Having a <form> tag which has an action with a hard-coded http:// URL as destination
Where? -https://www.seohacks.net/basic/terms/html/
Domain Name: -www.seohacks.net
URL Tested: -https://www.seohacks.net/basic/terms/html/
Number of items downloaded on page: 71
Valid Certificate found. Certificate valid through: Jul 20 23:59:59 2017 GMT
Certificate Issuer: GeoTrust Inc.
SSL Protocols Supported: TLSv1 TLSv1.1 TLSv1.2
All 71 items called securely!
Secure calls made to other websites:
-www.googletagmanager.com is valid and secure.
-www.facebook.com is valid and secure.
-b.st-hatena.com is valid and secure.
-cdn-ak.b.st-hatena.com is valid and secure.
-fonts.googleapis.com is valid and secure.
-www.googleadservices.com is valid and secure.
-googleads.g.doubleclick.net is valid and secure.
-www.google.com is valid and secure.
-static.xx.fbcdn.net is valid and secure.
Insecure <form> call.
Found on line # %2F%2FwXw.seohacks.net%2Fbasic%2Fterms%2Fhtmlã%81¨ã%81¯%2F&width=72&layout=button&action=like&size=small&show_faces=false&share=false&height=65&appId in file: wXw.facebook.com/plugins/like.php?href=https
Insecure call.
Found on line # %2F%2FwXw.seohacks.net%2Fbasic%2Fterms%2Fhtmlã%81¨ã%81¯%2F&width=72&layout=button&action=like&size=small&show_faces=false&share=false&height=65&appId.orig in file: wXw.facebook.com/plugins/like.php?href=https
(Note: Chrome will show a security error for any secure page with an insecure call on the page)
quote from a report via https://www.whynopadlock.com/check.php
WordPress Version
4.6.1
Version does not appear to be latest 4.7.1 - update now.
Check: The following plugins were detected by reading the HTML source of the WordPress site's front page.
duplicate-post latest release (3.1.2)
http://lopo.it/duplicate-post-plugin/ (still being supported?).
Warning User Enumeration is possible
The first two user IDs were tested to determine if user enumeration is possible.
ID User Login
1 None nyl-admin
2 None otani
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. However, it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.
F-F-X-status: https://observatory.mozilla.org/analyze.html?host=www.seohacks.net
polonus (volunteer website security analyst and website error-hunter)