WPScan gives you an external perspective that internal audits cannot replicate. It identifies exposed version numbers, known vulnerable plugins, and potential attack vectors from the attacker's vantage point. Run it against your own site monthly:
wpscan --url https://yoursite.com \
--enumerate vp \
--enumerate ap \
--enumerate p \
--format=json \
--output=vulnerability-report.json
Review the JSON output and prioritize fixes by CVE severity. The WPScan database covers more than 60,000 known WordPress vulnerabilities. If your site runs a plugin flagged by WPScan, update or remove it immediately.

The Attack Surface Mapping Framework
Most WordPress security guides treat each misconfiguration as an isolated problem. Professional security teams think differently. They map the attack surface holistically. Every exposed endpoint, every outdated plugin, every default admin path contributes to your site's overall attack surface score. Here is a framework for thinking about it that goes beyond basic checklist security.
Layer 1: The Network Perimeter
What endpoints are reachable from the internet? XML-RPC? REST API? Debug endpoints? Each one increases your attack surface. Restrict what is necessary. Block what is not. Use Cloudflare or a WAF to add another layer of filtering before requests reach your server.
Layer 2: The Application Layer
Outdated core versions, vulnerable plugins, and custom code with known exploits form your application attack surface. This is where most sites fail. WordPress releases security patches regularly. Applying them promptly reduces your attack surface dramatically. For sites with custom code, maintain a security review schedule that tests against the latest REST API security best practices.
Layer 3: The Authentication Layer
Weak admin paths, exposed login forms, and missing two-factor authentication create your authentication attack surface. This is the easiest layer to harden and the most impactful. Two-factor authentication alone neutralizes the vast majority of credential-based attacks. For MSPs managing enterprise clients, passkey rollout provides the strongest possible authentication layer.

Quick Reference: The 10-Minute Emergency Security Audit
Found your site in a scan? Run this emergency checklist immediately. Each step takes under two minutes.
- Check WordPress version: Dashboard > Updates. If an update is available, apply it now.
- Disable XML-RPC: Add the Nginx or Apache rule above, then retest the endpoint.
- Change admin URL: Install WPS Hide Login or a similar plugin to move the default login path.
- Enable two-factor auth: Install Wordfence or a TFA plugin and enable it for all admin accounts.
- Remove inactive plugins: Dashboard > Plugins. Delete anything not actively used.
- Check for admin usernames: Review user list for accounts named “admin” or “administrator.” Create a new admin account with a unique username and delete the default one.
- Verify backup accessibility: Ensure backup files in
wp-content/uploadsare not publicly accessible. - Review user roles: Remove any unnecessary administrator accounts.
- Test your site: Open
yourdomain.com/xmlrpc.phpin an incognito window. Confirm it returns 403 Forbidden. - Document everything: Record what you changed and when. Future audits will thank you.
FAQ: WordPress Security Surface Audits
How often should I run a WordPress security audit?
Run automated scans weekly using WP-CLI scripts. Perform a manual review monthly. After any major WordPress core update or plugin update, run an immediate check. Sites handling payments or customer data need weekly manual reviews regardless of the automated schedule.
Is it safe to leave XML-RPC enabled if I use Jetpack?
Yes, but you should still restrict it. Configure server-level rules that limit XML-RPC requests to Jetpack's known IP ranges only. This preserves Jetpack functionality while preventing brute-force amplification attacks. Use the server-level blocking rules mentioned above with an allowlist for Jetpack IPs instead of a blanket deny.
What is the single most impactful WordPress security fix?
Two-factor authentication on every administrator account. It neutralizes password-based attacks completely. Even if an attacker obtains your password through a breach, phishing, or brute-force method, they cannot access your dashboard without the second factor. No server configuration or plugin beats this for sheer impact.
Can I audit my site without technical knowledge?
Yes. Steps like checking your WordPress version, updating plugins, and enabling two-factor auth require only admin dashboard access. For server-level configurations like XML-RPC blocking, you will need hosting panel access or a developer. MSPs can automate the entire process with the WP-CLI script provided above.
Should I be worried about 1.4 million scanned sites?
It is a warning, not a catastrophe. The fact that 1.4 million sites got scanned means the scanning infrastructure is active and continuously looking for new targets. Your job is not to panic. It is to make your site harder to exploit than the next one. Every misconfiguration you fix reduces your attack surface and pushes your site further down the scanner's priority list.
The 1.4 million site scanning incident was not a mystery. It was a predictable outcome of preventable misconfigurations across a massive portion of the WordPress ecosystem. Every checklist item in this article is a door you can close right now. Stop waiting for a breach to happen before you act. Audit your configuration today. Fix what is broken. Then automate the whole process so it never happens again.
Found this guide useful? Share it with your team or explore more WordPress security guides on our blog. Subscribe to our newsletter for actionable security frameworks, hardening techniques, and attack surface analysis that protect your site before attackers find the gaps.
WP-CLI is your automation backbone. Run these commands to audit any WordPress installation in under two minutes:
#!/bin/bash
# WordPress surface audit script
SITE="$1"
cd "$SITE"
echo "=== CORE CHECK ==="
wp core version
wp core verify-checksums
echo "=== PLUGIN AUDIT ==="
wp plugin list --status=inactive
wp plugin list --format=csv | awk -F, '{print $2","$3}'
echo "=== USER AUDIT ==="
wp user list --role=administrator --field=user_login
echo "=== XML-RPC CHECK ==="
curl -s -o /dev/null -w "%{http_code}" https://$(wp option get siteurl)/xmlrpc.php
Save this as audit.sh, make it executable, and run it against any site. For MSPs managing dozens of clients, wrap this in a cron job that emails you a weekly report. Automation beats manual checks every single time.
External Scanning with WPScan
WPScan gives you an external perspective that internal audits cannot replicate. It identifies exposed version numbers, known vulnerable plugins, and potential attack vectors from the attacker's vantage point. Run it against your own site monthly:
wpscan --url https://yoursite.com \
--enumerate vp \
--enumerate ap \
--enumerate p \
--format=json \
--output=vulnerability-report.json
Review the JSON output and prioritize fixes by CVE severity. The WPScan database covers more than 60,000 known WordPress vulnerabilities. If your site runs a plugin flagged by WPScan, update or remove it immediately.

