Details

  • Parent check: Wordpress Scanner
  • Membership required: Yes
  • Proof of ownership required: No
  • Estimated time (seconds): 300

Full Wordpress Scanner Detail

Did you know that WordPress is both the most widely used content management system in the world (about 36% of all websites) and the most frequently hacked one? You don't need to worry: you can scan your WordPress website with our online tool to reduce the risk of being hacked.

WordPress Security Scan

WordPress is a content management system. Thanks to its simple installation, the one-click set-up offered by many hosting providers, its open-source code, thousands of themes and plugins, support for many file types and a large body of online documentation, it is used by a great many people, from individual bloggers to corporate firms.

WordPress's popularity has made it a focal point for attackers, who work hard to exploit WordPress vulnerabilities. One common tactic is to take paid ("nulled") plugins and themes, plant a backdoor in them and offer them to users for free. Any website built with such a theme or plugin can then be compromised with little effort.

The main reasons a WordPress site gets compromised are:

  1. Not running the latest WordPress version
  2. Running outdated plugins
  3. Installing plugins from untrusted sources
  4. Using untrusted themes
  5. Weak passwords for the WordPress admin panel
  6. Shared hosting services
  7. Database configuration errors

Two of these deserve special attention because they cannot be checked remotely without information from you. The first is the risk of shared hosting. A shared hosting service hosts many customers' websites on one server. If you could move one directory up from the folder that holds your website's files, you would see the folders of every other website on the server; a correctly configured server prevents exactly that. If the server is misconfigured, compromising one website on it can lead to compromising all the others. Remember: in cyber security you are only as safe as the weakest link.

The second is database configuration. Be careful if the database server holds data other than your website's (which is the case for most shared database servers). If credentials with read access to your database are compromised, whether the root account or another website's user that was granted broader privileges than it needs, your website's database is compromised too. Give each site its own database user with privileges on that site's database only.

Having covered these two important attack vectors that we cannot check remotely, let's look at what we can do and what we recommend.


How can you ensure the security of a WordPress website?

You can use our free online WordPress Vulnerability Control tool to check your WordPress site for known weaknesses. To do this, type your domain name into the form at the top of the page and start the scan.

Alternatively, you can check your site remotely with open-source tools such as wpscan or CMSScan. These tools produce a report of what an attacker probing your website from the outside would learn, for example:

wpscan --url https://securityforeveryone.com

[+] URL: https://securityforeveryone.com/ [127.0.0.1]
[+] Started: Sun Jun  7 18:34:17 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: nginx
 |  - X-Powered-By: PHP/5.4.45
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://securityforeveryone.com/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] https://securityforeveryone.com/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://securityforeveryone.com/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 2.3.3 identified (Insecure, released on 2008-02-05).
 | Found By: Rss Generator (Passive Detection)
 |  - https://securityforeveryone.com/?feed=rss2, 
 |  - https://securityforeveryone.com/?feed=rss2, http://wordpress.org/?v=2.3.3

[+] WordPress theme in use: theme212
 | Location: https://securityforeveryone.com/wp-content/themes/theme212/
 | Style URL: https://securityforeveryone.com/wp-content/themes/theme212/style.css
 | Style Name: WordPress theme 212
 | Style URI: http://wordpress.org/
 | Description: A theme from Template-Help.com Collection...
 | Author: Template_Help.com
 | Author URI: http://www.Template-Help.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://securityforeveryone.com/wp-content/themes/theme212/style.css, Match: 'Version: 2.0'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-gbcf
 | Location: https://securityforeveryone.com/wp-content/plugins/wp-gbcf/
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | The version could not be determined.
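The findings in the report above all come from passive detection: the scanner reads response headers, the RSS feed's generator element, the theme's style.css URL and plugin URLs referenced by the homepage. The script below is an added example, not code from the page or from wpscan, that reimplements those checks so you can see exactly which artefacts give your site away. It runs offline against constructed sample responses; the host example.invalid, the sample markup and the function names are assumptions for illustration.

```php
<?php
// Added example (not wpscan's code): minimal passive WordPress fingerprinting
// over constructed sample responses. Requires PHP 7.1 or newer.

// --- Constructed samples standing in for "/", "/?feed=rss2" and the response headers ---
$sampleHeaders = array(
    'Server'       => 'nginx',
    'X-Powered-By' => 'PHP/5.4.45',
    'X-Pingback'   => 'https://example.invalid/xmlrpc.php',
);
$sampleHtml = <<<'HTML'
<html><head>
<meta name="generator" content="WordPress 5.4.1" />
<link rel="stylesheet" href="https://example.invalid/wp-content/themes/theme212/style.css?ver=2.0">
<link rel="pingback" href="https://example.invalid/xmlrpc.php">
<script src="https://example.invalid/wp-content/plugins/wp-gbcf/js/form.js?ver=1.2"></script>
<script src="https://example.invalid/wp-content/plugins/wp-gbcf/js/extra.js?ver=1.2"></script>
</head><body></body></html>
HTML;
$sampleRss = '<rss><channel><generator>https://wordpress.org/?v=5.4.1</generator></channel></rss>';

// Version leak 1: the <meta name="generator"> tag that wp_head() prints.
function versionFromGeneratorMeta(string $html): ?string
{
    return preg_match('/<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"/i', $html, $m) ? $m[1] : null;
}

// Version leak 2: the <generator> element of the RSS feed (what wpscan calls "Rss Generator").
function versionFromRss(string $xml): ?string
{
    return preg_match('#<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>#i', $xml, $m) ? $m[1] : null;
}

// Theme slug from any /wp-content/themes/<slug>/ URL on the page (e.g. the style.css link).
function themeFromHtml(string $html): ?string
{
    return preg_match('#/wp-content/themes/([\w-]+)/#', $html, $m) ? $m[1] : null;
}

// Plugin slugs from /wp-content/plugins/<slug>/ URLs, deduplicated ("Urls In Homepage").
function pluginsFromHtml(string $html): array
{
    preg_match_all('#/wp-content/plugins/([\w-]+)/#', $html, $m);
    return array_values(array_unique($m[1]));
}

// Headers that disclose the stack or confirm XML-RPC.
function interestingHeaders(array $headers): array
{
    $watch = array('server', 'x-powered-by', 'x-pingback');
    $found = array();
    foreach ($headers as $name => $value) {
        if (in_array(strtolower($name), $watch, true)) {
            $found[$name] = $value;
        }
    }
    return $found;
}

// XML-RPC is hinted at if the pingback <link> tag or the X-Pingback header points at xmlrpc.php.
function xmlrpcHinted(string $html, array $headers): bool
{
    if (preg_match('#<link\s+rel="pingback"\s+href="[^"]*xmlrpc\.php"#i', $html)) {
        return true;
    }
    foreach ($headers as $name => $value) {
        if (strtolower($name) === 'x-pingback' && stripos($value, 'xmlrpc.php') !== false) {
            return true;
        }
    }
    return false;
}

// --- Report in the style of the wpscan output above ---
$version = versionFromGeneratorMeta($sampleHtml) ?? versionFromRss($sampleRss);
printf("[+] WordPress version: %s\n", $version ?? 'not disclosed');
printf("[+] Theme in use: %s\n", themeFromHtml($sampleHtml) ?? 'unknown');
printf("[+] Plugins: %s\n", implode(', ', pluginsFromHtml($sampleHtml)) ?: 'none found');
printf("[+] XML-RPC hinted: %s\n", xmlrpcHinted($sampleHtml, $sampleHeaders) ? 'yes' : 'no');
foreach (interestingHeaders($sampleHeaders) as $name => $value) {
    printf("[+] Header %s: %s\n", $name, $value);
}
```

Run it with `php fingerprint.php`. On the constructed sample it reports version 5.4.1, theme theme212, the single plugin wp-gbcf and an XML-RPC hint from both the link tag and the header. Every one of these signals is something you control: the generator tag and feed generator can be removed, the X-Pingback header disappears when XML-RPC is disabled, and plugin and theme slugs in URLs can only be hidden by removing unused components, which is why the recommendations below matter more than hiding the version string.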

Some Advice for Common Problems

Besides remote scanners, you can check your security from inside the site by installing a WordPress security plugin. The most popular ones are:

  1. WordFence Security
  2. BulletProof Security
  3. Sucuri Security
  4. iThemes Security
  5. All In One WP Security & Firewall
  6. GOTMLS / Antimalware and Brute-Force Firewall
  7. Shield Security
  8. WP fail2ban

Be careful about the following items to have a secure WordPress:

  1. Use the latest version of WordPress and keep automatic updates enabled.
  2. Where possible, allow access to the admin panel only from specific IP addresses (and, if practical, only at specific times). Replace the default admin username and any simple password; every user must have a strong password. Enable two-factor authentication for the admin panel.
  3. Disable debug mode by adding the following line to the wp-config.php file:
     define( 'WP_DEBUG', false );
  4. Never use plugins or themes downloaded from untrusted sources. They may contain malware or black-hat SEO links.
  5. Back up your WordPress website regularly so that you can recover from a takeover or a ransomware attack.
  6. Theme and plugin files can be edited from the code editor in the admin panel, so an attacker who gets into the panel can inject PHP and compromise the server. Disable the editor by adding the following line to the wp-config.php file:
     define( 'DISALLOW_FILE_EDIT', true );
  7. Uninstall unused themes and plugins.
  8. Because WordPress is open source, attackers know by default where important files such as wp-config.php live. Deny direct HTTP access to wp-config.php in the web server configuration (for example with .htaccess on Apache) or move it one directory above the web root, which WordPress supports. Note that .htaccess rules block access; they cannot encrypt the file.
  9. Protect the plugin directory against directory listing so that attackers cannot enumerate installed (and possibly vulnerable) plugins from the listing.
  10. Restrict the WordPress REST API and disable XML-RPC unless you need them (some plugins, such as Jetpack, rely on XML-RPC).
  11. To disable XML-RPC, add the following code to your theme's functions.php file (the remove_x_pingback callback must be defined, as below, or the filter does nothing):
     function remove_x_pingback( $headers ) {
         unset( $headers['X-Pingback'] );
         return $headers;
     }
     add_filter( 'wp_headers', 'remove_x_pingback' );
     add_filter( 'xmlrpc_enabled', '__return_false' );
     The following filters were used to disable the old WP-API plugin (versions 1.x and 2.x). The rest_enabled filter has been deprecated since WordPress 4.7 and has no effect on current versions, and switching the REST API off entirely breaks the block editor; on current versions, require authentication for REST requests instead.
     // Filters for WP-API version 1.x
     add_filter( 'json_enabled', '__return_false' );
     add_filter( 'json_jsonp_enabled', '__return_false' );
     // Filters for WP-API version 2.x (deprecated since WordPress 4.7)
     add_filter( 'rest_enabled', '__return_false' );
     add_filter( 'rest_jsonp_enabled', '__return_false' );
  12. Turn off WordPress version disclosure (the generator tag in the page head and in feeds). Hiding the version slows down reconnaissance but is no substitute for updating.
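The items above that can be enforced in code are collected here in a single must-use plugin, as an added example that is not code from the page or from WordPress. A file in wp-content/mu-plugins/ loads on every request and cannot be deactivated from the admin panel, which makes it a better home for hardening than a theme's functions.php (which is lost when the theme changes). It disables XML-RPC and its X-Pingback header, requires a logged-in user for REST API requests instead of switching the API off, removes the version from the page head and feeds, keeps the file editor disabled, and restricts wp-login.php and the admin area to an IP allow-list. The sfe_ prefix, the function names and the allow-list addresses are assumptions for illustration; replace the addresses with your own.

```php
<?php
/**
 * Plugin Name: Example WordPress hardening (must-use plugin)
 *
 * Added example, not code from the page or from WordPress. Save as
 * wp-content/mu-plugins/sfe-hardening.php (create the directory if needed).
 * Function names, the "sfe_" prefix and the IP allow-list are assumptions.
 */

// 1. Disable XML-RPC and drop the X-Pingback header that advertises it.
add_filter( 'xmlrpc_enabled', '__return_false' );
function sfe_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'sfe_remove_pingback_header' );

// 2. Require a logged-in user for every REST API request. Switching the API
//    off would break the block editor and any plugin that uses it.
//    Caveat: plugins that need anonymous REST access (some contact forms,
//    oEmbed consumers) will stop working; allow their routes explicitly if so.
function sfe_rest_require_login( $result ) {
    if ( true === $result || is_wp_error( $result ) ) {
        return $result; // another callback already allowed or rejected the request
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    return $result;
}
add_filter( 'rest_authentication_errors', 'sfe_rest_require_login' );

// 3. Stop advertising the WordPress version in <head> and in the feeds'
//    <generator> element (the "Rss Generator" finding in the scan above).
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 4. Keep the built-in theme/plugin editor off even if wp-config.php omits it.
//    wp-config.php remains the canonical place for this constant.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// 5. Allow wp-login.php and the admin area only from listed IPv4 sources.
//    admin-ajax.php is excluded because front-end features call it anonymously.
function sfe_ip_in_cidr( $ip, $cidr ) {
    if ( false === strpos( $cidr, '/' ) ) {
        return $ip === $cidr; // plain address, exact match
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $bits     = (int) $bits;
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $subnet );
    if ( false === $ip_long || false === $net_long || $bits < 0 || $bits > 32 ) {
        return false; // not IPv4 or malformed prefix: deny
    }
    $mask = ( 0 === $bits ) ? 0 : ( -1 << ( 32 - $bits ) );
    return ( $ip_long & $mask ) === ( $net_long & $mask );
}
function sfe_restrict_admin_by_ip() {
    global $pagenow;
    // Constructed allow-list (documentation ranges); use your own addresses.
    $allowed   = array( '203.0.113.10', '198.51.100.0/24' );
    $protected = ( 'wp-login.php' === $pagenow ) || ( is_admin() && ! wp_doing_ajax() );
    if ( ! $protected ) {
        return;
    }
    // Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address; have
    // the proxy pass the real client address and validate it before trusting it.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( $allowed as $cidr ) {
        if ( sfe_ip_in_cidr( $ip, $cidr ) ) {
            return; // permitted source
        }
    }
    wp_die( 'Admin access is restricted to approved addresses.', 'Forbidden', array( 'response' => 403 ) );
}
add_action( 'init', 'sfe_restrict_admin_by_ip' );
```

Two things the plugin cannot do for you: readme.html and the external wp-cron.php endpoint flagged in the scan above are files, not hooks. Delete readme.html, and if you want to stop anonymous requests from spawning cron runs, set DISABLE_WP_CRON to true in wp-config.php and trigger wp-cron.php from a system cron job instead. Test the IP restriction from an address outside the list before relying on it; if you lock yourself out, remove the file over SFTP, which is the point of keeping it outside the admin panel's reach.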