Simple steps to keep your WordPress secure

How to Audit and Secure your WordPress Site?

WordPress is an open-source platform with a long history of being hacked. It is also the most widely used content management system, which makes it a more attractive target for attackers. To keep your website safe and secure and avoid running into problems, you need to perform a website audit from time to time. 

Read this article to learn more about how to perform a WordPress security audit without any downtime. 

What is Site Security Audit?

A WordPress site audit means identifying vulnerabilities that might be harming your website. By performing a site audit, you can spot malicious content on your website. This can also take the form of comments that slow down your website or even freeze it. 

There are two ways to run a security audit of a WordPress website: a manual audit or an automated audit. For the best results, it is recommended to combine both tactics when auditing your site.

An audit tool automatically performs some checks for you so that you can take preventive measures. You can also find online security services that audit your site and help you reach the root cause of a problem. 

You can then fix the issues found during the site audit and keep your site free of hacks.

When Should You Go For A Security Audit?

Even if your site seems to be running smoothly, you should perform a WordPress security audit once a quarter, because there may be loopholes that cause problems in the future. 

So it is always the better approach to eliminate those security issues before they cause trouble. 

  • If at any time you find your site running slow or down, you should immediately perform a security audit. 
  • If you see too many failed login attempts, forgotten-password requests, or a drop in traffic, these are signs of vulnerabilities. In such cases, you should go for a site audit without thinking twice.
  • If your website redirects to unrecognized websites, a virus or malware is residing on your server.
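
The failed-login sign mentioned above can be checked directly in the web server's access log. The script below is an added example and is not part of the original article; it assumes a log in the Apache/nginx "combined" format and uses constructed sample lines. It counts POST requests to wp-login.php that received HTTP 200 (WordPress re-renders the login form on a failed attempt and redirects with 302 on success) plus POSTs to xmlrpc.php, which also accepts credentials, and flags any client IP that exceeds a threshold within a sliding time window.

```python
"""Flag client IPs with bursts of failed WordPress logins in an access log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:14:03:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:14:03:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:14:04:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
"""

# client ip, identd, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_failed_login(rec):
    """True for a POST that looks like an unsuccessful credential submission."""
    if rec["method"] != "POST":
        return False
    path = rec["path"].split("?", 1)[0]
    if path.endswith("/wp-login.php"):
        # Failed login: form re-rendered with 200. Successful login: 302 to wp-admin.
        return rec["status"] == 200
    # xmlrpc.php also accepts username/password, so count POSTs to it as attempts.
    return path.endswith("/xmlrpc.php")


def flag_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_attempts} for IPs with >= threshold failed attempts inside any window."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        # Sliding window: advance `start` until the span [start, end] fits in `window`.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in flag_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed login attempts within 5 minutes")
```

In practice you would feed the script your real access log (for example `flag_bruteforce(open("/var/log/apache2/access.log"))`) and tune `threshold` and `window` to your site's normal login volume; a single IP with dozens of 200-status POSTs to wp-login.php in a few minutes is the pattern the article's "too many failed login attempts" warning refers to.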

Once you know when to perform a security audit, it is time to get started and run your first one.

I have divided the steps into parts. The first part covers basic manual steps and the second part covers automated steps to perform a site audit. 

Part 1: Basic Steps

Core Updates:

Keeping your WordPress site up to date is the first and foremost step to securing it. As long as your WordPress site is updated, it stays stable and secure. Updating the core WordPress files also brings in new features released by WordPress.

You should update all the themes and plugins along with WordPress core updates.

To update WordPress, you can navigate to your WordPress dashboard.

On the left-hand side, you will see Updates below the Home tab. 

Click Updates, and the system will show you the latest version of WordPress available for update. If you are already up to date, it will tell you that the latest version is installed and offer to re-install it.

The system will also list all the plugins and themes that need updating to their latest versions. You can update them one by one.

User Accounts:

If you see unwanted user accounts, this is a sign of suspicious activity. To check user accounts, open the Users tab on the left side of the dashboard. 

Click All Users, and a list of all the users on your website will appear.

The list will display username, name, email, and the role assigned to the account. 

If you run an eCommerce store, or offer online courses or subscription packages, you will see customer accounts. You can usually tell genuine customers from fake ones.

But if you only have a business or blog website, you should see only the accounts that you created manually. Any account that you did not create is suspicious and should be deleted right away.

Delete such accounts, as otherwise your site may get hacked, resulting in complete data loss.

You can also change who is allowed to create an account. To disable the registration feature on your WordPress site, go to Settings > General > Membership.

To strengthen the WordPress login, you can enable two-factor authentication. 

Anyone trying to log in from an unrecognized device will then be asked to complete the second factor.
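
The user-account review described in this section can also be scripted so that it runs the same way every quarter. The script below is an added example, not code from the article or from WordPress itself; it assumes you export the account list with `wp user list --format=json` and read the registration setting with `wp option get users_can_register` (both are standard WP-CLI commands), while the `EXPECTED_ACCOUNTS` mapping, the sample records and the sample timestamp are constructed for illustration. It flags accounts you did not create (highest severity when they hold the administrator role), accounts you did create whose role no longer matches what you gave them, and open registration.

```python
"""Audit WordPress accounts exported with WP-CLI against the accounts you expect."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `wp user list --format=json` output (not a real site).
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "display_name": "Site Owner",
     "user_email": "owner@example.com", "user_registered": "2021-05-02 10:15:00",
     "roles": "administrator"},
    {"ID": 7, "user_login": "editor_jane", "display_name": "Jane",
     "user_email": "jane@example.com", "user_registered": "2022-01-14 09:00:00",
     "roles": "administrator"},  # was created as an editor; role has been changed
    {"ID": 42, "user_login": "wp_support_admin", "display_name": "WP Support",
     "user_email": "support@mail.example", "user_registered": "2024-03-09 03:12:44",
     "roles": "administrator"},
    {"ID": 43, "user_login": "guest1234", "display_name": "guest1234",
     "user_email": "guest@mail.example", "user_registered": "2024-03-09 18:40:00",
     "roles": "subscriber"},
])

# Constructed "clean" export: only the owner account, for comparison.
CLEAN_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "display_name": "Site Owner",
     "user_email": "owner@example.com", "user_registered": "2021-05-02 10:15:00",
     "roles": "administrator"},
])

# Constructed: the accounts you created yourself, with the role each should have.
EXPECTED_ACCOUNTS = {"siteowner": "administrator", "editor_jane": "editor"}

# Constructed reference time so the sample gives stable results.
SAMPLE_NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)

SEVERITY_ORDER = {"high": 0, "medium": 1}


def audit_users(users_json, expected_accounts, users_can_register, now=None, recent_days=30):
    """Return findings as dicts (severity, user, reason), highest severity first."""
    now = now or datetime.now(timezone.utc)
    findings = []

    # `wp option get users_can_register` prints 0 when Settings > General > Membership is off.
    if str(users_can_register).strip() != "0":
        findings.append({"severity": "medium", "user": "(site)",
                         "reason": "open registration is enabled (Settings > General > Membership)"})

    for u in json.loads(users_json):
        login = u["user_login"]
        # WP-CLI prints roles as a comma-separated string; accept a list too.
        raw = u["roles"] if isinstance(u["roles"], list) else u["roles"].split(",")
        roles = sorted(r.strip() for r in raw if r.strip())

        if login in expected_accounts:
            # An account you created, but holding a role you did not give it.
            if roles != [expected_accounts[login]]:
                findings.append({"severity": "high", "user": login,
                                 "reason": f"role changed: expected {expected_accounts[login]}, "
                                           f"found {','.join(roles)}"})
            continue

        # user_registered is stored in GMT by WordPress.
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        age = now - registered.replace(tzinfo=timezone.utc)
        reason = f"account not created by you; roles={','.join(roles)}"
        if age <= timedelta(days=recent_days):
            reason += f"; registered {age.days} day(s) ago"
        findings.append({"severity": "high" if "administrator" in roles else "medium",
                         "user": login, "reason": reason})

    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])  # stable: keeps export order within a level
    return findings


def run_sample():
    """Audit the constructed sample export with registration switched on."""
    return audit_users(SAMPLE_USERS_JSON, EXPECTED_ACCOUNTS, users_can_register="1", now=SAMPLE_NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['user']}: {f['reason']}")
```

On a live site you would replace the constants with the real exports, e.g. `audit_users(open("users.json").read(), EXPECTED_ACCOUNTS, open("users_can_register.txt").read())` after running `wp user list --format=json > users.json` and `wp option get users_can_register > users_can_register.txt`. Every "high" finding is an account to remove or demote; the "(site)" finding points at the registration switch the section describes.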

Scan Your Site:

If you want to test your WordPress site for vulnerabilities, you can use free online tools or WordPress plugins.

These free tools help you scan the website for vulnerabilities and malware. 

The IsItWP security scanner is one of the best website security scanner tools available to check your complete website for security issues.

Free tools of this kind do not scan all the pages; they show results only for public-facing pages.

You can use any of the tools suggested below to scan your website completely for malware.

  1. Wordfence Security
  2. BitNinja Server Security Suite
  3. Astra Security Suite

Analyze Your Website:

If you have already added your website to Google Search Console, you will get a prompt in the “Security & Manual Activities” tab. 

This quickly tells you which URL is infected with malware. You can then diagnose and scan accordingly using a plugin or a third-party service.

Backup Your Site:

What if you suddenly lose all your data due to a malware attack?

It is unlikely that a hacker leaves your website's data intact. It is always a smart move to keep a backup of your website for such uncertainties. 

For a complete site backup, you can install a backup plugin in WordPress and create scheduled backups. Beyond backups, you can ask your hosting provider to enable snapshots for you. 

You can use any of the plugins below and create automated backups. 

  1. Updraft Plus
  2. Malcare
  3. BackupBuddy
  4. BlogVault
  5. Jetpack Backups

You can set up automatic backups daily, weekly or as you would like. This way, you don’t have to worry about backing up your site manually. 

Most free plugins let you download the backup files to your local computer. You can then upload them to a safe location such as Google Drive, Dropbox or your favorite cloud storage. 

But the best method of keeping backups of a WordPress site is off-site incremental backups, such as those that come with Jetpack Backup plans.

The steps and tools mentioned above are easy to use to run a detailed security audit. If you use any WordPress plugin for site security, feel free to share it with us on Twitter.

About the author: Vashishtha Kapoor is a web hosting expert with over 5 years of experience in SEO, PPC, website management and WordPress development. Vashishtha writes about WordPress customizations, web design, server administration and ad-tech topics.
