How to Perform a WordPress Security Audit in Under 30 Minutes

WordPress remains the most widely used content management system, powering over 43% of websites worldwide. However, this popularity makes websites built with WordPress a juicy target for cyberattacks. Over 13,000 WordPress websites are hacked daily, amounting to 4.7 million annually. To prevent your WordPress site from becoming the next data breach victim, the first step is to quickly check whether it has any vulnerabilities.

A quick website audit (not a professional penetration test) can be conducted in just a few minutes if you have the right tools and knowledge. In this short article, I will guide you through the process of performing a simple security audit in under 30 minutes. Each audit step is straightforward, but by following them and implementing the recommended fixes, you can significantly boost your site’s security. Let’s begin with the preparation process.

Preparation

Before starting the actual audit, make sure you have the following in place:

  • WordPress Login: Ensure you have access to the WordPress admin dashboard with an admin account username and password. 
  • Security Plugins: Install and activate a trusted security plugin such as Wordfence or Sucuri Security. Having one of these security plugins will simplify malware scanning, login monitoring, and vulnerability detection.

Backup Your Website Before Starting the Audit

Before making any changes, a backup ensures that you can restore your site in case something goes wrong during the audit. For backing up your site, I would recommend using a simple tool like All-in-One WP Migration. It allows you to create a backup file (up to 32 GB) for your site that you can store on your local machine or a cloud storage service of your choice.


Audit Steps

With everything we need in place, let’s proceed to the audit steps: 

Step 1: Check WordPress Core, Plugins, and Themes

  • Verify that WordPress is Updated to the Latest Version: Go to your site’s Dashboard > Updates and check if an update is available for WordPress core. If updates are pending, review the changelog and click Update Now to install the update.
  • Review Installed Plugins: Go to Plugins > Installed Plugins. Browse through the list and update any plugins with available updates. Deactivate and delete plugins that are inactive or unused to reduce your attack surface. You should also replace any plugins that haven’t received updates in a year with actively maintained alternatives.
  • Review Installed Themes: Go to Appearance > Themes and delete themes you are not using, except one fallback theme (e.g., the default Twenty Twenty theme).

Step 2: Review User Accounts

  • Check for Unused or Suspicious User Accounts: Go to Users > All Users, review the list, and delete accounts that are no longer needed or appear suspicious.
  • Ensure Admin Accounts Are Legitimate and Secure: Verify the email addresses associated with admin accounts. You should also change weak passwords to strong ones using a mix of letters, numbers, and special characters.
  • Reassess User Roles to Confirm Correct Permissions: Ensure users only have the permissions they need. For example, the admin roles should be limited to trusted users.
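Steps 1 and 2 can also be collected as a single report instead of clicking through each screen. The WP-CLI command below is an added example, not code from the article or from WordPress itself; it assumes WP-CLI is installed and that you save the file as an mu-plugin (the file and command names are my own choices).

```php
<?php
/**
 * Constructed example, not part of the article: a WP-CLI command that prints
 * the Step 1 and Step 2 findings in one go.
 * Save as wp-content/mu-plugins/audit-report.php and run `wp audit-report`.
 */
if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    return; // Only register the command when running under WP-CLI.
}
WP_CLI::add_command( 'audit-report', function () {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/update.php';

    // Step 1: core. Refresh the update check first, then read the result.
    wp_version_check();
    $core = get_core_updates();
    if ( ! empty( $core ) && 'upgrade' === $core[0]->response ) {
        WP_CLI::warning( "Core: update available, {$core[0]->current}" );
    } else {
        WP_CLI::success( 'Core: up to date (' . get_bloginfo( 'version' ) . ')' );
    }

    // Step 1: plugins. Inactive plugins still ship code on the server, so flag them too.
    wp_update_plugins();
    $updates = get_plugin_updates();
    foreach ( get_plugins() as $file => $plugin ) {
        $flags = array();
        if ( ! is_plugin_active( $file ) ) {
            $flags[] = 'inactive, delete if unused';
        }
        if ( isset( $updates[ $file ] ) ) {
            $flags[] = 'update to ' . $updates[ $file ]->update->new_version;
        }
        if ( $flags ) {
            WP_CLI::warning( "Plugin {$plugin['Name']} {$plugin['Version']}: " . implode( '; ', $flags ) );
        }
    }

    // Step 1: themes. Keep the active theme, its parent and one fallback; list the rest.
    $active = wp_get_theme();
    foreach ( wp_get_themes() as $slug => $theme ) {
        if ( $slug !== $active->get_stylesheet() && $slug !== $active->get_template() ) {
            WP_CLI::warning( 'Theme ' . $theme->get( 'Name' ) . ': not active, delete unless it is your fallback' );
        }
    }

    // Step 2: administrators. Review every login name and e-mail address listed here.
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        WP_CLI::line( sprintf( 'Admin: %s <%s>', $user->user_login, $user->user_email ) );
    }
} );
```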

Step 4: Inspect Login Security

  • Confirm That Two-Factor Authentication (2FA) Is Enabled: Use a security plugin like Wordfence along with an authentication app like Google Authenticator to enable 2FA for admin accounts. Test 2FA to ensure it works.
  • Test the Strength of Your Admin Password: Your password should have a mix of lower and uppercase letters, numbers, and special characters. I would recommend using a Password Manager to generate and store strong and long admin passwords. A password manager will also alert you if any of your admin account login credentials were leaked in any recent data breach. 
  • Look for Failed Login Attempts in Security Logs: Wordfence records login activity in its Audit Log feature. Use these logs to check for unusual login attempts and block IP addresses that repeatedly cause failed logins.
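As an added example of the failed-login monitoring this step describes (not code from the article or from Wordfence), the mu-plugin below counts failed logins per source address with WordPress's `wp_login_failed` hook and e-mails the site admin once a threshold is crossed; the threshold, window, file name and function names are my own choices.

```php
<?php
/**
 * Constructed example, not part of the article or of Wordfence: counts failed
 * logins per source address and e-mails the site admin when a threshold is hit.
 * Save as wp-content/mu-plugins/failed-login-alert.php.
 */
define( 'AUDIT_FAILED_LOGIN_THRESHOLD', 5 );                   // alert at this count...
define( 'AUDIT_FAILED_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS ); // ...within this window

// REMOTE_ADDR is the client only when no reverse proxy or CDN sits in front of PHP;
// behind a proxy, configure it to pass the real client address and read that instead.
function audit_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
}

function audit_transient_key( $ip ) {
    return 'audit_failed_' . md5( $ip ); // short key, free of characters the option table dislikes
}

// wp_login_failed fires on every bad username/password pair; WordPress passes the username.
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = audit_client_ip();
    $key   = audit_transient_key( $ip );
    $count = (int) get_transient( $key ) + 1; // get_transient() returns false when unset
    // Re-setting the transient restarts the window on each failure.
    set_transient( $key, $count, AUDIT_FAILED_LOGIN_WINDOW );

    error_log( sprintf( 'wp-audit: failed login for "%s" from %s (%d in window)', $username, $ip, $count ) );

    if ( AUDIT_FAILED_LOGIN_THRESHOLD === $count ) { // mail once per window, not on every further failure
        wp_mail(
            get_option( 'admin_email' ),
            'Repeated failed logins on ' . home_url(),
            sprintf( '%d failed logins from %s within %d minutes. Review the audit log and consider blocking this address.',
                $count, $ip, AUDIT_FAILED_LOGIN_WINDOW / MINUTE_IN_SECONDS )
        );
    }
} );

// A successful login clears the counter so a user who mistyped a few times is not reported.
add_action( 'wp_login', function () {
    delete_transient( audit_transient_key( audit_client_ip() ) );
} );
```

Entries land in the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is on), which gives you a plain-text record to review alongside the plugin's audit log.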

Step 5: Scan for Malware and Vulnerabilities

  • Use a Security Plugin: Use a plugin like Wordfence to scan for any malware that could be present on your website. After the scan, Wordfence will provide additional instructions for cleaning up malware or vulnerabilities, if any are detected.

Final Thoughts

After completing your WordPress security audit, document the vulnerabilities you identified and the actions you took to address them. This step helps track recurring issues and refine future audits. You should also consider setting a reminder to perform regular audits, ideally monthly, to stay ahead of potential threats. For enhanced protection, consider enabling real-time monitoring and alerts using a security plugin to catch suspicious activity instantly. 