Run A WordPress Security Audit In 10 Steps

WordPress powers over 40% of all websites – it’s the single most popular website platform by far. Imagine then, you’re a hacker, looking to maximise your results. Which platform would you focus on?

WordPress, of course.

Staying on top of your WordPress security and knowing where you stand, is critical to fending off the inevitable attempts to hack your WordPress sites.

But how can we know how effective our WordPress security is in any given moment? How can we be sure we’re safe and doing everything we can to stay that way?

We achieve this through regular WordPress Security Audits.

In this post we’re continuing with our theme of demystifying WordPress Security. We’ll provide you with clear guidelines to follow to perform a Security Audit and know your sites are optimally protected.

But first, let’s get clear on what a WordPress Security Audit is.

What Is A WordPress Security Audit?

A WordPress Security Audit is an in-depth analysis of your WordPress website security at any given moment. It identifies key areas and examines them for possible issues, vulnerabilities and possible intrusion.

During the Security Audit process, you’ll look for suspicious activity, malicious code, unusual performance drops, and disfunctional security configurations, then take steps to isolate the causes and fix it.

Scheduling your security audits is strongly recommended, but sometimes you may need to take unplanned action when the need arises.

What Are The Signs That You Need To Run A Security Audit Now?

Security Audits should be performed at least once per month. This is the absolute minimum.

We also recommend taking a few minutes every week to do a lighter review of your sites to ensure you catch issues early.

If you’re running any sort of intrusion prevention systems, in the form of a WordPress security plugin for example, you may get warnings that a security audit is needed. Some signs that your site needs an audit include:

You Receive Security Alerts

Security alerts never follow your schedule, so if you’re using a tool like Shield Security and receive a security alert (from scans, for example), you should respond urgently.

Perhaps you, or another admin, modified key files on your site. That’s no problem, but you should still review the results and clear them out so you’re operating with a clean slate.

Unusual Website Performance Degradation

If you notice, or receive reports that, the site is performing poorly, you’ll want to get to the root cause. DoS/DDoS attacks, or sustained attacks to your WordPress login could be eating up your server resources, for example.

If you don’t review logs, then you won’t know what’s causing the degradation in performance.

Suspicious User Activities

Seeing an influx of new WordPress user registrations could indicate that something is going wrong, or perhaps your security plugin’s configuration has changed.

Sudden Comment SPAM floods can also point to a change that needs to be addressed.

The 3 examples above are just examples. The key point to take away from each of them is that when something “strange” is happening, then there is usually a problem, somewhere that needs investigating.

The sooner you find the cause, the better off your site security will be.

How To Perform A Security Audit On Your WordPress Website

To make WordPress security audits easy, we’ve provided a clear list of tasks. It isn’t exhaustive, but it’ll cover the most important areas.

You can follow the checklist in any order, but we’ve provided them in this order as they’re usually going to catch the most critical issues first.

As always, time is of the essence and the sooner you plug a gap, the better off you’ll be.

Critical Pre-Security Audit Step: Website Backup

Always, always have a usable and complete website backup at-hand in case trouble befalls your site after you make changes during the audit.

We can’t overstate this. Backups are crucial.

#1 Update Your WordPress Core, Plugins And Themes

WordPress updates are the most critical actions required for website security. They are essential for prevention and elimination of security vulnerabilities.

Always ensure that your WordPress core, plugins and themes are up-to-date. You can do this easily by selecting “Updates” directly from within the WordPress dashboard, or use Shield Security to automate it.

#2 Review Your User Accounts And Passwords

Review WordPress user accounts through WordPress’ Users > All Users page. If you notice suspicious user accounts, you should delete them.

If your WordPress website doesn’t require users to open an account, you should ensure that the “Anyone can register” option is disabled (unchecked) under Settings > General.

It is also essential to regularly monitor inactive/idle user accounts. Then, delete accounts that are unused after a set period of time.

You can use ShieldPRO to automatically suspend idle/inactive users which can go a long way to reducing the risk of unauthorised access to your website.

#3 Perform A WordPress Security Scan

The best way to check for malicious files is using an automated file scanner. There are many different types available, and the ShieldPRO Security plugin comes with everything you need to detect file changes and malicious code. 

Shield Security scans your website WordPress core, plugin and theme files (including premium ones) completely automatically for you, looking for 

• malware code (using AI technology)
• any files that might be modified or tampered with
• Any “unknown” files – not part of your original installation files
• security vulnerabilities in your plugins
• abandoned plugins which may have security vulnerabilities (see also #4 below)

Once the scans detect any suspicious files, you’ll need to examine the results and accept, repair or remove them from your website.

To protect and monitor your files in a real time, we highly recommend keeping all scans running as frequently as possible.

#4 Remove Unused And Abandoned Plugins And Themes

Unused or abandoned WordPress plugins and themes can pose a security risk to your website. Good code needs to be maintained. If it’s left abandoned by the developer, you run the risk of having outdated, incompatible, and potentially vulnerable code on your site.

These plugins and themes should be removed from your website altogether and alternatives found.

An important point to note about abandoned plugins is that if you retain an abandoned plugin, and the code becoming increasingly out-dated, you’ll struggle to keep your entire website updated. New versions of WordPress, new version of PHP etc., will start to cause that old code trouble and you’ll eventually need to restrain from upgrading more components of your webhosting stack because of that outdated plugin. Keep on top of abandoned plugins and themes early.

Shield Security uses its Abandoned Plugins scanner to detect these types of plugins helping you identify this risk more easily.

#5 Check WordPress Website Analytics

Website analytics help you monitor traffic on your website. This can also be a great overall indicator of your site’s health.

Using tools like Google Analytics and Google Search Console, you can identify performance drops, or sudden traffic spikes and drops, and also be alerted when your site is blacklisted. Google Search Console also provides insights into the health of your website and how it appears in Google search results.

While these tools may not directly tell you there’s a security issue on your site, they can indicate a problem based on the secondary effects of these issues.

#6 Review Your WordPress Security Plugin Configuration

A security plugin plays a critical role in monitoring and protecting against attack.

Your WordPress security plugin should provide a quick at-a-glance way of reviewing your security posture. When it points out something need attention, take the recommended steps to resolve the issues.

Shield Security’s Overview page will give a clear overview of your entire security configuration and anything critical will be highlighted in red.

We strongly recommend that you use the overview dashboard regularly to keep on top of any issues that arise.

As an aside to this, using Shield’s Security Admin feature will ensure that your security configuration will never change without your say-so. This prevents uninformed admins from accidentally changing your security configuration. 

#7 Review Your Current User Permissions

Review and limit access to certain user roles. Only website admins should have full access to your website admin area.

The easiest way to achieve this is to apply the Principle of Least Privilege (PoLP). This is a security principle that requires limiting WordPress user access rights. Each user role should only have access to the areas of your website that are necessary to perform their tasks.

We go into further details on (PoLP) here.

You’ll want to limit administrator access to only those people that require full site access.

#8 Improve Your WordPress Hosting/Server Security

It’s important to ensure that your WordPress server hosting infrastructure is up-to-date and configured optimally.

Server admin isn’t for everyone, which is why there are many tools and resources out there to help you. We would rarely recommend that you manage your server directly, yourself.

Steps you can take during your Security Audit include:

1. Assessing your hosting provider
2. Monitor server resources to identify any issues that could be affecting website performance or security. You can use server monitoring tools, too.
3. Use ShieldPRO Traffic Rate Limiting feature – an additional security layer to protect your website from brute force attacks which can overwhelm your server.
4. Assess the need for a reverse proxy service such as CloudFlare – it’s rare to not need this. If you’re already using it, review the configuration for your domain to see if there are new features available

As for improving your website performance in general, we highly recommend not using page cache. Instead, here is the list of the rules you can implement for your website optimisation.

#9 Review Your Current FTP User Permissions

FTP users have access to your WordPress core files, themes, and plugins. This gives them permission to inject malicious code into your files, add backdoors, or make other changes that could result in serious security breaches.

FTP is the ultimate admin access to a WordPress site.

Even if FTP users don’t have bad intentions, they may accidentally remove or modify important files, which can break your website and make it unavailable for your customers.

Review user permissions and ensure that they get access only to what is absolutely necessary.

#10 Stay Safe: Harden Your WordPress Security

WordPress security hardening is the process of taking proactive steps to make your website more secure against potential vulnerabilities and overall security risks. It involves implementing a range of security measures to protect your website from unauthorized access, data breaches, and other security threats.

Make sure that security hardening is included in your WordPress Security Audit and here is a list of the core steps to get started.

WordPress Security Audit Summary

A security audit is not a 1-time only event. It’s an ongoing process of review and correction.

Sometimes you may make tweaks and changes and forget you’ve even done it, only to notice a few weeks later the impact that it has made. With a regular review of your security and site performance will you catch things like this and resolve them before they can escalate into bigger problem.

The key to all of this is schedule. Try to schedule in a regular time slot to run through your checklist and make sure nothing is amiss.

As we mentioned earlier, this isn’t an exhaustive list – perhaps you have important steps that you take regularly that aren’t mentioned here. We want to hear about and we’ll even update the article if it’s something that can be broadly applied to most folk. Let us know in the comments below.