Performing a Comprehensive Audit of Your WordPress Site

If you own a car, you know that it needs to be inspected every year. When you take it in, the mechanic does a thorough check to identify any potential issues and make sure that everything is working properly.

Likewise, you should inspect and audit your WordPress site at least annually! I manage many sites for clients, and run through the following items each year to keep their sites running as smoothly as possible.

Contact Form

The contact form is one of the most important parts of your website!

  • Test your contact form regularly to make sure messages are being delivered
  • If they aren’t, consider an email deliverability service like MailGun or SendGrid
  • If you’re getting a lot of spam, add a honeypot field or an anti-spam plugin such as Zero Spam
  • You can also try reCAPTCHA to limit spam, but prefer v3, since the v2 challenges are not very accessible
  • Direct your visitor to a thank you page after they submit the form, or make sure the message that’s displayed after the form submits is informative and working properly
  • Consider automatically emailing people who filled out the form

If you don’t have a contact form on your website, you may want to mask your email address to limit spam.

Backups

Your host may offer backups (check with them to see), but I also recommend keeping your own, off-site backups. It’s essential to have a recent backup of your WordPress site that you can access in case something goes wrong.

I use UpdraftPlus to back up all of my sites and store the backups on Dropbox. I keep 21 backups — daily for the last 14 days and 7 additional weekly backups prior to those.

When I audit a site, I verify the settings, check the backups, rescan both local and remote storage and clean up any old backups as needed.

Security Scans

I use Wordfence to scan my sites regularly.

During an audit, I verify that the site is connected to Wordfence Central (so that I can see all of my sites in one place), double-check the Wordfence settings and look at the scan results.

Abandoned Plugins

You may see abandoned plugins listed in the scan results.

Abandoned plugins aren’t always a problem, but I like to replace them with an updated plugin if possible. If a plugin has not been updated in a long time, it may cause issues with newer versions of PHP or conflict with other plugins.

Abandoned plugin in Wordfence.

Another way to tell if a plugin has been abandoned is to click View Details under each plugin on the plugins screen. If you’re using a service like MainWP, you can also check under Sites, Updates, Abandoned Plugins to see which plugins are abandoned.

Plugin not tested with current version of WordPress (hence abandoned).

Plugins with Vulnerabilities

You may get emails from Wordfence that a plugin has a vulnerability.

Email from Wordfence about plugins with vulnerabilities.

If you receive an email like this, be sure to update the plugin as soon as possible.

Best Practices

After managing WordPress sites for a number of years, these are the best practices I follow:

  • Update your plugins regularly (weekly, twice a month or monthly)
  • Only use necessary plugins on your site (keep the list as trim as you can)
  • Remove any plugins that are no longer needed
  • Keep only active plugins (remove inactive plugins)
  • Use reputable plugins that are well supported
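The "remove inactive plugins, update the rest" pass above is easy to make repeatable with WP-CLI. The script below is an added example, not code from the original post: it triages the CSV that `wp plugin list --format=csv --fields=name,status,update,version,update_version` prints and emits the commands an operator would then review and run. `SAMPLE_PLUGINS` is constructed data standing in for that output.

```shell
#!/bin/sh
# Added example (not from the original post). Triage WP-CLI plugin output:
# inactive plugins are still code on disk that gets scanned and can be
# exploited if left behind, so they go; active plugins with an update
# pending get updated. SAMPLE_PLUGINS is constructed demo data shaped like
#   wp plugin list --format=csv --fields=name,status,update,version,update_version
SAMPLE_PLUGINS='name,status,update,version,update_version
akismet,active,available,5.3,5.3.1
hello,inactive,none,1.7.2,
old-gallery,inactive,available,0.9,1.0
wordfence,active,none,7.11.0,
site-tweaks,must-use,none,1.0,'

# plugins_to_delete CSV -> names of inactive plugins, one per line.
plugins_to_delete() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# plugins_to_update CSV -> "name current -> new" for non-inactive plugins
# that have an update available (inactive ones are deleted, not updated).
plugins_to_update() {
  printf '%s\n' "$1" |
    awk -F, 'NR > 1 && $2 != "inactive" && $3 == "available" { print $1, $4, "->", $5 }'
}

# plugin_audit_plan CSV -> the WP-CLI commands to run, printed but not executed,
# so the list can be checked against the "is this plugin still needed?" question first.
plugin_audit_plan() {
  for p in $(plugins_to_delete "$1"); do
    echo "wp plugin delete $p"
  done
  plugins_to_update "$1" | while read -r name cur arrow new; do
    echo "wp plugin update $name   # $cur -> $new"
  done
}

plugin_audit_plan "$SAMPLE_PLUGINS"
```

Pipe the real output in with `plugin_audit_plan "$(wp plugin list --format=csv --fields=name,status,update,version,update_version)"` once you are happy with the plan it prints.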

Themes

I have not seen abandoned themes flagged in Wordfence, but it is still important to update your theme regularly. You may see up to three themes on your WordPress site: the active theme (often a child theme), the parent theme and a default WordPress theme (I like the most recent one; in this case Twenty Twenty-Four).

Theme list.

If you click on the parent theme, you can see what version you’re using and compare that to the most recent version wherever you purchased the theme.

Users

Audit your users at least yearly.

  • Remove anyone who is no longer with your organization
  • Give each user the lowest level of permission (not everyone needs to be an administrator)
  • Review the last login date; if a user hasn’t logged in for over a year, consider removing them
  • Consider setting up 2FA for administrator users in Wordfence; when admins log in, they’ll need to enter the code from an authentication app
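The user review above can be turned into a plan the same way. This script is an added example, not code from the original post: it reads the CSV that `wp user list --format=csv --fields=ID,user_login,roles` prints, compares it against two hand-maintained lists (who should stay administrator, who has left), and emits the WP-CLI commands to demote or remove accounts. `SAMPLE_USERS`, `KEEP_ADMINS` and `DEPARTED` are constructed data, and the parser assumes one role per account.

```shell
#!/bin/sh
# Added example (not from the original post). Turn the yearly user review into
# a repeatable plan from the CSV that
#   wp user list --format=csv --fields=ID,user_login,roles
# prints. SAMPLE_USERS, KEEP_ADMINS and DEPARTED are constructed demo data.
# Assumes one role per account (multi-role accounts show up quoted in the CSV).
SAMPLE_USERS='ID,user_login,roles
1,owner,administrator
2,agency,administrator
3,intern2021,administrator
4,writer,editor
5,contractor,author
6,helper,administrator'
KEEP_ADMINS="owner agency"       # the only accounts that should stay administrator
DEPARTED="intern2021 contractor" # people no longer with the organization

# in_list WORD "a b c" -> succeeds if WORD is one of the space-separated words.
in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# user_audit_plan CSV -> one WP-CLI command per line:
#   departed users are deleted with --reassign, so their posts move to the
#   first kept admin instead of being deleted along with the account;
#   administrators not on the keep list are dropped to editor, the lowest
#   role that still lets staff publish and manage content.
user_audit_plan() {
  reassign_to=$(printf '%s\n' "$1" |
    awk -F, -v k="${KEEP_ADMINS%% *}" 'NR > 1 && $2 == k { print $1 }')
  printf '%s\n' "$1" | awk -F, 'NR > 1 { print $1, $2, $3 }' |
  while read -r id login roles; do
    if in_list "$login" "$DEPARTED"; then
      echo "wp user delete $login --reassign=$reassign_to"
    elif [ "$roles" = "administrator" ] && ! in_list "$login" "$KEEP_ADMINS"; then
      echo "wp user set-role $login editor"
    fi
  done
}

user_audit_plan "$SAMPLE_USERS"
```

Forgetting `--reassign` is the classic mistake here: `wp user delete` without it removes the user’s posts too, so the plan always includes it.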

Site Health

You may want to check your site health (Tools, Site Health) to determine if there are any additional actions WordPress would like you to take.

On some hosts (like Flywheel), some notifications may be misleading, for example “Background updates are not working as expected.” Because Flywheel rolls out WordPress releases to you on their own schedule, the settings differ from a typical WordPress site. Learn more about Site Health with Flywheel.

The Info tab under Site Health will also show you additional information about your WordPress site. Check your PHP version under Server and compare that to the current, supported PHP versions. If your PHP version needs to be updated, check with your host.

Site Speed

The speed of your site matters: if it takes too long to load, visitors won’t stay. Here are a few best practices for site speed:

  • Use a quality website host
  • Try a caching plugin if needed
  • Upload smaller images and consider an image compression plugin like ShortPixel

Privacy Policy

If a website has a contact form, it needs a Privacy Policy.

Contact forms ask for a “name” and “email”, which are examples of “Personally Identifiable Information” (PII). A Privacy Policy is already required by law for websites that collect PII. Some states are proposing laws that will enable their citizens to sue businesses (of any size) located anywhere in the United States for not having the proper policies.

Websites that collect email addresses for email marketing or use Google Analytics also need a Privacy Policy.

Terms & Conditions

If a website offers links to third-party websites (e.g. Facebook, Twitter), it should have Terms & Conditions.

Terms & Conditions limit a company’s liability. If you link to a third-party website that gets hacked, you don’t want to be liable for the users who visited that site because you linked to it; adding Terms & Conditions helps with this.

Disclaimer

If a website offers affiliate links, it should have a Disclaimer.

A lot of affiliate programs will require you to have a disclaimer, and consumers want to know when you’re getting paid for links you put on your website.

Websites that display advertisements or give health, fitness or legal advice also need a Disclaimer.

Copyright

Many WordPress sites automatically update the copyright to the current year, but consider also showing the year your business first started. See my footer for an example.

Analytics

If you haven’t checked your analytics recently, now is a great time! Make sure you’re seeing website visits, and attend to any alerts from Google Analytics (or another analytics provider like Plausible).

One last thing to check is the last post date (if your site has a blog). Google and other search engines like updated content, so try to get into a regular rhythm of posting.

As I mentioned at the beginning, I do a comprehensive annual site audit for all of my clients as part of their monthly care plan. If you would like a site audit and are looking for help maintaining your WordPress website, get in touch.