
WordPress Security Audit Checklist: Complete Guide

Comprehensive WordPress security audit checklist covering configuration, access control, code review, and infrastructure.

Sarah Chen
7 min read

Regular security audits identify vulnerabilities before attackers do. Use this checklist to systematically review your WordPress security posture.

WordPress Core

Version and Updates

  • [ ] Running latest WordPress version
  • [ ] Automatic updates enabled for core
  • [ ] No beta/development versions in production
  • [ ] Previous versions removed after update

Configuration

  • [ ] Debug mode disabled (WP_DEBUG = false, so errors are never shown to visitors)
  • [ ] File editing disabled in the dashboard (DISALLOW_FILE_EDIT = true)
  • [ ] Non-default database table prefix (not wp_)
  • [ ] Unique authentication keys and salts (no placeholder values left in wp-config.php)
  • [ ] Correct file permissions (files 644, directories 755, wp-config.php more restrictive)

Plugins and Themes

Plugin Audit

  • [ ] All plugins from reputable sources
  • [ ] All plugins updated to latest versions
  • [ ] No inactive plugins installed
  • [ ] No abandoned plugins (12+ months without update)
  • [ ] Checked for known vulnerabilities

Theme Audit

  • [ ] Active theme from trusted source
  • [ ] Theme updated to latest version
  • [ ] Only the active theme installed (plus one default theme as a fallback)
  • [ ] Child theme used for customizations
  • [ ] No nulled/pirated themes

Access Control

User Accounts

  • [ ] No "admin" username
  • [ ] All accounts have strong passwords
  • [ ] Two-factor authentication enabled
  • [ ] No unused accounts
  • [ ] Appropriate role assignments
  • [ ] No shared accounts

Login Security

  • [ ] Login attempt limiting enabled
  • [ ] CAPTCHA on login form
  • [ ] SSL enforced for login
  • [ ] Login URL protected or hidden
  • [ ] Failed login logging

Infrastructure

Hosting

  • [ ] PHP version supported and secure (8.0+)
  • [ ] MySQL/MariaDB version supported
  • [ ] Server software patched
  • [ ] Firewall configured
  • [ ] Malware scanning active

SSL/TLS

  • [ ] Valid SSL certificate
  • [ ] HTTPS everywhere (no mixed content)
  • [ ] TLS 1.2+ only
  • [ ] HSTS enabled
  • [ ] Certificate auto-renewal working

Data Protection

Backups

  • [ ] Automated backups configured
  • [ ] Backups stored off-site
  • [ ] Backups encrypted
  • [ ] Backup restoration tested
  • [ ] Adequate retention period

Database

  • [ ] Database user has minimal permissions
  • [ ] Database not remotely accessible
  • [ ] phpMyAdmin protected or removed
  • [ ] Sensitive data encrypted

Security Features

Headers

  • [ ] X-Frame-Options set
  • [ ] X-Content-Type-Options set
  • [ ] Content-Security-Policy configured
  • [ ] Referrer-Policy set
  • [ ] Permissions-Policy configured

Firewall

  • [ ] Web Application Firewall active
  • [ ] Common attack patterns blocked
  • [ ] Bad bots blocked
  • [ ] Rate limiting configured

Monitoring

Logging

  • [ ] Security events logged
  • [ ] Logs stored securely
  • [ ] Log retention adequate
  • [ ] Log review scheduled

Alerting

  • [ ] Admin notifications working
  • [ ] Alert thresholds configured
  • [ ] Uptime monitoring active
  • [ ] File change detection enabled

Code Review

Custom Code

  • [ ] Input validation and sanitization applied to all request data
  • [ ] Output escaping used (esc_html(), esc_attr(), esc_url())
  • [ ] SQL queries built with $wpdb->prepare(), never by string concatenation
  • [ ] Nonces verify form submissions and action links
  • [ ] Capability checks (current_user_can()) on admin functions
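The five Custom Code items above, shown together in one admin action handler. This is an added example written for this checklist, not code from the article or from WP Folder Shield; it assumes it is loaded inside WordPress (for example from a plugin file), and the `notes` table, the `manage_options` capability and the `wpfs_` function names are assumptions made for the illustration.

```php
<?php
// Added example: an admin-only "delete note" handler. Assumes it runs inside
// WordPress; the notes table and the manage_options capability are assumed.

// BEFORE: fails every item on the checklist (kept as the "bad" reference).
function wpfs_delete_note_insecure() {
    global $wpdb;
    $id = $_GET['note_id'];                                            // no validation
    $wpdb->query( "DELETE FROM {$wpdb->prefix}notes WHERE id = $id" ); // SQL injection
    echo 'Deleted note ' . $_GET['note_id'];                           // reflected XSS
}

// AFTER: capability check, nonce, validation, prepare(), output escaping.
function wpfs_delete_note_secure() {
    global $wpdb;

    // Capability check: only users who may manage options can delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'wpfs' ), 403 );
    }

    // Nonce check: the request must come from a link this plugin generated.
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'wpfs_delete_note' ) ) {
        wp_die( esc_html__( 'Invalid or expired request.', 'wpfs' ), 403 );
    }

    // Input validation: the id must be a positive integer and nothing else.
    $id = isset( $_REQUEST['note_id'] ) ? absint( $_REQUEST['note_id'] ) : 0;
    if ( 0 === $id ) {
        wp_die( esc_html__( 'Missing or invalid note id.', 'wpfs' ), 400 );
    }

    // Prepared statement: the value is bound, never concatenated into SQL.
    $table   = $wpdb->prefix . 'notes';
    $deleted = $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $id ) );

    // Output escaping: escape on output even though the values are integers.
    printf( '<p>%s</p>', esc_html( sprintf( 'Deleted %d note(s) with id %d.', (int) $deleted, $id ) ) );
}

// The link that triggers the handler carries the matching nonce.
function wpfs_delete_note_link( $id ) {
    $url = add_query_arg( array( 'action' => 'wpfs_delete_note', 'note_id' => absint( $id ) ), admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, 'wpfs_delete_note' );
}
add_action( 'admin_post_wpfs_delete_note', 'wpfs_delete_note_secure' );
```

During a code review, grep custom plugins and themes for direct use of `$_GET`, `$_POST` and `$_REQUEST` and for `$wpdb->query(` calls without `prepare(`; each hit should show the pattern on the right side of this example.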

File System

Access Restrictions

  • [ ] wp-config.php protected
  • [ ] .htaccess hardened
  • [ ] No PHP execution in uploads
  • [ ] Directory listing disabled
  • [ ] Sensitive files not web-accessible

Audit Frequency

  • Weekly: Update checks, log review
  • Monthly: User audit, plugin review
  • Quarterly: Full security audit
  • Annually: Penetration testing

Conclusion

Regular security audits catch issues before they become breaches. Work through this checklist systematically and address any gaps discovered. Document findings and track improvements over time.

Written by Sarah Chen

WP Folder Shield Team
