Website security isn't something you set up once and walk away from. New vulnerabilities are discovered constantly, plugins push updates weekly, and attackers are always probing for the weak link. A monthly security review catches problems before they become incidents.
Here are 15 items to check every month. Bookmark this page and work through it on the same day each month.
Software and Updates
1. Update Your CMS Core
Whether you run WordPress, Joomla, Drupal, or something else, core updates patch known security vulnerabilities. Delaying updates leaves your site exposed to exploits that are already public knowledge and actively being used. Check for pending updates and apply them.
2. Update All Plugins and Extensions
Outdated plugins are the most common entry point for website hacks. Log into your admin panel, review every installed plugin, and update any that have new versions available. If a plugin hasn't been updated by its developer in over a year, consider replacing it with a maintained alternative.
3. Update Your Theme
Themes can contain vulnerabilities too, especially premium themes with lots of built-in functionality. Update to the latest version and verify your customizations still work afterward.
4. Check Your PHP Version
PHP versions reach end-of-life and stop receiving security patches. As of 2026, you should be running PHP 8.2 or newer. Check your current version in cPanel and upgrade if you're behind. Test your site after upgrading to catch any compatibility issues.
Access and Authentication
5. Review User Accounts
Check your CMS user list for accounts that shouldn't be there. Remove anyone who no longer needs access. Downgrade permissions for users who don't need admin-level privileges. The principle of least privilege applies to websites just as much as any other system.
6. Verify 2FA Is Active
Confirm that two-factor authentication is still enabled on all admin accounts. Check that it's also active on your cPanel login and your hosting account login. If a team member replaced their phone recently, make sure they reconfigured their authenticator app.
7. Audit Saved Passwords
Check your password manager for any website-related passwords that are weak, reused, or older than six months. Rotate FTP credentials, database passwords, and any API keys that have been in use for a while.
Backups and Recovery
8. Verify Backup Jobs Are Running
Don't assume your backup system is working just because you set it up months ago. Log into your backup tool and confirm that recent backups exist with the expected file sizes. A backup that silently failed three weeks ago is useless when you need it today.
9. Test a Backup Restore
At least once a quarter (more often for critical sites), restore a backup to a staging environment and verify it works. A backup you've never tested is a gamble, not a safety net.
10. Confirm Offsite Backup Copies
If your only backups are stored on the same server as your website, a server failure or a hack that gains root access wipes out both your site and your backups. Make sure copies are stored in a separate location, whether that's a different server, cloud storage, or a local machine.
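A scripted version of checks 8 and 10, added here as an example (it is not the page's own code or SpectraHost's tooling): it picks the newest *.tar.gz in a backup directory, fails if that archive is older than 24 hours or smaller than an expected minimum, and confirms a byte-identical copy exists in a second (offsite) directory. The one-directory-per-site layout, the *.tar.gz naming, the 24-hour window and the demo files are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the newest backup archive and its offsite copy.
# Assumptions: archives are *.tar.gz in one directory per site and "recent" means
# modified within the last 24 hours. Uses only POSIX tools (ls, find, wc, cksum).

# check_backups <dir> <min_bytes>: one-line verdict on the newest archive in <dir>
check_backups() {
    dir="$1"; min_bytes="$2"
    newest=$(ls -t "$dir"/*.tar.gz 2>/dev/null | head -n 1)
    if [ -z "$newest" ]; then
        echo "FAIL no backup archives in $dir"; return 1
    fi
    # -mtime -1 is true only for files modified less than one day ago
    if [ -z "$(find "$newest" -mtime -1)" ]; then
        echo "FAIL stale archive (older than 24h): $newest"; return 1
    fi
    size=$(wc -c < "$newest" | tr -d ' ')
    if [ "$size" -lt "$min_bytes" ]; then
        echo "FAIL too small ($size bytes, expected >= $min_bytes): $newest"; return 1
    fi
    echo "OK $newest ($size bytes)"
}

# verify_offsite_copy <local_dir> <offsite_dir>: the newest local archive must exist
# offsite with the same CRC and size (cksum on stdin prints just "crc size")
verify_offsite_copy() {
    newest=$(ls -t "$1"/*.tar.gz 2>/dev/null | head -n 1)
    name=$(basename "$newest")
    if [ ! -f "$2/$name" ]; then
        echo "FAIL no offsite copy of $name"; return 1
    fi
    if [ "$(cksum < "$newest")" != "$(cksum < "$2/$name")" ]; then
        echo "FAIL offsite copy of $name differs from local"; return 1
    fi
    echo "OK offsite copy of $name matches"
}

# make_demo_backups: constructed data for a dry run; prints "<local_dir> <offsite_dir>".
# One fresh 4 KiB archive, one stale copy back-dated to 2020, and a matching offsite copy.
make_demo_backups() {
    local_dir=$(mktemp -d); off_dir=$(mktemp -d)
    dd if=/dev/zero bs=1024 count=4 of="$local_dir/site-latest.tar.gz" 2>/dev/null
    dd if=/dev/zero bs=1024 count=4 of="$local_dir/site-old.tar.gz" 2>/dev/null
    touch -t 202001010000 "$local_dir/site-old.tar.gz"
    cp "$local_dir/site-latest.tar.gz" "$off_dir/"
    printf '%s %s\n' "$local_dir" "$off_dir"
}

# Dry run: set -- $(make_demo_backups); check_backups "$1" 1024; verify_offsite_copy "$1" "$2"
```

A non-zero exit from either function is what you want to wire into a cron mail or alert, so a silently failing backup job shows up the same day rather than at restore time.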
File and Server Security
11. Scan for Malware
Run a malware scan using your security plugin (Wordfence, Sucuri, MalCare) or your host's built-in scanner. Look for flagged files, suspicious code injections, or unexpected modifications to core files.
12. Check File Permissions
Correct file permissions prevent unauthorized modification:
- Directories: 755
- Files: 644
- wp-config.php (WordPress): 440 or 400
- Nothing should ever be 777 (world-writable)
Incorrect permissions are a common finding after plugin installations or manual file uploads. A quick check in your file manager or via SSH catches these before they become a problem.
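The SSH version of that quick check, added as an example (not the page's own code or a SpectraHost tool): it lists every path under a web root whose mode deviates from the 755 / 644 / 440-or-400 baseline above and flags anything world-writable. The WordPress-like demo tree it builds is constructed sample data.

```shell
#!/bin/sh
# Added example: report every path under a web root whose mode deviates from the
# baseline (directories 755, files 644, wp-config.php 440 or 400, nothing
# world-writable). POSIX find only; nothing is changed, findings are just listed.

# audit_permissions <webroot>: one line per finding, "<RULE> <path>"
audit_permissions() {
    root="$1"
    # -perm -0002: the world-writable bit is set (catches 777, 666, 757, ...)
    find "$root" -perm -0002 | sed 's/^/WORLD_WRITABLE /'
    # directories that are not exactly 755
    find "$root" -type d ! -perm 0755 | sed 's/^/DIR_NOT_755 /'
    # regular files that are not exactly 644; wp-config.php has its own rule below
    find "$root" -type f ! -name wp-config.php ! -perm 0644 | sed 's/^/FILE_NOT_644 /'
    # wp-config.php holds the database credentials: it must be 440 or 400
    find "$root" -type f -name wp-config.php ! -perm 0440 ! -perm 0400 \
        | sed 's/^/WPCONFIG_NOT_440_400 /'
}

# make_demo_tree: a throwaway WordPress-like tree with two deliberate mistakes
# (constructed sample data, not a real site). Prints the root path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    touch "$d/index.php" "$d/wp-config.php" "$d/wp-content/uploads/cache.php"
    chmod 755 "$d" "$d/wp-content"
    chmod 777 "$d/wp-content/uploads"           # mistake: world-writable upload dir
    chmod 644 "$d/index.php" "$d/wp-content/uploads/cache.php"
    chmod 666 "$d/wp-config.php"                # mistake: credentials file world-writable
    printf '%s\n' "$d"
}

# Dry run: audit_permissions "$(make_demo_tree)"
```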
13. Review .htaccess and Configuration Files
Attackers sometimes modify .htaccess to redirect traffic or hide malicious files. Open your .htaccess file and verify its contents match what you expect. Also check wp-config.php (or your CMS equivalent) for any unfamiliar code additions.
Monitoring and Logging
14. Review Security Logs
Check your security plugin's activity log for unusual events: failed login attempts from unfamiliar IPs, file changes you didn't make, or blocked attack patterns. Patterns in the logs can reveal ongoing threats that haven't succeeded yet but might if you don't act.
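If your host gives you the raw web server access log rather than a plugin dashboard, the same failed-login pattern can be pulled out with awk. This is an added example, not the page's own code or a SpectraHost tool; the log lines are constructed and the IPs come from documentation ranges. It assumes combined log format and the WordPress behaviour that a failed POST to /wp-login.php gets a 200 (the form is re-rendered) while a successful one gets a 302 redirect.

```shell
#!/bin/sh
# Added example: list IPs that repeatedly fail to log in, from a combined-format
# access log. Heuristic: WordPress answers a failed POST to /wp-login.php with
# 200 (form re-rendered) and a successful one with a 302 redirect to wp-admin.
# The sample below is constructed; 203.0.113.x, 198.51.100.x, 192.0.2.x are test ranges.

SAMPLE_LOG='203.0.113.7 - - [03/Mar/2026:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2026:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2026:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2026:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Mar/2026:09:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Mar/2026:09:00:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Mar/2026:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Mar/2026:11:30:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# suspicious_logins <threshold> <allowlist>: reads a log on stdin and prints
# "<failed_count> <ip>" for every IP at or above the threshold that is not in
# the comma-separated allowlist (your own office or VPN addresses), highest first.
suspicious_logins() {
    awk -v thr="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # combined format fields: $1 client IP, $6 "METHOD, $7 path, $9 status code
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= thr && !(ip in ok)) print fails[ip], ip }
    ' | sort -rn
}

# Dry run on the constructed sample; on a live host feed the real log instead:
#   suspicious_logins 10 "198.51.100.9" < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | suspicious_logins 3 ""
```

In the sample, 192.0.2.44 mistypes a password once and then succeeds, which is normal and stays below the threshold; 203.0.113.7 fails four times in four seconds and is the one worth blocking or watching.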
15. Check SSL Certificate Status
Verify your SSL certificate is valid and not approaching expiration. While auto-renewal handles this on SpectraHost, certificates from third-party providers may need manual renewal. Also check that all pages load over HTTPS without mixed content warnings.
Making This Sustainable
Fifteen checks sounds like a lot, but once you've done it a few times, the whole process takes about 30 minutes. Set a recurring calendar reminder for the first Monday of every month. Keep a simple spreadsheet or checklist where you log the date and note anything you fixed.
If you manage multiple sites, prioritize the ones that handle sensitive data or generate revenue. Those can't afford to wait for a quarterly review.
For sites on SpectraHost, several of these items are handled automatically. Automated daily backups, free SSL with auto-renewal, and server-level malware scanning cover items 8, 10, 11, and 15 without any effort on your part. That lets you focus your monthly review on the items that only you can check, like user accounts, password hygiene, and software updates.
