48 Ways to Keep Your WordPress Site Secure

This article is part of a series created in partnership with SiteGround. Thank you for supporting the partners who make SitePoint possible.

Hackers. Vulnerabilities. Brute-force. Malware. Denial of service. Man-in-the-middle. Phishing. All scary words. We live in a dangerous online world!

Has your site been hacked? I have, and we’re not alone. In 2012 more than 70% of WordPress sites were vulnerable to attack, and not much has changed since. What have you done to protect ensure you have a secure WordPress site?

In this article we’ve pulled together security tips from previous SitePoint articles, our own experience, and from around the web, and organized them in a way I hope you find useful and understandable. And most importantly, easy to act on.

All-in-one WordPress security plugins are useful (and we’ll be covering them in our next article), but security requires more than just installing a plugin and walking away. It requires a careful strategy and constant vigilance. Be proactive, not reactive. In other words, don’t assume your site is safe—work out a security plan before you are hacked!

That being said, there is no such thing as 100% security. What you can achieve is risk reduction, and find the balance (for you) between security and convenience.

Security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.” — codex.wordpress.org

Where should you focus your attention? In an article last year, WP White Security reported the following statistics about hacked websites:

• 41% were hacked through a security vulnerability on their hosting platform
• 29% were hacked via a security issue in the WordPress Theme they were using
• 22% were hacked via a security issue in the WordPress Plugins they were using
• 8% were hacked because they had a weak password

That’s where the holes are in your defence. Keep that in mind while you’re creating your security strategy.

OK. With all that in mind, here are 40 ways you can keep your WordPress site secure. Choose the ones that make sense for you and your site.

Secure WordPress

1. Keep WordPress Up to Date

The latest of WordPress is most likely more secure than the last one, and has less vulnerabilities. So keep it up to date—it’s a one-click operation. Make sure you back up your site first!

WordPress updates rarely cause problems, but if you like to be careful, update it on a test server first. Or, if you’d just like WordPress to auto-update itself, apply the following code to your wp-config.php file:

#Enable all core updates, including minor and major:
define ( 'WP_AUTO_UPDATE_CORE', true );

If you don’t want to manually update your WordPress, consider a hosting provider like our partner SiteGround, which has a special auto-update tool available on all plans.

2. Back Up Your Site Regularly

Make sure you make regular backups of your WordPress site. A backup of WordPress data and files can play a crucial role in an emergency. If all else fails, you won’t have to start from scratch!

Schedule your backups so you won’t forget them, and do a test restore from time to time.

Further reading:

• 5 WordPress Plugins for Backups and Migrations
• The Best WordPress Backup Plugins Compared
• How to Manually Backup Your WordPress Website
• Your Regular WordPress Maintenance Checklist

3. Enable SSL for WordPress Data Security

Enable SSL to secure your WordPress site. A Secure Sockets Layer encrypts all information sent to and from your site, keeping it private and preventing man-in-the-middle attacks where a third party listens in or modifies the communication between the client and the server. As a bonus it can also boost your Google PageRank.

The address of an SSL-certified site will start with an HTTPS, while a site that’s not SSL certified will begin with HTTP. It’s best to activate HTTPS before installing WordPress, but it’s possible to update your WordPress settings if you add it later. Hosting providers like SiteGround offer free SSL certificates.

Further reading:

• Secure WordPress with SSL

4. Secure wp-config.php

Lock down wp-config.php—it’s one single location that contains a wealth of critical data regarding your database, username, and password. Only you should have access.

To deny access to this file, you should add the code below at the top of the .htaccess file:

<files wp-config.php>
    order allow,deny
    deny from all
    </files>

5. Move wp-config.php

Move the wp-config.php file into the folder above your WordPress installation. This will make it inaccessible to anyone using a browser, meaning a cracker has less chance of locating it.

Further reading:

• The Easiest WordPress Security Tip Ever!

6. Hide the WordPress Version Number

Some versions of WordPress have known vulnerabilities. Someone familiar with those vulnerabilities can discover which version you’re using because it’s shown in the HTML head of every page.

Remove that information by adding the following line to your theme’s functions.php file:

remove_action('wp_head', 'wp_generator');

You should also remove the readme.html file, which also contains the WordPress version number.

7. Remove WordPress References from Your Theme

Someone will only try to hack WordPress if they know you’re using it. So keep it a secret! Remove all references to WordPress from your theme files.

Find and delete the references from the header.php that look like this:

<meta name="generator" content="WordPress" />

8. Disable PHP Error Reporting

Hackers can use error messages to their advantage. For example, an error from a theme or plugin might display your server path.

To disable error reporting, add the following code to your wp-config.php file:

error_reporting (0);
@ini_set ('display_errors', 0);

9. Change the Default Secret Keys

When you install WordPress, four secret keys are written to your wp-config.php file. They improve encryption of information stored in the user’s cookies and make it harder to crack your password.

Use WordPress’ Secret Code Generator to get some new keys, and copy them into your wp-config.php file.

Secure Your Themes and Plugins

51% of hacked sites are because of security issues with themes and plugins. Give special consideration to this section!

10. Keep Your Themes and Plugins Up to Date

Don’t just update WordPress, make sure your themes and plugins are also up to date. Each one is a potential back door to your site, and each new version is likely to have less vulnerabilities.

11. Choose Themes and Plugins that are Actively Maintained and Regularly Updated

If there are security vulnerabilities found in a theme or plugin, you’d like it addressed as quickly as possible. That won’t happen with a theme or plugin that’s no longer maintained. Whenever possible, make sure the themes and plugins you use are actively maintained.

Further reading:

• How to Protect Yourself from Rogue WordPress Plugins

12. Delete Themes and Plugins You Don’t Use

If every theme and plugin is a potential back door, reduce the risk as much as possible. If you’re not using it, remove it. Deactivating plugins isn’t enough—click “Delete”!

13. Restrict Access to Your Plugins Directory

Restrict access to your WordPress plugins directory: www.your-domain.com/wp-content/plugins/. Otherwise, someone browsing the folder can see which plugins you’re using, explore them for potential vulnerabilities.

Deny access by uploading a blank index.html file to the directory. Alternatively add the following line at the start in your .htaccess file in the root folder:

Options –Indexes

14. Eliminate the Plugin and Theme Editor

There’s a built-in plugin and theme editor on the WordPress dashboard. This editor can be used to bring down your entire site if one of your user accounts is hacked.

If you don’t regularly use the editor, it’s best to disable it. Insert the following into your wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Secure Your Logins

8% of hacked sites are caused by weak passwords. Here are some techniques to improve the security of your login procedures.

15. Change the Admin Username

Avoid using the default admin username, or obvious names like ‘administrator’, the name of your site, or your own name. They’re too easy to guess, and a hacked admin account is more dangerous than an author account.

Choose an appropriate admin username when you’re setting WordPress. If your site is already using “admin”, then create a new admin user, then delete the old one, or alternatively use a plugin like Username Changer.

16. Use a Secure Password

Choose a complex password comprised of letters, numbers and characters. Here are some hints:

• Don’t choose a password that’s similar to your username.
• Don’t choose a password that’s similar to your website name.
• Don’t choose a password that’s a common word with a few simple changes.
• Avoid dictionary words.
• Consider using a random string of characters.
• Consider using a good password management tool to securely generate, store a complex password.

Here are some tools that can generate a secure password for you:

• Phonetic Password Generator
• Norton Password Generator
• Strong Password Generator

Finally, make sure you don’t use the same password as you use elsewhere. All passwords should be unique.

17. Force All Users to Have Strong Passwords

It’s no good if you use a strong password, but the rest of the team aren’t so diligent. You don’t want any weak links in the chain.

You can ensure everyone uses a strong password by using a plugin like Force Strong Passwords.

18. Change Your Password Regularly

The longer you use the same password, the more time you give hackers to crack it. Shorten the window of opportunity!

Change your password at least a few times a year. And encourage your other users to do the same.

19. Use 2-Factor Authentication (2FA)

Two-factor authentication (2FA) increases security when logging in by requiring a unique code in addition to a username and password. The code is generated for one-time-use by an app, or and sent to a device/smartphone via SMS.

Further reading:

• 2-Step Verification for WordPress Using Google Authenticator

20. Limit Login Attempts

Give hackers less opportunity to guess your password, and protect your site from brute-force attacks, by limiting the number of login attempts that are possible. This will automatically block the login screen after a configurable number of tries, and informs the administrator by email.

You can limit login attempts by using one of these plugins:

• WP Limit Login Attempts
• Login Lockdown

21. Use CAPTCHA or reCAPTCHA on Your Login Screen

In addition to a username and password, use CAPTCHA or reCAPTCHA on your login screen. The user is asked to input what they see in an image as text, which is a useful way to stop botnets from attempting to log in by brute force.

Further reading:

• No CAPTCHA reCAPTCHA Integration with WordPress

22. Add A Security Question to Your Login Screen

Adding a security question to your WordPress login screen makes it harder for someone to gain unauthorized access. You can do this by installing the WP Security Questions plugin.

23. Automatically Log Out Idle Users

Users can sometimes wander away from the screen when they are logged in, posing a security risk—someone can hijacking their session, changing passwords, or making changes to their account.

You can automatically log inactive users out with the Idle User Logout plugin.

24. Assign Users the Lowest Role Possible

Users are the weakest point of any system. That weak point is most dangerous when they have administrator privileges.

Few actually need administrative access. WordPress offers a range of alternate roles to choose from:

• Editor: someone who can publish and manage their own and other people’s posts
• Author: someone who can publish and manage their own posts
• Contributor: someone who can write and manage their own posts but cannot publish them.

25. Use Forced SSL for Logins

Forced SSL is a relatively simple change which can make a huge difference. Even if you don’t encrypt your entire website, ensure your users have a secure login pages. You’ll need an up-to-date SSL certificate to ensure this.

26. Remove Error Messages from Your Login Page

With every failed login attempt, error messages on your login page can give hackers clues. Remove them by adding the following line of code in your theme functions.php file:

add_filter('login_errors',create_function('$a', "return null;"));

27. Change Your WordPress Login URL

Knowing that the WordPress admin URL is wp-admin, any hacker can easily get started with brute force attacking. Reduce the risk of getting attacked by changing that URL so hackers won’t be able to find it.

WPS Hide Login is the simplest plugin for achieving that.

28. Hide Author Usernames

To log in to WordPress you need a username and a password. By default, WordPress makes it easy to discover your authors’ usernames. According to DreamHost, it’s a good idea to hide the author’s username to ensure you aren’t making the hacker’s job easier.

To do that, copy and paste the following into your functions.php file:

add_action(‘template_redirect’, ‘bwp_template_redirect’);
function bwp_template_redirect()
{
if (is_author())
{
wp_redirect( home_url() ); exit;
}
}

29. Password Protect wp-login.php

This one’s for advanced users. You can provide another layer of security by requiring a server-side login before the WordPress login screen is displayed.

Learn more here:

• Preventing Brute Force attacks against WordPress websites

30. Protect the wp-admin Directory

If only you (or your authors, but not members or readers) need to log in, then restrict access to your /wp-admin/ folder or wp-login.php file.

If you only log in from your home computer, restrict the log in screen to only that computer. Grab your home IP address (using whatismyip.com or similar) and add these lines to the .htaccess file in your WordPress admin folder (replacing xx.xxx.xxx.xxx with your IP address):

<Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx
</Files>

To allow access to multiple computers (office/home/laptop or user1/user2/user3), add another Allow from xx.xxx.xxx.xxx statement on a new line.

31. Disable XML-RPC

XML-RPC allows users to connect to WordPress remotely via blogging clients, and is used for trackbacks and pingbacks. It has been enabled by default since WordPress 3.5.

Unfortunately, hackers can use it for DDoS attacks, so if you don’t use those features, consider disabling XML-RPC.

This can be done with one of the following plugins:

• Disable XML-RPC Pingback
• Disable XML-RPC

Secure Your WordPress Database & Files

32. Use Strong MySQL Database Names

Avoid naming your database “wordpress” with a user ID of “user” and a password of “password.” You only set the database up once, so make them as complex as you like. If you forget them, you can check the details in wp-config.php.

33. Set Strong Passwords for Your Database

Use a strong password for WordPress to access the database. See our password hints in #16 above.

34. Change the WordPress Database Table Prefix

When you install WordPress, tables use table prefixes like Wp_ by default. Knowing this, hackers with automated tools can work out your database structure. Change the prefix so that it becomes more difficult to run SQL injection queries and other attacks.

35. Use SFTP to Connect to Your Server

Use an SFTP (Secure FTP) connection when connecting to your server. This ensure the communication between your machine and the server is protected. Most hosts , like SiteGround, offer SFTP.

