With so many threats to your website, it’s important to make your WordPress site as secure as possible. Running a WordPress security audit of your website helps you prepare for and prevent successful attacks on your site. You can’t protect your site from every possible issue, but you can make sure you’re prepared for the most common threats by running a WordPress security audit.
How to Audit Your WordPress Security
Here are some questions to ask while running your WordPress security audit:
1. Do you have an “admin” user on your site?
Are you or another admin user on your site using admin as the account username? If so, be sure to remove that user. Someone trying to access your site through a brute force attack, for instance, will try a well-known username such as admin first.
To do this, first create a new administrator account for that person. Then delete the admin user, assigning all of its content to the new user you created.
2. Are you requiring strong passwords?
The more difficult the password, the harder it is to guess. At the very least, you want to require that all the admins on your website use strong passwords.
When thinking about strong passwords, you might also consider using WordPress two-factor authentication. Two-factor authentication requires users to not only enter a password but also to enter a code sent to their phone or their email to log in. This means that someone trying to fraudulently log into an account won’t be successful even if they guess the password. They would also need access to the account holder’s phone and/or email.
3. Have you changed your WordPress salts & keys?
WordPress uses information stored in your browser, known as cookies, to verify logged-in users and commenters on your site. The WordPress salts and keys were added to WordPress to better encrypt and protect the users’ information held in those cookies.
When going through your WordPress security audit, check your wp-config.php file to make sure you’ve changed these. You might even set yourself a reminder to change your salts and keys occasionally.
You can read about the more technical details of WordPress salts & keys in the WordPress Codex. They even have a salts & keys auto-generator you can use.
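As an added example (not code from this post or from iThemes), the Python script below reads a wp-config.php and flags each of the eight salt and key constants that is missing, still the placeholder text from wp-config-sample.php, shorter than an assumed 32-character minimum, or reused for more than one constant; the sample config it carries is constructed for the demonstration.

```python
import re
import sys

# The eight authentication constants WordPress looks for in wp-config.php.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
DEFAULT_PHRASE = "put your unique phrase here"  # placeholder shipped in wp-config-sample.php
MIN_LENGTH = 32  # assumption: the WordPress.org generator emits 64-char values; shorter is suspect
# Matches define('NAME', 'value') in either quote style; the closing quote must match the opening one.
DEFINE_RE = re.compile(r"""define\(\s*(['"])([A-Z_]+)\1\s*,\s*(['"])(.*?)\3\s*\)""")

def parse_defines(config_text):  # -> {constant: value} for every define('X', '...') in the file
    return {m.group(2): m.group(4) for m in DEFINE_RE.finditer(config_text)}

def audit_salts(config_text):  # -> [(constant, problem)]; empty list means all eight look healthy
    defines = parse_defines(config_text)
    findings = []
    for key in SALT_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append((key, "missing"))
        elif value.strip().lower() == DEFAULT_PHRASE:
            findings.append((key, "default placeholder"))
        elif len(value) < MIN_LENGTH:
            findings.append((key, f"only {len(value)} chars"))
    seen = {}  # value -> first constant using it; every constant should carry a distinct value
    for key in SALT_KEYS:
        value = defines.get(key)
        if value in seen:
            findings.append((key, f"same value as {seen[value]}"))
        elif value is not None:
            seen[value] = key
    return findings

# Constructed wp-config.php fragment (not from any real site) that trips each check once.
_OK = "x" * MIN_LENGTH
SAMPLE_CONFIG = f"""<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'tooshort');
define('LOGGED_IN_KEY',    '{_OK}');
define('NONCE_KEY',        '{_OK}');
define("SECURE_AUTH_SALT", "{'y' * MIN_LENGTH}");
define('LOGGED_IN_SALT',   '{'z' * MIN_LENGTH}');
define('NONCE_SALT',       '{'w' * MIN_LENGTH}');
"""

if __name__ == "__main__":  # pass a path to audit a real wp-config.php, otherwise audit the sample
    print(audit_salts(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG))
```

Run it against the sample and it reports the placeholder AUTH_KEY, the short SECURE_AUTH_KEY, the missing AUTH_SALT and the NONCE_KEY that repeats LOGGED_IN_KEY; a clean file produces an empty list.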
4. Is all software on your website up to date?
When going through your WordPress security audit, one easy but very important thing to check is whether or not everything is up to date on your website. This includes all plugins, themes and WordPress itself.
With WordPress especially, version updates often include security fixes and improvements. If you’re running older versions, any security issues are typically known and can be exploited.
Tip: Use a service like iThemes Sync to quickly run updates if you manage multiple WordPress websites.
5. Do you have any inactive users on your site?
Much like outdated plugins and themes on your site, inactive users can be exploited to attack your site.
Did you have a support person working on your site who you created a user for? Go ahead and delete that user. If they’re not active on your site, they don’t need a user account.
6. Do you have a WordPress backup solution in place?
Hackers are constantly coming up with new ways to access your site. No matter how secure your site may be, it’s still possible something can happen.
For this reason, when you are going through your WordPress security audit, it is very important that you have a WordPress backup solution as part of the security plan for your site. Using a WordPress backup plugin such as BackupBuddy is a good way to quickly get a solid WordPress backup solution up and running.
WordPress Security Audit Checklist
- Remove/change the “admin” user.
- Require strong passwords for admin users.
- Enable WordPress two-factor authentication for logins.
- Change your WordPress salts and keys.
- Update WordPress core, plugins and themes to the latest version.
- Remove inactive users.
- Make sure you have a solid WordPress backup strategy in place.
Using a WordPress Security Plugin
This list should be a good start for you as you walk through your WordPress security audit. However, there are even more things you can do to secure your site; many of these things would require a plugin to accomplish.
Installing a WordPress security plugin such as iThemes Security is a great way to strengthen your WordPress security efforts. iThemes Security has a feature that will run a WordPress security check of your site for you.
There are a number of features and settings within iThemes Security which we recommend running on every site to help keep things secure.
These features and settings include:
- Banned Users – This feature blocks specific IP addresses and user agents from accessing your site. For instance, as a starting point, you can include the excellent blacklist developed by Jim Walker of HackRepair.com.
- Database Backups – With this option enabled, iThemes Security creates database backups manually or on a schedule you create. Having a backup solution is an integral part of your WordPress security audit so that you can easily recover your site in the case of a successful attack.
- Local Brute Force Protection – This protects your site against attackers who try to randomly guess login details for your site. For example, if an attacker determines that your username is admin, they will bombard your site with login attempts for that particular user.
- Malware Scan Scheduling (Pro) – This option protects your site with automated malware scans. When this feature is enabled, your site will be automatically scanned each day. While you’re doing your best to keep the worst from happening, sometimes it still does. With this feature enabled, you will be made aware of the problem as soon as possible.
- Network Brute Force Protection – Protects your site against known attackers before they reach your site.
- Strong Passwords (Pro) – Helps enforce that powerful (admin) accounts choose strong passwords for their logins. You can select the minimal role you want to require strong passwords for.
Warning: If your site invites public registrations, setting the role too low may annoy your members.
- Two-Factor Authentication (Pro) – Greatly increases the security of your WordPress user account by requiring additional information beyond the username and password to log in to the site. iThemes Security supports two-factor authentication apps such as Google Authenticator, Authy, Toopher and FreeOTP. These mobile apps are installed on a smartphone or tablet and generate a time-sensitive code that must be supplied when logging in. Or you can have the code sent to your email instead. Two-Factor Authentication is a great way to secure your site and is highly recommended.
- User Logging (Pro) – Logs user actions such as login, editing or saving content and other actions into a viewable list.
- WordPress Tweaks – This feature has a variety of settings that change the behavior of WordPress. For example, there is a Comment Spam option within the WordPress Tweaks which will cut down on comment spam by denying comments from bots that send no referrer or no user-agent header.
Running a WordPress security audit doesn’t need to be too difficult or time-consuming but can save you hours of time and heartache should anything happen to your site.