# Your Small Business Probably Runs on WordPress. The 15-Minute Security Audit Most Owners Have Never Done.

43% of the internet runs WordPress. Most small-business WordPress sites haven't been audited since the day they were built. Here's the 15-minute self-audit, the seven checks that catch 90% of real risks, and the free tool that runs them for you.

Author: J.A. Watte
Published: May 14, 2026
Source: https://jwatte.com/blog/blog-wordpress-security-audit-smb/

---

About 43% of the public internet runs WordPress. That includes a disproportionate share of small-business websites, because the path of least resistance in 2015-2022 was "have your nephew/cousin/web-guy build it on WordPress." That percentage has held remarkably steady through the rise of Webflow, Wix, Squarespace, and a hundred newer site builders. WordPress is the dominant SMB website platform and is likely to stay that way for the rest of the decade.

It also has a security profile that most owners have never thought about.

Not because WordPress is insecure. The core is well-audited and maintained. The problems live in the layers around it: the plugins (60,000+ in the ecosystem, of varying quality and maintenance), the themes (often abandoned by their original developers), the hosting environment (frequently outdated), and the admin account hygiene (almost universally weak).

If you run a WordPress site, here are the seven checks that catch most real risks, the time it takes to run each, and the [WordPress Security Audit](/tools/wordpress-security-audit/) tool that runs them for you in 30 seconds.

## Why this matters more than most SMB owners think

Three real consequences of an unaudited WordPress site:

**1. Credit-card and customer-data leak.** If you run WooCommerce, sell anything, or take any form submission, the data flowing through your site is a target. A compromised WordPress site that's processing payments is a regulatory disaster the day it gets flagged.

**2. Search-engine deindex.** If your site gets infected with malware or starts serving spam pages, Google deindexes you. You lose your organic traffic overnight. For a service business that gets most of its leads from local search, that's a survival-level event.

**3. Customer trust damage.** Browsers show a "this site may be dangerous" interstitial when malicious code is detected. Most customers turn around and don't come back. The damage outlasts the actual breach.

The good news: most of these outcomes are preventable with checks that take less than an hour total. Here are the seven.

## Check 1. Are you running the current WordPress version?

WordPress releases security updates roughly every 8-12 weeks. Major versions every 4-6 months. If your site is more than two versions behind, you're running known vulnerabilities.

**How to check (manual).** Log in to wp-admin. Look at the top of the Dashboard page. The current version is listed; the latest is also shown if you're behind.

**How to check (automated).** The [WordPress Security Audit](/tools/wordpress-security-audit/) tool can detect your installed version from the public-facing site without logging in. So can any visitor with browser DevTools, which is partly why this matters.

**Fix.** Update from wp-admin → Updates. Back up first. Always back up first.

## Check 2. Are your plugins current and supported?

The single biggest source of WordPress security incidents is outdated plugins. The 2025 Sucuri/Wordfence/iThemes incident reports consistently put plugin vulnerabilities at 50-70% of all WordPress hacks.

**How to check (manual).** Log in to wp-admin → Plugins. Look for:

- Plugins with an available update (the orange badge)
- Plugins marked "incompatible with your version of WordPress"
- Plugins that haven't been updated by their developer in 2+ years (visible on the plugin page in the WordPress.org directory)

**How to check (automated).** The audit tool enumerates the visible plugins from your public site and flags the ones with known CVEs.

**Fix.** Update everything. For plugins that haven't been updated by their developer in 2+ years, replace them with a maintained alternative. The "free plugin from 2018 that does one thing well" is often the breach vector.

## Check 3. Is your admin password strong, and is your username "admin"?

Brute-force login attempts on `/wp-login.php` are constant. Every WordPress site on the internet gets hundreds to thousands of these per week. If your password is weak and your username is the default "admin," you're a couple of weeks of background brute-force away from compromise.

**How to check.** Look at your wp-admin user list. Is there a user named `admin`? That's the first guess every brute-forcer makes. Is your password something you can remember and type easily? That's a problem.

**Fix.** Create a new admin user with a non-obvious username. Set a 20+ character random password from a password manager. Delete or downgrade the old `admin` user.

Bonus: install a 2FA plugin (the WordPress.org-listed [Two Factor](https://wordpress.org/plugins/two-factor/) is fine) and require it on admin accounts.

## Check 4. Is wp-admin restricted to known IPs or behind a basic-auth wall?

Even strong passwords get phished. The next layer of defense is making wp-admin not reachable from the public internet at all.

**How to check.** Open `yoursite.com/wp-admin/` in a private/incognito window from a coffee shop or your phone. Does the login form load? If yes, your wp-admin is publicly reachable. (For most SMBs it is, by default.)

**Fix.** Either restrict /wp-admin/ to your office IP at the web-server level (nginx/Apache rule, or .htaccess for older hosts), or add an HTTP basic-auth wall in front of the login form so attackers have to clear two doors instead of one. Most managed WordPress hosts (Kinsta, WP Engine, Pressable) have this as a single-click option.

If you have multiple staff who edit the site from different locations, IP restriction is impractical; the basic-auth wall is the better choice.

## Check 5. Is HTTPS forced, with HSTS configured?

A site that's reachable over both http:// and https:// has a downgrade path that attackers can exploit. Modern WordPress sites should be HTTPS-only with the HSTS header set.

**How to check.** Visit `http://yoursite.com/` (with the http://, not https://). Does it redirect to https://? Open DevTools → Network tab → look at the response headers. Is `Strict-Transport-Security` present?

**How to check (automated).** The audit tool checks both for you in two seconds.

**Fix.** Force HTTPS redirect in your hosting control panel (every modern host has this option). Add HSTS via a small plugin (Really Simple SSL is the common one) or via your CDN/host's interface.

## Check 6. Is XML-RPC disabled or rate-limited?

XML-RPC is an old WordPress feature that lets external apps post to your site. It's also the second-most-attacked endpoint after wp-login.php, because it allows password attempts at higher rates and without rate-limiting on the default install.

**How to check.** Visit `yoursite.com/xmlrpc.php`. If you see "XML-RPC server accepts POST requests only," it's enabled. (Most WordPress sites have it enabled by default.)

**Fix.** Unless you use it (most modern WordPress users don't), disable it. Add the following to your `.htaccess` or have your host disable it server-side:

```apache
# Block every request to xmlrpc.php at the web-server level.
# This is the Apache 2.2-style syntax; Apache 2.4 still honours it
# through mod_access_compat, which most distribution builds enable.
<Files xmlrpc.php>
  order deny,allow
  deny from all
</Files>
```

Or use a security plugin (Wordfence, Sucuri, iThemes Security) that disables it for you.

## Check 7. Is your file editor disabled?

The wp-admin file editor (Appearance → Theme File Editor; Plugins → Plugin Editor) lets a logged-in admin edit PHP files directly through the browser. If an attacker gets admin access, this is how they install a backdoor in 90 seconds without ever touching SFTP.

**How to check.** Log in to wp-admin. Go to Appearance → Theme File Editor. If you see a code editor, it's enabled.

**Fix.** Add this to your `wp-config.php` file (above the line that says "That's all, stop editing"):

```php
define('DISALLOW_FILE_EDIT', true);
```

This removes the editor entirely. The cost: when you legitimately want to edit a file, you have to do it via SFTP or your hosting control panel. That's a tiny price for closing the most-used post-compromise expansion vector.

## What the tool does

The [WordPress Security Audit](/tools/wordpress-security-audit/) tool runs checks 1-2, 5, 6 automatically against any public URL. You don't need to log in. You don't need to install anything. Paste your URL, click Audit, it reports:

- Detected WordPress version + whether it's current
- Visible plugins + known CVE matches
- HTTPS + HSTS status
- XML-RPC status (disabled / enabled / hardened)
- Public exposure of wp-admin
- A few other heuristic signals (default theme, common attack endpoints exposed)
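As an added illustration (not the page's tool and not its code), here is how the public-facing signals behind checks 1, 2, 5 and 6 can be evaluated offline from captured responses, assuming the constructed sample homepage, headers and xmlrpc reply below and a placeholder value for the latest core release:

```python
import re

# Constructed sample responses (not captured from any real site): a homepage,
# its response headers, and the body a GET on /xmlrpc.php returns by default.
SAMPLE_HTML = """<!doctype html><html><head>
<meta name="generator" content="WordPress 6.4.1" />
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.9" />
<script src="/wp-content/plugins/woocommerce/assets/js/frontend.min.js?ver=8.6.0"></script>
<script src="/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.9"></script>
</head><body></body></html>"""
SAMPLE_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
SAMPLE_XMLRPC = (200, "XML-RPC server accepts POST requests only.")
LATEST_CORE = "6.5.2"  # assumption: stands in for the current release at audit time
ONE_YEAR = 31536000    # max-age (seconds) the HSTS preload list expects

def wp_version(html):
    """Check 1: WordPress advertises its version in the generator meta tag."""
    m = re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', html)
    return m.group(1) if m else None

def core_status(installed, latest=LATEST_CORE):
    if installed is None:
        return "unknown"
    as_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return "current" if as_tuple(installed) >= as_tuple(latest) else "outdated"

def visible_plugins(html):
    """Check 2: plugin slugs (and asset ?ver= hints) leak via wp-content/plugins/ URLs."""
    found = {}
    for slug in re.findall(r'/wp-content/plugins/([\w-]+)/', html):
        found.setdefault(slug, None)
    for slug, ver in re.findall(r'/wp-content/plugins/([\w-]+)/[^"\'\s]*\?ver=([\w.]+)', html):
        found[slug] = ver
    return found

def hsts_status(headers):
    """Check 5: header present, and max-age long enough to be meaningful."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if not value:
        return "missing"
    m = re.search(r"max-age=(\d+)", value)
    return "ok" if m and int(m.group(1)) >= ONE_YEAR else "weak"

def xmlrpc_status(status_code, body):
    """Check 6: the stock reply to a GET means the endpoint is live; 401/403/404 means blocked."""
    if "XML-RPC server accepts POST requests only" in body:
        return "enabled"
    return "disabled" if status_code in (401, 403, 404) else "unknown"

def audit(html, headers, xmlrpc_response):
    """Combine the four public-facing checks into one report, no login required."""
    version = wp_version(html)
    return {"core": core_status(version), "version": version,
            "plugins": visible_plugins(html), "hsts": hsts_status(headers),
            "xmlrpc": xmlrpc_status(*xmlrpc_response)}
```

Feed it the homepage body and headers from your own site and the GET reply from `/xmlrpc.php` to reproduce the tool's findings; the sample above reports an outdated core, two exposed plugin slugs with versions, a too-short HSTS max-age and a live XML-RPC endpoint.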

It emits an AI fix prompt at the bottom that you can paste into Claude (or any other LLM) to get a detailed remediation plan for whatever the audit caught. If you have a developer or web-guy, hand them the prompt; they'll move faster with it than without.

For checks 3 and 7, you'll need to log in to wp-admin yourself. The tool can't check those without your credentials, and I don't want it to have them.

## A reasonable SMB WordPress security setup

For a small business running a WordPress site with WooCommerce or contact forms, this is what I'd consider the baseline:

1. **Managed hosting** (Kinsta, WP Engine, Pressable, or similar). They handle WordPress core updates, server-level security headers, and backups. About $30-$60/month.
2. **Wordfence Free or iThemes Security Free.** Adds the application-level firewall, brute-force protection, and security hardening. Free tier is sufficient for most SMBs.
3. **All plugins current.** Set a monthly calendar reminder to check.
4. **Two-factor authentication on admin accounts.** The Two Factor plugin from wordpress.org.
5. **One non-admin author user for content publishing.** Never use the admin account for routine editing.
6. **Quarterly review** of the security audit against your site. 15 minutes a quarter is enough.

Total monthly cost: $30-$60. Total time investment: 15-30 minutes a quarter. The cost of not doing this: variable, but the typical SMB WordPress breach in 2024-2025 cost $5,000-$20,000 in cleanup plus the SEO recovery.

## Where this fits in the broader SMB security story

WordPress security is a piece of the broader "your small business runs on stuff that can break" story. The other pieces:

- **Email deliverability.** Covered in [email infrastructure for small business](/blog/blog-email-infrastructure-small-business/).
- **AI-vendor risk.** Covered in [the AI vendor markup audit](/blog/blog-spot-ai-vendor-markup/) and [the pre-agency self-audit](/blog/blog-pre-agency-ai-self-audit-part-1/).
- **Agent-cost runaways.** Covered in [the AI agent cost-controls post](/blog/blog-ai-agent-cost-controls-smb/).
- **Connector permissions.** Covered in [the connector permission cheat sheet](/blog/blog-connector-permissions-claude-smb/).

Each one of these is a place where an SMB can lose money or trust through inattention. None of them require a consultant. All of them require an hour of one person's time and a willingness to read.

## The audit tools

- **[WordPress Security Audit](/tools/wordpress-security-audit/).** The headline tool. Runs the 7 checks above plus a few more, emits an AI fix prompt. Free, no signup, browser-only.
- **[WordPress WooCommerce Audit](/tools/wordpress-woocommerce-audit/).** Specific to WooCommerce sites. Adds checks for payment-gateway configuration, customer-data exposure, and PCI-relevant settings.
- **[API Secret Leakage Audit](/tools/api-secret-leakage-audit/).** Scans your site's frontend for leaked API keys. WordPress plugins occasionally leak credentials into the page source; this catches it.
- **[Third-Party Script Cost](/tools/third-party-script-cost/).** Maps every third-party script your WordPress site loads. WordPress sites accumulate scripts over years (old analytics, abandoned chat widgets, dead pixel trackers). Many of those scripts are themselves security risks.
- **[Cookie Storage Drift Audit](/tools/cookie-storage-drift-audit/).** What's actually being set in your visitors' browsers. WordPress sites often set far more cookies than the owner realizes.
- **[Mega Security Analyzer](/tools/mega-security-analyzer/).** Combines several of the above into one pass. Run this monthly.

## What to do this week

1. Run the [WordPress Security Audit](/tools/wordpress-security-audit/) on your site right now. 30 seconds.
2. Address any critical findings (outdated WP core, known-vulnerable plugins, missing HTTPS) today.
3. Address any warnings (HSTS not set, XML-RPC exposed, default username) this week.
4. Set up a quarterly reminder to re-run the audit and act on any new findings.
5. If you discover you're on shared hosting (GoDaddy classic, Bluehost, HostGator) and you also process payments, move to managed WordPress hosting this month. The $30-$60/month difference is the cheapest insurance you can buy.

## The deeper version

The full SMB security stack (WordPress, email, payments, AI vendors, agent safety) is the spine of [The $100 Network](https://www.amazon.com/dp/B0FB1J28J9) (Digital Empire series, $9.99 on Kindle). Each chapter is one of the layers a small business can lose money through. WordPress is the foundational one because most SMBs already have a WordPress site whether they remember installing it or not.

## Related reading

- [Email infrastructure for small business](/blog/blog-email-infrastructure-small-business/), the deliverability layer.
- [AI fraud reflexes for SMBs in 2026](/blog/blog-ai-fraud-reflexes-smb-2026/), the social-engineering layer.
- [Connector permission cheat sheet](/blog/blog-connector-permissions-claude-smb/), the access-control discipline that applies equally to WordPress users.
- [Mega Security Analyzer](/blog/blog-tool-mega-seo-analyzer/), the omnibus audit that includes WordPress findings.
- [Cookie Storage Drift Audit](/tools/cookie-storage-drift-audit/), the privacy-side companion.

## Fact-check notes and sources

- WordPress's 43%-of-public-internet market share per [W3Techs' CMS usage statistics](https://w3techs.com/technologies/overview/content_management), updated weekly.
- Sucuri's annual hacked-website reports for the plugin-vulnerability share of WordPress incidents: [Sucuri Annual Hacked Website Report 2024](https://sucuri.net/reports/) (and prior years' reports follow the same pattern).
- Wordfence's [vulnerability database](https://www.wordfence.com/threat-intel/) tracks active CVEs in WordPress plugins.
- The XML-RPC attack surface is described in detail in [the WordPress.org Hardening WordPress documentation](https://developer.wordpress.org/advanced-administration/security/hardening/).
- `DISALLOW_FILE_EDIT` documented at [WordPress Codex / Disable the Plugin and Theme Editor](https://wordpress.org/documentation/article/edit-wp-config-php/#disable-the-plugin-and-theme-editor).
- WordPress core release cadence per [the WordPress release archive](https://wordpress.org/download/releases/).

*This post is informational, not security-engineering, legal, or PCI-compliance advice. If you process payments at meaningful volume, engage a qualified security professional for a real audit. The 7-check list is a baseline, not a comprehensive security program. Mentions of WordPress plugins, hosts, and security vendors are nominative fair use. No affiliation is implied.*

