One of the best ways to keep your WordPress website secure is to check for potentially malicious code often on your website. Whenever you find any vulnerability, you can take immediate corrective actions before allowing anyone to exploit it and allegedly enter into your WordPress admin panel.
There is no wonder that hackers target WordPress websites hugely because it is the most popular CMS in the market. Out of the box, there are several ways to make your WordPress installation more secure. However, the harsh reality is only a fraction of sites actually follow them. This makes WordPress one of the easiest targets for hackers.
Recommended Reading: 17 ways to prevent WordPress hacking
In this post, let’s take a look at a few strategies to find vulnerabilities in your WordPress website. We’ll also look at various methods to fix WordPress vulnerabilities as well.
Finding WordPress vulnerabilities before installing a theme or plugin
If you’re looking for free WordPress themes to install on your WordPress website, it is always recommended to pick them from the official WordPress theme directory because the official directory ensures the security of your WordPress themes.
With that said, some legitimate theme developers and agencies prefer not listing their quality free themes in the official directory because the official directory guidelines restricts them to include many functionalities in their theme.
That means, when it comes to choosing a free WordPress theme, the official WordPress themes directory is not the only show in the town. Having said that, when you’re picking a theme outside the official directory, you need to have an extra dose of responsibility in terms of theme assessment.
Below are a few methods to check the authenticity of your WordPress theme and make sure it is secure from potentially malicious codes and WordPress vulnerabilities.
Online malware checker: Upload your free theme to a free scanning site like VirusTotal.com. The best thing is it will get a red signal in the case that any file is infected. If the theme is secure you can proceed with installing it on your WordPress website.
Otherwise, you’ll have to fix it before installing. Or even better, just abandon it and going for a different one altogether.
Finding WordPress vulnerabilities after theme installation
You might have already installed many themes on your WordPress website. If that’s the case, how would you check the authenticity of the installed themes? A few methods are listed below
Theme Authenticity Check
Simply install the Theme Authenticity Check plugin on your website. This is a free plugin that allows you to scan the theme files to find if there’s any vulnerability. If potentially malicious codes are found in an installed theme, the plugin will tell you the patch, the line number and displays the suspected code, which will help you take preventive actions easily. This plugin is handy to check whether the installed theme has had any encoded script slipped in it.
Download TAC plugin
Exploit Scanner is another free plugin, which offers more robust features than TAC. The best thing is that exploit scanner plugin helps you check the database of your WordPress installation besides the theme files.
Please note that these plugins will only show you the vulnerability and it is up to you to decide what preventive measures you should take in order to eradicate the WordPress vulnerability.
If you’re looking for a premium solution to monitor vulnerabilities of your WordPress website, you should look nowhere else than Hackalert monitoring. Hackalert monitoring is a service offered by Siteground where this site is hosted.
Hackalert ensures the security of your WordPress websites by sending an email alert whenever it finds potentially malicious code. In addition, you will be updated with a weekly email with the status of the hackalert monitoring of your website.
To know more about Hackalert monitoring service, read the post why Hackalert monitoring is awesome- 5 reasons.
So far, we’ve looked at different ways to find potential vulnerabilities in your WordPress website.
Of course, it is always better to add an additional shield of security for your WordPress website to prevent it from hacking.
WordPress is well-known for its large community of developers who want to make WordPress one of the most secure CMSes out there.
However, as a website owner, you’ll need to take some basic measures to prevent alleged entry to your dashboard.
Let’s look at some strategies to fix the vulnerabilities of your WordPress website.
Don’t use the ‘admin’ username
As the old version of WordPress creates a default user with the username ‘admin’, many hackers assume that people are still using the same username, which encourages those bad guys to try with different passwords to easily access your WordPress backend. If you’re the one who still uses your username as admin, make a new account on your WordPress site and transfer the ownership of all posts to the new account. Make sure the role of new user is administrator.
Once it is done, you can either delete the user account with the username admin or change its role to subscriber.
While creating a password, the goal is to make it tougher for others to guess it. You can find lots of different password generator tools around the web.
If yours is a community site with multiple authors, it is better to install Simple User Password Generator plugin on your WordPress site, which helps you generate stronger password while creating a new user. All you need to do is clicking the generate password button just below the password field. See the screenshot below
Set a custom login URL for WordPress
During WordPress installation, WordPress creates two login URLs by default. They are
The problem with using the default login URL is that anyone can login to your WordPress dashboard once they find (or makes the right guess) the username and password. By customizing the URL of your login page, you’re stepping towards better security for your WordPress website and making it harder for bad guys to break it.
How would you change the login URL of your WordPress website?
Simply install Custom Login URL plugin and customize the URL by navigating to
Settings>>Permalinks and changing them according to your need.
Limit the number of login attempts
So you’ve customized the login URL of your WordPress website for better security. But what if the bad guys discovered the actual login URL? Then, how can you prevent attempted entries to your website?
In such case, one of the best methods is to limit the number of login attempts. By default, hackers can try as many as passwords to enter into your website as they want; by limiting the login attempts, you’re blocking this possibility of brute force attacks to your website.
Install Login LockDown plugin, so you can restrict the attempts a user can make to enter into the dashboard. Once the plugin is activated, navigate to Settings>> WP Limit Login and limit the login attempt by entering the maximum login entries. With this plugin, you can also block certain IP addresses to visit your website for certain periods.
Disable directory browsing
By default when your visitor navigates to a page and the web server can’t find an index file for it, automatically it displays a page and shows the contents of the directory. The problem with this is that anyone can navigate into those directories, which can be vulnerable for your site and a hacker could exploit it easily to take your site down.
For instance, some WordPress directories contain sensitive data such as wp-content or wp-includes. By allowing hackers to navigate through these folders, hackers could find potential exploits in it.
So it is important for your website’s security to disable directory browsing.
How would you disable directory browsing on your WordPress website?
The only thing you need to do is to add the code below at the bottom of the .htaccess file of your WordPress website.
Note: Make sure you take a backup of your website before making any changes to it. .htaccess is a hidden file, and if you cannot find it on your server, you need to make sure that you have enabled your FTP client to show hidden files.
Recommended reading: Native vs. Plugin- Tacking WordPress backups with different methods
Once you disable directory browsing, all those directories that were previously visible will start showing a ‘404 Not Found’ page or ‘403 Access Forbidden’ message.
No software is perfect when it comes to security. That’s true even for WordPress, so make sure you update the WordPress core software whenever there releases the new version. If you didn’t enable updating your WordPress core software automatically, make sure to enable it. Despite the security benefits automatic updates can offer, there is a slight chance that it can break your website.
If you have any questions, ask below in the comments section, and we’ll do our level best to help you out.