Security Audits and Prevention

wordpress security services

Secure Your Site with WP ShieldMatrix

Ensure your WordPress site is protected with comprehensive Security Audit and Prevention service. Leveraging years of expertise in WordPress security, I provide a thorough assessment and robust protection tailored to your site’s needs.

  • Expertise and Experience: Benefit from years of know-how in WordPress security.
  • All-In-One Solution: Consolidate your security needs with one comprehensive service.
  • Peace of Mind: Focus on growing your business while I handle your site’s security.

What is included

Our 49 security tests cover everything from hiding your website from prying eyes to addressing default settings that leave you vulnerable. We tackle major threats like SQL injection, cross-site scripting (XSS), and brute-force attacks, among others. These tests ensure that your site isn’t just safe, but fortified against the most common and dangerous cyber threats out there.

Security Audit and Prevention

$99

one time

Ensure your website’s safety with a thorough security audit and proactive measures.

Buy now

List of all 49 tests included

Click on the arrow to expand and read more about each task:

1. Check if WordPress core is up to date

Keeping WordPress core updated is crucial for site security. When vulnerabilities are discovered, updates are released to address them, and details about these vulnerabilities become public. This means older versions are more susceptible to attacks. Therefore, regularly updating WordPress is essential to protect your site from potential threats.

2. Check if automatic WordPress core updates are enabled

Unless you have a highly customized WordPress site that needs thorough testing for each update, we recommend enabling automatic minor core updates. These updates typically include crucial security fixes that do not significantly alter WordPress and should be applied immediately upon release to maintain your site’s security.

3. Check if plugins are up to date

Keeping your plugins up to date is crucial for site security. Since most plugins are freely available, their code can be easily accessed, making them vulnerable if not updated. For plugins from the official WordPress repository, you can check for updates in Dashboard -> Updates. For purchased plugins, follow the vendor’s instructions for manual updates. Always remember to back up your files and database before upgrading to avoid any potential data loss.

3. Check if plugins are up to date

Keeping your plugins up to date is crucial for site security. Since most plugins are freely available, their code can be easily accessed, making them vulnerable if not updated. For plugins from the official WordPress repository, you can check for updates in Dashboard -> Updates. For purchased plugins, follow the vendor’s instructions for manual updates. Always remember to back up your files and database before upgrading to avoid any potential data loss.

4. Check if there are deactivated plugins

If you’re not using a plugin, remove it from the WP plugins folder. Inactive plugins can still be exploited if they contain malicious code or vulnerabilities. Simply delete all inactive plugins from the plugins section in your dashboard, or log in via FTP and move them to a folder outside of /wp-content/plugins/. This ensures your site remains secure by minimizing potential attack vectors.

5. Check if active plugins have been updated in the last 12 months

Plugins that haven’t been updated in over a year can be a significant security risk, as they may contain unpatched vulnerabilities that hackers can exploit. It’s best to replace such plugins with well-maintained alternatives. If you rely heavily on an outdated plugin, consider contacting the developer to request an update or hire someone to maintain it for you. Always prioritize security by using plugins that receive regular updates.

6. Check if active plugins are compatible with your version of WP

Plugins that are incompatible with your WordPress version can cause issues such as site crashes or erratic behavior. Often, these incompatibilities stem from plugins that are outdated and haven’t been updated in years. It’s best to use plugins that are regularly tested with the latest WordPress version. If you encounter an incompatible plugin, look for a maintained alternative or contact the developer to request an update. Prioritize compatibility to ensure your site remains stable and secure.

7. Check if themes are up to date

Just like the WordPress core, keeping your themes up to date is essential for site security. Most themes are freely available, which means their code can be accessed by anyone. Updating to the latest version helps protect against known vulnerabilities and ensures compatibility with the latest WordPress version. Regular updates are an easy and effective way to maintain your site’s security and functionality.

8. Check if there are any deactivated themes

Just like with the WordPress core, keeping your themes up to date is crucial for site security. Most themes are free, and their code is publicly accessible, so updating to the latest version helps protect against known vulnerabilities. Additionally, it ensures compatibility with the latest WordPress version.

For themes from the official WP repository, check for updates in Appearance > Themes. For purchased themes, follow the vendor’s update instructions. Always remember to back up your files and database before upgrading to prevent data loss.

9. Check if full WordPress version info is revealed in page’s meta data

You should proudly power your site with WordPress, but avoid displaying the full WP version info in the default location (page header meta). Revealing this information makes it easier for attackers to find and exploit sites running specific WordPress versions. For better security, hide the version details to protect your site from potential threats.

10. Check if readme.html file is accessible via HTTP on the default location

As mentioned earlier, you should proudly power your site with WordPress but avoid displaying the exact version. The readme.html file contains version info and, if left in the default location, can expose your WP version to attackers. This issue is easy to fix: rename the file to something unique like “readme-212.html,” delete it, move it to another location, or change its permissions (CHMOD) to prevent access via HTTP. This simple step enhances your site’s security by obscuring critical version details.

