WordPress Security Audit

WordPress Security Audit: 15+ Best Audit Practice [Checklists]

The most lacking habit that the majority of bloggers have is, not doing regular WordPress Security Audit.

Without knowing how vulnerable your website is, you can’t be aware and prepare your website from getting hacked.

For WordPress Security Audit, there are a number of checklists and markers that you have to follow to give your website the most secure environment.

To make this task easier, I came up with the step by step guide on how you can do Security Audit for your WordPress website without taking any additional help.

I promise you, you will get all the practical pointers that you can do right away to make your website more secure.

I also want to mention here that these WordPress Security Audits pointers can be used as a checklist. On each check, you make your website more secure and less vulnerable to hack.

Before jumping directly to the security audit checklist for your WordPress website, let’s have a look at why you should never miss them.


Why is WordPress Security Audit Important?

It is clear that a security audit dictates all the vulnerabilities that hackers might use to gain access to your WordPress website.

This will lead to a very devastating situation.

They can demand money. They sell your website content including your user’s data, card details, and very important credentials.

This will create chaos for your business. And once your website gets hacked,

  • They may redirect them to other websites.
  • Sell your client’s details to the black market.
  • You might lose Google ranking.
  • Add malicious code to your website.
  • Blacklisted by search engines.
  • And lastly, ask for ransom.

This all creates a situation where your website loses the trust of your fair audiences— not good for the brand.

This is just a glimpse of what is going on today.

To make the security of your website top level, you should always do a security audit for your WordPress website.

So first, we have to detect the vulnerability of our websites before the hacker does it for us and leverage the opportunity. And finally, hack us.

That’s all.

Now, without wasting time, let’s have a detailed look at how you can perform a Security Audit for your WordPress website.

How to Perform a WordPress Security Audit?

There are a total of 16 checklist in this step by step guide on WordPress Security Audit.

Among 15 checklists, 13 are for every website owner, and the rest 3 are for the owners whose websites are continuously hit by hackers.

#1 Update to Latest Versions

About half of the website owners don’t open their WordPress website weekly. As time is changing, the frequency of updates for plugins and themes also increases.

This builds the most vulnerable situation for your website’s security.

Majorly, there are two types of updates: one is on-site updates and the other is server-based updates.

On-site updates include updates that don’t require to access the control panel of your server. They can be updated right from your WordPress dashboard.

However, server-based updates generally require control panel access to update them. PHP updates are some of them.

On-Site Updates

In terms of updating on-site, you can either update via the ‘update’ option in the plugins section or you can upload them manually.

To update the WordPress core, plugins, and themes, you can go to the ‘update’ section— right after the dashboard section— and update from this single window.

One more thing, with WordPress 5.6 update, there are auto-update features for the WordPress core and plugins.

So, if you’re not-so-regular to using WordPress, you can switch on the auto-update option.

But, don’t enable the auto-update feature for WordPress core. Why?

Because it might break your website. This is what happens to millions of website owners.

With WordPress 5.5, millions of websites got broken because WordPress developers remove jQuery from the WordPress directory. And sites that are based on jQuery hit by this update.

Therefore, I highly suggest not to enable the auto-update feature for WordPress core updates and always take a backup before updating WordPress.

Server Based Updates

Most of the server-based updates are governed by the hosting providers. However, one of the crucial updates— PHP, is important to update.

WordPress 5.6 and latest, support PHP version up to 8.

But I would say, for now, don’t go beyond v7.3 because the majority of plugins and themes don’t support PHP v8.

Moreover, the majority of hosting providers use cPanel to manage their servers. So, if you have a cPanel based server, follow the following pointers to update PHP.

  1. Login to cPanel
  2. In the search tab, search PHP.
  1. In the result tab, click on “Select the PHP”
  2. Now, click on v7.3 and save the settings.

While doing on-site or server-based updates, you always should first take the backup of your website.

This is significantly important because new updates might not be compatible with your website theme or create conflicts with other plugins.

So, it is a better idea that you should always take back before updating.

#2 Strengthen Username, Password, and Database Name

For obvious, a weak username and password are the most predictable loose ends. And as the owner, you don’t want to be in that category.

You should strengthen your login credentials— after all, they are important.

