With so many threats to your website, it’s important to make your WordPress site as secure as possible. Running a WordPress security audit of your website helps you prepare for and prevent successful attacks on your site. You can’t protect your site from every possible issue, but you can make sure you’re prepared for the most common threats by running a WordPress security audit.

How to Audit Your WordPress Security

Here are some questions to ask while running your WordPress security audit:

1. Do you have an “admin” user on your site?

Are you or another admin user on your site using admin as the account username? If so, you want to be sure to remove that user. Someone trying to access your site through a brute-force attack, for instance, will try a known username such as admin. To do this, first create a new user to replace that admin user. You can then delete the admin user, assigning all of its content to the new user you created.

2. Are you requiring strong passwords?

The more difficult the password, the harder it is to guess. At the very least, you want to require that all the admins on your website use strong passwords. When thinking about strong passwords, you might also consider using WordPress two-factor authentication. Two-factor authentication requires users not only to enter a password but also to enter a code sent to their phone or their email in order to log in. This means that someone trying to fraudulently log into an account won't succeed even if they guess the password; they would also need access to the account holder's phone and/or email.

3. Have you changed your WordPress salts & keys?

WordPress uses information stored in your browser, known as cookies, to verify logged-in users and commenters on your site. The WordPress salts and keys were added to WordPress to better encrypt and protect the users' information. When going through your WordPress security audit, check your wp-config.php file to make sure you've changed these from their defaults. You might even set yourself a reminder to change your salts and keys occasionally. You can read about the more technical details of WordPress salts & keys in the WordPress Codex. They even have a salts & keys auto-generator you can use.
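To make the wp-config.php check repeatable, here is an added Python script; it is not from the article, iThemes or WordPress itself. It parses the eight `define()` lines and flags the sample-file placeholder, missing constants, values shorter than the 64 characters the WordPress.org generator produces, and one value reused for two constants. The constant names and the `put your unique phrase here` placeholder are the real ones from wp-config-sample.php; the 64-character threshold is a choice made for this example, and both sample configs are constructed.

```python
import re
import sys

# The eight secret constants WordPress reads from wp-config.php to sign its cookies.
WP_SECRET_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Placeholder value shipped in wp-config-sample.php; unchanged installs still carry it.
DEFAULT_PLACEHOLDER = "put your unique phrase here"

# The WordPress.org secret-key generator emits 64-character values; anything shorter
# is reported (threshold chosen for this example, not a WordPress requirement).
MIN_LENGTH = 64

# Matches define( 'NAME', 'value' ); with either quote style and loose whitespace.
_DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*['"](?P<value>.*?)['"]\s*\)\s*;"""
)


def parse_secrets(config_text):
    """Return {constant_name: value} for the secret constants present in the config text."""
    secrets = {}
    for match in _DEFINE_RE.finditer(config_text):
        if match.group("name") in WP_SECRET_NAMES:
            secrets[match.group("name")] = match.group("value")
    return secrets


def audit_secrets(config_text):
    """Return a list of (constant_name, problem) findings; an empty list means all eight pass."""
    secrets = parse_secrets(config_text)
    findings = []
    for name in WP_SECRET_NAMES:
        if name not in secrets:
            findings.append((name, "missing"))
            continue
        value = secrets[name]
        if value == DEFAULT_PLACEHOLDER:
            findings.append((name, "default placeholder"))
        elif len(value) < MIN_LENGTH:
            findings.append((name, "too short (%d chars)" % len(value)))
    # Each constant should be unique: reusing one value removes the separation between cookie types.
    first_seen = {}
    for name, value in secrets.items():
        if value == DEFAULT_PLACEHOLDER:
            continue  # already reported above
        if value in first_seen:
            findings.append((name, "duplicate of " + first_seen[value]))
        else:
            first_seen[value] = name
    return findings


def _fake_secret(name):
    """Constructed 64-character sample value, NOT a real secret; used only to build SAMPLE_GOOD."""
    return ((name.lower() + "-") * 8)[:MIN_LENGTH]


# Constructed sample: a site that never replaced the placeholders, with one short and one missing value.
SAMPLE_BAD = """<?php
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'short' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'DB_NAME', 'wordpress' );
"""

# Constructed sample: all eight constants set to distinct 64-character values.
SAMPLE_GOOD = "<?php\n" + "".join(
    "define( '%s', '%s' );\n" % (name, _fake_secret(name)) for name in WP_SECRET_NAMES
)


def audit_file(path):
    """Audit a real wp-config.php on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_secrets(fh.read())


if __name__ == "__main__":
    # Usage: python audit_wp_secrets.py /path/to/wp-config.php  (no argument: run on the samples)
    if len(sys.argv) > 1:
        results = {sys.argv[1]: audit_file(sys.argv[1])}
    else:
        results = {"SAMPLE_BAD": audit_secrets(SAMPLE_BAD), "SAMPLE_GOOD": audit_secrets(SAMPLE_GOOD)}
    for label, findings in results.items():
        print(label, "->", "OK" if not findings else "%d finding(s)" % len(findings))
        for name, problem in findings:
            print("  %-16s %s" % (name, problem))
```

Run it against the site's wp-config.php after each rotation of the salts and keys; a clean run is an empty findings list, and any "default placeholder" finding means the values from the generator were never pasted in.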

4. Is all software on your website up to date?

When going through your WordPress security audit, one easy but very important thing to check is whether everything on your website is up to date. This includes all plugins, themes and WordPress itself. With WordPress especially, version updates often include security fixes and improvements. If you're running older versions, any security issues in them are typically publicly known and can be exploited.

Tip: Use a service like iThemes Sync to quickly run updates if you manage multiple WordPress websites.

5. Do you have any inactive users on your site?

Much like outdated plugins and themes on your site, inactive users can be exploited to attack your site. Did you create a user for a support person who was working on your site? Go ahead and delete that user. If they're not active on your site, they don't need a user account.
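As an added example for points 1 and 5 (not from the article, iThemes or WordPress), here is a Python script that reads the JSON array that `wp user list --format=json` prints and flags both problems: a login named admin, and accounts with no recent activity. WordPress core does not record a last-login time, so the `last_login` field is an assumption (a plugin or a small `wp_login` hook would have to write it); where it is absent the registration date is used as the latest known activity. The 90-day threshold is an assumed policy value, and the embedded user list is constructed.

```python
import json
import sys
from datetime import datetime, timedelta

# Assumed policy threshold for this example; the article gives no number.
INACTIVE_AFTER_DAYS = 90

# Timestamp format used by user_registered in `wp user list` output.
WP_DATETIME = "%Y-%m-%d %H:%M:%S"


def parse_user_list(json_text):
    """Parse the JSON array produced by `wp user list --format=json`."""
    return json.loads(json_text)


def audit_users(users, now, inactive_after_days=INACTIVE_AFTER_DAYS):
    """Return (user_login, problem) findings for predictable usernames and inactive accounts."""
    cutoff = now - timedelta(days=inactive_after_days)
    findings = []
    for user in users:
        login = user["user_login"]
        if login.lower() == "admin":
            findings.append((login, "uses the predictable username 'admin'; "
                                    "create a replacement admin user and delete this one"))
        registered = datetime.strptime(user["user_registered"], WP_DATETIME)
        # 'last_login' is an assumed field (core does not store it); without it the
        # registration date is the latest activity we know about.
        last_login = user.get("last_login")
        last_seen = datetime.strptime(last_login, WP_DATETIME) if last_login else registered
        if last_seen < cutoff:
            days = (now - last_seen).days
            findings.append((login, "inactive for %d days (roles: %s); remove if no longer needed"
                                    % (days, user["roles"])))
    return findings


# Constructed sample in the shape of `wp user list --format=json` (plus the assumed last_login).
SAMPLE_WP_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "admin", "display_name": "Site Owner", "user_email": "owner@example.com",
     "user_registered": "2019-03-02 10:00:00", "roles": "administrator", "last_login": "2024-05-01 09:12:00"},
    {"ID": 2, "user_login": "jdoe", "display_name": "J. Doe", "user_email": "jdoe@example.com",
     "user_registered": "2021-08-14 12:30:00", "roles": "editor", "last_login": "2024-05-20 14:00:00"},
    {"ID": 3, "user_login": "support-temp", "display_name": "Support Contractor", "user_email": "support@example.net",
     "user_registered": "2023-11-10 08:00:00", "roles": "administrator", "last_login": "2023-11-12 08:00:00"},
    {"ID": 4, "user_login": "newhire", "display_name": "New Hire", "user_email": "newhire@example.com",
     "user_registered": "2024-05-25 09:00:00", "roles": "author"},
])

# Fixed audit date so the constructed sample gives repeatable results.
AUDIT_DATE = datetime(2024, 6, 1)


def audit_sample():
    """Run the audit over the constructed sample list."""
    return audit_users(parse_user_list(SAMPLE_WP_USER_LIST), AUDIT_DATE)


if __name__ == "__main__":
    # Usage: wp user list --format=json | python audit_wp_users.py   (no stdin: use the sample)
    if sys.stdin.isatty():
        findings = audit_sample()
    else:
        findings = audit_users(parse_user_list(sys.stdin.read()), datetime.now())
    for login, problem in findings:
        print("%-14s %s" % (login, problem))
```

On the constructed list the script reports the admin account for its username and the support-temp administrator as inactive; the recently registered newhire account is not flagged, because a missing login record only counts against users registered before the cutoff.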

6. Do you have a WordPress backup solution in place?

Hackers are constantly coming up with new ways to access your site. No matter how secure your site may be, it’s still possible something can happen. For this reason, when you are going through your WordPress security audit, it is very important that you have a WordPress backup solution as part of the security plan for your site. Using a WordPress backup plugin such as BackupBuddy is a good way to quickly get a solid WordPress backup solution up and running.

WordPress Security Audit Checklist

  • Remove/change the “admin” user.
  • Require strong passwords for admin users.
  • Enable WordPress two-factor authentication for logins.
  • Change your WordPress salts and keys.
  • Update WordPress core, plugins and themes to the latest version.
  • Remove inactive users.
  • Make sure you have a solid WordPress backup strategy in place.

Source: How To Run A WordPress Security Audit