WordPress security audit checklist

Ensuring your WordPress website’s security is vital for protecting sensitive data, keeping customer trust, and safeguarding your online business. A secure site defends against unauthorised access, data breaches, and harmful attacks, ensuring visitors can always access and use your site without interruption.

But how can you ensure that your WordPress website remains secure?

We’ve created a WordPress security audit checklist, designed to give you a few pointers and tips on how you can keep your WordPress site secure.

Ashley Porter emphasised, “It’s good to practice the principle of least privilege so that in the event a person or entity is hacked the least amount of damage is done.” Lead Developer for All-In-One Security (AIOS)

In this article, we’ll provide 9 effective tips to enhance the security of your WordPress website.

Let’s get started!

 

WordPress security checklist

1. Keep your WordPress core, themes, plugins, and PHP version up to date

Keeping your WordPress core, themes, plugins, and PHP version up to date is crucial for website security. Hackers often target outdated software, making it a common vulnerability. 

WordPress developers release updates which can include security patches for vulnerabilities found in previous versions. These updates protect your website from cybercriminals aiming to access, inject harmful code, or compromise user data.

Updating is simple. Login to your WordPress website’s admin panel and navigate to the Dashboard > Updates area. Here, you’ll find available updates for the core software, themes, and plugins.

 

Enabling automatic updates for WordPress core, themes, and plugins can help make sure your site is always up to date.

 

2. Keep regular backups of your website

Keeping backups protects your website from unexpected data loss, hacking, or server failures. It helps you restore your website to its previous state and minimise downtime.

While some hosting providers offer to take backups for you, you may prefer to use a WordPress plugin like UpdraftPlus for more control over your backups.

With a plugin, you can personalise your backup schedule and save your backups outside of your web server. Back up to various locations like Dropbox, Google Drive, Amazon S3, Rackspace, One Drive, SFTP, Azure, or WebDAV. 

 

Expert tip: Learn how to backup your WordPress website.

3. Install SSL certificate

Installing a SSL (Secure Sockets Layer) certificate secures your website’s interaction with visitors. It encrypts the data exchanged between the user’s browser and your server. You can secure sensitive information like login credentials, payment details, and other personal data. 

Setting up an SSL certificate is quite simple. Web hosting providers often include SSL certificates in their plans with one-click installation. You can also buy SSL certificates from trusted Certificate Authorities (CAs) such as DigiCert, Comodo SSL, GlobalSign, GeoTrust or others.

Here is an example of a website which has an active SSL certificate:

 

 

4. Ensure login security

To keep your WordPress site safe, it’s essential to prioritise login security. Unauthorised access and brute force attacks can pose a serious threat.

Here are some measures you can take to enhance your login security:

 

1. Encourage strong passwords: Encourage users to create complex passwords with a combination of uppercase and lowercase letters, numbers, and special characters. You can use password strength meters and enforce expiration of old passwords.

2. Limit login attempts: Setting login attempt limits helps prevent brute force attacks. By setting a maximum number of failed login attempts, you can temporarily lock out the user or IP address.

3. Integrate CAPTCHA verification: You can incorporate CAPTCHA or reCAPTCHA verification on your login page. It helps you deter automated bots from attempting to log in. 

While CAPTCHA is effective, alternative options include:

• Cloudflare Turnstile: This approach involves running JavaScript challenges on the browser without the user having to complete anything. 
• Honeypot Technique: You can use invisible form fields that bots fill out but humans don’t. This allows you to easily identify and block bots without user interaction.

5. Enable two-factor authentication (2FA)

Two-factor authentication (2FA) provides an extra layer of security for your WordPress website. It requires users to provide a second form of verification, along with their password, before gaining access to their accounts.

Implementing 2FA strengthens your website’s security by addressing the risks associated with weak or stolen passwords. Even if someone obtains a user’s password, they still need access to the user’s secondary authentication method, like a mobile device or authenticator app, to successfully log in.

 

6. Review current user permissions

Mismanaging user permissions can lead to security issues, data breaches, and unintended changes to your website. Giving users too much access increases the risk of unauthorised access and misuse of admin privileges.

