Resource Security audit
A WordPress security audit checklist built from the WPVanguard scanner we run as a SaaS. Six categories, dozens of individual checks, all of them battle-tested against real WordPress sites in the wild.
We built WPVanguard to automate the audit checklist below. The checklist itself is what informed the scanner. Use the checklist to run a manual audit, or use WPVanguard to run the same checks automatically every week.
What is inside
Each category covers a real failure mode we have seen on compromised WordPress sites. The full checklist is what runs against every WPVanguard scan.
01
Verify wp-admin and wp-includes against checksums for the installed WordPress version. Detect modified core files. Detect injected files in core directories. The first thing the WPVanguard scanner runs against any site.
Tampered core files detected in seconds.
02
Inventory installed plugins and themes. Cross-reference against WPScan and Patchstack vulnerability databases. Surface known CVEs. Surface plugins that have not received an update in 12 plus months. Recommend updates with risk-ranked priority.
Vulnerable plugins surfaced with severity, not just count.
03
Inventory all users with administrative capabilities. Detect hidden admins (admin users hidden from the user list via filter). Audit application passwords. Surface stale accounts. Recommend access reviews.
Hidden admin accounts surface in audit.
04
Hash every file in wp-content. Cross-reference against malware signature database. Scan for common webshell patterns, eval-based malware, base64 encoded payloads, suspicious obfuscation. Scan uploads directory for executable file types.
Malware found before it gets used.
05
Check options table for spam content. Check posts for injected JavaScript. Check user_meta for capability injection. Check for unauthorized cron events. Check for SQL injection markers in known tables.
Database-level compromise detected, not just file-level.
06
wp-config.php audit (debug mode, salts, file editing). .htaccess hardening. File permission audit. SSL configuration. REST API exposure check. Application password availability. Recommend hardening with one-click apply where safe.
Hardening recommendations come with apply paths.
The downloadable version is in progress. The current internal version is shared on request and goes out within four business hours. WPVanguard runs the same checks automatically as a paid SaaS at wpvanguard.com.
Run a baseline audit against your WordPress site today. Document findings. Triage by severity. Fix the criticals immediately. Schedule the non-criticals into your next maintenance window. Re-run monthly to catch drift. Re-run after any major plugin update or unusual traffic event immediately.
A real penetration test by a security firm. The checklist surfaces common WordPress-specific issues. A pen test surfaces application logic vulnerabilities the checklist will not catch. Both are valuable for different stages of security maturity.
Common questions
The downloadable version is in progress. The current internal version is shared on request and goes out within four business hours. WPVanguard runs all of these checks automatically as a paid service.
Yes. Each item on the checklist can be run manually or with WP-CLI. WPVanguard packages them into a SaaS so you do not have to. For one-off audits, manual is fine. For ongoing monitoring, automation is cheaper.
For active sites with frequent plugin updates, monthly or weekly. For low-change sites, quarterly. After any major plugin update or after any unusual traffic event, immediately.
Severity-ranked findings, with remediation steps for each. Critical findings (active malware, compromised admin) trigger emergency response procedures. Non-critical findings go into the next maintenance window. WPVanguard automates the common remediation steps.
Want continuous WordPress security monitoring?
WPVanguard runs the same checks automatically every week. Manual checklist is yours on request.
After 16 years of buying WordPress themes and plugins, I know exactly what bad support looks like and Wbcom Designs is the polar opposite. My setup was a nightmare: multiple tools, deep integrations, custom configurations that required…