that hold drafts of documents needing strict protection.
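The checks above can be expressed as a small script. What follows is an added illustration in Python, not the scanner's own code: each check looks at a fetched response (status, headers, body, final URL after redirects) and reports a finding. The page does not state how it enumerates usernames, so the method here (the ?author=1 archive redirect on a default install) is an assumption, as are the error strings matched for the login check and the Apache-style "Index of" page used to detect directory listing. The host wp.example.test and the canned responses are constructed so the script runs offline; with a URL argument it fetches the real pages instead. Note that the login check sends exactly one failed login with a bogus username, so run it only against sites you own.

```python
import re
import sys
import urllib.error
import urllib.request
from collections import namedtuple
from urllib.parse import urlencode, urljoin, urlsplit

# One fetched page: status, headers (lower-cased names), body text and the
# URL the client ended up at after following redirects.
Resp = namedtuple("Resp", "status headers body url")
WP_VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)+)")
PHP_VERSION_RE = re.compile(r"PHP/(\d+(?:\.\d+)+)")

def run_checks(base, fetch):
    """Return findings for the site at `base` (must end with '/').
    `fetch(method, url, data=None) -> Resp` is injected so the same checks run
    against a live site (live_fetch) or constructed responses (fake_fetch)."""
    findings = []
    get = lambda path: fetch("GET", urljoin(base, path))

    # readme.html at the WordPress root leaks the exact core version
    r = get("readme.html")
    if r.status == 200:
        m = WP_VERSION_RE.search(r.body)
        findings.append("readme.html reachable" +
                        (f", discloses WordPress {m.group(1)}" if m else ""))

    # exact PHP version in the X-Powered-By or Server header of the front page
    r = get("")
    for name in ("x-powered-by", "server"):
        m = PHP_VERSION_RE.search(r.headers.get(name, ""))
        if m:
            findings.append(f"{name} header discloses PHP {m.group(1)}")

    # username enumeration (assumed method: on a default install ?author=1
    # redirects to /author/<login>/, exposing the first user's login name)
    m = re.search(r"/author/([^/?#]+)", get("?author=1").url)
    if m:
        findings.append(f"author archive reveals username '{m.group(1)}'")

    # one failed login with a bogus user: does the error admit it is unknown?
    r = fetch("POST", urljoin(base, "wp-login.php"), data={"log": "nosuchuser", "pwd": "x"})
    if "Invalid username" in r.body or "is not registered on this site" in r.body:
        findings.append("wp-login.php reveals whether a username exists")

    # installer and upgrader still reachable at their default paths
    for path in ("wp-admin/install.php", "wp-admin/upgrade.php"):
        if get(path).status == 200:
            findings.append(f"{path} reachable via HTTP")

    # directory listing (Apache-style autoindex page) on the uploads folder
    r = get("wp-content/uploads/")
    if r.status == 200 and "Index of" in r.body:
        findings.append("wp-content/uploads/ is browsable")

    # the admin interface must end up on HTTPS once redirects are followed
    if urlsplit(get("wp-admin/").url).scheme != "https":
        findings.append("wp-admin served over plain HTTP")
    return findings

def live_fetch(method, url, data=None):
    """Standard-library fetcher: follows redirects, returns 4xx/5xx as a Resp."""
    req = urllib.request.Request(url, data=urlencode(data).encode() if data else None,
                                 method=method, headers={"User-Agent": "wp-lhf-check/0.1"})
    try:
        resp = urllib.request.urlopen(req, timeout=10)
    except urllib.error.HTTPError as err:  # an HTTPError is itself a response object
        resp = err
    body = resp.read().decode("utf-8", "replace")
    resp.close()
    return Resp(resp.getcode(), {k.lower(): v for k, v in resp.headers.items()}, body, resp.geturl())

# Constructed responses for a fictional site so the checks can run offline.
BASE = "http://wp.example.test/"

def canned(status, url, body="", **headers):
    return Resp(status, {k.replace("_", "-"): v for k, v in headers.items()}, body, url)

CANNED = {
    ("GET", BASE + "readme.html"): canned(200, BASE + "readme.html", "<br />Version 6.4.2"),
    ("GET", BASE): canned(200, BASE, "<html>", x_powered_by="PHP/8.1.27"),
    ("GET", BASE + "?author=1"): canned(200, BASE + "author/admin/"),  # redirected
    ("POST", BASE + "wp-login.php"): canned(200, BASE + "wp-login.php",
        "<strong>Error</strong>: The username <strong>nosuchuser</strong> is not registered on this site."),
    ("GET", BASE + "wp-admin/install.php"): canned(200, BASE + "wp-admin/install.php"),
    ("GET", BASE + "wp-admin/upgrade.php"): canned(403, BASE + "wp-admin/upgrade.php"),
    ("GET", BASE + "wp-content/uploads/"): canned(200, BASE + "wp-content/uploads/",
                                                  "<title>Index of /wp-content/uploads</title>"),
    ("GET", BASE + "wp-admin/"): canned(200, "https://wp.example.test/wp-login.php"),  # HTTPS: ok
}

def fake_fetch(method, url, data=None):
    return CANNED.get((method, url), canned(404, url))

if __name__ == "__main__":  # usage: python wp_check.py https://your-site.example/
    target = sys.argv[1].rstrip("/") + "/" if len(sys.argv) > 1 else None
    for f in (run_checks(target, live_fetch) if target else run_checks(BASE, fake_fetch)):
        print("-", f)
```

The fetcher is injected rather than hard-wired so the decision logic can be exercised against canned responses; against the constructed site the script reports six findings (readme version, PHP header, username, login oracle, install.php, browsable uploads) and passes the upgrade.php and HTTPS checks. A 200 from install.php still counts as reachable even when it only says WordPress is already installed: the point of the check is that the file is exposed at all.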

Hackers love low-hanging fruit

An attacker with no specific target goes after whatever is easiest: the sites that take almost no effort to break into. All we're saying is, don't be in that category. Believe us, it doesn't take much, because a lot of people have 12345 set as their password and don't update WordPress core, plugins or themes for years.

We've created this free scanner to show you a few things you should check on your site. None of the listed issues is dangerous by itself, but together they make you the low-hanging fruit and increase your chances of being hacked. Just enter your site's URL and click Scan Site. The scan takes only a few seconds, your site won't slow down, and nothing bad will happen to it. If you want to find out more about the tests, get help fixing them and run over 40 tests to secure your site, we recommend installing Security Ninja. It's free on the official WordPress repository and will help you make your WordPress website more secure.

