Security Audit

How to Do a WordPress Security Audit?

Updated on: April 13, 2020

How to Do a WordPress Security Audit?

Article Summary

WordPress is one of the most widely used CMS around the world. However, over 70% of WordPress websites are vulnerable to attacks. Shockingly most people don’t know if they are vulnerable or not. Most web owners go years without ever checking their website’s security status. No wonder they are the first to get hacked. Knowing your vulnerabilities is the first step in patching them. This is where the WordPress security audit comes in.

WordPress is one of the most widely used CMS around the world. However, over 70% of WordPress websites are vulnerable to attacks. Shockingly most people don’t know if they are vulnerable or not. Most web owners go years without ever checking their website’s security status. No wonder they are the first to get hacked. Knowing your vulnerabilities is the first step in patching them. This is where the WordPress security audit comes in.

News of exploitation on WordPress websites has stopped surprising us, it’s so common. Commenting on WordPress security Matt Mullenweg, the developer of WordPress writes in his blog:

A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well — a little bit of work on an upgrade now saves a lot of work fixing something later.

More often than not, there is some missing update, security patch or a plugin vulnerability that culminate into a hack. In fact, according to WordPress hacking statistics, more than 64 % of users run outdated versions.

So have you checked your website for vulnerabilities yet? If not, use this vulnerability scanner to check now.

Continue reading this article to know what is a WordPress security audit and why your website needs it. Read till the end to find tools to conduct a WordPress security audit.

What is WordPress Security Audit?

A WordPress security audit is a careful assessment of your website and its assets (including plugins, themes, etc.). A viable audit uses both automated tools and human intelligence to make the precise judgment of your website’s current security structure. The prime aim of a security audit is to identify any underlying WordPress security issues.

A WordPress security audit is closely followed by the WordPress penetration test. Which intends to exploit the vulnerabilities found in the audit to get a real picture of the situation and risk. The penetration test also helps in segregating false positives from genuine threats.

Why you need a WordPress Security Audit?

There is not much rocket science as to why you need a WordPress security audit. The logic is simple if you have a website and it is vulnerable, anyone can hack it.

Hence, a WordPress security audit becomes necessary to find & patch those vulnerabilities while there is time. Otherwise, if the hackers find them before you then they can:

  • Delete all the data of your WordPress site or encrypt it and ask for a ransom.
  • Sell the data of your website or users on the dark web.
  • Inject spam into the pages of your WordPress site leading to a search engine blacklist.
  • Steal the credit card info of your WordPress site info leading to lawsuits and hefty fines against you.
  • Use your website to infect others and much worse things!

Is your website security up to date? Find out in 15 seconds.

How to carry out a WordPress Security Audit?

For a WordPress security audit, firstly you need the right toolset. Manually downloading and installing each tool may become cumbersome. So, the best option available to us is to use Kali Linux. It is a special type of operating system that comes bundled with a wide variety of security tools.

To use Kali Linux on your machine you have many options. For the convenience of beginners, we will follow the approach of using virtualization. This can be done by a software called Virtual Box on the windows OS. Here’s how you can setup Virtual Box on Kali Linux. Now that our setup is ready we will take a look at the tools and how to use them.

1. WPScan

When it comes to WordPress security audit perhaps there is no specialized tool than WPScan. This vulnerability scanner can scan your WordPress site and determine things like what plugins you use, WordPress version number, etc. Thereafter, it uses a vulnerability database to inform you if any of those plugins etc have a vulnerability in them. To use this tool open the terminal in your Kali Linux and type:

wpscan --url https://www.wordpress.org
WordPress security audit wpscan tool

2. PHPStan

PHPStan is a tool that can do a complete code analysis of your WordPress site and uncover any hidden bugs. It also comes in the form of a PHPStan extension specifically for WordPress. This tool may not come with the default Kali bundle so you will have to download it separately. Once some additional tweaks are done, to use this tool open up the terminal in Kali and type this command:

vendor/bin/phpstan analyze Dir1 Dir2

Replace Dir1 and Dir2 with the directories containing the WordPress code that you wish to scan for bugs.

3. Sqlmap

One of the most common vulnerabilities found on the websites is an SQL injection. Although there are fewer chances of WordPress core being vulnerable a great number of modules can be vulnerable to SQLi. Sqlmap is the right tool to check for this kind of vulnerability during the WordPress security audit. It can not only enumerate databases but can also help in obtaining reverse shells too! To use Sqlmap, open your terminal and type:

sqlmap -u "www.your-site.com/module?param=" --random-agent --dbs

Here, replace URL with the one you wish to test and param with the parameters you wish to test. The option –random-agent means the user agent will be chosen randomly. While the option –dbs means enumerate databases.

WordPress Security Audit SQLMAP

4. XSSer

Another most common vulnerability found in websites is the Cross-Site scripting. XSSer is just the right framework to find and exploit XSS bugs on your WordPress. Using this tool even the modules of WordPress can be checked. Moreover, this tool also allows you to bypass certain security filters. To use the graphical version of this tool, open the terminal in Kali and type:

xsser --gtk

Thereafter, it will open a graphical interface. Just set the necessary options and begin!

