One of the best ways to keep your WordPress website secure is to check your website for potentially malicious code often. Whenever you find a vulnerability, you can take corrective action immediately, before anyone exploits it to gain unauthorized access to your WordPress admin panel.

It is no wonder that hackers target WordPress websites so heavily: it is the most popular CMS on the market. Out of the box, there are several ways to make your WordPress installation more secure. The harsh reality, however, is that only a fraction of sites actually follow them, which makes WordPress one of the easiest targets for hackers.

 

Recommended Reading: 17 ways to prevent WordPress hacking

In this post, let’s take a look at a few strategies to find vulnerabilities in your WordPress website, and then at various methods to fix them.

Finding WordPress vulnerabilities before installing a theme or plugin

If you’re looking for free WordPress themes to install on your WordPress website, it is always recommended to pick them from the official WordPress theme directory, because themes listed there are reviewed before they are published.

With that said, some legitimate theme developers and agencies prefer not to list their quality free themes in the official directory, because the directory guidelines restrict the functionality a theme is allowed to include.

That means that when it comes to choosing a free WordPress theme, the official WordPress theme directory is not the only show in town. Having said that, when you pick a theme from outside the official directory, you need to take extra care in assessing it.

Below are a few methods to check the authenticity of your WordPress theme and make sure it is free of potentially malicious code and WordPress vulnerabilities.

Online malware checker: Upload the free theme to a free scanning site like VirusTotal.com. The best thing is that it flags the upload if any file in it is detected as infected. If the scan comes back clean (bearing in mind that scanners only catch what they already recognise), you can proceed with installing the theme on your WordPress website.

Otherwise, you’ll have to fix it before installing. Or, better still, abandon it and go for a different theme altogether.

Finding WordPress vulnerabilities after theme installation

You might have already installed many themes on your WordPress website. If that’s the case, how would you check the authenticity of the installed themes? A few methods are listed below.

Theme Authenticity Check


Simply install the Theme Authenticity Check plugin on your website. This is a free plugin that scans the theme files for signs of malicious code. If potentially malicious code is found in an installed theme, the plugin tells you the path and the line number and displays the suspected code, which helps you take preventive action easily. This plugin is handy for checking whether an installed theme has had an encoded script slipped into it.

Download TAC plugin

Exploit Scanner


Exploit Scanner is another free plugin, and it offers more robust features than TAC. The best thing is that Exploit Scanner checks the database of your WordPress installation as well as the theme files.

Please note that these plugins only report the suspicious code; it is up to you to decide what preventive measures to take in order to eradicate the WordPress vulnerability.

Download Exploit Scanner
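To show what a scanner like TAC or Exploit Scanner does under the hood, here is an added example (not code from the post or from either plugin) that walks a theme directory, flags the encoded and obfuscated PHP constructs these tools look for, and reports path, line number and the suspected line. The theme files it scans are constructed inline; the pattern list is an assumption and every hit is a lead for manual review, not proof of compromise.

```python
import re
import tempfile
from pathlib import Path

# Constructs that commonly indicate encoded or obfuscated code hidden in a theme.
# Assumed pattern list; a hit means "look at this", not "this is malware".
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate/str_rot13": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    "long_hex_escape": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
    "shell_from_request": re.compile(r"\b(system|exec|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST)"),
}

def scan_theme(theme_dir):
    """Return (relative path, line number, pattern name, snippet) for every hit."""
    hits = []
    theme_dir = Path(theme_dir)
    for path in sorted(theme_dir.rglob("*.php")):
        lines = path.read_text(errors="replace").splitlines()
        for line_no, line in enumerate(lines, 1):
            for name, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(line):
                    hits.append((str(path.relative_to(theme_dir)), line_no, name, line.strip()[:80]))
    return hits

# Constructed sample theme: one clean file and one with an injected payload.
SAMPLE_FILES = {
    "functions.php": "<?php\nadd_action('wp_head', 'my_theme_head');\n"
                     "function my_theme_head() { echo '<meta name=\"generator\" content=\"x\">'; }\n",
    "footer.php": "<?php\nwp_footer();\n$a = base64_decode('ZWNobyAxOw==');\neval($a);\n?>\n",
}

def build_sample_theme():
    """Write the constructed files to a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp())
    for name, content in SAMPLE_FILES.items():
        (root / name).write_text(content)
    return root

if __name__ == "__main__":
    for path, line_no, name, snippet in scan_theme(build_sample_theme()):
        print(f"{path}:{line_no} [{name}] {snippet}")
```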

Hackalert monitoring

If you’re looking for a premium solution to monitor your WordPress website for vulnerabilities, look no further than Hackalert monitoring. Hackalert monitoring is a service offered by Siteground, where this site is hosted.

Hackalert helps keep your WordPress websites secure by sending an email alert whenever it finds potentially malicious code. In addition, you receive a weekly email with the status of the Hackalert monitoring of your website.

To know more about Hackalert monitoring service, read the post why Hackalert monitoring is awesome- 5 reasons.

So far, we’ve looked at different ways to find potential vulnerabilities in your WordPress website.

Of course, it is always better to add an additional layer of security to your WordPress website to protect it from being hacked.

WordPress is well-known for its large community of developers who want to make WordPress one of the most secure CMSes out there.

However, as a website owner, you’ll need to take some basic measures to prevent unauthorized access to your dashboard.

Let’s look at some strategies to fix the vulnerabilities of your WordPress website.

Don’t use the ‘admin’ username

Older versions of WordPress created a default user with the username ‘admin’, so many hackers assume that people are still using that username, which encourages them to try different passwords against it to get into your WordPress backend. If you still use ‘admin’ as your username, make a new account on your WordPress site and transfer the ownership of all posts to the new account. Make sure the role of the new user is Administrator.

Once that is done, you can either delete the user account with the username ‘admin’ or change its role to Subscriber.

Tough passwords

While creating a password, the goal is to make it tougher for others to guess it. You can find lots of different password generator tools around the web.

If yours is a community site with multiple authors, it is better to install the Simple User Password Generator plugin on your WordPress site, which generates a stronger password for you when you create a new user. All you need to do is click the generate password button just below the password field. See the screenshot below.

generate strong password

Set a custom login URL for WordPress

During WordPress installation, WordPress creates two login URLs by default. They are

  • wp-login.php
  • wp-admin.php

The problem with using the default login URL is that anyone can log in to your WordPress dashboard once they find (or correctly guess) the username and password. By customizing the URL of your login page, you take a step towards better security for your WordPress website and make it harder for the bad guys to break in.

How would you change the login URL of your WordPress website?

Simply install the Custom Login URL plugin and customize the URL by navigating to Settings>>Permalinks and changing it according to your needs.


Limit the number of login attempts

So you’ve customized the login URL of your WordPress website for better security. But what if the bad guys discover the actual login URL? How can you then prevent attempted entries to your website?

In that case, one of the best methods is to limit the number of login attempts. By default, hackers can try as many passwords as they want to get into your website; by limiting login attempts, you block this avenue for brute force attacks against your website.

Install the Login LockDown plugin to restrict the number of attempts a user can make to get into the dashboard. Once the plugin is activated, navigate to Settings>> WP Limit Login and set the maximum number of login attempts allowed. With this plugin, you can also block certain IP addresses from visiting your website for a set period.
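A plugin that limits login attempts is the mitigation; the matching detection is spotting the brute force in your web server logs. The added example below (not code from the post or from the Login LockDown plugin) counts failed POSTs to wp-login.php per IP address over a sliding window and reports the addresses that exceed a threshold. It assumes Apache’s “combined” log format, relies on WordPress answering a failed login with the form again (HTTP 200) and a successful one with a redirect (302), and the threshold, window and log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "method": m["method"], "path": m["path"].split("?")[0], "status": int(m["status"])}

def find_bruteforce(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: total failed attempts} for IPs with more than max_failures
    failed logins inside any window. A failed WordPress login re-renders
    wp-login.php with status 200; a successful one redirects with 302."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"].endswith("/wp-login.php") and ev["status"] == 200:
            failures[ev["ip"]].append(ev["ts"])
    offenders = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > max_failures:
                offenders[ip] = len(stamps)
                break
    return offenders

# Constructed sample log: one address hammering the login form, one legitimate user.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:08:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "curl/7.88"'
    for s in range(0, 60, 5)
] + [
    '198.51.100.4 - - [10/Mar/2024:08:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:08:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:08:01:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 9012 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins to wp-login.php, consider blocking")
```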


Disable directory browsing

By default, when a visitor requests a directory that has no index file, the web server automatically generates a page listing the contents of that directory. The problem with this is that anyone can then browse those directories, which exposes your site and could make it easy for a hacker to take it down.


For instance, WordPress directories such as wp-content and wp-includes contain sensitive files. If hackers can browse through these folders, they can look for potentially exploitable files in them.

So it is important for your website’s security to disable directory browsing.

How would you disable directory browsing on your WordPress website?

The only thing you need to do is add the line below at the bottom of the .htaccess file of your WordPress website (this applies to Apache; Nginx does not read .htaccess files, so there the equivalent setting goes in the server configuration).

Options -Indexes

Note: Make sure you take a backup of your website before making any changes to it. .htaccess is a hidden file, so if you cannot find it on your server, enable the option to show hidden files in your FTP client.

Recommended reading: Native vs. Plugin- Tackling WordPress backups with different methods

Once you disable directory browsing, all the directories that were previously browsable will show a ‘404 Not Found’ page or a ‘403 Access Forbidden’ message instead.


Conclusion

No software is perfect when it comes to security. That’s true even for WordPress, so make sure you update the WordPress core software whenever a new version is released. If you haven’t enabled automatic updates for the WordPress core software, make sure you enable them. Despite the security benefits automatic updates offer, there is a slight chance that an update can break your website, which is another reason to keep backups.

If you have any questions, ask below in the comments section, and we’ll do our level best to help you out.
