WP Security Check: Use Site Safe Check List

Performing a WP Security Check by using this Site Safe Check List. It helps to have a WordPress Site that’s safe for everyone. This helps show things to look for as well as tools and resources to improve your own WordPress security check. This is one of several posts in the Website Security category. Also, as this is a specific security area of performing a site safe check, read more about my overall “Complete Guide to Security of WordPress Sites“.

WP Security Check Introduction

Performing your own WP Security Check is a good start. It’s important to look over these steps and perform the ones you can. Don’t worry if you can’t perform them all. That’s because WordPress and Site security are a specialty area of knowledge. However, don’t forget about them. Learning more about these common security practices is important. Consider hiring out or using an online service, even if temporarily, until you can learn to do it yourself or just parts of it.

WordPress Security Check Types: Internal & External

WP Security Check from internal and external threats

There are two types of WP security checks to perform. There is an internal WP security check and an external one. Some will consider networking and physical access are more but, I consider most of those as external. In reality, it doesn’t matter what you label it, as long as it’s a part of your checking. A good article to read is “12 Ways to Protect Your Website From Internal and External Threats” by AdVanSys.com.

Internal WordPress Security Check

1. WordPress Hosting with Security (Managed or Self)

Check to ensure your site and server can’t be logged in or accessed remotely using unsecured Wi-Fi.
Review what security options are available from your web hosting provider. A very popular service is Immunify 360. More expensive plans include it free from your host; low end plans charge a hefty monthly fee.

Some hosts offer constant site safe check with Immunify 360

Ensure there is at least a basic antimalware protection for the server. Also, if available, populate notifications of malware with your preferred email address or SMS phone number.
Finally, if the hosting provider doesn’t seem to offer good enough security protections, there’s always external services. A serious leader of website protections that many world class hosts use is PatchStack. It’s intended for multisite developers or Enterprise customers. Review PatchStack vulnerability protections pricing of their security for websites of various quantities. Lots of positive comments from leaders of MainWP, WP Rocket, Elementor, Clicky by Yoast, and more.

2. Site Reliability

You’ll want to have something in place to monitor your site up time. There are plenty of free services available for this. It’s less work on your server and site if you use an external monitor service for this internal check.
Site performance also is an indicator of site reliability. You want your site to serve pages and perform processes within a reasonable amount of time. This is especially true for processing orders or payments. Finally, for SEO, you want a robust site for a good visitor experience, which will reflect on your search engine rank positioning also. And that translates over to security. In other words, if you notice your ranking dropping, it’s a flag to investigate your site performance and if your server or site are getting slowed down due to excessive traffic hits like a brute force attack.

3. Updates to WordPress, Plugins, & Hosting Server

WordPress security check for site health shows UpToDate plugins, theme, and WP core

Not keeping software and systems updated leaves them vulnerable to security flaws and exploits. Hackers can take advantage of these vulnerabilities to gain access to your systems and data.
Ensure you have a plan or schedule to periodically check for items that receive updates. The most common are the WordPress core, the site theme, and the site plugins. Other items might involve the hosting server itself such as apps, services, communications, etc.

4. Backups

Ensure your server account is backed up. That’s typically done at the root level, which is why root level access is an important feature to have. Also, backup of the site is a starting point when you install WordPress in the following manner.
- Install WordPress Using Softaculous cPanel
Regarding backups, your server backup frequency is important but, for low importance, low traffic sites, you might be fine with just monthly backups. However, I always recommend at least weekly or daily backups. However, the server account backups consume a lot of storage space so, that might not be available on a low budget.

Using WPvivid to create and verify scheduled backups is a basic WordPress security check

Site backups are a lot easier to get done and you’ll have complete control over this. While there are plenty of plugins available for this, I recommend WPvivid. It has a vast number of options, including scheduling, as well as backups to many cloud services. Also, it has an encryption option.
WPvivid Backup (free version)
WPvivid Professional backups: WPvivid for entire site with options, subscription or lifetime

5. Internal Access Security

Using unsecured Wi-Fi networks can expose your data to potential hackers and should be avoided whenever possible. So, ensure all internal users follow that practice.
Weak passwords are a major security risk and should be avoided at all costs. So, check WordPress users’ accounts to confirm none are flagged for weak passwords. A simpler method is to make it a practice to create new users with the setting of a requirement to disallow weak passwords.
For internal users, consider Two-factor authentication (2FA) as a requirement. It adds an extra layer of security and should be used whenever possible.

Using 2FA for internal access security is a part of a WP Security Check best practice

Ensure all internal users are aware of how to recognize phishing scams from communications such as email, SMS, Social Platforms, and other forms of technical communications that care links or <Submit> processes.

6. Internal Monitoring: Alerts & Logs

There are several methods of how to monitor internally. However, it requires some settings to be enabled which will include communications such as email or SMS alerts. Most often, the types of minimum alerts you’ll want are those about the server or site being down. Other types of notifications you might want is when the CPU or Memory hit over 95%. Another kind of alert to monitor would be if storage space is low, e.g., below 80%.

External WordPress Security Check

1. Firewalls (WAF)

A Web Application Firewall is a higher level of protection. Here are some items it works on protecting.

WAFs can stop malicious traffic before it gets to your web app.
Also, WAFs can improve protection of sensitive customer information and credit card numbers.
It can get your closer to compliance requirements like PCI, DSS, and by blocking traffic incompatible with those standards.
WAFs also work together with other security tools, including other firewalls for an added defense layer.