11. Check the PHP version

Using an outdated PHP version makes your site slow and vulnerable to attacks due to known exploits in unsupported versions. Running anything older than PHP 5.6 is risky and should be avoided. Upgrade to PHP 7 or newer for better performance and security. If your hosting company can’t accommodate this, it’s time to find a more reliable host. Contact your hosting provider immediately and request an upgrade to PHP 7 to ensure your site remains fast and secure.

12. Check the MySQL version

Using an outdated version of MySQL makes your site slow and vulnerable to hacker attacks due to known vulnerabilities in unsupported versions. To ensure better performance and security, you should email your hosting company and request an upgrade to a newer version of MySQL. This will help protect your site from potential threats and improve its overall speed and reliability.

13. Check if server response headers contain detailed PHP version info

Just as it’s unwise to disclose your WordPress version, revealing the exact PHP version you’re using makes your site more vulnerable to attacks. Although this isn’t directly related to WordPress, it significantly impacts your site’s security. Avoid disclosing your PHP version to minimize the risk of targeted attacks.

14. Check if expose_php PHP directive is turned off

Disclosing the exact PHP version you’re using is unwise, as it makes your site an easier target for attackers. Hackers can exploit known vulnerabilities in specific PHP versions, putting your site at risk. By concealing your PHP version, you add an extra layer of security, making it more difficult for malicious actors to pinpoint and exploit potential weaknesses. Always ensure your PHP version is up to date and consider hiding version details to enhance your site’s overall security.

15. Check if user with username “admin” and administrator privileges exists

If someone attempts to guess your username and password or uses a brute-force attack, they’ll likely start with “admin” since it’s a common default. To enhance security, create a new user with the “administrator” role and avoid usernames like “root,” “god,” or “null.” Once the new user is set up, delete the “admin” account and reassign all its posts and pages to the new user. This reduces the risk of unauthorized access by making it harder for attackers to guess your credentials.

16. Check if “anyone can register” option is enabled

Unless you run a community-based site, this option should be disabled. Even limited backend access can provide attackers with enough leverage to exploit other security vulnerabilities. It’s essential to minimize any potential entry points to enhance overall site security.

17. Check user’s password strength with a brute-force attack

Using a dictionary of 600 commonly used passwords, WP ShieldMatrix performs a brute-force attack on your site’s user accounts. Accounts that fail this test are at serious risk, as they use easily guessable passwords like “12345,” “qwerty,” or “god.” Notify these users or change their passwords immediately to enhance site security.

18. Check for display of unnecessary information on failed login attempts

By default, WordPress indicates whether a username or password is incorrect on failed login attempts. This can help attackers identify valid usernames on your system, which they can then target with brute-force methods to crack the passwords. Disabling this feature prevents attackers from gaining valuable information about active usernames, making it harder for them to successfully breach your site. Implementing additional security measures like login attempt limits and CAPTCHA can further protect your site from brute-force attacks.

19. Check if database table prefix is the default one

Knowing the names of your database tables can help attackers extract sensitive data, such as password hashes. WordPress uses predefined table names, making it easier for attackers to guess them. To enhance security, use a unique table prefix instead of the default “wp_” or common variations like “wordpress_.” This simple change makes it significantly harder for attackers to guess your table names and access your database. By customizing your table prefix, you add an extra layer of protection to your site’s critical data.

20. Check if security keys and salts have proper values

Security keys are essential for encrypting information stored in user cookies and hashed passwords. They add random elements to your site’s encryption, making it significantly harder for hackers to crack. You don’t need to remember these keys; once set, you won’t see them again. Properly setting these security keys strengthens your site’s defenses and ensures better encryption, leaving no excuse for neglecting this important step. Implementing strong security keys is a simple yet powerful way to enhance your WordPress site’s security.

21. Check the age of security keys and salts

It is recommended to periodically change your security keys and salts to enhance site security. This process will invalidate all existing cookies, requiring all users to log in again. While it may seem like a minor inconvenience, this practice ensures that old or stolen cookies cannot be used to access your site. Regularly updating your security keys and salts significantly reduces the risk of unauthorized access, providing an extra layer of protection for your users and your website.

22. Test the strength of WordPress database password

There is no such thing as an “unimportant password,” and this includes your WordPress database password. Even if most servers are configured to block database access from outside the local network, it’s still crucial to use a strong password. Avoid simple passwords like “12345.” Instead, choose a complex password that is at least eight characters long and includes a combination of letters, numbers, and special characters. A strong password is a fundamental step in securing your database and protecting your site from unauthorized access.

23. Check if general debug mode is enabled

Enabling any debug mode or error reporting on a production site is highly discouraged. It not only slows down your site and confuses visitors with technical messages, but it also exposes critical information to potential attackers. This information can be used to exploit vulnerabilities in your system. Always ensure that debug and error reporting modes are disabled on your live site to maintain optimal performance and security.

24. Check if database debug mode is enabled

Enabling any debug mode or error reporting on a production server is highly discouraged. When modes like WP database debug mode are active, they can significantly slow down your site and confuse visitors with unexpected messages. More critically, they expose sensitive system information that attackers can exploit. This information can include database queries, file paths, and other details that can be leveraged to find vulnerabilities. Always ensure that debug and error reporting modes are disabled on your live site to maintain optimal performance and security, protecting both your site and your users.

25. Check if JavaScript debug mode is enabled

Enabling any kind of debug mode, such as WP JavaScript debug mode, or error reporting on a production server is highly detrimental. It can significantly slow down your site and confuse visitors with unexpected messages. More importantly, it provides potential attackers with valuable information about your system, such as code structure and vulnerabilities. To maintain optimal performance and security, always ensure that debug and error reporting modes are disabled on your live site.

26. Check if display_errors PHP directive is turned off

Displaying any kind of debug information or similar details on a live site is highly inadvisable. If any PHP errors occur, they should be logged securely rather than displayed to visitors or potential attackers. Publicly revealing such information can provide attackers with insights into your site’s structure and vulnerabilities, making it easier for them to exploit weaknesses. To ensure the security and integrity of your site, it is essential to configure error logging so that any issues are recorded in a safe location, inaccessible to unauthorized users.

27. Check if WordPress installation address is the same as the site address

Relocating WordPress core files to a non-standard directory can enhance your site’s security by making it less susceptible to automated attacks. Many scripts used by attackers rely on default file paths. For instance, if your site is hosted at www.site.com, consider placing WordPress files in a unique directory such as /var/www/vhosts/site.com/www/my-app/ instead of the typical /var/www/vhosts/site.com/www/. This simple change disrupts the assumptions made by malicious scripts, thereby reducing the risk of automated exploits targeting your site.

28. Check if wp-config.php file has the right permissions (chmod) set

The wp-config.php file contains critical information, including your database username and password, stored in plain text. It’s essential that this file remains inaccessible to anyone except you and WordPress (or the web server). Exposing this file to unauthorized access can compromise your entire site’s security, as it provides a gateway to your database and sensitive data. Ensure proper permissions and security measures are in place to protect wp-config.php, keeping it secure from potential attackers and maintaining the integrity of your site.

29. Check if install.php file is accessible via HTTP on the default location

The install.php file in WordPress has been linked to several security vulnerabilities in the past. After WordPress is installed, this file serves no purpose and should not remain in its default location where it can be accessed via HTTP. Keeping it accessible poses an unnecessary risk to your site. To enhance security, it is advisable to remove or relocate the install.php file immediately after installation, preventing potential attackers from exploiting any vulnerabilities associated with it.

30. Check if upgrade.php file is accessible via HTTP on the default location

There have been several security issues related to this file in the past. Additionally, allowing anyone to run database upgrade scripts without your knowledge is risky. While this file can be useful, it should not remain accessible in its default location. To maintain site security, it’s crucial to move or secure this file to prevent unauthorized access and potential exploitation.

31. Check if register_globals PHP directive is turned off

This is one of the most critical security issues you can encounter on your site! If your hosting provider has this directive enabled by default, it’s imperative to switch to a more secure hosting company immediately. The PHP manual provides detailed information on why this poses such a significant risk.

32. Check if PHP safe mode is disabled

PHP safe mode was designed to address shared-server security issues, but attempting to solve these problems at the PHP level is fundamentally flawed. Despite this, many ISPs have used safe mode due to limited realistic alternatives at the web server and OS levels. However, since PHP 5.3 (which is itself outdated), safe mode has been deprecated. If your hosting provider still relies on PHP safe mode, it may be time to consider switching to a more up-to-date and secure hosting service.

33. Check if allow_url_include PHP directive is turned off

Enabling this PHP directive will expose your site to cross-site scripting (XSS) attacks. There is absolutely no valid reason to have this directive enabled, as it leaves your site vulnerable. Additionally, using any PHP code that requires this directive is extremely risky and should be avoided to maintain the security of your site.

34. Check if plugins/themes file editor is enabled

The plugins and themes file editor is convenient for making quick changes without FTP. However, it poses a significant security risk. Not only does it expose PHP source code, but it also allows an attacker to inject malicious code if they gain admin access. For better security, it’s advisable to disable this feature and use more secure methods for file modifications.