As the username, it should not be:

  • As the author’s name.
  • Your initials
  • Emails prefix

The username should be impossible to predict so that no one ever guesses that.

To check the possibility of getting predictive, you can use a mix the name with your favorite person or animal along with some random numbers.

This is how you can make the best username for your WordPress. But what about passwords? 

Unlike username, where you can’t use special symbols, in password, you have full disclosure to use them.

A secure password should:

  • Not only your name, DOB, or any name.
  • Contains at least one special character.
  • At least 8 lettered.
  • Have both upper and lower case.

Moreover, while creating the password for your website, there is a password enhancer tool that states the password strength in numbers (up to 100) and green color. So, try to get 100/100 here.

But now the question arises, how can you edit or create new credentials for your website? 

You can do this by these two measures:

  1. Using WordPress dashboard
  2. Using cPanel’s Window

Changing Credentials Using WordPress Dashboard

To change the password from your WordPress Dashboard, you have to

  1. Go to the Users section
  2. Click on the “Profile” segment
  3. Hover to “Account Management” and click on “Generate password”
  4. Enter the new password here.
how to change password for your wordpress user for more security

The above guide is only for changing the password for your username. But what if you want to change your username?

You have two options:

Changing Credentials Using cPanel 

To change the password using cPanel, you also have two option:

  • Using WordPress Installation window
  • Using phpMyAdmin

But for changing both username and password, you have to use phpMyAdmin.

To change the author’s password using the WordPress Installation window, follow the same:

  1. Search for WordPress.
  2. Click on “WordPress Management”
  3. Select the Site, and click on “Change Password”
  4. Now, enter the respective username (old) and new password.
  5. Hit the Save button.

Changing Credentials Using phpMyAdmin

To create, edit or change the username and/or password, follow the same:

  1. Search for ‘phpMyAdmin’ in the search column.
  2. Click on phpMyAdmin.
  3. Select the respective database of your website.
  4. On the left, you will see WordPress database tables with the suffix “wp”.
  5. Click on “wp_users” and select the ‘edit’ option with the respective author that you want to edit.
  1. Now, change the username and password, and click the ‘Go’ button.

#3 WordPress Backup Suite

Take backup— even when you’re not doing a security audit —of your WordPress website is important.

Backups are the crucial saving that keeps you away from any blunder that happens due to editing the malicious codes or storing the website before it was hit by the attackers.

Apart from this, one additional step that you should take is to check whether your backups are restorable or not.

Moreover, try to download backups regularly of your website to other cloud storage or locally. This would help you restore the files even after hackers delete them from the dashboard.

This majorly happens because hackers delete the backups files too, to make owners helpless while restoring their website.

Many hosting companies take regular backup of your website but I would suggest don’t fully depend on them.

You should install UpdraftPlus or iThemes BackupBuddy. You can also check other backup plugins for your WordPress website.

#4 Flushing Unused Plugins, Themes, And files

Did you know? A big part of hacks is due to unused plugins and themes. Hackers use flaws of out-dated plugins and themes to create a backdoor to your website.

So, it’s better to flush them all out.

This not only makes your website lite but also removes the flaws of out-dated plugins and themes.

To delete plugins, you just have to hover to the plugins section and click on the delete option, at the bottom of each plugin.

Deleting additional themes is a little bit different. To delete them you have to first visit the theme section and click on the additional theme.

After that, at the bottom left of the screen, you have the option to delete them.

Now, you deleted plugins. You deleted themes. What’s more? The extra files.

Extra files such as unused images, files, and pdfs should also be deleted.

#5 Don’t Upload GPL license Plugins and Themes

Nowadays, bloggers are taking advantage of GPL licensed files at the cost of their WordPress security.

In the majority of cases, GPL licensed plugins and themes let you enjoy premium features for free.

Wait! I had seen many cases where these files became the culprit for the hacks and security breaches. It also happens to me.

You can even google it if you don’t believe me. To save your time, check this article by pagely.

I am not saying, they are always the culprit but why take chances.

Honestly, in the beginning, I used to have some GPL license plugins and themes. After learning my lesson— I shared my story later in the post— I completely flushed them out.

And this is what I also recommend you to do so.

#6 Delete or Restrict Author’s Role

Many of the bloggers skip this part but you should never underestimate it.

