You do not score 100% when running security tests? Do not worry, this is normal.
The tests check for a wide range of potential issues, and it is not always possible to be 100% protected.
Warnings are just warnings
For instance, the plugin checks the current version of MySQL – the software that runs your website database. If you are just running the minimum version 5.5.60 (at the time of this writing), it is enough, but it is recommended you run at least v5.6.
Depending on where you are hosted, this can be difficult to get changed, as the host might have to change this setting for a lot of sites to accommodate you.
This is not really a big issue, but the plugin will still warn you.
You should pay attention to the issues that you can do something about – although they might seem innocent at first glance, the fact there is a potential point of entry is serious enough.
Example – Remove the default “admin” account
On the other hand, a default user named “admin” that still exists is a much more serious issue.
Even if you use a very secure password, you are still open to login attempts, which at the minimum put more strain on your server.
Example – Do not use the default database prefix
To group the database tables of your installation together, WordPress uses a prefix that all tables in your database begin with; the default is “wp_”. You can ensure a lot of standard attacks will have no success just by changing the default prefix.
Many attempts to insert malicious code into your website will be by filling out a form and then trying to inject MySQL code that way. Most scripts will attempt to use the default prefix “wp_” – by having a different prefix you will have thwarted those attempts.
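The three checks described above can be sketched as a small offline audit. This is an added example, not the plugin's own code: the function names, the ok/warning/fail labels and the sample input are assumptions made here, while the version thresholds and the “wp_” and “admin” defaults come from the text.

```python
import re

# Thresholds quoted in the article; the severity labels are this example's assumption.
MIN_MYSQL = (5, 5, 60)
RECOMMENDED_MYSQL = (5, 6, 0)

def parse_version(text):
    """Extract (major, minor, patch) from strings such as '5.5.62-log'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def check_mysql(version_text):
    """Below the minimum fails; between minimum and recommended only warns."""
    v = parse_version(version_text)
    if v < MIN_MYSQL:
        return "fail"
    return "warning" if v < RECOMMENDED_MYSQL else "ok"

def table_prefix(wp_config_text):
    """Read $table_prefix from wp-config.php source, skipping //-commented lines."""
    for line in wp_config_text.splitlines():
        m = re.match(r"""\s*\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""", line)
        if m:
            return m.group(2)
    return None

def check_prefix(wp_config_text):
    prefix = table_prefix(wp_config_text)
    if prefix is None:
        return "unknown"
    return "fail" if prefix == "wp_" else "ok"

def check_admin(user_logins):
    """Compare case-insensitively so that 'Admin' is caught as well."""
    return "fail" if any(u.strip().lower() == "admin" for u in user_logins) else "ok"

def audit(mysql_version, wp_config_text, user_logins):
    return {
        "mysql_version": check_mysql(mysql_version),
        "table_prefix": check_prefix(wp_config_text),
        "admin_account": check_admin(user_logins),
    }

# Constructed sample input: a wp-config.php excerpt, a version string and a login list.
SAMPLE_CONFIG = "<?php\n// $table_prefix = 'site7_';\n$table_prefix = 'wp_';\n"

if __name__ == "__main__":
    for name, result in audit("5.5.62-log", SAMPLE_CONFIG, ["editor1", "Admin"]).items():
        print(f"{name}: {result}")
```

With the sample input, the MySQL version produces only a warning, while the default prefix and the “admin” login are both reported as failures.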