WP Security Scan

You need to run a basic WordPress Security Scan and optionally change your database prefix.

Plugin Page: http://wordpress.org/extend/plugins/wp-security-scan/

Note! There are two other plugins with similar names in the plugin directory: Secure WordPress and WebsiteDefender WordPress Security. You do not need Secure WordPress. You can read more about WebsiteDefender WordPress Security here.

Why WP Security Scan Is Important

The WP Security Scan plugin performs a number of checks on your WordPress site to see if you have:

  • the latest version of WordPress

  • changed the database table prefix from the default wp_

  • hidden the WordPress version

  • turned off reporting of database errors

  • removed the WP ID META tag

  • removed the default admin user

  • created an .htaccess file in the wp-admin folder

The plugin also allows you to change the default database prefix.

You Might Also Want To Read

This is a related article that you might also want to read (opens in a new tab):

How You Complete This Security Checkpoint

Follow these steps to complete the security checkpoint.

  • Add and Activate the plugin.

  • On the main window for WSD security you can see the result of the initial scan.
    WP Security Scan Initial Scan

  • If you have any problems marked in red you should do this:

    • If you do not have the latest version of WordPress:
      Upgrade to the latest version.

    • If your database prefix is wp_.
      Use WSD to change the table prefix (see instructions below

    • If the WordPress version is not hidden.
      This is done by WSD so should always be green.

    • If WordPress Database errors are not turned off.
      This is done by WSD so should always be green.

    • If the WP ID META tag is not removed.
      This is done by WSD so should always be green.

    • User admin was found.
      Follow the instructions in Remove The Default Administrator User.

    • The .htaccess file was not found in the wp-admin directory.
      Follow the instructions in WordPress wp-admin folder in Using .htaccess Files To Secure WordPress.

  • In the File Scan Report files and folders with permissions different from the WSD recommendation are flagged.
    A higher permission number indicates more relaxed permissions. If permissions are too relaxed you could have a security problem.
    Or in other words: A lower number than recommended is fine… a higher number is not good.
    For more details on permissions see
    File Permissions.

  • Below is is an example of the File Scan Report.
    .htaccess is flagged because we have more restrictive permissions than the WSD recommendation (i.e. a lower number). This is fine.
    File Scanner

  • If you have any files or folders flagger here with a higher number than recommended please see File Permissions.

  • If you already have changed the database prefix from wp_ you are finished with this plugin. You can now uninstall the plugin.

  • If you need to change your database prefix continue with the next step.

Changing The Database Table Prefix Using WP Security Scan

WSD makes it easy to change the database table prefix.

Follow these instructions.

  • Important! Make a backup of your WordPress site now. We recommend using BackWPup. For more details on how to backup WordPress see WordPress Backup.
    Backup WordPress

  • In WSD click on the Database tab.
    Verify your wp-config.php is writable and you have ALTER rights to the database.
    Enter your own unique table prefix.
    Click Start Renaming.
    change database prefix

  • The tasks complete.
    database prefix successfully changed

  • Test that your site still works.

  • Uninstall the plugin.

whiterabbitFollow The White Rabbit

[gn_spoiler title="Click Here" open="0" style="1"]Are you reading this article as a part of the Interactive Version of The WordPress Security Checklist?

Then you can find your next article below.

If not you should take a look at the Table Of Contents.

Next article: WordPress File Monitor Plus
Previous article: AntiVirus[/gn_spoiler]

Questions Or Comments?

Please leave them below. Thanks!

About Anders Vinther

Anders is on a mission to make it easy for you to secure your WordPress.

Let's make it harder for the bad guys!

Want More?

Sign up for our newsletter and we'll let you know when we have got new stuff about WordPress Security for you. See past emails.

Most Popular Articles – All Time

Most Popular Articles – This Week


  1. WP Security Scan shoud remove the version even when it is attached after javascript and css files url?
    Example: href=’pathofthetheme/style.css?ver=3.5.1′

    Because in my case it hasn’t done that.

    • We recommend that you uninstall this plugin after you have used it to do the basic checks.

      Wordfence can also hide the WordPress version number for you.

      Please note that hiding the WordPress version number is not really a security feature. It will make it more difficult for people targeting specific versions of WP.

Speak Your Mind

   Login Using:


To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax