WordPress Security Audit – What Should It Include?
What should a WordPress security audit include to be valuable? A checklist for both the client and the auditor. A good audit isn't "run a Sucuri scan"; it is a systematic verification of every layer.
Audit Scope
- Versions: WordPress, PHP, plugins, theme – are they current?
- Hardening: non-default DB table prefix, disabled theme/plugin file editor, strong passwords, 2FA
- Login: login attempt limit, changed login URL, IP blocking
- Malware scan: Sucuri, Wordfence, MalCare
- Backup: does it exist, where is it, does restore work?
- HTTPS, security headers, file permissions
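As an added example (not part of the original checklist), a small POSIX shell script that automates two of the scope items above on constructed sample input: the hardening settings in wp-config.php and the presence of security headers in a captured response. The file paths, the sample contents and the "PRIORITY item: detail" finding format are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original checklist: offline checks for the
# "Hardening" and "security headers" items above. Each check prints one
# "PRIORITY item: detail" line per finding, ready to drop into the report.

# Constructed sample wp-config.php fragment (not from a real site).
WP_CONFIG_SAMPLE="$(cat <<'EOF'
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
define( 'DISALLOW_FILE_EDIT', false );
EOF
)"

# Constructed sample response headers, as `curl -sI https://site/` would show.
HEADERS_SAMPLE="$(cat <<'EOF'
HTTP/2 200
server: nginx
x-frame-options: SAMEORIGIN
EOF
)"

# audit_wp_config FILE: hardening findings from a wp-config.php
audit_wp_config() {
  f="$1"
  grep -Eq "table_prefix *= *'wp_'" "$f" && echo "MEDIUM prefix: default table prefix 'wp_'"
  grep -Eq "DISALLOW_FILE_EDIT' *, *true" "$f" || echo "HIGH editor: DISALLOW_FILE_EDIT not set to true"
  grep -Eq "WP_DEBUG' *, *true" "$f" && echo "MEDIUM debug: WP_DEBUG enabled on a live site"
  return 0
}

# audit_headers FILE: security headers missing from a captured response
audit_headers() {
  f="$1"
  for h in strict-transport-security content-security-policy x-content-type-options x-frame-options; do
    grep -iq "^$h:" "$f" || echo "HIGH headers: missing $h"
  done
  return 0
}

# Write the constructed samples to temp files and run both checks.
tmp="${TMPDIR:-/tmp}/wpaudit.$$"
mkdir -p "$tmp"
printf '%s\n' "$WP_CONFIG_SAMPLE" > "$tmp/wp-config.php"
printf '%s\n' "$HEADERS_SAMPLE" > "$tmp/headers.txt"
audit_wp_config "$tmp/wp-config.php"
audit_headers "$tmp/headers.txt"
```

On a real site, point the functions at the live wp-config.php and at the output of `curl -sI` against the home page; the same finding lines feed the prioritised list in the report.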
Report Format
A list of findings with priorities (critical/high/medium/low), step-by-step recommendations, and a time estimate for implementation. No technical jargon in the part written for decision-makers – technical details go in an appendix.
Frequency
Full audit – every 12 months. Quick review (versions, scan) – quarterly. After major changes (migration, new plugins) – ad hoc.