The 5 Minute WordPress Security Audit

WordPress is the open-source CMS of choice.  But like any web platform, it isn’t perfect.  The biggest problem with WordPress is the people who use it, specifically, those who fail to use it responsibly. Keeping the installation secure and safe is your job, not that of a faraway corporation.

I am occasionally asked to peek “under the bonnet” of other WordPress sites, and I tend to go pale when I see a site that has no security safeguards in place.  It’s a bit like keeping your front door locked, but leaving the key under the mat.  Without some security precautions, breaking in is that easy.

There are plenty of lists and posts out there with excellent information on how to protect your WordPress site, but not everyone has the time or the technical inclination to see it through.  With that in mind, here is a list of a few critical steps you should take to protect your WordPress site.  These will take a minimum of five minutes, and no more than 15.  When I set up a new WordPress install, I do not do one click worth of work until I have run through these security safeguards. Make it your own habit to do the same.

  1. Create a new administrator user with a new login name.  Delete the default “admin” user. Don’t use obvious generic login names like “test”, “administrator”, or “root” either.
  2. Use random gibberish passwords of at least 12 characters.  Here’s a helpful random gibberish password generator.
  3. Install and activate the Login Lockdown plugin. This automatically locks out anyone who tries to log in with the wrong password more than three times in a short time span.
  4. Install, activate, and run the Secure WordPress plugin.
  5. Install, activate, and run the WP Security Scan plugin.  Run its File Permissions check, and change your folder permissions accordingly.
  6. Install, activate, and run the Lockdown WP Admin plugin. This denies access to the back-end of WordPress to anyone who is not logged in.
  7. Install, activate, and run the WP Maintenance Mode plugin to create a landing page and “cloak” the work in progress.

This audit will provide your WordPress site with a healthy standard of essential security and protection.  The three security scanner plugins do have some overlap, but I doubt you will mind.  If you want to explore more advanced options for protecting your WordPress sites, here are some definitive lists:

It goes without saying that you should keep your WordPress installation, plugins, and themes updated to their most recent version at all times. If you’re not willing to do that, all of the above guidelines are a waste of your time. If you have more than one site, use WP Remote to monitor and update all your installations at a click.

WordPress Security Audit
This is a great example of what the security audit can reveal. This is a client site I picked up from another designer. This screen grab from the WP Security Scan plugin shows that the site’s core files were all ripe for the picking. It’s a dangerous security hole that only took a minute to correct.

Use a good host

No web host is 100% safe from all forms of hacking and cracking; that simply is not possible. All that said, you will notice a major difference between good web hosts and bad web hosts. I have used bad, cheap web hosts and found myself up cleaning hacking code at 3 AM as a result. On the other hand, I have used good hosts like Krystal and never had to worry about a thing.

If you’ve paid under £20 for a year’s web hosting, or you’ve chosen your web host based on the celebrity faces in their banner ad, or you use a password like “123456”, do you really think you have a right to complain?


  1. I just started on doing some blogs, and you are right I must secure my log-in password so it can be protected from being opened by hackers. Thanks for the advice.

    • That “exploit” has proven to be overhyped nonsense. What’s more, if one of my clients phoned me up ordering me to take security precautious (IE telling me how to do my job) based on a scaremongering blog post they read on the internets, I’d tell them where to shove their business.

  2. Actually Heather, I wouldn’t call it overhyped nonsense… it’s very real, it just has nothing to do with a security hole in WordPress itself. It’s due to Network Solutions not having a very secure hosting setup, and I guess they don’t have the cojones to admit that the vulnerability is on their end so they are blaming it on WordPress.

    You can’t really blame the common person for not knowing that a company as large or as well established as Network Solutions could be that inept.

  3. I always return to this post when I set up my WP sites … I’m not a reseller, I’m a keen novice, so I wondered if you had changed your views on the favourite plugins you use?


  4. Thanks a lot for this info. I have been looking for some great plugins that will help secure my site more.

    I have found that most people don’t realize that keeping your user name as admin can have some serious implications.


  5. This is a great foundation for anyone running their own WP blog or providing support to others. I’d be interested in hearing what additional recommendations folks would make to secure and support WP blogs running in multi site mode.



  6. Hi Kristine,

    These plugins still see me right with each project. Of course, if anyone else has suggestions for new plugins which have come out in the past two years, I’m all ears.

    One plugin I now install with all of my projects at this initial setup phase is Revision Control This allows you to limit the number of revisions WP stores in memory; in its default settings it remembers every edit you ever do, which results in dozens or even hundreds of page drafts stored for one post.

    If you are just setting up Revision Control on an existing site it will control drafts going forward but not the ones stored in memory up until then. In that case, run this database query

    DELETE FROM wp_posts WHERE post_type = “revision”;

    I’ve watched WordPress databases shrink by 900kb or more with this trick.

    • Hey, thanks for the suggestion on Revision Control. I’m adding it to my list ;-)

      I noticed that WebsiteDefender now offers a third plugin, WebsiteDefender WordPress Security, that appears to combine the features of Secure WordPress and WP Security Scan. Could save a little bit of time to install one plugin instead of two. Do you think it is a sufficient replacement for the two.

  7. Great article. Was pleased to see that I am up to speed on most of the suggestions apart from the landing page while in maintenance mode. Will take a look at that pluigin, and the links to advanced options. Thanks again.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s