WordPress Security Audit


A thorough 31-point audit of the security of your WordPress website.

We audit your WordPress website to ensure it meets necessary but often overlooked cybersecurity best practices, including the following:

  1. Scan the site for malware, backdoors, trojans, or other malicious scripts.

  2. Review blacklists to ensure your site is not listed.

  3. Check the site's status in Google's Safe Browsing Transparency Report.

  4. Review your database for spam or malware.

  5. Review login records for logins from suspicious locations.

  6. Look for successful requests to known malicious files in the available log files.

  7. Confirm adequate log files are available and retained long enough to investigate an incident.

  8. Scan for any log files, debugging logs, or error logs that are publicly accessible.

  9. Verify that no publicly accessible file calls phpinfo(), which discloses server configuration.

  10. Verify site content is not at risk of blacklisting.

  11. Avoid advertising networks that inject unvetted third-party scripts into your pages.

  12. Verify TLS (SSL) is installed and configured correctly, with HTTPS enforced site-wide.

  13. Confirm WordPress core and plugins are up to date.

  14. Confirm WordPress auto-updates are enabled.

  15. Secure wp-config.php with unique authentication keys and salts, and restrict its file permissions.

  16. Confirm file editing from wp-admin is disallowed. If your site is not actively in development, setting DISALLOW_FILE_EDIT in wp-config.php removes the theme and plugin file editors, limiting the damage that can be done with a compromised administrative login.

  17. Verify that only themes in use are installed.

  18. Confirm all themes are updated and actively maintained.

  19. Confirm theme files are unmodified from their upstream releases.

  20. Verify no high-risk theme functions are present.

  21. Verify that only plugins in use are installed.

  22. Confirm all plugins are updated and actively maintained.

  23. Verify no high-risk plugins are installed.

  24. Avoid redundant plugins that duplicate functionality.

  25. Validate administrative users.

  26. Ensure administrative users have valid email addresses.

  27. Confirm there are no extraneous admin users.

  28. Complete a password strength audit.

  29. Confirm multisite network administration is configured correctly, where multisite is in use.

  30. Verify each administrator uses a unique account rather than a shared login.

  31. Check for publicly accessible transaction or error logs.
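The wp-config.php and exposed-file checks behind items 8, 9, 15 and 16, as an added shell example that is not part of the original page or of the audit service described: it runs statically against a local WordPress install directory, assumes the standard layout (wp-config.php in the web root, logs under wp-content/) and a web server that serves anything under that root unless explicitly blocked, and the two fixture directories it builds are constructed for illustration. The finding codes it prints are the script's own names, not WordPress terminology.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: static spot-checks for audit
# items 8, 9, 15 and 16 against a local WordPress install. Assumes the
# standard layout (wp-config.php in the web root, logs under wp-content/)
# and a web server that serves any file under that root unless blocked.

# Print one finding per line as "<CODE> <detail>" for the install at $1.
wp_audit() {
  local root="$1" cfg="$1/wp-config.php" k mode f
  [ -f "$cfg" ] || { echo "NO_CONFIG $cfg"; return 0; }

  # Item 15: all eight keys/salts defined, none left at the sample placeholder.
  for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
           AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    if ! grep -Eq "define\([[:space:]]*'$k'" "$cfg"; then
      echo "SALT_MISSING $k"
    elif grep -E "define\([[:space:]]*'$k'" "$cfg" | grep -q 'put your unique phrase here'; then
      echo "SALT_DEFAULT $k"
    fi
  done

  # Item 15: wp-config.php must not be readable by "other" (last mode digit).
  mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
  case $mode in
    *0) ;;
    *)  echo "CONFIG_WORLD_READABLE $mode" ;;
  esac

  # Item 16: the editors are only removed by an explicit DISALLOW_FILE_EDIT true.
  grep -Eiq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg" \
    || echo "FILE_EDIT_ALLOWED wp-config.php"

  # Item 8: WP_DEBUG_LOG=true writes wp-content/debug.log inside the web root,
  # and any log already sitting in the first two directory levels is reachable.
  grep -Eiq "define\([[:space:]]*'WP_DEBUG_LOG'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg" \
    && echo "DEBUG_LOG_IN_WEBROOT wp-content/debug.log"
  find "$root" -maxdepth 2 -type f \( -name '*.log' -o -name 'error_log' \) |
    while IFS= read -r f; do echo "LOG_FILE_IN_WEBROOT ${f#"$root/"}"; done

  # Item 9: stray phpinfo() scripts outside the core directories (plugins and
  # themes sit deeper than two levels and are deliberately not scanned here).
  find "$root" -maxdepth 2 -type f -name '*.php' \
       ! -path "$root/wp-admin/*" ! -path "$root/wp-includes/*" \
       -exec grep -lE 'phpinfo[[:space:]]*\(' {} + |
    while IFS= read -r f; do echo "PHPINFO_SCRIPT ${f#"$root/"}"; done
}

# Constructed fixture: a deliberately weak install that trips every check.
make_weak_fixture() {
  local root="$1"
  mkdir -p "$root/wp-content" "$root/wp-includes"
  cat > "$root/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
EOF
  chmod 644 "$root/wp-config.php"
  : > "$root/wp-content/debug.log"
  printf '<?php phpinfo();\n' > "$root/info.php"
}

# Constructed fixture: the same install after hardening; wp_audit prints nothing.
make_hardened_fixture() {
  local root="$1" k secret
  mkdir -p "$root/wp-content"
  printf '<?php\n' > "$root/wp-config.php"
  for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
           AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    # 64 random characters each (WordPress's secret-key service is the usual source).
    secret=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64)
    printf "define( '%s', '%s' );\n" "$k" "$secret" >> "$root/wp-config.php"
  done
  cat >> "$root/wp-config.php" <<'EOF'
define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' ); // path outside the web root
EOF
  chmod 600 "$root/wp-config.php"
}

demo=$(mktemp -d)
make_weak_fixture "$demo/weak"
make_hardened_fixture "$demo/hardened"
echo "== weak =="; wp_audit "$demo/weak"
echo "== hardened =="; wp_audit "$demo/hardened"
rm -rf "$demo"
```

Run it on the host that serves the site, not over the network: the malware scan, blocklist and Safe Browsing items need external services and are outside what a static check can cover. The permission check flags any file readable by "other"; where the hosting setup allows, WordPress hardening guidance goes further (440 or 400 on wp-config.php), and the debug-log check only proves the file is inside the web root, not that the web server fails to block it.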