The ultimate security audit checklist: 10 vital tasks to complete today

With the number of security threats plaguing website owners, staying on top of your site maintenance and protection should be of utmost importance. However, knowing which tasks to tackle, let alone prioritize, can be challenging.

This is why we highly recommend consistently performing a WordPress security audit on your website. Doing so will ensure that you won’t miss or overlook any critical steps. It also helps you cover all necessary bases to ensure your site is as safe as possible. 

In this post, we’ll provide you with a comprehensive list of ten must-do tasks, ranging from simple to complex, for a complete security audit checklist. Let’s get into it!

1. Make frequent backups

WordPress backups are vital parts of your website maintenance. If something goes wrong with your site, you’ll want to have an updated version of it to restore. Therefore, it’s essential to make sure that you have a backup solution in place.

Depending on your hosting provider, you may want to handle your backups through them. Alternatively, you could use a backup plugin such as UpdraftPlus:

UpdraftPlus backup plugin

For a complete solution, you may want to consider hiring a WordPress backup professional service, such as what we offer at FreshySites. We include off-site and offline backups, a backup schedule, and a support team to help you with restoring your site. 

The correct backup frequency for your site depends on a handful of factors. They include the complexity of your website, how often you update your content, and how much storage space you can allocate for your backups.

Regardless of which methods you use, it’s wise to test your backup solution as part of your security audit. This way, you’ll know if something isn’t working correctly before it’s too late. 

2. Update all of your software

Outdated software can introduce a plethora of security vulnerabilities to your website. Therefore, it’s important to consistently make sure your programs are updated.

In addition to WordPress core, the software also includes your plugins and themes. You can update them by navigating to Dashboard > Updates from your WordPress admin. 

Then, click on any relevant buttons such as Update Plugins:

WordPress updates on admin dashboard

However, what if you’re busy or think that checking and updating your WordPress regularly may be an issue? In that case, we recommend implementing automatic WordPress updates.

However, keep in mind that, occasionally, an update could cause a compatibility issue. Therefore, it’s essential to ensure everything is working correctly after you upgrade any software. 

3. Remove any unused plugins or themes

As we mentioned before, outdated plugins and themes are some of the weakest and easiest points for hackers to target. If the plugin or theme developers are not keeping the tools updated and well-maintained, there can be a slew of vulnerabilities. These can eventually become much more significant issues on your site.

As part of your WordPress security audit, take a look at both your installed plugins and themes. If there are any inactive or unused ones, it’s best to delete them.

It’s also wise to look for chances to consolidate your plugins. For example, you may remove some that serve the same function as others you have installed and activated. 

While conducting this process, you may come across a plugin or theme that you don’t recognize. Perhaps you installed it a long time ago or only wanted to try it for a certain period. This is a solid indicator that you no longer need to have it installed on your site.

Also, keep in mind that deleting plugins and themes doesn’t have to be permanent. If you ever need them in the future, you can always re-install them.

4. Review your users for suspicious accounts or activity

Similar to unused themes and plugins, stagnant or suspicious users on your WordPress admin team can introduce a whole host of issues. To prevent this from happening, it’s wise to review your users as part of your WordPress security audit.

You can find them by navigating to Users in your WordPress dashboard:

WordPress users on admin dashboard

Keep in mind that not every user needs admin-level access. For example, if you have multiple collaborators on your site, you may only need to grant them Author user roles. 

During your audit, check how many users have admin access. If there are any unnecessary administrators, you can lower their permission levels. 

Also, be sure that you recognize all users. If not, delete any unknown or suspicious profiles. 

5. Frequently change your passwords

Weak or generic passwords can make it easier for hackers to exploit your site. Therefore, every time you create a new user role in WordPress, we suggest using the Generate password feature. It can make a long and complex password that will be difficult to guess:

form to generate new password

You might fear that overly complicated passwords will be challenging to remember. If that’s the case, you can use a tool such as LastPass:

LastPass website

This platform will help you generate complex passwords with ease. In addition, you can use it to store your passwords safely, so you don’t have to remember them off the top of your head.

However, you shouldn’t stop there. To increase your security even further, you might consider changing your user passwords every few months.

6. Implement Two-Factor Authentication (2FA)

In addition to generating complex passwords, it’s also a good idea to implement 2FA. It requires users to authenticate login attempts with extra information, such as a PIN or app-generated code.

2FA adds another layer of security to your site. It makes it more difficult for cybercriminals to break into your website.

There are a handful of tools that you can use for 2FA. A popular plugin we recommend is Jetpack:

Jetpack plugin

This free tool can help you secure WordPress login access by requiring an authentication token. That way, even if hackers guess your username and password, they will still need the extra code.

7. Limit login attempts

By default, WordPress does not limit the number of failed login attempts a user can make. This is a leading cause behind brute-force attacks. Unfortunately, the WordPress setting makes it easier for hackers to continuously try to access your site with limitless password combinations. 

To prevent this from happening, we recommend limiting login attempts as part of your security audit. There are many tools you can use to do this, such as Limit Login Attempts Reloaded:

Limit login attempts

When you limit login attempts, you control how many tries a user gets before being locked out from your site. Furthermore, many tools will also keep track of the usernames or IP addresses of people with too many failed attempts. This makes it easier to add them to a blocklist. 
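
The counting that such tools perform can also be run after the fact over a web-server access log, to see which IP addresses would have been locked out. This is an added example, not code from this post or from any plugin. It assumes combined log format and that a failed WordPress login shows up as a POST to wp-login.php answered with status 200 (a successful login redirects with 302); the log lines, threshold and time window are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip, timestamp, method, path, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def _line(ip, hhmmss, status):
    """Build one constructed access-log line (sample data, not a real log)."""
    return (f'{ip} - - [12/Mar/2024:{hhmmss} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 4512 "-" "Mozilla/5.0"')

# Constructed sample; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"10:00:{s:02d}", 200) for s in range(0, 60, 10)]  # 6 failures in a minute
    + [_line("198.51.100.20", "10:02:00", 200),   # one mistyped password...
       _line("198.51.100.20", "10:02:30", 302)]   # ...then a successful login
    + [_line("192.0.2.44", f"{h:02d}:15:00", 200) for h in range(11, 16)]    # 5 failures, an hour apart
)

def failed_logins(log_text):
    """Yield (ip, timestamp) for every POST to wp-login.php answered with 200."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, method, path, status = m.groups()
        is_login = path.split("?")[0].endswith("/wp-login.php")
        if method == "POST" and is_login and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def lockout_candidates(log_text, max_attempts=4, window=timedelta(minutes=5)):
    """Return {ip: largest burst} for IPs with more than max_attempts failures in any window."""
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            burst = end - start + 1
            if burst > max_attempts:
                flagged[ip] = max(flagged.get(ip, 0), burst)
    return flagged

if __name__ == "__main__":
    for ip, burst in lockout_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {burst} failed logins within 5 minutes")
```

Only the address with six failures in one minute is flagged; the single typo followed by a successful login and the failures spread an hour apart stay below the threshold.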

8. Install a WordPress security plugin

Another vital aspect of site security is a WordPress security plugin. Of course, this tool shouldn’t be your all-in-one solution. However, if you choose the right one, it can go a long way in helping to safeguard your website.

If you already use a security plugin, check to ensure it is updated and working correctly. If you don’t yet have one, it’s smart to look for an add-on that is widely used, actively maintained, and provides a range of essential features and tasks.

An example of this is Sucuri Scanner:

Sucuri plugin

With this tool, you can handle a variety of critical security-related projects. They include malware scanning, file monitoring, and auditing. 

9. Install a Secure Sockets Layer (SSL) certificate on your website

If you haven’t done so already, we strongly recommend installing an SSL certificate on your website. It enables a secure, HyperText Transfer Protocol Secure (HTTPS) connection. As such, it helps protect your data.

Most hosting providers include them with their plans. However, you can also get a free SSL certificate from a certificate authority such as Let’s Encrypt:

Let's Encrypt website

If you already have an SSL certificate installed on your website, make sure it is valid and up to date. If your certificate is issued and handled through your host, they’ll likely renew it for you.
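
One way to run the "valid and up to date" check as part of the audit, as an added example that is not part of the original post: fetch the certificate over a fully verified connection, then report how long it has left and whether it covers the hostname. The 14-day warning threshold, the function names and the sample certificate values are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

def fetch_certificate(host, port=443, timeout=5.0):
    """Connect with full verification and return the peer certificate as a dict.
    Raises ssl.SSLCertVerificationError if the chain, hostname or dates are invalid."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def expiry_status(cert, now=None, warn_days=14):
    """Classify a getpeercert()-style dict; returns (state, whole days remaining)."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    remaining = not_after - now
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining <= timedelta(days=warn_days):
        state = "renew-soon"   # automatic renewal may have stopped working
    else:
        state = "ok"
    return state, remaining.days

def covers_host(cert, host):
    """True if a DNS subjectAltName matches host (wildcard covers one label only)."""
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "notAfter": "Jun  1 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    audit_time = datetime(2025, 5, 22, 12, 0, tzinfo=timezone.utc)  # constructed "today"
    print(expiry_status(SAMPLE_CERT, now=audit_time), covers_host(SAMPLE_CERT, "www.example.com"))
```

For a live site, pass the result of `fetch_certificate("your-domain")` to the same two functions; a verification error raised by the fetch is itself an audit finding.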

10. Review your hosting provider and plan

Your hosting provider plays a pivotal role in both your website’s performance and its security. When conducting your security audit, it’s a good idea to review your current hosting plan. You can assess whether the services and solutions are on par with your specific needs.

For example, many startups and small to medium-sized websites opt for shared hosting due to its low cost. However, these plans require you to share resources with other sites, which can be a security risk. 

As your website grows, you may want to consider upgrading to a higher plan, such as managed or dedicated hosting. In addition, evaluate your current provider’s offerings to determine whether there are premium security add-ons worth purchasing. 


Keeping your WordPress website secure is not an easy task, but it is an important one. Fortunately, you can take some simple steps to safeguard your site and minimize the risk of an attack.

As we discussed in this article, we recommend regularly performing a WordPress security audit. By following our ten-point checklist, you will be taking the necessary preventative measures to help keep malicious threats at bay.

Do you need help staying on top of your WordPress security? At FreshySites, we offer a range of services and solutions that can keep your site protected year-round. Reach out to us today to learn more about how we can assist with everything from web design to web security!
