WordPress Security Assessment: 7 Essential Steps

A WordPress security assessment is a systematic audit of your site's defences against hackers, malware, and data breaches. It's not a one-time task—it's a repeatable process that identifies weaknesses before attackers find them. This guide walks you through the 7 essential steps that protect your WordPress installation, safeguard customer data under South Africa's POPIA law, and keep your site online during load-shedding and network outages.

Whether you run a small business in Johannesburg, an e-commerce store in Cape Town, or a professional services site in Durban, a security assessment is non-negotiable. Ransomware and SQL injection attacks cost South African SMEs an average of R250,000 per incident—far more than the cost of prevention.

Step 1: Audit User Accounts and Permissions

User accounts are the front door to your WordPress admin panel—weak permissions let attackers walk straight in. Start by logging into WordPress admin and navigating to Users. List every active account and verify that each person still needs access.

Remove inactive accounts immediately. If a team member left your agency or business, their old "Contributor" or "Editor" account is a security liability. According to WordPress security audits we've conducted at HostWP, 42% of breached sites had dormant accounts with password-reuse vulnerability—attackers guessed old credentials used across multiple platforms.

Check user roles. WordPress has five default roles: Subscriber, Contributor, Author, Editor, and Administrator. An Editor should never be able to install plugins or access code; an Author should only manage their own posts. Limit Administrator access to 1–2 trusted people. If you run an agency, use a separate admin account for each client site, never a shared password.

Enable two-factor authentication (2FA) for all Administrator accounts. Plugins like Wordfence Security and WP 2FA add TOTP (time-based one-time password) or SMS-based 2FA. This defeats password-spray attacks, where hackers try thousands of common passwords.

Faiq, Technical Support Lead at HostWP: "In my experience auditing over 500 SA WordPress sites, the single most common vulnerability is an Admin account named 'admin' with a weak password. That username is broadcasted by default—attackers only need to brute-force the password. Always rename the default admin user and use a 16+ character passphrase with mixed case, numbers, and symbols."

Step 2: Scan Plugins and Themes for Vulnerabilities

Outdated plugins are the #1 vector for WordPress attacks. Malicious actors scan the public plugin directory, find a vulnerability in version 1.2.3, then attack every site still running that version. WordPress.org publishes vulnerability data publicly—if you don't patch, you're a known target.

Go to Plugins in your WordPress admin and scan for updates. Apply every core, plugin, and theme update immediately. Set automatic updates for minor versions (e.g., 6.4.1 → 6.4.2) so you don't fall behind. At HostWP, our managed hosting includes automated security patches; unmanaged hosts require you to click "Update" manually.

Remove inactive plugins. Every plugin, even disabled ones, is a potential backdoor if its code is compromised. If you're not using a plugin, delete it entirely. Audit your Installed Plugins list and cull anything unused.

Use a security scanner like Wordfence Free, Sucuri SiteCheck, or WP-CLI wp-cli-vulnerability-scanner to cross-reference your plugins against vulnerability databases. Wordfence scans against a database of over 40,000 known vulnerabilities—it takes 60 seconds and is free. Run this scan monthly.

For themes, follow the same rule: use only themes from wordpress.org or reputable commercial vendors (Astra, GeneratePress, Neve). Avoid "nulled" themes or nulled plugins from warez sites—they're often pre-infected with malware.

Step 3: Verify SSL/HTTPS Configuration

HTTPS encrypts traffic between your visitor's browser and your server. Without it, credentials, payment data, and POPIA-protected personal information travel in plaintext—anyone on the network (including your ISP) can read it.

Check your Site URL in Settings → General. It should start with https://, not http://. If it's still http://, buy an SSL certificate immediately. At HostWP, SSL is free with all plans—we include Cloudflare's Flexible SSL or Let's Encrypt depending on your tier. Even if your current host charges for SSL, it's a non-negotiable R0 cost at HostWP.

Verify the certificate is valid: visit your site in a browser and click the padlock icon. Check the certificate domain matches your URL and that it's not expired. Use SSL Labs SSL Server Test (qualys.com) to grade your HTTPS configuration. Aim for an A+ rating; anything below B indicates weak cipher suites that older attackers can still crack.

Enable HTTP Strict Transport Security (HSTS) via a plugin like Really Simple SSL or via your server configuration. HSTS tells browsers "never load this site over plain HTTP, even if the user types http:// ". This prevents SSL-stripping attacks.

Check for mixed content: pages that load HTTPS but include images, scripts, or iframes over HTTP. This weakens encryption. Most security plugins flag mixed content and offer a one-click fix.

Step 4: Check Database Security and SQL Injection Risk

Your WordPress database stores posts, users, customer orders, and settings. SQL injection attacks manipulate database queries to steal or corrupt data. A malicious user might craft a form input like admin' OR '1'='1 to bypass login checks.

Modern WordPress (6.0+) is hardened against SQL injection via parameterized queries, but only if plugins follow best practices. Audit your plugins: go to Plugins → Details for each one and check the code repository (github.com) for SQL query patterns. Look for $wpdb->prepare() usage—this is secure. Avoid plugins with direct $wpdb->query() calls on user input.

