Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
25 Million+
Websites using our plugins
Years of WordPress experience
WordPress tutorials
by experts

How to Perform a WordPress Security Audit (Complete Checklist)

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

How do you know if your website is secure? Would you like to perform a thorough security audit to find out?

WordPress is very secure right out of the box. However, if you suspect that something is not right, then a security audit can help you identify any issues that you need to address.

In this article, we will show you how to easily perform a WordPress security audit without taking down your site.

Easily perform a complete WordPress security audit

What Is a WordPress Security Audit?

Performing a security audit on your WordPress website means checking your site for signs of a security breach. You can perform a WordPress check to look for suspicious activity, malicious code, or an unusual drop in performance.

We will show you how to perform a basic security audit by following simple steps that you can perform manually. We will also show you how to use WordPress security audit tools and services to perform the security checks automatically.

If you find something suspicious, then you can isolate, remove, and fix it.

When to Perform a WordPress Security Audit

You should perform a WordPress security audit at least once a quarter. This allows you to stay on top of everything and close security loopholes even before they cause any trouble.

However, you should perform a security audit immediately if you notice anything suspicious, such as:

  • Your website is suddenly slow and sluggish.
  • You witness a drop in website traffic.
  • There are suspicious new accounts, forgotten password requests, or login attempts on your website.
  • You see suspicious links appear on your website.

That being said, let’s take a look at how to easily perform a WordPress security audit.

Performing a Basic Manual WordPress Security Audit

Here is a checklist of some steps you can take to perform a basic manual WordPress security audit on your website.

1. Update WordPress Core, Plugins, and Themes

WordPress updates are really important for the security and stability of your website. They patch security vulnerabilities, bring new features, and improve performance.

Make sure your WordPress core software, all plugins, and themes are up to date. You can easily do that by visiting the Dashboard » Updates page inside the WordPress admin area.

WordPress updates

WordPress will look up if any updates are available and then list them for you to install. If you need more help, then see our guides on how to properly update WordPress and how to properly update WordPress plugins.

2. Check User Accounts and Passwords

Next, you need to review WordPress user accounts by visiting the Users » All Users page. Look for suspicious user accounts that shouldn’t be there.

If you run an online store, a membership site, or sell online courses, then you may have user accounts for your customers to sign in.

However, if you run a blog or a business website, then you should only see user accounts for yourself or any other user that you have manually added.

Edit a user profile in WordPress

If you see suspicious user accounts, then you need to delete them.

Now, if your website doesn’t require users to create an account, then you need to visit the Settings » General page and make sure that the box next to the ‘Anyone can register’ option is unchecked.

Open user registration in WordPress

As an extra precaution, you need to change your WordPress admin password. We highly recommend adding two-factor authentication to strengthen password security on your site.

3. Run a WordPress Security Scan

IsItWP Security Scanner

The next step is to check your website for security vulnerabilities. Luckily, there are several online security scanners that you can use to check for malware.

We recommend using the IsItWP Security Scanner, which checks your website for malware and other security vulnerabilities.

These tools are good, but they can only scan the public-facing pages of your website. We will show you how to perform deeper audits later in this article.

4. Check Your Website Analytics

Website analytics help you keep track of your website traffic. They are also a pretty good indicator of your website’s health.

If your website has been blacklisted by search engines, then you will see a sudden drop in your website traffic. If your website is slow or unresponsive, then your overall page views will drop.

We recommend using MonsterInsights to track your website traffic. It not only shows your overall pageviews, but you can also use it to track registered users, your WooCommerce customers, form conversions, and more.

5. Set Up and Check WordPress Backups

If you haven’t already done so, then you need to immediately set up a WordPress backup plugin. This ensures that you always have a backup of your site in case anything goes wrong.

Many beginners forget about their WordPress backup plugin after setting it up. Sometimes, backup plugins may stop working without any notice. It is a good idea to make sure that your backup plugin is still working and saving backups.

Performing an Automatic WordPress Security Audit

The above checklist allows you to go through the most important aspects of a security audit. However, it is not a very thorough process, which means your website may still be vulnerable.

