How to run a WordPress website security audit: includes a full checklist for 2023

Performing a WordPress website security audit is an essential step in safeguarding your site. In this article, we will walk you through the process of conducting a WordPress security audit by following our handy checklist, which will help you keep your site safe from hackers in 2023. Once you have completed your first audit, open up your calendar and schedule one for every quarter so that you stay on top of your website’s security and keep ahead of malicious hackers.

Taking these steps will not guarantee that your site will never get hacked. However, these measures make it more difficult for hackers to break into your site and cause problems for you and your customers.

What is a WordPress security audit?

An audit is an official inspection or examination of an individual or organization’s accounts that an independent entity typically conducts to ensure that the reports comply with the law. When you audit your WordPress installation, you are putting yourself in the shoes of a potential hacker so you can sniff out potential vulnerabilities and mitigate them before a hacker gets the chance to exploit them.

We will use a checklist and make a thorough examination of the security features of your WordPress website so that you can do everything possible to stay ahead of cyberattacks that could harm your site.

If you feel that the security of your online business would be better placed in the hands of WordPress experts, allow the website security specialists at FreshySites to handle it for you. With more than 300 five-star Google reviews, we offer top-tier website support and maintenance plans, so you can feel secure in the knowledge that your website is safe in the hands of industry-leading WordPress security experts. Contact us today to get a quote for our services.

How to perform a WordPress security audit

You will need to set aside some time, which will vary depending on the size of your website, to run through the WordPress security audit checklist. Ideally, you would conduct your audit at a time when you can complete all the tasks in the same sitting, ensuring that you finish the project. Also, ideally, you would perform the audit at a time when site traffic is low, and you should still put up a page warning visitors that the site is temporarily down for maintenance.

You can print a copy of the audit checklist included in this article to check off each task as you do it, and then add a note to your website maintenance calendar so that you can track your audits over time.

If you would rather leave this tedious task to the team of WordPress website maintenance specialists at FreshySites, we support our customers by managing the security and support of their WordPress websites so they can focus on revenue-generating activities.

Now, let’s look at some tools that can make your WordPress website security audit process more effective.

Five tools for scanning your WordPress website’s security status

  1. WPScan

    WPScan is a WordPress plugin that checks your installed themes and plugins against a vulnerability database and reports back about which of them might be leaving you open to attack. It will also send you vulnerability email alerts when it detects a problem in the daily scan.

  2. WP Activity Log

    The WP Activity Log plugin identifies suspicious activity on your website by monitoring your WordPress logs to protect you from malicious attacks. It keeps you informed of what the people who are logged in to your site are up to, so you can spot suspicious behavior and neutralize it quickly.

  3. Google Authenticator Plugin

    Because almost half a billion websites run on WordPress, the popular CMS is a target for hackers looking to steal customer data that they can resell. Brute-forcing the login page is one of the most common ways in which hackers break into WordPress sites, and requiring two-factor authentication for logging in is an effective way to thwart it. Two-factor authentication (2FA) is not available out of the box with WordPress, but you can enable it by installing the Google Authenticator Plugin. Once you have installed the free plugin, it will prompt you to choose from a menu of available authentication methods: security questions, push notifications, or a one-time password (OTP) delivered over email or through an app. Once the setup is complete, the next time you try to log in, you will be required to enter the code from the Google Authenticator app.

  4. SiteCheck by Sucuri

    SiteCheck is a WordPress plugin that will let you know if your website has been blacklisted, is running outdated software, themes, or plugins, or has been infected by malware. It is a scanner where you can type in your website’s URL, or you can install the plugin and run it from your dashboard.

  5. Detectify

    Detectify is a WordPress vulnerability scanner that tests for more than 500 vulnerabilities. In addition, this tool pulls research from an ethical hacking community to update its service with the latest security issues.

WordPress security audit checklist

  • Update WordPress software, themes, and plugins to the latest version

    Ensure that you are running the latest version of WordPress software, themes, and plugins because the outdated versions may contain vulnerabilities hackers are looking to exploit.

  • Change the default admin username and create strong passwords

    If you are still using “Admin” as your username, you have just cut the difficulty of brute force hacking in half. First, create a new admin username that contains a combination of upper and lowercase letters and numbers. Creating strong passwords that are at least eight characters long, using upper and lowercase letters, numbers, and special symbols, will make it more difficult for hackers to gain access to your site. However, two-factor authentication is a far more secure option.

  • Enable 2FA (two-factor authentication)

    2FA does not come with a WordPress install, but you can enable it by installing a plugin that requires anyone logging in to supply an authentication code.

  • Change the default database prefix

    “wp_” is the default database table prefix on most WordPress sites. To improve security, you may want to change your website’s database prefix, which will thwart hackers who rely on the default table names to bring your site down and steal your data. Before you begin, make a full backup copy of your site and your database in case anything unexpected occurs. Watch this YouTube video with step-by-step instructions.

  • Hide the login page

    Hiding your WordPress login page helps protect your site from brute force attacks. You can install a plugin such as WPS Hide Login, which will handle it for you. Another option, which the WordPress Codex recommends, is to protect your WordPress login page using your .htaccess file. Making this change will require a separate username and password before the wp-admin page is even served, and it can also restrict access to your wp-admin page by IP address range.
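    The .htaccess approach described above, as an added example that is not taken from the WordPress Codex or from FreshySites. It assumes Apache 2.4, a password file created with `htpasswd` and stored outside the document root, and the placeholder address range 203.0.113.0/24 standing in for your own trusted range.

```apache
# Added example (not the Codex's or FreshySites' own configuration).
# Assumes Apache 2.4 with mod_authz_core, and a password file created beforehand:
#   htpasswd -c /etc/apache2/wp-login.htpasswd alice
# Keep that file OUTSIDE the web root so it can never be downloaded.

# --- in the site's top-level .htaccess ---
# wp-login.php is only served when BOTH conditions hold: the visitor
# supplies the extra HTTP Basic credential AND comes from the trusted range.
# Use <RequireAny> instead of <RequireAll> if you want either condition to suffice.
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /etc/apache2/wp-login.htpasswd
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.0/24
    </RequireAll>
</Files>

# --- in wp-admin/.htaccess ---
# Restrict the whole dashboard to the trusted range (placeholder range below).
Require ip 203.0.113.0/24

# Exception: front-end features and many plugins call admin-ajax.php and
# admin-post.php anonymously; blocking them breaks the public site, so
# these two files stay reachable while everything else in wp-admin stays closed.
<Files admin-ajax.php>
    Require all granted
</Files>
<Files admin-post.php>
    Require all granted
</Files>
```

    After saving the files, confirm from an address outside the range that wp-login.php returns a 401 or 403 and that the public pages still load, so a mistake locks out attackers rather than your visitors.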

  • Remove inactive users, outdated themes, and plugins

    Make sure that inactive users get deleted from your system along with themes and plugins that you are no longer using. Hackers scan these resources for vulnerabilities that they can exploit to access your site.

  • Establish a consistent backup routine

    Backing up your WordPress website should be a no-brainer. You should be running a WordPress backup plugin daily, especially if you add new content daily. Also, verify how often your web host runs backups of your website. Then, if your site gets hacked despite your best efforts, you can restore it from a backup copy.


In this article, we have defined a WordPress security audit and explained why you might want to run one on your website, and we offered instructions on how to perform one. Next, we outlined five tools you can use to determine the security status of your WordPress website. Finally, we included a security audit checklist that you can follow to ensure that you have completed all the necessary tasks each time.

One of the unfortunate drawbacks to being the most popular CMS (content management system) on the Internet is that WordPress websites become targets for hackers. So do not let all the time and energy you have invested in building your site go to waste.

Managing the security of your WordPress site is not something that you can put off until you find the time to do it. However, if you would rather invest your time attending to your customers’ needs, our WordPress website security experts at FreshySites are here to help you. We are already serving the WordPress maintenance, support, and security requirements of more than 1,000 sites. So contact us today to schedule a consultation and get a quote for our bespoke services.
