One of the best ways to keep your WordPress website secure is to check for potentially malicious code often on your website. Whenever you find any vulnerability, you can take immediate corrective actions before allowing anyone to exploit it and allegedly enter into your WordPress admin panel.

There is no wonder that hackers target WordPress websites hugely because it is the most popular CMS in the market. Out of the box, there are several ways to make your WordPress installation more secure. However, the harsh reality is only a fraction of sites follow them. This makes WordPress one of the easiest targets for hackers.


Recommended Reading: 17 ways to prevent WordPress hacking

In this post, let’s take a look at a few strategies to find vulnerabilities in your WordPress website. We’ll also look at various methods to fix WordPress vulnerabilities as well.

Finding WordPress vulnerabilities before installing a theme or plugin

If you’re looking for free WordPress themes to install on your WordPress website, it is always recommended to pick them from the official WordPress theme directory because the official directory ensures the security of your WordPress themes.

With that said, some legitimate theme developers and agencies prefer not listing their quality free themes in the official directory because the official directory guidelines restrict them to include many functionalities in their theme.

That means, when it comes to choosing a free WordPress theme, the official WordPress themes directory is not the only show in the town. Having said that, when you’re picking a theme outside the official directory, you need to have an extra dose of responsibility in terms of theme assessment.

Below are a few methods to check the authenticity of your WordPress theme and make sure it is secure from potentially malicious codes and WordPress vulnerabilities.

Online malware checker: Upload your free theme to a free scanning site like The best thing is it will get a red signal in the case that any file is infected. If the theme is secure you can proceed with installing it on your WordPress website.



Otherwise, you’ll have to fix it before installing it. Or even better, just abandon it and going for a different one altogether.

Finding WordPress vulnerabilities after theme installation

You might have already installed many themes on your WordPress website. If that’s the case, how would you check the authenticity of the installed themes?  A few methods are listed below

Theme Authenticity Check


Simply install the Theme Authenticity Check plugin on your website. This is a free plugin that allows you to scan the theme files to find if there’s any vulnerability. If potentially malicious codes are found in an installed theme, the plugin will tell you the patch, the line number and displays the suspected code, which will help you take preventive actions easily. This plugin is handy to check whether the installed theme has had any encoded script slipped in it.

Download TAC plugin

Exploit Scanner

exploit scanner

Exploit Scanner is another free plugin, which offers more robust features than TAC. The best thing is that the exploit scanner plugin helps you check the database of your WordPress installation besides the theme files.

Please note that these plugins will only show you the vulnerability and it is up to you to decide what preventive measures you should take to eradicate the WordPress vulnerability.

Download Exploit Scanner

Hackalert monitoring

If you’re looking for a premium solution to monitor vulnerabilities of your WordPress website, you should look nowhere else than Hackalert monitoring. Hackalert monitoring is a service offered by Siteground where this site is hosted.

Hackalert ensures the security of your WordPress websites by sending an email alert whenever it finds potentially malicious code. Also, you will be updated with a weekly email with the status of the hackalert monitoring of your website.

To know more about the Hackalert monitoring service, read the post why Hackalert monitoring is awesome- 5 reasons.

So far, we’ve looked at different ways to find potential vulnerabilities in your WordPress website.

Of course, it is always better to add an additional shield of security for your WordPress website to prevent it from hacking.

WordPress is well-known for its large community of developers who want to make WordPress one of the most secure CMSes out there.

However, as a website owner, you’ll need to take some basic measures to prevent alleged entry to your dashboard.

Let’s look at some strategies to fix the vulnerabilities of your WordPress website.

Don’t use the ‘admin’ username

As the old version of WordPress creates a default user with the username ‘admin’, many hackers assume that people are still using the same username, which encourages those bad guys to try with different passwords to easily access your WordPress backend. If you’re the one who still uses your username as admin, make a new account on your WordPress site and transfer the ownership of all posts to the new account. Make sure the role of the new user is an administrator.

Once it is done, you can either delete the user account with the username admin or change its role to subscriber.

Tough passwords

While creating a password, the goal is to make it tougher for others to guess it. You can find lots of different password generator tools around the web.

