WordPress Security Auditing Tools

WordPress keeps growing. Years ago, it used to be that 12% of the web was powered by WordPress, but now it is over 34% and growing. It is popular because it is very powerful and so easy that my mom could even get WordPress up and running with a YouTube video or two (you’re welcome, Mom!).

With the popularity of WordPress comes danger. There aren’t as many people trying to hack into unpopular Content Management Systems. It is like Microsoft Windows when they have 80% or more of the market share, hackers will target Microsoft Windows versus Linux or MacOS. WordPress is exactly the same. Why try to hack into obscure systems when most sites are running WordPress?

This doesn’t mean you shouldn’t use WordPress, but it does mean you need to be aware that there are people trying to hack into your site. Sometimes the hackers aren’t even trying to get data off of your site. They just want to be able to put a “You’ve Been Hacked” animation on the home page. They don’t care if it is just a web site dedicated to underwater basket weaving tips, if they hack it, they win.


Backups are the most important thing you can do to make sure your site stays safe. There are a slew of WordPress plugins that can do backups. My agency uses, along with automatic backups generated by the hosting company, ManageWP. One of the great things about ManageWP is that you can get monthly backups without paying a penny. Obviously, we do more than monthly for our clients that are on a maintenance plan, but that’s at least a start if you don’t have backups running currently.

WordPress Secure Hosting Basics

Before we get into security audits, let’s talk about some security basics. If these things are not followed, running audits will all be in vain. There is no point in trying to secure a site that has security holes that will not be fixed.

1) PHP

WordPress.org recommends that the site run on PHP 7.3. It is recommended because every version below 7.1 has, or is about to reach the “End of Life” and they will no longer get security updates. PHP is a maintained programming language but when the developers say it has reached the end, security becomes impossible to maintain. So if a hacker finds an exploit in an unpatched (or out of date) version, they will be able to hack it no matter what you do. Never run a version that is “dead” defined by the list of supported versions on PHP.net. If you notice that your site is running an old version, just ask your hosting company if you could be upgraded.

2) Forms

Sites are often hacked by a form submission. When data is submitted into WordPress, it should   validate and sanitize the data. There are some great form builders out there that keep the data clean and won’t allow a hacker to submit data like “drop table wp_users” into the SQL query. I always recommend Gravity Forms or Ninja Forms for form creation. If you don’t want to use those and you are building forms from scratch, make sure you sanitize the data.

3) WordPress and Plugin Updates

Keep your plugins and WordPress core up-to-date. Updates to these include not only new features but often, security updates.

Preventative Plugins

We could spend all day talking about preventative measures and we would still miss some cases where a specific plugin should be installed. I’m keeping this pretty generic. 

These two are only required, IMHO, if you aren’t using Managed WordPress hosting. Where we host, these two plugins have not been needed but when we had the site on a standard cPanel VPS, these were helpful. 

The first preventative plugin I recommend is called Meta Generator and Version Info Remover. It just stops WordPress from appending the version of WordPress on files that are served. So instead of the code looking like this:

It looks like this:

It stops hackers from automatically knowing which version of WordPress it is running.

The second one is called Disable XML-RPC Pingback and it helps prevent Brute Force attacks and Denial of Service attacks via Pingback by simple disabling that feature of WordPress. When XML-RPC is active a hacker could try unlimited username and password combinations until they are in. Note: if you are using a feature that uses XML-RPC, you can’t use this plugin.

Plugins for Managing Security

Now the whole point of the article: There are three security audit plugins that I recommend, and finally, here they are.


One of the best tools is ManageWP. There is the backup feature and two security features that ManageWP offers that I think make them shine:

  1. Backups

This tool gives you a free backup once a month. If you want to pay a little extra ($2 a month) you can get daily backups. If you currently don’t have backups running, why not get a free one?

  1. Vulnerability Updates

This tool not only allows you to see when an update is available but will let you know if it is a security update. Security updates are much more important than an update that has new features.

  1. Security Checks (based on Sucuri)

If you hook ManageWP to your site, the free version lets you scan whenever you want. It will detect malware and checks to see if the site has been added to a blacklist. (Sometimes when a site is hacked it will be marked as such, and one result could be that Chrome would not let a user access the site). The Premium version lets you set a time to scan, for example, every night or once a week.

Sucuri Scanner

Sucuri is security focused and does not have backups, SEO scans, plugin updates, etc., that ManageWP offers. Yet, because Sucuri and ManageWP are owned by the same company, ManageWP has Sucuri’s scans built-in. But, if you are already using something to manage backups and updates, Sucuri can handle the security side. Here is what you get out of the box:

  • Security Activity Auditing
  • File Integrity Monitoring
  • Remote Malware Scanning
  • Blacklist Monitoring
  • Firewall (premium version)

One of the greatest features is the “File Integrity Monitoring.” If one of WordPress’ files have been hacked, Sucuri will find the change and download a clean copy (WordFence has this feature too).


WordFence is more “stand-alone” than the other two mentioned. Meaning, there isn’t a seperate site you log into to run the scans. WordFence is self-contained and stays within your WordPress instance. With over 2,000,000 installs of WordFence, you know that the plugin is worth checking out. Here are some of the features that it offers:

  • File Integrity Checker
  • Firewall rule and malware signature updates
  • Real-time IP Blacklist blocks all requests from the most malicious IPs (premium feature)
  • Integrated malware scans
  • Limits login attempts

Wrap Up

I’ve seen websites using a total of nine security plugins and that is overkill. You should not need to have ManageWP, Sucuri, and WordFence installed on one site. There would be too much overlap. Pick one of the three that fits your budget and your needs. There are some other niche plugins out there that might be needed for some cases, but by running one of these scans on a regular basis, you will be preventing a lot of the issues that are out there.

Leave a Comment