WordPress Security Audit: How to Scan and Harden Your Site in 2026
A step-by-step WordPress security audit: how to scan for vulnerable plugins, exposed endpoints and misconfigurations, then harden your site against the most common WordPress attacks.
Why WordPress needs its own audit
WordPress powers a huge share of the web, which makes it the most-attacked platform on the internet. The core is reasonably secure; the risk lives in plugins, themes, weak configuration, and exposed endpoints. A WordPress-specific audit targets exactly those weak points. Here is how to run one.
1. Inventory and assess plugins and themes
Vulnerable plugins are the number-one cause of WordPress compromises. Audit steps:
- List every active and inactive plugin and theme — inactive code still ships vulnerabilities.
- Cross-reference each against public vulnerability databases.
- Remove anything unused, abandoned, or unmaintained.
- Confirm auto-updates or a patching routine for the rest.
2. Lock down exposed endpoints
WordPress exposes several endpoints attackers love:
- xmlrpc.php — abused for brute-force amplification and DDoS; disable it if unused.
- wp-login.php / wp-admin — rate-limit, add MFA, and consider IP restrictions.
- REST API user enumeration — restrict so attackers cannot list usernames.
- readme.html and version banners — remove the giveaways that reveal your exact version.
3. Audit the technical fundamentals
WordPress sites need the same baseline as any site:
- Enforced HTTPS + HSTS and proper security headers
- Email authentication so transactional mail cannot be spoofed
- No directory listing, no exposed wp-config backups, no publicly reachable database
- Aligned defences against the OWASP Top 10 and SQL injection
- No leaked admin credentials in breach data
4. Harden configuration
- Enforce strong passwords and phishing-resistant MFA for all admins
- Apply least-privilege roles — not everyone needs to be an Administrator
- Disable file editing in the dashboard
- Set correct file permissions and move or protect wp-config.php
- Keep regular, off-site, tested backups
5. Watch the surface over time
Every plugin update and new page changes your external attack surface. Forgotten staging copies (staging.yoursite.com) are a classic subdomain takeover and exposure risk. Re-audit after major changes, not just once.
The WordPress audit checklist
- All plugins/themes inventoried, patched, unused ones removed
- xmlrpc.php and REST user enumeration locked down
- wp-admin protected with rate limiting + MFA
- HTTPS/HSTS and security headers enforced
- SPF/DKIM/DMARC configured
- No exposed backups, configs, or database
- Version banners suppressed
- Least-privilege roles and strong auth
- Tested off-site backups
The fastest way to run it
Plugin-based security scanners run inside WordPress — useful, but they only see what the application sees, and a compromised site can hide from them. A passive external audit sees your site the way an attacker does, from the outside. Exarlo's $149 audit checks your WordPress site's public surface for the issues above and delivers a prioritised report in 48 hours. Pair it with the platform's own hardening guidance for defence in depth, and benchmark the cost against alternatives in our security audit pricing guide.
Find your vulnerabilities before attackers do.
Our automated $149 security audit maps your public attack surface and checks for misconfigurations, outdated components, and missing security headers.
Get Your Security Audit