When your website has too many authors, and some are not working for you, it’s better to cut them permanently off.

This will help to rectify any misuse of their credential for gaining access to your website.

I am not saying, you should delete extra authors, but my point of saying is, deliberately or by mistake, their credentials can be used by hackers to get access to your WordPress dashboard.

But “I don’t want to delete them?” What are other options? You can change their password.

As they are not working for you and you don’t want to permanently delete the account then it’s better to change their password by using phpMyAdmin.

It saves your website from any misuse of their passcodes.

For more security of multi-authored websites, it is better to restrict the access of various authors to change or manipulate a certain section of your WordPress.

The following video shows you how you can restrict the access of authors for WordPress websites.

#7 Block Brute Force Attacks

If you are trying to access someone else’s accounts using some sets of passwords and usernames, then you are doing a brute force attack.

I hope you understand what a Brute Force attack is.

But how can you block this force attack?

To stop these attacks, you have to do mainly 3 things. These are adding two-step authentication, limiting login attempts, and changing the default login URL.

How to check your Website is Brute Force Attacks? By checking the Google analytic.

If you saw any abnormal dip in the traffic, usually by a very large margin, there is a possibility that your website is under brute attack.

A. Adding Two-Step Authentication

To add two-step authentication, there are a number of plugins. But, if you ask me to suggest one, I would say, “Two Factor Authentication by UpdraftPlus author’s”.

They are simple yet do their job perfectly.

To add two-step authentication to WordPress website:

  1. First, go to the plugins section and click “Add new”
  2. In the search bar, type “Two Factor Authentication”.
  3. Install the plugin with the same name and activate it.
  4. Now, go to the plugin’s main page, and hover to its setting module.
  5. By default, it is set to disable. You have to enable it with the code that will be listed below the activation box.
  6. Now, select “Enabled” and save changes.

After the primary setup, at the bottom, it would ask you to choose in between TOTP and HOTP

  •  TOTP: Time-based OTP. They are the most common algorithms that are even used by Google Authenticator.
  •  HOTP: Hash-based OTP. They are event-based authentication systems.

My personal choice is TOTP.

Whether you chose TOTP or HOTP, you should save the private key that is listed on the page. This would help you in the future if you don’t have an authenticator system.


B. Limiting the Number of Login Attempts

Similarly, like 2-step authentication, limiting the login attempts can save your web from brute force attack.

And for that, you have to just install a plugin named “Limit Login Attempts Reloaded”.

After installing the plugins,

  1. Go to “Setting” >> Limit Login Attempts >> Setting tab.
  2. Scroll to App setting with subtitle, “local App”.
  3. By default, it is set to 4. You can change whatever you want.
  4. Save changes by clicking the “Save Setting” button.

C. Changing the Default Login URL

By default, the WordPress login URL is “site.com/wp-admin/”. So, it is easier for hackers to use the credentials to log in to your WordPress dashboard.

As the default login URLs get changed to a new one, the unauthorized person isn’t able to find the page where he/she put the details for successful login.

So, by changing the default login URL, even if a person has your login details, they cannot log-in, unless they have your cPanel access too.

In order to change the default login URL, you simply have to add a new plugin— WPS Hide Login.

Just activate it, and hover to the plugins setting. After that put the suffix word in the place of wp-admin.

For example: “site.com/wp-admin/” can be replaced with “site.com/iloveblogging/” or  “site.com/hideme/”

D. Whitelisting IPs

All of the above three distinctive ways, alone decrease the chances of getting hacked by 99% using brute-forcing. But there’s another pointer that clears any constriction related to brute attacks i.e Whitelisting IPs to the dashboard.

Whitelisting IPs to the dashboard allow you and authors to log in only with specific static IPs. This makes you 100% safe from any type of brute attacks.

Please Note: They are useful only when you’re using static IPs, not dynamic IPs. Static IPs do not change, while dynamic IPs such as mobile internet that changes every time you switch on-off airplane mode.

So, only use, if you’re using a static Wifi or LAN service. Otherwise, you can’t log in to your dashboard with any other IPs.

For more details, you can watch the video from here.

E. Adding Cloudflare Free Service

With a free Cloudflare account, you are not only getting a free CDN for your website but also primitive security.

