A WordPress Security Audit is a must for any site running any version of WordPress. Your website is solely dependent on the integrity of your CMS and can get shut down, not just for days, but permanently if it is penetrated by hackers. Even a simple PHP vulnerability can leave your site vulnerable to hijacking, or cause you to lose your entire database of customer details.
Most sites use the default settings of WordPress, without even realizing that there are a number of “secrets” hidden within the settings. This doesn’t have to be the case.
We can remove these ‘secrets’ by performing a WordPress Security Audit. So, why should we use this?
A simple reason is that so many people rely on WordPress to host their websites. And when they hear about a big company security breach, such as the recent Heartbleed bug, they go on the attack and assume that ‘no-one else has ever had a problem’.
What happens next is that you discover that all your customers’ data has been compromised. But now your profits have been reduced, because all your customers will not be able to pay you, and you cannot send them any more products or services. You now have no products or services at all.
However, a number of people have been using WordPress, without realising that there are a number of ‘secrets’ hidden within the settings. The most important one is the option to make use of a Public Directory.
What is a Public Directory? This is an internal option, accessible only to administrators, that allows the public to view the content of your site.
This is a critical feature, because there are only two reasons why anyone would want to view your site: firstly, if they find a vulnerability in the site, which they will then report to you; secondly, if they want to change some part of the site, and need to insert some data that is already on your site, because it is no longer available – or is incomplete. So, this is the one option that could put your website at risk – if your site is not protected from outsiders, such as hackers, spammers, and identity thieves.
So, a Public Directory is essential. Without it, the chances of being hacked, as well as of providing a means for outsiders to change the content of your site, are so high that we recommend you use a WordPress Security Audit.
We need to fix this second area of weakness: the ‘forgotten password storage’ and ‘password storage not usable’ options. These are things that almost all WordPress installations have, and they are probably the most common and most serious source of problems.
Any website that has any level of security will include a ‘password generator’ option. But this option needs to be used responsibly, as it provides your customers with a means of protecting their passwords by erasing any previous ones that they might have stored in the site.
This does not just mean erasing them from the database. It means that you should remove any previous password that is in use – which leaves the possibility of anyone on the internet using the same password to access your site.