WordPress Sites – Key Indicators of Security Vulnerabilities

Published by Baden Maxwell on February 8th, 2013 - in Wordpress Security


WordPress – The Powerhouse of Website Management Systems!


Wordpress Site Security

WordPress has become a powerhouse in website content management systems, and for good reason. The platform is FREE to use, has been programmed and is continually updated with extremely clean code, and is built specifically to be as search engine friendly as possible.

Besides these attractive qualities, WordPress is extremely easy to use, easy to edit, simple to teach others how to manage and comes packed with thousands of FREE themes, plugins and capabilities. It’s no wonder it has become one of the leading content management systems on Earth, and is used by millions of individuals, businesses and corporations to project their online presence.


Vital Flaws


However, there are some major flaws in the default WordPress file configurations and settings, and alarmingly, not many users – many of them webmasters and designers – are even aware of the inherent security risks in this major platform.

If YOUR website is powered by WordPress and you, or whoever built your site is NOT aware of these security flaws, your online presence, information and business is extremely insecure, unprotected and vulnerable to attack from hackers, site spies and website hijackers.

If immediate action isn’t taken to rectify your security issues, sooner or later you may find your site hacked, infected with malware, spyware or viruses, and that Google and the other major search engines have deemed it UNSAFE for browsing and completely de-index you.

And that’s just the beginning – because if your site HAS been breached, you’ll more than likely find that confidential personal, business and/or financial information may have been stolen and exploited from right under your nose!


The Key Indicators of Weak Security


We want to share with you the 4 Key Indicators that we use to evaluate whether a site has at least a basic level of security. Use this information so that you can quickly check your own security levels and determine whether you need to address any issues your site may have.


  • 1. Is wp-config.php Accessible?


    A common and EXTREMELY DANGEROUS mistake made by most WP users is to leave the wp-config.php file in the root (public) directory, which is highly insecure and makes this file publicly accessible and readable with the right tools. The wp-config.php file contains your site’s operating database username and password.

    To check whether your wp-config.php file is secure, type your web address followed by /wp-config.php (for example yourwebsitename.com/wp-config.php) into your web browser’s address bar.

    If the page that appears returns a 404 ERROR message, then congratulations, you or your webmaster has done a good job!

    However, if the page is BLANK, the news is NOT good. You may think that because the page is blank there is nothing there, but in actual fact only the SCREEN is blank: the file IS readable, meaning your wp-config.php file can be read and all of your vital information accessed.


  • 2. Is wp-login.php Available and Returning Error Messages?


    This is another very common and dangerous mistake many WordPress users make. wp-login.php does NOT need to be publicly accessible and should NOT return ANY error messages. Unless you are running a membership area on your website, your login page shouldn’t be publicly accessible.

    The reason NO error messages should be returned is that these messages give hackers information to work with.

    An extremely dangerous mistake is to keep your username as the default admin name. When this is used, all a hacker has to do is try “admin” (which is highly likely to work, considering it’s the default setting) along with any password on login, and if your login page is returning messages, it will tell them either “ERROR: Incorrect password.” or “ERROR: Incorrect password for username admin.” This means they now KNOW your username and can use an automated program to crack your password.

    To check your login page, either pull it up or type: yourwebsitename.com/wp-login.php into your address bar. Now try logging in with incorrect details to see if any messages are being returned. If you see ANY error messages – especially the two from above if you use admin – your site is terribly vulnerable.


  • 3. Is readme.html Available?


    The readme.html file contains information about your current WordPress installation, and allows people to see which version is currently installed on your website. The danger of this is that hackers may be aware of known exploits for your WP version and find a vulnerability to target.

    There is absolutely NO valid use for a readme.html file and it should be removed immediately.

    To check if readme.html is available, type: yourwebsitename.com/readme.html into your address bar. This file will appear onscreen if it is still available.


  • 4. Is The Installation Script Still Available?


    Once again, one of the most common and dangerous errors we see with WordPress sites is NOT removing the installation script from the site’s files. Once WP has been installed and/or updated, there is no longer a valid use for the script and it should be removed immediately.

    If this file is still available, chances are that it will still be EXECUTABLE as well. This gives hackers the ability to re-install a new site along with completely different execution details like usernames and passwords, effectively locking you out of your own domain.

    Or they could just destroy your entire website with the click of a button if they wished!

    To check for the installation script, type: yourwebsitename.com/wp-admin/install.php into your address bar. If it is still available, an “Already Installed” message will appear.
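As an added example (not code from the original post), the following Python script runs the four checks above against a site you administer and classifies each response using the indicators described in this article. The base URL is supplied on the command line; the marker strings, the User-Agent value and the deliberately wrong login details are assumptions made for this example.

```python
"""Check a WordPress site you administer for the four indicators above."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumed strings that reveal a login page is echoing error text back.
LOGIN_ERROR_MARKERS = ("Incorrect password", "Invalid username", "ERROR:")


def fetch(url, data=None):
    """Return (status, body) for a GET, or for a POST when data is given."""
    req = urllib.request.Request(url, data=data, headers={"User-Agent": "wp-indicator-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 404 etc. still carry a body
        return err.code, err.read().decode("utf-8", "replace")


def assess_wp_config(status, body):
    # Indicator 1: a 404 is the good outcome; a 200, even a blank one, is flagged.
    if status == 404:
        return "ok: wp-config.php is not served"
    if status == 200 and "DB_PASSWORD" in body:
        return "CRITICAL: wp-config.php source is readable"
    if status == 200:
        return "WARN: wp-config.php reachable (blank page); verify it cannot be read"
    return f"info: unexpected status {status} for wp-config.php"


def assess_login(status, body):
    # Indicator 2: any echoed error text is a finding; 404 means not exposed.
    if status == 404:
        return "ok: wp-login.php is not reachable"
    leaked = [m for m in LOGIN_ERROR_MARKERS if m in body]
    if leaked:
        return "WARN: wp-login.php returns error text: " + ", ".join(leaked)
    return "info: wp-login.php reachable but returned no error text"


def assess_readme(status, body):
    # Indicator 3: the stock readme names the product, so its presence is a finding.
    if status == 200 and "WordPress" in body:
        return "WARN: readme.html exposed (reveals version)"
    return "ok: readme.html is not available"


def assess_install(status, body):
    # Indicator 4: the "Already Installed" page means the script still executes.
    if status == 200 and "Already Installed" in body:
        return "WARN: wp-admin/install.php is still reachable"
    return "ok: install script is not reachable"


def check_site(base):
    """Run all four checks and return {indicator: verdict}."""
    base = base.rstrip("/")
    wrong = urllib.parse.urlencode({"log": "nosuchuser", "pwd": "wrong"}).encode()
    return {
        "wp-config.php": assess_wp_config(*fetch(base + "/wp-config.php")),
        "wp-login.php": assess_login(*fetch(base + "/wp-login.php", wrong)),
        "readme.html": assess_readme(*fetch(base + "/readme.html")),
        "install.php": assess_install(*fetch(base + "/wp-admin/install.php")),
    }


if __name__ == "__main__":
    for name, verdict in check_site(sys.argv[1]).items():
        print(f"{name:15} {verdict}")
```

Run it as `python3 wp_check.py https://yourwebsitename.com`; the assess_* functions are pure, so they can also be exercised on saved responses without touching the network.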


Unfortunately, every time WP is updated to the current version, it re-installs and replaces almost ALL of the files that were previously secured, rendering your site insecure once again.

Website security is an on-going task that requires consistent, periodic updating and re-securing.

We strongly suggest you seriously consider the security of your WP website, and remain vigilant in your efforts to keep your online business, presence and capabilities fully protected and secure.

Click Here for more information about our WP Security Services or Contact Us Today for a friendly NO OBLIGATION chat to see if we can help you address your site security issues and protect YOUR online business!




© iWEB Marketing NZ. All Rights Reserved 2013.