Imagine this: one day you sat down and ran a complete security setup on your site. You installed a WordPress security plugin, updated all your plugins and themes, and implemented website hardening measures. You’re sure your site is safe and secure from hackers.
A few months later, you wake up to find that your website has been hacked. When you try to access your site, you’re redirected to another one. Or you might see malicious pop-ups and ads on your site. You realize your security measures failed!
This is a scenario faced by many WordPress site owners.
Many mistake security for a one-time task. They set it all up and then forget about it. But the truth is that your website security needs to be constantly monitored and updated.
Security tools and measures are constantly advancing, but hackers aren’t far behind in breaking them. This highlights the need for security audits, where you evaluate your existing security measures and check whether they’re still effective.
Without security audits in place, the chances of hackers breaking into your site are much higher. Once they gain access to your site, they can divert your traffic, display illegal content and ads, defraud your customers and steal personal data, among a long list of malicious acts.
But don’t worry, this can all be avoided by ensuring your security measures are up to date. Today, we’ll show you the steps on how to run a successful security audit on your WordPress site.
What Is A WordPress Security Audit?
Sooner or later, most WordPress websites run into security issues. For instance, plugins and themes can develop WordPress vulnerabilities that could be exploited by hackers to break into your website.
A WordPress Security Audit can help identify these issues promptly so that you can take measures to close any security gaps on your site. When you run a security audit, you check the existing security measures on your website, and then identify what additional security measures you can implement to ensure that it’s protected.
A full security audit can involve several steps and can become a mess if you don’t have a process and a checklist in place.
Today, we’re going to take you through our step-by-step WordPress Security Auditing Guide. This audit trail will enable you to conduct a complete and comprehensive audit of your website.
How To Run A Successful Security Audit?
In this audit, we’ll thoroughly review your website’s security. Let’s begin.
1. Evaluate your security plugin
Your website’s security plugin is your first checkpoint. If you aren’t already using a security plugin, consider activating one on your site immediately. A security plugin protects WordPress websites from hackers and bots. There are plenty of options to choose from, but not all of them are effective, so you have to choose the right security plugin. Here’s a list of features that your security plugin MUST offer:
i. Malware scan
Hackers are always on the lookout for vulnerable plugins. We strongly recommend using a WordPress Malware scan plugin that will run a daily scan of your website. It should conduct a deep scan that checks every file and folder of your website, including your database.
ii. Activity log
A WP security audit log tracks user activity on your site, such as who logged in, details of failed login attempts, and what WordPress users did on the website. An activity log comes in handy when you want to figure out how your site got hacked or what changes were made to cause it to malfunction.
iii. Malware cleanups
A good security plugin will enable you to clean your website quickly and completely.
iv. Real-time alerts
If there is suspicious activity on your site, the plugin should detect it and alert you immediately. This enables you to take prompt action.
v. Login protection
Hackers often attack your login page and try different combinations of usernames and passwords to break into your website (known as a brute-force attack). The security plugin should be able to block such attacks. You can read our guide on WordPress login security.
vi. Firewall
You need a WordPress firewall on your website that proactively blocks hackers, malicious bots and IP addresses that attempt to break into your site. Setting up a firewall requires technical expertise. However, you can find security plugins that install and activate it for you.
vii. Offsite scan
The scanning process requires a lot of server resources to run. If the plugin uses your own server, the scan can overload your site and cause it to slow down. Look for a plugin that uses its own servers to scan your site.
If you feel your security solution isn’t effective, you can choose from the top security plugins available.
We recommend using MalCare as it covers all these features. It has one of the best malware scanners that can detect any kind of malware. And moreover, you can clean up any malware infection in under a few minutes!
2. Test your WordPress backup solution
Having a backup of your WordPress site can come in handy if anything were to go wrong. You can easily restore your backup and get your site back to normal.
But what happens if your backup fails? What happens if you can’t restore it?
This is why you need to test your backup. If you’re relying on your host’s backups, note that some hosts don’t offer a way to test a restore. Here’s what we recommend to test your backup:
Install BlogVault backup plugin on your WordPress site. It will automatically take a complete backup of your site.
Note that the first backup may take a while as it will copy the entire website onto its own servers. Subsequent backups are much faster as it uses incremental technology where it backs up only the changes made.
Once the backup is complete, from the BlogVault dashboard, access the option ‘Test Restore’.
Once done, it will alert you that your restore was successful.
3. Examine your current admin setup
WordPress allows multiple people to collaborate and contribute to WordPress development and WordPress maintenance. But not every WordPress user needs complete access to the site. For example, a writer would only need access to write and publish content. They needn’t have access to make other changes like installing plugins or changing the theme.
To prevent giving every user on your site complete access, WordPress has six different user roles that you can assign – Super Admin, Administrator, Editor, Author, Contributor and Subscriber. Each role has different levels of permissions.
While conducting your WordPress security audit, the first thing you need to analyze is the users you have added to your WordPress site.
- Check how many of these users have admin access.
- Determine how many actually need admin access.
- Restrict access and grant lower permissions by changing the user roles for those who don’t need to be admins.
- Make sure you can recognise all users on your dashboard. Delete any users that you don’t recognise as they could be rogue user accounts created by hackers.
Next, ensure that anyone who is an admin on your website isn’t using the username ‘admin’. This is the most common username WordPress admins use for their accounts. Hackers are well aware of this and try to use the name to gain access to your site.
To change the name from ‘admin’ to something more unique, you would need to first create a new user account for that person. You can assign all content to the new WordPress user you created. Next, you can delete the old ‘admin’ account. Check our guide on how to change the default WordPress username.
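A quick way to run the user check from this step on the command line, as an added example that is not part of the original article: it reads the CSV shape produced by WP-CLI’s `wp user list --fields=user_login,roles --format=csv`, counts administrator accounts and flags any that still use the login name ‘admin’. The rows embedded below are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original article): audits the user list from
# step 3, reporting how many accounts hold the administrator role and
# flagging any that still use the login name 'admin'. The input is the
# shape produced by WP-CLI's
#   wp user list --fields=user_login,roles --format=csv
# on a live site; the rows below are constructed sample data.

# Reads the CSV on stdin. Prints one line per administrator plus a total.
# Returns 1 if an account named 'admin' is still an administrator, else 0.
# (Accounts with several roles appear as a quoted "role1,role2" field;
#  matching the role with ~ rather than == still catches those.)
audit_admins() {
    awk -F',' '
        NR == 1 { next }                         # skip the CSV header row
        $2 ~ /administrator/ {
            admins++
            note = ($1 == "admin") ? "  <- rename: default username" : ""
            if ($1 == "admin") flagged = 1
            print "administrator: " $1 note
        }
        END {
            print admins + 0 " administrator account(s); keep only those who need it"
            exit (flagged ? 1 : 0)
        }'
}

# Constructed sample output of the WP-CLI command above.
SAMPLE_USERS='user_login,roles
admin,administrator
jane,administrator
writer1,author
contrib2,contributor'

printf '%s\n' "$SAMPLE_USERS" | audit_admins || echo "action needed: rename the flagged account"
```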
4. Remove unused plugins installed and active
Working with WordPress for over a decade, we’ve seen many cases of WordPress websites being hacked due to vulnerable plugins.
Plugins for WordPress are created by third-party developers who maintain and update them. However, like any software, over time, vulnerabilities appear. Developers are usually prompt at fixing them and releasing an update. This update will contain a security patch that will remove the vulnerability from your site.
If you delay the update, then your site remains vulnerable.
- During your audit, check the list of plugins you have installed. Many of us website owners tend to try out new themes and plugins. We don’t use most of them but forget that they’re still installed on our site. Delete the plugins that you don’t use. This will remove unnecessary elements from your site and reduce the chances hackers have of breaking into your site.
- Ensure you recognise all plugins installed. If you or your team don’t recognise any plugin, we advise deleting it. This is because when hackers break into your site, they sometimes install their own plugins. These plugins contain backdoors that give them secret access to your site.
- If you have installed any pirated or nulled version of plugins, delete them immediately. Such software often contains malware that infects your site when you install it. Hackers use pirated software to distribute their malware.
Now that you have only the plugins you use, ensure you update them as and when developers release updates.
5. Delete Extra WordPress Themes Installed
As website owners, we tend to install different themes to find one we like. However, many times, we forget to delete the ones we don’t need. Just like plugins, themes can also develop vulnerabilities.
We advise deleting all other themes and keeping only the theme you’re using. Ensure you’re using the latest version available of your active theme.
6. Evaluate your current hosting provider and plan
Thanks to shared hosting, more people can create websites without a big investment. Shared hosting plans are cheaper and tailored for small WordPress sites.
You may have opted for a shared hosting plan when you began, but as you grow, you need to evaluate if you need to upgrade.
Shared hosting plans mean you share a server with other websites. You have no control over what the other websites sharing your server do. If their WordPress site is hacked, it can consume too much of the server’s resources. This will slow down your website and bring down its performance. There’s also a slight chance that a malware infection can spread to sites sharing the same server. So, if you can afford an upgrade, we advise switching to a dedicated server. You can check here if your site is hacked.
If you aren’t satisfied with your current host’s service, you can compare different hosts and see if you want to migrate your website to a better one.
7. Check users who have FTP access
FTP (File Transfer Protocol) enables you to connect your local computer to your website’s server. You can access the files and folders of your website and make changes.
Since you can add, modify and delete files of your WordPress site over FTP, access should be granted only to those you trust and who absolutely need it.
We recommend checking the list of FTP users and resetting your FTP passwords, if needed. To do this, you need to access your WordPress hosting account > cPanel > FTP accounts.
Here, you will see a list of all the FTP accounts created for your website. You can delete the ones that don’t need access.
8. Check your WordPress Hardening measures
WordPress recommends certain hardening measures that make your website more secure. These include:
- Disabling file editor in plugins and themes
- Disabling plugin installation
- Resetting WordPress keys and salts
- Enforcing strong passwords
- Limiting WordPress login attempts
- Implementing two factor authentication
During your WP security audit, we recommend checking that these measures are in place. For example, if you’re using a plugin to limit login attempts or to provide two-factor authentication, make sure the plugin still works and is up to date. Check to see if there are better options available.
Many of the hardening measures require technical expertise to implement. However, if you’re using the MalCare security plugin, you can implement WordPress hardening measures in a few clicks.
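For the wp-config.php items in the list above (file editor, plugin installation, keys and salts), here is a read-only check you can run yourself. It is an added example, not the article’s or MalCare’s code, and the wp-config.php it inspects is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original article): a read-only audit of the
# wp-config.php hardening settings from step 8. It checks that
# DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are defined as true, and that
# the keys and salts no longer carry WordPress's default placeholder
# 'put your unique phrase here'. The sample file below is constructed for
# the demo; run the function against your real wp-config.php to audit a site.

# Prints one OK/FAIL line per check. Returns 0 if all pass, 1 otherwise.
check_wp_config() {
    config="$1"
    status=0

    # WordPress constants look like: define( 'NAME', value );
    for const in DISALLOW_FILE_EDIT DISALLOW_FILE_MODS; do
        if grep -Eq "define\([[:space:]]*'$const'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$config"; then
            echo "OK   $const is true"
        else
            echo "FAIL $const is missing or not true"
            status=1
        fi
    done

    # Default salts leave cookie and session secrets publicly known.
    # Fresh values: https://api.wordpress.org/secret-key/1.1/salt/
    # ('|| true' keeps a zero count from aborting a script run with set -e.)
    placeholders=$(grep -c "put your unique phrase here" "$config" || true)
    if [ "$placeholders" -eq 0 ]; then
        echo "OK   keys and salts have been customised"
    else
        echo "FAIL $placeholders key/salt entries still use the default placeholder"
        status=1
    fi
    return $status
}

# Constructed sample: file editor disabled, but plugin/theme installs still
# allowed and two salts left at their default value.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',        'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY',   'Qx7mL2pZ9vR4 (constructed, not a real secret)' );
define( 'DISALLOW_FILE_EDIT', true );
EOF
if check_wp_config "$SAMPLE_CONFIG"; then echo "hardening OK"; else echo "hardening needs attention"; fi
```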
These are eight very important tasks to carry out regularly. We recommend doing an audit bi-annually or at least annually. To sum up what we covered, here’s a checklist you can follow:
Checklist For WordPress Security Audit
- Security Plugin – Evaluate your security plugin. We recommend using MalCare.
- WordPress Backup – Test your website backup to make sure it can be restored. We recommend using BlogVault’s test restore option.
- Admin Users – Examine your current admin setup. Ensure you have granted admin privileges only to those who need it. Delete any inactive users.
- Plugins – Remove unused plugins installed and active. Keep only the plugins you actually use and ensure they are updated regularly.
- Themes – Delete Extra WordPress Themes Installed. Keep only the active theme on your site and ensure you’re using the latest version available.
- Web Host – Evaluate your current hosting provider and plan. We recommend using trusted web hosts and a dedicated server plan.
- FTP – Check users who have FTP access. Grant access only to those who need it.
- Hardening – Ensure your WordPress Hardening measures are intact and up to date.
Besides these, you can take a few more security measures. We strongly suggest following this guide – Secure Your WordPress Site With wp-config.php.
With that, we come to an end on your WordPress Security Audit. By taking these steps to re-check your security on a regular basis, you can prevent hackers from breaking into your site. It may involve several tasks but it’s well worth the time spent.
If you find WP security audits too tedious, you can reduce the load by taking measures like IP blocking, protecting the login page, following this guide on WordPress security, and by installing the MalCare security plugin on your site. A security plugin will take care of many of the tasks for you through automation such as malware scans and cleanups, backups, firewalls, and WordPress hardening.
Your WordPress site’s security will be more robust and at the same time easier on you!
Secure your WordPress Site with MalCare!