35. Check if uploads folder is browsable by browsers

Allowing unrestricted access to your uploads folder means anyone can easily view and download all your uploaded files by simply pointing their browser to it. This presents both security and copyright issues, as it exposes sensitive files and potentially infringes on intellectual property rights.

36. Test if a user with ID “1” and administrator role exists

Although not technically a security issue, having a user with the ID 1, which is usually the admin, can sometimes aid an attacker.

37. Check if Windows Live Writer link is present in pages’ header data

If you’re not using Windows Live Writer, there’s no valid reason to include its link in your page header. This link indicates to everyone that you’re using WordPress, potentially exposing your site to targeted attacks.

38. Check if wp-config.php is present in the default location

If someone gains FTP access to your server, obfuscating your installation won’t completely protect you, but it can add an extra layer of difficulty for potential attackers.

39. Check if MySQL server is connectable from outside with the WP user

Since the MySQL username and password are stored in plain text in wp-config.php, it’s advisable to restrict access so that only connections from your server (localhost) are allowed. Allowing connections from any host can make certain attacks much easier. Limiting access to localhost enhances security by reducing the risk of unauthorized remote connections.

40. Check if EditURI link is present in pages’ header data

If you’re not using Really Simple Discovery services like pingbacks, there’s no need to advertise that endpoint link in your header. While this isn’t typically a security issue for most sites that want to be discovered, removing it can help conceal that you’re using WordPress, adding a layer of privacy.

41. Check if Timthumb script is used in the active theme

We don’t recommend using the Timthumb script for image manipulation. Besides its history of security issues, WordPress offers built-in functions for image manipulation that are more secure and efficient. It’s best to utilize these native functions to ensure better performance and security for your site.

42. Check if the server is vulnerable to the Shellshock bug #6271

Shellshock, also known as Bashdoor, refers to a family of security vulnerabilities in the Unix Bash shell. Web servers using Bash to process certain commands are susceptible, allowing attackers to exploit vulnerable versions of Bash to execute arbitrary commands. This can result in unauthorized access to the system. Although Shellshock is not directly related to WordPress, it poses a significant security threat. It’s crucial to address this vulnerability to protect your server and overall web environment. For more details, refer to security advisories and updates from your server provider.

43. Check if the server is vulnerable to the Shellshock bug #7169

Shellshock, also known as Bashdoor, is a series of security vulnerabilities in the widely used Unix Bash shell. Web servers that utilize Bash to process commands can be exploited by attackers who make vulnerable versions of Bash execute arbitrary commands. This allows attackers to gain unauthorized access to the system. While Shellshock is not directly related to WordPress, it poses a significant security risk for web servers. It’s important to address this vulnerability to protect your server. For more details, refer to security advisories from your server provider.

44. Check if admin interface is delivered via SSL

It’s important to run your entire site via HTTPS for enhanced security and improved search engine ranking. If you prefer not to secure the entire site, at least make the admin area secure. Some hosting companies charge high fees for SSL certificates, but you can obtain free ones from Let’s Encrypt. Even if you don’t have an SSL certificate, you might still be able to run the admin via HTTPS depending on your server configuration. However, obtaining a valid SSL certificate is the smarter and more secure option.

45. Check if the REST API links are shown in code

WordPress includes a powerful REST API system that provides access to various data in a structured format. However, it is recommended to disable these links from appearing in the header to enhance security and reduce exposure of your site’s information.

46. Check if MySQL account used by WordPress has too many permissions

If an attacker gains access to your wp-config.php file and obtains the MySQL username and password, they can log in to the database and perform any actions permitted by that account. Therefore, it’s crucial to limit the account’s privileges to the bare minimum. For example, if you’re not installing new plugins or updating WordPress, the account doesn’t need CREATE or DROP table privileges. Keeping permissions minimal helps mitigate potential damage from unauthorized access.

47. Check if server response headers contain X-Content-Type-Options

This ensures that a browser only loads external resources if the content type matches the expected type, preventing malicious code hidden in files. For example, if a page tries to load a .jpg file but the content is actually executable PHP code, this check would block it. This safeguard helps protect your site from hidden and unexpected threats.

48. Check if server response headers contain X-Frame-Options

The X-Frame-Options response header specifies whether a page can be displayed in an <iframe>, <frame>, or <object>. By setting this header, you can prevent clickjacking attacks by disallowing your content from being embedded on other websites. This enhances the security of your site by ensuring that your content is not misused or manipulated within other frames.

49. Check if server response headers contain Strict-Transport-Security

Instruct your web server to enforce HTTPS connections exclusively, blocking any insecure HTTP connections.

Get an all-round security system, minus the hassle.

Why Choose me and WP ShieldMatrix?

  • Expertise: Years of experience in WordPress security and optimization.
  • Personalized Service: I handle everything for you, providing tailored solutions.
  • Continuous Protection: Regular monitoring and updates keep your site secure.