Every website I take over from another developer gets a security audit before I make any changes. That is a professional standard, not a formality. It is also why the phrase "security audit" comes up so often in this series.
Business owners hear the term regularly and often have no clear picture of what it actually involves. Here is what it looks like in practice.
User Access Review
The audit starts with who has access to the site and at what level. Every admin account is examined. User privilege levels are verified against each person’s actual needs. Inactive accounts are flagged. Old vendor or contractor access that was never removed is identified.
Forgotten user accounts are one of the most common entry points for attackers. An account created for a freelancer two years ago with administrator privileges is a credential that bots will eventually try, and if its password has appeared in any breach database, the attempt will succeed. The review therefore asks of every account not just who it belongs to, but whether it is still used, still needed, and still held by someone who is actually present.
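As an added example (not part of the original post), here is a small Python script that applies those checks to a user list. The role names, the 90-day inactivity threshold, and the sample accounts are all assumptions made for the example; the "needed role" column is the one piece that cannot be automated, because it comes from asking the owner what each person actually does.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Roles in ascending order of privilege. The names follow the usual CMS convention
# but are an assumption of this example, not something the audit text specifies.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2, "editor": 3, "administrator": 4}


@dataclass
class Account:
    username: str
    role: str                       # role actually assigned on the site
    needed_role: str                # role the person's job requires (from asking the owner)
    last_login: Optional[date]      # None means the account has never logged in
    contractor_end: Optional[date] = None  # end of a vendor/freelancer engagement, if any


def review_accounts(accounts: List[Account], today: date, inactive_days: int = 90) -> List[Tuple[str, str]]:
    """Apply the access-review checks and return (username, finding) pairs.

    Every administrator is listed for confirmation; accounts that never logged in
    or have been idle longer than `inactive_days` are flagged; contractor accounts
    past their end date are flagged; any account holding more privilege than its
    job needs is flagged.
    """
    findings = []
    for acct in accounts:
        if acct.role == "administrator":
            findings.append((acct.username, "administrator account: confirm this person still needs it"))
        if acct.last_login is None:
            findings.append((acct.username, "never logged in: remove or disable"))
        else:
            idle = (today - acct.last_login).days
            if idle > inactive_days:
                findings.append((acct.username, f"inactive for {idle} days: disable"))
        if acct.contractor_end is not None and acct.contractor_end < today:
            findings.append((acct.username, f"engagement ended {acct.contractor_end}: remove access"))
        if ROLE_RANK[acct.role] > ROLE_RANK[acct.needed_role]:
            findings.append((acct.username, f"over-privileged: has {acct.role}, job needs {acct.needed_role}"))
    return findings


# Constructed sample user list for the example; not real accounts from any site.
TODAY = date(2025, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("owner", "administrator", "administrator", date(2025, 5, 30)),
    Account("marketing", "editor", "editor", date(2025, 5, 28)),
    Account("freelancer_2023", "administrator", "editor", date(2023, 4, 2), contractor_end=date(2023, 6, 30)),
    Account("seo_vendor", "editor", "author", None),
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:16} {finding}")
```

In practice the list comes from the CMS's user export or admin command line. The freelancer account in the sample trips four separate checks at once, which is exactly the profile of the forgotten account described above.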
Plugin and Software Inventory
Every plugin and theme installed on the site is reviewed: current version, last update date, and whether the developer is still maintaining it. Plugins abandoned by their developers are flagged for removal, regardless of whether they are active.
An abandoned plugin is not just outdated. Any vulnerability found in it, now or later, will never be patched. Leaving it in place, even deactivated, does not eliminate the risk: its files remain on the server, and on most CMS platforms they can still be requested directly by URL, so a flaw that does not depend on the plugin being active is still reachable.
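As an added example (not code from the original post), here is a Python script that builds that inventory for a WordPress-style plugins directory, which is what the plugin-and-theme vocabulary above suggests. It reads each plugin's header comment the way WordPress does, then compares what is installed against a catalog of latest versions and last-release dates. The catalog, the two-year "abandoned" threshold, and the three sample plugins are constructed for the example; a real audit fills the catalog from the plugin directory or the vendor's changelog.

```python
import re
import tempfile
from datetime import date
from pathlib import Path
from typing import Dict, List, Set, Tuple

HEADER_FIELDS = ("Plugin Name", "Version")
ABANDONED_AFTER_DAYS = 2 * 365   # audit threshold: no release in two years


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Read the header comment from a plugin's main PHP file.

    WordPress reads the first 8 KB of the file and matches lines such as
    'Version: 1.2.3' or ' * Plugin Name: Foo', so the same pattern is used here.
    """
    head = php_source[:8192]
    data = {}
    for field in HEADER_FIELDS:
        match = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
        data[field] = match.group(1).strip().rstrip("*/").strip() if match else ""
    return data


def find_plugins(plugins_dir: Path) -> Dict[str, Dict[str, str]]:
    """Map each plugin folder to its parsed header (first top-level .php file with a Plugin Name)."""
    found = {}
    for folder in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php in sorted(folder.glob("*.php")):
            header = parse_plugin_header(php.read_text(errors="replace"))
            if header["Plugin Name"]:
                found[folder.name] = header
                break
    return found


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(n) for n in re.findall(r"\d+", version))


def review_plugins(installed, catalog, active: Set[str], today: date) -> List[Tuple[str, str]]:
    """Flag unknown, abandoned and outdated plugins. Active or inactive makes no difference."""
    findings = []
    for slug, header in installed.items():
        state = "active" if slug in active else "inactive"
        info = catalog.get(slug)
        if info is None:
            findings.append((slug, f"{state}; not in any known catalog: origin and maintenance unknown, remove or justify"))
            continue
        since_release = (today - info["last_updated"]).days
        if since_release > ABANDONED_AFTER_DAYS:
            findings.append((slug, f"{state}; last release {since_release} days ago: treat as abandoned, remove"))
        if version_tuple(header["Version"]) < version_tuple(info["latest"]):
            findings.append((slug, f"{state}; {header['Version']} installed, {info['latest']} available: update"))
    return findings


# Constructed catalog standing in for the latest-version and last-release data a real
# audit pulls from the plugin directory or vendor changelog. These are not real plugins.
CATALOG = {
    "seo-helper": {"latest": "2.3.1", "last_updated": date(2025, 5, 1)},
    "old-gallery": {"latest": "1.4", "last_updated": date(2021, 3, 15)},
}
ACTIVE = {"seo-helper"}


def build_sample_plugins(root: Path) -> None:
    """Write a constructed plugins directory with three plugins in two header styles."""
    files = {
        "seo-helper/seo-helper.php": "<?php\n/*\nPlugin Name: SEO Helper\nVersion: 2.1.0\n*/\n",
        "seo-helper/readme.txt": "not a plugin file\n",
        "old-gallery/old-gallery.php": "<?php\n/**\n * Plugin Name: Old Gallery\n * Version: 1.4\n */\n",
        "mystery-widget/widget.php": "<?php\n/*\nPlugin Name: Mystery Widget\nVersion: 0.9\n*/\n",
    }
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def demo(today: date = date(2025, 6, 1)) -> dict:
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        build_sample_plugins(root)
        installed = find_plugins(root)
        return {"installed": installed, "findings": review_plugins(installed, CATALOG, ACTIVE, today)}


if __name__ == "__main__":
    for slug, finding in demo()["findings"]:
        print(f"{slug:16} {finding}")
```

Note that the inactive gallery plugin is flagged exactly as an active one would be, and the plugin that appears in no catalog is flagged precisely because nothing is known about it.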
Login Path and Authentication
Default login paths are noted and assessed. On platforms that allow it, those paths are changed; that cuts down automated noise but is not a control on its own, because the new path can be rediscovered. Brute-force exposure is evaluated: whether repeated failed logins are rate limited or locked out, and whether any alternate authentication endpoints the platform exposes are covered by the same limits. Two-factor authentication status is confirmed for every admin account.
This section does not require explaining the technical implementation to the client. It requires confirming that the most predictable entry points have been addressed.
File Integrity
Core files are reviewed for unauthorized changes. The modification timestamps on key files are checked against known update histories, with the caveat that a timestamp is only a hint: an attacker with write access can reset it, so the reliable check is a hash comparison against a known-good baseline or a clean copy of the same CMS version. Any scripts or files that do not belong in the installation are identified, including files in writable locations such as upload directories.
This is where an attack like the index.php injection described in Post 1 of this series would have been caught at the time of the change, rather than after the damage was done, had file integrity monitoring been running as part of an ongoing relationship.
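As an added example (not the author's tooling), here is the core of a file integrity check in Python: build a baseline of file hashes and timestamps, then compare the live tree against it and report what changed, what appeared, and what disappeared. It also shows why timestamps alone are not enough: the constructed scenario has the attacker restore index.php's original modification time after editing it, and the hash still catches the change. The site tree and the injected content are constructed for the example; the baseline itself should be stored off the web server, since a baseline the attacker can edit proves nothing. Run on a schedule, this same comparison is what the file change alerts described under Monitoring and Alerts are built on.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Hash and mtime of every regular file under root, keyed by relative POSIX path."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {"sha256": sha256_file(path), "mtime": int(path.stat().st_mtime)}
    return baseline


def check_integrity(root: Path, baseline: Dict[str, dict]) -> Dict[str, List[str]]:
    """Compare the live tree with a stored baseline.

    'modified' is decided by content hash, not by timestamp: an attacker who can
    write a file can also reset its mtime, so a file whose hash changed while its
    mtime stayed put is reported under both 'modified' and 'backdated'.
    """
    current = build_baseline(root)
    modified = sorted(p for p in current if p in baseline and current[p]["sha256"] != baseline[p]["sha256"])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    backdated = sorted(p for p in modified if current[p]["mtime"] <= baseline[p]["mtime"])
    return {"modified": modified, "added": added, "removed": removed, "backdated": backdated}


def save_baseline(baseline: Dict[str, dict], path: Path) -> None:
    # Keep this file off the web server; a baseline the attacker can edit proves nothing.
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, dict]:
    return json.loads(path.read_text())


def simulate_injection(root: Path) -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny site tree, then mimic an attacker who prepends
    a line to index.php, restores its timestamp, and drops a PHP file into the uploads folder."""
    (root / "wp-includes").mkdir(parents=True)
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_text("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
    (root / "wp-config.php").write_text("<?php\n// constructed config\n")
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '6.5';\n")
    baseline = build_baseline(root)

    target = root / "index.php"
    before = target.stat()
    target.write_text("<?php /* injected line */\n" + target.read_text())
    os.utime(target, (before.st_atime, before.st_mtime))   # hide the edit behind the old mtime
    (root / "wp-content" / "uploads" / ".cache.php").write_text("<?php /* dropped file */\n")
    return check_integrity(root, baseline)


def demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as scratch:
        return simulate_injection(Path(scratch))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10} {paths}")
```

Where the CMS publishes its releases, the same comparison can be run against the vendor's clean copy of the installed version instead of a local baseline, which also catches changes made before any baseline existed.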
Backup Verification
Many businesses believe they have backups. The audit verifies whether those backups are recent, complete, and actually restorable. A backup that has never been tested is a hopeful assumption, not a recovery plan.
During the audit, backup frequency is confirmed, storage location is verified (off-site storage separate from the hosting account matters, because a compromised or suspended hosting account takes its local backups with it), and a test restore is recommended if one has not been performed recently.
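As an added example (not the author's procedure), here is what those three questions look like as a script: is the backup recent, does it contain what a restore would need, and does it actually extract intact? The archive layout (a database dump, the config file, and the uploads folder in one tar.gz), the seven-day age limit, and the sample backups are assumptions made for the example. The restore step also refuses archives whose member paths point outside the restore directory, which a backup produced by the site's own tooling should never contain.

```python
import os
import tarfile
import tempfile
import time
from pathlib import Path
from typing import List

# Assumed backup layout: a database dump plus the site files the audit cares about most.
REQUIRED = ("database.sql", "wp-config.php", "wp-content/uploads/")
MAX_AGE_DAYS = 7


def safe_member(name: str) -> bool:
    """Reject archive paths that would escape the restore directory (absolute or containing '..')."""
    return not (name.startswith("/") or ".." in Path(name).parts)


def verify_backup(archive: Path, now: float = None, required=REQUIRED, max_age_days: int = MAX_AGE_DAYS) -> List[str]:
    """Check that a backup is recent, complete and actually restorable. Returns the problems found."""
    now = time.time() if now is None else now
    problems = []
    try:
        age_days = (now - archive.stat().st_mtime) / 86400
        if age_days > max_age_days:
            problems.append(f"backup is {age_days:.0f} days old (limit {max_age_days})")
        with tarfile.open(archive, "r:gz") as tar:
            members = tar.getmembers()
            names = {m.name for m in members}
            for req in required:
                present = any(n.startswith(req) for n in names) if req.endswith("/") else req in names
                if not present:
                    problems.append(f"missing from archive: {req}")
            unsafe = sorted(n for n in names if not safe_member(n))
            if unsafe:
                problems.append(f"unsafe paths in archive, restore refused: {unsafe}")
                return problems
            with tempfile.TemporaryDirectory() as scratch:      # the test restore
                tar.extractall(scratch)
                for m in members:
                    if m.isfile():
                        restored = Path(scratch, m.name)
                        if not restored.is_file() or restored.stat().st_size != m.size:
                            problems.append(f"did not restore intact: {m.name}")
    except (tarfile.TarError, OSError) as exc:
        problems.append(f"archive unreadable: {exc}")
    return problems


def make_sample_backup(workdir: Path, include_db: bool = True) -> Path:
    """Constructed sample: a small site tree and dump, packed the way a backup job would pack them."""
    site = workdir / "site"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php /* constructed */\n")
    (site / "wp-content" / "uploads" / "hero.jpg").write_bytes(os.urandom(2048))
    if include_db:
        (site / "database.sql").write_text("-- constructed dump\nCREATE TABLE wp_options (option_id int);\n")
    archive = workdir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(site.rglob("*")):
            tar.add(path, arcname=path.relative_to(site).as_posix(), recursive=False)
    return archive


def demo() -> dict:
    """Run the verifier against a good backup, one missing the database, and a stale one."""
    with tempfile.TemporaryDirectory() as scratch:
        good = make_sample_backup(Path(scratch) / "good")
        incomplete = make_sample_backup(Path(scratch) / "incomplete", include_db=False)
        stale = make_sample_backup(Path(scratch) / "stale")
        month_ago = time.time() - 30 * 86400
        os.utime(stale, (month_ago, month_ago))
        return {
            "good": verify_backup(good),
            "incomplete": verify_backup(incomplete),
            "stale": verify_backup(stale),
        }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label:12} {problems or 'OK'}")
```

The "incomplete" backup is the common real-world case: a file-only backup that looks healthy until someone needs the database. The "stale" one is the backup job that silently stopped running.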
Hosting and Infrastructure
The audit extends beyond the CMS itself to the hosting configuration, SSL enforcement, DNS records, and domain registrar access. Security is not contained within the website. The domain, the DNS, and the hosting account are all part of the attack surface.
A site with excellent CMS security but a domain registered to an old email account that no one monitors is still vulnerable: a registrar password reset lands in an inbox nobody reads, or one that someone else now controls, and whoever holds the domain can redirect the site and its email without ever touching the server. The infrastructure around the site is part of the picture.
Monitoring and Alerts
The audit confirms whether uptime monitoring is in place, whether file change alerts are configured, and whether any security scanning is running. Many sites have none of this.
Monitoring does not prevent attacks. It determines how quickly a problem is detected. The difference between a compromise that lasts hours and one that runs for months is often the presence or absence of monitoring.
What the Audit Is For
A security audit is not about finding fault with previous work. It is about understanding what a site is actually running before making changes to it. That understanding determines what needs attention immediately, what can be addressed over time, and what the ongoing maintenance should include.
Most sites that have never had a security audit have at least one significant issue waiting to be found. The audit is how you find it before a bot does.
Need a plan? Book a one-hour strategy session and walk away with a clear direction for your website, security, or digital strategy. All sessions are recorded with full transcription. $250 — Book a Strategy Call
Want to get to know me first? Book a free 15-minute intro call. No pitch, just a conversation. Book a 15-Minute Call
Cybersecurity Series
- The Hack I Couldn’t Fix Between Matches
- The Same Tools Powering AI Are Being Used to Attack Your Website
- 7 Signs Your Website May Already Be Compromised
- Why Small Business Websites Get Hacked (And Why It’s Usually Not Personal)
- What It Actually Costs to Clean a Hacked Website
- How Bots Actually Find Your Website
- Taking Over a Website Means Taking Over Its History
- What Website Monitoring Actually Means
- What a Real Website Security Audit Actually Includes (And Why Most Sites Never Get One)