How to audit a WordPress site in 5 minutes

WordPress runs roughly 43% of the web. It is also the single largest target on the internet — outdated plugins, weak admin passwords, and stale themes account for the vast majority of small-business website breaches.

The good news: you do not need a pentester to find the obvious problems. You need five minutes and a checklist.

1. Verify the WordPress core version

Open https://yoursite.com/readme.html (or the WP-Admin dashboard). If the major version is more than two behind current, you are exposed to publicly disclosed vulnerabilities. Action: patch within 7 days of every release; enable auto-updates for minor versions.

2. Audit the active plugins

Log in to WP-Admin → Plugins. Three rules:

  • Disable any plugin you do not actively use, and remove its files: a disabled plugin still ships code as long as its files are reachable.
  • Replace any plugin not updated in 12+ months. It is abandoned. Look for an actively maintained alternative.
  • Audit one-star reviews on the WP repo. Reviewers often flag security regressions before disclosure.

3. Check user accounts

WP-Admin → Users. Look for:

  • Accounts named admin, administrator, or the site owner's first name. These are the targets of every brute-force attempt.
  • Editor / Author roles for users who left the company. Revoke immediately.
  • Any user whose email is on a personal Gmail rather than a company domain.

4. Look for unexpected changes to wp-config.php

The file should be outside the public web root or, at minimum, have permissions 400 for the web server user. If ls -l (or stat) shows 644 or 666, anyone who can read the disk can read your DB credentials.

5. Test the login URL

Visit /wp-login.php. If it loads with no rate limit, no MFA prompt, and no IP allowlist, anyone in the world can guess passwords. Recommended: Wordfence, iThemes Security, or your hosting provider's WAF; pick one and turn on rate limiting.

6. Verify the SSL certificate

Open the site in an incognito window. The lock should be green; the certificate should be valid for at least the next 30 days. Expired certificates are the single most common cause of preventable downtime.

7. Check the security headers

Open browser DevTools → Network → click the document → Response Headers. You want to see:

  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Frame-Options: DENY
  • Referrer-Policy: strict-origin-when-cross-origin

If any are missing, your site is one cross-site-scripting bug away from a cookie-stealing attack.
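The checks in steps 1, 4 and 7 can be scripted against data you already have on hand: a saved copy of readme.html, the mode of wp-config.php, and a saved response header block. The script below is an added example for this post, not NoDowntimeShield's scanner or any WordPress project code. It assumes the readme.html layout ("Version X.Y.Z" on one line), treats "current release" as a version you look up and pass in (6.5 in the sample is a placeholder), and runs entirely offline on constructed sample inputs; the curl and openssl commands in the comments are how you would produce real inputs for your own site.

```shell
#!/bin/sh
# Offline checks for steps 1, 4 and 7 of the checklist. Each check is a
# function over data you already fetched, so nothing here touches the network.

# --- Step 1: WordPress core version ----------------------------------------

# Extract "Version X.Y.Z" from a saved readme.html given as $1
# (fetch with: curl -s https://yoursite.com/readme.html > readme.html).
wp_version_from_readme() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 (stale) when the site's version ($1) is on a different major than the
# current release ($2) or more than two minor releases behind it; exit 1 otherwise.
wp_version_stale() {
    site_major=${1%%.*}; site_rest=${1#*.}; site_minor=${site_rest%%.*}
    cur_major=${2%%.*};  cur_rest=${2#*.};  cur_minor=${cur_rest%%.*}
    if [ "$site_major" != "$cur_major" ]; then return 0; fi
    if [ $((cur_minor - site_minor)) -gt 2 ]; then return 0; fi
    return 1
}

# --- Step 4: wp-config.php permissions --------------------------------------

# Print the octal mode of file $1 (GNU stat first, BSD stat as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 when an octal mode ($1) grants nothing to group or other (400, 600),
# so only the owning web-server user can read the DB credentials.
wp_config_mode_ok() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# --- Step 7: security headers -----------------------------------------------

REQUIRED_HEADERS="Strict-Transport-Security Content-Security-Policy X-Frame-Options Referrer-Policy"

# Print, one per line, each required header missing from a saved response
# header block $1 (produce it with: curl -sI https://yoursite.com/ > headers.txt).
# Header names are matched case-insensitively, as HTTP requires.
missing_headers() {
    for h in $REQUIRED_HEADERS; do
        grep -qi "^$h:" "$1" || echo "$h"
    done
    return 0
}

# --- Constructed sample inputs (not a real site) ----------------------------

tmp=$(mktemp -d)
cat > "$tmp/readme.html" <<'EOF'
<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 6.2.2</h1>
EOF
cat > "$tmp/headers.txt" <<'EOF'
HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000
x-frame-options: DENY
EOF
: > "$tmp/wp-config.php"
chmod 644 "$tmp/wp-config.php"

# Run the three checks over the samples; 6.5 stands in for the current release.
site_ver=$(wp_version_from_readme "$tmp/readme.html")
if wp_version_stale "$site_ver" 6.5; then
    echo "core $site_ver: STALE, patch within 7 days"
else
    echo "core $site_ver: ok"
fi
mode=$(file_mode "$tmp/wp-config.php")
if wp_config_mode_ok "$mode"; then
    echo "wp-config.php mode $mode: ok"
else
    echo "wp-config.php mode $mode: readable by other users, set to 400"
fi
missing_headers "$tmp/headers.txt" | sed 's/^/missing header: /'
rm -rf "$tmp"
```

The sample run reports a stale core (6.2.2 is three minor releases behind 6.5), a world-readable wp-config.php, and two missing headers (Content-Security-Policy and Referrer-Policy). Point the same functions at files fetched from your own site and the output is your step 1, 4 and 7 findings.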

What we automate

NoDowntimeShield runs all seven of the checks above (and 23 others) every day on every domain we monitor. If you want the audit running on autopilot — including alerts when a new plugin vulnerability is disclosed for software you have installed — start a free scan at /check.