Comprehensive WordPress Site Security Audit

• Complete website scan (inspection of all the website files for malicious code)
• Make sure that the site is not listed on blacklists
• Review Google Transparency report
• Make sure that the database is free of malware and spam
• Ensure log files and phpinfo files are not publicly available
• Look for suspicious logins
• Make sure that the adequate log files are available
• Check if there are any potentially vulnerable files
• Is Google Search Console and Google Analytics set-up for the site

• To check if your site is using the latest version of WordPress
• Enable auto updates as and where needed
• Check if wp-config.php is secured
• Check if wp-admin file editing is disallowed
• Manually inspect all the files in your WordPress installation directory

Themes and Plugins:

• Review all the themes
• Review all the plugins, add-ons and extensions
• Check if all the themes and plugins are updated & actively maintained
• Make sure that theme core files are unmodified (child theme is used for modifications)
• Make sure that the active theme is actively maintained by developers
• Make sure all the active plugins used are actively maintained by developers
• Prepare a list on unused themes and plugins (for deletion)
• Prepare a list of vulnerable themes and plugins (for review)
• Check basic plugins for leaks and recommend stronger ones where required
• Review and inspect mu-plugins folder
• Inspect uploads folder for possible security threat

• Scan WordPress database for any malicious code
• Check the permissions of MySQL user
• Make sure that the tables are optimized
• Make sure that the database is optimized
• PhpMyAdmin version check
• Password audit for MySQL user
• Make sure that remote database access disabled

• Review all the user accounts and make sure that all the administrators are valid users with correct email addresses
• Perform a password audit and make sure that each user account is using a strong and unique ID and password
• Limit access to WP admin based on user roles
• Make sure there are no public transaction logs that decrease site security
• Review network administration for multisite install

• Ensure that hosting is reliable and secure
• Is the site using Linux Hosting
• Check if SSL is installed and configured correctly
• Review the file permissions
• Check which PHP and web server version is in use
• Make sure there are no suspicious cron jobs
• Strong CPANEL / Hosting / FTP Password
• Review website backups and backup settings to make sure there are adequate backups
• Make sure that backups are not accessible publicly
• Make sure that credit card information is not stored on site

• Page speed analysis of the website
• Review caching configuration
• Check if the site is using Web Application Firewall (WAF)
• Review the configuration of security and performance plugins (if any)