If yours is a community site with multiple authors, it is better to install Simple User Password Generator plugin on your WordPress site, which helps you generate a stronger password while creating a new user. All you need to do is clicking the generate password button just below the password field. See the screenshot below

generate strong password

Set a custom login URL for WordPress

During WordPress installation, WordPress creates two login URLs by default. They are

  • wp-login.php
  • wp-admin.php

The problem with using the default login URL is that anyone can log in to your WordPress dashboard once they find (or makes the right guess) the username and password. By customizing the URL of your login page, you’re stepping towards better security for your WordPress website and making it harder for bad guys to break it.

How would you change the login URL of your WordPress website?

Simply install the Custom Login URL plugin and customize the URL by navigating to

Settings>>Permalinks and changing them according to your needs.

custom login url

Limit the number of login attempts

So you’ve customized the login URL of your WordPress website for better security. But what if the bad guys discovered the actual login URL? Then, how can you prevent attempted entries to your website?

In such a case, one of the best methods is to limit the number of login attempts. By default, hackers can try as many as passwords to enter into your website as they want; by limiting the login attempts, you’re blocking this possibility of brute force attacks to your website.

Install Login LockDown plugin, so you can restrict the attempts a user can make to enter into the dashboard. Once the plugin is activated, navigate to Settings>> WP Limit Login and limit the login attempt by entering the maximum login entries. With this plugin, you can also block certain IP addresses to visit your website for certain periods.

loginlockdown settings

Disable directory browsing

By default when your visitor navigates to a page and the webserver can’t find an index file for it, automatically it displays a page and shows the contents of the directory. The problem with this is that anyone can navigate into those directories, which can be vulnerable for your site and a hacker could exploit it easily to take your site down.

directory index wp

For instance, some WordPress directories contain sensitive data such as wp-content or wp-includes. By allowing hackers to navigate through these folders, hackers could find potential exploits in it.

So it is important for your website’s security to disable directory browsing.

How would you disable directory browsing on your WordPress website?

The only thing you need to do is to add the code below at the bottom of the .htaccess file of your WordPress website.

Options -Indexes

Note: Make sure you take a backup of your website before making any changes to it. .htaccess is a hidden file, and if you cannot find it on your server, you need to make sure that you have enabled your FTP client to show hidden files.

Recommended reading: Native vs. Plugin- Tacking WordPress backups with different methods

Once you disable directory browsing, all those directories that were previously visible will start showing a ‘404 Not Found’ page or ‘403 Access Forbidden’ message.

Download the list of 101 WordPress tricks every blogger should know

101 WordPress tricks

Click here to Download Now


No software is perfect when it comes to security. That’s true even for WordPress, so make sure you update the WordPress core software whenever there releases the new version. If you didn’t enable updating your WordPress core software automatically, make sure to enable it. Despite the security benefits automatic updates can offer, there is a slight chance that it can break your website.

Need help getting your WordPress fixed and cleaned? Try these top-rated affordable gigs on Fiverr!

fiverr logo


Click here to find experts on WordPress speed optimization.

Click here to create a full WordPress website.

If you have any questions, ask below in the comments section, and we’ll do our level best to help you out.

About the Author
Shahzad Saeed
Author: Shahzad SaeedWebsite:
Shahzaad Saaed has been featured in a large number of authority websites, as a WordPress expert. He specializes in content marketing to help business grow their traffic.

One more thing... Did you know that people who share useful stuff like this post look AWESOME too? ;-)
Please leave a useful comment with your thoughts, then share this on your Facebook group(s) who would find this useful and let's reap the benefits together. Thank you for sharing and being nice!

Disclosure: This page may contain links to external sites for products which we love and wholeheartedly recommend. If you buy products we suggest, we may earn a referral fee. Such fees do not influence our recommendations and we do not accept payments for positive reviews.

Featured On

Inc Magazine Logo  

Sitepoint logo  

CSS Tricks logo   

webdesignerdepot logo   WPMU DEV logo   

and many more!



Get Started Now With ShutterstockShutterstock

Best Rated Caching Plugin

Make your website faster 

How to make your website FAST!

Step-by-step - free email course, how to make your website load in less than 1 second  

who are we?

CollectiveRay is run by David Attard - working in and around the web design niche for more than 12 years, we provide actionable tips for people who work with and on websites. We also run - a website for drone hobbyists.

David attard