For instance, it is difficult to keep a manual record of all user activity, file differences, suspicious codes, and more. This is where you need a plugin to automate security auditing and keeping a record of everything.

You can automate this process with the help of a few WordPress security plugins.

1. Automatically Performing a Security Audit With WP Activity Log

WP Activity Log

WP Activity Log is the best WordPress activity monitoring plugin on the market.

It allows you to keep track of all user activity on your website. You can view all user logins, IP addresses, and what they did on your website.

WordPress activity log viewer to monitor events

You can track WooCommerce users, editors, authors, and other members who have an account on your website.

You can also turn on any events that you want to track and switch off the events that you don’t want to monitor.

Track events in WP Activity Log

The plugin also shows you a live view of all the users logged in to your website. If you see a suspicious account, then you can end their session right away and lock them out.

You can learn more in our guide on how to monitor user activity in WordPress using WP Activity Log.

2. Automatically Performing a Security Audit With Sucuri


Sucuri is the best WordPress firewall plugin on the market, and it is also the best all-in-one WordPress security solution that you can get for your website.

It provides real-time protection against DDoS attacks by blocking suspicious activity even before it reaches your website. This removes load from your server and improves your website speed/performance.

It comes with a built-in security plugin that checks your WordPress files for suspicious code. You also get a detailed look at the user activity across your website.

Most importantly, Sucuri offers malware removal for free with all their paid plans. This means that even if your website is already affected, their security experts will clean it for you.

Bonus: Hiring a WordPress Maintenance Service

Managing website security yourself can be time-consuming and complicated, especially for non-techy users. So, you may consider hiring a WordPress maintenance service that provides 24/7 security monitoring to save time and lighten your workload.

WPBeginner Pro Services offers reliable WordPress Maintenance Services at affordable pricing. It includes security monitoring, routine backups, updates, uptime monitoring, and much more.

WPBeginner WordPress website maintenance service

Simply choose a monthly maintenance package and you can relax knowing that your website security is being taken care of by experts.

Expert Guides on WordPress Security

Now that you know how to perform a WordPress security audit, you may like to see some other guides related to WordPress security:

We hope this article helped you learn how to perform a WordPress security audit on your website. You may also want to see our guide on how to improve your WordPress SEO or our expert picks for the best WordPress landing page plugins.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

10 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Dennis Muthomi says

    You recommends Sucuri as an all-in-one WordPress security solution. I’m wondering if Sucuri could replace needing separate plugins like WP Activity Log?
    I want to avoid cluttering my site with too many plugins if one could do the job.

    • WPBeginner Support says

      It would depend on the function of the plugin you are looking to replace but Sucuri does have an activity log option.


      • Dennis Muthomi says

        Great point that whether Sucuri meets my needs depends on the functionality I’m looking for. THANKS for replying!

    • WPBeginner Support says

      Instead of changing the login url we would normally recommend using a plugin like limit login attempts as changing the login URL has a higher chance of causing problems for beginners.


      • Eva says

        Well, I do both! And many more. Security is my number one priority. I see what you mean, but most words are as easy to memorize as /wp-admin or /wp-login especially for beginners in my opinion.

        • WPBeginner Support says

          It is less about remembering the login URL and more about if there are any errors when trying to change the URL, most beginners don’t have the tools to fix the login address.

        • Eva says

          I see, good point! In many cases, just renaming the plugin directory by FTP is enough to disable it and access again through /wp-login. But I get it, it is not beginner-friendly!

        • DW says

          Yeah, doing the login URI really doesn’t do much. It’s a technique known as “security by obscurity” – basically security by “hiding”.

          If someone is determined to get into your website, using these “Security by obscurity” techniques would at best slow them down by a few minutes. It’s not really a substitute for properly securing your website.

          You’re far better off securing your website properly. Techniques like plugins to prevent brute force attacks, enforcing strong passwords, enforcing multi-factor authentication for at the very least admin accounts, and if you have the luxury of having a Static IP address creating an .htaccess file that only allows access to the admin page from your IP address are all far better solutions.

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.