Read more about “What is a WAF?” from Cisco.com, a world leader in networking and web security.

2. External Access Security

A very important measure of protections against external threats is to work on getting your website to lean towards PCI compliance. A leader in PCI DSS compliance programs is Viking Cloud. Here are some website security measures you can take for adding external access protections.

Periodically, update yourself with the latest motivations of hackers and current trends.
Updates to your sites’ plugins, WordPress core, and themes often will also lend to updated security hole protections.
External access leans strongly towards a need to tighten control to site access and hosting server access.
Installing a WAF (previous discussed) is a direct improvement to external access.
When possible, limit direct access for uploading files. Security experts convey to not let it permitted directly at all. In other words, always use a specific tool designed for adding files or removing files. For example, using WordPress to upload images, instead of uploading them through FTP or even SFTP.
Change the URL of your WP Admin login page. Also, hide admin files using your robots text file is another good practice.
Security experts also say to disable or remove your internal users’ auto-fill features. The reason is if their own devices are compromised, it would give access to that info form the invader.

3. External Monitoring: Site Safe Checks, Alerts, & Logs

Here are some ways you can enhance your external monitoring.

Test website for malware. This is a common practice for antivirus/anti-malware services and tools.
Scan site for Vulnerabilities. There are tools and services available for this.
Check for unauthorized access and attempts. There are plenty of logs available for this.
Investigate unplanned site changes that are discovered. Try to check if they were done by internal users or by an external source.

Website Security Tools & Resources

Here are some online and local services and tools you can use for a site safe check.

Site Safe Check using Website Security Checker

WP Sec online security scan for WordPress vulnerabilities: Automated WordPress scans. Limited free scan and paid plans.
Online Malware & URL Security Tester: Also checks with other security vendor reports. Note that this free online service says it will automatically share results with the security community.
URL Void: This is a website reputation checker. In other words, if your site is causing an external security issue to visitors or search engines, this is one method of revealing it.
IP Void: This can check a single IP or a range. It will display identifying info you can use to ensure you are still in full control. It shows things like, WhoIs Lookup, DNS, and a Blacklist check.
WOT’s Website Safety Check: Check your website’s reputation, based on ratings, blacklists, and 3rd party information. WOT also incorporates its own machine learning algorithms and states its updated regularly.
Website Trustworthiness Check: Tool includes security factors such as blacklist status, SSL certificate, page content, etc. Also includes other domain details like DMARC, suspicious redirects, valid https, and others.
- You can also use this as a safety check on a domain before using their plugin, tool, or other service.
- To enhance domain authority a little more and secure domain emails better, read my post on “How to Add DMARC Records“.

WordPress Security Plugins

Below is a list of some popular WordPress security plugins. Some have multipurpose functions that also include some security protection options. Also, read my post “My WP Plugin List” on an entire list of plugins, including a section of security WordPress plugins.

WordFence free version or WordFence Pro version: subscription only
WP Security Ninja free version or WP Security Ninja Pro version: subscription only
WP Force SSL free version or WP Force SSL Pro version: Subscription or lifetime
Advanced Google reCaptcha free version or WP Captcha Pro: subscription only
Admin & Site Enhancements Plugin free version & ASE Pro version
Free Plugin to Allow Someone (like support) to Login Temporary without Password
AIOS: All In One Security – Security and Firewall

WP Security using Local Software

One method of WP Security is to ensure all internal users have a preferred antivirus or antimalware software installed. It’s a good idea to have it for all devices they use such as mobile, tablet, and desktop. Here’s a good set of lists shown by Safety Detective. And, for over 15 years, antivirus protection apps have long covered many forms of security protection features far beyond just viruses.

Better WP Security

Technical audit as a part of a WordPress security check

WordPress Security Audit

Top 30 Network Security Audit Tools
Github Security Audits public repository
If you’re wanting to consolidate, instead of just a WordPress security audit, you can consider a general website audit or a Technical site audit, like via SiteChecker.Pro. Although it’s emphasis is SEO and on-page technical issues, that type often includes some security checks as well.
Finally, as an FYI, most consulting auditors will just use their white label version of purchased software that you also can have access to. Getting your own can save a lot money for a one time deep scan.

What are common security mistakes to avoid?

Common security mistakes to avoid include using weak passwords, not keeping software and systems updated, clicking on suspicious links or attachments, and not using encryption for sensitive data.

Why is using weak passwords a security mistake?

Using weak passwords makes it easier for hackers to gain unauthorized access to your accounts and sensitive information. It is important to use strong, unique passwords for each of your accounts to enhance security.

Internal users blindly clicking on links or opening attachments in communications & platforms

Clicking on suspicious links or attachments can lead to malware infections, phishing attacks, and other security breaches. It is important to be cautious and verify the legitimacy of links and attachments before clicking on them.

Not using encryption for sensitive data

Using encryption for sensitive data helps protect it from unauthorized access and ensures that it remains secure, even if it is intercepted or stolen. Encryption adds an extra layer of security to sensitive information.

Conclusion of WP Security Check

Now you’ve seen through a full list of options to perform a WP Security Check on your own, online, as well as resources to reach out for professional help. Also, you’ve seen dozens of links for both free and paid services, scans, and other checklists to implement your own WordPress Security Check. Let me know which things helped you in your search and share it with a comment. Also, don’t forget to share this post’s link socially.