How to Conduct a WordPress Security Audit

Securing your WordPress site isn’t a one-and-done deal. No matter how much you trust your security plugin or how thorough you were with website hardening, a safe website today does not make for a safe website tomorrow. To keep hackers at bay, you have to regularly conduct WordPress security audits and fill in the safety holes you find.

Website hacking tactics are always progressing, and with them so are preventative measures to keep your site safe. Think of it as a cycle. The safer a website is, the more creative hackers have to be to get into it, which means your website has to get even safer, and so on.

Aim to conduct a WordPress security audit every three months at least. Every month is better, and every week (or even daily, depending on how sensitive your site is) is best. And of course, if you feel that there’s something wrong with your site, then conduct a security audit immediately. Any of the following should raise a red flag:

• Your website is slow and sluggish all of a sudden.
• There’s a big drop in website traffic for no apparent reason.
• There are new accounts, login attempts or “forgot password” requests.
• New links that you didn’t add are on your site.

The following steps are must-dos to keep your site in tip-top shape, safety-wise. With a checklist on hand, you’ll make your audits streamlined instead of overwhelming.

An Overview of the WordPress Security Audit

At one point or another, just about every WordPress website is going to encounter some type of security problem. A common one is a plugin or theme that becomes plagued with a vulnerability, allowing hackers right into your site. Once your site’s hacked, any number of things can happen:

• Customers’ personal data stolen
• Illegal ads and content displayed
• Traffic diverted elsewhere
• WordPress data encrypted, deleted or sold

This is so much more than a headache or a downed site for a few hours. Hackers can hold your data for ransom. Information from your site can be sold on the Dark Web. Google can blacklist your site for displaying spam on webpages. Customers can sue you if their credit card information is stolen. Other websites can be infected once hackers have gained access to yours.

WordPress security audits identify these vulnerabilities so you can patch them right away – before a hacker has found their way in. You’ll make sure that the safety steps you’re currently taking are still working, and you’ll also figure out where you need more protection.

Evaluate the Security Plugin You’re Using

Your WordPress security plugin is one of the most important tools for protecting your site. Make sure that your security plugin is still functioning in the following ways:

• Activity Log: This tracks your site’s users, including who logged in and when, failed login attempts, and site changes. There are a lot of great WordPress activity log plugins that you ca use to monitor activity on your WordPress website.
• Firewall: This will block bots, hackers and IP addresses that are trying to get into your site.
• Login Attempts: Quality security plugins will enforce strong passwords, require two-factor authentication and limit login attempts.
• Login Protection: This blocks brute-force attacks, which is when hackers try different username and password combinations to log in.
• Malware Scans and Cleanups: This should run daily, deep-scanning your site’s database, files and folders for malware and wiping clean anything it finds.
• Real-Time Alerts: The plugin should notify you immediately if there’s anything suspicious going on with your website.

Don’t have a security plugin yet? Consider getting one to be your preliminary step in your WordPress security audit. We’ve rounded up the 6 best WordPress security plugins to choose from.

Test Your Website Backup Solution

If something goes wrong on your site that’s impossible or too complex to fix, having a WordPress backup means you can restore your site to its previous state from before the problem occurred. However, if your backup fails, then you have nothing to restore, which means you could be stuck with an infected or malfunctioning site. Ideally, you’ll be using a backup solution (whether that’s one provided by your host or a plugin you use) that allows you to test your backups, like BlogVault. You also may want to read our article with the 6 best WordPress backup plugins.

Go Over Your WordPress Admin and FTP Setup

With WordPress, you can have multiple people logging in to work on various projects, but that doesn’t mean that every single person with a login should have full access to your website. And when it comes to your FTP client, allowing multiple people access means they could make changes to your site’s … well, everything.

When you add a new user in WordPress, you assign them a role (and you can edit their profile to change their role, too):

Different roles have different capabilities. For example, an Administrator can access all of the site’s admin tools (like changing the theme or installing a plugin), but a contributor can only write and manage their own posts. Here’s a comprehensive breakdown of the different roles and their capabilities.

For your WordPress security audit, do the following:

• See which WordPress users have admin-level access.
• Decide if all of those users need that level of access (and if others who have limited access should be admins).
• Lower permissions and restrict access by updating the user roles for those individuals.
• If you don’t recognize users in the dashboard, delete them – they could be accounts that were created by a hacker.
• Are any usernames simply “admin”? This is an all-too-common username and one that hackers often try to use to access your site. Create a new user account for the person and delete the old account.
• Delete the FTP accounts for users who don’t need that high a level of access.

Lastly, if your site allows members, you want to make sure that they have to actually create an account when signing up and that their default role doesn’t allow admin access. Go to Settings > General. Uncheck the box next to Anyone Can Register. Then, select the appropriate option under New User Default Role.

Make Sure WordPress is Up to Date

You may have this run automatically, but it still pays to double-check that WordPress is updated to its most recent version. Updates don’t just patch security holes – they also improve performance and add features. Go to Dashboard > Updates to see if one is ready.

Clean Up Your Plugins and Themes

Plugins can extend the capability of your website, but they’re also vulnerable to attacks, especially if they go without being updated for too long. Reliable developers will stay on top of their plugin’s vulnerabilities and release updates with patches. During your WordPress security update, head to your plugins list and do the following:

• Deactivate and uninstall any plugins that you’re no longer using or that you don’t recognize.
• Update any remaining plugins that have updates ready.
• If you’re using a plugin that hasn’t been receiving updates from the developer, consider using another one that has the same functionality – a plugin that’s outdated is too vulnerable to security issues.

Even if you’re doing your WordPress security audit once every month or so, it’s a good idea to check your plugins more regularly to update them as needed. Also, remove any themes that you’re not currently using or don’t expect to need. Just like with plugins, themes pose the risk of security vulnerabilities, so it’s best to keep your website as clutter-free of them as possible.

Stay Safe Out There!

You don’t stop working on other parts of your business – coming up with new products or services, marketing them, selling, etc. Your website security shouldn’t be any different. A small problem can quickly lead to a business-threatening hack if you don’t catch it in time, but without knowing where the problem areas are, you won’t know which fixes to implement.

Keeping your website safe is an ongoing process, and having a go-to WordPress security audit checklist saves you the trouble of trying to remember what to do every month. Plus, the more you can automate with a security plugin, the better. Your WordPress security audit checklist can be much smaller if a majority of what you have to do is double-check that the plugin is still functioning correctly. We have in-depth overviews of reviews of two leading security plugins, Sucuri and Wordfence.