WordPress security audit XSSer

5. WPSpolit

WPSpoilt is a customization of the famous Metasploit framework specifically for WordPress. Therefore, it contains a collection of WordPress specific exploits. These are currently 15 in number. To use this tool, download the exploits and auxiliaries and then export them to the Metasploit directory. Thereafter, open the terminal in Kali and type:

msfconsole

This command will open the Metasploit framework. From here these exploits can be accessed and run to conduct a WordPress security audit.

Professional WordPress Penetration testing With Astra

The steps mentioned above touch the surface of WordPress security audit and pen-testing. A more detailed approach is beyond the scope of this article. So, beginners will find it easy to follow the procedures mentioned above. While this is good to get started with, it is not fool-proof. Thus, a more detailed approach is needed to secure your website.

This detailed audit can only be done by professionals like the ones at Astra. The security audit done by Astra can pinpoint the security loopholes which average users like you would have missed. Astra’s Vulnerability Assessment & Penetration Test covers vulnerabilities like:

  • Configuration and Deployment Misconfiguration.
  • WordPress Core, Plugins & Theme Specific Vulnerabilities.
  • Broken or Improper Authentication.
  • Identifying Technical & Business Logic Vulnerabilities.
  • 1250+ Active Security Tests.
Vulnerability Assessment & Penetration Testing by Astra
Vulnerability Assessment & Penetration Testing by Astra

And the best part is that all this comes at an affordable price.

Get the ultimate WordPress security checklist with 300+ test parameters

Was this post helpful?

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France).At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

16 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Karen
Karen
4 months ago

I used a wordpress-based website for quite a long time now. I’ve heard recently that wordpress pages get hacked. Can you tell us how we can avoid that happening?

Sai Krishna
Editor
4 months ago
Reply to  Karen

Thanks for responding to our article. WordPress, one of the largest and most used website making platforms in the world, has often been an eye candy for people with malicious intent. No matter the amount of work gone into securing this platform, hackers tend to come up with new ways to circumvent security measures. As its reputation grows, so does the notoriety surround the diverse forms of malpractices possible with it.
For more information visit here: https://www.getastra.com/blog/911/wordpress-hacked/

Arline R. Hill
Arline R. Hill
4 months ago

How long does full security auditing take if I opt for wordpress audit?

Sai Krishna
Editor
4 months ago
Reply to  Arline R. Hill

Thanks for responding to the article. The security audit is started within 24-hours of your signing-up on a working day. You start seeing vulnerabilities on your dashboard once the audit begins & a final report can be expected within 4-7 days. The turnaround time can be a function of how big the website is.

Williamson
Williamson
4 months ago

I would like to opt for a security audit for my WordPress site? Can you provide more details about audit and pricing?

Sai Krishna
Editor
4 months ago
Reply to  Williamson

Thanks for responding to the article. Sure, you can visit here to know more on our WordPress security audit: https://www.getastra.com/wordpress-vapt#securityAuditFrequencySelection

R. Starks
R. Starks
4 months ago

I noticed that many WordPress sites are getting hacked again and again because of backdoors. What are these and how can I defend from happening this to me?

Sai Krishna
Editor
4 months ago
Reply to  R. Starks

Thanks for responding to the article. Hackers are always at play trying to inject WordPress backdoor. There have been multiple plugins over the years used to spread infection. Therefore, the threat could be from anywhere. Later on, it can be a time and resource consuming process to remove WordPress backdoors. For more info, visit here: https://www.getastra.com/blog/911/wordpress-backdoor-hack/

Glen K. Juarez
Glen K. Juarez
4 months ago

what are the common files that have a high chance of getting hacked. I own a website running on WordPress.

Sai Krishna
Editor
4 months ago
Reply to  Glen K. Juarez

Thanks for responding to the article. You can go through this article to know more info on common files that get hacked and how to protect the: https://www.getastra.com/blog/911/wordpress-files-hacked-wp-config-php-hack/

Lowry
Lowry
4 months ago

I have noticed that my blog is getting redirected to strange websites. How can I solve this?

Sai Krishna
Editor
4 months ago
Reply to  Lowry

Thanks for responding to the article. WordPress redirect hacks have been a menace for such a long time now. It metamorphs itself into new redirect hacks every few weeks. For more info, visit here: https://www.getastra.com/blog/911/adaranth-wp-blog-redirection-hack/

Theresa C. Tate
Theresa C. Tate
4 months ago

I think my database has some infected files. In which tables I can possibly find them? I am using wordpress

Sai Krishna
Editor
4 months ago

Thanks for responding to the article. For any WordPress website, the database is the biggest asset. It stores all the crucial information of a website i.e. user info, site URLs, posts, pages, comments, custom fields, etc. An improperly secured WordPress database is like an open invitation to hackers. For more info, visit here: https://www.getastra.com/blog/911/how-to-secure-wordpress-database/

James H. Arthur
James H. Arthur
4 months ago

What features does the Astra firewall offers for wordpress security and can you provide more info on pricing and details?

Sai Krishna
Editor
4 months ago

Thanks for responding to the article. You can visit here for features and more information of Astra firewall: https://www.getastra.com/wordpress-firewall and for more details on wordpress vapt visit here: https://www.getastra.com/wordpress-vapt

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany