WordPress layer
WordPress is the world's most popular CMS, which also makes it the most targeted. An audit starts with the core version: it must be the latest stable release. Then verify that all plugins and themes are up to date and that unused ones are fully removed, not just deactivated. A deactivated plugin is still a risk because its files remain on the server and may contain vulnerable code that is reachable directly.
The next step is user accounts. Admin rights only for those who need them. No user named "admin", since that is the first username attackers try. Verify strong passwords, two-factor authentication enabled, and the wp-admin folder protected by IP whitelisting.
Server layer
The server-level audit begins with OS updates: apt update and apt upgrade bring all packages current. Then check running services: netstat -tlnp shows open listening ports and the processes behind them. Only necessary services should run; the rest should be stopped or removed.
SSH configuration needs special attention: password login disabled, root login forbidden, the default port 22 changed, key authentication enabled. PHP configuration: display_errors off, expose_php = Off, and dangerous functions (exec, shell_exec, system) listed in disable_functions.
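The following script is an added example, not part of the original article: it checks an sshd_config and a php.ini against the settings just listed and counts the deviations. With no arguments it writes constructed sample files (the values in them are invented for the demonstration) so it runs offline; pass two real paths to audit a host.

```shell
#!/bin/sh
# Added example, not from the original article: audit sshd_config and php.ini
# against the expected settings. Usage with real files (paths are examples):
#   sh audit_configs.sh /etc/ssh/sshd_config /etc/php/8.2/fpm/php.ini
set -u

# get_value FILE KEY: print the value of the last uncommented KEY line,
# lower-cased; both "Key value" (sshd) and "key = value" (php.ini) forms work.
get_value() {
    grep -iE "^[[:space:]]*$2[[:space:]=]" "$1" | tail -n 1 \
        | sed -E 's/^[[:space:]]*[^=[:space:]]+[[:space:]=]+//; s/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]'
}

# check_setting FILE KEY EXPECTED: print OK/FAIL, return 1 on mismatch.
check_setting() {
    have=$(get_value "$1" "$2")
    want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    if [ "$have" = "$want" ]; then
        printf 'OK    %s: %s = %s\n' "$1" "$2" "$have"
    else
        printf 'FAIL  %s: %s = "%s" (expected %s)\n' "$1" "$2" "$have" "$3"
        return 1
    fi
}

# check_disabled PHPINI FUNC...: every FUNC must appear in disable_functions.
check_disabled() {
    ini=$1; shift
    list=",$(get_value "$ini" disable_functions | tr -d ' '),"
    rc=0
    for fn in "$@"; do
        case "$list" in
            *",$fn,"*) printf 'OK    %s: %s disabled\n' "$ini" "$fn" ;;
            *) printf 'FAIL  %s: %s not in disable_functions\n' "$ini" "$fn"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_configs SSHD_CONFIG PHP_INI: run every check; return the failure count.
audit_configs() {
    fails=0
    check_setting "$1" PasswordAuthentication no || fails=$((fails + 1))
    check_setting "$1" PermitRootLogin no        || fails=$((fails + 1))
    check_setting "$1" PubkeyAuthentication yes  || fails=$((fails + 1))
    # An absent Port line means the default (22), so treat it as a failure too.
    if [ "$(get_value "$1" Port)" = "22" ] || [ -z "$(get_value "$1" Port)" ]; then
        printf 'FAIL  %s: Port is still 22 (default)\n' "$1"; fails=$((fails + 1))
    fi
    check_setting "$2" display_errors Off || fails=$((fails + 1))
    check_setting "$2" expose_php Off     || fails=$((fails + 1))
    check_disabled "$2" exec shell_exec system || fails=$((fails + 1))
    return $fails
}

# make_samples: write constructed sample configs (not taken from any real
# server) into a temp dir and print its path. Two checks fail on purpose.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '# constructed sshd_config sample' \
        'Port 2222' 'PermitRootLogin no' \
        'PasswordAuthentication yes' 'PubkeyAuthentication yes' > "$dir/sshd_config"
    printf '%s\n' '; constructed php.ini sample' \
        'display_errors = Off' 'expose_php = Off' \
        'disable_functions = exec,passthru,shell_exec' > "$dir/php.ini"
    printf '%s\n' "$dir"
}

if [ "$#" -eq 2 ]; then
    audit_configs "$1" "$2" || printf 'failures: %d\n' "$?"
else
    d=$(make_samples)
    audit_configs "$d/sshd_config" "$d/php.ini" || printf 'failures: %d\n' "$?"
    rm -rf "$d"
fi
```

Only the last uncommented occurrence of a key is honoured, which matches how sshd and PHP resolve duplicate directives; the constructed sample deliberately leaves password login enabled and omits system from disable_functions, so the script reports two failures.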
SSL and encryption
SSL certificate status is checked via SSL Labs (ssllabs.com/ssltest); the minimum acceptable rating is A. TLS 1.0 and 1.1 disabled, TLS 1.2 and 1.3 enabled. Weak ciphers (RC4, DES, 3DES) removed, the HSTS header configured, and the certificate chain complete.
Also verify: database connections use SSL, passwords are hashed with bcrypt or Argon2, and API keys are stored in environment variables, not in code.
Backups and recovery
Having backups isn't enough; test that they work. During the audit, take the latest backup and run a test restore in an isolated environment. Check backup age, frequency, and storage security (password-protected, encrypted, offsite copies). The 3-2-1 rule: 3 copies, 2 different media, 1 offsite.
User permissions
File system permissions matter for security: web files 644, folders 755, config files 600. Files should be owned by the correct user (usually www-data or nginx). The web server user shouldn't have shell access, and the database user has only the rights it needs (not GRANT ALL).
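The script below is an added example, not from the original article: it walks a web root and reports every file or directory whose mode differs from the values above (644 for files, 755 for directories, 600 for wp-config.php) or whose owner is not the expected web user. With no arguments it builds a constructed sample tree with three deliberate deviations; the owner defaults to the current user (an assumption so the sample runs anywhere), so pass www-data or nginx as the second argument on a real host.

```shell
#!/bin/sh
# Added example, not from the original article: audit file modes and ownership
# under a web root. Usage on a real host (paths and user are examples):
#   sh audit_perms.sh /var/www/html www-data
set -u

# mode_of PATH: print the octal permission bits (e.g. 644), GNU or BSD stat.
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# expected_mode PATH: 600 for wp-config.php, 755 for directories, 644 otherwise.
expected_mode() {
    case "$1" in
        */wp-config.php) echo 600 ;;
        *) if [ -d "$1" ]; then echo 755; else echo 644; fi ;;
    esac
}

# audit_perms ROOT [OWNER]: print one FAIL line per deviation (none = clean).
audit_perms() {
    root=$1; owner=${2:-$(id -un)}
    find "$root" \( -type d -o -type f \) | while IFS= read -r p; do
        want=$(expected_mode "$p"); have=$(mode_of "$p")
        [ "$have" = "$want" ] || printf 'FAIL mode  %s is %s, expected %s\n' "$p" "$have" "$want"
        who=$(ls -ld "$p" | awk '{print $3}')
        [ "$who" = "$owner" ] || printf 'FAIL owner %s is %s, expected %s\n' "$p" "$who" "$owner"
    done
}

# count_findings ROOT [OWNER]: number of deviations reported by audit_perms.
count_findings() {
    audit_perms "$@" | wc -l | tr -d ' '
}

# make_sample_tree: constructed web root (not a real site) with three
# deliberate problems: wp-config.php readable by the group/world, a
# world-writable uploads directory and a world-writable upload inside it.
make_sample_tree() {
    sample=$(mktemp -d)
    mkdir -p "$sample/wp-content/uploads"
    : > "$sample/index.php";                 chmod 644 "$sample/index.php"
    : > "$sample/wp-config.php";             chmod 644 "$sample/wp-config.php"
    : > "$sample/wp-content/uploads/image.jpg"
    chmod 777 "$sample/wp-content/uploads/image.jpg" "$sample/wp-content/uploads"
    chmod 755 "$sample" "$sample/wp-content"
    printf '%s\n' "$sample"
}

if [ "$#" -ge 1 ]; then
    audit_perms "$@"
else
    sample=$(make_sample_tree)
    audit_perms "$sample"
    printf 'findings: %s\n' "$(count_findings "$sample")"
    rm -rf "$sample"
fi
```

Run it as the deployment user rather than from inside the web server's own account, and treat any world-writable entry in wp-content/uploads as a priority finding: that directory is the one an attacker with a file-upload foothold relies on being writable and executable.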
Sayt.uz Practice
Sayt.uz hosting clients receive a free annual security audit. The report covers all found vulnerabilities, severity levels, and specific remediation recommendations. For commercial audits, order through the client panel or contact our technical support.