Join Jeff Starr for an in-depth discussion in this video, Find and report vulnerabilities, part of WordPress: Developing Secure Sites.
- [Instructor] In this video, we look at how to find and report vulnerabilities, bugs, and other issues. If you happen to discover a bug while working with WordPress, you may report it via the designated page at wordpress.org. If you think you've discovered a security vulnerability, e-mail the security team ASAP at email@example.com, and provide as much accurate and descriptive information as possible. For security issues, please do not post anywhere on the web before hearing back from the WordPress team.
You can find more details at wordpress.org. There are several plugins that will help you keep a close eye on the overall security and integrity of your WordPress-powered site. They are Activity Log, which monitors what logged-in users are doing; Exploit Scanner, which scans your site for signs of hacking; and WordPress Health Check, which checks your site's health. We cover Activity Log and Exploit Scanner in previous tutorials, so let's look at that third one, WordPress Health Check.
Visiting the Add Plugins page, we do a quick search for the plugin, and we see two similar results. The first one hasn't been updated in a while and is not current with the latest version of WordPress. This one here however by Frank Corso looks much better. Checking the plugin details, everything looks good. It's recently updated, current with the latest version of WordPress, and a decent number of active installs for a newer plugin.
Plus a five-star rating, it doesn't get much better. Reading the description here, we see that this plugin checks our WordPress site to ensure that it's healthy, up to date, and secure. Everything looks good, and the installation steps are straightforward. In fact, my WordPress Health Check is already installed on this demo site, so let's go ahead and activate the plugin and see how it works. The first thing the plugin does is ask you if you would like to be anonymously tracked to help improve the plugin.
That's totally your call. I tend to not allow this sort of tracking just to be safe. To get the plugin settings, visit the Tools menu and click on Health Check. Visiting the plugin page is all you need to do. As you can see here, the Health Check plugin already has scanned our site and displays the results automatically. The simplicity of this plugin is refreshing, and the information it provides can be really useful. For example, here we notice two red warnings. This one lets us know that our server is running an older version of PHP, and this one here lets us know that there are inactive plugins installed, which we are aware of.
Then we also see a yellow warning. This tells us that our version of MySQL database software is less than optimal. Then of course there are plenty of notes highlighted in green letting us know of some important things that already are taken care of. The three issues listed here are fine for this temporary demo site, but if you get the same results on any live production site, it's recommended to consult your web host. When used alongside Activity Log and Exploit Scanner, a plugin such as WordPress Health Check fills in the gaps and gives you a bigger picture of what's happening with your site.
Any time you want to check your site's general health, just visit the Health Check page and examine the results. In this video, we've seen how to respond properly to bugs and other issues, and we've seen how to use a variety of plugins to keep a better eye on your site's security.
- Backing up and restoring your site
- Setting up strong passwords
- Understanding users and roles
- Choosing trusted plugins and themes
- Changing and recovering passwords
- Configuring authentication keys
- Securing the login page
- Fighting spam in the comments
- Blocking access and detecting hacks
- Building a firewall for WordPress
- Detecting and blocking bots
- Auditing your WordPress security