Here is a list of checks a non-technical person can perform from the “outside,” ranked by importance:
- Padlock Icon (SSL/HTTPS)
  - Risk: If the address bar says “Not Secure,” any information you type (like a contact form or password) is visible to anyone on the same network.
  - Fix: Contact your hosting provider to enable a free Let’s Encrypt SSL certificate and ensure all traffic redirects to https://.
- The “admin” Username Test
  - Risk: Hackers assume the first user is “admin”; if you can confirm this username exists, you’ve given them half the key to the door.
  - Fix: Go to [yourdomain.com/?author=1](https://yourdomain.com/?author=1). If it redirects to a page that says “admin,” create a new user with a unique name, give them “Administrator” rights, and delete the old “admin” account.
- The Version “Generator” Tag
  - Risk: If you right-click the page, select “View Page Source,” and search for “generator,” you might see WordPress 6.x. This tells hackers exactly which old bugs they can use to break in.
  - Fix: Use a free security plugin like our pt-simple-security-hardening, Wordfence or Sucuri and toggle the setting that says “Hide WordPress Version.”
- Publicly Browsable Folders
  - Risk: Try visiting [yourdomain.com/wp-content/uploads/](https://yourdomain.com/wp-content/uploads/). If you see a list of files and folders instead of a blank page or an error, hackers can easily browse every image and document you’ve ever uploaded.
  - Fix: Ask your host to “Disable Directory Browsing” or add a simple blank file named index.php into that folder.
- Not Using MFA
  - Risk: Bots will try various usernames and passwords to guess one that works for your site.
  - Fix: Use an MFA plugin, such as our PT-Simple-MFA, to add a really secure layer to your site by sending you a short code via email as you log in. Once logged in you can ‘trust’ the device so you don’t need to go through this every time. Even if someone watches you typing in your password, they still need access to your email to log in to your admin, and this will typically block 99.9% of brute force attacks.
- The Default Login Page
  - Risk: Every WordPress site defaults to [yourdomain.com/wp-admin](https://yourdomain.com/wp-admin). Because everyone knows this, bots spend 24/7 trying to “guess” passwords on that specific page.
  - Fix: Use a plugin called “WPS Hide Login” to change your login link to something unique, like [yourdomain.com/secret-entryway](https://yourdomain.com/secret-entryway).
- Standard WordPress “Readme” File
  - Risk: Visiting [yourdomain.com/readme.html](https://yourdomain.com/readme.html) often shows a page that confirms you are using WordPress and reveals your version.
  - Fix: Connect to your site via File Manager or FTP and simply delete the readme.html file in the main folder.
- Plugin “Fingerprinting”
  - Risk: If a visitor can see specific plugin names in your website’s source code (e.g., /wp-content/plugins/wp-file-manager/), they know exactly what tools you use and whether they have known flaws.
  - Fix: Delete any plugins you are not actively using; the fewer plugins you have, the fewer “doors” there are for hackers to try.
- User Information Leak (REST API)
  - Risk: Try visiting [yourdomain.com/wp-json/wp/v2/users](https://yourdomain.com/wp-json/wp/v2/users). If you see a list of names and usernames, you are handing a “hit list” to attackers.
  - Fix: Use a security plugin (such as our pt-simple-security-hardening) to “Disable REST API for non-logged-in users.”
- Comment Spam Vulnerability
  - Risk: If your blog posts allow comments without any “prove you’re human” check (like a checkbox or a math puzzle), bots will flood your site with malicious links.
  - Fix: Enable “Akismet” (usually pre-installed) or add a “CAPTCHA” plugin to your comment section.
- Search Engine “Indexing” of Sensitive Pages
  - Risk: If you search Google for site:yourdomain.com and you see your login page or private folders in the results, hackers can find them too.
  - Fix: Ensure your “Search Engine Visibility” setting in WordPress is correct, and use a “robots.txt” file to tell Google what to ignore.
- Broken/Outdated Copyright Date
  - Risk: While not a direct hole, a footer that says “© 2018” signals to a hacker that the site is likely abandoned and hasn’t been updated with the latest security patches.
  - Fix: Update your theme settings or footer widget to show the current year; it signals that the site is actively maintained.
- XML-RPC Access
  - Risk: Go to [yourdomain.com/xmlrpc.php](https://yourdomain.com/xmlrpc.php). If it says “XML-RPC server accepts POST requests only,” it’s active. This is a common “backdoor” used to try thousands of passwords in seconds.
  - Fix: Most security plugins (such as our pt-simple-security-hardening) have a one-click button to “Disable XML-RPC.”
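A way to run the outside-in checks above against your own site in one pass, as an added example that is not part of the original post or any of the plugins it mentions. Each `check_*` function classifies what a browser would see for one item on the list, `audit_responses()` runs all of them over already-fetched responses, and `audit()` fills that mapping by fetching your own domain. The `SAMPLES` mapping is constructed data so the script runs offline; the `/wp-login.php` path, the `Index of /` title used to recognise a directory listing and the `/author/<name>/` redirect shape are assumptions about default WordPress and web-server behaviour, not something the post states.

```python
"""Self-audit helper for the outside-in WordPress checks above (added example).

Each check_* function takes the raw material a browser would see (a status
code, a header value or a response body) and returns the finding, or a
falsy value when the risk is absent. SAMPLES is constructed data so the
script runs offline; run `python self_audit.py https://yourdomain.com` to
fetch real responses from your own site instead.
"""
import json
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Paths the post tells the reader to visit, relative to the site root.
# /wp-login.php is an assumption: /wp-admin redirects there when logged out.
PATHS = ["/", "/?author=1", "/wp-content/uploads/", "/readme.html",
         "/wp-json/wp/v2/users", "/xmlrpc.php", "/wp-login.php"]


def check_no_https(url):
    """Padlock check: anything other than an https:// address shows 'Not Secure'."""
    return urlparse(url).scheme != "https"


def check_author_enumeration(location):
    """?author=1 redirecting to /author/<name>/ reveals that username (assumed shape)."""
    m = re.search(r"/author/([^/?#]+)", location or "")
    return m.group(1) if m else None


def check_generator_tag(html):
    """Return the content of a <meta name="generator"> tag, or None if absent."""
    for tag in re.findall(r"<meta\b[^>]*>", html, re.I):
        if re.search(r"""name\s*=\s*["']generator["']""", tag, re.I):
            m = re.search(r"""content\s*=\s*["']([^"']*)["']""", tag, re.I)
            return m.group(1) if m else ""
    return None


def check_directory_listing(html):
    """Web-server auto-index pages carry an 'Index of /...' title (assumed)."""
    return re.search(r"<title>\s*Index of /", html, re.I) is not None


def check_readme_exposed(status, html):
    """readme.html still present and confirming WordPress."""
    return status == 200 and "WordPress" in html


def check_plugin_names(html):
    """Plugin folder names referenced by scripts and stylesheets in the source."""
    return sorted(set(re.findall(r"/wp-content/plugins/([\w.-]+)/", html)))


def check_rest_user_leak(status, body):
    """A 200 with a JSON list of user objects at /wp/v2/users leaks usernames."""
    if status != 200:
        return []
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, list):
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]


def check_xmlrpc_enabled(body):
    """The message quoted in the post means xmlrpc.php is answering."""
    return "XML-RPC server accepts POST requests only" in body


def audit_responses(base_url, responses):
    """Run every check over path -> (status, headers, body); returns findings."""
    def get(path):
        return responses.get(path, (None, {}, ""))
    _, _, home = get("/")
    _, author_headers, _ = get("/?author=1")
    readme_status, _, readme_body = get("/readme.html")
    users_status, _, users_body = get("/wp-json/wp/v2/users")
    return {
        "no_https": check_no_https(base_url),
        "admin_username": check_author_enumeration(author_headers.get("location")),
        "generator": check_generator_tag(home),
        "directory_listing": check_directory_listing(get("/wp-content/uploads/")[2]),
        "readme_exposed": check_readme_exposed(readme_status, readme_body),
        "plugins": check_plugin_names(home),
        "rest_users": check_rest_user_leak(users_status, users_body),
        "xmlrpc_enabled": check_xmlrpc_enabled(get("/xmlrpc.php")[2]),
        "default_login": get("/wp-login.php")[0] == 200,
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError so the Location header can be read


def fetch(url):
    """Return (status, lower-cased headers, body) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "self-audit/1.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            status, headers, raw = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        status, headers, raw = err.code, err.headers, err.read()
    return status, {k.lower(): v for k, v in headers.items()}, raw.decode("utf-8", "replace")


def audit(base_url):
    """Fetch every path in PATHS from your own site and run the checks."""
    base = base_url.rstrip("/")
    return audit_responses(base_url, {p: fetch(base + p) for p in PATHS})


# Constructed sample responses mimicking an unhardened site (not real data).
SAMPLES = {
    "/": (200, {}, '<html><head><meta name="generator" content="WordPress 6.4" />'
                   '<script src="/wp-content/plugins/wp-file-manager/js/fm.js"></script>'
                   '</head><body></body></html>'),
    "/?author=1": (301, {"location": "https://example.com/author/admin/"}, ""),
    "/wp-content/uploads/": (200, {}, "<html><head><title>Index of /wp-content/uploads</title></head></html>"),
    "/readme.html": (200, {}, "<h1>WordPress</h1><p>Version 6.4</p>"),
    "/wp-json/wp/v2/users": (200, {}, '[{"id": 1, "name": "Site Owner", "slug": "admin"}]'),
    "/xmlrpc.php": (405, {}, "XML-RPC server accepts POST requests only."),
    "/wp-login.php": (200, {}, '<form id="loginform"></form>'),
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    findings = audit(target) if target else audit_responses("http://example.com", SAMPLES)
    for name, value in findings.items():
        print(f"{name:18} {value!r}")
```

Every finding that comes back truthy maps to one item in the list above and its Fix; a hardened site answers with `False`, `None` or an empty list for each key. The fetcher deliberately does not follow redirects, because the `?author=1` check depends on reading the redirect target rather than the page it lands on.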