Most of the wordpress security plugins are fraud. Yes! fraud, cause they doesn’t update you about the vulnerability. WordPress plugins only does ip blocking, wp-admin url changing, log checking and nothing. Seriously dude this is your wordpress site you earn money from it or you showcase your portfolio. So it is better that you know the ugly truth of wordpress security scan.
About 90% blog around internet provides the wrong information about security checkup of your wordpress site.
Most of the blogs checklist for wordpress security I collected from internet are:
- Password Checking.
- You cannot keep admin username.
- WordPress Salt checking.
- Theme’s malware.
- Plugin Malware.
- and nothing.
Check this things using a plugin and you are done. Most of the bloggers says that. There is nothing about exploits, zero days or any other ways.
A wordpress website security scan means what are the gateways or vulnerabilities or possible ways wordpress site can be hacked. Then checking if any possible malwares.
What are the methods for wordpress hacking:
- Theme’s exploit checking.
- Plugin’s exploit checking.
- Using WpScan to scan entire wordpress website.
- Using reverse IP to check server then symlink or server root.
Theme’s Exploit Checking: If you are using any popular theme like avada, bridge, newspaper etc etc. Then you can search exploit for your website in Exploit-DB or WpVulnDB. Trust me 90% of the popular theme is vulnerable or they keep their Remote code.
Plugin’s exploit checking: Same as Theme exploit search your plugins vulnerability in Exploit-DB or WpVulnDB. In my experience 96% plugins are vulnerable. There is a saying “Everything is hackable.”
WpScan: If you are not using a popular theme or you are using a custom plugin then use WPScan to scan your wordpress website for vulnerability. Here is user guide for WPScan
Using reverse IP to check server then symlink or server root: This is total black hat hacking. For security reasons I won’t show you the methods for exploit but I will tell you the procedure. So that you can search on google and learn for those stuff. At first you need to know you server’s IP address then go to bing and use bing dork for finding SQL injection / LFI / RFI / Image Upload / File upload vulnerabilities inside of the server, then shell upload >> Server root or Symlink and Bang!
These are the methods for wordpress website hacking. So you have to check first if your wordpress site is hackable or not.
Now move on to the Malware Part.
Malware Scanning
In this section I will speak about how to scan if there is any existing malware or not. So to do that we may need third-party websites or manual checking. Below I am describing more
Manually Malware Checking
It is a hard method but it is effective. It is time consuming but you can ensure that you removed by yourself. For manual malware checking use this checklist:
- Check your .htaccess file.
- Check every JS files and look for encrypted JS or regex codes and remove those lines of codes.
- Check every PHP files and look for encrypted PHP codes and remove those malicious codes
This is so time consuming that’s why a lot of people uses tools.
Malware Checking By Automated Tools
Use these tools for scanning malware
These are the methods for malware scanning. If you seen this work is complex or hard you can check our WordPress Security Services
In serious word no one speaks straight forward like me. I usually show every methods. Whereas most of the people wants that you go and buy their services, though I want that too but I don’t want that I keep knowledge inside of myself I want to spread the knowledge. Thank You!