Secure your WordPress with a security scanner plugin
Historically, WordPress has been blamed for many security breaches. Its track record is not great, but things have changed.
The real problem was never just that it had many flaws. When a flaw was discovered, bots were set up to exploit it within days, and even an unpopular blog was exposed if it was not updated in time.
Things are better now and you don't have to worry as much. But a blog is still not untouchable: even when nobody can take it over outright, an attacker may still get in with the right amount of work.
How? Brute-forcing passwords, hunting for flaws in individual plugins, trying one thing after another. How hard that is depends on the site, but a determined attacker may well find a way in.
Back in 2008 I did not use WordPress as a CMS. I had a separate website with good rankings in Google. I wanted a place to write articles, so I installed WordPress in a subdirectory. I didn't pay attention. I forgot to update and a flaw was discovered. Some bots inserted hidden spam links into my articles. I didn't notice until Google dropped my site.
At that point I started to investigate everything until I found the hidden links. It is hard to search for something while it is hidden. I was lucky because I have good “view source” skills.
WordPress now pays more attention to security. In addition, several plugins can help us see what we forgot to secure before launching the blog.
I use WP Security Scan. You can download it from here.
The plugin adds a menu at the bottom of your admin panel menu with several functions. The most important problems are listed in the initial scan of the WP Security admin tools.
It checks whether you are running the latest version. This is very important: flaws may be discovered at any time, and they are usually fixed quickly, but the fix only protects you once you install it. Update promptly.
The table prefix: attackers sometimes find MySQL-related flaws, but on their own those don't get them far. If they also know how your tables are named (every fresh install uses the default prefix wp_), they can do real damage, for example by finding a way to execute a PHP file that rewrites the content of your database. A custom prefix defeats automated scripts that hardcode the default table names. Treat it as a speed bump rather than a wall, though: an attacker with a working SQL injection can still look the real table names up in information_schema.
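Changing the prefix involves more than renaming tables, which is why a half-done change locks every user out (the symptom reported in the comments below). The following MySQL script is an added example, not code from the post or from the WP Security Scan plugin. It assumes the current prefix is the default wp_, that the new prefix x7q_ is an arbitrary illustrative choice, and the core table set of a WordPress 3.x install. Take a database backup first, and finish by setting the same prefix in wp-config.php.

```sql
-- Added example, not part of the original post or plugin.
-- Assumptions: old prefix 'wp_', new prefix 'x7q_' (illustrative), WordPress 3.x core tables.

-- 1. Rename the core tables. One RENAME TABLE statement renames the whole list atomically.
RENAME TABLE
  wp_commentmeta        TO x7q_commentmeta,
  wp_comments           TO x7q_comments,
  wp_links              TO x7q_links,
  wp_options            TO x7q_options,
  wp_postmeta           TO x7q_postmeta,
  wp_posts              TO x7q_posts,
  wp_terms              TO x7q_terms,
  wp_term_relationships TO x7q_term_relationships,
  wp_term_taxonomy      TO x7q_term_taxonomy,
  wp_usermeta           TO x7q_usermeta,
  wp_users              TO x7q_users;

-- 2. Rows whose *names* embed the prefix. WordPress looks these up as prefix + 'user_roles',
--    prefix + 'capabilities', and so on. If they keep the old prefix, every account ends up
--    with no role and the dashboard refuses to let anyone in.
UPDATE x7q_options
   SET option_name = 'x7q_user_roles'
 WHERE option_name = 'wp_user_roles';

-- wp_capabilities, wp_user_level, wp_user-settings, wp_user-settings-time, ...
-- (check the result if a plugin stores unrelated meta keys that happen to start with 'wp_')
UPDATE x7q_usermeta
   SET meta_key = CONCAT('x7q_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- 3. Verify that nothing with the old prefix is left. All three queries should return no rows.
SELECT table_name
  FROM information_schema.tables
 WHERE table_schema = DATABASE() AND table_name LIKE 'wp\_%';

SELECT option_name FROM x7q_options  WHERE option_name LIKE 'wp\_%';
SELECT meta_key    FROM x7q_usermeta WHERE meta_key    LIKE 'wp\_%';

-- 4. Not SQL, but the last step: in wp-config.php change
--    $table_prefix = 'wp_';   to   $table_prefix = 'x7q_';
```

RENAME TABLE is DDL and commits implicitly, so the script cannot be wrapped in a transaction; the backup is the rollback. Plugins that create their own tables with the prefix need the same treatment, which is one reason to choose the prefix at install time rather than change it later.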
Turn off WordPress error display. Error messages reveal full filesystem paths and therefore your directory structure, which is very bad. On a live site the WP_DEBUG setting in wp-config.php should be off.
The admin user. Attackers know this user is created by default and that many administrators keep it, so they can try to brute-force its password. Brute force means trying password after password until one matches. If they don't know the username they have to guess both, which makes the attack far harder. It is not impossible, though: the login page answers differently for an unknown username and for a wrong password, so a guessed username can be confirmed before the password attack even starts. Rename the account, and still give it a long, random password.
WP Security Scan also checks all your directories for appropriate permission settings (typically 755 for directories and 644 for files, with wp-config.php more restrictive).
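WordPress does not let you rename a user from the admin screens, so retiring the default admin login is usually done directly in the database. The script below is an added example rather than code from the post or the plugin; the new login ops_marta is an illustrative choice, and it assumes the default wp_ table prefix. It also lists every account that holds the administrator role, since a renamed admin is little help if a forgotten second administrator account still uses a weak password.

```sql
-- Added example, not part of the original post or plugin.
-- Assumptions: default 'wp_' prefix; 'ops_marta' / 'Marta' are illustrative names.

-- The login name is only one of three places the word 'admin' shows up:
-- user_nicename is the slug used in author archive URLs and display_name is printed
-- next to posts and comments, so change all three or the old name stays public.
UPDATE wp_users
   SET user_login    = 'ops_marta',
       user_nicename = 'ops-marta',
       display_name  = 'Marta'
 WHERE user_login = 'admin';

-- Verify: should return no rows.
SELECT ID, user_login FROM wp_users WHERE user_login = 'admin';

-- Audit: every account with the administrator role. Roles are stored as a serialized
-- PHP array in the prefix + 'capabilities' usermeta row, so a LIKE on the role name is enough.
SELECT u.ID, u.user_login, u.user_email
  FROM wp_users u
  JOIN wp_usermeta m ON m.user_id = u.ID
 WHERE m.meta_key = 'wp_capabilities'
   AND m.meta_value LIKE '%administrator%';
```

Users stay logged in through cookies tied to the login name, so the renamed administrator has to log in again after the change. Any account in the audit list that you do not recognise should be demoted or removed, not just renamed.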
Disclosure: Some of the links in this post are "affiliate links." This means if you click on the link and purchase the item, I will receive an affiliate commission.
April 10th, 2010 at 1:54 pm
Looks like a very useful plugin. I haven't tried it yet, but I can definitely use some more security measures for my blog. Thanks.
April 11th, 2010 at 6:50 pm
Although it cannot change things for you, it tells you the things that are obvious and that you should immediately change.
May 21st, 2010 at 5:34 am
Thanks for the advice! I changed my prefix with this plugin and now I can't log in anymore.
What should I do now? I want to change the prefix back, but that is not possible.
I shouldn't have used a plugin that is only tested up to WP 2.8.4.
So, Lucian, how can I fix this?
May 21st, 2010 at 7:13 am
This is probably happening because the table prefixes were changed but the plugin doesn't have permission to change the wp-config.php file where the table prefix is stored. You have to log in to your FTP and edit the wp-config.php file. Change the $table_prefix = 'wp_'; value to whatever you set for your table prefix.
December 1st, 2010 at 6:53 pm
[…] lose your password: if you lose the e-mail account associated with the WordPress URL, or if some hacker gets access through a badly coded plugin, […]