WordPress Security Audit Checklist: 15 Steps to Protect Your Site

Introduction

assorted icon lot
Photo by Stephen Phillips – Hostreviews.co.uk on Unsplash

WordPress security dashboard displaying green checkmarks for secure items and warning icons for potential issues

Running a WordPress site means you are responsible for its security. Whether you manage a single business site or a dozen client projects, threats evolve constantly. A plugin you trusted last year might have a new vulnerability today. A weak password you set months ago could already be compromised. This checklist is built for site owners and administrators, not just developers. It gives you 15 concrete steps to audit your site’s security posture. You don’t need to be a security expert to run through these. You just need access to your admin dashboard and about an hour of focused time.

Why a Regular Security Audit Matters

Security is not a one-time setup. It is ongoing maintenance. Most breaches happen because of outdated plugins, weak passwords, or abandoned user accounts. A regular audit catches those issues before attackers exploit them. Think of it like checking your car’s oil and tire pressure. The routine is quick, but skipping it invites real problems. A structured checklist removes the guesswork. You work through each item, confirm it is handled, and move on. Over time, the process becomes fast and automatic. Your site stays safer, and you get peace of mind knowing exactly where you stand.

Before You Start: What You’ll Need

Gather these items before you begin the audit so you don’t have to hunt for credentials mid-process.

  • Admin access to your WordPress dashboard
  • FTP or SFTP credentials (for checking file permissions and config files)
  • A security plugin (Wordfence, Sucuri, or iThemes Security recommended)
  • A backup plugin with recent backup files you can verify
  • A password manager (to check password strength across accounts)
  • Two-factor authentication app (Authy or Google Authenticator) if not already set up

The 15-Step WordPress Security Audit Checklist

Step 1: Update WordPress Core, Themes, and Plugins

Go to your dashboard and check for updates. Apply every pending update. Outdated software is the most common entry point for attackers. Turn on automatic updates for minor core releases and security patches after the audit.

Step 2: Verify User Roles and Permissions

Review every user account. Confirm that each person has the correct role. No subscriber should have Editor access. No former employee should remain on your site with any role. Remove or downgrade accounts that do not fit their current role.

Step 3: Remove Unused Themes and Plugins

Delete any themes and plugins you are not actively using. Inactive plugins can still contain vulnerabilities. Keep only what your site needs. A lean install is a more secure install.

Step 4: Review User Accounts and Delete Spammers

Look for suspicious accounts, especially those with usernames that look like random strings. Spammers often create accounts to inject content or links. Delete any accounts you do not recognize or trust.

Step 5: Change the Admin Username

If your admin user is still named “admin,” change it immediately. That username is the first thing bots try when brute-forcing a login. You can create a new admin account with a unique name and delete the old one, or use a plugin to rename it safely.

Step 6: Enforce Strong Passwords

Use a password manager to generate and store complex passwords for every user. Weak passwords like “password123” or “wordpress” are still shockingly common. Force password resets for any user with a weak password.

Step 7: Enable Two-Factor Authentication (2FA)

Install a 2FA plugin and require all admin users to set it up. This adds a second layer of protection. Even if a password is stolen, the attacker cannot log in without the one-time code from the user’s phone.

Server security audit checklist on a clipboard next to a computer screen displaying security settings

Step 8: Check File Permissions

Directories should be set to 755. Files should be set to 644. Your wp-config.php file should be set to 600 or 640. Overly permissive file settings make it easy for attackers to overwrite your files.

Step 9: Review .htaccess Security Rules

Check your .htaccess file for recommended security rules. Common protections include blocking direct access to wp-includes, disabling directory browsing, and limiting access to wp-admin by IP.

Step 10: Disable File Editing via wp-config

Add define('DISALLOW_FILE_EDIT', true); to your wp-config.php file. This disables the theme and plugin editor inside the dashboard. If an attacker gains admin access, they cannot inject malicious code through that editor.

Step 11: Check for Suspicious Admin Users

Review the list of users with Administrator or Editor roles. If you see an unfamiliar username, investigate immediately. Attackers sometimes create hidden admin accounts during a breach.

Step 12: Run a Malware Scan

Use your security plugin to run a full malware scan. Check for suspicious file modifications, backdoors, and injected code. If anything is flagged, follow your security plugin’s cleanup instructions.

Step 13: Verify Backup Integrity

Do not just assume backups are working. Restore a backup to a staging site or download a copy and confirm it opens correctly. Verify that your backup plugin is scheduled to run daily and that backup files are stored off-server.

Step 14: Monitor 404 Logs for Intrusion Attempts

Check your 404 error logs. A high number of 404s for wp-admin, xmlrpc.php, or plugin-specific paths often indicates automated scanning by bots. Block repeated offenders using your security plugin’s firewall settings.

Step 15: Test SSL Certificate Validity and Configuration

Check that your SSL certificate is active and not expired. View your site in a browser and confirm the padlock icon appears. Mixed content warnings mean some resources are loading over HTTP, which weakens security.

Automating Your Security Audits

Running a manual audit every month is effective, but automation makes it sustainable. Security plugins can handle the heavy lifting. Wordfence offers scheduled malware scans and firewall rule updates. Sucuri provides real-time monitoring and alerts for changes to your files. iThemes Security can enforce password policies and lock out users after repeated failed login attempts.

wordpress, blogging, blogger, editor, blog post, cms, blog, write, publish, publication, social media, wordpress, wordpr
Photo by pixelcreatures on Pixabay

For developers comfortable with the command line, WP-CLI makes automation even cleaner. You can run updates, check user lists, and verify plugin status with simple commands. A basic weekly script might look like this:

Illustration of a WordPress site icon shielded by a lock and protection symbols

wp plugin update --all
wp theme update --all
wp core update
wp user list > users.txt

Automated backups are non-negotiable. Choose a plugin that sends copies to a remote location like Amazon S3, Google Drive, or Dropbox. Verify the backup runs automatically at least once per day. Set up email alerts so you know immediately if a backup fails.

What to Do If You Find a Vulnerability

Discovering a vulnerability during your audit is not the end of the world. It is the entire reason you are running the audit. Act quickly but methodically.

  1. Isolate the site if possible. Put it behind a maintenance page or restrict access to your IP.
  2. Change all passwords immediately, including admin accounts, FTP, and database credentials.
  3. Run a full malware scan with your security plugin.
  4. Restore a clean backup if you have one from before the vulnerability appeared.
  5. Update every theme, plugin, and core file.
  6. Monitor site activity logs for the next few days to ensure no further intrusion.

Stay calm. Follow the steps in order. If you catch it early, most vulnerabilities can be resolved without data loss or downtime.

Frequently Asked Questions

How often should I run a security audit?

Monthly is the standard recommendation for most WordPress sites. High-traffic sites or sites handling sensitive data should consider weekly audits. Automated scans can run daily without any manual effort.

Can I do this audit without a security plugin?

Technically yes, but it is harder. You would need to manually check file permissions, review logs, and scan for malware using command-line tools. A good security plugin simplifies the process significantly for site owners.

What if I have no technical background?

Start with the steps that only require your dashboard, like updating plugins and reviewing user accounts. For the technical steps like .htaccess or file permissions, ask your developer or hosting support to walk through those with you.

Is a staging site necessary for audits?

Not required, but helpful. Running major updates or file permission changes on a staging site first lets you test for issues without risking your live site. Many hosting providers offer one-click staging.

Your Next Step: Keep Your Site Secure

This checklist works best when it becomes a habit. Run through it once a month and your site will be far safer than most. To make it easier, download our printable checklist and keep it with your site credentials. If you want monthly security reminders and tips, join our email list. No fluff, just practical guidance to keep your WordPress site running securely. Your site works for you. Make sure the security work happens in the background, quietly and reliably.