Here comes the checklist! More than a fad, know that a plane doesn't take off if it doesn't pass through one or more of these, so it might be boring but we must pass through all of them!

The ten items listed are mandatory for anyone who wants to maintain minimal WordPress security in their project and has not hired any professional service to monitor and protect the site.

There are also other ways and methods to protect your online business and ensure the sustainability and likelihood of success of your site (such as our security service for WordPress sites for example).

I will briefly explain how each of these items are important and essential to reduce the vulnerability of your project.

It is also worth remembering that the tool itself requires some security items and offers several tips for the user. So if you haven't started your business yet, pay attention to these items, study and read a lot about security.

However, if your business already exists, make sure you are taking all basic security measures for your business. And if you haven't already, put them into practice as soon as possible.

Item 1: Keep WordPress up to date

As it is a well-known and open source platform, it is essential that you keep your WordPress always up to date.

This is because, due to its popularization and ease of working, it is easy to understand the code, break it and verify the flaws that may have, making scams easier and more frequent.

The good news is that there are actually more good hackers than bad hackers. And many report to the platform when they find any failure, especially security.

That's why updates are released frequently.

Normally, small updates are installed automatically, by the platform itself, but larger and more complex ones need to be done manually.

Keeping the outdated version of your WordPress means keeping a version with known flaws, making life easier for malicious hackers.

Item 2: Strong Passwords

These days, we have so many passwords to memorize that many people limit themselves to making passwords that are easy to memorize.

And also hacking.

Creating a strong password and keeping it updated periodically is an easy, quick and efficient WordPress security measure that can prevent a lot of problems.

When crafting your password, keep these basic tips in mind:

• Avoid sequential numbers and letters: 123456 or abcdef
• Avoid numbers and letters that are the same: 000000 or aaaaaa
• Avoid names and dates of birth of close people: mother's name, child's date of birth, etc.
• Mix uppercase and lowercase letters, numbers and characters whenever possible;
• Update your password frequently: Every two to three months, update your passwords;
• Avoid using the same password on other portals: this way, you also avoid having your life hacked.
• Avoid obvious passwords: if your site is about programming, for example, avoid passwords that are intuitive and obviously related to your business, such as: software;
• Avoid using the same username and password.

Item 3: User Permission

Be careful when deciding what type of access and permissions users will have to your site.

Be sure what exactly each type of user will be able to do, read, modify and view in WordPress. Do a detailed analysis whenever you need/want to add new users.

It is important for you to be very sure of the level of trust you can have with users and, consequently, the level of freedom you will allow them.

If you have, for example, a large team, it is advisable that you also have a high level of criteria and rigor, so that things do not get out of control.

Item 4: Remove unused plugins and themes

There is a term in security called "Attack surface". Basically, when you keep plugins and themes that you aren't using, you increase your attack surface.

What happens is that these plugins will not slow down your WordPress or have any effects while they are disabled, but if any of these plugins or themes have flaws, they can easily be exploited even with it disabled.

Item 5: Backups

It is also important to pay attention to saving complete backups in different and remote places.

These backups should be made frequently, compatible with your update pace, be it daily, weekly, monthly... it doesn't matter.

To ensure the WordPress security of your project, try to do it with as little gap as possible. And there? Do you know if your server has backup? Do you know what is and frequency? Here's your homework!

Item 6: Lodging

Hosting services are perhaps the most hacked, so it is extremely important when it comes to WordPress security.

The different hosting providers also offer the most varied security measures for the most common threats.

Item 7: Invest in WordPress security plugins

Yes, they are very good and avoid many unpleasant situations.

There are free security plugins that pretty much address the most common WordPress security issues.

These systems act as a kind of armor for your WordPress.

Plugins usually run periodic scans (manual, scheduled or automatic) on WordPress, notify whenever they detect threats to the site and take some immediate security measures when they notice an attack.

Some even offer more complete versions, including email and mobile notifications, Google blacklist scanning, malware scans, login attempt limits, and integrity and vulnerability monitoring.

We list the 5 most common and accessible WordPress security plugins in the current market:

1. WordFence: It is the most popular of all, best rated by users and has a very efficient free version.
2. Sucuri Security: It has a free version provided by WordPress itself.
3. iThemes Security: Offers over 30 different ways to protect your website.
4. Google Authenticator: It has a two-step authentication system, reducing the risk of attack.
5. BulletProof Security: Offers easy and quick security measures, locks user home from long period of inactivity.

Item 8: Limit login attempts

The WordPress standard allows users to try, several times, to log in. Therefore, by limiting login attempts, you reduce the likelihood of attacks.

It is the same logic used by credit cards and banks, for example. After a certain number of attempts, the system blocks the user's access. The release is made only after a verification or a second login step, which can be through an email confirmation, answering a registered key question or a verification code sent to the registered cell phone or email.

This simple measure, available in the vast majority of WordPress security plugins, can prevent many of the most common types of attacks and threats.

Item 9: Change Username

In addition to keeping your passwords updated frequently (Item 2), updating and changing your username also helps increase your WordPress project's security.

The same tips for creating passwords are valid when defining your username.

Remember that malicious hackers will work with the logic of trial and error, in other words: they will try everything until they succeed.

Therefore, the better your username and password are, the lower the hacker's chances of success.

Avoid names like “admin”, “administrator”, “marketing”, “{your site name}”

Item 10: If using a “premium” plugin or theme, pay for it

Unfortunately, a very common practice among unprofessional/ethical developers is the use of Plugins and Themes that are paid for, but are illegally downloaded from the internet.

This is done most of the time, because the developer competes on price, not quality, that is, he charges cheaper, and downloads plugins and themes irregularly.

By doing so, you lose any support you would get from a professional theme or plugin.

The cheap is expensive, the vast majority of these plugins and Themes have loopholes that allow other people to control your site by deleting content, directing it to a third-party site and sending virus installations to your customers. Only download plugins and themes from trusted sources.

Now, the importance of combining the various WordPress security items listed is evident. See the following example.

By applying the items listed above, you can imagine the scenario:

Item 2: Strong passwords: the hacker will have difficulty deciphering the access password;

Item 3: User Permission: even if the hacker is able to access the system using a certain combination of username and password, access may be limited.

Item 7: Security plugins: the system detects possible attacks and suspicious behavior, blocks access, notifies the user and executes security measures;

Item 8: Limit access attempts: the various attempts to combine username and password block access, requiring a second verification step;

Item 9: Change Username: Variation of username limits ease of re-attack after some time.

item 10: You will have support and guarantee that the code that is running in your installation is a validated code and constantly updated by the developer who received it.