WordPress is undoubtedly the most widely used CMS in the world. As a result, it is also one of the most widely targeted CMS on the internet. Often in the news, there are reports of multiple WordPress sites hacked in a single malware campaign. Most of the time, many websites have a common vulnerability that goes unpatched. This leads to the compromise of multiple websites in one go. A WordPress security audit is an answer to all these problems. 

According to Ira Winkler, president of the Internet Security Advisors Group,

โ€œSecurity audits, vulnerability assessments, and penetration testing are the three main types of security diagnostics. Each of the three takes a different approach and may be best suited for a particular purpose.โ€

This article explains what is a WordPress security audit and why you need one. Also mentioned are the steps and tools to perform it.

What is a Security Audit?

A WordPress security audit is testing your website against a specific list of security measures. This assessment includes testing all the core WordPress files, plugins, and themes, etc. Various tools can be used to speed up the audit. The results can then be analyzed by the professionals to give your precise advice regarding your WordPress security measures.

The next step after the WordPress security audit is to go for a penetration test. This means that the issues found during the security audit are tested to see if they are exploitable. This helps in assessing the level of threat a particular vulnerability or misconfiguration poses. It goes a long way in securing your WordPress site against hackers.

Why do you need to audit your WordPress?

There is more than one reason for doing a WordPress security audit. The main one being to find security issues on your website before the hackers do. There are a lot of places that security issues may be hiding like plugins, themes, etc. In order to search for each one of them, a security audit is definitely needed.

Another reason being to avoid the hassle faced in case your WordPress site is hacked. It may be a tedious and costly process to remove malware from your website. Not to mention the downtime that your WordPress site will face leading to loss of revenue as well as the reputation of your site. So a stitch in time by doing a WordPress security audit can save you nine.

Depending on the sector that your WordPress site operates, there are certain regulatory guidelines that need to be followed. For example, GDPR for sites operating within the European Union. In such cases, there are certain security standards that each site needs to follow. Hence, a WordPress security audit becomes compulsory in these cases.

How to carry out a WordPress Security Audit? (Include Tools)

In order to start any work, you need the right set of tools. So, in order to conduct a WordPress security audit, the tools needed can be found bundled in one operating system called Kali Linux. There are multiple ways to use this OS on your system. One is you can dual boot your system. The other one is using it by means of Virtual Box. The latter option is easy for average users to follow. Now that everything is ready, letโ€™s proceed for our audit.


WPScan is a tool specifically designed to uncover vulnerabilities in WordPress. It maintains a database of vulnerabilities in WordPress. Thereafter, it scans the various components on your WordPress site like plugins, versions, etc and matches them against the database. In case a vulnerability is detected, it notifies you. To use this tool to WordPress security audit your site, fire up Kali. Then, open the terminal and run the following command:

wpscan --url http://www.example.com

Here replace example.com with the URL of your site and the scan will start.

WP Scan Example

While scanning, if any vulnerability is found, WPScan will notify you as shown in the image below. Update the vulnerable plugin. In case no update is available, use an alternative for the time being.

WordPress security audit using wpscan
WordPress security audit using wpscan


Sqlmap can help you uncover SQL injection bugs in your WordPress site. These are fairly common due to poor coding standards adopted by some plugin developers. An SQLi bug can lead to the compromise of the entire database of your WordPress site. To start finding some of them in your site, make a list of all the URLs you want to scan. Save them to file say target.txt. Then, fire up your Kali, open the terminal, and type the following command:

sqlmap -m "/root/home/target.txt" --random-agent --dbms="MySQL" --dbs --batch

Here, replace /root/home/target.txt with the location of your target file. The option –dbs will try to enumerate your WordPress database in case an SQLi bug is exploited. While the –batch option will automate the option selection.

WordPress Security Audit using SQLMAP
WordPress Security Audit using SQLMAP


Nikto is a tool designed to find common server misconfiguration and vulnerabilities. At times, the server you host your site may be vulnerable. So this tool cal help with WordPress security audit. To use this tool, open Kali Linux, open the terminal and run the following command: 

nikto -h www.example.com

Replace example.com with the URL of your WordPress site. Thereafter Nikto will start finding misconfigurations and vulnerabilities as shown in the image below.

WordPress security audit using Nikto
WordPress security audit using Nikto


XSS is also one of the common vulnerabilities found in WordPress plugins, themes, etc. XSSer is the perfect tool to find them during a WordPress security audit. For beginners, it would be best to use the GUI version of this tool. To do so, open the terminal in Kali and run the following command:

xsser --gtk

This will open a graphical interface like the one shown in the image below.

WordPress scan using XSSer
WordPress scan using XSSer

Simply enter the options and start finding XSS bugs on your WordPress site. If you need to know more about usage then, follow this documentation.


This tool can be used to audit your WordPress security and your static PHP code. It can detect various kinds of coding errors. You will have to install this tool separately in Kali. Alternatively, you can use a WordPress extension of PhpStan. To download and install it in Kali, follow this documentation. Make a local copy of your WordPress site to analyze the code. Then, open the terminal and run the following command:

vendor/bin/phpstan analyse WpFolder

Replace WpFolder with the folder in which the local copy of your WordPress site is present which you wish to scan.

Professional WordPress Penetration Testing

This article covers only the basics of WordPress security audit as it is not possible to include everything in one article. These basics ensure that your site is secure on a basic level. However, a more skilled hacker can easily find his/her own way through the security of your website.

So, in order to increase your security level, a WordPress security audit by professionals is a must. Even if you are a small blog, there is nothing to worry about budget constraints as Astra has got you covered with its affordable plans. It provides a comprehensive range of security tests for your WordPress site.

WordPress Security Issues Infographic

Categorized in: