
What items are scanned by the website audit

The Site Audit currently performs 4 types of audits:

  • Core filesystem integrity audit
  • File & folder permissions audit
  • Malware audit
  • Website best practices audit for WordPress & Joomla

Core filesystem integrity audit

This audit checks whether any of the files distributed in the core WordPress or Joomla packages have been modified or are missing. The path to each missing or modified file is shown so it can be replaced with an original copy.

File & folder permissions audit

For most PHP-based CMSs such as WordPress and Joomla, files and folders should be set to specific permissions that allow public access on the web while restricting editing to users with appropriate privileges. System administrators refer to these permissions by the following codes:

  • 0644 — permissions for individual files
  • 0755 — permissions for folders

The File & Folder Permissions audit checks every file and folder in your WordPress or Joomla installation to make sure the permissions match this list. Any files or folders with permissions that do not match are flagged and listed in the audit results.

The preview below shows the result when file and folder permissions are set properly. 

[Image: sample file folder permissions]
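The permissions check described in this section can be sketched as follows. This is an added example, not the audit tool's own code; the function names, the extra world-writable flag and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644  # from the page: permissions for individual files
DIR_MODE = 0o755   # from the page: permissions for folders

def _check(path, rel, findings):
    st = os.lstat(path)  # lstat: judge the entry itself, never a symlink target
    if stat.S_ISDIR(st.st_mode):
        kind, expected = "dir", DIR_MODE
    elif stat.S_ISREG(st.st_mode):
        kind, expected = "file", FILE_MODE
    else:
        return  # symlinks, sockets, devices: not covered by the two codes
    actual = stat.S_IMODE(st.st_mode)  # includes setuid/setgid/sticky bits
    if actual != expected:
        world_writable = bool(actual & stat.S_IWOTH)
        findings.append((rel, kind, oct(actual), oct(expected), world_writable))

def audit_permissions(root):
    """Return sorted (path, kind, actual, expected, world_writable) mismatches."""
    findings = []
    _check(root, ".", findings)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            _check(path, os.path.relpath(path, root), findings)
    return sorted(findings)

def build_sample_tree():
    """Create a constructed sample tree (not a real CMS install); return its path."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    for name, mode in (("includes", 0o755), ("uploads", 0o777)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    files = {"index.php": 0o644, "wp-config.php": 0o666, "includes/a.php": 0o600}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)  # chmod is not affected by the process umask
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    for finding in audit_permissions(build_sample_tree()):
        print(finding)
```

Entries that are more restrictive than the listed codes (such as the 0600 file in the sample) are flagged as well, because the audit as described reports any mismatch rather than only overly permissive modes.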

Malware scanner

The Malware Scanner is a deep, inside-out scan that looks for common malware signatures and suspicious code. If any suspicious code is found, the files and suspicious pattern will be displayed as shown in the sample below.

Note: False positives are common with signature scanners. Please check with the relevant software vendor if you have any questions about suspicious files identified by the malware scan.

[Image: sample malware scanner]

Website configuration and server audit

This audit checks for many of the well-known best practices for PHP-based content management systems such as WordPress and Joomla. Below is a sample result of this audit. If a problem is detected with the website configuration or server, information on how to fix the issue is displayed.

[Image: sample cms configuration server details]

Best practice scanner

Below you'll find the full list of security best practices for both Joomla and WordPress.

| Security best practice | WordPress | Joomla |
|---|---|---|
| Disable Debug Notices / Debug Mode | ✓ | ✓ |
| Use Strong Database Passwords | ✓ | ✓ |
| Configure robots.txt for search engine indexing | ✓ | ✓ |
| Check whether a known admin username exists | ✓ | ✓ |
| Check for .htaccess or web.config file | ✓ | ✓ |
| Check for known database table prefix | ✓ | ✓ |
| Remove additional CMS installations | ✓ | ✓ |
| Check for FTP credentials in config file | N/A | ✓ |
| Check for Session Length over 15 minutes | N/A | ✓ |
| Disable Open Comments in the K2 component | N/A | ✓ |
| Enable Search Engine Friendly URLs | ✗ | ✓ |
| Disable Error reporting | ✗ | ✓ |
| Disable Magic quotes | ✗ | ✓ |
| Enable mod_zlib | ✗ | ✓ |
| Enable mod_xml | ✗ | ✓ |
| Disable Register Globals | ✗ | ✓ |
| Remove Akeeba Kickstart | ✗ | ✓ |
| Limit maximum execution time of PHP | ✗ | ✓ |
| Remove installation directory | ✗ | ✓ |
| Check for strong Admin Passwords | ✗ | ✓ |
| Enable GZIP page compression | ✗ | ✓ |
| Enable caching | ✗ | ✓ |
| Check for changes to configuration file | ✗ | ✓ |
| Disable Guest registration | ✗ | ✓ |
| Disable browsing of uploads folder | ✓ | ✗ |
| Remove deactivated plugins | ✓ | ✗ |
| Remove deactivated themes | ✓ | ✗ |
| Remove default readme.html | ✓ | ✗ |
| Use secure permission on configuration file | ✓ | ✗ |
| Apply any theme updates | ✓ | ✗ |
| Limit information displayed on failed login attempts | ✓ | ✗ |
| Disable database debug mode | ✓ | N/A |
| Remove PHP version info from headers | ✓ | N/A |
| Remove WordPress version from meta tags | ✓ | N/A |
| Check security keys and salts | ✓ | N/A |