How to Perform a WordPress Security Audit

Nadejda
Want to make sure your site is secure by performing a security audit?

WordPress core is well maintained, but the plugins, themes, user accounts and hosting environment around it are where most problems appear. If you suspect something is wrong with your site, perform a full security audit rather than guessing.

This guide walks you step by step through a complete audit, all of it done while the site stays online.

What is a Security Audit?

A security audit is a systematic check of your site for signs of compromise and for weaknesses that could lead to one: malicious code, accounts or activity you cannot explain, outdated components and unexplained changes in performance.

The basic steps can be done by hand from the WordPress admin.

For a deeper audit, use WordPress security tools that run automated checks.

If you find anything suspicious, remove it and then fix the weakness that let it in, otherwise it will come back.

When should you perform a Security Audit?

Run a WordPress security audit at least once a quarter. A regular schedule lets you spot changes early, before they turn into incidents.

If you do see anything out of line, however, perform a security audit immediately.

You may need an audit straight away if you notice any of the following signs:

  • The site has become noticeably slower
  • A sudden drop in traffic
  • New user accounts you did not create, password-reset requests you did not make, or failed login attempts against your site
  • Links or content appearing on your site that you did not add

Security Audit Checklist

These are the basic steps to take when performing a security audit.

1. Update your software

Updates matter for both stability and security: they patch known vulnerabilities, improve performance and add features.

Check that WordPress core, every plugin and every theme is up to date. Pending updates are listed under Dashboard – Updates in WP Admin. Pay attention to plugins and themes that are installed but inactive as well: they still sit on the server, so update them or remove them.

2. Check all passwords and user accounts

Go to Users – All Users and review every account. Look for users who should not be there, and check each account's role, not just its name.

If you run an ecommerce store or teach online courses, there will be accounts belonging to your customers or students.

On a business site or personal blog, however, only your own account and the users you personally added should appear.

If you find a suspicious account, delete it. Before you do, note its role, email address and registration date: an administrator account you did not create means the site has already been compromised, not merely misconfigured, so the rest of this audit becomes all the more important.

If your site does not need visitors to create their own accounts, go to Settings – General and make sure the box next to Anyone can register is unchecked.

To be on the safe side, change your WP admin password (and the password of any other privileged account) and enable two-factor authentication to strengthen your login security.
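Steps 1 and 2 can be automated on any host where WP-CLI is available. The script below is an added example, not code from this article or from fixed.net: it assumes the `wp` command is installed and is run from the site root, and the allowlist of known logins and the SAMPLE_* data are constructed assumptions so that the checks run offline. It flags privileged accounts that are not on your allowlist, any account created in the last 30 days, open registration, and every plugin or theme with an update pending.

```python
"""Automate steps 1 and 2 of the checklist from WP-CLI JSON output.

Added example, not part of the original article or of fixed.net's tooling.
Assumes WP-CLI (the `wp` command) is installed and run from the site root.
KNOWN_ADMINS and the SAMPLE_* data are constructed assumptions.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone

# Logins you created yourself and expect to hold a privileged role (assumption).
KNOWN_ADMINS = {"nadejda", "editor_jo"}
PRIVILEGED_ROLES = {"administrator", "editor"}


def audit_users(users, known_admins=KNOWN_ADMINS, now=None, recent_days=30):
    """Flag privileged accounts outside the allowlist and accounts created recently.

    `users` is the parsed output of `wp user list --format=json`; its `roles`
    field is a comma-separated string.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for user in users:
        login = user["user_login"]
        roles = {r for r in user.get("roles", "").split(",") if r}
        elevated = roles & PRIVILEGED_ROLES
        if elevated and login not in known_admins:
            findings.append(f"unexpected {'/'.join(sorted(elevated))} account: {login}")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        registered = registered.replace(tzinfo=timezone.utc)
        if now - registered < timedelta(days=recent_days):
            findings.append(f"account created in the last {recent_days} days: "
                            f"{login} ({user['user_registered']})")
    return findings


def audit_registration(users_can_register, site_needs_signup=False):
    """Flag 'Anyone can register' (option users_can_register) on sites that do not need it."""
    if str(users_can_register).strip() == "1" and not site_needs_signup:
        return ["'Anyone can register' is enabled; disable it under Settings > General"]
    return []


def audit_updates(plugins, themes):
    """One finding per plugin or theme for which WP-CLI reports an available update."""
    findings = []
    for kind, items in (("plugin", plugins), ("theme", themes)):
        for item in items:
            findings.append(f"{kind} '{item['name']}' {item['version']} -> {item['update_version']}")
    return findings


def run_wp(*args):
    """Run a WP-CLI command on the real server and return its stdout."""
    return subprocess.run(["wp", *args], check=True, capture_output=True, text=True).stdout


# Constructed sample data shaped like the WP-CLI JSON output.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "nadejda", "user_email": "nadejda@example.com",
     "user_registered": "2021-03-10 09:15:00", "roles": "administrator"},
    {"ID": 2, "user_login": "editor_jo", "user_email": "jo@example.com",
     "user_registered": "2022-05-01 10:00:00", "roles": "editor"},
    {"ID": 7, "user_login": "wp_support", "user_email": "support@example.net",
     "user_registered": "2024-05-28 03:12:44", "roles": "administrator"},
    {"ID": 8, "user_login": "customer42", "user_email": "c42@example.org",
     "user_registered": "2024-05-20 11:00:00", "roles": "subscriber"},
]
SAMPLE_PLUGINS = [{"name": "contact-form-7", "status": "active", "update": "available",
                   "version": "5.8", "update_version": "5.9.8"}]
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def audit_sample():
    """Run all three checks on the constructed sample; yields five findings."""
    return (audit_users(SAMPLE_USERS, now=SAMPLE_NOW)
            + audit_registration("1")
            + audit_updates(SAMPLE_PLUGINS, []))


if __name__ == "__main__":
    try:
        users = json.loads(run_wp("user", "list", "--format=json"))
        can_register = run_wp("option", "get", "users_can_register")
        plugins = json.loads(run_wp("plugin", "list", "--update=available", "--format=json"))
        themes = json.loads(run_wp("theme", "list", "--update=available", "--format=json"))
        findings = audit_users(users) + audit_registration(can_register) + audit_updates(plugins, themes)
    except FileNotFoundError:  # no `wp` on this machine: show the run on the sample instead
        findings = audit_sample()
    print("\n".join(findings) or "no findings")
```

The "recently created" rule deliberately fires on ordinary subscribers too: on a shop or course site those are expected, and the point is to make you look at them once a quarter rather than to delete them. Core itself is covered separately by `wp core check-update`.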

3. Run a security scan

Next, check your site for malware and known vulnerabilities. A number of online security scanners can do this from the outside without touching your server.

IsItWP Security Scanner is one option; it checks the site for malware and other common problems.

Note that such tools only see what the public-facing pages of your site return. They cannot inspect your files, database or admin area, so a clean result reduces the risk but does not prove the site is clean.

4. Check the site’s Analytics

Regularly analyzing your site’s data will help you keep track of traffic and overall health.

A sudden drop in traffic can mean that search engines or browsers have blacklisted the site as malicious, so check it from a fresh browser and in Google Search Console if you see one. A site that has become slow or unresponsive will also lose page views.

MonsterInsights is one way to monitor your site's traffic; it also tracks users, WooCommerce customers and so on.

Do your security Audit with FixedNet

Every new client who comes to us on a maintenance plan gets their site fully audited by one of our engineers. We look for potential problems and recommend how to fix them if required.

This not only shows us the issues your website may be having, but also gives us a deeper understanding of how it works.

An essential part of the services we offer here at fixed.net is website security. Before doing any work on your site we make sure it’s entirely clean and safe.

  • Malware scan. The scan runs against our own backups and checks files against our internal signature database. We run further scans for specific issues such as JavaScript injection. Any malware found is removed immediately.

  • Plugin or software fixing. This is always treated as urgent and fixed straight away. However useful they are, WordPress plugins are a frequent source of vulnerabilities.

  • A check of file permissions and .htaccess rules in the hosting environment.

  • Are there leftover admin users, FTP users or database users, or is remote database access enabled for unknown IP addresses?
  • Permissions on your database configuration file (wp-config.php): if set too openly, others could read your database credentials.
  • Old versions of adminer.php and other database management tools left in the file system.
  • If you do not have a security plugin installed, we will recommend one.
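The file-system items in that list (permissions, the database configuration file, leftover database tools and a signature scan) can be checked with a short script. The one below is an added example, not fixed.net's own tooling: its signature list is a deliberately minimal stand-in for a real signature database, and the sample site it builds in a temporary directory is constructed so that it runs offline. Point `audit_tree()` at a real document root to use it. Checks on database users and remote database access live on the database server and are not covered here.

```python
"""File-system part of the audit: permissions, leftover DB tools, signature scan.

Added example, not fixed.net's own tooling. SIGNATURES and the sample site are
constructed assumptions; audit_tree() works on any real WordPress docroot.
"""
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Minimal constructed stand-in for a malware signature database.
SIGNATURES = {
    "php eval of encoded payload": re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
    "obfuscated javascript write": re.compile(rb"document\.write\s*\(\s*unescape\s*\("),
}
# Database management tools that must not stay in a production document root.
REMNANT_NAME = re.compile(r"^(adminer[-\w.]*\.php|phpmyadmin|mysqladmin)$", re.IGNORECASE)
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}
MAX_SCAN_BYTES = 2 * 1024 * 1024


def audit_tree(root):
    """Walk a WordPress document root and return sorted findings as strings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        mode = stat.S_IMODE(path.lstat().st_mode)
        if mode & stat.S_IWOTH:
            findings.append(f"world-writable: {rel} ({oct(mode)})")
        if path.name == "wp-config.php" and mode & stat.S_IROTH:
            findings.append(f"database config readable by everyone: {rel} ({oct(mode)}); use 0600 or 0640")
        if REMNANT_NAME.match(path.name):
            findings.append(f"database admin tool left in docroot: {rel}")
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES and path.stat().st_size <= MAX_SCAN_BYTES:
            data = path.read_bytes()
            for label, pattern in SIGNATURES.items():
                if pattern.search(data):
                    findings.append(f"signature '{label}' matched: {rel}")
    return sorted(findings)


def _write(path, content, mode):
    path.write_bytes(content)
    os.chmod(path, mode)


def build_sample_site():
    """Create a constructed site in a temp dir with one example of each problem."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    (root / "wp-content" / "uploads" / "2024" / "05").mkdir(parents=True)
    (root / "wp-content" / "themes" / "demo").mkdir(parents=True)
    for directory in root.rglob("*"):      # explicit modes so the host umask does not matter
        os.chmod(directory, 0o755)
    _write(root / "index.php", b"<?php require __DIR__ . '/wp-blog-header.php';", 0o644)
    _write(root / "wp-config.php", b"<?php define('DB_PASSWORD', 'not-a-real-secret');", 0o644)
    _write(root / "wp-content" / "uploads" / "2024" / "05" / "adminer.php", b"<?php /* adminer */", 0o644)
    _write(root / "wp-content" / "themes" / "demo" / "footer.php",
           b"<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>", 0o644)
    os.chmod(root / "wp-content" / "uploads", 0o777)   # a common "fix" that opens the door
    return root


if __name__ == "__main__":
    site = build_sample_site()
    try:
        for finding in audit_tree(site):
            print(finding)
    finally:
        shutil.rmtree(site)
```

On the sample it reports four findings: the world-readable wp-config.php, the world-writable uploads directory, the leftover adminer.php and the theme footer that matches the eval signature. On a real site, treat a signature hit as a starting point for comparing the file against a clean copy from your backups, as the malware scan above does, rather than as proof on its own.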

We hope this article was useful in explaining the basics of auditing your website's security. Share your own experience in the comments below!