Further reading:

• Explanation of the FTP and SFTP protocols

36. Restrict File Permissions

Protect the security of your site by setting your file permissions to the bare minimum:

• Set the CHMOD value to 755 for folders. Only the owner will have write permissions, and others will have read and execute permissions.
• Set the CHMOD value to 644 for files. Owners have the read and write permissions, and others can only read the files.

37. Monitor for Malware

If a breach does happen, you don’t want to be serving malware to your visitors unaware. You need a solution in place that will scan regularly for infected files.

There are several server-side scanning solutions, including Sucuri. Some hosting providers, like SiteGround, have it set up out of the box.

Choose a Secure Hosting Provider

41% of hacked sites are because of security vulnerabilities on the hosting platform. So take special care when choosing or changing yuour hosting provider.

38. Choose the Best Hosting Plan You Can Afford

Your WordPress site is only as secure as your hosting account. If it’s running an old, vulnerable version of PHP, it won’t matter what you do to secure WordPress.

It’s essential that you choose a hosting provider that prioritises security. Some of the features that you should look for are:

• Support for the latest PHP and MySQL versions
• Account isolation
• Web Application Firewall
• Intrusion detecting system
• Proactive updates and patches
• Fast server monitoring
• Daily backups

SiteGround, our preferred hosting provider, provides all of that and more.

Further Reading:

• The Ultimate Guide to Choosing a Hosting Provider

39. Take Advantage of Your Hosting Provider’s Security Solutions

Several companies now offer secure, managed WordPress hosting with excellent security solutions, such as WP Engine, SiteGround and Media Temple. They spend time, effort and expertise configuring their tools for maximum effectiveness.

For example, WP Engine will automatically update WordPress and key plugins, and disable plugins known to cause performance and security issues. They provide hardware based firewalls and configuration to ensure that Distributed Denial of Service (DDoS) attacks don’t bring your site down.

SiteGround provides automatic updates for the WordPress core and plugins, an efficient ch-root account isolation for all accounts on shared servers, and sophisticated systems that block malicious bots and attackers.

Security Plugins

40. Install good security plugins

We’ve focused on highly-rated plugins that cover a range of security features, rather than one-trick-wonders. If your hosting provider doesn’t already have a comprehensive security solution, installing one of these would be a great first step in your security strategy.

Have we missed your favorite security plugin? Let us know in the comments.

41. WordFence

• Cost: Free, Premium from $99/year
• Active installs: 2+ million
• Rating: 4.8 out of 5 stars (3,048 reviews)

Wordfence Security is 100% free and open source. We also offer a Premium API key that gives you Premium Support, Country Blocking, Scheduled Scans, Password Auditing, real-time updates to the Threat Defense Feed, two-factor authentication, and we even check if your website IP address is being used to Spamvertize.

WordFence includes these security features:

• Firewall. WAF with automatically updated firewall rules that block common WordPress security threats.
• Blocking features. Real-time blocking of known attackers and malicious networks and other security threats.
• Login security. Two-factor authentication, enforced strong passwords, security to lock out brute force attacks.
• Security scanning. Scans core files, themes and plugins for malware and backdoors, and checks for files that have been changed.
• Monitoring. Monitors traffic in real time including bots and reverse DNS, monitors for DNS changes and disk space.

 

42. All In One WP Security & Firewall

• Cost: Free
• Active installs: 500,000+
• Rating: 4.8 out of 5 stars (669 reviews)

A comprehensive, easy to use, stable and well supported security plugin… It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.

All In One WP Security & Firewall includes these security features:

• User accounts security. Change the default admin username, check for user display names that are the same as usernames, password strength tool, stop user enumeration.
• User login security. Login lockdown (brute force protection), log out inctive users, view failed login attempts, whitelist IP addresses, see who’s logged in, CAPTCHA.
• User registration security. Enable manual approval, CAPTCHA, Honeypot.
• Database security. Set the default WP prefix, schedule automatic backups.
• File system security. Identify and fix insecure permissions, disable file editing from WP admin, monitor system logs.
• htaccess and wp-config.php file backup and restore. Easily backup, restore and modify these important files.
• Blacklist functionality. Ban users based on IP address or range, or by specifying user agents.
• Firewall. Add firewall protection via htaccess, firewall rules that stop malicious scripts.
• Brute force login and attack prevention. Cookie-based login prevention, CAPTCHA on login form, rename login form URL, Honeypot.
• Whois lookup. Get full details of a suspicous host.
• Security scanner. File change alerts, scan database tables for suspicious strings.
• Comment spam security. Block IP addresses of spammers, add CAPTCHA to comment form.
• Front-end text copy protection. Disables right click, text selection and the copy option.

 

43. iThemes Security

• Cost: Free, Pro: 2 sites $80/year, 10 sites $100/year, unlimited sites $150/year, Gold $297 lifetime.
• Previously called Better WP Security
• Active installs: 800,000+
• Rating: 4.7 out of 5 stars (3,812 reviews)

iThemes Security Pro takes the guesswork out of WordPress security. You shouldn’t have to be a security professional to use a security plugin, so iThemes Security Pro makes it easy to secure & protect your WordPress website.

The free version gives you some protection, but the Pro version includes these security features:

• Two-Factor Authentication. “Use a mobile app such as Google Authenticator or Authy to generate a code or have a generated code emailed to you.”
• WordPress Salts & Security Keys. “The iThemes Security plugin makes updating your WordPress keys and salts easy.”
• Malware Scan Scheduling. “Have your site scanned for malware automatically each day. If an issue is found, an email is sent with the details.”
• Password Security. “Generate strong passwords right from your profile screen.”
• Password Expiration. “Set a maximum password age and force users to choose a new password. You can also force all users to choose a new password immediately (if needed).”
• Google reCAPTCHA. “Protect your site against spammers.”
• User Action Logging. “Track when users edit content, login or logout.”
• Import/Export Settings. “Saves time setting up multiple WordPress sites.”
• Dashboard Widget. “Manage important tasks such as user banning and system scans right from the WordPress dashboard.”
• Online File Comparison. “When a file change is detected it will scan the origin of the files to determine if the change was malicious or not. Currently works only in WordPress core but plugins and themes are coming.”
• Temporary Privilege Escalation. “Give a contractor or someone else temporary admin or editor access to your site that will automatically reset itself.”
• wp-cli Integration. “Manage your site’s security from the command line.”

 

44. Sucuri Security

• Cost: Free, Basic $199/year, Pro $299/year, Business $499/year
• Active installs: 300,000+
• Rating: 4.6 out of 5 stars (260 reviews)

We keep your website safe and hack-free! The Sucuri Platform is a suite of tools designed for complete website security. With no additional cost or hidden fees, the Sucuri Platform is affordable, easy to deploy, and supported by a team of professionals at your disposal.

Sucuri forms part of the security solution of many quality hosting providers, including SiteGround. It’s a valuable tool for SiteGround to protect its clients’ sites from malware, because it scans every link that is accessible from the website homepage on a daily basis. It includes these security features:

• Clean and repair hacked websites. “Professional security incident response team available 24/7/365.”
• Attack and hack prevention. “A cloud-based WAF/IPS solution designed to stop hacks and attacks.”
• Continuous monitoring. “Continuous monitoring and alerting of any security-related issues.”

The free WordPress security plugin includes these features:

• Security Activity Audit Logging
• File Integrity Monitoring
• Remote Malware Scanning
• Blacklist Monitoring
• Effective Security Hardening
• Post-Hack Security Actions
• Security Notifications

 

45. Jetpack, which now includes VaultPress

• Cost: Free, Personal ($39/year), Premium ($99/year), Professional ($299/year)
• Active installs: 3+ million
• Rating: 4.1 out of 5 stars (1,330 reviews)

Jetpack (by Automattic, who bring you WordPress) does more than just security. It basically brings the features of WordPress.com to the rest of us, which is appealing. For security and backup the paid plans includes VaultPress.

VaultPress is a real-time backup and security scanning service designed and built by Automattic, the same company that operates (and backs up!) millions of sites on WordPress.com.

VaultPress is now powered by Jetpack and effortlessly backs up every post, comment, media file, revision, and dashboard setting on your site to our servers. With VaultPress you’re protected against hackers, malware, accidental damage, and host outages.

VaultPress includes these security features:

• Backups. “Comprehensive daily or real-time automated backups stored in our offsite digital vault, optimized for WordPress and better than your host.”
• Restores. “Even during the most stressful moments we have your back. Restore your entire online presence quickly and easily without needing your host.”
• File scanning. “Automatically detect and eliminate viruses, malware, and other exploitable security problems that may be hiding in your website.”
• Automated file repair. “Fix detected viruses, malware, and other dangerous threats with a single click.”
• Spam defense. “Protect your SEO, readers, and brand reputation by automatically blocking all spammers.”