The Attack Surface Mapping Framework
Most WordPress security guides treat each misconfiguration as an isolated problem. Professional security teams think differently. They map the attack surface holistically. Every exposed endpoint, every outdated plugin, every default admin path contributes to your site's overall attack surface score. Here is a framework for thinking about it that goes beyond basic checklist security.
Layer 1: The Network Perimeter
What endpoints are reachable from the internet? XML-RPC? REST API? Debug endpoints? Each one increases your attack surface. Restrict what is necessary. Block what is not. Use Cloudflare or a WAF to add another layer of filtering before requests reach your server.
Layer 2: The Application Layer
Outdated core versions, vulnerable plugins, and custom code with known exploits form your application attack surface. This is where most sites fail. WordPress releases security patches regularly. Applying them promptly reduces your attack surface dramatically. For sites with custom code, maintain a security review schedule that tests against the latest REST API security best practices.
Layer 3: The Authentication Layer
Weak admin paths, exposed login forms, and missing two-factor authentication create your authentication attack surface. This is the easiest layer to harden and the most impactful. Two-factor authentication alone neutralizes the vast majority of credential-based attacks. For MSPs managing enterprise clients, passkey rollout provides the strongest possible authentication layer.

Quick Reference: The 10-Minute Emergency Security Audit
Found your site in a scan? Run this emergency checklist immediately. Each step takes under two minutes.
- Check WordPress version: Dashboard > Updates. If an update is available, apply it now.
- Disable XML-RPC: Add the Nginx or Apache rule above, then retest the endpoint.
- Change admin URL: Install WPS Hide Login or a similar plugin to move the default login path.
- Enable two-factor auth: Install Wordfence or a TFA plugin and enable it for all admin accounts.
- Remove inactive plugins: Dashboard > Plugins. Delete anything not actively used.
- Check for admin usernames: Review user list for accounts named “admin” or “administrator.” Create a new admin account with a unique username and delete the default one.
- Verify backup accessibility: Ensure backup files in
wp-content/uploadsare not publicly accessible. - Review user roles: Remove any unnecessary administrator accounts.
- Test your site: Open
yourdomain.com/xmlrpc.phpin an incognito window. Confirm it returns 403 Forbidden. - Document everything: Record what you changed and when. Future audits will thank you.
FAQ: WordPress Security Surface Audits
How often should I run a WordPress security audit?
Run automated scans weekly using WP-CLI scripts. Perform a manual review monthly. After any major WordPress core update or plugin update, run an immediate check. Sites handling payments or customer data need weekly manual reviews regardless of the automated schedule.
Is it safe to leave XML-RPC enabled if I use Jetpack?
Yes, but you should still restrict it. Configure server-level rules that limit XML-RPC requests to Jetpack's known IP ranges only. This preserves Jetpack functionality while preventing brute-force amplification attacks. Use the server-level blocking rules mentioned above with an allowlist for Jetpack IPs instead of a blanket deny.
What is the single most impactful WordPress security fix?
Two-factor authentication on every administrator account. It neutralizes password-based attacks completely. Even if an attacker obtains your password through a breach, phishing, or brute-force method, they cannot access your dashboard without the second factor. No server configuration or plugin beats this for sheer impact.
Can I audit my site without technical knowledge?
Yes. Steps like checking your WordPress version, updating plugins, and enabling two-factor auth require only admin dashboard access. For server-level configurations like XML-RPC blocking, you will need hosting panel access or a developer. MSPs can automate the entire process with the WP-CLI script provided above.
Should I be worried about 1.4 million scanned sites?
It is a warning, not a catastrophe. The fact that 1.4 million sites got scanned means the scanning infrastructure is active and continuously looking for new targets. Your job is not to panic. It is to make your site harder to exploit than the next one. Every misconfiguration you fix reduces your attack surface and pushes your site further down the scanner's priority list.
The 1.4 million site scanning incident was not a mystery. It was a predictable outcome of preventable misconfigurations across a massive portion of the WordPress ecosystem. Every checklist item in this article is a door you can close right now. Stop waiting for a breach to happen before you act. Audit your configuration today. Fix what is broken. Then automate the whole process so it never happens again.
Found this guide useful? Share it with your team or explore more WordPress security guides on our blog. Subscribe to our newsletter for actionable security frameworks, hardening techniques, and attack surface analysis that protect your site before attackers find the gaps.
For Apache, use your .htaccess security rules:
<Files xmlrpc.php>
Order deny,allow
Deny from all
</Files>
This blocks XML-RPC requests before they even reach PHP. No plugin processing overhead. No WordPress-level bypass. Just pure infrastructure defense.

Misconfiguration 3: Default Admin Paths Exposed
WordPress ships with two hardcoded admin URLs: wp-admin/ and wp-login.php. Scanners know these paths better than you know your own codebase. The default admin path is like leaving your bank vault door labeled “Enter PIN Here.” Every automated scanner in the world targets these endpoints continuously.
Defending against this requires layered thinking. First, change or restrict the login URL with a plugin like WPS Hide Login. Second, implement IP-based restrictions for admin access. Third, enforce two-factor authentication everywhere. For enterprise-grade protection, consider WebAuthn and passkey authentication that eliminates password-based attacks entirely.
The MSP Audit Toolchain: Automating Security Checks Across Client Sites
Managing security for a single WordPress site is straightforward. Managing it across fifty client sites? That requires a systematic toolchain. Here is the exact stack security teams use to automate surface audits at scale.
WP-CLI Audit Scripts
WP-CLI is your automation backbone. Run these commands to audit any WordPress installation in under two minutes:
#!/bin/bash
# WordPress surface audit script
SITE="$1"
cd "$SITE"
echo "=== CORE CHECK ==="
wp core version
wp core verify-checksums
echo "=== PLUGIN AUDIT ==="
wp plugin list --status=inactive
wp plugin list --format=csv | awk -F, '{print $2","$3}'
echo "=== USER AUDIT ==="
wp user list --role=administrator --field=user_login
echo "=== XML-RPC CHECK ==="
curl -s -o /dev/null -w "%{http_code}" https://$(wp option get siteurl)/xmlrpc.php
Save this as audit.sh, make it executable, and run it against any site. For MSPs managing dozens of clients, wrap this in a cron job that emails you a weekly report. Automation beats manual checks every single time.
External Scanning with WPScan
WPScan gives you an external perspective that internal audits cannot replicate. It identifies exposed version numbers, known vulnerable plugins, and potential attack vectors from the attacker's vantage point. Run it against your own site monthly:
wpscan --url https://yoursite.com \
--enumerate vp \
--enumerate ap \
--enumerate p \
--format=json \
--output=vulnerability-report.json
Review the JSON output and prioritize fixes by CVE severity. The WPScan database covers more than 60,000 known WordPress vulnerabilities. If your site runs a plugin flagged by WPScan, update or remove it immediately.

