A blog about WordPress for WordPress bloggers.

by Ian Blackford

SECURITY REVIEW Pt1 :: wp-security-scan plugin

Thu, Oct 9, 2008

Reviews, Security

Security in anything we do these days is of vital importance. We are only human and we make mistakes, so any kind of security backup we can put in place has got to be a good thing. In this series of five security posts I am going to review a different security-related plugin in each, report back the pros and cons of each one, and of course say whether they are indeed making WordPress a little bit safer.

PART ONE: wp-security-scan plugin

Download: WP Security Scan

Author: Semper Fi Web design

Cost: Free

Once you have downloaded and unzipped the plugin, upload it to your plugins folder and activate it in the Plugins menu in the admin area of your blog.

When the plugin is active you will get a new tab in the top menu like this:

Here is what each tab will tell you.

Security Tab

This tab is a ‘dashboard’ for the plugin: it reports all of its findings to you. One of the plugin's features is to help you rename the ‘admin’ user, and it will report here in red if the admin user exists. The way to rename this user is described on a page called Change WordPress Admin Username. The other items it reports on are:

  • WordPress version: 2.6.2 You have the latest stable version of WordPress.
  • Your table prefix is not wp_.
  • Your WordPress version is successfully hidden.
  • WordPress DB Errors turned off.
  • WP ID META tag removed from WordPress core.
  • “admin” user exists.
  • The file .htaccess does not exist in wp-admin/.

Further down the page is a table reporting more system-level information, which includes:

  • Operating System
  • Server
  • Memory usage
  • MYSQL Version
  • SQL Mode
  • PHP Version
  • PHP Safe Mode
  • PHP Allow URL fopen
  • PHP Memory Limit
  • PHP Max Upload Size
  • PHP Max Post Size
  • PHP Max Script Execute Time
  • PHP Exif support
  • PHP IPTC support
  • PHP XML support

Scanner Tab

Clicking on this tab brings up a list of files and directories and checks that each one has the correct permissions. If it’s correct the line is highlighted in green; if it’s incorrect it is highlighted in red. The correct permission setting is displayed alongside, so you can change the permissions accordingly.
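To show what a check like the Scanner tab does under the hood, here is an added example (my own illustration, not code from the WP Security Scan plugin): it compares the mode bits of a handful of paths with an expected value and flags anything that is world-writable. The expected modes and the sample tree are constructed for the example; the plugin's own list of paths and recommended modes is not reproduced here.

```python
import os
import stat
import tempfile

# Constructed expectations for this example: relative path -> octal mode.
# These are common recommendations, not the plugin's own list.
EXPECTED_MODES = {
    "wp-config.php": 0o640,
    "wp-content": 0o755,
    "wp-content/uploads": 0o755,
    "wp-admin": 0o755,
    ".htaccess": 0o644,
}


def audit_permissions(root, expected=EXPECTED_MODES):
    """Compare each listed path under root with its expected mode.

    Returns a list of (relative path, status, actual mode, expected mode)
    where status is 'ok', 'wrong' or 'missing'.
    """
    findings = []
    for rel, want in expected.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings.append((rel, "missing", None, want))
            continue
        actual = stat.S_IMODE(os.stat(path).st_mode)
        status = "ok" if actual == want else "wrong"
        findings.append((rel, status, actual, want))
    return findings


def world_writable(findings):
    """Subset of findings whose actual mode has the 'other write' bit set."""
    return [f for f in findings if f[2] is not None and f[2] & stat.S_IWOTH]


def build_sample_tree():
    """Constructed sample tree: one deliberately loose file, one missing file."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for d in ("wp-content", "wp-content/uploads", "wp-admin"):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php // constructed placeholder, not a real config\n")
    os.chmod(cfg, 0o666)  # deliberately world-writable so the audit flags it
    # .htaccess is intentionally absent, mirroring the plugin's "does not exist" finding
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, status, actual, want in audit_permissions(tree):
        shown = oct(actual) if actual is not None else "-"
        print(f"{status:8} {rel:24} actual={shown} expected={oct(want)}")
```

The world-writable check is the one worth acting on first: a file any local user can write to is a bigger problem than a directory that is merely a bit more open than recommended.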

Password Tool Tab

This is a neat facility which gives you the ability to check the strength of your passwords. A field is displayed on screen and you are invited to type in a password; a graphical bar indicator progresses as you type, alongside words telling you the strength of the password.

Another nice touch is that it automatically generates a random strong password which you can just copy and use.
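As an added example of the two things the Password Tool tab does (my own code, not the plugin's), the block below rates a password by the size of its character set and its length, and generates a random one with the secrets module. The thresholds and the short list of common passwords are constructed for the example.

```python
import math
import secrets
import string

SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"

# Constructed sample of very common passwords; a real meter would use a far larger list.
COMMON = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}


def charset_size(pw):
    """Size of the smallest alphabet that could have produced pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIALS for c in pw):
        size += len(SPECIALS)
    return size


def entropy_bits(pw):
    """Upper-bound entropy in bits assuming each character is chosen uniformly."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def strength(pw):
    """Map a password to a label like the plugin's bar indicator (thresholds are assumptions)."""
    if pw.lower() in COMMON:
        return "very weak"
    bits = entropy_bits(pw)
    if bits < 28:
        return "very weak"
    if bits < 36:
        return "weak"
    if bits < 60:
        return "reasonable"
    return "strong"


def generate_password(length=16):
    """Random password drawn with a CSPRNG, guaranteed to contain all four classes."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw)):
            return pw


if __name__ == "__main__":
    for candidate in ("password", "abcdef", "correcthorse", generate_password()):
        print(f"{candidate!r:22} {entropy_bits(candidate):5.1f} bits  {strength(candidate)}")
```

The entropy figure is an upper bound: it treats every character as independently random, which is true for the generated password and false for anything a person typed, hence the separate common-password check.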

Database Tab

It seems there are two major vulnerabilities in WordPress. The first is the auto-generated ‘admin’ user. This is a security issue because every WordPress blog will probably have this user, so a potential hacker already knows half of a username and password pair. The second issue is the names of the tables in your database. By default, when you install WordPress it prompts you with a table prefix of ‘wp_’; if you leave it as this, a hacker also knows all your table names. This one is simple to combat, because all you need to do is change the prefix to something else before you install. This won’t prevent a hacker from getting in, but it will make it more difficult.

If you have already installed your blog, the Database tab has the answer. Clicking on the tab presents you with a field populated with your current table prefix. Here you can change it to something else, but as the big, bold, italic letters say:

Make a backup of your database before using this tool
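Changing the prefix is more than renaming tables, which is why the backup warning matters. WordPress also stores the prefix inside row data: the option named {prefix}user_roles in the options table and the meta keys {prefix}capabilities and {prefix}user_level in usermeta. If those rows are not rewritten, every user loses their role and nobody can log in as an administrator. Below is an added example (my own, not the plugin's code) that performs both steps against a small SQLite database constructed inline to stand in for a MySQL install; the prefixes are made up, and on real MySQL the rename and string-concatenation syntax differs slightly (RENAME TABLE, CONCAT). After the database change, $table_prefix in wp-config.php must be set to the new value as well.

```python
import re
import sqlite3

# Only letters, digits and underscore are allowed in a prefix, which also
# makes it safe to splice into the identifier positions below.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def change_prefix(conn, old, new):
    """Rename every table starting with `old` and rewrite the prefixed keys
    WordPress keeps as data. Returns the list of (old name, new name) pairs."""
    if not (PREFIX_RE.match(old) and PREFIX_RE.match(new)):
        raise ValueError("prefix must be alphanumeric/underscore")
    # Match on substr rather than LIKE: '_' is a single-character wildcard in
    # LIKE (in MySQL too), so LIKE 'wp_%' would also catch a table named wpx...
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND substr(name, 1, ?) = ?",
        (len(old), old)).fetchall()
    renamed = []
    for (name,) in rows:
        target = new + name[len(old):]
        conn.execute(f'ALTER TABLE "{name}" RENAME TO "{target}"')
        renamed.append((name, target))
    # Standard WordPress keys that embed the prefix inside row data.
    conn.execute(
        f'UPDATE "{new}options" SET option_name = ? || substr(option_name, ?) '
        "WHERE substr(option_name, 1, ?) = ?",
        (new, len(old) + 1, len(old), old))
    conn.execute(
        f'UPDATE "{new}usermeta" SET meta_key = ? || substr(meta_key, ?) '
        "WHERE substr(meta_key, 1, ?) = ?",
        (new, len(old) + 1, len(old), old))
    conn.commit()
    return renamed


def build_sample_db():
    """Constructed in-memory stand-in for a default 'wp_' install (a few rows only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT);
        INSERT INTO wp_options (option_name, option_value) VALUES
            ('siteurl', 'http://example.test'),
            ('wp_user_roles', 'a:1:{s:13:"administrator";a:0:{}}');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (1, 'wp_user_level', '10'),
            (1, 'nickname', 'admin');
    """)
    return conn


def table_names(conn):
    return sorted(n for (n,) in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'"))


if __name__ == "__main__":
    db = build_sample_db()
    for old_name, new_name in change_prefix(db, "wp_", "xk7q_"):
        print(f"renamed {old_name} -> {new_name}")
    print("tables:", table_names(db))
    # Reminder: set $table_prefix = 'xk7q_'; in wp-config.php to match.
```

Run it against a copy of the data first, exactly as the plugin's warning says: a failed rename halfway through leaves a site with some tables under each prefix, which is much harder to recover from than restoring a backup.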

Support Tab

The Support tab is under construction, but it is a place where you can link back to the publisher's changelog and documentation.

Conclusion

My conclusion is that this plugin highlights the two most overlooked vulnerabilities in WordPress: the admin username and the table prefix. Both are fixable and this plugin shows you how to do it. What’s more, having these highlighted will teach you to install more securely in the future. Some of the information the plugin reports will go right over most bloggers' heads, but so long as you don’t get bogged down with the unimportant stuff you should be OK.


Overall I would give this plugin 3.5/5.

Killer feature: the ability to change the table prefix in one go.


This post was written by:

Ian Blackford - who has written 51 posts on bloggingrocket.com.

Ian Blackford is a web developer based in Telford, Shropshire and is the owner-manager of Design Conscious .com. Ian now creates most of his sites using WordPress and so has probably hit most of the snags and problems that everyone hits; who better, then, to start a blog on how to set up WordPress? Like what you've read? Then please consider giving a donation.


3 Comments For This Post

  1. rsfrs Says:

    Nice article and I feed your posting.

  2. SIA Approved Contractor Says:

    Nice article.

  3. Tammara Says:

    Hi,
    Wanted to mention one point with regard to a person changing their admin user name for WordPress from phpMyAdmin. While they’re at it, if by chance they also decide to change their phpMyAdmin password, they must also be sure to make the same password change in their wp-config.php file. Otherwise their site will go down.

    Just thought I would mention that since I made that error on one of my sites. I decided to change all my passwords after I changed my admin user name and didn’t realize I missed a step – lol. Fortunately, my host quickly identified what I failed to do and my site was back up and running quickly again.

    Thanks for the security scan plugin! It brought some relief for me after cleaning up things with my site. :)