To review and adjust user permissions in WordPress, follow these steps:

• Log in to your WordPress dashboard as an administrator.
• Navigate to the Users > All Users section.
• Review the list of users and their associated roles and permissions.
• Check if each user needs their current access level or if adjustments are required.
• Edit each user’s profile and adjust their role or permissions.
• Consider creating custom user roles with specific permissions based on your needs.

 

7. Change the WordPress database table prefix

The default WordPress database table prefix is ‘wp_’, which is widely known to attackers. We recommend changing the prefix of your WordPress database table from ‘wp_’ to something else in the WP-config.php file.

By doing so, you can make it harder for hackers to guess the structure of your database. This, in turn, reduces the risk of SQL injection attacks aimed at accessing sensitive data.

To change the database table prefix in WordPress, follow these steps:

1. Use an FTP client or your web hosting provider’s file manager to access your website’s files.
2. Locate the ‘wp-config.php’ file in the root directory of your WordPress installation.
3. Open the ‘wp-config.php’ file in a text editor and find the line that defines the database table prefix. It should resemble this: $table_prefix = ‘wp_’;
4. Replace the default prefix ‘wp_’ with a unique prefix of your preference. For example: $table_prefix = ‘newprefix_’;
5. Save the changes to the ‘wp-config.php’ file and upload it back to your server.

Expert tip: Before modifying the ‘wp-config.php’ file, take a backup of your website.

8. Disable file editing within the WordPress dashboard

WordPress allows you to edit your theme and plugin files from the WordPress admin area using the built-in code editor. Hackers can easily abuse this feature if they get access to your website.

Disabling this means that if they do get access, they at least won’t be able to edit your theme or plugin files.

Add the following line of code to the ‘wp-config.php’ file to disable file editing:

define( ‘DISALLOW_FILE_EDIT’, true );

 

9. Disable PHP error reporting

Disabling PHP error reporting protects critical website details, like server environment and file paths, from unauthorised access. When you turn off error reporting, any mistakes in the website’s code won’t show up for users to see.

Instead of showing technical details to everyone, the website quietly deals with errors in the background. Site managers can still see these errors, but hackers can’t, which makes the website safer. This simple step lowers the risk of attacks and makes your WordPress site more secure.

Add the following lines of code to the ‘wp-config.php’ file, preferably near the end:

 

// Disable error reporting

ini_set(‘display_errors’,’Off’);

ini_set(‘error_reporting’, E_ALL );

define(‘WP_DEBUG’, false);

define(‘WP_DEBUG_DISPLAY’, false);

 

Final thoughts

Keeping your WordPress website safe is crucial. A successful security audit reduces unauthorised access, data leaks, and vulnerabilities. By following this checklist, you can strengthen your WordPress website’s security and protect it from malicious attacks. 

 

Frequently asked questions

Here are some common questions people often ask about WordPress security audits.

 

What is a WordPress security audit?

A WordPress security audit involves a comprehensive evaluation of your website’s security measures, configurations, and potential vulnerabilities. It inspects your website user access, file permissions, software versions, and server configurations. It helps find potential risks and weaknesses that attackers could exploit.

 

When should I conduct a WordPress security audit?

It’s recommended to perform a WordPress security audit regularly. You can do it at least once every few months to stay protected from new threats and vulnerabilities. Make sure to do audits after important updates or changes to your site.

 

What are the most common WordPress security vulnerabilities?

The most common WordPress security vulnerabilities are the following:

• Brute-force login attempts happen when a hacker uses automated tools to try different username and password combinations until they find the right one.
• Cross-site scripting (XSS) occurs when an attacker puts a harmful script into a trusted website, making users do things they didn’t intend to.
• SQL injection (SQLi) is when hackers inject malicious code into the database using a contact form or other input fields to manipulate data.
• Backdoors are files containing harmful code. It helps hackers bypass security measures and login restrictions to get unauthorised access to a website.
• Denial-of-service (DoS) attacks occur when a server is overloaded with traffic and blocks authorized users from assessing their websites.
• Local file inclusion (LFI) happens when hackers exploit vulnerabilities to add harmful files to a web server through a browser.

Can I perform a WordPress security audit, or should I hire a professional?

Yes, you can perform a basic security audit using articles like this one. But, it’s good to consider hiring a WordPress security expert or agency for more complex security audits. They offer detailed analysis, identify advanced threats, and suggest ways to improve security.