The Attack Surface Mapping Framework
Most WordPress security guides treat each misconfiguration as an isolated problem. Professional security teams think differently. They map the attack surface holistically. Every exposed endpoint, every outdated plugin, every default admin path contributes to your site's overall attack surface score. Here is a framework for thinking about it that goes beyond basic checklist security.
Layer 1: The Network Perimeter
What endpoints are reachable from the internet? XML-RPC? REST API? Debug endpoints? Each one increases your attack surface. Restrict what is necessary. Block what is not. Use Cloudflare or a WAF to add another layer of filtering before requests reach your server.
Layer 2: The Application Layer
Outdated core versions, vulnerable plugins, and custom code with known exploits form your application attack surface. This is where most sites fail. WordPress releases security patches regularly. Applying them promptly reduces your attack surface dramatically. For sites with custom code, maintain a security review schedule that tests against the latest REST API security best practices.
Layer 3: The Authentication Layer
Weak admin paths, exposed login forms, and missing two-factor authentication create your authentication attack surface. This is the easiest layer to harden and the most impactful. Two-factor authentication alone neutralizes the vast majority of credential-based attacks. For MSPs managing enterprise clients, passkey rollout provides the strongest possible authentication layer.

Quick Reference: The 10-Minute Emergency Security Audit
Found your site in a scan? Run this emergency checklist immediately. Each step takes under two minutes.
- Check WordPress version: Dashboard > Updates. If an update is available, apply it now.
- Disable XML-RPC: Add the Nginx or Apache rule above, then retest the endpoint.
- Change admin URL: Install WPS Hide Login or a similar plugin to move the default login path.
- Enable two-factor auth: Install Wordfence or a TFA plugin and enable it for all admin accounts.
- Remove inactive plugins: Dashboard > Plugins. Delete anything not actively used.
- Check for admin usernames: Review user list for accounts named “admin” or “administrator.” Create a new admin account with a unique username and delete the default one.
- Verify backup accessibility: Ensure backup files in
wp-content/uploadsare not publicly accessible. - Review user roles: Remove any unnecessary administrator accounts.
- Test your site: Open
yourdomain.com/xmlrpc.phpin an incognito window. Confirm it returns 403 Forbidden. - Document everything: Record what you changed and when. Future audits will thank you.
FAQ: WordPress Security Surface Audits
How often should I run a WordPress security audit?
Run automated scans weekly using WP-CLI scripts. Perform a manual review monthly. After any major WordPress core update or plugin update, run an immediate check. Sites handling payments or customer data need weekly manual reviews regardless of the automated schedule.
Is it safe to leave XML-RPC enabled if I use Jetpack?
Yes, but you should still restrict it. Configure server-level rules that limit XML-RPC requests to Jetpack's known IP ranges only. This preserves Jetpack functionality while preventing brute-force amplification attacks. Use the server-level blocking rules mentioned above with an allowlist for Jetpack IPs instead of a blanket deny.
What is the single most impactful WordPress security fix?
Two-factor authentication on every administrator account. It neutralizes password-based attacks completely. Even if an attacker obtains your password through a breach, phishing, or brute-force method, they cannot access your dashboard without the second factor. No server configuration or plugin beats this for sheer impact.
Can I audit my site without technical knowledge?
Yes. Steps like checking your WordPress version, updating plugins, and enabling two-factor auth require only admin dashboard access. For server-level configurations like XML-RPC blocking, you will need hosting panel access or a developer. MSPs can automate the entire process with the WP-CLI script provided above.
Should I be worried about 1.4 million scanned sites?
It is a warning, not a catastrophe. The fact that 1.4 million sites got scanned means the scanning infrastructure is active and continuously looking for new targets. Your job is not to panic. It is to make your site harder to exploit than the next one. Every misconfiguration you fix reduces your attack surface and pushes your site further down the scanner's priority list.
The 1.4 million site scanning incident was not a mystery. It was a predictable outcome of preventable misconfigurations across a massive portion of the WordPress ecosystem. Every checklist item in this article is a door you can close right now. Stop waiting for a breach to happen before you act. Audit your configuration today. Fix what is broken. Then automate the whole process so it never happens again.
Found this guide useful? Share it with your team or explore more WordPress security guides on our blog. Subscribe to our newsletter for actionable security frameworks, hardening techniques, and attack surface analysis that protect your site before attackers find the gaps.
For Nginx configurations, add this to your server block:
location = /xmlrpc.php {
deny all;
return 403;
}
For Apache, use your .htaccess security rules:
<Files xmlrpc.php>
Order deny,allow
Deny from all
</Files>
This blocks XML-RPC requests before they even reach PHP. No plugin processing overhead. No WordPress-level bypass. Just pure infrastructure defense.