The free plan is a great choice for small business owners. In addition, it protects your website from attacks like DDoS.

Moreover, you will get a free SSL/TLS certificate that further encrypts the data while transferring from the server to the user.

So, you can get entry-level protection for free.

For more security features, you can also subscribe to their paid plans, starting with $20/ month.

F. Adding reCAPTCHA on Comments & Login

You may know, the majority of security breaches and spam comments are due to bot attacks.

To decipher these types of attacks and spam comments, you can add reCAPTCHA to various submission forms including your login page.

By doing so, any bot attack can be halted.

To activate it, you just have to add a plugin named “Simple Google reCAPTCHA”.

Using this plugin, you can protect brute force attacks or spam to:

  • Login form
  • Comment form
  • Registration form
  • New password and reset password form

#8 Find and Eliminate Vulnerabilities

If you’re following this list for WordPress Security audit, from now, you nearly protect your website from getting hacked by external means.

But what if the attack is due to vulnerabilities in your website databases?

To tackle all the on-site vulnerabilities, there are a lot of security plugins and online tools. So, I am going to give you a detailed look at each of them.

A. Evaluate Security Using On-Site Plugins

For this, I am going to show you the two most trusted and commonly used security plugins that will rephrase your on-site vulnerabilities

Wordfence Security – Firewall & Malware Scan

Wordfence provides you with the ability to scan the vulnerabilities, malware, and loopholes that a hacker can take advantage of to access your login area.

Moreover, it also provides an on-site firewall that adds firmness to your website protection.

In addition, it is free and best known for its protection.

For evaluating the loopholes— after installing and activating it— go to the Wordfence dashboard and hover to the ‘scan’ option.

Now, click on manage scan. In the follow-up window, click on high sensitivity and click on “Save Changes”.

This time, you again have to click on the scan button, and click on “Start New Scan”.

You have to wait a couple of minutes to half hours (or evermore based on website size). After that, fix all the necessary vulnerabilities that are listed in the column.

Please Note: High sensitive scan is a very powerful means of determining the vulnerability, but it takes a lot of server resources and computing. This leads to the slow loading of websites.
So, I would recommend switching back to the default scan after you scan all the vulnerabilities for the first time.

Sucuri Security Plugin

The best paid and all-in-one solution for WordPress security.

Sucuri Security plugins are as much (even more) powerful security plugins for your WordPress website than Wordfence.Scanning WordPress using sucuri wp plugin

The plugin offers you a flexible approach to finding the vulnerabilities along with various security hardening means.

However, to activate this plugin you required an API key and for that, you have to subscribe to Sucuri plans which started from $199/year.

Though the free version is also available, it is not that much powerful as Wordfence. So, if you want to use a free security plugin, Wordfence is for you.

But if you are willing to invest some money in your website security, I recommend you to go with Sucuri.

B. Evaluating Vulnerability Using Off-Site Tools

After doing the on-site vulnerability test using plugins, it is better to confirm with other off-site online tools.

For this, I am going to show you the three tools that help you do WordPress security audits without taking too much time and load on your server.

Moreover, try to scan your website from all of these three tools.

Sucuri SiteCheck

An online tool that not only scans your submitted URL for malware but also in blacklisted databases.

The malware scan is not restricted to the specific URL but also scans the supplementary pages that are associated with the submitted URL.

In terms of the security scan, the tool promises to interpret other vulnerabilities such as malicious code and spam injection.

In addition, it also checks the URL for 8 different blacklisted data.

IsitWP Site Check

IsitWp is another online tool that lets you do a lite security audit for your WordPress website.

The tool is powered by Sucuri with some distinctive security features. However, the results are more likely to be the same as Sucuri.

It scans your website on parameters with the integrated tools such as Google Safe Browsing, Safe Web, PhishTank, The Opera browser, SiteAdvisor, The Sucuri Malware Labs, SpamHaus DBL, Yandex (via Sophos), and ESET.

Google Safe Browsing

As all we know, Google is the largest search engine.

Google has tons of crawlers and security measures to depict whether a URL is safe to visit or not.

You can also use the Google Safe Browsing tool to know whether your URL has malicious code or not. It also portrays the malware scan for that URL.

Moreover, if you are using Google Search Console, you will be notified of all the vulnerabilities and malware that are blocked due to various means.

The following images show no issues in terms of security in the Google Search Console.

#9 Regenerating wp-config salts & Keys

For acknowledgment, Salts keys are a type of hash codes that are used to encrypt sensitive data.

Without these salt keys, anybody can read sensitive information such as username, password, card details, etc.

That’s why it is better to reset WordPress salt keys and generate wp-config salts.

Moreover, if your website gets hacked then it is far better to change them asap.

To change and regenerate these salts keys, there are a lot of sequential codes to write which could be hard and confusing for beginners.

So, I came up with a beginner-friendly alternative plugin— Salt Shaker Plugin.

You only have to install and activate it.

In addition, you can also schedule the change. And I would suggest, you should stick with the monthly auto-salt key generator option.

#10 Force Through SSL

I am pretty assured that you all have an SSL certificate. It is quite common for your website security.

Installing an SSL certificate doesn’t make your website fully secure.

In general, your website has two versioned URLs i.e., HTTP and HTTPS.

As you know, HTTPS means the URL has an SSL certificate. But it alone doesn’t force the HTTP version of your site to redirect through HTTPS.

To do so, you need to change your .htaccess file. The following video will help you with that.

But if you want a simple solution to force redirect every URL of the website to HTTPS, you can simply install Really Simple SSL plugin.

Just install, and activate it. That’s all.

#11 Disable File Editor for Plugins and Themes

Most of the coding stuff is in plugins and themes. That’s why hackers add malicious code into the plugins and themes files.

Once malicious code is injected into plugins and themes files, it is tough to find and decipher them.

In order to protect your plugins and themes source code, it is better to disable the file editor option in the WordPress dashboard.

To disable the file editor module, just follow the following pointers:

  1. Login to your cPanel account.
  2. Search and open the file explorer.
  3. Open your website file (usually in public.html)
  4. Click and open wp-config.php file.
  5. Paste the following code in between the code.
define( 'DISALLOW_FILE_EDIT', true );
  1. Now, click on the Save button.

Please Note: Before editing codes to wp-config.php file, make a copy or download it locally. So, if something gets wrong, you can replace the original one.

#12 Change the Prefix in the Database Tables

After the WordPress plugin and theme files, the next most vulnerable data is your WordPress database tables.

In general, each table in your WordPress database has a prefix “wp_” like for post: “wp_post”, for users: “wp_users”, and so on…

First of all, it is not the vulnerability, but by changing so, your website is more secure than ever.

So, you can change the prefix with something not-so-common word or alphanumeric codes. It is fully up to you, which combination you will use.

To change all the prefix values of tables, do the same:

  1. Login to cPanel and click on phpMyAdmin.
  2. You got a list of 11 tables with a default name “wp_”
  3. Now, click on the SQL button and paste the following code.
RENAME table `wp_commentmeta` TO `myweb21a_commentmeta`;
RENAME table `wp_comments` TO `myweb21a_comments`;
RENAME table `wp_links` TO `myweb21a_links`;
RENAME table `wp_options` TO `myweb21a_options`;
RENAME table `wp_postmeta` TO `myweb21a_postmeta`;
RENAME table `wp_posts` TO `myweb21a_posts`;
RENAME table `wp_terms` TO `myweb21a_terms`;
RENAME table `wp_termmeta` TO `myweb21a_termmeta`;
RENAME table `wp_term_relationships` TO
RENAME table `wp_term_taxonomy` TO `myweb21a_term_taxonomy`;
RENAME table `wp_usermeta` TO `myweb21a_usermeta`;
RENAME table `wp_users` TO `myweb21a_users`;
SQL button and paste the following code.

You can change the value “myweb21a_” with any value you want.

Please Note: It is an advanced security measure. So, only use it when your website was already hacked in the past.

#13 Create a Password Protected Directory

Another advanced security protection measure for your WordPress site auditing.

By creating a password-protected directory, even if someone has access to your WordPress files, they can’t change it. Unless they have a second security password that I am going to show you how to add them to your wp-admin folder.

But why only to the wp-admin folder? Because it has most of the sensitive data that a hacker may use to create a backend access door to your website.

