It is estimated that more than 7.5 million attacks hit WordPress sites around the world every hour. These statistics indicate that the chances of your website being attacked are massive. Regular website scanning and patching of the reported vulnerabilities should therefore be part of your routine website maintenance.
After all, any WordPress site can be vulnerable for various reasons. Once your site is hacked, you may lose all the effort you have put into it and even suffer financial losses, especially if you store personal information on the website.
This time, to help you raise the level of your website security, we'd like to introduce how to scan WordPress and patch WordPress loopholes effectively.
How to Scan WordPress
There are a large number of website scanning tools available online. Here, we have listed some free ones that only require you to enter the website URL and click the scan button to start scanning WordPress.
- WordPress Security Scan – This is an online security scanner for WordPress that tests for vulnerabilities in the WordPress core, hosting environment, WordPress plugins, web server and WordPress themes.
- Scan My Server – With this tool, you can get detailed security reports for your server machine and your site, which mainly cover SQL injection, malware, XSS and some other vulnerabilities.
- Sucuri Site Check – This online tool checks and tests your WordPress site for unknown malware, website errors, blacklisted status and outdated software.
In addition to these online tools, you can also use WordPress plugins that serve the same scanning purpose. Here, we highly recommend the Total Security plugin. With it, you can easily check the WordPress installation and get detailed, up-to-date reporting on all the discovered vulnerabilities, suspicious items and security weaknesses that might be exploited by hackers, along with suggestions on how to deal with them.
Now, you can install it and click the Total Security button to configure the plugin first.
- This plugin allows you to hide the default “wp-admin” folder and the “wp-login.php” file to prevent malicious access to your login page. In addition, you can enter a security key of your choice for the login page and the exact URL to which any unauthorized attempts are redirected. You can leave this field blank to redirect to the 404 page, or enter a slash to redirect to the homepage.
- In order to control the script execution time, you can set the maximum number of seconds allowed to run each test.
- In order to reduce the chances of a memory limit error, you can set the exact number of files for each batch.
- You can enable 404 error log reporting so as to uncover hidden problems that may cause these errors. Note that you can choose to ignore visits from some robots or visits that do not have any HTTP referrer.
After configuring these general settings, you can start scanning your WordPress site.
First, you can start with the vulnerability scan, which mainly checks all the major security vulnerabilities and loopholes, as well as the installation parameters. The report gives you a clear view of the security issues that exist on your site, along with the information you need to understand and eliminate them.
To carry out the scanning, you only need to click the Execute button.
File System Scan
As for file system scanning, this plugin picks up all the suspicious, unknown, potentially malicious, temporary and compressed files in your WordPress core.
Generally, every change made to your WordPress core files can show up as a legitimate finding. This step, which is based on the MD5 hashing algorithm, can therefore detect any changes that were not made by you and may come from exploits.
Here, simply by clicking the Execute button, you can have all the core files scanned in detail, identify the problematic files quickly, remove any exploits, fix the accidental addition and removal of core files, take a close look at the file sources and deal with the automatic update issues of WordPress.
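The idea behind such a hash-based core file check, as an added example that is not the Total Security plugin's own code: a baseline of MD5 digests is compared with the files currently on disk, and modified, unknown and missing files are reported. The function names and the tiny sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile


def md5_of(path):
    """Return the hex MD5 digest of a file, read in 64 KiB chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_core(root, baseline):
    """Compare root with baseline {rel_path: md5}; return (modified, unknown, missing)."""
    seen = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            seen[os.path.relpath(full, root).replace(os.sep, "/")] = md5_of(full)
    modified = sorted(p for p in seen if p in baseline and seen[p] != baseline[p])
    unknown = sorted(p for p in seen if p not in baseline)
    missing = sorted(p for p in baseline if p not in seen)
    return modified, unknown, missing


def demo():  # build a constructed mini core tree, change it, then scan it
    files = {  # constructed sample content, not real WordPress files
        "index.php": b"<?php // constructed sample\n",
        "wp-login.php": b"<?php // constructed login stub\n",
        "wp-includes/version.php": b"<?php // constructed version stub\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "wp-includes"))
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = {rel: md5_of(os.path.join(root, rel)) for rel in files}
        with open(os.path.join(root, "wp-login.php"), "ab") as fh:  # edited file
            fh.write(b"// appended line\n")
        with open(os.path.join(root, "wp-includes/tmp.php"), "wb") as fh:  # new file
            fh.write(b"<?php // unexpected file\n")
        os.remove(os.path.join(root, "index.php"))  # deleted core file
        return scan_core(root, baseline)


if __name__ == "__main__":
    print(demo())
```

MD5 is used here because it is the algorithm the scan is described as using; for a baseline you generate and keep yourself, `hashlib.sha256` is a drop-in replacement that resists deliberate collisions.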
If you enable the 404 log function in the general settings of this plugin, you can easily find the hidden problems that lead to these irritating errors. Fixing them brings the added benefit of improving your website.
How to Patch WordPress Loopholes After Scanning
Whether you use an online tool or a WordPress plugin to scan your WordPress site, you will get some suggestions on how to patch the loopholes. In addition to these recommendations, we also suggest that you do the following to eliminate website weaknesses as much as possible.
- Keep everything on your site updated, including the WordPress core, themes, plugins and any installed widgets.
- Use the .htaccess file to protect your pertinent website files and improve the overall security.
- Make your login page as obscure as possible.
- Use a strong password and username for everything.
- Run a full website backup on a regular basis. The recommended frequency is once a week.
- Set up proper file permissions and avoid making them too permissive, especially for crucial files.
- Adopt an SSL certificate to safeguard your sensitive information and site data.
- Password-protect all your essential folders.