Misconfiguration 3: Default Admin Paths Exposed
WordPress ships with two hardcoded admin URLs: wp-admin/ and wp-login.php. Scanners know these paths better than you know your own codebase. The default admin path is like leaving your bank vault door labeled “Enter PIN Here.” Every automated scanner in the world targets these endpoints continuously.
Defending against this requires layered thinking. First, change or restrict the login URL with a plugin like WPS Hide Login. Second, implement IP-based restrictions for admin access. Third, enforce two-factor authentication everywhere. For enterprise-grade protection, consider WebAuthn and passkey authentication that eliminates password-based attacks entirely.
The MSP Audit Toolchain: Automating Security Checks Across Client Sites
Managing security for a single WordPress site is straightforward. Managing it across fifty client sites? That requires a systematic toolchain. Here is the exact stack security teams use to automate surface audits at scale.
WP-CLI Audit Scripts
WP-CLI is your automation backbone. Run these commands to audit any WordPress installation in under two minutes:
#!/bin/bash
# WordPress surface audit script
SITE="$1"
cd "$SITE"
echo "=== CORE CHECK ==="
wp core version
wp core verify-checksums
echo "=== PLUGIN AUDIT ==="
wp plugin list --status=inactive
wp plugin list --format=csv | awk -F, '{print $2","$3}'
echo "=== USER AUDIT ==="
wp user list --role=administrator --field=user_login
echo "=== XML-RPC CHECK ==="
curl -s -o /dev/null -w "%{http_code}" https://$(wp option get siteurl)/xmlrpc.php
Save this as audit.sh, make it executable, and run it against any site. For MSPs managing dozens of clients, wrap this in a cron job that emails you a weekly report. Automation beats manual checks every single time.
External Scanning with WPScan
WPScan gives you an external perspective that internal audits cannot replicate. It identifies exposed version numbers, known vulnerable plugins, and potential attack vectors from the attacker's vantage point. Run it against your own site monthly:
wpscan --url https://yoursite.com \
--enumerate vp \
--enumerate ap \
--enumerate p \
--format=json \
--output=vulnerability-report.json
Review the JSON output and prioritize fixes by CVE severity. The WPScan database covers more than 60,000 known WordPress vulnerabilities. If your site runs a plugin flagged by WPScan, update or remove it immediately.

The Attack Surface Mapping Framework
Most WordPress security guides treat each misconfiguration as an isolated problem. Professional security teams think differently. They map the attack surface holistically. Every exposed endpoint, every outdated plugin, every default admin path contributes to your site's overall attack surface score. Here is a framework for thinking about it that goes beyond basic checklist security.
Layer 1: The Network Perimeter
What endpoints are reachable from the internet? XML-RPC? REST API? Debug endpoints? Each one increases your attack surface. Restrict what is necessary. Block what is not. Use Cloudflare or a WAF to add another layer of filtering before requests reach your server.
Layer 2: The Application Layer
Outdated core versions, vulnerable plugins, and custom code with known exploits form your application attack surface. This is where most sites fail. WordPress releases security patches regularly. Applying them promptly reduces your attack surface dramatically. For sites with custom code, maintain a security review schedule that tests against the latest REST API security best practices.
Layer 3: The Authentication Layer
Weak admin paths, exposed login forms, and missing two-factor authentication create your authentication attack surface. This is the easiest layer to harden and the most impactful. Two-factor authentication alone neutralizes the vast majority of credential-based attacks. For MSPs managing enterprise clients, passkey rollout provides the strongest possible authentication layer.

Quick Reference: The 10-Minute Emergency Security Audit
Found your site in a scan? Run this emergency checklist immediately. Each step takes under two minutes.
- Check WordPress version: Dashboard > Updates. If an update is available, apply it now.
- Disable XML-RPC: Add the Nginx or Apache rule above, then retest the endpoint.
- Change admin URL: Install WPS Hide Login or a similar plugin to move the default login path.
- Enable two-factor auth: Install Wordfence or a TFA plugin and enable it for all admin accounts.
- Remove inactive plugins: Dashboard > Plugins. Delete anything not actively used.
- Check for admin usernames: Review user list for accounts named “admin” or “administrator.” Create a new admin account with a unique username and delete the default one.
- Verify backup accessibility: Ensure backup files in
wp-content/uploadsare not publicly accessible. - Review user roles: Remove any unnecessary administrator accounts.
- Test your site: Open
yourdomain.com/xmlrpc.phpin an incognito window. Confirm it returns 403 Forbidden. - Document everything: Record what you changed and when. Future audits will thank you.
FAQ: WordPress Security Surface Audits
How often should I run a WordPress security audit?
Run automated scans weekly using WP-CLI scripts. Perform a manual review monthly. After any major WordPress core update or plugin update, run an immediate check. Sites handling payments or customer data need weekly manual reviews regardless of the automated schedule.
Is it safe to leave XML-RPC enabled if I use Jetpack?
Yes, but you should still restrict it. Configure server-level rules that limit XML-RPC requests to Jetpack's known IP ranges only. This preserves Jetpack functionality while preventing brute-force amplification attacks. Use the server-level blocking rules mentioned above with an allowlist for Jetpack IPs instead of a blanket deny.
What is the single most impactful WordPress security fix?
Two-factor authentication on every administrator account. It neutralizes password-based attacks completely. Even if an attacker obtains your password through a breach, phishing, or brute-force method, they cannot access your dashboard without the second factor. No server configuration or plugin beats this for sheer impact.
Can I audit my site without technical knowledge?
Yes. Steps like checking your WordPress version, updating plugins, and enabling two-factor auth require only admin dashboard access. For server-level configurations like XML-RPC blocking, you will need hosting panel access or a developer. MSPs can automate the entire process with the WP-CLI script provided above.
Should I be worried about 1.4 million scanned sites?
It is a warning, not a catastrophe. The fact that 1.4 million sites got scanned means the scanning infrastructure is active and continuously looking for new targets. Your job is not to panic. It is to make your site harder to exploit than the next one. Every misconfiguration you fix reduces your attack surface and pushes your site further down the scanner's priority list.
The 1.4 million site scanning incident was not a mystery. It was a predictable outcome of preventable misconfigurations across a massive portion of the WordPress ecosystem. Every checklist item in this article is a door you can close right now. Stop waiting for a breach to happen before you act. Audit your configuration today. Fix what is broken. Then automate the whole process so it never happens again.
Found this guide useful? Share it with your team or explore more WordPress security guides on our blog. Subscribe to our newsletter for actionable security frameworks, hardening techniques, and attack surface analysis that protect your site before attackers find the gaps.
The vast majority of WordPress sites do not need XML-RPC. Jetpack users need it. Mobile publishers who use the WordPress app need it. Everyone else? Close it at the server level:
Server-Level XML-RPC Blocking
For Nginx configurations, add this to your server block:
location = /xmlrpc.php {
deny all;
return 403;
}
For Apache, use your .htaccess security rules:
<Files xmlrpc.php>
Order deny,allow
Deny from all
</Files>
This blocks XML-RPC requests before they even reach PHP. No plugin processing overhead. No WordPress-level bypass. Just pure infrastructure defense.

