How to Perform a WordPress Security Audit

perform a WordPress security audit featured

WordPress is the most widely used free CMS platform, which makes doing a security audit extremely important. Failing to run these audits will provide hackers with greater opportunity to break into your site. Once they have access, they can add illegal content, steal personal data and engage in many other malicious actions. In other words, performing a security audit will allow you to prevent hackers from taking control of your site. While this might not be an all-in-one solution, updating your website security will help in making your site more secure. In this post, I’ll explain the steps you need to take to perform a WordPress security audit.

What is a WordPress security audit?

A WordPress security audit is the process of checking for security gaps by looking to see if there is any suspicious activity or malicious code on your site. You might be concerned that this process is too complicated and that you’ll need to hire a developer to perform the audit for you – worry not! In fact, the steps are quite simple, and you can perform them manually. 

Take note that online audit services are also available that you can use to check the security of your website. 

Below, I’ll describe the steps you need to take and which automated tools you can use to run the security check automatically.

When to run a security audit

Even if you don’t detect any suspicious activity on your site, it’s prudent to run a security audit every quarter. However, if you notice something odd happening on your site, you should check it immediately.

You should perform a WordPress security audit if you notice any of the following signs: 

  • Your website started loading too slowly 
  • Your website traffic suddenly dropped
  • Some new accounts appeared that you didn’t create, you received forgot password requests or login attempts on your website
  • Some suspicious links were placed on your website 

If you experience all these issues, you should perform a security audit immediately! Let’s move to the section below, so I can show you how easily you can get this done.

How to perform a WordPress security audit 

To evaluate your site from top to bottom, you need to first go through several steps. Here are the most important tasks that need to be done to perform a security audit.

Check username and password

What username do you use to log onto your WordPress site? Is it “Admin”? If so, you must change that username. To do this, you need to create a new user at first that has Administrator rights. Then delete the “Admin” user and assign all content to a new user that you created.

Make sure you’re the only user who has Administrator rights. If there is another user with an Admin account, you should remove it by creating a new user for him/her. If you keep two Admin usernames, please note that your site will definitely be under brute force attack.

As for the password, it must be difficult, so it’s hard to guess. Use not only letters but also symbols and numbers. You can generate a secure password with an online service.

Another tip to secure your WordPress site is to use two-factor authentication. It requires a user to enter not only a password but also a security code which is usually sent to a phone or an email. So if someone guesses your password, he/she won’t be able to log in as they would also need a security code, so they will need access to your phone or email.


Updates are very important as outdated items are the first cause for security issues. You need to make sure your WordPress plugins and themes all have been updated for their latest versions. Do this easily via Dashboard > Updates and update all software. If you don’t regularly update the items, you’ll then run the risk of getting your website hacked. Read more about why updates are so important in this article.

Remove unused plugins and/or themes

Check the list of the plugins in the Plugins menu of your dashboard. All plugins should be installed only from the trusted sources – avoid installing any pirated or nulled version of plugins and be sure to delete them immediately if you have any. Such plugins will infect your site with malware and open backdoors for hackers. 

If you have some inactive plugins that are not required for your theme anymore, delete them. Use only the ones that are needed for the site.

perform a WordPress security audit

The same goes for themes: keep only the one that you are using. There’s no need to install different themes as they may provide vulnerabilities. Make sure your active theme is up-to-date!

Run backups

Having a backup of your WordPress installation is extremely important and useful. If anything goes wrong (such as your site being hacked or simply broken after an update), you can always restore the site from a backup. We already have some articles regarding backup solutions, so you can find the detailed information about backups here:

How to Perform a WordPress Backup in Jupiter X with BlogVault

How to Backup Your WordPress Database Like a Pro

Restore Your WordPress Website Using a Backup: Here’s How!

Run a security scan

There are many online tools that help you to check your site for vulnerabilities. For example, one of the tools you can use is the Free WordPress Website Security Scanner. Note that such scanners check only public pages of your site. To run a deeper scan, you can use security plugins. When looking for a plugin, check if it has these features:

  • Malware scan
  • Malware cleanup
  • Malware alert
  • Login protection
  • Activity log
  • Firewall

Further down in the article, you’ll find the plugins that you can install.

Check the file/folder permissions

It’s also important to find out what permissions are set for the files and folders in your WordPress installation. The correct permissions should be 755 for folders and 644 for files. You can ask your hosting provider support to help you change permissions. Don’t hesitate to contact them as the permissions are a server-related issue and are not related to the WordPress theme. The detailed description about permissions is in the WordPress Codex.

Check the upload file extensions

Double check the upload file extensions on the forms anywhere on the website as they might be used as backdoors for attackers. Read this doc to find which file types are accepted in WordPress.

Check additional code

Also check every custom code you’ve added to your website because many of the custom codings do not pass any security test. As an example, a JS customization that uses cookies can be used to steal some user information.

Automatically perform a security audit

To keep records of all activities on your site and automate the security audit, it’s better to use a WordPress plugin.

The WordPress Security Audit Log plugin is one of the best tools that will make it easier for you to run security checks – and you’ll have the logs of all user activities. The detailed knowledge base and the documentation of this plugin can be found at this link.
Another great plugin for security audit is Sucuri Security.

perform a WordPress security audit

It provides protection from DDoS attacks, improves your site loading speed, scans your files for suspicious code and has many other features. For more information, check the Sucuri knowledge base.

Using a security plugin, your site will be protected and no one suspicious will be able to attack it. So keep that in mind when installing such a plugin.

Wrapping up

By taking the steps outlined above, you’ll be able to prevent hackers from entering your site. As mentioned earlier, it’s best to perform these tasks frequently so that your site is both up-to-date and secure. Performing a WordPress security audit isn’t too difficult or time-consuming, and you’ll save hours of time if anything happens to your site.

