WordPress Maintenance Audit
FREE WordPress website audit overview.
WordPress security audit checklist.
1. Update Check
WordPress Core: Verify that the WordPress core is up to date (wp core check-update lists any pending release).
Plugins and Themes: Check every installed plugin and theme for available updates and confirm they are running the latest versions. Most published WordPress vulnerabilities are in plugins rather than core, so an out-of-date plugin is the most likely way in.
2. User Account Review
Administrator Accounts: Review all administrator accounts and confirm that only authorised users hold admin privileges (wp user list --role=administrator lists them). An administrator account nobody can account for is a strong indicator of an earlier compromise.
Username and Password Strength: Check the strength of all user passwords, especially administrators, and confirm the default "admin" username is not in use, since it is the first one brute-force tools try. Recommend strong, unique passwords where necessary and two-factor authentication for administrators.
Unused Accounts: Identify accounts that are no longer active or needed and remove them (WordPress can reassign their content to another user on deletion).
3. File Permissions Review
Ensure that file permissions are set correctly: directories at 755 and files at 644 as the usual baseline, with wp-config.php tighter (600 or 640) because it holds the database credentials. Nothing should be world-writable (777); a world-writable directory lets any process on the host drop a file that the web server will then execute. Stricter modes (750/640) are also fine where the web server runs as the owning user or group.
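The permission check above, as an added example that is not part of the original checklist: it reports deviations from the 755/644 baseline separately from world-writable paths, because the first list is often explained by hosting conventions while the second is always a finding. It assumes GNU find (for -printf and -perm /mode); the directory tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original checklist): audit a WordPress
# tree against the 755/644 baseline and list world-writable paths, which
# are always a finding. Assumes GNU find (-printf and -perm /mode). The
# directory tree built at the bottom is constructed for the demo.

# Paths that deviate from 755 (directories) / 644 (files). wp-config.php
# is exempt from the 644 rule because it should be tighter, never looser,
# so it gets its own check: no read access for "other".
perm_deviations() {
    find "$1" -type d ! -perm 755 -printf 'DIR  %m %p\n'
    find "$1" -type f ! -name wp-config.php ! -perm 644 -printf 'FILE %m %p\n'
    find "$1" -maxdepth 1 -type f -name wp-config.php -perm /o=r \
        -printf 'CONF %m %p (wp-config.php readable by everyone)\n'
}

# World-writable files or directories: any local user or compromised
# process can plant a file the web server will happily execute.
# Returns 1 when any exist so the function can gate a deployment job.
world_writable() {
    hits=$(find "$1" -perm /o=w -printf '%m %p\n')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# --- constructed demo tree ---------------------------------------------
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
printf '<?php\n' > "$demo/index.php"
printf '<?php\n' > "$demo/wp-config.php"
printf 'jpeg\n'  > "$demo/wp-content/uploads/photo.jpg"
chmod 755 "$demo" "$demo/wp-content"
chmod 777 "$demo/wp-content/uploads"                     # finding
chmod 644 "$demo/index.php" "$demo/wp-content/uploads/photo.jpg"
chmod 640 "$demo/wp-config.php"                          # acceptable

echo "== deviations from 755/644 =="
perm_deviations "$demo"
echo "== world-writable paths =="
world_writable "$demo" || echo "FAIL: fix the paths above"
rm -rf "$demo"
```

Run it as perm_deviations /var/www/html on a real site (path is an assumption) and read the two lists with the caveat above in mind: a 750 directory on a host where PHP runs as the file owner is not a problem, a 777 one always is.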
4. Review Security Settings
SSL Check: Ensure that HTTPS is implemented correctly across the entire site: a valid certificate, HTTP requests redirected to HTTPS, the WordPress Address and Site Address settings using https://, and no mixed-content warnings on the login and admin pages.
Database Prefix: Check whether the site still uses the default wp_ table prefix. A custom prefix only gets in the way of untargeted, automated attacks that hard-code table names; it does not prevent SQL injection, which can only be fixed in the vulnerable code, so treat it as a minor hardening step rather than a control.
Firewall and Security Plugins: Verify that a web application firewall or security plugin is installed and configured properly (login rate limiting, file integrity monitoring, malware scanning). Plugins that provide this kind of protection include Akeeba Admin Tools, Wordfence, Sucuri, and iThemes Security.
5. Check for Malware and Backdoors
Scan for Malware: Run a scan for malware and other malicious code, and compare the core files against the official checksums (wp core verify-checksums) so that any modified core file stands out.
Backdoor Checks: Look for unusual or suspicious files that could be used to regain access to the site: PHP files inside wp-content/uploads, files modified recently with no matching update, and code that uses eval, base64_decode, gzinflate or similar obfuscation. A cleaned site that still has a backdoor will simply be reinfected.
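The three backdoor checks named above, as an added example that is not part of the original checklist. It assumes GNU find and grep; the sample files it creates are constructed, and the "suspicious" one is inert (it only decodes and prints a string) and is never executed.

```shell
#!/bin/sh
# Added example (not part of the original checklist): three quick backdoor
# checks over a WordPress root. Assumes GNU find and grep. The sample files
# at the bottom are constructed; the "suspicious" one is inert and is
# never executed, only found.

# 1. PHP under wp-content/uploads. That tree should hold media only and is
#    the classic drop location for web shells uploaded through a plugin bug.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -iname '*.phar' \) \
        2>/dev/null
}

# 2. PHP modified in the last N days (default 7). Anything here that does
#    not line up with a known update deserves a diff against a clean copy.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}"
}

# 3. Common execution/obfuscation idioms. Some legitimate plugins use
#    base64_decode, so treat hits as leads to read, not verdicts.
#    \b keeps "retrieval(" from matching "eval(".
SUSPICIOUS='\b(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|str_rot13|system|passthru|shell_exec|popen|proc_open)[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\('
suspicious_php() {
    grep -rlE --include='*.php' "$SUSPICIOUS" "$1" 2>/dev/null
}

# --- constructed demo tree ---------------------------------------------
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads" "$demo/wp-includes"
printf '<?php\necho "front page";\n' > "$demo/index.php"
printf '<?php\nfunction wp_retrieval() { return 1; }\n' > "$demo/wp-includes/clean.php"
printf 'jpeg\n' > "$demo/wp-content/uploads/photo.jpg"
# constructed, inert stand-in for a dropped web shell
printf '<?php\necho base64_decode("aGVsbG8=");\n' > "$demo/wp-content/uploads/cache.php"

echo "== PHP in uploads =="
php_in_uploads "$demo"
echo "== PHP changed in the last 7 days =="
recent_php "$demo"
echo "== suspicious code =="
suspicious_php "$demo"
rm -rf "$demo"
```

On a real site every file from check 1 is a finding until proven otherwise, check 2 is noise right after an update and gold the rest of the time, and check 3 needs a human to read each hit; wp core verify-checksums covers the core files that grep would otherwise flag for legitimate uses of these functions.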
6. Review wp-config.php File
Security Keys: Ensure that the security keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their four SALT counterparts) are present and not left at the "put your unique phrase here" placeholder. They are used to sign authentication cookies and nonces, not to encrypt user data; regenerating them (wp config shuffle-salts) logs every user out, which is exactly what you want after a suspected compromise.
File Location: Check where wp-config.php is located. WordPress also looks for it one directory above the web root, so it can be kept outside the public directory; if it stays in the web root, confirm that the web server refuses to serve it, because a misconfiguration that returns it as plain text exposes the database credentials. While the file is open, check that DISALLOW_FILE_EDIT is set to true so the dashboard theme and plugin editor cannot be used to plant code, and that WP_DEBUG is off on production.
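The keys-and-salts check and the two constant checks above, as an added example that is not part of the original checklist. It assumes the values are single-quoted on one line each, as the installer writes them; the wp-config.php it inspects is constructed, with one placeholder key and one missing salt.

```shell
#!/bin/sh
# Added example (not part of the original checklist): inspect a
# wp-config.php for the eight security keys/salts, flagging any that are
# missing or still the installer placeholder, then check two hardening
# constants. Assumes one define() per line with single-quoted values, as
# the installer writes them. The config at the bottom is constructed.

KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One "KEY: status" line per key. Values from api.wordpress.org are 64
# characters; anything under 32 is treated as hand-typed and weak.
check_salts() {
    cfg=$1
    for k in $KEYS; do
        # pull the single-quoted second argument of define('KEY', '...')
        val=$(sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$k['\"][[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$cfg")
        if [ -z "$val" ]; then
            echo "$k: missing"
        elif [ "$val" = "put your unique phrase here" ]; then
            echo "$k: placeholder"
        elif [ "${#val}" -lt 32 ]; then
            echo "$k: short (${#val} chars)"
        else
            echo "$k: ok"
        fi
    done
}

# Hardening constants worth confirming while the file is open.
check_constants() {
    cfg=$1
    grep -qE "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$cfg" \
        && echo "DISALLOW_FILE_EDIT: set" \
        || echo "DISALLOW_FILE_EDIT: not set (dashboard code editor enabled)"
    grep -qiE "define\([[:space:]]*['\"]WP_DEBUG['\"][[:space:]]*,[[:space:]]*true" "$cfg" \
        && echo "WP_DEBUG: true (disable on production; errors can leak paths)" \
        || echo "WP_DEBUG: off"
}

# --- constructed wp-config.php: one placeholder, NONCE_SALT missing ------
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
<?php
define('DB_NAME', 'wp');
define('AUTH_KEY',         'k8#Qz!v2Lp^mW4r&Tn7@Hs9$Jd3*Fg6(');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'Bc1)Xy5-Ue0_Ai~Oq+Nw=Ml,Zb.Vx;Rt2');
define('NONCE_KEY',        'p4L]Gh8{Cw6}Ys1<Kd9>Ez3/Qv7?Xn5|');
define('AUTH_SALT',        'm2R!Tb5@Vc8#Wn1$Yq4%Zs7^Ae0&Bf3*');
define('SECURE_AUTH_SALT', 'h6U(Jk9)Lm2-Np5_Oq8+Pr1=St4,Uv7.');
define('LOGGED_IN_SALT',   'c3X;Dz6:Ey9/Fa2?Gb5!Hc8@Id1#Je4$');
define('DISALLOW_FILE_EDIT', true);
EOF

check_salts "$cfg"
check_constants "$cfg"
rm -f "$cfg"
```

Any line other than "ok" for a key means the fix is the same: replace all eight with fresh values (wp config shuffle-salts, or paste the output of https://api.wordpress.org/secret-key/1.1/salt/), and tell the site owner that everyone will be logged out.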
7. Audit .htaccess for Security Enhancements
Check the security rules in the .htaccess file (Apache; on nginx the equivalent directives live in the server block): protecting system files such as wp-config.php and .htaccess itself, disabling directory browsing (Options -Indexes), and blocking PHP execution in directories that should only contain uploads, in particular wp-content/uploads. Also confirm that the "# BEGIN WordPress" rewrite block has not been altered, since injected redirects are often hidden there.
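A hardened .htaccess pair for the three rules above, plus a checker for an existing file, as an added example that is not part of the original checklist. The rules use Apache 2.4 syntax (Require all denied); the checker also accepts the 2.2 form (Deny from all). The site tree it builds is constructed.

```shell
#!/bin/sh
# Added example (not part of the original checklist): emit a hardened
# .htaccess for the site root and another for wp-content/uploads (Apache
# 2.4 syntax), and report which expected protections an existing root
# .htaccess lacks. The site tree used at the bottom is constructed.

# Rules for the site root. They belong outside WordPress' own
# "# BEGIN WordPress" block, which WordPress rewrites on its own.
root_rules() {
    cat <<'EOF'
# Disable directory listings
Options -Indexes

# Files that must never be fetched over HTTP
<FilesMatch "^(wp-config\.php|\.htaccess|readme\.html)$">
    Require all denied
</FilesMatch>
EOF
}

# Rules for wp-content/uploads: media only, never executable code.
uploads_rules() {
    cat <<'EOF'
# Refuse to serve or execute any PHP-like file dropped into uploads
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Print one "missing: ..." line per absent protection; returns 1 if any.
# Heuristic on purpose: it looks for the directives, not for exact text.
check_root_htaccess() {
    f=$1; missing=0
    grep -qiE '^[[:space:]]*Options[[:space:]].*-Indexes' "$f" \
        || { echo "missing: Options -Indexes (directory browsing allowed)"; missing=1; }
    grep -qi 'wp-config' "$f" && grep -qiE 'Require all denied|Deny from all' "$f" \
        || { echo "missing: deny rule for wp-config.php"; missing=1; }
    return $missing
}

check_uploads_htaccess() {
    f=$1
    [ -f "$f" ] && grep -qi 'php' "$f" && grep -qiE 'Require all denied|Deny from all' "$f" \
        || { echo "missing: PHP execution block in wp-content/uploads"; return 1; }
    return 0
}

# --- constructed site tree ----------------------------------------------
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
root_rules    > "$demo/.htaccess"
uploads_rules > "$demo/wp-content/uploads/.htaccess"
printf 'Options +Indexes\n' > "$demo/weak.htaccess"      # constructed weak file

echo "== hardened root .htaccess =="
check_root_htaccess "$demo/.htaccess" && echo "all expected rules present"
echo "== uploads .htaccess =="
check_uploads_htaccess "$demo/wp-content/uploads/.htaccess" && echo "PHP blocked in uploads"
echo "== weak .htaccess =="
check_root_htaccess "$demo/weak.htaccess" || echo "-> fix before go-live"
rm -rf "$demo"
```

Two caveats when applying the rules: they only take effect if the virtual host allows them (AllowOverride must permit Options and Limit), so test with a request for /wp-config.php after deploying; and do not add xmlrpc.php to the deny list without checking, because Jetpack and the mobile apps depend on it, so rate-limit it instead.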
8. Plugins and Themes Security Review
Nulled Plugins/Themes: Check that no nulled (pirated) plugins or themes are installed; they are a common source of malware and cannot receive updates from the vendor.
Unused Plugins/Themes: Identify plugins and themes that are installed but not active and remove them, to minimise potential entry points. Deactivated code still sits on disk and its files can still be requested directly, so a vulnerability in an inactive plugin may remain exploitable.
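The update check from section 1, the administrator listing from section 2 and the inactive-extension check above, driven from WP-CLI, as an added example that is not part of the original checklist. live_audit() assumes WP-CLI is installed and is given the WordPress root; the CSV at the bottom is constructed in the shape wp plugin list --format=csv prints, so the parser can be exercised without a site.

```shell
#!/bin/sh
# Added example (not part of the original checklist): flag plugins and
# themes that have an update pending or are installed but inactive, from
# the CSV that WP-CLI prints, and list administrator accounts. live_audit()
# needs WP-CLI and a WordPress install; the CSV at the bottom is constructed
# so the parser can be exercised offline.

# Reads "name,status,update,version,update_version" rows on stdin (the
# --fields order used in live_audit) and prints one finding per line.
flag_extensions() {
    awk -F, 'NR > 1 {
        if ($3 == "available") printf "UPDATE   %s %s -> %s\n", $1, $4, $5
        if ($2 == "inactive")  printf "INACTIVE %s (remove if not needed)\n", $1
    }'
}

# Live run against a real site; $1 is the WordPress root (assumed path).
live_audit() {
    fields=name,status,update,version,update_version
    wp core check-update --path="$1"
    wp plugin list --fields="$fields" --format=csv --path="$1" | flag_extensions
    wp theme  list --fields="$fields" --format=csv --path="$1" | flag_extensions
    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --path="$1"
}

# --- constructed sample in the shape of `wp plugin list --format=csv` ----
sample_csv() {
    cat <<'EOF'
name,status,update,version,update_version
akismet,active,available,5.1,5.3
hello,inactive,none,1.7.2,
contact-form-7,active,none,5.9.8,
old-slider,inactive,available,2.0.1,2.4.0
EOF
}

sample_csv | flag_extensions
```

An entry that is both INACTIVE and UPDATE (old-slider in the sample) is the worst case: nobody is maintaining it on this site, yet its files are still reachable, so it should be deleted rather than updated.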
9. Logs Review
Examine the web server, authentication and WordPress activity logs for suspicious activity: repeated failed login attempts against wp-login.php or xmlrpc.php, admin actions at unusual times or from unfamiliar addresses, newly created administrator accounts, and unexpected changes in file sizes or types.
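The failed-login and xmlrpc.php part of the log review above, run over a combined-format access log, as an added example that is not part of the original checklist. It relies on one WordPress behaviour: a failed login POST to wp-login.php re-renders the form with a 200, while a successful one redirects with a 302. The log lines it processes are constructed; the threshold and the log path are arguments.

```shell
#!/bin/sh
# Added example (not part of the original checklist): summarise brute-force
# indicators from an access log in Apache/nginx combined format, per client
# IP. A failed wp-login.php POST returns 200 (form re-rendered with an
# error); a successful one returns 302. xmlrpc.php POST volume is counted
# separately because system.multicall lets one request try many passwords.
# The log at the bottom is constructed.

# login_failures_by_ip LOGFILE [THRESHOLD]   (threshold defaults to 10)
login_failures_by_ip() {
    awk -v thr="${2:-10}" '
        $6 == "\"POST" && $7 ~ /wp-login\.php/ && $9 == 200 { fail[$1]++ }
        $6 == "\"POST" && $7 ~ /xmlrpc\.php/                 { xmlrpc[$1]++ }
        END {
            for (ip in fail)
                if (fail[ip] >= thr)   printf "LOGIN-BRUTEFORCE %s %d failed POSTs\n", ip, fail[ip]
            for (ip in xmlrpc)
                if (xmlrpc[ip] >= thr) printf "XMLRPC-ABUSE     %s %d POSTs\n", ip, xmlrpc[ip]
        }' "$1" | sort
}

# Helper that writes one combined-format line: mklog IP METHOD PATH STATUS
mklog() {
    printf '%s - - [12/Mar/2024:02:14:07 +0000] "%s %s HTTP/1.1" %s 4312 "-" "Mozilla/5.0"\n' \
        "$1" "$2" "$3" "$4"
}

# --- constructed log: one attacker, one legitimate user, one xmlrpc flood --
log=$(mktemp)
{
    i=0; while [ $i -lt 12 ]; do mklog 203.0.113.7 POST /wp-login.php 200; i=$((i+1)); done
    mklog 198.51.100.20 POST /wp-login.php 200      # one typo...
    mklog 198.51.100.20 POST /wp-login.php 302      # ...then logged in
    mklog 198.51.100.20 GET  /wp-admin/ 200
    i=0; while [ $i -lt 15 ]; do mklog 203.0.113.9 POST /xmlrpc.php 200; i=$((i+1)); done
} > "$log"

login_failures_by_ip "$log" 10
rm -f "$log"
```

Cross-check any address this reports against the administrator list: a flood of failures followed by a single 302 from the same IP is a successful brute force, not just noise, and the account it logged into needs a password reset and a session purge.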
10. Backup and Recovery Check
Check that regular backups of the website (files and database) are being taken, that they are stored somewhere other than the web server itself, and that a tested restore procedure is in place. A backup that has never been restored is not a recovery plan.
11. Documentation and Reporting
Document all findings made during the audit.
Prepare a security audit report that outlines the issues found, their severity, and the recommended remediation for each.