Plugin Monday: Keep WordPress Secure with WP Security Scan

by Cord Blomquist on March 29, 2010

in Plugin Monday

Photo: Candado 39 (Creative Commons License photo credit: .:elNico:.)

It can be easy to let security slip your mind when you’re building a website or blog with WordPress. Thankfully, there are some great tools out there that will let you easily check on the security status of your WordPress-based site and remind you of further steps you ought to be taking to protect yourself.

WP Security Scan can help keep your site secure by quickly displaying the folder permission settings critical to your site’s security, testing the strength of your passwords, hiding the version of WordPress you’re using from being displayed, hardening your database, keeping bad guys out of your admin panel, and obfuscating meta tag information in your site’s code. If some or all of this sounds a little bit above your expertise level, the plugin makes it easy and walks you through the steps necessary to turn your site into a virtual fortress.

The initial screen of the plugin gives you an overview of your WordPress install’s security as well as information on your web server—any potential problems will be highlighted in red.

From there, you can delve down into the “Scanner” tool, which will let you know the CHMOD status of the following files and directories:

  • root
  • wp-includes
  • .htaccess
  • wp-admin/index.php
  • wp-admin/js/
  • wp-content/themes/
  • wp-content/plugins/
  • wp-admin
  • wp-content

This is a great tool, as it saves me a ton of time should I ever get that nagging feeling that I might have left a folder set to 777 when I meant to set it back to 755.  Thankfully, it’s most often the case that when I check the scanner, I’ve done the right thing and locked down my folder after doing some maintenance on the site, but it’s nice to have a quick way to resolve that “Did I leave the oven on?” sort of feeling.
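For readers who would rather run the same check from a shell than from the dashboard, here is an added example (not part of the plugin) that audits the paths the Scanner tab lists and flags anything writable by group or others, such as a folder left at 777 instead of 755. The WordPress root is passed as the first argument.

```shell
#!/bin/sh
# Added example, not the plugin's code: re-create the Scanner tab's
# permission check from the command line. The paths are the ones the
# post lists, relative to the WordPress root given as the first argument.

WP_PATHS="\
.
wp-includes
.htaccess
wp-admin/index.php
wp-admin/js
wp-content/themes
wp-content/plugins
wp-admin
wp-content"

# Octal mode of a path; GNU stat (Linux) first, BSD stat (macOS) as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Usage: wp_perm_audit /path/to/wordpress
# Prints one line per path ("OK 755 wp-admin", "WARN 777 wp-content",
# "MISSING .htaccess") and returns 1 if any path is looser than the
# 755/644 the post recommends, i.e. has a group or other write bit set.
wp_perm_audit() {
    root=$1
    status=0
    for rel in $WP_PATHS; do
        target="$root/$rel"
        if [ ! -e "$target" ]; then
            printf 'MISSING %s\n' "$rel"
            continue
        fi
        mode=$(mode_of "$target")
        other=${mode#"${mode%?}"}          # last octal digit: others
        rest=${mode%?}
        group=${rest#"${rest%?}"}          # second-to-last digit: group
        # Any octal digit with the write bit (2) set is 2, 3, 6 or 7.
        case "$group$other" in
            *[2367]*) printf 'WARN %s %s\n' "$mode" "$rel"; status=1 ;;
            *)        printf 'OK %s %s\n' "$mode" "$rel" ;;
        esac
    done
    return $status
}
```

Run it as `wp_perm_audit /var/www/html` (path assumed) after maintenance; a non-zero exit status means something is still open wider than it should be.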

The included password generation tool is the next item in the plugin’s menu.  This tool is useful, but I also like using tools like the random password generator at The Bitmill.  Whatever tool you prefer, it’s good to be reminded of the need to keep passwords lengthy and random.

The next item—the database tool—will allow you to rename your database prefix to something other than the default “wp_”, which is how WordPress databases typically appear in examples and is the most often used prefix.  Changing this creates one more thing a would-be attacker won’t know about your site, and doing so is easy using this tool.

Be sure to back up your database before using the database tool.  Even the most tried and true plugins can easily corrupt your data should any hiccup occur in the process.  Better safe than blog-less.

As a bonus that requires no action on your part, whenever the plugin is turned on, your WordPress version is hidden from outsiders along with a lot of the meta data that could be used by potential attackers: two more bits of data that will be obscured from potential threats.

WP Security Scan is a great plugin, a fact that’s proven by its 342,000 all-time downloads.  Michael Tolbert, the plugin’s author, is also the author of All-in-One SEO Pack, a great plugin for those of you using a theme that requires a bit of SEO love.

To be completely secure, be sure to follow these guides from the WordPress Codex and Pro Blog Design.


  • This definitely looks like a great plugin, and one I wouldn't have even thought about looking for.

    Thanks for sharing, Cord.
  • Thanks, glad you've found it useful. Let me know if you'd like me to cover any other topics.

    Did you get my email in reply to yours a few weeks back?