How to Perform a WordPress Security Audit

WordPress is the most widely used free CMS platform, which makes doing a security audit extremely important. Failing to run these audits will provide hackers with greater opportunity to break into your site. Once they have access, they can add illegal content, steal personal data and engage in many other malicious actions. In other words, performing a security audit will allow you to prevent hackers from taking control of your site. While this might not be an all-in-one solution, updating your website security will help in making your site more secure. In this post, I’ll explain the steps you need to take to perform a WordPress security audit.

What is a WordPress security audit?

A WordPress security audit is the process of checking for security gaps by looking to see if there is any suspicious activity or malicious code on your site. You might be concerned that this process is too complicated and that you’ll need to hire a developer to perform the audit for you – worry not! In fact, the steps are quite simple, and you can perform them manually. 

Take note that online audit services are also available that you can use to check the security of your website. 

Below, I’ll describe the steps you need to take and which automated tools you can use to run the security check automatically.

When to run a security audit

Even if you don’t detect any suspicious activity on your site, it’s prudent to run a security audit every quarter. However, if you notice something odd happening on your site, you should check it immediately.

You should perform a WordPress security audit if you notice any of the following signs: 

  • Your website started loading too slowly 
  • Your website traffic suddenly dropped
  • Some new accounts appeared that you didn’t create, you received forgot password requests or login attempts on your website
  • Some suspicious links were placed on your website 

If you experience all these issues, you should perform a security audit immediately! Let’s move to the section below, so I can show you how easily you can get this done.

How to perform a WordPress security audit 

To evaluate your site from top to bottom, you need to first go through several steps. Here are the most important tasks that need to be done to perform a security audit.

Check username and password

What username do you use to log onto your WordPress site? Is it “Admin”? If so, you must change that username. To do this, you need to create a new user at first that has Administrator rights. Then delete the “Admin” user and assign all content to a new user that you created.

Make sure you’re the only user who has Administrator rights. If there is another user with an Admin account, you should remove it by creating a new user for him/her. If you keep two Admin usernames, please note that your site will definitely be under brute force attack.

As for the password, it must be difficult, so it’s hard to guess. Use not only letters but also symbols and numbers. You can generate a secure password with an online service.

Another tip to secure your WordPress site is to use two-factor authentication. It requires a user to enter not only a password but also a security code which is usually sent to a phone or an email. So if someone guesses your password, he/she won’t be able to log in as they would also need a security code, so they will need access to your phone or email.

Updates

Updates are very important as outdated items are the first cause for security issues. You need to make sure your WordPress plugins and themes all have been updated for their latest versions. Do this easily via Dashboard > Updates and update all software. If you don’t regularly update the items, you’ll then run the risk of getting your website hacked. Read more about why updates are so important in this article.

Remove unused plugins and/or themes

Check the list of the plugins in the Plugins menu of your dashboard. All plugins should be installed only from the trusted sources – avoid installing any pirated or nulled version of plugins and be sure to delete them immediately if you have any. Such plugins will infect your site with malware and open backdoors for hackers. 

If you have some inactive plugins that are not required for your theme anymore, delete them. Use only the ones that are needed for the site.

perform a WordPress security audit

The same goes for themes: keep only the one that you are using. There’s no need to install different themes as they may provide vulnerabilities. Make sure your active theme is up-to-date!

Run backups

Having a backup of your WordPress installation is extremely important and useful. If anything goes wrong (such as your site being hacked or simply broken after an update), you can always restore the site from a backup. We already have some articles regarding backup solutions, so you can find the detailed information about backups here:

How to Perform a WordPress Backup in Jupiter X with BlogVault

How to Backup Your WordPress Database Like a Pro

Restore Your WordPress Website Using a Backup: Here’s How!

Run a security scan

There are many online tools that help you to check your site for vulnerabilities. For example, one of the tools you can use is the Free WordPress Website Security Scanner. Note that such scanners check only public pages of your site. To run a deeper scan, you can use security plugins. When looking for a plugin, check if it has these features:

  • Malware scan
  • Malware cleanup
  • Malware alert
  • Login protection
  • Activity log
  • Firewall

Further down in the article, you’ll find the plugins that you can install.

Check the file/folder permissions

It’s also important to find out what permissions are set for the files and folders in your WordPress installation. The correct permissions should be 755 for folders and 644 for files. You can ask your hosting provider support to help you change permissions. Don’t hesitate to contact them as the permissions are a server-related issue and are not related to the WordPress theme. The detailed description about permissions is in the WordPress Codex.

Check the upload file extensions

Double check the upload file extensions on the forms anywhere on the website as they might be used as backdoors for attackers. Read this doc to find which file types are accepted in WordPress.

Check additional code

Also check every custom code you’ve added to your website because many of the custom codings do not pass any security test. As an example, a JS customization that uses cookies can be used to steal some user information.

Automatically perform a security audit

To keep records of all activities on your site and automate the security audit, it’s better to use a WordPress plugin.

The WordPress Security Audit Log plugin is one of the best tools that will make it easier for you to run security checks – and you’ll have the logs of all user activities. The detailed knowledge base and the documentation of this plugin can be found at this link.
Another great plugin for security audit is Sucuri Security.

perform a WordPress security audit

It provides protection from DDoS attacks, improves your site loading speed, scans your files for suspicious code and has many other features. For more information, check the Sucuri knowledge base.

Using a security plugin, your site will be protected and no one suspicious will be able to attack it. So keep that in mind when installing such a plugin.

Wrapping up

By taking the steps outlined above, you’ll be able to prevent hackers from entering your site. As mentioned earlier, it’s best to perform these tasks frequently so that your site is both up-to-date and secure. Performing a WordPress security audit isn’t too difficult or time-consuming, and you’ll save hours of time if anything happens to your site.

Also the following articles may be interesting for you regarding this topic:

Make Your WordPress Site Safer, Learn to Create Your Own Login URL

Tips for Successfully Taking Over an Existing WordPress Site

How to Add Two-Factor Authentication in WordPress

Recommended Posts