 

46. BulletProof Security

• Cost: Free, Pro $59.95 (one time purchase)
• Active installs: 100,000+
• Rating: 4.7 out of 5 stars (302 reviews)

BulletProof Security Pro has an amazing track record. BPS Pro has been publicly available for 5+ years and is installed on over 30,000 websites worldwide. Not a single one of those 30,000+ websites in 5+ years have been hacked.

100% hack free website guarantee. If your website is hacked after installing BPS Pro, we will clean up your hacked website for free. We can easily offer that awesome deal because your website will never be hacked if you have BPS Pro installed.

The free version includes these security features:

• One-Click setup wizard
• .htaccess website security protection (firewalls)
• Hidden plugin folders / files cron (HPF)
• Login security & monitoring
• Idle session logout (ISL)
• Auth cookie expiration (ACE)
• DB backup: full/Partial, manual/scheduled, email/zip, cron delete old backups, logging
• DB table prefix changer
• Security logging
• HTTP error logging

The Pro version adds these features:

• AutoRestore Intrusion Detection & Prevention System (ARQ IDPS)
• Quarantine Intrusion Detection & Prevention System (ARQ IDPS)
• Real-time file monitor (IDPS)
• DB Monitor Intrusion Detection System (IDS)
• DB diff tool: data comparison tool
• DB status & info
• Plugin firewall (IP Firewall): automated whitelisting & IP address updating in real time
• JTC anti-spam/anti-hacker
• Uploads folder anti-exploit guard (UAEG)
• Custom php.ini website security
• F-Lock: read only file locking
• Additional logging options
• S-Monitor: monitoring & alerting core
• Pro Tools: 16 mini-plugins

 

47. SecuPress

• Cost: Free, 1 site $57.60/year, 3 sites $144/year, 10 sites $288/year, unlimited sites $479/year
• Active installs: 5,000+
• Rating: 4.8 out of 5 stars (19 reviews)

Protect your WordPress with malware scans, block bots & suspicious IPs. Get a complete WordPress security toolkit for free or as a pro plugin.

If you are proactive, our free WordPress security plugin is a great choice! No time to activate weekly scans? Then SecuPress pro is the way to go. Our plugin takes care of everything with automated tasks.

SecuPress includes these features:

• Anti brute force login
• Blocked IPs
• Firewall
• Security alerts
• Malware scan (Pro)
• Block country by geolocation
• Protection of security keys
• Block visits from bad bots
• Vulnerable plugins & themes detection (Pro)
• Security reports in PDF format (Pro)

 

48. Security Ninja

• Cost: Single site $29 (1 year updates/support), multi site $79 (1 year updates/support), forever unlimited $199
• Active installs: 6,000+
• Rating: 5 out of 5 stars (6 reviews)

Security Ninja helps thousands to stay safe and prevent downtime due to security issues. 50+ tests will provide a comprehensive overview of your site’s security.

The free version lets you achieve the following:

• Perform 50+ security tests including brute-force attacks.
• Check your site for security vulnerabilities and holes.
• Take preventive measures against attacks.
• Prevent 0-day exploit attacks.
• Use included code snippets for quick fixes.
• Brute-force attack on user accounts to test password strength.
• Numerous installation parameters tests.
• File permissions.
• Version hiding.
• 0-day exploits tests.
• Debug and auto-update modes tests.
• Database configuration tests.
• Apache and PHP related tests
• WP options tests.

You can even more protection using these Pro modules:

• Core scanner. “Easily monitor the state of your WP core files. Have a clear view of files that are modified but shouldn’t be and restore them with a single click.”
• Malware scanner. “Powerful heuristic malware scanning algorithm will check all your themes, plugins, uploaded files and options table for suspicious content.”
• Auto fixer. “If you don’t like creating backups, editing files, messing with code and getting your hands dirty – Security Ninja PRO will do everything for you. Fix security issues with one click.”
• Events logger. “Monitor, track and log more than 50 events on the site in great detail. From user actions, to post edits and widget changes – Events Logger sees everything.”
• Scheduled scanner. “Have Security Ninja do automatic, periodic scans of your sites, including scans of core files. If there are any changes you’ll be notified via email.”

Frequently Asked Questions about WordPress Site Security