WordPress: Health Check



  • Site free of malware. We scan the site for malware, backdoors, trojans, or other malicious scripts.

  • Site not listed on blacklists. We review the following blacklists to ensure your site is not listed:

    • McAfee Site Advisor

    • Norton SafeWeb

    • etc.

  • Google transparency report clear. Google’s safe browsing transparency report can often indicate problems.

  • Database free of malware. We review your database for injected spam or malware.

  • No suspicious logins. We look for logins that appear to be from suspicious locations.

  • No successful malware accesses. We look for any successful access to malware in the available log files.

  • Adequate log files available. We look for at least 30 days of log files. We would recommend that you store up to 12 months of log files if possible.

  • No publicly available log files. We look for any log files, debugging logs, or error logs that are publicly available.

  • No publicly available phpinfo files. We look for any publicly accessible files that call the phpinfo() function. These files can give attackers too much information about the server configuration.

  • Site content not at risk for blacklist. Some site content, such as pharmaceutical, fashion, or other highly competitive niches, can be at risk of erroneous blacklisting.

  • No advertising networks. Some advertising networks do not monitor their ad stock well and can be a source of malware served to site visitors. While the site itself is not compromised, an ad network can be a security risk if it is not effectively managed.

  • SSL installed and configured correctly. We look to see that the site has an SSL certificate installed and configured correctly. SSL certificates ensure that site traffic between your server and your site visitors is encrypted.

WordPress Core

  • WordPress updated. Keeping WordPress updated to the most current version ensures all security fixes are installed.

  • WordPress auto-updates are allowed. We recommend allowing security patches to be automatically applied.

  • wp-config.php is secured. We look for the authentication keys and salts within wp-config.php and ensure the file is set with adequate permissions. This file contains database credentials and requires additional security measures.

  • wp-admin file editing disallowed. If your site is not actively in development, disallowing file editing in wp-config.php limits the damage that can be done if an administrative login is compromised.
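The three wp-config.php checks above (unique keys and salts, file permissions, and file editing disallowed) can be automated. The following is an added example, not part of the original checklist or of WordPress itself: it parses define() calls from a wp-config.php body, flags the placeholder value shipped in wp-config-sample.php, and reports the other weak settings. The sample configs are constructed for illustration.

```python
import re
import secrets
import stat

# The eight keys/salts that wp-config-sample.php ships with a placeholder value.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"

# Matches define( 'NAME', value ); with single-quoted, double-quoted or bare values.
DEFINE_RE = re.compile(
    r"""define\(\s*['"]([A-Z0-9_]+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|([\w.]+))\s*\)""")

def parse_defines(source: str) -> dict:
    """Map every define()d constant name to its value text."""
    return {name: (sq or dq or bare) for name, sq, dq, bare in DEFINE_RE.findall(source)}

def audit_wp_config(source: str, mode: int) -> list:
    """Return findings for a wp-config.php body and its file mode; an empty list passes."""
    d = parse_defines(source)
    findings = []
    for key in SALT_KEYS:
        value = d.get(key)
        if value is None:
            findings.append(f"{key}: missing")
        elif value == PLACEHOLDER or len(value) < 32:
            findings.append(f"{key}: placeholder or too short")
    if d.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT: not true, wp-admin file editor is enabled")
    if d.get("WP_AUTO_UPDATE_CORE", "").lower() == "false":
        findings.append("WP_AUTO_UPDATE_CORE: automatic core updates disabled")
    if d.get("WP_DEBUG_LOG", "").lower() == "true":
        findings.append("WP_DEBUG_LOG: writes wp-content/debug.log, check it is not web-readable")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {oct(mode & 0o777)}: group/world can read wp-config.php")
    return findings

# Constructed sample: a config left close to the wp-config-sample.php defaults.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wp_demo' );
define( 'AUTH_KEY',        'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'WP_DEBUG_LOG', true );
"""

def hardened_config() -> str:
    """Constructed passing config: fresh 64-char random salts and file editing disabled."""
    lines = [f"define( '{k}', '{secrets.token_urlsafe(48)}' );" for k in SALT_KEYS]
    lines.append("define( 'DISALLOW_FILE_EDIT', true );")
    return "<?php\n" + "\n".join(lines) + "\n"
```

Run audit_wp_config() on the file contents together with the mode from os.stat(); a 0o600 file with the hardened config yields no findings, while the weak sample yields eleven.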

Themes and Plugins

  • Only utilized themes installed. We recommend that you do not have extraneous themes installed.

  • All themes updated and actively maintained. We check to ensure that the theme(s) installed are updated and are actively maintained by their developers.

  • Theme core files unmodified. Modifying theme files is not recommended. If you need to make changes, use a child theme.

  • No high risk theme functions installed. We look for high risk theme functionality such as uploading scripts, remote tunnel access, etc.

  • Only utilized plugins installed. We recommend that you do not have extraneous plugins installed.

  • All plugins updated and actively maintained. We check to ensure that all plugins, both premium and those from the WordPress.org repository, are updated to their current versions. We check whether plugin development appears to be abandoned, and we check that installed plugins have been updated within the last 2 years.

  • No high risk plugins installed. We look for functions within plugins that might allow for uploading, administrative tunnels, etc.

  • No redundant plugins. We look for plugins that may have overlapping functionality.

Administrative Accounts

  • Valid administrative users. We check to see that administrative users appear to be valid.

  • Administrative user emails. We ensure administrative users have email addresses.

  • No extraneous admin users. We check to see if there is an inordinate number of administrative users. We recommend limiting administrative access and using contributor, editor, store manager, and other user roles where they suffice.

  • Password audit. We check to see that all passwords appear to be strong and unique.

  • Multisite network administration. If your site is a multisite installation, we ensure that you have network administrative capabilities.

  • Unique ID for administrators. We evaluate whether administrators appear to have unique user IDs and that logins are not shared. Each user should have their own login for PCI compliance.

  • No public transaction or error logs. We check for any public transaction or error logs that might provide attackers information about your site configuration.