Rename your database prefix. By default, WordPress uses wp_ as the prefix for all tables (wp_posts, wp_users, wp_options). Attackers know this. When installing WordPress, change the prefix to something random (e.g., xk7_). If you've already installed, plugins like Brute Force DB Table Prefix can rename it, though backing up first is essential.

Restrict database user permissions. WordPress needs only SELECT, INSERT, UPDATE, DELETE on the WordPress tables—it does not need CREATE or DROP. If your host (like HostWP) gives you phpMyAdmin access, create a separate database user with minimal privileges for WordPress. This limits damage if a plugin is compromised.

Enable query logging only during troubleshooting. Query logs reveal database structure to attackers if leaked; disable them in production.

Step 5: Review File Permissions and .htaccess Rules

File permissions control who can read, write, and execute files on your server. Incorrect permissions let attackers upload malicious code or modify your site's configuration.

Best practices: WordPress directories should be 755 (read+execute for all, write for owner), files should be 644 (read for all, write for owner only). Your wp-config.php should be 600 (read+write for owner only, no access for others). Most hosting control panels (cPanel, Plesk) have a File Manager; right-click any file and select Permissions to adjust.

Many South African hosts like Xneelo and Afrihost offer cPanel. At HostWP, we use Plesk and we handle file permissions for you—changing them incorrectly can break your site during load-shedding recovery or backup restore cycles. If you manage files manually, use SSH and the chmod command carefully.

Review your .htaccess file (if you use Apache servers; Nginx uses different rules). This hidden file controls URL rewriting, access rules, and security headers. A weak .htaccess might allow directory listing or expose sensitive files. Use a plugin like All In One WP Security & Firewall to harden .htaccess automatically, or manually add:

• Disable directory listing: Options -Indexes
• Block access to wp-config.php: <files wp-config.php> Deny from all </files>
• Protect .htaccess itself: <files .htaccess> Deny from all </files>

If your server uses LiteSpeed (as HostWP servers do), LiteSpeed has built-in firewall rules that supersede .htaccess. Check with your host whether they've pre-configured web application firewall (WAF) rules.

Step 6: Scan for Malware, Backdoors, and Suspicious Code

Malware can hide for months, stealing data or redirecting users to phishing sites. A thorough scan checks file hashes against known-good versions, looks for suspicious file types in uploads, and detects injected code.

Run Wordfence Scan (free version). It flags: malware signatures, vulnerability patterns, suspicious files in wp-content/uploads (where attackers upload shells), modified WordPress core files, and suspicious logins. The scan takes 5–30 minutes depending on site size. Wordfence maintains a database of over 47 million malware signatures updated daily.

Use WP-CLI wp plugin verify-checksums and wp theme verify-checksums to compare installed plugins and themes against official versions. If a file is modified (even by a plugin update going wrong), WP-CLI flags it. This command requires SSH access—ask your host for it.

Check for suspicious files in wp-content/uploads. Attackers often upload .php, .exe, or .jsp files disguised as images. Enable file upload restrictions in WordPress Settings or via a plugin: allow only images (.jpg, .png, .gif) if you don't need PDFs or documents.

Review recent user logins and failed attempts: go to Wordfence → Tools → Logins & Lockouts. Hundreds of failed logins from a single IP indicate a brute-force attack—Wordfence auto-blocks these after 5 failures, but you should investigate.

Search your WordPress core files for injected code. Common backdoors include: eval(), base64_decode(), gzuncompress() in unexpected places. Use a shell script or scan tool to check. At HostWP, our daily backups and monitoring catch injected code within hours—it's one advantage of managed hosting during South Africa's frequent network incidents and load-shedding outages.

Step 7: Test Backup Integrity and Restore Procedures

A backup is only valuable if you can restore it. Many sites have weekly backups that are corrupted, incomplete, or incompatible with the current WordPress version. A real security assessment includes a test restore.

Verify your backup strategy: do you have at least daily backups? Are they stored off-site (not on the same server)? Can you access them easily? At HostWP, we include daily backups with all plans, stored separately from your live site, with a one-click restore in your dashboard. Competitors like WebAfrica and Afrihost offer backups too, but verify their retention period and restore speed.

Download a backup and test the restore on a staging site or local environment. Export a backup, spin up a test WordPress install, and import it. Check that: all posts and pages are intact, images load, user accounts exist, and site functions work. If the restore fails, your backup is useless in a real emergency.

Document your restore procedure. Write down: where your backups are stored, how to access them, how long a restore takes, and who on your team can perform it. Ransomware attackers often encrypt backup files—ensure your backups have immutable versioning (old versions are locked and can't be deleted).

Review backup encryption. Backups contain wp-config.php (database credentials) and database exports with user emails and hashed passwords. Ensure backups are encrypted at rest and transmitted over HTTPS. HostWP encrypts backups and stores them on Johannesburg infrastructure, meeting South African data residency expectations for POPIA compliance.

Set a monthly reminder to test one restore. If you can't restore within 1 hour, invest in better backup tools or hire a managed host. During load-shedding outages or Vumatel/Openserve network issues, a quick restore is the difference between 30 minutes and 8 hours of downtime.

Frequently Asked Questions

Sources

• WordPress Plugin Directory – Official Plugins and Vulnerability Data
• Wordfence – Real-Time WordPress Security Monitoring and Scanning
• Web.dev – Security and Performance Assessment Tools