WordPress Security Audit: 8 Steps For Securing WordPress Website
Once upon a time you sat down and ran a complete WordPress security audit on your site. It wasn’t something you fancied, but you did it to keep the evil hackers at bay.
- You went ahead and installed a WordPress security plugin on your website because the gurus said so.
- You updated all your WordPress plugins and themes because you know exactly what happens if you don’t.
- You read up on website hardening measures and you implemented the ones that last.
In short: You were 100% sure that your website is safe and secure from hackers.
And then, a few months later, you woke up expecting things to be business as usual…
Only to find that your website has been hacked.
It could be absolutely anything. It may be a malicious redirection to another site. Or you might find out that your website has popups that are trying to sell something that has absolutely nothing to do with your business.
That’s when you realize that you have failed to secure your website.
This is a scenario faced by most WordPress site owners. And if this is what you’re facing, then you came to the right article.
Here’s the thing: Your only mistake was that you assumed that the WordPress security audit was a one-time activity. When you checked off all the boxes on the list, you thought that it was all done and dusted.
The truth is that your website security is just like advertising — it’s an ongoing activity. You wouldn’t stop advertising your business, would you?
Website security tools and preventative measures are constantly advancing, but the hackers aren’t going to sit back and just let you take control of your business. It’s your business and you’ll have to fight for it every day.
A WordPress security audit is the simplest way to figure out what’s working and what isn’t. Are your security measures obsolete?
Without WordPress security audits every 3 months, the chances of a hacker breaking into your website and damaging your business are much higher.
But don’t worry, this can all be avoided by ensuring your security measures are up to date. Today, we’ll show you the steps on how to run a successful WordPress security audit on your website.
TL;DR: To completely secure your WordPress site, we recommend using a security plugin. Install MalCare to scan and monitor your site regularly. It will also block hack attempts on your site. And yes, it also automatically does a WordPress security audit for you every day.
What Is A WordPress Security Audit?
Sooner or later, most WordPress websites run into security issues. For instance, plugins and themes can develop vulnerabilities that could be exploited by hackers to break into your website.
Once they gain access to your site, they can divert your traffic, display illegal content and ads, defraud your customers, and steal personal data, among a long list of malicious acts.
A WordPress security audit can help identify these issues promptly so that you can take measures to close any security gaps on your site. When you run a security audit, you will check the existing security measures on your website. And then identify what more security measures can you implement on your website to ensure that it’s protected.
A full security audit can involve several steps and can become a mess if you don’t have a process and a checklist in place.
Now, it’s quite likely that you’ve already done a WordPress security audit before. The point behind this article is to help you set up a process that you can repeat at the end of every 3 months. Ideally, a WordPress security audit should be done daily. But to be on the safe side and still be reasonable, we recommend doing this every month.
Today, we’re going to take you through our step-by-step WordPress Security Auditing Guide. This audit trail will enable you to conduct a complete and comprehensive audit of your website.
In this audit, we’ll thoroughly review your website’s security. Let’s begin.
- Evaluate your security plugin
- Test your WordPress backup solution
- Examine your current admin setup
- Remove unused plugins installed and active
- Delete Extra WordPress Themes Installed
- Evaluate your current hosting provider and plan
- Check users who have FTP access
- Check your WordPress Hardening measures
1. Evaluate your security plugin
Your website’s security plugin is your first checkpoint. If you aren’t already using a security plugin, consider activating one on your site immediately. A security plugin protects WordPress websites from hackers and bots. There are plenty of options to choose from. But not all of them are effective therefore you have to choose the right security plugin. Here’s a list of feature that your security plugin MUST offer:
1. Malware scan – Hackers are always on the lookout for vulnerable plugins. We strongly recommend using a plugin that will run a daily scan of your website. It should conduct a deep scan that checks every file and folder of your website, including your database.
2. Offsite scan – The scanning process requires a lot of server resources to run. If the plugin uses your own server, the scan can overload your site and cause it to slow down. Look for a plugin that uses its own servers to scan your site.
