Inventory assets and owners
Document domains, hosting, DNS, admin accounts, databases, email, plugins, themes, APIs, forms, and third-party services. Record ownership and recovery paths.
Protect identities
Use individual accounts, unique passwords, multifactor authentication, least privilege, and periodic access reviews. Remove former staff and vendor access promptly.
Reduce unnecessary components
Remove unused plugins and themes. Prefer maintained products with clear documentation and avoid untrusted or pirated sources.
Patch through a controlled process
Prioritize critical security updates, back up before material changes, and test important sites. Assign a recurring owner rather than relying on memory.
Back up and restore
Keep multiple copies, use separate locations, and test restoration. Define how much data may be lost and how long the website may be unavailable.
Protect forms and user data
Collect only necessary data, use HTTPS, validation, CSRF protection, spam controls, sanitization, and clear retention rules. Explain processing transparently.
Monitor meaningful events
Watch uptime, failed logins, new admin accounts, file and DNS changes, resource spikes, and unusual errors. Prioritize alerts that require action.
30-day baseline
- Enable MFA for critical accounts.
- Remove unused accounts and components.
- Patch and document exceptions.
- Test one off-site backup restoration.
- Review forms and retention.
- Enable uptime and change monitoring.
- Write incident contacts and recovery steps.
Primary references
Use trusted primary guidance such as CISA Secure Our World, the OWASP Top 10, and official WordPress security documentation, adapting controls to the site’s actual risk.