Misconfiguration 3: Default Admin Paths Exposed
WordPress ships with two hardcoded admin URLs: wp-admin/ and wp-login.php. Scanners know these paths better than you know your own codebase. The default admin path is like leaving your bank vault door labeled “Enter PIN Here.” Every automated scanner in the world targets these endpoints continuously.
Defending against this requires layered thinking. First, change or restrict the login URL with a plugin like WPS Hide Login. Second, implement IP-based restrictions for admin access. Third, enforce two-factor authentication everywhere. For enterprise-grade protection, consider WebAuthn and passkey authentication that eliminates password-based attacks entirely.
The MSP Audit Toolchain: Automating Security Checks Across Client Sites
Managing security for a single WordPress site is straightforward. Managing it across fifty client sites? That requires a systematic toolchain. Here is the exact stack security teams use to automate surface audits at scale.
WP-CLI Audit Scripts
WP-CLI is your automation backbone. Run these commands to audit any WordPress installation in under two minutes:
#!/bin/bash
# WordPress surface audit script
SITE="$1"
cd "$SITE"
echo "=== CORE CHECK ==="
wp core version
wp core verify-checksums
echo "=== PLUGIN AUDIT ==="
wp plugin list --status=inactive
wp plugin list --format=csv | awk -F, '{print $2","$3}'
echo "=== USER AUDIT ==="
wp user list --role=administrator --field=user_login
echo "=== XML-RPC CHECK ==="
curl -s -o /dev/null -w "%{http_code}" https://$(wp option get siteurl)/xmlrpc.php
Save this as audit.sh, make it executable, and run it against any site. For MSPs managing dozens of clients, wrap this in a cron job that emails you a weekly report. Automation beats manual checks every single time.
External Scanning with WPScan
WPScan gives you an external perspective that internal audits cannot replicate. It identifies exposed version numbers, known vulnerable plugins, and potential attack vectors from the attacker's vantage point. Run it against your own site monthly:
wpscan --url https://yoursite.com \
--enumerate vp \
--enumerate ap \
--enumerate p \
--format=json \
--output=vulnerability-report.json
Review the JSON output and prioritize fixes by CVE severity. The WPScan database covers more than 60,000 known WordPress vulnerabilities. If your site runs a plugin flagged by WPScan, update or remove it immediately.

The Attack Surface Mapping Framework
Most WordPress security guides treat each misconfiguration as an isolated problem. Professional security teams think differently. They map the attack surface holistically. Every exposed endpoint, every outdated plugin, every default admin path contributes to your site's overall attack surface score. Here is a framework for thinking about it that goes beyond basic checklist security.
Layer 1: The Network Perimeter
What endpoints are reachable from the internet? XML-RPC? REST API? Debug endpoints? Each one increases your attack surface. Restrict what is necessary. Block what is not. Use Cloudflare or a WAF to add another layer of filtering before requests reach your server.
Layer 2: The Application Layer
Outdated core versions, vulnerable plugins, and custom code with known exploits form your application attack surface. This is where most sites fail. WordPress releases security patches regularly. Applying them promptly reduces your attack surface dramatically. For sites with custom code, maintain a security review schedule that tests against the latest REST API security best practices.
Layer 3: The Authentication Layer
Weak admin paths, exposed login forms, and missing two-factor authentication create your authentication attack surface. This is the easiest layer to harden and the most impactful. Two-factor authentication alone neutralizes the vast majority of credential-based attacks. For MSPs managing enterprise clients, passkey rollout provides the strongest possible authentication layer.

Quick Reference: The 10-Minute Emergency Security Audit
Found your site in a scan? Run this emergency checklist immediately. Each step takes under two minutes.
- Check WordPress version: Dashboard > Updates. If an update is available, apply it now.
- Disable XML-RPC: Add the Nginx or Apache rule above, then retest the endpoint.
- Change admin URL: Install WPS Hide Login or a similar plugin to move the default login path.
- Enable two-factor auth: Install Wordfence or a TFA plugin and enable it for all admin accounts.
- Remove inactive plugins: Dashboard > Plugins. Delete anything not actively used.
- Check for admin usernames: Review user list for accounts named “admin” or “administrator.” Create a new admin account with a unique username and delete the default one.
- Verify backup accessibility: Ensure backup files in
wp-content/uploadsare not publicly accessible. - Review user roles: Remove any unnecessary administrator accounts.
- Test your site: Open
yourdomain.com/xmlrpc.phpin an incognito window. Confirm it returns 403 Forbidden. - Document everything: Record what you changed and when. Future audits will thank you.
FAQ: WordPress Security Surface Audits
How often should I run a WordPress security audit?
Run automated scans weekly using WP-CLI scripts. Perform a manual review monthly. After any major WordPress core update or plugin update, run an immediate check. Sites handling payments or customer data need weekly manual reviews regardless of the automated schedule.
Is it safe to leave XML-RPC enabled if I use Jetpack?
Yes, but you should still restrict it. Configure server-level rules that limit XML-RPC requests to Jetpack's known IP ranges only. This preserves Jetpack functionality while preventing brute-force amplification attacks. Use the server-level blocking rules mentioned above with an allowlist for Jetpack IPs instead of a blanket deny.
What is the single most impactful WordPress security fix?
Two-factor authentication on every administrator account. It neutralizes password-based attacks completely. Even if an attacker obtains your password through a breach, phishing, or brute-force method, they cannot access your dashboard without the second factor. No server configuration or plugin beats this for sheer impact.
Can I audit my site without technical knowledge?
Yes. Steps like checking your WordPress version, updating plugins, and enabling two-factor auth require only admin dashboard access. For server-level configurations like XML-RPC blocking, you will need hosting panel access or a developer. MSPs can automate the entire process with the WP-CLI script provided above.
Should I be worried about 1.4 million scanned sites?
It is a warning, not a catastrophe. The fact that 1.4 million sites got scanned means the scanning infrastructure is active and continuously looking for new targets. Your job is not to panic. It is to make your site harder to exploit than the next one. Every misconfiguration you fix reduces your attack surface and pushes your site further down the scanner's priority list.
The 1.4 million site scanning incident was not a mystery. It was a predictable outcome of preventable misconfigurations across a massive portion of the WordPress ecosystem. Every checklist item in this article is a door you can close right now. Stop waiting for a breach to happen before you act. Audit your configuration today. Fix what is broken. Then automate the whole process so it never happens again.
Found this guide useful? Share it with your team or explore more WordPress security guides on our blog. Subscribe to our newsletter for actionable security frameworks, hardening techniques, and attack surface analysis that protect your site before attackers find the gaps.
The fix requires discipline, not expertise. Enable automatic minor updates through your wp-config.php file. Add this line to force automatic minor core updates:
add_filter( 'allow_major_auto_core_updates', '__return_false' );
For plugins, adopt a quarterly audit cycle. Remove any plugin inactive for 90 days. Each inactive plugin is an unpaid security consultant for hackers. Even our comprehensive audit checklist covers manual plugin review in detail, but automation should do the heavy lifting for MSPs managing multiple client environments.
Misconfiguration 2: XML-RPC Left Wide Open
Here is the counter-intuitive insight that separates junior security work from professional-grade hardening: XML-RPC is not a vulnerability itself, but it is a force multiplier that turns a manageable threat into a weapon. Every XML-RPC endpoint on your site can accept multicommand requests. One request can test thousands of password combinations simultaneously. This is how bots amplify login attacks into DDoS-grade events.
The vast majority of WordPress sites do not need XML-RPC. Jetpack users need it. Mobile publishers who use the WordPress app need it. Everyone else? Close it at the server level:
Server-Level XML-RPC Blocking
For Nginx configurations, add this to your server block:
location = /xmlrpc.php {
deny all;
return 403;
}
For Apache, use your .htaccess security rules:
<Files xmlrpc.php>
Order deny,allow
Deny from all
</Files>
This blocks XML-RPC requests before they even reach PHP. No plugin processing overhead. No WordPress-level bypass. Just pure infrastructure defense.

Misconfiguration 3: Default Admin Paths Exposed
WordPress ships with two hardcoded admin URLs: wp-admin/ and wp-login.php. Scanners know these paths better than you know your own codebase. The default admin path is like leaving your bank vault door labeled “Enter PIN Here.” Every automated scanner in the world targets these endpoints continuously.
Defending against this requires layered thinking. First, change or restrict the login URL with a plugin like WPS Hide Login. Second, implement IP-based restrictions for admin access. Third, enforce two-factor authentication everywhere. For enterprise-grade protection, consider WebAuthn and passkey authentication that eliminates password-based attacks entirely.
The MSP Audit Toolchain: Automating Security Checks Across Client Sites
Managing security for a single WordPress site is straightforward. Managing it across fifty client sites? That requires a systematic toolchain. Here is the exact stack security teams use to automate surface audits at scale.
WP-CLI Audit Scripts
WP-CLI is your automation backbone. Run these commands to audit any WordPress installation in under two minutes:
#!/bin/bash
# WordPress surface audit script
SITE="$1"
cd "$SITE"
echo "=== CORE CHECK ==="
wp core version
wp core verify-checksums
echo "=== PLUGIN AUDIT ==="
wp plugin list --status=inactive
wp plugin list --format=csv | awk -F, '{print $2","$3}'
echo "=== USER AUDIT ==="
wp user list --role=administrator --field=user_login
echo "=== XML-RPC CHECK ==="
curl -s -o /dev/null -w "%{http_code}" https://$(wp option get siteurl)/xmlrpc.php
Save this as audit.sh, make it executable, and run it against any site. For MSPs managing dozens of clients, wrap this in a cron job that emails you a weekly report. Automation beats manual checks every single time.
External Scanning with WPScan
WPScan gives you an external perspective that internal audits cannot replicate. It identifies exposed version numbers, known vulnerable plugins, and potential attack vectors from the attacker's vantage point. Run it against your own site monthly:
wpscan --url https://yoursite.com \
--enumerate vp \
--enumerate ap \
--enumerate p \
--format=json \
--output=vulnerability-report.json
Review the JSON output and prioritize fixes by CVE severity. The WPScan database covers more than 60,000 known WordPress vulnerabilities. If your site runs a plugin flagged by WPScan, update or remove it immediately.

The Attack Surface Mapping Framework
Most WordPress security guides treat each misconfiguration as an isolated problem. Professional security teams think differently. They map the attack surface holistically. Every exposed endpoint, every outdated plugin, every default admin path contributes to your site's overall attack surface score. Here is a framework for thinking about it that goes beyond basic checklist security.
Layer 1: The Network Perimeter
What endpoints are reachable from the internet? XML-RPC? REST API? Debug endpoints? Each one increases your attack surface. Restrict what is necessary. Block what is not. Use Cloudflare or a WAF to add another layer of filtering before requests reach your server.
Layer 2: The Application Layer
Outdated core versions, vulnerable plugins, and custom code with known exploits form your application attack surface. This is where most sites fail. WordPress releases security patches regularly. Applying them promptly reduces your attack surface dramatically. For sites with custom code, maintain a security review schedule that tests against the latest REST API security best practices.
Layer 3: The Authentication Layer
Weak admin paths, exposed login forms, and missing two-factor authentication create your authentication attack surface. This is the easiest layer to harden and the most impactful. Two-factor authentication alone neutralizes the vast majority of credential-based attacks. For MSPs managing enterprise clients, passkey rollout provides the strongest possible authentication layer.