3. Firewall – You need a firewall on your website that will proactively block hackers and malicious bots and IP addresses that attempt to break into your site. To set up a firewall, you need technical expertise. However, you can find security plugins that install and activate it for you.
4. Login protection – Hackers often attack your login page and try different combinations of usernames and passwords to break into your website (known as a brute-force attack). The security plugin should be able to block such attacks.
5. Real-time alerts – If there is suspicious activity on your site, the plugin should detect it and alert you immediately. This enables you to take prompt action.
6. Malware cleanups – A good security plugin will enable you to clean your website quickly. It should be able to clean your website completely.
7. Activity log – A WordPress security audit log tracks the user’s activity on your site such as who logged in, details of login attempts that failed, what WordPress users did on the website. An activity log comes in handy when you want to figure out how your site got hacked or what changes were made to cause it to malfunction.
If you feel your security solution isn’t effective, you can choose from the top security plugins available.
We recommend using MalCare as it covers all these features. It has one of the best malware scanners that can detect any kind of malware. And moreover, you can clean up any malware infection in under a few minutes!
Having a backup of your WordPress site can come in handy if anything were to go wrong. You can easily restore your backup and get your site back to normal.
But what happens if your backup fails? What happens if you can’t restore it?
This is why you need to test your backup. If you’re using a host backup, some of them don’t offer test options. Here’s what we recommend to test your back up:
Install BlogVault backup plugin on your WordPress site. It will automatically take a complete backup of your site.
Note that the first backup may take a while as it will copy the entire website onto its own servers. Subsequent backups are much faster as it uses incremental technology where it backs up only the changes made.
Once the backup is complete, from the BlogVault dashboard, access the option ‘Test Restore’.
3. Examine your current admin setup
WordPress allows multiple people to collaborate and contribute to WordPress development and WordPress maintenance. But not every WordPress user needs complete access to the site. For example, a writer would only need access to write and publish content. They needn’t have access to make other changes like installing plugins or changing the theme.
To prevent giving every user on your site complete access, WordPress has six different user roles that you can assign – Super Admin, Administrator, Editor, Author, Contributor, and Subscriber. Each role has different levels of permissions.
While conducting your WordPress security audit, the first thing you need to analyze is the users you have added to your WordPress site.
- Check how many of these users have admin access.
- Determine how many actually need admin access.
- Restrict access and grant lower permissions by changing the user roles for those who don’t need to be admins.
- Make sure you can recognise all users on your dashboard. Delete any users that you don’t recognise as they could be rogue user accounts created by hackers.
Next, ensure that anyone who is an admin on your website isn’t using the username ‘admin’. This is the most common username WordPress admins use for their accounts. Hackers are well aware of this and try to use the name to gain access to your site
To change the name from ‘admin’ to something more unique, you would need to first create a new user account for that person. You can assign all content to the new WordPress user you created. Next, you can delete the old ‘admin’ account.
Working with WordPress for over a decade, we’ve seen many cases of WordPress websites being hacked due to vulnerable plugins.
Plugins for WordPress are created by third-party developers who maintain and update them. However, like any software, over time, vulnerabilities appear. Developers are usually prompt at fixing them and releasing an update. This update will contain a security patch that will remove the vulnerability from your site.
If you delay the update, then your site remains vulnerable.
- During your audit, check the list of plugins you have installed. Many of us website owners tend to try out new themes and plugins. We don’t use most of them but forget that they’re still installed on our site. Delete the plugins that you don’t use. This will remove unnecessary elements from your site and reduce the chances hackers have of breaking into your site.
- Ensure you recognise all plugins installed. If you or your team don’t recognise any plugin, we advise deleting it. This is because when hackers break into your site, they sometimes install their own plugins. These plugins contain backdoors that give them secret access to your site.
- If you have installed any pirated or nulled version of plugins, delete them immediately. Such software often contains malware that infects your site when you install it. Hackers use pirated software to distribute their malware.
