How to Run a WordPress Security Audit (Step-by-Step)
Step-by-step guide to running a complete WordPress security audit. Covers file scanning, user review, plugin checks, firewall, and activity logging.
A WordPress security audit is a systematic review of your site's security posture — examining everything from user accounts and file integrity to plugin vulnerabilities and server configuration. Regular audits catch problems before attackers exploit them, identify configuration drift, and verify that your protective measures are working correctly. Whether you manage a personal blog, a business site, or a hosting server with dozens of WordPress installations, a structured audit process is essential.
This guide walks you through a comprehensive WordPress security audit using the VistoShield WordPress Edition tools along with manual checks that every administrator should perform. The process is organized into phases, each covering a specific security domain.
When to Run a Security Audit
At minimum, run a full security audit monthly. Additionally, audit after any of these events:
- A WordPress core, plugin, or theme update (especially major version changes)
- Adding a new plugin or theme to the site
- Granting access to a new user or developer
- After discovering a security incident on any site in your infrastructure
- Before and after a site migration or hosting change
- After a prolonged period without active maintenance
- When taking over management of an existing site
Phase 1: WordPress Core, Plugin, and Theme Updates
Check WordPress Core Version
Verify that WordPress core is running the latest stable version. Outdated WordPress versions are the most commonly exploited vulnerability because attack tools target known flaws in specific versions.
In the WordPress dashboard, navigate to Dashboard > Updates and verify the core version. The VistoShield Security Scanner also reports the core version and flags it if it is outdated.
Audit All Plugins
Plugins are the largest attack surface in a WordPress installation. Each plugin adds code that runs with full WordPress privileges, and vulnerabilities in plugins are discovered regularly.
For each installed plugin, check the following:
| Check | What to Look For | Action |
|---|---|---|
| Version | Is it the latest version? | Update immediately if outdated |
| Last updated | Updated within the last 12 months? | Consider replacing abandoned plugins |
| Compatibility | Tested with your WP version? | Test on staging before updating core |
| Active installs | Widely used (1,000+ installs)? | Low-usage plugins have less scrutiny |
| Known vulnerabilities | Any reported CVEs? | Update or remove if unpatched |
| Necessity | Is this plugin still needed? | Remove unused plugins entirely |
| Source | Installed from WordPress.org? | Verify third-party plugin legitimacy |
Critical: Deactivated plugins are still a security risk. Their PHP files are accessible on the server and can be exploited even when inactive. If you are not using a plugin, delete it entirely — do not just deactivate it.
Audit All Themes
Apply the same checks to themes. Keep only the active theme and the latest default WordPress theme (as a fallback). Delete all other themes. Like plugins, inactive themes can contain exploitable vulnerabilities.
Automated Scanning
The VistoShield Security Scanner automates version checking and vulnerability matching for WordPress core, all installed plugins, and all installed themes. It cross-references installed versions against known vulnerability databases and generates a prioritized report of issues requiring attention.
Phase 2: User Account Audit
Review All User Accounts
Navigate to Users > All Users and review every account. For each user, verify:
- Is this account still needed? Former employees, past contractors, and test accounts should be removed.
- Is the role appropriate? Follow the principle of least privilege — editors should not be administrators, subscribers should not be authors.
- Is the email address valid and current? Accounts with outdated email addresses cannot receive password resets or security notifications.
- Has this account been active recently? Dormant accounts with administrator privileges are a significant risk.
Administrator Account Review
Administrator accounts require special attention. For every administrator-level account, confirm:
- The person is a current, authorized administrator
- Two-factor authentication is enabled (see Login Guard)
- The account does not use a weak or commonly breached password
- The username is not "admin" (the first target for brute force attacks)
The VistoShield Activity Log shows login history for each user, making it easy to identify dormant accounts and unusual login patterns.
Check for Unauthorized Accounts
A common post-compromise action is creating a new administrator account as a backdoor. Look for:
- Administrator accounts you do not recognize
- Accounts created recently that were not authorized
- Accounts with generic names like "admin2", "support", or "test"
- Accounts with email addresses from free email providers when your organization uses a company domain
You can also check the database directly for unauthorized administrator accounts:
```sql
-- Find all administrator user IDs
-- (both the table names and the wp_capabilities meta_key carry the table prefix;
--  substitute your own prefix if it is not the default wp_)
SELECT user_id FROM wp_usermeta WHERE meta_key = 'wp_capabilities' AND meta_value LIKE '%administrator%';
-- Cross-reference with user table
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;
```
Phase 3: File Integrity Scan
WordPress Core Files
WordPress core files should never be modified. Any modification to a core file is either a customization that should have been done through hooks/filters, or evidence of compromise. The VistoShield Security Scanner compares every core file against the official checksums from WordPress.org and flags any differences.
You can also verify core file integrity manually using WP-CLI:
```bash
# Check core file integrity
wp core verify-checksums
# Expected output for a clean installation:
# Success: WordPress installation verifies against checksums.
```
Plugin and Theme Files
For plugins and themes installed from WordPress.org, file integrity can be verified against repository versions. The Security Scanner handles this automatically. For premium plugins and themes from third-party sources, baseline checksums should be recorded during installation so future scans can detect modifications.
Scan for Malware Signatures
Beyond file integrity checks, scan for known malware patterns. Common indicators include:
- PHP files with heavily obfuscated code (base64-encoded strings, eval statements, character-code-to-string conversions)
- Files with names designed to blend in (e.g., `wp-config-backup.php`, `class-wp-cache.php`)
- PHP files in the `wp-content/uploads/` directory (PHP execution should be blocked here)
- Recently modified core files
- Files with unusual permissions (world-writable, executable)
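A script that checks a site tree for the indicators in this list, added here as an example and not part of VistoShield; it assumes a Linux host with GNU find and grep, and the site root path in the usage line is a placeholder:

```shell
# Added example, not VistoShield's own code: walks a WordPress site root and
# lists the file-level indicators described above. Assumes GNU find/grep.

# PHP files under wp-content/uploads: suspicious whatever they contain, since
# PHP execution should be blocked there.
uploads_php() {  # site_root
    find "${1%/}/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

# PHP files with the obfuscation patterns named above: eval(...),
# base64_decode(...), or chains of chr(N) concatenations. Core and some plugins
# use these legitimately, so treat the output as a triage list, not a verdict.
obfuscated_php() {  # site_root
    grep -rlE 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|(chr\([0-9]+\)[[:space:]]*\.[[:space:]]*){3,}' \
        --include='*.php' "$1" 2>/dev/null
}

# World-writable files anywhere under the site (-perm -002 is POSIX).
world_writable() {  # site_root
    find "$1" -type f -perm -002
}

# Core files (everything outside wp-content) modified within the last N days.
recent_core() {  # site_root days
    root="${1%/}"
    find "$root" -path "$root/wp-content" -prune -o -type f -mtime -"$2" -print
}

# Count lines, trimming the padding some wc builds emit.
count() { wc -l | tr -d ' '; }

# One summary line per indicator; the return value is the number of indicator
# classes that fired, so a cron wrapper can alert on non-zero.
scan_wp_indicators() {  # site_root [days]
    root="$1"; days="${2:-7}"; hits=0
    for check in uploads_php obfuscated_php world_writable; do
        n=$("$check" "$root" | count)
        echo "$check: $n"
        if [ "$n" -gt 0 ]; then hits=$((hits + 1)); fi
    done
    n=$(recent_core "$root" "$days" | count)
    echo "recent_core(${days}d): $n"
    if [ "$n" -gt 0 ]; then hits=$((hits + 1)); fi
    return "$hits"
}

# Usage: sh scan.sh /var/www/example   (path is a placeholder)
if [ -n "${1:-}" ]; then scan_wp_indicators "$1"; fi
```

Right after a legitimate core update every core file is "recently modified", so run the recent-core check against the date of the last update you performed rather than a fixed window.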
Check .htaccess and Nginx Configuration
Server configuration files are a common target for malicious redirects and SEO spam injections. Review your .htaccess file (Apache) or Nginx server block configuration for:
- Redirect rules you did not add (especially conditional redirects based on User-Agent or Referer that target search engine traffic)
- Rewrite rules pointing to external sites
- PHP execution directives in upload or cache directories
Phase 4: Security Configuration Review
wp-config.php Audit
The WordPress configuration file contains critical security settings. Verify:
- File permissions: Should be 400 or 440 (readable only by the web server user).
- Authentication keys and salts: Should be set to unique, random values. If your site has been compromised, regenerate these to invalidate all active sessions.
- Database table prefix: Should not be the default `wp_` (though this is low-impact security through obscurity).
- Debug mode: `WP_DEBUG` should be `false` on production sites. Debug output can reveal sensitive path and configuration information.
- File editing: `DISALLOW_FILE_EDIT` should be `true` to prevent the theme and plugin editors from being used (a common post-compromise tool).
```php
// Recommended wp-config.php security settings:
define('WP_DEBUG', false);
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', false); // Set true to prevent updates via dashboard
define('FORCE_SSL_ADMIN', true);
```
Database Security Check
Review the database for injected content. Common database-level compromises include:
- JavaScript injections in post content or widget text
- Spam links hidden in post metadata
- Unauthorized administrator accounts (covered in Phase 2)
- Modified site URL or home URL settings (pointing to a phishing or spam site)
- Injected cron events that execute malicious code
```sql
-- Check site URL settings
SELECT option_name, option_value FROM wp_options WHERE option_name IN ('siteurl', 'home');
-- Check for suspicious scheduled events
SELECT option_value FROM wp_options WHERE option_name = 'cron';
-- Search for common malware patterns in posts
SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%eval(%' OR post_content LIKE '%base64_decode(%';
```
SSL/TLS Configuration
Verify that your SSL certificate is valid, not expiring soon, and that HTTPS is enforced site-wide:
- Certificate not expired or expiring within 30 days
- All site URLs use HTTPS (no mixed content)
- HTTP requests redirect to HTTPS
- HSTS header is set to enforce HTTPS in browsers
Phase 5: Firewall and Protection Review
VistoShield Firewall Status
Verify that the VistoShield Firewall is active and properly configured. Check:
- Firewall module is enabled and running
- WAF rules are up to date (last update timestamp)
- No legitimate services are being blocked (review recent block log)
- Custom rules are still relevant and not overly permissive
Login Protection Status
Verify that Login Guard is active with appropriate settings:
- Progressive lockouts are enabled with escalating durations
- Honeypot fields are active
- Two-factor authentication is enabled for all administrator accounts
- XML-RPC is blocked or restricted (see brute force protection guide)
- Login attempt logs show the system is actively blocking attacks
Bot Detection Status
Review the Bot Detector configuration and activity:
- Signature database is up to date
- Verified bot policy is correctly allowing search engines
- Review recent bot detections for false positives
- Check bot traffic volume trends for anomalies
See our bot detection guide for detailed configuration recommendations.
Server-Level Firewall (if applicable)
If the VistoShield Server Edition is installed, verify server-level protection:
- Firewall is active with correct port policy
- Blocklist feeds are refreshing on schedule
- Brute force detection is active for all services (SSH, FTP, mail, DirectAdmin)
- GeoIP policies are appropriate (if configured)
Phase 6: Activity Log Review
The VistoShield Activity Log provides a comprehensive audit trail of all WordPress activity. During the security audit, review the log for:
Suspicious Login Activity
- Successful logins from unexpected IP addresses or countries
- Logins outside normal business hours
- Multiple failed login attempts followed by a success (possible credential compromise)
- Simultaneous sessions for the same account from different locations
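Two of the patterns above as detection logic over a log file, added here as an example rather than taken from VistoShield. The page does not document the Activity Log export format, so the CSV layout (epoch seconds, user, IP, result) is an assumption and the sample lines in the test are constructed:

```shell
# Added example, not VistoShield's own code. Assumes a constructed CSV export
# with one login event per line:  epoch_seconds,user,ip,result
# where result is "success" or "fail". Two detections from the list above.

# Accounts where at least min failures from one IP precede a success from that
# same IP within win seconds (the "possible credential compromise" pattern).
failed_then_success() {  # logfile min_failures window_seconds
    awk -F, -v min="$2" -v win="$3" '
        $4 == "fail"    { k = $2 SUBSEP $3; fails[k]++; last[k] = $1; next }
        $4 == "success" {
            k = $2 SUBSEP $3
            if ((k in fails) && fails[k] >= min && $1 - last[k] <= win)
                printf "%s from %s: %d failures then success at %s\n", $2, $3, fails[k], $1
            delete fails[k]; delete last[k]
        }' "$1"
}

# Accounts with successful logins from two different IPs within win seconds
# (near-simultaneous sessions from different locations).
concurrent_sessions() {  # logfile window_seconds
    awk -F, -v win="$2" '
        $4 == "success" {
            if (($2 in ip) && ip[$2] != $3 && $1 - t[$2] <= win)
                printf "%s: sessions from %s and %s within %d s\n", $2, ip[$2], $3, $1 - t[$2]
            ip[$2] = $3; t[$2] = $1
        }' "$1"
}

# Run both detections with the thresholds used here (5 failures in 10 minutes,
# sessions within 5 minutes) and print the number of findings.
count_findings() {  # logfile
    { failed_then_success "$1" 5 600; concurrent_sessions "$1" 300; } | wc -l | tr -d ' '
}

# Usage: sh login-review.sh activity-export.csv   (filename is a placeholder)
if [ -n "${1:-}" ]; then failed_then_success "$1" 5 600; concurrent_sessions "$1" 300; fi
```

The thresholds are starting points; a site behind a corporate NAT will legitimately show one account from one IP, while travelling staff will trip the session check, so tune both against a week of normal traffic before alerting on them.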
Unauthorized Changes
- Plugin or theme installations you did not authorize
- Settings changes made by unexpected users
- User role modifications (especially escalations to administrator)
- New user account creations
- Core, plugin, or theme file modifications through the WordPress editor
Content Modifications
- Posts or pages modified by users who should not have edit access
- New posts with suspicious content (spam, phishing links)
- Widget or menu changes that add external links
- Theme customizer changes that inject code
Phase 7: Backup Verification
Backups are your recovery mechanism. Verify:
- Backups are running: Check that your backup solution completed its last scheduled run successfully.
- Backups are complete: Verify that both files and database are included.
- Backups are stored off-site: Backups on the same server as the site are destroyed if the server is compromised.
- Backups are restorable: Periodically test restoration on a staging environment.
- Retention is adequate: At least 30 days of daily backups. A compromise discovered after a week requires restoring from before the compromise.
Phase 8: External Verification
Check Blacklist Status
Verify that your site and server IP are not on any security blacklists:
- Google Safe Browsing (search `site:yourdomain.com` in Google and look for warnings)
- Spam blocklists (check your server IP against Spamhaus, SORBS, Barracuda)
- Malware databases (Sucuri SiteCheck, VirusTotal)
SSL Certificate Verification
Use external tools to verify your SSL configuration from the outside:
```bash
# Check SSL certificate expiration and configuration
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com < /dev/null 2>/dev/null | openssl x509 -noout -dates
```
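The command above prints the dates but leaves the comparison to the reader; this script, added here as an example and not part of VistoShield, turns it into a check against the 30-day expiry threshold from the SSL/TLS item in Phase 4. It assumes OpenSSL and GNU date on a Linux host, and the hostname in the usage line is a placeholder:

```shell
# Added example, not VistoShield's own code: days-to-expiry check built on the
# openssl one-liner above. Assumes OpenSSL and GNU date (Linux).

# Days until the notAfter date of the PEM certificate read on stdin
# (negative once expired). Fails if no certificate is present.
cert_days_left() {
    end=$(openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
    [ -n "$end" ] || { echo "no certificate on stdin" >&2; return 1; }
    end_s=$(date -u -d "$end" +%s)
    echo $(( (end_s - $(date -u +%s)) / 86400 ))
}

# Classify a day count: returns 0 ok, 1 expiring within threshold, 2 expired.
check_days() {  # days threshold label
    if [ "$1" -lt 0 ]; then echo "FAIL $3: certificate expired $(( 0 - $1 )) day(s) ago"; return 2; fi
    if [ "$1" -lt "$2" ]; then echo "WARN $3: certificate expires in $1 day(s)"; return 1; fi
    echo "ok   $3: certificate expires in $1 day(s)"
}

# Fetch the live certificate for a host the same way the command above does
# and check it against the threshold (default 30 days, as in Phase 4).
check_host_cert() {  # host [threshold_days]
    days=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | cert_days_left) || return 2
    check_days "$days" "${2:-30}" "$1"
}

# Usage: sh certcheck.sh yourdomain.com   (hostname is a placeholder)
if [ -n "${1:-}" ]; then check_host_cert "$1"; fi
```

Because check_host_cert reads the leaf certificate only, an intermediate that expires sooner than the leaf is not caught; the full-chain output of the s_client command above is still worth a look.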
Test Login Page Security
From a non-whitelisted IP, verify that your login protection is working:
- Try accessing `wp-login.php` — does it load or is it protected?
- Submit several incorrect login attempts — do lockouts activate?
- Try accessing `xmlrpc.php` — is it blocked?
- Try accessing `/?author=1` — does it reveal the username?
Security Audit Checklist Summary
| Phase | Items | VistoShield Tool |
|---|---|---|
| 1. Updates | Core, plugins, themes up to date; unused items removed | Security Scanner |
| 2. Users | All accounts reviewed; 2FA enforced for admins | Login Guard |
| 3. Files | Core integrity verified; malware scan clean | Security Scanner |
| 4. Configuration | wp-config secured; debug off; SSL valid | Security Scanner |
| 5. Protection | Firewall active; login protection on; bot detection running | Firewall, Bot Detector |
| 6. Activity | No suspicious logins; no unauthorized changes | Activity Log |
| 7. Backups | Running; complete; off-site; tested | Manual verification |
| 8. External | Not blacklisted; SSL verified; login protection tested | Manual verification |
Automating Your Audit Process
While a manual audit is thorough, automating the repeatable checks saves time and ensures consistency. The VistoShield Security Scanner can be configured to run on a schedule and report findings to the site administrator. Configure scheduled scans to run weekly at minimum, with email notifications for critical findings.
For hosting environments managing multiple WordPress sites, the VistoShield Server Edition provides a centralized view of security status across all sites on the server. This is far more efficient than auditing each site individually through its WordPress dashboard.
What to Do When You Find Problems
Outdated Software
Update immediately. Test on a staging environment first if the update is a major version change. If a plugin has been abandoned (no updates for over a year), find a replacement.
Unauthorized User Accounts
Delete the account immediately. Check the Activity Log for what actions the account performed. If the account made changes, those changes need to be reviewed and potentially reversed.
Modified Core Files
Restore from the official WordPress release. Do not attempt to manually clean modified core files — replace them entirely. Use `wp core download --force` to overwrite core files with clean copies.
Malware Detected
If the Security Scanner detects malware, the response depends on the scope of the infection. For isolated infections (a single malicious file), remove the file and investigate how it was placed. For widespread infections (multiple files, database injections), consider restoring from a clean backup taken before the compromise date and then applying all available updates before reconnecting to the internet.
Suspicious Login Activity
If you see successful logins from unexpected locations, immediately change the affected user's password, revoke all active sessions (WordPress Dashboard > Users > Edit User > Log Out Everywhere Else), enable 2FA if not already active, and review any actions taken by the compromised account in the Activity Log.
Key Takeaways
A WordPress security audit is a systematic, repeatable process that catches vulnerabilities and compromises before they cause damage. The VistoShield plugin suite automates the most time-consuming checks while providing the data you need for manual review.
- Audit monthly at minimum, and after any significant change to your site.
- Update everything: Outdated software is the most common attack vector. Remove plugins and themes you do not use.
- Review all users: Unauthorized or dormant accounts are a persistent backdoor risk. Enforce 2FA for all administrators.
- Verify file integrity: The VistoShield Security Scanner automates core, plugin, and theme file verification.
- Check your protections: Verify that your Firewall, Login Guard, and Bot Detector are active and configured correctly.
- Review the Activity Log: The Activity Log reveals suspicious activity that other checks miss.
- Test your backups: A backup you cannot restore is not a backup.
- Respond quickly: When you find a problem, act immediately. Delayed response allows attackers to establish persistence.
For server-level hardening that complements your WordPress audit, see our Linux server security hardening checklist. For complete deployment instructions, visit the VistoShield documentation.