New Jersey Tech, Business, & Creative Resources
Jersey Devil Web
WordPress Security Audit
Free 25-point checklist for NJ businesses
Work through each section below to audit your site
Critical: Core updates & versions
WordPress core is running the latest version
Dashboard → Updates. Most WordPress compromises exploit a vulnerability that already has a patch available, so anything left outdated is an open door.
All plugins are updated to their latest versions
Plugins → Installed Plugins → filter by “Update available.”
Active theme (and its parent) is up to date
Appearance → Themes. Includes the parent of any child theme.
PHP version is 8.1 or higher
Tools → Site Health → Info → Server. PHP 7.x and 8.0 no longer receive security fixes; a site on them is running known, unpatched bugs.
Inactive plugins and themes are fully deleted, not just deactivated
Deactivated plugins and themes still sit on disk where their files are web-reachable, and they rarely get updated, so a vulnerable one can still be exploited.
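The five items above can be checked from the command line instead of by clicking through wp-admin. The script below is an added example, not the page's own tooling; it reads WP-CLI's CSV output and flags pending updates, inactive components and an old PHP branch. The CSV samples and the "7.4.33" version are constructed so it runs offline; with --live it calls wp and php on the server.

```shell
#!/bin/sh
# Added example, not the page's own code: checks the "Core updates & versions" items
# from WP-CLI output. The CSV samples below are constructed so the script runs
# offline; run it with --live on the server to use real data.

# PHP 8.1 is the floor this checklist asks for. Compares major.minor, so 10.0 passes.
php_version_ok() {   # $1 = version string such as "8.2.10"
    printf '%s\n' "$1" | awk -F. '{ ok = ($1 > 8 || ($1 == 8 && $2 >= 1)); exit ok ? 0 : 1 }'
}

# Constructed samples of:
#   wp plugin list --format=csv --fields=name,status,update
#   wp theme  list --format=csv --fields=name,status,update
SAMPLE_PHP="7.4.33"
SAMPLE_PLUGINS='name,status,update
akismet,active,none
contact-form-7,active,available
hello,inactive,none
revslider,inactive,available'
SAMPLE_THEMES='name,status,update
mychild,active,none
twentytwentyfour,parent,none
twentytwentythree,inactive,available'

# Print components whose "update" column reads "available".
pending_updates() {   # $1 = CSV
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Print installed-but-unused components. WP-CLI marks the parent of the active
# child theme as "parent", not "inactive", so it is (correctly) not listed.
unused_components() {   # $1 = CSV
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

count_lines() { awk 'END { print NR }'; }

# One line per finding; returns 1 if anything needs action.
audit_versions() {   # $1 = PHP version, $2 = plugin CSV, $3 = theme CSV
    rc=0
    if php_version_ok "$1"; then echo "PASS  PHP $1"
    else echo "FAIL  PHP $1 is below 8.1 and gets no security fixes"; rc=1; fi
    for n in $(pending_updates "$2"); do echo "FAIL  plugin update pending: $n"; rc=1; done
    for n in $(pending_updates "$3"); do echo "FAIL  theme update pending: $n"; rc=1; done
    for n in $(unused_components "$2"); do echo "WARN  inactive plugin still on disk: $n"; rc=1; done
    for n in $(unused_components "$3"); do echo "WARN  inactive theme still on disk: $n"; rc=1; done
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    # php -r reports the CLI binary, which can differ from the PHP serving pages;
    # Site Health (Tools -> Site Health -> Info -> Server) shows the web one.
    audit_versions "$(php -r 'echo PHP_VERSION;')" \
        "$(wp plugin list --format=csv --fields=name,status,update)" \
        "$(wp theme list --format=csv --fields=name,status,update)" || echo "RESULT: action needed"
    wp core check-update   # newer core version, or "WordPress is at the latest version."
else
    audit_versions "$SAMPLE_PHP" "$SAMPLE_PLUGINS" "$SAMPLE_THEMES" || echo "RESULT: action needed"
fi
```

Run it as `sh wp-versions.sh --live` from the site root (or with `--path=` added to the wp calls). Inactive components are reported as warnings rather than deleted automatically: `wp plugin delete <name>` is the deliberate step once you have confirmed nothing depends on them.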
Critical: Login & admin access
Admin username is NOT “admin”, “administrator”, or your domain name
These are the first guesses in any brute-force attack. Create a new admin and delete the old one (reassigning its posts). Treat the rename as a speed bump, not a secret: WordPress exposes usernames through /?author=1 and the /wp-json/wp/v2/users endpoint unless your host or a plugin blocks them.
All admin accounts use strong, unique passwords (16+ characters)
Use a password manager. Users → Profile → Generate Password.
Two-factor authentication (2FA) is enabled for all admin users
WP 2FA, Wordfence, or Google Authenticator plugin all work great.
Login attempts are rate-limited or brute-force protection is active
Wordfence, Loginizer, or your host’s WAF. WP Engine has this built in.
User roles reviewed — no unnecessary admins, editors, or old accounts
Users → All Users. Remove former employees, contractors, and test accounts.
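The username and account-review items above, plus a probe for the brute-force protection, as an added example (not the page's own code). The admin list is a constructed sample of WP-CLI output; example.com and the SITE_URL are placeholders. The offline checks run by default; --live adds two network probes, which you should only point at a site you own.

```shell
#!/bin/sh
# Added example, not the page's own code: audits the "Login & admin access" items.
# SAMPLE_ADMINS is constructed; SITE_DOMAIN and SITE_URL are placeholders.
SITE_DOMAIN="${SITE_DOMAIN:-example.com}"
SITE_URL="${SITE_URL:-https://example.com}"

# Constructed sample of:
#   wp user list --role=administrator --format=csv --fields=ID,user_login,user_email
SAMPLE_ADMINS='ID,user_login,user_email
1,admin,owner@example.com
4,jdoe,jdoe@example.com
7,example,webdev@contractor.test
9,test,test@example.com'

# Print admin logins an attacker guesses first: admin, administrator, the domain,
# or its first label ("example" for example.com).
guessable_admins() {   # $1 = CSV, $2 = domain
    label=${2%%.*}
    printf '%s\n' "$1" | awk -F, -v dom="$2" -v lab="$label" '
        NR > 1 { l = tolower($2)
                 if (l == "admin" || l == "administrator" || l == dom || l == lab) print $2 }'
}

# Print admins whose mailbox is not on the business domain: contractors and former
# staff usually surface here. Each needs a human decision, not an automatic delete.
external_admins() {   # $1 = CSV, $2 = domain
    printf '%s\n' "$1" | awk -F, -v dom="$2" '
        NR > 1 { n = split($3, e, "@"); if (n != 2 || tolower(e[2]) != dom) print $2 }'
}

count_lines() { awk 'END { print NR }'; }

# Live only. Renaming "admin" helps little if usernames leak elsewhere: the REST
# users endpoint lists them unless the host or a plugin blocks it.
user_enumeration() {   # $1 = site URL
    curl -s "$1/wp-json/wp/v2/users" | grep -o '"slug":"[^"]*"' || echo "users endpoint not listing slugs"
}

# Live only, against your own site: wrong passwords for a user that does not exist,
# stopping at the first response that shows throttling (Wordfence answers 503, most
# other protections 403 or 429). Only your own IP can end up locked out.
login_throttle_kicks_in() {   # $1 = site URL, $2 = attempts
    i=1
    while [ "$i" -le "$2" ]; do
        code=$(curl -s -o /dev/null -w '%{http_code}' \
            --data-urlencode "log=no-such-user-$$" --data-urlencode "pwd=wrong-$i" \
            "$1/wp-login.php")
        case "$code" in 403|429|503) echo "throttled after $i attempts (HTTP $code)"; return 0 ;; esac
        i=$((i + 1))
    done
    echo "no throttling after $2 attempts"
    return 1
}

audit_admins() {   # $1 = CSV, $2 = domain; returns 1 if anything was flagged
    rc=0
    for u in $(guessable_admins "$1" "$2"); do echo "FAIL  guessable admin login: $u"; rc=1; done
    for u in $(external_admins "$1" "$2"); do echo "WARN  admin with outside e-mail: $u"; rc=1; done
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    audit_admins "$(wp user list --role=administrator --format=csv --fields=ID,user_login,user_email)" \
        "$SITE_DOMAIN" || :
    user_enumeration "$SITE_URL"
    login_throttle_kicks_in "$SITE_URL" 10 || :
else
    audit_admins "$SAMPLE_ADMINS" "$SITE_DOMAIN" || echo "RESULT: action needed"
fi
```

Password length and 2FA enrolment are not visible from the user list; check them in each profile, or use the report your 2FA plugin provides. Ten failed logins is plenty for the throttle probe: if nothing blocks you by then, the rate limiting item is a fail.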
High: SSL, HTTPS & hosting
SSL certificate is valid and not expiring within 30 days
Click the padlock in your browser to see the expiry date. Set a calendar reminder for renewal, and if your host auto-renews (Let's Encrypt certificates last 90 days), confirm the renewal actually ran rather than assuming it did.
All HTTP traffic is force-redirected to HTTPS
Check .htaccess or your host panel; the redirect should be a server-side 301, not a plugin or JavaScript. Run a mixed-content checker after.
wp-config.php is outside the public web root or access-restricted
Ask your host. A direct request for the file should return a 403 (server rule) or an empty page (PHP executed it); what must never come back is the PHP source itself. Also request wp-config.php.bak, wp-config.php.save, wp-config.php.old and wp-config.php~, which a server will serve as plain text if an editor or a past migration left them behind.
Directory listing is disabled on the server
Visit yoursite.com/wp-content/uploads/: you should get a 403 (or a blank page), not a file list.
Site is hosted on a managed WordPress platform (WP Engine, Kinsta, Pressable)
Managed hosts include server-level firewalls, malware scanning, and automatic updates. They do not fix vulnerable plugins, weak passwords, or surplus admin accounts, so the rest of this list still applies.
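The redirect, wp-config and directory-listing checks above, written as an added example (not the page's own tooling) so the pass/fail logic can be exercised offline on constructed responses; "--live <host>" runs the same functions with curl and openssl against a real site, including the 30-day certificate check. example.com is a placeholder.

```shell
#!/bin/sh
# Added example, not the page's own code: HTTP-level checks for the hosting section.
# Grading functions take a status code and response so they run offline on the
# constructed responses at the bottom; "--live <host>" fetches real ones.

# Plain-HTTP requests must redirect to https:// on the same host (a server-side
# 301/308, not JavaScript). $2 is curl's %{redirect_url}, empty when no redirect.
grade_redirect() {   # $1 = status, $2 = Location, $3 = host
    case "$1" in
        301|302|307|308)
            case "$2" in "https://$3/"*|"https://$3") echo PASS; return 0 ;; esac ;;
    esac
    echo FAIL
    return 1
}

# A directory URL must not return an index. 403 is the usual right answer; a 200
# is acceptable only when it is not a listing (an empty index.php, for instance).
grade_listing() {   # $1 = status, $2 = body
    if [ "$1" = 200 ] && printf '%s' "$2" | grep -qi '<title>index of'; then
        echo FAIL; return 1
    fi
    echo PASS
    return 0
}

# wp-config.php: PHP normally executes it and returns an empty 200, a server rule
# returns 403; both are fine. The failure is the source coming back as text, which
# is exactly what happens to editor/backup copies of the file.
grade_config_exposure() {   # $1 = status, $2 = body
    if [ "$1" = 200 ] && printf '%s' "$2" | grep -q 'DB_PASSWORD'; then
        echo FAIL; return 1
    fi
    echo PASS
    return 0
}
CONFIG_COPIES="wp-config.php wp-config.php.bak wp-config.php.save wp-config.php.old wp-config.php.orig wp-config.php~"

audit_live() {   # $1 = host
    h="$1"
    set -- $(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "http://$h/")
    echo "http->https redirect: $(grade_redirect "$1" "${2:-}" "$h")"
    body=$(mktemp)
    code=$(curl -sS -o "$body" -w '%{http_code}' "https://$h/wp-content/uploads/")
    echo "directory listing:    $(grade_listing "$code" "$(cat "$body")")"
    for f in $CONFIG_COPIES; do
        code=$(curl -sS -o "$body" -w '%{http_code}' "https://$h/$f")
        echo "$f: $(grade_config_exposure "$code" "$(cat "$body")")"
    done
    rm -f "$body"
    # openssl's -checkend exits 1 if the certificate expires within 30 days (2592000 s).
    if echo | openssl s_client -servername "$h" -connect "$h:443" 2>/dev/null \
            | openssl x509 -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "certificate:          PASS (valid for more than 30 days)"
    else
        echo "certificate:          FAIL (expires within 30 days, or could not be read)"
    fi
}

if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    audit_live "$2"
else
    # Constructed responses, one per grade.
    echo "redirect  301 -> https://example.com/ : $(grade_redirect 301 'https://example.com/' example.com)"
    echo "redirect  200, no Location            : $(grade_redirect 200 '' example.com)"
    echo "listing   403                         : $(grade_listing 403 '')"
    echo "listing   200 'Index of /uploads'     : $(grade_listing 200 '<html><title>Index of /wp-content/uploads</title>')"
    echo "wp-config 200, empty body             : $(grade_config_exposure 200 '')"
    echo "wp-config.bak 200 with source         : $(grade_config_exposure 200 "<?php define('DB_PASSWORD', 'hunter2');")"
fi
```

The redirect grade deliberately rejects a redirect to a different host (for example www. added on the HTTPS side): that is usually a second hop away from being correct, and the mixed-content checker the item mentions will show whether the chain ends cleanly.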
High: Backups & recovery
Automated daily backups are running and stored offsite
UpdraftPlus → S3/Dropbox, or your managed host’s backup system — not on the same server.
A backup restore has been successfully tested in the last 90 days
An untested backup is not a backup. Restore to a staging environment to verify.
Database is included in backup (not just files)
Many hosts only back up files. Your DB holds all posts, users, and settings.
At least 30 days of backup history is retained
Compromises often go unnoticed for weeks. If every retained backup already contains the backdoor, there is nothing clean to restore; a 30-day history is your safety net.
Backup credentials are stored securely (not only inside a WordPress plugin setting)
If your site is compromised, anyone with admin or database access can read credentials saved in a plugin setting and use them to delete your cloud backups. Give the backup job an identity that can write but not delete, and keep its credentials on the server or with the host, not in wp_options.
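A minimal nightly backup job that covers the five items above, as an added example rather than the page's own tooling: it exports the database with WP-CLI, archives it with wp-content, refuses to upload an archive that turns out to be files-only, prunes local copies past 30 days, and keeps the offsite credentials out of WordPress. SITE_ROOT, BACKUP_DIR and the bucket name are placeholders; the verify and prune functions run offline on any tarball.

```shell
#!/bin/sh
# Added example, not the page's own tooling. SITE_ROOT, BACKUP_DIR and BUCKET are
# placeholders; make_backup/upload_backup need wp and the AWS CLI on the server.
SITE_ROOT="${SITE_ROOT:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wp}"
BUCKET="${BUCKET:-s3://example-wp-backups}"
RETAIN_DAYS=30

# One archive holding the database dump and wp-content. Prints the archive path.
make_backup() {
    work=$(mktemp -d)
    out="$BACKUP_DIR/site-$(date -u +%Y%m%d-%H%M%S).tar.gz"
    wp --path="$SITE_ROOT" db export "$work/db.sql" --quiet
    cp -R "$SITE_ROOT/wp-content" "$work/wp-content"
    tar -czf "$out" -C "$work" db.sql wp-content
    rm -rf "$work"
    printf '%s\n' "$out"
}

# Return 0 only if the archive carries the uploads directory AND a SQL dump that
# actually defines the users table. A files-only backup, or an empty dump from a
# failed export, fails here.
verify_backup_archive() {   # $1 = archive
    members=$(tar -tzf "$1") || return 1
    printf '%s\n' "$members" | grep -q '^wp-content/uploads' || return 1
    sql=$(printf '%s\n' "$members" | grep '\.sql$' | head -n 1)
    [ -n "$sql" ] || return 1
    tar -xzOf "$1" "$sql" | grep -q 'CREATE TABLE `[A-Za-z0-9_]*users`'
}

# Delete local archives older than the retention window. Offsite history is kept
# by the bucket's own lifecycle rule, so a compromised server cannot shorten it.
prune_old_backups() {   # $1 = directory
    find "$1" -name 'site-*.tar.gz' -type f -mtime +"$RETAIN_DAYS" -exec rm -f {} +
}

# Offsite copy. Credentials come from the AWS CLI profile or an instance role,
# never from a wp_options row, which is readable by anyone who breaches the site.
# Give that identity s3:PutObject only (no s3:DeleteObject) and turn on bucket
# versioning, so stolen credentials can add files but cannot erase history.
upload_backup() {   # $1 = archive
    aws s3 cp "$1" "$BUCKET/"
}

if [ "${1:-}" = "--run" ]; then
    archive=$(make_backup)
    verify_backup_archive "$archive" || { echo "backup incomplete: $archive" >&2; exit 1; }
    upload_backup "$archive"
    prune_old_backups "$BACKUP_DIR"
    echo "backup ok: $archive"
fi
```

For the quarterly restore test, unpack an archive into a staging install, run `wp db import db.sql` there and `wp search-replace https://www.example.com https://staging.example.com` to repoint URLs, then log in and open a few posts; an archive that passes verify_backup_archive but will not restore cleanly is the case that check exists to catch.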
Monitoring: Malware scanning & monitoring
A security plugin with malware scanning is active (Wordfence, Sucuri, or iThemes)
Free tiers scan for known malware signatures; premium tiers add real-time firewall rules (Wordfence's free firewall receives new rules 30 days after Premium does).
Uptime monitoring is configured with alerts (UptimeRobot, Better Uptime)
Free tools alert you within 5 minutes of downtime. You should know before your customers do.
File integrity monitoring is enabled (alerts on unexpected file changes)
Wordfence or Sucuri alert on modified core and plugin files, a classic hack signature. From the command line, wp core verify-checksums compares core against the official release.
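What a file-integrity monitor actually does, as an added example that is not the page's own code or any plugin's: take a baseline of every PHP file (and .htaccess) right after a clean update, then compare from cron and report anything added, modified or removed. Paths are placeholders; the check runs on any directory.

```shell
#!/bin/sh
# Added example, not the page's own code: a minimal file-integrity monitor for a
# WordPress install. Paths are placeholders. WP-CLI has the repository-backed
# equivalent: "wp core verify-checksums" and "wp plugin verify-checksums --all".

hashfile() {   # sha256 of one file: GNU coreutils, with the BSD/macOS fallback
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Manifest of every PHP file and .htaccess under the site root (paths containing
# spaces are not handled; WordPress itself never creates them).
fim_baseline() {   # $1 = site root, $2 = manifest to write
    (cd "$1" && find . -type f \( -name '*.php' -o -name '.htaccess' \) | sort \
        | while read -r f; do hashfile "$f"; done) > "$2"
}

# Compare the tree against the manifest. Prints ADDED / MODIFIED / REMOVED lines
# and returns 1 if there is anything to report, 0 when the tree is unchanged.
fim_check() {   # $1 = site root, $2 = manifest
    now=$(mktemp)
    fim_baseline "$1" "$now"
    findings=$(awk 'NR == FNR { base[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in base))        print "ADDED    " $2
          else if (base[$2] != $1)  print "MODIFIED " $2 }
        END { for (f in base) if (!(f in seen)) print "REMOVED  " f }' "$2" "$now" | sort)
    rm -f "$now"
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

if [ "${1:-}" = "baseline" ]; then
    fim_baseline "${2:-/var/www/html}" "${3:-/var/lib/wp-fim/manifest}"
elif [ "${1:-}" = "check" ]; then
    fim_check "${2:-/var/www/html}" "${3:-/var/lib/wp-fim/manifest}"
fi
```

Run `wp-fim.sh baseline` after every update you perform yourself and `wp-fim.sh check` from cron (the non-zero exit makes cron mail you the findings). A new .php file under wp-content/uploads, or a modified file in wp-includes when you have not updated core, is the signature this item is about; keep the manifest outside the web root so an intruder cannot rewrite it.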
Admin activity logging is active (who changed what and when)
WP Activity Log plugin. Essential for shared-access sites and client accountability.
Google Search Console is connected and checked for security alerts
Google flags hacked sites and malware in Search Console — often before the owner notices.
Want our mechanics to handle all of this for you?
Jersey Devil Web offers managed WordPress care plans for NJ businesses — security, updates, backups, and expert support, all covered.