WordPress Security Audit


A thorough 30-point audit of the security of your WordPress website.

We audit your WordPress website to ensure it meets necessary but often overlooked cybersecurity best practices, including the following:

  1. Scan the site for malware, backdoors, trojans, or other malicious scripts.

  2. Review blacklists to ensure your site is not listed.

  3. Check the site's status in Google's Safe Browsing transparency report.

  4. Review your database for spam or injected malware.

  5. Look for logins that appear to be from suspicious locations.

  6. Look in the available log files for successful requests to malicious files (for example, an uploaded web shell being called).

  7. Confirm adequate log files are available (web server access and error logs, with enough retention to investigate an incident).

  8. Scan for any log files, debugging logs, error logs, or transaction logs that are publicly accessible. WordPress's own debug.log is written under wp-content and is served like any other file unless the web server blocks it.

  9. Verify no publicly accessible file calls phpinfo(), which discloses the PHP version, configuration, file paths, and environment variables.

  10. Verify site content is not at risk of blacklisting.

  11. Avoid advertising networks, or review any in use; third-party ad scripts are a common route for malicious content to reach visitors.

  12. Verify an SSL/TLS certificate is installed and configured correctly (valid, unexpired chain; HTTPS enforced; no mixed content).

  13. Confirm WordPress core and plugins are updated.

  14. Confirm WordPress auto-updates are enabled and not switched off with AUTOMATIC_UPDATER_DISABLED in wp-config.php.

  15. Secure wp-config.php with unique authentication keys and salts and restrictive file permissions (not readable by other users on the server).

  16. Disallow file editing in wp-admin. If your site is not actively in development, setting define('DISALLOW_FILE_EDIT', true); in wp-config.php removes the built-in theme and plugin editor and limits the damage that can be done if an administrative login is compromised.

  17. Verify only themes in use are installed.

  18. Confirm all themes are updated and actively maintained.

  19. Confirm theme core files are unmodified.

  20. Verify no high-risk theme functions are installed.

  21. Verify only plugins in use are installed.

  22. Confirm all plugins are updated and actively maintained.

  23. Verify no high-risk plugins are installed.

  24. Avoid redundant plugins.

  25. Validate administrative users.

  26. Ensure administrative users have valid email addresses.

  27. Confirm there are no extraneous admin users.

  28. Complete a password strength audit.

  29. Confirm multisite network administration is correctly configured, if multisite is enabled.

  30. Verify each administrator has a unique account (no shared logins and no default 'admin' user).
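The configuration checks behind items 8, 9, 14, 15 and 16 can be run offline against a copy of the web root. The script below is an added example, not the audit service's tooling or WordPress code: it builds two constructed sample web roots (one with the weak settings, one corrected) and audits each. The layout it assumes (wp-config.php at the web root, debug.log under wp-content) is the WordPress default; the key values in the hardened config are made-up placeholders.

```shell
#!/bin/sh
# Added example, not the audit service's own tooling: an offline check of a
# WordPress web root for items 8, 9, 14, 15 and 16 of the list above.
# Both sample web roots built below are constructed for illustration.

# A web root with the weak settings the audit looks for.
make_weak_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content"
  cat > "$d/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('AUTOMATIC_UPDATER_DISABLED', true);
EOF
  chmod 644 "$d/wp-config.php"                 # readable by every local user
  echo '[01-Jan-2024 00:00:00 UTC] PHP Notice: Undefined index: id' > "$d/wp-content/debug.log"
  printf '<?php phpinfo();\n' > "$d/info.php" # forgotten developer file
  echo "$d"
}

# The corrected counterpart. The key values are made-up placeholders; real
# ones come from https://api.wordpress.org/secret-key/1.1/salt/
make_hardened_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content"
  cat > "$d/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',        'x7Qm2pLf9vRtB4wZ1shK8nD0yG5cEaUj');
define('SECURE_AUTH_KEY', 'Vb3NqT6rYw9ZcL2mFk8HsJ4dP0eXgA1i');
define('DISALLOW_FILE_EDIT', true);
define('WP_DEBUG', false);
EOF
  chmod 640 "$d/wp-config.php"                 # owner and web server group only
  echo "$d"
}

# audit_wp_site WEBROOT: prints one "FAIL: ..." line per finding.
audit_wp_site() {
  root=$1
  cfg=$root/wp-config.php

  # 16. The wp-admin theme/plugin editor must be disabled. The '.' in the
  #     pattern stands in for either quote character around the constant.
  grep -Eq "define\( *.DISALLOW_FILE_EDIT. *, *true *\)" "$cfg" ||
    echo "FAIL: DISALLOW_FILE_EDIT is not true; wp-admin can edit PHP files"

  # 15. Keys and salts must not be the placeholder from wp-config-sample.php.
  ! grep -q 'put your unique phrase here' "$cfg" ||
    echo "FAIL: authentication keys/salts still use the default placeholder"

  # 15. wp-config.php must not be accessible to 'other' (GNU stat, BSD fallback).
  perm=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")
  case $perm in
    *0) ;;
    *)  echo "FAIL: wp-config.php mode $perm is world-accessible" ;;
  esac

  # 14. Automatic updates must not be switched off globally.
  ! grep -Eq "define\( *.AUTOMATIC_UPDATER_DISABLED. *, *true *\)" "$cfg" ||
    echo "FAIL: AUTOMATIC_UPDATER_DISABLED is true; core will not self-update"

  # 8. WP_DEBUG_LOG writes wp-content/debug.log, which the web server serves
  #    like any other file unless it is explicitly blocked.
  [ ! -f "$root/wp-content/debug.log" ] ||
    echo "FAIL: wp-content/debug.log exists under the web root"

  # 9. No reachable PHP file may call phpinfo().
  for f in $(grep -rl --include='*.php' 'phpinfo(' "$root" || true); do
    echo "FAIL: ${f#$root/} calls phpinfo()"
  done
  return 0
}

weak=$(make_weak_site)
hard=$(make_hardened_site)
echo "== weak site";     audit_wp_site "$weak"
echo "== hardened site"; audit_wp_site "$hard"
rm -rf "$weak" "$hard"
```

Run against a real site, audit_wp_site takes the web root path (for example, /var/www/html). The six findings on the constructed weak site correspond to the five list items the script covers, with the file permission and salt checks both belonging to item 15; the hardened site produces none.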