Fixed Test Results Still Fail?
Sometimes, after you fix an issue flagged by a test and run the scan again, the test still fails or reports that it could not determine the status.
This happens if you run the security tests on a local website on your own computer, or on a website where a “maintenance” or “under construction” feature is turned on.
The plugin runs some of the tests by pretending to be a regular visitor in a web browser visiting your website. If anything prevents it from reaching the website the way a regular visitor would, those tests will fail.
Furthermore, programming that works fine on “regular” web servers will not work properly on a local website that you develop on your own computer.
Bottom line: Expect some tests to fail on local development websites or if you have installed a “maintenance” or “under construction” plugin on your website.
SSL Certificates and Local Development
When working on a local machine, developers often use self-signed SSL certificates for testing purposes. However, these certificates are not recognized as secure by most browsers and can cause security tests to fail. This is because self-signed SSL certificates lack the trust endorsement from recognized Certificate Authorities. As a result, when security tests are conducted, they might flag these certificates as insecure, leading to failed tests.
It’s important to be aware that while self-signed SSL certificates are convenient for local development, they do not replicate the exact security environment of a live, publicly accessible website. Therefore, some security checks may not perform as expected under these conditions.
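The following pre-check is an added example, not part of the plugin: it fetches a page the way a visitor would, with normal certificate validation, and reports which of the conditions described above apply (local site, untrusted certificate, maintenance response). It assumes the maintenance page answers with HTTP 503 or a Retry-After header, which not every maintenance plugin does; the function names and reason labels are hypothetical.

```python
import ipaddress
import socket
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def is_local_host(host):
    """True if every address the host resolves to is loopback or private."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return False
    addrs = {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}
    return bool(addrs) and all(a.is_loopback or a.is_private for a in addrs)


def explain(status, headers, tls_error=False, local=False):
    """Map one visitor-style response to reasons a scan result may be unreliable."""
    reasons = []
    if local:
        reasons.append("local-site")
    if tls_error:
        reasons.append("untrusted-certificate")
    # Assumption: the maintenance page answers 503 and/or sends Retry-After.
    if status == 503 or "retry-after" in {k.lower() for k in headers}:
        reasons.append("maintenance-response")
    return reasons


def probe(url, timeout=10):
    """Fetch url with normal certificate validation and classify the outcome."""
    local = is_local_host(urlsplit(url).hostname or "")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return explain(resp.status, dict(resp.headers), local=local)
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry status and headers
        return explain(err.code, dict(err.headers), local=local)
    except urllib.error.URLError as err:
        if isinstance(err.reason, ssl.SSLCertVerificationError):
            return explain(None, {}, tls_error=True, local=local)
        raise


if __name__ == "__main__":
    # Usage: python precheck.py <URL of your own site>
    print(probe(sys.argv[1]) or "no known blocker found")
```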
Known Test Issues
- Check if the expose_php PHP directive is turned off.
- Check if the uploads folder is browsable by browsers.
- Check if the admin interface is delivered via SSL.
- Check if the readme.html file is accessible.
- Check if the license.txt file is accessible.
- Check if the install.php file is accessible.
- Check if the upgrade.php file is accessible.