Quick Reference: The 10-Minute Emergency Security Audit
Found your site in a scan? Run this emergency checklist immediately. Each step takes under two minutes.
- Check WordPress version: Dashboard > Updates. If an update is available, apply it now.
- Disable XML-RPC: Add the Nginx or Apache rule above, then retest the endpoint.
- Change admin URL: Install WPS Hide Login or a similar plugin to move the default login path.
- Enable two-factor auth: Install Wordfence or a TFA plugin and enable it for all admin accounts.
- Remove inactive plugins: Dashboard > Plugins. Delete anything not actively used.
- Check for admin usernames: Review user list for accounts named “admin” or “administrator.” Create a new admin account with a unique username and delete the default one.
- Verify backup accessibility: Ensure backup files in
wp-content/uploadsare not publicly accessible. - Review user roles: Remove any unnecessary administrator accounts.
- Test your site: Open
yourdomain.com/xmlrpc.phpin an incognito window. Confirm it returns 403 Forbidden. - Document everything: Record what you changed and when. Future audits will thank you.
FAQ: WordPress Security Surface Audits
How often should I run a WordPress security audit?
Run automated scans weekly using WP-CLI scripts. Perform a manual review monthly. After any major WordPress core update or plugin update, run an immediate check. Sites handling payments or customer data need weekly manual reviews regardless of the automated schedule.
Is it safe to leave XML-RPC enabled if I use Jetpack?
Yes, but you should still restrict it. Configure server-level rules that limit XML-RPC requests to Jetpack's known IP ranges only. This preserves Jetpack functionality while preventing brute-force amplification attacks. Use the server-level blocking rules mentioned above with an allowlist for Jetpack IPs instead of a blanket deny.
What is the single most impactful WordPress security fix?
Two-factor authentication on every administrator account. It neutralizes password-based attacks completely. Even if an attacker obtains your password through a breach, phishing, or brute-force method, they cannot access your dashboard without the second factor. No server configuration or plugin beats this for sheer impact.
Can I audit my site without technical knowledge?
Yes. Steps like checking your WordPress version, updating plugins, and enabling two-factor auth require only admin dashboard access. For server-level configurations like XML-RPC blocking, you will need hosting panel access or a developer. MSPs can automate the entire process with the WP-CLI script provided above.
Should I be worried about 1.4 million scanned sites?
It is a warning, not a catastrophe. The fact that 1.4 million sites got scanned means the scanning infrastructure is active and continuously looking for new targets. Your job is not to panic. It is to make your site harder to exploit than the next one. Every misconfiguration you fix reduces your attack surface and pushes your site further down the scanner's priority list.
The 1.4 million site scanning incident was not a mystery. It was a predictable outcome of preventable misconfigurations across a massive portion of the WordPress ecosystem. Every checklist item in this article is a door you can close right now. Stop waiting for a breach to happen before you act. Audit your configuration today. Fix what is broken. Then automate the whole process so it never happens again.
Found this guide useful? Share it with your team or explore more WordPress security guides on our blog. Subscribe to our newsletter for actionable security frameworks, hardening techniques, and attack surface analysis that protect your site before attackers find the gaps.
You just found your WordPress site in a list of 1.4 million exposed installations. The bad news: it happened because of a configuration nobody thought about. The good news: you can fix it in 30 minutes without touching a single line of code.
Mass scanners did not find these sites through clever hacking. They found them through laziness on your part. Default paths left open. XML-RPC still accepting requests. Plugins that have not been updated since 2023. These are the silent vulnerabilities turning WordPress into a free buffet for automated scanning bots.
Key Takeaways: The 1.4 million WordPress site exposure event exposed three critical misconfigurations: outdated core and plugin versions, exposed XML-RPC endpoints, and unprotected admin paths. This post gives you an automated audit toolkit and the attack surface mapping framework that MSPs and security teams use to close these gaps across hundreds of client sites simultaneously.

Why 1.4 Million Sites Got Caught in Mass Scans
The number 1.4 million sounds apocalyptic. But the story behind it is painfully mundane. Security researchers at Wordfence and WPScan have tracked similar waves for years. Each wave follows the same pattern: a massive automated scan sweeps the internet, cataloging every WordPress installation it can find, flagging vulnerable ones, and selling the data to the highest bidder.
Here is the uncomfortable truth that most WordPress guides skip. Most compromised sites did not need a zero-day exploit. They needed a site administrator who cared enough to run through a basic security checklist. Once a year? Every month? No. Daily automation should do this work for you.
The Three Misconfigurations That Make Mass Scanning Possible
Misconfiguration 1: Outdated Core and Plugin Ecosystems
Outdated software is the number one reason scanners succeed at scale. When WordPress releases a security patch, vulnerability databases update within minutes. Automated scanners then query those databases and cross-reference your installed plugin list. If you run WooCommerce 8.2 and it just had a critical CVE, your site gets flagged before lunch.
The fix requires discipline, not expertise. Enable automatic minor updates through your wp-config.php file. Add this line to force automatic minor core updates:
add_filter( 'allow_major_auto_core_updates', '__return_false' );
For plugins, adopt a quarterly audit cycle. Remove any plugin inactive for 90 days. Each inactive plugin is an unpaid security consultant for hackers. Even our comprehensive audit checklist covers manual plugin review in detail, but automation should do the heavy lifting for MSPs managing multiple client environments.
Misconfiguration 2: XML-RPC Left Wide Open
Here is the counter-intuitive insight that separates junior security work from professional-grade hardening: XML-RPC is not a vulnerability itself, but it is a force multiplier that turns a manageable threat into a weapon. Every XML-RPC endpoint on your site can accept multicommand requests. One request can test thousands of password combinations simultaneously. This is how bots amplify login attacks into DDoS-grade events.
The vast majority of WordPress sites do not need XML-RPC. Jetpack users need it. Mobile publishers who use the WordPress app need it. Everyone else? Close it at the server level:
Server-Level XML-RPC Blocking
For Nginx configurations, add this to your server block:
location = /xmlrpc.php {
deny all;
return 403;
}
For Apache, use your .htaccess security rules:
<Files xmlrpc.php>
Order deny,allow
Deny from all
</Files>
This blocks XML-RPC requests before they even reach PHP. No plugin processing overhead. No WordPress-level bypass. Just pure infrastructure defense.