To password protect the wp-admin folder, you have to:

  1. Login to cPanel.
  2. Search for “Directories Privacy”
  3. A new window will appear, browse to your wp-admin folder in the directory.
  4. Now, on the right, click on the edit button.
  1. Check the “password protect this directory”
  2. Now, in the column “Enter a name for the protected directory:”, it gets automatically filled.
  3. Now, in the bottom window, fill the new username and password.
  4. And click on “Add/modify authorized users”.

With this, you add a new layer of security that is harder to breach.

Removing the “lost password” link from the login page makes you unable to access lost password functionality.

So, I better suggest writing your password down. Otherwise, it could be another tedious task to recover your own forgettable password.

But, what’s the point of removing a lost password link?

This is very helpful when your email gets hacked which is linked to your website. So, even the hacker can’t change the password of your website. That all means, your website will be safe.

You only have to add the following code to your “login-style-perso.cc” file.

p#nav { 
display: none;

For additional safety, you can also remove the “«Back to the site»” link that allows users to return to the homepage.

Just add the following code to “style-login.css” file:

p#backtoblog {
display: none;

#15 Hosting Too Many Website To The Same Server

Hosting too many websites on the same server is cost-effective. But it could also be a nightmare for you.

Because if one website gets hacked, there is a higher chance that all the websites on the same server will also be hacked.

And this is what happens to me. Here is my story.

I have an A2 hosting plan where I hosted 3 of my sites. And once, I uploaded a GPL plugin of SocialShare.

But, it was a blunder.

After uploading and activating the plugin, it automatically gets vanished from the plugin panel. And a new plugin with some title—I don’t remember the full name— but with a prefix ‘ads’.

Moreover, I was automatically logged out. And can’t access the dashboard.

I checked other websites too.

They also get hacked.

I was fully anxious. I even think for a second, what happens to me.

All 3 websites got hacked. And in the next 10 to 12 hours, I had done only one thing, removing malicious plugins and new users from phpMyAdmin.

That day was terrible for me. But I learned my lesson.

This could happen to any of you. So, first, don’t upload any GPL plugins and themes, and secondly, don’t host your all-important website on the same server.

I hope you understand my point of saying.

Therefore, don’t even dare to host all of your important website of the same hosting, even their security level is best.

#16 Evaluate Your Hosting Provider Security

Finally, we are at our last pointer i.e. how secure is your hosting provider.

If your server is not safe, there is no use in dwelling time on the above pointers.

This is why it is better to choose a reliable and trusted hosting provider.

Final Checklist for Your WordPress Security Audit

The following is the final checklist that you should follow in order to make your website more secure.

In this final checklist, I only included the crucial pointers that enhance your WordPress security.

1. Be Updated: Be regular in updating plugin, themes, and WordPress.

2. Create a Strong Username & Password: Create an unpredictable username, and for password try to use the combination of words, special letters, and symbols.

3. Check Restorable WordPress Backup Suite: Always take backups regularly and also before updating WordPress.

4. Flush out Unused themes, Plugins, and Files: Try to delete plugins, themes, and files that are no longer of use.

5. Stay away from GPL: Don’t use GPL license themes and plugins because it may lead to a security breach.

6. Restrict and Delete Authors Role: Remove or modify the passwords of non-active authors.

7. Block All means of Brute Force Attacks: You can add 2-step authentication, limit login attempts, change the login URL, add Cloudflare CDN, and reCAPTCHA to protect your website from brute force attacks.

8. Eliminate On-site Vulnerabilities: You can use on-site plugins such as Wordfence and Sucuri to find vulnerabilities. Sucuri SiteCheck and IsitWp are the online tools to scan your website for malware and in blacklisted databases.

9. Reset WordPress Salts: Regularly (at least a month) reset the WordPress salts key for giving more protection to your site’s sensitive data.

10. Disable File Editors For Plugins & Themes: Doing this, resist any change and code injection by hackers.

11. Force Through SSL: Redirect every page with HTTP to HTTPS. You can use the Really Simple SSL plugin for that.

12. Don’t host too many Sites on Single Hosting: Read what happens to me, in section #15 in this post.

I hope you like my efforts on “How you can do WordPress Security Audit by yourself“.