Wordpress & Web Development

My WordPress Blog Could’ve Been Hacked – Detectify Saved Me

Ryan Dube 21-03-2014

If I told you that there’s one place you can go to get peace of mind that your website is secure, would you believe me? Well you should, because there is. It’s called Detectify.


I’m the kind of website owner that has always sort of been in denial. It can’t happen to me. Why would anyone ever want to hack my site?

Well, all those delusions came crashing down around my head in 2011 when the main PHP file of my home page was replaced with a web page announcing that the site had been successfully hacked. Not only was it a shock to realize that someone had actually replaced a file on my web server, but it was a very big blow to my pride. What kind of idiot allows his website to get hacked?

The reality is that over time my WordPress blog had become outdated, and increasingly vulnerable to attack as hackers scoured the Internet hunting for older version of WordPress with known, unpatched vulnerabilities. Major fail on my part. So, recently I finally finished updating my blog to a brand-spanking new theme. Confident that I had nothing to worry about in the security department, I didn’t even bother checking whether the theme or any of my installed plugins had any known security issues. It wasn’t until I came across Detectify that I realized just how close my blog was to being attacked and potentially hacked, once again.

Installing Detectify

Sure, there are other security scan plugins Give Your Website A Thorough Security Check With HackerTarget As the internet evolves and the systems it’s running on become harder to hack, you’d think websites would be hacked less! In fact, the opposite is true, with the number one problem lying not in... Read More you can use on your site, but Detectify is just so easy to set up and use, even for a novice. Detectify is a combination plugin and web service. The first step, as is usually the case with web services – you’ve gotta sign up.

detectify1The next step is to download and install the Detectify Plugin. This is a pretty simple plugin, but it gives the web-based security app the ability to tap into every aspect of your blog and analyze it for security flaws. Detectify searches for things like local and remote file inclusion, DOM or other cross site scripting problems, PHP array path issues, remote command execution and much more. You can see all of the vulnerabilities that Detectify searches for on the plugin page.


Once you’ve signed up for the service and the plugin is installed, the last step is to confirm your installation by typing the verification key you receive via email into the field in the plugin. Then you’re all linked up and ready to roll.

Running a Detectify Scan

Once your site is linked, you’ll see it show up in your list of available domains on  your online Detectify account. You can sign up to scan multiple domains if you like.
When you’re ready to launch your website vulnerability scan, just click the Scan button and let it do its job.  A few recommendations at this stage: try to run the scan during a time when your site has the least traffic. Detectify will be crawling and scanning files on your site, so there will be a little bit of performance hit due to that processing.


Secondly, give the service the time it needs to do all of that crawling and scanning. It isn’t going to be a quick 30-60 minute job, unless your website is puny. Odds are for a medium sized blog you’re looking at over 6 hours. For a large blog, many more.
The best option for most people is to launch the scan before you go to bed, and you’ll have the results waiting for you in the morning. In my case, despite my brand, shiny new theme and running the latest version of WordPress, I discovered that I had several warnings related to the security of my blog.


Clicking on the Report button will take you to the page with the scan details for your domain.

Understanding Your Scan Results

The first dashboard page basically gives you an overview of how many files were scans, the types of files scanned and how long it took to scan them.
That’s every single file on your server, so if you have a lot of media files, you better believe the scan is going to take a long time. The reported results also detail the exact breakdown of scan time so you can see what part of the scan consumed the most processing time. In my case Crawling How to Build a Basic Web Crawler to Pull Information From a Website Ever wanted to capture information from a website? Here's how to write a crawler to navigate a website and extract what you need. Read More and Exploitation testing made up the bulk of scan time.
The report will also give you a history of last scans you’ve run, with discovered vulnerabilities. As you fix issues on your site, you can return here to make sure that your new scans reflect an improving situation with your site, rather than an increasing number of issues.
Of course, the best part of Detectify (and the whole point of using it really), is the detail section, which outlines very specific issues that were discovered on your site.

Fixing Your Site’s Security Issues

So here’s the thing that saved me. There were a few warnings that made me realize my site had lingering issues despite the fact that I had just upgraded everything and thought I was high and dry. One of the first warnings wasn’t too serious, but was related to the fact that the PHP install on my Apache server offers an “Easter Egg 10 Fun & Surprising Operating System Easter Eggs Find hidden hilarity and otherwise odd stuff, built right into the operating system you're using. They're hiding in plain site, in software you use every day, and when you find them you'll be delighted –... Read More ” that could allow would-be hackers to identify what version of PHP I am running by checking which icon displays when the icon Easter Egg code is appended to my site URL.

I was unknowingly allowing the PHP version to be revealed, which also reveals to hackers where to hunt for vulnerabilities that can be used to hack into my site. I wasn’t very happy to see this (I had no idea about these Easter Egg codes).



The nice thing about the Detectify report is that even if you aren’t a web designer or programmer, the explanation of the problem and the recommended solution is easy enough to understand that you could easily fix most of the discovered issues yourself.

