TLDR: I ran a full security audit on my WordPress site and distilled the process into a clear checklist you can run in a single day. This guide shows what a security audit is, why it matters, exactly how to do one (step by step), and common pitfalls to avoid. Follow the checklist, automate where you can, and document every change so you can sleep easier at night.
How I learned the hard way and how this checklist saved me
I remember the night my site was scrambled by a plugin vulnerability. I sat up until 3 a.m. cleaning files, restoring backups, and learning lessons the expensive way. After that incident I built a repeatable security audit routine that I run quarterly. In this article I explain that routine in first person and walk you through a practical WordPress security audit checklist that you can apply immediately.
What is a WordPress security audit?
A WordPress security audit is a systematic review of your site’s configuration, files, access controls, plugins, and server settings to find weaknesses before attackers do. It is a combination of automated scanning, manual inspection, and testing changes in a staging environment. The aim is to close attack vectors, improve monitoring, and ensure you can recover quickly if something goes wrong.
Why does a security audit matter?
Security audits matter because WordPress powers a large share of the web and is therefore a prime target. You can lose traffic, rankings, and revenue from a single breach. In addition, as you grow the site you add plugins, themes, and custom code which expand your attack surface. A routine audit helps you:
- Find and fix vulnerabilities before they are exploited.
- Ensure backups and recovery plans work when you need them.
- Limit the blast radius of compromised accounts with permission hygiene.
- Meet compliance or client security expectations.
How to prepare before you start the audit
Before you touch anything live, do these prep steps:
- Create a fresh backup and verify it. Make sure you can restore to a staging site.
- Clone the site to a staging environment and run tests there first.
- Gather access details: hosting control panel, SFTP, database, WordPress admin, and any CDN or WAF portals.
- Document current versions of WordPress, theme, and plugins so you can track changes.
Core checklist: items to run during every audit
Let’s break it down into the practical checks I run in order. You can follow them as a single checklist and tick items off as you go.
- Update matrix: Ensure WordPress core, theme, and plugins are updated in staging before updating production.
- Backup verification: Test a restore from the latest backup so you know recovery works. I always keep at least two backup copies stored offsite.
- User and permission review: Remove inactive admin accounts, limit user roles, and rotate passwords for privileged users. Enforce two-factor authentication (2FA) for all admins.
- File integrity check: Compare core, theme, and plugin files against known-good copies by checksum rather than by timestamp, because an attacker who drops a backdoor can reset its modification time to match the files around it. WP-CLI's wp core verify-checksums and wp plugin verify-checksums --all compare your files with the packages published on wordpress.org; inspect anything they flag, plus any file that is not part of a known package.
- Vulnerability scan: Run a reputable scanner to detect known vulnerabilities in core, themes, and plugins, outdated libraries, and unsafe file permissions. Treat its report as a starting point, not a verdict: it only knows about published vulnerabilities, so custom code still needs manual review.
- Plugin audit: Remove unnecessary plugins and replace risky plugins with actively maintained alternatives.
- Database hygiene: Remove tables left behind by deleted plugins, orphaned options and expired transients, and excessive post revisions. I use targeted queries and cleanup tools for this, always against a fresh database backup, because a bad DELETE cannot be undone.
- Server configuration: Verify the PHP version is still supported, disable risky PHP functions (disable_functions in php.ini is the usual place), and set file permissions to 644 for files and 755 for directories, with wp-config.php locked down tighter than that.
- HTTPS and headers: Confirm HTTPS is enforced site-wide and add security headers like Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security.
- Login protection: Limit login attempts, set strong password policies, monitor failed logins, and implement reCAPTCHA or similar protections.
- Monitoring and logging: Keep web server, PHP, and application logs, and set up alerting for suspicious activity such as bursts of failed logins, requests to xmlrpc.php, or newly created administrator accounts. I also connect analytics so I can spot traffic anomalies, and on some sites I add Google Analytics 4 to WordPress to watch user behavior after changes.
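To make the failed-login monitoring above concrete, here is an added example (my own, not part of the original checklist) that counts failed wp-login.php POSTs and xmlrpc.php POSTs per client in a combined-format access log. It relies on one WordPress behaviour: a failed login re-renders the form with status 200, while a successful login redirects with 302, so "POST /wp-login.php answered with 200" is the failed-login signal. The log lines, IP addresses, and the threshold of 5 are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: flag clients brute-forcing
# wp-login.php or xmlrpc.php from a combined-format (Apache/nginx) access log.
# A failed wp-login.php POST is answered with 200 (the form is shown again);
# a successful one is answered with 302. Every POST to xmlrpc.php is counted,
# because system.multicall lets one request carry hundreds of password guesses.
# All addresses, timestamps and the threshold below are constructed.
set -u

# Constructed sample log: one host failing 8 logins, one hammering xmlrpc.php
# 6 times, and a legitimate user who views the form once and logs in (302).
sample_log() {
  i=0
  while [ "$i" -lt 8 ]; do
    printf '203.0.113.10 - - [12/May/2024:03:14:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"\n' "$i"
    i=$((i + 1))
  done
  i=0
  while [ "$i" -lt 6 ]; do
    printf '198.51.100.7 - - [12/May/2024:03:20:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"\n' "$i"
    i=$((i + 1))
  done
  printf '192.0.2.5 - - [12/May/2024:03:21:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"\n'
  printf '192.0.2.5 - - [12/May/2024:03:21:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
}

# Read a combined-format log on stdin and print "ip count" for every client
# whose failed-login plus xmlrpc POST count is at or above the threshold.
# Fields: $1 client IP, $6 method (with the opening quote), $7 path, $9 status.
suspicious_ips() {
  threshold="${1:-5}"
  awk -v t="$threshold" '
    $6 == "\"POST" && (($7 == "/wp-login.php" && $9 == "200") || $7 == "/xmlrpc.php") { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
  ' | sort
}

# Demo on the constructed log; on a real host run e.g.
#   suspicious_ips 20 < /var/log/nginx/access.log
sample_log | suspicious_ips 5
```

On a site behind a CDN or reverse proxy the first field is the proxy's address unless the server logs the real client header, so check which address your log format records before acting on the counts. The same awk filter, run with a 1-minute window instead of the whole file, is the logic a fail2ban-style rule implements.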
Detailed technical checks
In addition to the core checklist, I run these deeper checks to harden the site.
- File and directory permissions: wp-config.php has to stay readable by the PHP process, so the goal is to keep it unreadable by everyone else: have it owned by the user PHP runs as, set it to 600 or 640, and never leave it world-readable on a shared host. If your host allows it, move it one directory above the webroot; WordPress looks there automatically when the file is missing from the install directory.
- Disable XML-RPC if you do not use it. Its system.multicall method lets a single request test hundreds of passwords, which defeats naive per-request login limits, and its pingback method can be abused to make your server send requests to third parties. Check first, because the Jetpack plugin and the WordPress mobile apps still rely on it.
- Secure wp-admin and wp-login.php with additional restrictions such as IP allowlisting, HTTP auth, or a WAF rule set.
- Scan for malicious code in uploads and theme files. A PHP file anywhere under wp-content/uploads is a red flag on its own, since that tree should only hold media. In theme and plugin files look for obfuscated PHP and for eval, base64_decode, gzinflate, str_rot13, or shell functions such as system and shell_exec, especially when chained together on one line.
- Review cron jobs and scheduled tasks both in WordPress and in the server crontab to ensure they are expected and secure.
- Check database users: Use unique DB users per site where possible and ensure strong DB passwords. Limit remote DB access.
- SSL/TLS testing: Verify the certificate chain, expiry date, supported protocol versions, and cipher suites with an external TLS scanner, and disable weak ciphers and old protocol versions the scanner reports.
Post-change steps and verification
After you update or harden the site, do these steps to finish the audit:
- Functionality test: Walk through core site flows like login, checkout, forms, and sitemap to ensure nothing broke.
- Performance check: Security changes can affect performance, so clear caches after hardening and compare load times with your pre-audit numbers. Purge the WordPress cache in a controlled window and watch for anomalies afterwards, because a purge on a busy site briefly sends every request through to PHP and the database.
- Re-scan: Run the vulnerability scanner again to confirm the fixes have been applied and that nothing new was introduced.
- Document changes: Keep a changelog of what you changed, why, and when so future audits are faster.
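The re-scan step is also where I confirm that the HTTPS enforcement and security headers from the core checklist actually landed. Here is an added example (mine, not the article's) that checks raw response headers for the required hardening headers and verifies that a plain-HTTP request is redirected to https://. The two response heads and the redirect are constructed to show the before-and-after; against a live site, feed the functions the output of curl -sI instead.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: verify the security headers
# and the HTTPS redirect after hardening. The response heads below are
# constructed; on a real site pipe `curl -sI https://example.com/` into
# missing_headers and `curl -sI http://example.com/` into https_enforced.
set -u

# Headers the checklist asks for, compared case-insensitively.
REQUIRED_HEADERS="strict-transport-security content-security-policy x-frame-options x-content-type-options referrer-policy"

# Constructed: a typical unhardened response head (also leaks versions).
headers_before() {
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'Server: Apache/2.4.57\r\n'
  printf 'X-Powered-By: PHP/8.1.2\r\n'
  printf 'Content-Type: text/html; charset=UTF-8\r\n'
}

# Constructed: the same site after the headers were added.
headers_after() {
  printf 'HTTP/2 200\r\n'
  printf 'content-type: text/html; charset=UTF-8\r\n'
  printf 'strict-transport-security: max-age=31536000; includeSubDomains\r\n'
  printf "content-security-policy: default-src 'self'\r\n"
  printf 'x-frame-options: SAMEORIGIN\r\n'
  printf 'x-content-type-options: nosniff\r\n'
  printf 'referrer-policy: strict-origin-when-cross-origin\r\n'
}

# Constructed: what the http:// origin should answer once HTTPS is enforced.
headers_http_redirect() {
  printf 'HTTP/1.1 301 Moved Permanently\r\n'
  printf 'Location: https://example.com/\r\n'
}

# Read a response head on stdin and print each required header that is absent.
# Header names are case-insensitive, so they are lower-cased; CRs are stripped
# so curl output works unchanged. Prints nothing when everything is present.
missing_headers() {
  present=$(tr -d '\r' | awk -F: 'NR > 1 && NF > 1 { print tolower($1) }')
  for h in $REQUIRED_HEADERS; do
    printf '%s\n' "$present" | grep -qx "$h" || printf '%s\n' "$h"
  done
}

# Succeed (exit 0) only if the response is a permanent redirect to an
# https:// URL; a 302 or a redirect to http:// does not count as enforced.
https_enforced() {
  tr -d '\r' | awk '
    NR == 1 { status = $2 }
    tolower($1) == "location:" { loc = $2 }
    END { exit !((status == "301" || status == "308") && loc ~ /^https:\/\//) }
  '
}

echo "Missing before hardening:"; headers_before | missing_headers
echo "Missing after hardening:";  headers_after  | missing_headers
headers_http_redirect | https_enforced && echo "http:// redirects to https://"
```

Check the headers on more than the home page: a cached page served by the CDN can carry headers that an uncached wp-admin or REST response does not, and the Strict-Transport-Security header only takes effect on the HTTPS response, so test that origin specifically.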
How often should you run a security audit?
I run a quick audit monthly and a deep audit quarterly. If your site has high traffic, financial transactions, or sensitive user data I recommend running the full audit more frequently and after any major plugin or theme update.
What should you avoid when auditing?
Here are common pitfalls I see and what to avoid.
- Do not run updates directly on production without testing in staging first. You risk breaking live functionality.
- Do not trust a single security plugin to catch everything. Use a layered approach: hardening, monitoring, backups, and scanning.
- Avoid keeping unused plugins and themes installed even if deactivated. They can still be exploited.
- Do not ignore server-level issues. Security is not only within WordPress; your hosting environment matters.
- Avoid poor backup habits. Backups are useless if you never test them. I always test restores in staging as part of the audit routine, and I verify the restore path by practicing a full migration with a backup and migration workflow I have already proven, so I can recover quickly when it counts.
Quick checklist you can copy and run now
Use this condensed actionable checklist for a single audit session. I print this and follow it when I run audits.
- Backup site and test restore
- Clone to staging and run updates there
- Audit active plugins and remove unused ones
- Rotate admin passwords and enforce 2FA
- Run vulnerability scan and review results
- Check file permissions and wp-config.php
- Review scheduled tasks and database users
- Test SSL and security headers
- Monitor logs and set alerts
- Purge cache, re-scan, and document changes
Frequently Asked Questions
How long does a WordPress security audit take?
It depends on site size and complexity. A basic audit can take 1 to 3 hours. A thorough audit with code review, server checks, and restoration tests usually takes 4 to 8 hours. For e-commerce sites plan a full day and a maintenance window.
Can I run the audit myself or hire a professional?
You can run the basic checks yourself if you follow a checklist and test in staging. However, for deep code review, threat hunting, or compliance audits I recommend hiring a security professional or agency. I combine in-house checks with annual third-party audits for peace of mind.
Which plugins do you recommend for security scanning?
I use a combination of a reputable malware scanner, a WAF at the host or CDN layer, and hardening plugins for 2FA and login protection. Do not rely on any single vendor. Test how each plugin affects performance and compatibility in staging.
How do I practice restoring from backups?
Set up a staging site and perform a full restore from your latest backup there. Verify functionality, database integrity, and media files. I also occasionally perform a local restore so I can test restore speed and reliability offsite. When I practiced restores it taught me to automate backup rotation and retention policies so restores are reliable during an incident.
Is monitoring enough to prevent attacks?
Monitoring helps you detect attacks faster but it does not prevent them. Prevention requires hardening, patching, least privilege, and network protections. Monitoring simply reduces time to detect and respond which limits damage.
Final thoughts
To summarize, a WordPress security audit is a mix of preparation, automated scans, manual inspection, and verification. In addition to hardening, you must practice restores and document every action. Security is not a one-time task; it is an ongoing process that gets easier when you make it repeatable.
If you follow this checklist and build it into a quarterly routine you will dramatically reduce risk and recover faster when things go wrong. As you know, the cost of prevention is always lower than the cost of cleanup.