How to Perform a WordPress Security Audit

When I worked at HP I was a Java security developer for one of their enterprise network management tools. I used to run a cross-divisional weekly security meeting where we discussed things like cryptography, SSO, MD5 hashes, SAML, and other technical topics, none of which you need to understand to audit your WordPress site. Don’t let the word security scare you. If you follow this simple monthly WordPress security audit, you are well on your way to keeping your site from being hacked, and you will head off more than just the 60% of breaches that exploit outdated software (https://www.bitdefender.com/en-us/blog/businessinsights/60-of-breaches-in-2019-involved-unpatched-vulnerabilities).

Many businesses first call us after a security breach. Hacked sites often mean lost data, frightening virus warnings, and business owners worried about lost revenue and reputation.

The truth? 51% of small businesses have no cybersecurity measures in place (Source: Cybersecurity & Infrastructure Security Agency 2024 https://www.getastra.com/blog/security-audit/small-business-cyber-attack-statistics/).

Fortunately, regular audits and updates, using a good hosting company, and choosing well-maintained plugins will prevent most WordPress security issues from ever happening to your site.

The following quick audit steps help you catch vulnerabilities before hackers do, potentially saving your business a lot of money and time.

Quick Start Security Checklist (15 Minutes)

Short on time? Start with these critical steps that prevent 80% of common WordPress security issues:

Immediate Actions (Do This Now)

  • [ ] Check for Updates: Go to Dashboard → Updates. Update WordPress core, all plugins, and themes immediately
  • [ ] Review Admin Users: Go to Users → All Users. Remove any Administrator accounts you don’t recognize
  • [ ] Install a Security Plugin: Add Wordfence (free) or Sucuri Scanner and run an initial scan
  • [ ] Verify Backups: Confirm you have recent backups (check with your hosting provider if unsure)
  • [ ] Check SSL Certificate: Ensure your site shows “https://” and a padlock icon in the browser

This Week (When You Have More Time)

  • [ ] Change Weak Passwords: Replace any passwords like “admin” or your business name
  • [ ] Remove Unused Plugins: Delete any plugins you’re not actively using
  • [ ] Configure Security Plugin: Follow the detailed settings in Section 5 below
  • [ ] Review User Permissions: Ensure users only have the access level they need

This Month (Full Security Audit)

  • [ ] Complete the comprehensive audit outlined in the detailed sections below
  • [ ] Test your backup restoration process
  • [ ] Review hosting security features
  • [ ] Document your security settings for future reference

🚨 Red Alert – Call for Help Immediately If You See:

  • Unrecognized admin users
  • Your site redirects to strange websites
  • Google search warnings about your site
  • Massive slowdown or site won’t load

For complete details on each step, continue reading the comprehensive guide below.

Why WordPress Security Matters for Your Business

Your website isn’t just a digital business card. For many businesses, it’s your most important sales tool. When hackers compromise your site, they don’t just steal data. They destroy customer trust, damage your search rankings, and can take your business offline for days or even weeks.

Consider the real costs of a security breach:

  • Immediate revenue loss: Every hour offline costs money.
  • Customer trust damage: Security breaches significantly impact customer relationships.
  • SEO penalties: Google temporarily blacklists compromised sites, destroying your search rankings.
  • Legal liability: Data breaches trigger notification requirements and potential lawsuits if customer data was breached.
  • Recovery costs: Emergency security fixes can often cost significantly more than preventive maintenance.

WordPress powers 43% of all websites (Source: W3Techs 2024 https://w3techs.com/technologies/details/cm-wordpress), making it a prime target for automated attacks. Hackers use bots to scan thousands of sites daily, looking for common vulnerabilities. They target outdated plugins, weak passwords, and unpatched security holes.

The good news? Regular security checks, good hosting, and proactive maintenance prevent many of these threats.

Easy Step By Step WordPress Security Audit

Use this process regularly to catch common security problems on your WordPress site.

1. Check Software Versions

Keeping WordPress, themes, and plugins updated is one of the best ways to secure your site.

How to Check for Updates

  1. Log into WordPress:
    • Go to your website’s login page (usually something like https://yourdomain.com/wp-admin).
    • Enter your username and password.
  2. Access the Updates Screen:
    • In the left-hand menu of your dashboard, click Dashboard, then click Updates.
  3. This screen shows updates for WordPress core, plugins, and themes all in one place.

Why Updates Matter

Updates patch known security holes that hackers actively exploit. Ignoring updates leaves your site vulnerable to attacks already circulating in the wild.

Check the WordPress Core Version

  • On the Updates page, look for one of two messages:
    • “You have the latest version of WordPress”, which means you don’t need to do anything.
    • “An updated version of WordPress is available”, which means you need to update.

How to Update:

  • Click the button that says Update Now and wait for it to finish. It may take a minute.

TIP: Always back up your website before updating WordPress core. In fact, having regular backups of your site is an important step in keeping your site secure and running smoothly.

Check Active Plugins

  1. In your dashboard, click Plugins, then click Installed Plugins.
  2. Look for:
    • Red update notices under plugin names.
    • Warnings like “This plugin has not been tested with your current version of WordPress.”

What to Do:

  • Click Update Now for any plugin with an update available.
  • Replace a plugin with a well-maintained alternative if it:
    • Hasn’t been updated for a year or more, or
    • Shows warnings of being incompatible with your WordPress version.

TIP: On high-traffic or ecommerce sites, update plugins one at a time and test your site after each update to avoid compatibility issues.

Check Active Theme

  1. In your dashboard, click Appearance, then Themes.
  2. Hover over your active theme. You may see a notice like:
    • “New version available.”
  3. If there’s an update, click Update Now.

TIP: Themes, like plugins, can contain security holes. Don’t skip these updates!

Record Your Findings

  • Make a simple list (e.g. in a Google Doc, spreadsheet, or notebook) of:
    • What needs updating.
    • The current versions of your WordPress core, themes, and plugins.

This helps track progress and ensures accountability for your next audit.

2. Review User Accounts and Permissions

Too many admin accounts or unknown users can be a big security risk. You should review your user list at least a few times every year.

How to Review Users

  1. In the dashboard, go to Users, then click All Users.

You’ll see a list of everyone who has an account on your WordPress site.

Audit Administrator Accounts

  • Look at the Role column for users with the role “Administrator.”
  • Ideally, you should have only a handful of Administrator accounts. These accounts can:
    • Install plugins
    • Change themes
    • Edit settings
    • Change code

If you see extra Administrator accounts:

  • Check if they’re still necessary.
  • If not, either:
    • Change their role to Editor, Author, or Subscriber.
    • Or delete them.

How to change a user role:

  • Edit the user’s profile, then choose the new role from the “Role” dropdown, and click Update User.

Check for Suspicious or Unknown Accounts

  • Review the list for names or email addresses you don’t recognize.
  • Look at:
    • Registration dates (visible if your site allows user registration).
    • Strange usernames like random letters/numbers.

Suspicious signs:

  • Accounts created during odd hours (e.g. middle of the night).
  • Accounts with Administrator rights you didn’t create.

Check for Weak Usernames

  • Look for usernames like:
    • admin
    • administrator
    • yourbusinessname

These are easy targets for hackers trying to guess your login.

Fix this:

  • Create a new user with a unique username and assign them the Administrator role.
  • Log in with that new account.
  • Delete the old, generic “admin” account.

Review Account Activity

  • WordPress itself doesn’t show last login dates by default.
  • Some security plugins (like Wordfence, Sucuri, or WP Activity Log) let you see:
    • Last login dates
    • Inactive accounts
    • Suspicious activity

What to do:

  • Delete inactive accounts with Administrator access.
  • Lower permissions for users who don’t need high-level access.
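As an added example (not code from the original article), here is a small Python script that applies the checks in this section to a user export. It assumes the export is in the shape of WP-CLI's `wp user list --format=json` output; the accounts, the business name, the list of known logins and the "random-looking username" heuristic are all constructed for the example.

```python
"""Audit a WordPress user list for the warning signs described above."""
import json
import re
from datetime import datetime

# Constructed sample in the shape of `wp user list --format=json` output.
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "admin", "user_email": "owner@example.com",
     "roles": "administrator", "user_registered": "2019-04-02 10:15:00"},
    {"ID": 2, "user_login": "jane.doe", "user_email": "jane@example.com",
     "roles": "administrator", "user_registered": "2021-06-11 14:02:00"},
    {"ID": 3, "user_login": "x7q2kd9p", "user_email": "x7q2kd9p@mail.invalid",
     "roles": "administrator", "user_registered": "2024-05-18 03:12:44"},
    {"ID": 4, "user_login": "acmewidgets", "user_email": "ed@example.com",
     "roles": "editor", "user_registered": "2022-01-20 09:30:00"},
])

GENERIC_LOGINS = {"admin", "administrator"}  # the names the article warns about


def normalize(name):
    """Lowercase and drop non-alphanumerics so 'Acme Widgets' == 'acmewidgets'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def looks_random(login):
    """Heuristic (an assumption of this example) for 'random letters/numbers'
    usernames: mixes letters and digits and has at most one vowel."""
    has_letter = re.search(r"[a-z]", login) is not None
    has_digit = re.search(r"\d", login) is not None
    return has_letter and has_digit and sum(c in "aeiou" for c in login) <= 1


def audit_users(export_json, business_name, known_logins, max_admins=2,
                night_hours=range(0, 6)):
    """Return (login, issue) pairs; '*' marks a site-wide finding.
    `known_logins` are the accounts you created on purpose;
    `night_hours` are the 'odd hours', in the site's own timezone."""
    users = json.loads(export_json)
    business = normalize(business_name)
    known = {k.lower() for k in known_logins}
    findings = []
    admins = [u for u in users if "administrator" in u["roles"].split(",")]
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} administrator accounts (limit {max_admins})"))
    for u in users:
        login = u["user_login"].lower()
        is_admin = u in admins
        if login in GENERIC_LOGINS or normalize(login) == business:
            findings.append((login, "weak/guessable username"))
        if login not in known:
            findings.append((login, "unrecognized account"))
            if is_admin:
                findings.append((login, "unrecognized account with Administrator role"))
        if looks_random(login):
            findings.append((login, "random-looking username"))
        hour = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S").hour
        if hour in night_hours:
            findings.append((login, f"registered at {hour:02d}:xx, an odd hour"))
    return findings


if __name__ == "__main__":
    for login, issue in audit_users(SAMPLE_EXPORT, "Acme Widgets",
                                    {"admin", "jane.doe", "acmewidgets"}):
        print(f"{login:<14} {issue}")
```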

3. Scan for Malware and Suspicious Files

Install security plugins if you don’t have them active. We typically recommend using both Wordfence and Sucuri Scanner. Together they complement each other’s strengths and provide comprehensive protection.

  • Wordfence Setup: Install Wordfence (free version available) for real-time malware scanning and firewall protection.
  • Sucuri Scanner Addition: Add Sucuri Scanner for additional monitoring and cleanup capabilities.
  • Check Recent File Changes: Review files modified in the past 30 days. Legitimate changes should correlate with recent updates or content additions. Unexplained file modifications often indicate compromise.
  • Monitor Failed Login Attempts: Review recent login attempts and failures. Multiple failed attempts from foreign IP addresses suggest a brute force attack in progress.
  • Verify File Integrity: Compare core WordPress files against original versions. Modified core files usually indicate malware injection, although some managed WordPress hosting companies like Flywheel make modifications to the core WordPress files to ensure their system works correctly.

TIP: Some hosts provide server-level malware scanning. Check with your host to avoid duplicating efforts.
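Added example, not part of the original article: a Python file-integrity check that snapshots a WordPress directory and reports modified, added and removed files, keeping files your host is known to patch in a separate bucket rather than calling them suspicious. The mini site it builds in a temporary folder, and the list of host-managed files, are constructed for the example.

```python
"""Snapshot a WordPress tree and diff it against a later snapshot."""
import hashlib
import tempfile
from pathlib import Path

# Directories that change legitimately all the time (uploads, cache).
NOISY_DIRS = ("wp-content/uploads", "wp-content/cache")


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX paths to SHA-256 hashes. In the noisy directories
    only .php files are tracked: a PHP file appearing in uploads is exactly
    the kind of change worth flagging, while new images are routine."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        noisy = any(rel.startswith(d + "/") for d in NOISY_DIRS)
        if noisy and p.suffix.lower() != ".php":
            continue
        manifest[rel] = hash_file(p)
    return manifest


def compare(baseline, current, host_managed=()):
    """Diff two manifests. `host_managed` lists files the host is known to
    patch itself; changes there are reported separately, not as suspicious."""
    modified = [p for p in baseline if p in current and baseline[p] != current[p]]
    return {
        "modified": sorted(p for p in modified if p not in host_managed),
        "expected_host_changes": sorted(p for p in modified if p in host_managed),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed mini-site in a temp dir: snapshot it, then simulate a host
    patch, a tampered login file, a PHP file dropped into uploads, a normal
    image upload and a deleted plugin file. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        files = {
            "wp-login.php": "<?php /* login form */ ?>",
            "wp-includes/version.php": "<?php $wp_version = '6.5'; ?>",
            "wp-content/plugins/hello.php": "<?php /* plugin */ ?>",
            "wp-content/uploads/2024/photo.jpg": "jpeg-bytes",
        }
        for rel, body in files.items():
            path = site / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        baseline = build_manifest(site)

        # Events after the snapshot (all constructed for the example).
        (site / "wp-includes/version.php").write_text("<?php $wp_version = '6.5.1'; ?>")
        (site / "wp-login.php").write_text("<?php /* login form */ /* extra code */ ?>")
        (site / "wp-content/uploads/2024/extra.php").write_text("<?php /* unexpected */ ?>")
        (site / "wp-content/uploads/2024/logo.png").write_text("png-bytes")
        (site / "wp-content/plugins/hello.php").unlink()

        # Assumption for the demo: the host is known to patch version.php.
        return compare(baseline, build_manifest(site),
                       host_managed={"wp-includes/version.php"})


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

For the core files alone, WP-CLI's `wp core verify-checksums` does the same comparison against the checksums WordPress.org publishes; the script above extends the idea to plugins and to PHP files turning up in uploads.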

4. Test Backup Integrity and Restoration

Backups only matter if they actually work when you need them.

  • Locate Recent Backups: Find your three most recent backup files. Note their creation dates and file sizes. Backups should be consistent in size unless you’ve made major content changes.
  • Test Restoration Process: If possible, restore a backup to a staging environment. This identifies restoration issues before you face an emergency. Making sure your backup system works is a good idea.
  • Check Backup Frequency: Confirm backups run automatically and frequently enough for your business needs. High-traffic sites need daily backups; simple business sites can back up weekly.
  • Off-Site Storage: Consider storing backups off-site (e.g. Google Drive, Dropbox, Amazon S3) in case your server becomes compromised.
  • Encryption: For sensitive sites, ensure your backups are encrypted to protect customer data.

Most major managed WordPress hosts like WP Engine, Kinsta, Pressable, and Flywheel have built-in backups. You can also use systems like WP Remote or ManageWP to make regular backups of your WordPress site. We have found WP Remote to be a really good product both for backups and for scanning your site daily for malware.

Red Flags That Require Immediate Action

These findings indicate active security threats requiring immediate attention:

  • Unrecognized Admin Users: Unknown administrator accounts suggest successful compromise. Change all passwords immediately and investigate the account’s creation method.
  • Multiple Plugin Vulnerabilities: Plugins that haven’t been updated in over a month create significant risk. Update your plugins immediately or deactivate unused plugins.
  • Failed SSL Certificate: Missing or expired SSL certificates expose customer data and trigger browser security warnings.
  • Malware Detection: Any malware discovery requires professional cleaning.
  • Excessive Login Failures: Hundreds of failed login attempts indicate active brute force attacks. Implement login limiting and strong password requirements immediately.
  • Security Warnings in Google Search Console: If Google flags your website for malware, act quickly to clean the infection and request a review.
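Added example (not from the original article): Python detection logic that reads web-server access log lines and counts failed POSTs to /wp-login.php per source IP, using the same 5-attempt limit this guide recommends for login limiting. The log lines are constructed, and the assumption that a failed login re-renders the form with HTTP 200 while a successful one redirects with HTTP 302 is a heuristic that login plugins or 2FA can change.

```python
"""Spot login-guessing bursts in Apache/nginx combined-format access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one burst of six failures then a success (bad), one
# user who mistyped once (normal), one slow trickle, and a plain page load.
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2024:03:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2024:03:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2024:03:01:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2024:03:01:16 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2024:03:01:18 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2024:03:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2024:03:01:22 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [18/May/2024:09:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3998 "-" "Mozilla/5.0"
198.51.100.20 - - [18/May/2024:09:15:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
198.51.100.20 - - [18/May/2024:09:15:45 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [18/May/2024:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "curl/8.4"
203.0.113.9 - - [18/May/2024:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "curl/8.4"
203.0.113.9 - - [18/May/2024:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "curl/8.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_login_events(lines):
    """Yield (ip, timestamp, outcome) for POSTs to /wp-login.php.
    Heuristic assumed here: HTTP 302 means the login succeeded (redirect to
    the dashboard); anything else means the form was shown again (failure)."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, ("success" if m["status"] == "302" else "failed")


def max_in_window(times, window):
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Per source IP: total failures, the biggest burst inside `window`, and
    whether a success followed failures (worth checking that account).
    `flagged` is True when the burst reaches `threshold`."""
    failures = defaultdict(list)
    success_after = defaultdict(bool)
    for ip, ts, outcome in parse_login_events(log_text.splitlines()):
        if outcome == "failed":
            failures[ip].append(ts)
        elif ip in failures:
            success_after[ip] = True
    report = {}
    for ip, times in failures.items():
        burst = max_in_window(times, window)
        report[ip] = {"failures": len(times), "burst": burst,
                      "success_after_failures": success_after[ip],
                      "flagged": burst >= threshold}
    return report


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG).items():
        print(ip, info)
```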

Beyond the Audit: Ongoing Protection

Monthly audits catch most security issues, but comprehensive protection requires ongoing vigilance.

  • Establish Maintenance Schedules: Create recurring reminders for plugin updates, password changes, and security reviews. Consistency prevents small issues from becoming major problems.
  • Monitor Professional Resources: Subscribe to WordPress security bulletins and vulnerability databases. Early warning helps you patch critical issues before exploitation.

Examples:

  • WPScan Vulnerability Database
  • Wordfence Blog
  • WordPress.org Security team blog

5. Optimize Your Security Plugin Settings

After installing security plugins, most beginners don’t realize they need to turn on specific features for maximum protection. Here are the most important settings to enable:

Wordfence Security Settings

Essential Features to Enable:

  1. Go to Wordfence → Firewall
    • Turn on “Extended Protection” (if available)
    • Enable “Brute Force Protection”
    • Set maximum login attempts to 5
  2. Go to Wordfence → Scan
    • Enable “Scan for malicious URLs”
    • Turn on “Scan core files against repository versions”
    • Enable “Scan themes and plugins against repository versions”
    • Set automatic scans to daily
  3. Go to Wordfence → Login Security
    • Enable “Lock out invalid usernames immediately”
    • Turn on “Prevent users registering ‘admin’ username”
    • Enable “Prevent discovery of usernames through ‘/?author=N’ scans”


Optional but Recommended:

  • Two-Factor Authentication: Not everyone likes 2FA, but if you want extra security go to Login Security → Two-Factor Authentication and enable it for all admin users
  • Real-time IP Blacklist: Usually enabled by default, but check to make sure it’s on.

Sucuri Security Settings

Key Settings to Enable:

  1. Go to Sucuri Security → Dashboard
    • Complete the initial setup wizard
    • Enable API service connection
  2. Go to Sucuri Security → Hardening
    • Click “Harden” for these options:
      • Hide WordPress version
      • Block PHP files in uploads directory
      • Block proxy comment posting
      • Remove WordPress generator meta tag
      • Restrict PHP file execution
  3. Go to Sucuri Security → Settings
    • Enable “File Integrity Monitoring”
    • Turn on “Security Activity Auditing”
    • Enable email alerts for security events

All In One WP Security Settings

If you prefer this plugin instead:

  1. Go to WP Security → User Login
    • Enable “Login Lockdown”
    • Set “Max Login Attempts” to 5
    • Enable “Force Logout”
  2. Go to WP Security → Brute Force
    • Enable “Login Captcha”
  3. Go to WP Security → Scanner
    • Enable “File Change Detection”
    • Turn on “Malware Scanner”

Solid Security (formerly iThemes Security)

Note: This plugin is now called “Solid Security” – look for it in your plugins menu.

Basic Settings to Enable:

  1. Go to Solid Security → Dashboard
    • Run the “Security Check” for one-click setup
    • Enable recommended security measures
  2. Go to Solid Security → Local Brute Force
    • Enable protection
    • Set max attempts to 5
  3. Go to Solid Security → Strong Passwords
    • Require for administrators
    • Set minimum length to 12 characters
  4. Go to Solid Security → File Change Detection
    • Enable monitoring
    • Exclude log files and cache files

Universal Security Tips for Any Plugin

Always Enable These Features (if available):

  • Login attempt limiting (5-10 attempts max)
  • Malware scanning (daily if possible)
  • Brute force protection
  • Hide WordPress version
  • File integrity monitoring
  • Security notifications via email

Settings to Be Careful With:

  • Aggressive firewall rules – can block legitimate visitors
  • Automatic IP blocking – might lock you out
  • Cache clearing – can slow down your site

Test After Enabling:

  1. Log out of WordPress
  2. Try logging back in with a wrong password a few times to test the lockout
  3. Visit your site from a different device/browser to ensure it loads normally
  4. Check that contact forms still work

Additional Quick Wins

Monitor Your Website’s Health

Weekly Security Habits

  • Check your website admin email for security alerts
  • Look at your user list for any new, unknown accounts
  • Quickly scan your recent posts/pages for anything you didn’t create
  • Check if your site loads normally on both desktop and mobile

Simple Red Flags to Watch For

Contact your web development provider immediately if you see:

  • Your site redirects to strange websites
  • New admin users you didn’t create
  • Your Google search results show warnings
  • Emails from your hosting provider about suspicious activity
  • Your site loads much slower than usual

Basic Password Security

What Makes a Good Password:

  • At least 12 characters long
  • Mix of letters, numbers, and symbols
  • Not related to your business name
  • Different from passwords used elsewhere

SSL and Basic Hosting Security

SSL Certificate Check

Most web hosts automatically handle SSL certificates, but you should verify yours is working:

  1. Look for the padlock icon in your browser when visiting your site
  2. Your URL should start with “https://” not “http://”
  3. If you don’t see these, contact your hosting provider

Basic Hosting Security Questions to Ask Your Provider:

  • Do you provide automatic backups?
  • Is server-level malware scanning included?
  • Do you automatically update server software?
  • Is there a Web Application Firewall (WAF)?

Keep a Security Log

Create a simple document to track:

  • When you last updated plugins/themes
  • Any security alerts you’ve received
  • Changes you’ve made to security settings
  • Your backup schedule

Hosting Security Considerations

Your hosting provider is your first line of defense. Even the best WordPress security practices can’t overcome poor hosting security. Here’s what to look for:

Essential Hosting Security Features

Server-Level Security

  • Automatic server updates: Your host should keep server software current
  • Web Application Firewall (WAF): Blocks malicious traffic before it reaches your site
  • DDoS protection: Prevents attacks that try to overwhelm your server
  • Malware scanning: Server-level scanning catches threats that bypass WordPress plugins

WordPress-Specific Features

  • Automatic WordPress core updates: Many hosts can safely update WordPress automatically
  • Staging environments: Test updates safely before applying to your live site
  • One-click restores: Quick recovery from backups without technical knowledge
  • PHP version management: Ability to use current, secure PHP versions

Backup and Recovery

  • Automatic daily backups: Minimum requirement for most business sites
  • Off-site backup storage: Backups stored separately from your main server
  • Point-in-time recovery: Ability to restore to specific dates/times
  • Backup testing: Some hosts automatically verify backup integrity

Red Flags in Hosting Providers

Avoid hosts that:

  • Don’t offer SSL certificates or charge extra for basic security
  • Use outdated PHP versions (anything below 8.1)
  • Don’t provide any backup services
  • Have frequent unexplained downtime
  • Offer unlimited everything for extremely low prices
  • Don’t have 24/7 support available

Questions to Ask Potential Hosts

Before choosing a hosting provider, ask:

  1. Security: “What server-level security measures do you provide?”
  2. Updates: “Do you handle server software updates automatically?”
  3. Monitoring: “How do you monitor for and respond to security threats?”
  4. Backups: “What’s included in your backup service, and how do I restore if needed?”
  5. Support: “What’s your response time for security emergencies?”

Recommended Hosting Types for Different Needs

Managed WordPress Hosting (Recommended for most businesses)

Examples: WP Engine, Kinsta, Pressable, Flywheel

Pros: WordPress-specific security, automatic updates, expert support
Cons: Higher cost, WordPress-only

Quality Shared Hosting (Good for smaller sites)

Examples: SiteGround

Pros: Lower cost, good for beginners
Cons: Shared resources, limited customization

VPS/Dedicated Hosting (For advanced users)

Examples: DigitalOcean, Linode, LiquidWeb, AWS, Google Cloud

Pros: Full control, scalable
Cons: Requires technical knowledge, you handle security

When to Get Professional Help

While this guide helps you handle basic WordPress security, some situations require professional intervention. Here’s when to call for help:

Immediate Emergency – Call Now

Don’t try to fix these yourself:

Active Security Breaches

  • Your site displays content you didn’t create
  • Visitors see warnings about malware or viruses
  • Your site redirects to unrelated websites
  • You find administrator accounts you didn’t create
  • Google Search Console shows security warnings

Site Completely Down

  • White screen of death (blank page)
  • Database connection errors
  • Server errors (500, 502, 503)
  • Site won’t load at all

Suspicious Activity

  • Massive spike in server resource usage
  • Hundreds of unknown user registrations
  • Email reports of spam coming from your domain
  • Hosting provider contacts you about suspicious activity

Schedule Professional Help Soon

These issues need expert attention but aren’t emergencies:

Complex Technical Issues

  • Need to migrate to a new hosting provider
  • Want to implement advanced security measures (WAF, CDN, etc.)
  • Need custom security configurations for ecommerce
  • Require compliance with regulations (HIPAA, GDPR, PCI DSS)

Performance and Security Optimization

  • Site loading slowly despite basic optimization
  • Need advanced caching and security configuration
  • Want professional security audit and penetration testing
  • Require custom backup and disaster recovery solutions

Development and Maintenance

  • Need custom plugin or theme development
  • Want ongoing professional maintenance and monitoring
  • Require staging site setup for safe testing
  • Need advanced user role and permission management

Consider Professional Maintenance If

You Value Your Time

  • Monthly security tasks take too long
  • You forget to perform regular maintenance
  • You’d rather focus on running your business
  • You don’t enjoy technical work

Your Site is Business-Critical

  • Downtime directly costs you money
  • You handle customer data or payments
  • Your site is your primary marketing tool
  • You can’t afford to learn through trial and error

You’re Growing

  • Need multiple sites managed consistently
  • Require advanced security features
  • Want professional monitoring and alerts
  • Need guarantee of update compatibility

How to Choose a WordPress Professional

Red Flags to Avoid

  • Promises to fix everything for unrealistically low prices
  • Can’t explain their process in simple terms
  • Doesn’t ask about your backups before starting work
  • Guarantees your site will never be hacked
  • Pressures you to buy services immediately

Good Signs to Look For

  • Asks good questions: About your business, current setup, goals
  • Explains clearly: Can describe what they’ll do and why
  • Shows credentials: WordPress experience, client testimonials
  • Discusses prevention: Not just fixing problems but preventing them
  • Transparent pricing: Clear costs and what’s included

Questions to Ask Potential Providers

  1. Experience: “How many WordPress sites do you manage?”
  2. Process: “What’s your process for handling security emergencies?”
  3. Communication: “How will you keep me informed of issues and updates?”
  4. Backup policy: “What’s your backup strategy before making changes?”
  5. Response time: “How quickly do you respond to urgent issues?”
  6. Ongoing support: “What happens if something breaks after you fix it?”

Preparing for Professional Help

Before Calling for Emergency Help

  • Document the problem: Screenshots, error messages, timeline
  • Gather login information: WordPress admin, hosting account, domain registrar
  • Note recent changes: Recent updates, new plugins, theme changes
  • Check email: Look for any notices from hosting provider or security plugins

Information Professionals Will Need

  • WordPress admin login credentials
  • Hosting account access (cPanel, hosting dashboard)
  • Domain registrar information
  • Details about recent changes or issues
  • Business requirements and constraints

DIY vs Professional: Making the Decision

Stick with DIY when:

  • You enjoy learning technical skills
  • Your site isn’t business-critical
  • You have time to troubleshoot issues
  • The problem is covered in this guide
  • You’re comfortable with the risk of making mistakes

Call a professional when:

  • You suspect an active security breach
  • Your site is down and you can’t fix it
  • You’re uncomfortable with the technical complexity
  • Mistakes could cost you significant money
  • You need expertise you don’t have time to develop

Remember: The cost of professional help is almost always less than the cost of a compromised website affecting your business.

Remember: Start Small

Don’t try to implement everything at once. Consistent small improvements are better than trying to do everything and getting overwhelmed.

The most important things for beginners:

  1. Keep WordPress, themes, and plugins updated
  2. Use strong passwords
  3. Install a reputable security plugin and configure it properly
  4. Have working backups
  5. Monitor your site regularly

Everything else is extra protection that you can add over time.

Regular monthly prevention beats days or possibly weeks of emergency recovery every time. If you don’t want to do this yourself then professional WordPress maintenance might be worthwhile.