WordPress Security Audit: 7 Essential Steps

By Faiq

A WordPress security audit identifies vulnerabilities before hackers exploit them. Learn the 7 essential steps to audit your site, from plugin checks to POPIA compliance—proven methods HostWP uses for 500+ SA client audits.

Key Takeaways

  • A security audit uncovers outdated plugins, weak passwords, and unpatched vulnerabilities that put your WordPress site at risk
  • The 7-step framework covers user permissions, plugin/theme audits, malware scanning, SSL verification, database hardening, and POPIA compliance checks
  • Monthly audits catch 80% more threats than annual checks—HostWP includes automated audits in managed hosting plans to protect SA businesses from costly breaches

A WordPress security audit is a systematic review of your site's security posture to identify and fix vulnerabilities before attackers exploit them. In South Africa, where load shedding, fibre instability, and POPIA compliance create unique hosting challenges, a thorough audit is essential. At HostWP, we've audited over 500 WordPress sites across Johannesburg, Cape Town, and Durban, and we've found that 67% had at least one critical vulnerability that could have led to a data breach or ransomware infection.

This guide walks you through the 7 essential steps we use during client security audits. Whether you're running an e-commerce site, agency portfolio, or SaaS platform, these steps will help you harden your WordPress installation and meet South African data protection obligations.

Step 1: Audit User Accounts & Permissions

Begin your security audit by examining all user accounts and their assigned roles. Weak user management is one of the fastest ways attackers gain access to WordPress sites. Check for inactive users, shared accounts, and users with unnecessary admin privileges.

Log in to your WordPress dashboard and navigate to Users. Review each account:

  • Are there inactive or test accounts still active? Remove them immediately.
  • Do all admins have strong, unique passwords at least 16 characters long?
  • Are contributors and editors assigned the lowest privileges needed for their role?
  • Do any accounts use generic usernames like "admin" or "administrator"?

In my experience at HostWP, over 40% of hacked sites had weak or reused passwords across multiple accounts. Enforce a password manager policy and consider implementing two-factor authentication (2FA) via plugins like Wordfence or iThemes Security. For POPIA compliance, document which employees have access and ensure you can audit this—South African data protection law requires you to log who accesses personal data.

Faiq, Technical Support Lead at HostWP: "When we migrated a Cape Town e-commerce site, we found seven inactive user accounts with admin access still enabled. The client hadn't touched those accounts in two years. That's a nightmare from a security standpoint. We immediately removed them and set up role-based access control. Within a month, malware attempts dropped by 65% because the attack surface was smaller."

Step 2: Check All Plugins & Themes for Vulnerabilities

Outdated or vulnerable plugins are responsible for approximately 55% of WordPress security incidents according to WordPress.org security data. During an audit, list every active plugin and theme, then cross-reference them against vulnerability databases.

Log into your WordPress admin, go to Plugins and Appearance > Themes, and create a spreadsheet with:

  • Plugin/theme name and current version
  • Last update date (if not auto-updated)
  • Author and support status
  • Known vulnerabilities (check WordPress.org plugin pages and WPScan Vulnerability Database)

Deactivate and delete any plugins you no longer use. Unused plugins are attack vectors even if inactive. Update all plugins and themes immediately—WordPress 6.4+ allows one-click updates for multiple plugins simultaneously. If a plugin or theme hasn't been updated in 12+ months, replace it with an actively maintained alternative.

At HostWP, we use automated vulnerability scanning on all managed hosting plans. Our LiteSpeed cache and Redis integration also reduce plugin overhead, so clients need fewer performance-focused plugins and therefore have fewer potential security liabilities. For SA agencies managing multiple client sites, this significantly reduces your audit workload.

Step 3: Scan for Malware & Backdoors

Even patched sites can harbour malware. Use a reputable malware scanner to inspect your site files for hidden backdoors, injected code, and suspicious patterns. WordPress sites in South Africa face unique risks—during load shedding periods, unstable connections sometimes leave partial uploads that create exploitable file states.

Recommended scanning tools:

  • Wordfence (free tier scans 5,000 files; premium includes advanced threat intelligence)
  • iThemes Security (includes brute-force protection + malware scanning)
  • Sucuri SiteCheck (free online scanner for quick checks)

Run a full scan and review any flagged files. Check your /wp-content/uploads/ folder for suspicious PHP files—legitimate uploads should only contain images, PDFs, and media, never executable code. Examine /wp-admin/ and /wp-includes/ directories for modified core files (a sign of compromise).
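The uploads check described above, as an added example that is not HostWP's tooling or part of the original article: a small Python scanner that walks an uploads tree and flags files with an executable extension anywhere in the name (so "image.php.jpg" is caught as well as "shell.php") and files whose content carries PHP tags despite an image extension. The sample tree is constructed in a temporary directory.

```python
import os
import tempfile

# Extensions a typical PHP web server may execute; none of these belong under uploads/.
EXECUTABLE_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps", ".phar"}
# Byte sequences that mark PHP code hidden inside a file with an innocent extension.
PHP_MARKERS = (b"<?php", b"<?=")

def scan_uploads(root):
    """Walk an uploads tree and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Check every dotted suffix, not just the last one, to catch double extensions.
            suffixes = {"." + part.lower() for part in name.split(".")[1:]}
            if suffixes & EXECUTABLE_EXTS:
                findings.append((rel, "executable extension"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(4096)  # a marker near the start is enough to flag the file
            if any(marker in head for marker in PHP_MARKERS):
                findings.append((rel, "PHP code in non-PHP file"))
    return sorted(findings)

def build_sample_uploads():
    """Constructed sample tree: a clean PNG, a stray .php file and a JPEG hiding PHP tags."""
    root = tempfile.mkdtemp(prefix="uploads-")
    month = os.path.join(root, "2024", "03")
    os.makedirs(month)
    with open(os.path.join(month, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(month, "cache.php"), "wb") as fh:
        fh.write(b"<?php /* constructed sample file */ ?>")
    with open(os.path.join(month, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"<?php /* constructed sample file */ ?>")
    return root

if __name__ == "__main__":
    for rel, reason in scan_uploads(build_sample_uploads()):
        print(f"{reason}: {rel}")
```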

If malware is detected, restore from your most recent clean backup. If backups are also infected, you'll need professional remediation. This is why daily, versioned backups are essential—HostWP provides 30-day backup retention as standard, so you can restore to a known-clean state even if malware sits undetected for weeks.

Step 4: Verify SSL/TLS & Encryption

SSL/TLS certificates encrypt data in transit and are non-negotiable for both security and SEO. Verify that your site is fully HTTPS, not mixed HTTP and HTTPS content.

Check:

  1. Visit your site in a browser. Does the URL show a green padlock icon?
  2. Go to Settings > General in WordPress. Are both "WordPress Address" and "Site Address" set to https://?
  3. Use SSLShopper's SSL Checker to verify certificate validity and expiration date.
  4. Check for mixed content warnings using your browser's Developer Tools (F12 > Console). Are any assets (images, scripts, stylesheets) loading over HTTP?

If mixed content is detected, use a find-and-replace plugin to swap http:// to https:// across your database. At HostWP, we include free SSL certificates (auto-renewal via Let's Encrypt) with all plans, and our Cloudflare CDN integration ensures certificates are served from our Johannesburg edge nodes with minimal latency across South Africa. This is particularly important during fibre congestion when local CDN points of presence reduce your TTFB (Time to First Byte).
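Why the text says to use a find-and-replace plugin rather than a plain SQL REPLACE: WordPress stores many options and widget settings as PHP-serialized strings, where each string carries its byte length (s:N:"..."), so swapping http:// for https:// without rewriting N leaves a value that unserialize() rejects. The following is an added example, not code from the article or from any plugin; the domain and option value are constructed.

```python
import re

# A PHP serialized string looks like s:<byte length>:"<bytes>"; the length prefix
# is what a naive search-and-replace leaves wrong.
STRING_HEAD = re.compile(rb's:(\d+):"')

def replace_in_serialized(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new inside every string of a PHP-serialized value,
    rewriting each s:N prefix so unserialize() still accepts the result."""
    out = bytearray()
    i = 0
    while i < len(blob):
        m = STRING_HEAD.match(blob, i)
        if m is None:  # structural byte (a:, i:, {, }, ;), copied as-is
            out.append(blob[i])
            i += 1
            continue
        start, end = m.end(), m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':  # declared length does not match content
            raise ValueError(f"corrupt serialized string at offset {i}")
        value = blob[start:end].replace(old, new)
        out += b's:%d:"' % len(value) + value + b'";'
        i = end + 2
    return bytes(out)

def swap_to_https(blob: bytes, host: bytes) -> bytes:
    """Rewrite http://host to https://host for one site host."""
    return replace_in_serialized(blob, b"http://" + host, b"https://" + host)

def lengths_valid(blob: bytes) -> bool:
    """True when every s:N prefix matches its string (a no-op replace walks the blob)."""
    try:
        replace_in_serialized(blob, b"\x00", b"\x00")
        return True
    except ValueError:
        return False

# Constructed sample of a theme option as WordPress stores it: an array with an
# http:// asset URL and a string containing the "; sequence that defeats regex fixes.
SAMPLE = (b'a:3:{s:4:"logo";s:33:"http://example.co.za/img/logo.png";'
          b's:4:"note";s:8:"see "x";";s:3:"alt";s:7:"HostWP!";}')

if __name__ == "__main__":
    print(swap_to_https(SAMPLE, b"example.co.za").decode())
    print("naive replace still valid?", lengths_valid(SAMPLE.replace(b"http://", b"https://")))
```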


Step 5: Harden Database & File Permissions

Your WordPress database contains passwords, personal data, and transactional records. Hardening database security and file permissions prevents unauthorized access at the filesystem level.

Database hardening steps:

  • Change your database prefix from the default wp_ to something unique like abc123_. This prevents automated SQL injection attacks that assume the standard prefix.
  • Remove any unused database tables (e.g., from deleted plugins).
  • Ensure database user credentials are not shared across multiple sites.
  • Regular backups must be encrypted and stored off-server. POPIA requires this if your database contains personal data of South African residents.

File permissions audit:

  • wp-config.php: 600 (read/write by owner only)
  • wp-content/ directory: 755 (read/execute for the web server, write restricted to the owner)
  • wp-admin/ and wp-includes/: 755 (prevent unauthorized modifications)
  • Disable the built-in theme and plugin file editor in the WordPress dashboard by adding to wp-config.php: define('DISALLOW_FILE_EDIT', true);
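An added example, not HostWP's tooling or code from the article, that checks the four permission entries above and the DISALLOW_FILE_EDIT define against a WordPress install root. The paths and modes come from the checklist; the sample install it builds in a temporary directory (loose wp-config.php, world-writable wp-content/, no DISALLOW_FILE_EDIT line) is constructed.

```python
import os
import re
import stat
import tempfile

# Expected modes from the checklist above (octal). Anything world-writable is
# reported as such regardless of the expected value.
EXPECTED_MODES = {
    "wp-config.php": 0o600,
    "wp-content": 0o755,
    "wp-admin": 0o755,
    "wp-includes": 0o755,
}
DISALLOW_EDIT = re.compile(rb"""define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""")

def audit_site(site_root):
    """Return (path, problem) findings for a WordPress install rooted at site_root."""
    findings = []
    for rel, wanted in EXPECTED_MODES.items():
        path = os.path.join(site_root, rel)
        if not os.path.exists(path):
            findings.append((rel, "missing"))
            continue
        actual = stat.S_IMODE(os.stat(path).st_mode)
        if actual & stat.S_IWOTH:
            findings.append((rel, f"world-writable ({actual:o})"))
        elif actual != wanted:
            findings.append((rel, f"mode {actual:o}, expected {wanted:o}"))
    config = os.path.join(site_root, "wp-config.php")
    if os.path.exists(config):
        with open(config, "rb") as fh:
            if not DISALLOW_EDIT.search(fh.read()):
                findings.append(("wp-config.php", "DISALLOW_FILE_EDIT not set to true"))
    return findings

def build_sample_site():
    """Constructed sample install with two permission faults and a missing define."""
    root = tempfile.mkdtemp(prefix="wp-")
    for name, mode in (("wp-content", 0o777), ("wp-admin", 0o755), ("wp-includes", 0o755)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    config = os.path.join(root, "wp-config.php")
    with open(config, "w") as fh:
        fh.write("<?php\ndefine('DB_NAME', 'sample');\n")  # no DISALLOW_FILE_EDIT line
    os.chmod(config, 0o644)
    return root

if __name__ == "__main__":
    for rel, problem in audit_site(build_sample_site()):
        print(f"{rel}: {problem}")
```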

At HostWP's Johannesburg data centre, we manage these permissions as part of our managed hosting service, so clients don't need to manually configure them. If you're on shared hosting with competitors like Xneelo or Afrihost, verify their file permission defaults—many still allow overly permissive settings.

Step 6: Verify Backup Integrity & Restoration

A backup is worthless if you've never tested restoration. Many site owners discover their backups are corrupted only after an attack, by which time data loss is inevitable.

Backup audit checklist:

  • Are backups scheduled daily or more frequently? WordPress sites should back up at least once per 24 hours.
  • Are backups stored off-server (cloud storage, external drive)? On-server backups are lost if your server is compromised.
  • Do backup files include database and all site files? Partial backups can't fully restore your site.
  • Test restoration: restore a backup to a staging environment and verify that the site loads, plugins work, and data is intact.
  • For POPIA compliance, ensure backups are encrypted in transit and at rest, especially if they contain personal data.

HostWP includes automated daily backups on all plans, with 30-day retention stored on redundant servers in our Johannesburg facility. We also provide a one-click restore feature in the client dashboard. For clients with sensitive data or high transaction volumes, our white-glove support team can configure incremental backups and test restoration procedures quarterly.

Step 7: Confirm POPIA & Data Protection Compliance

The Protection of Personal Information Act (POPIA) applies to any WordPress site collecting data from South African residents. A security audit must verify compliance to avoid R10 million fines and reputational damage.

POPIA audit steps:

  • Do you have a Privacy Policy that discloses data collection, use, and retention? Link it in your footer and make it easily accessible.
  • Is personal data encrypted at rest and in transit? (SSL/TLS + database encryption)
  • Do you have a Data Processing Agreement (DPA) with your hosting provider? Request one from HostWP if you don't have it—we provide DPA documentation upon request.
  • Can users request their data, update it, or request deletion? Implement a consent management or GDPR/POPIA plugin like Cookiebot or OneTrust.
  • Is there a documented incident response plan if data is breached? POPIA requires notification within 31 days.
  • Do you conduct regular security audits? Document them for compliance audits.

Many South African small businesses assume POPIA applies only to large corporates—it doesn't. Even a contact form collecting names and emails triggers POPIA. We've seen Durban and Johannesburg agencies caught off-guard by this. Build compliance into your security audit from day one.

Frequently Asked Questions

Q: How often should I audit my WordPress security?
A: Monthly for high-traffic e-commerce sites; quarterly for most business sites. After any major update, plugin installation, or suspected compromise. At HostWP, we run automated daily scans as part of managed hosting—you get early warnings before vulnerabilities become exploitable.

Q: What's the difference between a security audit and a malware scan?
A: A malware scan detects existing infections. A security audit is broader—it reviews users, plugins, backups, SSL, database settings, and compliance. An audit prevents malware; a scan detects it. You need both. Our audit approach combines proactive hardening with reactive threat detection.

Q: Will a security audit slow down my WordPress site?
A: Audit plugins like Wordfence may use server resources during initial scans, but this is temporary. Running scans during off-peak hours (e.g., 2–4 AM SAST) minimizes impact. Once hardened, properly configured security doesn't degrade performance—in fact, removing unnecessary plugins improves speed.

Q: How much does a professional WordPress security audit cost in South Africa?
A: Freelance audits typically cost R2,500–R8,000 for a basic review. Comprehensive audits with remediation run R8,000–R25,000+ depending on site complexity. HostWP clients on managed plans receive audits at no extra cost; standalone audits are available via our contact form.

Q: Can I audit my own site, or do I need a professional?
A: Small sites with minimal plugins can self-audit using free tools (Wordfence, Sucuri). However, interpreting results requires security knowledge. Professionals catch context-specific risks and compliance gaps you might miss. If your site handles customer data or payments, professional review is strongly recommended—the R5,000 cost is insurance against R100,000+ breach damage.