Detectify discovered a second vulnerability related to how I had left the Username permalink on WordPress to enumerate values, allowing hackers an easy way to siphon out user links and running through password hacking algorithms to uncover an account with a weak password.
A third vulnerability that Detectify found was related to an old plugin that I had installed on the site, and a JavaScript library vulnerability buried deep inside one of the demo folders inside that plugin. I had absolutely no clue this folder even existed on the server – but there it was, a vulnerability just waiting for some hacker to come along and exploit.
And there I was thinking that I was standing strong with an impenetrable website. Again, Detectify provided very clear and easy to understand resolutions to each vulnerability warning.

Informational Security Issues

Detectify takes security a step further by providing you with informational security issues on your site. These are mostly very minor issues that aren’t exactly security problems, but could be ways that hackers could obtain more information about your website, providing them with research tools to find known vulnerabilities in what you do have installed on your web server.


You can fix these if you’re a real stickler for security, but most of these are just recommendations. You aren’t in serious danger if you decide to forgo most of these.

I noticed these results even included the fact that the crawler was able to discover email addresses in plain text on my site. It even included a list of all addresses found – mostly pulled from old comments.

What was amazing is that through the years I thought I had blocked all posting of email addresses to the site. Detectify advised me otherwise, and listed every single email address discovered.

Could my site have been hacked had I not used Detectify and corrected those warnings? Possibly. That’s the thing about website security. You may think that the issues that do exist on your server aren’t “serious” enough to warrant your time and energy, but all it takes is one resourceful and motivated hacker to research that security hole, and then take the time to actually exploit it.

When you’re spending countless hours building up a website How To Build Your Own Website In Minutes Without Any Coding Skills As the Web grows, and it does so dazzlingly fast, the need for a web presence is becoming more pressing. In many parts of the world, you simply must have a web presence in order... Read More that you love, and investing ungodly amounts of cash on web hosting and other website expenses, the last thing you need is some slimy hacker destroying everything you’ve ever built. So, install Detectify. Scan your site. Resolve those issues. Trust me, you’ll be glad you did. I know I am.

Related topics: Wordpress, Wordpress Plugins, Wordpress Themes.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Tom W
    March 23, 2014 at 2:24 pm

    Okay, I've just installed the plugin. It took a while for me to verify it, because I have PHP shortcodes disabled, and they were using a shortcode to output the "verification key" setting. I couldn't work out why it kept outputting PHP rather than saving my code. Once I edited the plugin file, it was all fine.

    • Rickard
      March 27, 2014 at 11:42 am

      Hello Tom

      Thanks for the comment. We have now updated the WP plugin based on your comment.

      Rickard (Detectify)

    • Tom W
      March 27, 2014 at 3:37 pm

      Now that's impressive. Very few organisations will actively seek out stuff like this. I was going to send a tweet to you, but I wasn't sure if it was valid because (I think) PHP are removing the option to disable shortcodes.

  2. George
    March 22, 2014 at 5:48 am

    We sorted out some of the issues. Because their scanner crashed (they are working on investigating the underlying issue for the crash), it did not scan any of my files, and I assumed 0 javascript /html files meant 0 problems detected. So that was an error on my part. I also forwarded them some of the backdoor files I found in my blog and hopefully it will help them improve the scan.
    Something else worth noting is what Rickard of Detectify wrote me: "[..the blog post focuses on wordpress but we are aiming towards developing a service that works for both CMS's as wordpress and fully home built code. We're not entirely focusing on wordpress and it's many plugins, but we are working on supporting more plugins for wordpress. Thanks for providing the information on your backdoors, it will help us improve further]

  3. George
    March 21, 2014 at 5:36 pm

    Update from Detectify.
    They've replied to my email. Waiting to exchange some more messages with them before I can give anyone interested an update.

  4. George
    March 21, 2014 at 3:08 pm

    DO NOT TRUST Detectify!!!
    I've just scanned my blog, and they show me that I have 4 notices (that are due to correct! DNS configuration). This would be great news, except that my blog was FULL of backdoors and I spend the last 2 hours deleting files and cleaning up all PHP files... probably to no avail, but even so,
    DO NOT TRUST Detectify . Their service does not mean anything!

  5. Tom W
    March 21, 2014 at 2:57 pm

    I'm definitely going to install this next time I'm at a computer. I installed Wordfence after reading about it in another MUO article. It advised me to change the default username to something other than Admin, which I did, and since then it's blocked several brute force attempts from people using Admin as the username. Invaluable. The only problem is, no matter how many security plugins I install, I'll only ever be informed if the failed attacks, not the successful ones.

  6. Ankur
    March 21, 2014 at 2:52 pm

    Thanks a lot for this article. Never heard of this plugin.
    After my site was hacked, I am being extra cautious regarding security issues.

  7. Matthew H
    March 21, 2014 at 1:25 pm

    Awesome stuff Ryan. Have you seen The Auditor by Interconnect IT (I think I mentioned this once or twice in an article I wrote)? They do a pretty handy security monitoring tool for WordPress.