Also the following articles may be interesting for you regarding this topic:

Make Your WordPress Site Safer, Learn to Create Your Own Login URL

Tips for Successfully Taking Over an Existing WordPress Site

How to Add Two-Factor Authentication in WordPress

Is WordPress Secure Enough? A WordPress Security Review

WordPress Security Featured Image
WordPress Security Featured Image

Let’s consider for a moment a hot topic when it comes to the web: security. Poor security on WordPress websites could lead to secrets being exposed, reputations getting lost in the market and even a service getting shut down.

Yes, security is the most important thing on the web and, unfortunately, many users and even administrators don’t have enough know-how about this matter.

In this post, we’ll take a glance at WordPress security to become familiar with the most crucial things about securing a WordPress website.

As an immense open-source project, WordPress is the most well-known CMS (content management system). Based on statistics, WordPress powers 34% of websites on the internet and more than 60% of websites that use a known CMS use WordPress. This also makes it the most attractive platform for hackers as well. Indeed, if you find an important security hole in WordPress, you can affect 34% of the internet.

You may have heard about WordPress websites getting hacked, and the main question that comes to mind is: “Is WordPress secure enough?” In this post, we’ll address this question by reviewing some stats, layers of WordPress installation security and the performances of administrators. Read until the end to get a good idea of the state of WordPress security.

WordPress Security Statistics

WordPress Security Report Sucuri.Net
Image from

According to a report from Sucuri & GoDaddy, from a total of 25,466 infected sites in 2018, 90% of them used WordPress. The report reveals an increase in WordPress infections from 2017.

When looking at the most significant problems, you won’t find anything related to WordPress core security. Interestingly, common issues with WordPress security are not related to WordPress itself. What matters are the configuration, the usage and what administrators do.

We know that WordPress is an open-source project, meaning that everyone can see the codes and make some changes to them. On the one hand, this would seem to be an open-source CMS that could potentially cause more security problems because anyone can see the codes, discover a security bug and later use it to attack websites.

On the other hand, any individual can watch the status of a project’s security and report any possible security issue privately to the team. WordPress applies security patches immediately, and a new version becomes available to download as soon as possible. Each time a new version comes out, they mention how many security problems have been fixed in the changelog.

Based on the statistics, there is no common effect on websites due to WordPress core security problems. In other words, it works!

Layers of WordPress Security

We first need to wrap our heads about the fact that the security of a WordPress site is not only about WordPress itself. It depends on some other aspects such as themes and plugins, as well as some third-party tools like hosts and servers – and above all, site administrators.

WordPress Core Security

We briefly reviewed WordPress core security in the previous paragraph and mentioned that WordPress patches any security problems immediately. But, what will happen if you don’t upgrade your WordPress installation with the latest version? Then, you’re an excellent target for hackers.

WordPress Core Security

Detecting the version of WordPress is not hard to do. Even if you use plugins and codes to hide which version of WordPress your site is using, there’s no guarantee that hackers won’t be able to detect the version of your WordPress. And after that, there’s a list of security problems (which are fixed in the latest version) that you won’t have access to it unless you upgrade WordPress. With a list of potential security holes in your site, the chances of being hacked increase. Therefore, it’s better to constantly keep your WordPress site up to date.

Security of Themes & Plugins

Unknown Sources

Most WordPress sites get hacked because of their backdoors. So, if you download a theme or plugin from an unknown source or a site that provides a nulled version of premium themes, you are at risk. It’s all too easy to inject some codes into the package and provide a zip package to download. Unfortunately, some users are not aware of this and, for that, administrators are responsible.

Non-updated Themes or Plugins

Similar to WordPress core, you should keep plugins or themes up to date because they are even more vulnerable. Sometimes it takes time to patch a security problem. If you read the fascinating facts surrounding the Panama Papers hack on Wordfence’s site, you may never forget to update your themes and plugins with the latest version.

Host, Server and WordPress Installation Configuration

Web Hosting WordPress Security
Photo by Web Hosting on Unsplash

Sometimes, a website gets hacked in shared hosting. After hacking a website, the hacker may penetrate the host and then access other websites on that server.

Consequently, it’s crucial to host your website in a known and secure host provider. And it’s better to configure the hosts accurately. There are many factors to consider while configuring a server for a WordPress installation. As a quick checklist, you should be aware of the firewall, backup system, SSL and SFTP, automatic security checks, malicious activity detector, email security, and file permission. We’ll take a deep dive into these matters in a later blog post.

Moreover, it’s necessary to be aware of configuring the installation. Changing default database table prefixes, using a strong password and not using “admin” as the username can decrease the chances of your website getting hacked. Following these simple steps can help you to avoid any possible security problems on your website. We’ll also describe in detail WordPress configuration problems in another blog post.


As mentioned previously, admin is one of the biggest problems and the main reason why websites get hacked. As we can gather from the statistics, the most prevalent problem is website administrators and webmasters. Unfortunately, not enough attention has been paid to this matter.

The security of a website is highly dependent on the performance of webmasters. They can simply allow hackers in by setting an easy-to-guess password or username like “admin” and “12345678.” Sometimes, webmasters aren’t informed about security patches or small updates, and it can put the website at risk. An administrator should be cautious about user roles and permissions when a website is open for new user registration.

Many of these precautions are easy to take when using a security plugin. We’ll have a blog post about WordPress security plugins that will include a review of the most popular ones.

As a result, it’s easy to say that the WordPress core is highly secure. The community will take care of WordPress security, and if you want to use it for your new project, it’s better to take some time to learn more about common security problems, find a good host provider and correct configuration.


Subscribe to Artbees Themes Blog for the best WordPress tips and insights.