Misconfiguration 3: Default Admin Paths Exposed
WordPress ships with two hardcoded admin URLs: wp-admin/ and wp-login.php. Scanners know these paths better than you know your own codebase. The default admin path is like leaving your bank vault door labeled “Enter PIN Here.” Every automated scanner in the world targets these endpoints continuously.
Defending against this requires layered thinking. First, change or restrict the login URL with a plugin like WPS Hide Login. Second, implement IP-based restrictions for admin access. Third, enforce two-factor authentication everywhere. For enterprise-grade protection, consider WebAuthn and passkey authentication that eliminates password-based attacks entirely.
The MSP Audit Toolchain: Automating Security Checks Across Client Sites
Managing security for a single WordPress site is straightforward. Managing it across fifty client sites? That requires a systematic toolchain. Here is the exact stack security teams use to automate surface audits at scale.
WP-CLI Audit Scripts
WP-CLI is your automation backbone. Run these commands to audit any WordPress installation in under two minutes:
#!/bin/bash
# WordPress surface audit script
SITE="$1"
cd "$SITE"
echo "=== CORE CHECK ==="
wp core version
wp core verify-checksums
echo "=== PLUGIN AUDIT ==="
wp plugin list --status=inactive
wp plugin list --format=csv | awk -F, '{print $2","$3}'
echo "=== USER AUDIT ==="
wp user list --role=administrator --field=user_login
echo "=== XML-RPC CHECK ==="
curl -s -o /dev/null -w "%{http_code}" https://$(wp option get siteurl)/xmlrpc.php
Save this as audit.sh, make it executable, and run it against any site. For MSPs managing dozens of clients, wrap this in a cron job that emails you a weekly report. Automation beats manual checks every single time.
External Scanning with WPScan
WPScan gives you an external perspective that internal audits cannot replicate. It identifies exposed version numbers, known vulnerable plugins, and potential attack vectors from the attacker's vantage point. Run it against your own site monthly:
wpscan --url https://yoursite.com \
--enumerate vp \
--enumerate ap \
--enumerate p \
--format=json \
--output=vulnerability-report.json
Review the JSON output and prioritize fixes by CVE severity. The WPScan database covers more than 60,000 known WordPress vulnerabilities. If your site runs a plugin flagged by WPScan, update or remove it immediately.

The Attack Surface Mapping Framework
Most WordPress security guides treat each misconfiguration as an isolated problem. Professional security teams think differently. They map the attack surface holistically. Every exposed endpoint, every outdated plugin, every default admin path contributes to your site's overall attack surface score. Here is a framework for thinking about it that goes beyond basic checklist security.
Layer 1: The Network Perimeter
What endpoints are reachable from the internet? XML-RPC? REST API? Debug endpoints? Each one increases your attack surface. Restrict what is necessary. Block what is not. Use Cloudflare or a WAF to add another layer of filtering before requests reach your server.
Layer 2: The Application Layer
Outdated core versions, vulnerable plugins, and custom code with known exploits form your application attack surface. This is where most sites fail. WordPress releases security patches regularly. Applying them promptly reduces your attack surface dramatically. For sites with custom code, maintain a security review schedule that tests against the latest REST API security best practices.
Layer 3: The Authentication Layer
Weak admin paths, exposed login forms, and missing two-factor authentication create your authentication attack surface. This is the easiest layer to harden and the most impactful. Two-factor authentication alone neutralizes the vast majority of credential-based attacks. For MSPs managing enterprise clients, passkey rollout provides the strongest possible authentication layer.

Quick Reference: The 10-Minute Emergency Security Audit
Found your site in a scan? Run this emergency checklist immediately. Each step takes under two minutes.
- Check WordPress version: Dashboard > Updates. If an update is available, apply it now.
- Disable XML-RPC: Add the Nginx or Apache rule above, then retest the endpoint.
- Change admin URL: Install WPS Hide Login or a similar plugin to move the default login path.
- Enable two-factor auth: Install Wordfence or a TFA plugin and enable it for all admin accounts.
- Remove inactive plugins: Dashboard > Plugins. Delete anything not actively used.
- Check for admin usernames: Review user list for accounts named “admin” or “administrator.” Create a new admin account with a unique username and delete the default one.
- Verify backup accessibility: Ensure backup files in
wp-content/uploadsare not publicly accessible. - Review user roles: Remove any unnecessary administrator accounts.
- Test your site: Open
yourdomain.com/xmlrpc.phpin an incognito window. Confirm it returns 403 Forbidden. - Document everything: Record what you changed and when. Future audits will thank you.
FAQ: WordPress Security Surface Audits
How often should I run a WordPress security audit?
Run automated scans weekly using WP-CLI scripts. Perform a manual review monthly. After any major WordPress core update or plugin update, run an immediate check. Sites handling payments or customer data need weekly manual reviews regardless of the automated schedule.
Is it safe to leave XML-RPC enabled if I use Jetpack?
Yes, but you should still restrict it. Configure server-level rules that limit XML-RPC requests to Jetpack's known IP ranges only. This preserves Jetpack functionality while preventing brute-force amplification attacks. Use the server-level blocking rules mentioned above with an allowlist for Jetpack IPs instead of a blanket deny.
What is the single most impactful WordPress security fix?
Two-factor authentication on every administrator account. It neutralizes password-based attacks completely. Even if an attacker obtains your password through a breach, phishing, or brute-force method, they cannot access your dashboard without the second factor. No server configuration or plugin beats this for sheer impact.
Can I audit my site without technical knowledge?
Yes. Steps like checking your WordPress version, updating plugins, and enabling two-factor auth require only admin dashboard access. For server-level configurations like XML-RPC blocking, you will need hosting panel access or a developer. MSPs can automate the entire process with the WP-CLI script provided above.
Should I be worried about 1.4 million scanned sites?
It is a warning, not a catastrophe. The fact that 1.4 million sites got scanned means the scanning infrastructure is active and continuously looking for new targets. Your job is not to panic. It is to make your site harder to exploit than the next one. Every misconfiguration you fix reduces your attack surface and pushes your site further down the scanner's priority list.
The 1.4 million site scanning incident was not a mystery. It was a predictable outcome of preventable misconfigurations across a massive portion of the WordPress ecosystem. Every checklist item in this article is a door you can close right now. Stop waiting for a breach to happen before you act. Audit your configuration today. Fix what is broken. Then automate the whole process so it never happens again.
Found this guide useful? Share it with your team or explore more WordPress security guides on our blog. Subscribe to our newsletter for actionable security frameworks, hardening techniques, and attack surface analysis that protect your site before attackers find the gaps.