5. Delete Extra WordPress Themes Installed
As website owners, we tend to install different themes to find one we like. However, many times, we forget to delete the ones we don’t need. Just like plugins, themes can also develop vulnerabilities.
6. Evaluate your current hosting provider and plan
Thanks to shared hosting, more people can create websites without a big investment. Shared hosting plans are cheaper and tailored for small WordPress sites.
You may have opted for a shared hosting plan when you began, but as you grow, you need to evaluate if you need to upgrade.
Shared hosting plans means you share a server with other websites. You have no control over what the other websites sharing your server do. If their site is hacked, it can consume too much of the server’s resources. This will slow down your website and bring down its performance. There’s also a slight chance that any malware infection can spread to sites sharing the same server. So, if you can afford an upgrade, we advise switching to a dedicated server.
7. Check users who have FTP access
An FTP is File Transfer Protocol that enables you to connect your local computer to your website server. You can access the files and folders of your website and make changes.
Since you can add, modify and delete files of your WordPress site, access to FTP should be granted only to those you trust and absolutely need access.
We recommend checking the list of FTP users and resetting your FTP passwords, if needed. To do this, you need to access your WordPress hosting account > cPanel > FTP accounts.
Here, you will see a list of all the FTP accounts created for your website. You can delete the ones that don’t need access.
8. Check your WordPress Hardening measures
WordPress recommends certain hardening measures that make your website more secure. These include:
- Disabling file editor in plugins and themes
- Disabling plugin installation
- Resetting WordPress keys and salts
- Enforcing strong passwords
- Limiting WordPress login attempts
- Implementing two factor authentication
If you need more guidance, we recommend reading our Comprehensive Guide to WordPress Hardening.
During your WordPress security audit, we recommend checking that these measures are in place. For example, if you’re using a plugin to limit login attempts or 2 factor authentication, make sure the plugin still works and is up to date. Check to see if there are better options available.
Many of the hardening measures require technical expertise to implement. However, if you’re using the MalCare security plugin, you can implement WordPress hardening measures in a few clicks.
These are eight very important tasks to carry out regularly. We recommend doing an audit bi-annually or at least annually. To sum up what we covered, here’s a checklist you can follow:
Checklist For WordPress Security Audit
1. Security Plugin – Evaluate your security plugin. We recommend using MalCare.
2. WordPress Backup – Test your website backup to make sure it can be restored. We recommend using BlogVault’s test restore option.
3. Admin Users – Examine your current admin setup. Ensure you have granted admin privileges only to those who need it. Delete any inactive users.
4. Plugins – Remove unused plugins installed and active. Keep only the plugins you actually use and ensure they are updated regularly.
5. Themes – Delete Extra WordPress Themes Installed. Keep only the active theme on your site and ensure you use the latest version available.
6. Web Host – Evaluate your current hosting provider and plan. We recommend using trusted web hosts and a dedicated server plan.
7. FTP – Check users who have FTP access. Grant access only to those who need it.
8. Hardening – Ensure your WordPress Hardening measures are intact and up to date.
We hope that this article helped you create a repeatable process for a WordPress security audit. If you can keep executing this process on a regular basis, we guarantee you can prevent hackers from bypassing your site security.
Yes, a full WordPress security audit is a long and tedious process. But the truth of the matter is that it can help protect your business for a long time.
And if you think that a WordPress security audit is too tedious, you can automate the process by installing the MalCare plugin. Unlike most other website security plugins, MalCare offers a comprehensive suite of security tools that can do a lot more than a WordPress security audit.
MalCare automates many tedious and manual security activities such as malware scanning and removal, regular site backups, installing firewalls and bot protection, and WordPress hardening.
You can get all of this done with just a few clicks in a state-of-the-art easy to use dashboard.
Secure your WordPress Site with MalCare!
Melinda is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Melinda distils the wisdom gained from building plugins to solve security issues that admins face.