WordPress Security Checklist: How To Secure Your WordPress Website

The WordPress Security checklist, like any other check list contains a number of requirements you need to fulfill in order to reach the goal of securing your WordPress website against vulnerabilities & hacking.

If you can implement all the items mentioned in this checklist your website would become virtually impossible to hack & more importantly give you the piece of mind to allow you focus on your core business.

Wordpress security checklist

The list requires your to persorm certain tasks in ordeer to keep your WordPress core, theme, and plugins up-to-date along with using a strong password and setting a limit to login attempts. The checklist also, recomend advanced security measures such as two-factor verification and setting up a firewall for your website.

While WordPress is undoubtedly the most popular open-source Content Management System for developing a website or opening an e-commerce store. Unfortunately, due to the open source ature of the platform, it invites a lot of attention from hackers, who actively prey on you data. 

In this post we will cover the WordPress Security Checklist to secure your WordPress site from most common cyberattacks. 

Check more: PageSpeed Optimization Service

Why Do You Need To Secure Your WordPress Site?

Your website is your money making machine (hopefully!), and you need to protect those who help you make that money, your users & their sensitive. Implementing a proper WordPress security checklist can protect your website from cyberattacks & prevent data breaches.


Get The Best PageSpeed Score

For Your WordPress Website

All in One Optimization Plugin
No Coding Knowledge Required
  1. Prevent hacking

Due to its widespread use, WordPress sites are easiest targets for hacking. Implementing WordPress security would protect your website from unauthorized access, malware, and other types of cyberattacks.

  1. Protecting the Data and Maintaining the Client’s Trust

Your website might contain valuable information about your users such as sensitive financial data, payment details, or business-related infiormation. Any breach to this data, no matter how small, would reflect posivitly toward your business.

Adding security ensures that the data is safe from hackers and builds trust among your users.

  1. Preserving your SEO rankings

Google prioritizes secure websites for SEO rankings, a hacked website would start loosing its SEO ranking farly quickly. While this decline in ranking is temporary, if your website stays hacked for weeks or longer, it might have a huge negative impact on your websites organic ranking which might take months to overcome.

Keeping your WordPress website secure helps you retain your SEO rankings and your investments in it.

View also: Http 3.0

The Common WordPress Security Issue

First lets understand the the common WordPress security issues faced by the WordpRess users. It could be as benign as an outdated WordPress core, theme or plugins. Weak passwords, SQL injection, cross-site scripting are also very common security issues found in WordPress eco-system.

Outdated WordPress Core, Theme, And Plugins

Using an outdated WordPress version, themes, or plugins can lead to compatibility issues and security vulnerabilities. Regular updates are crucial to secure your WordPress site.

WordPress’s auto update feature might not always word if you are on a poor quality host.

Weak Passwords

If you are using a password you used when you were in school & still using it even after having 2 kids & 3 pets, there’s high chance that it got leaked in the numerous data breaches from a myriad of websites over the years.

Similarly using a easily guessable password or using the default password makes it easier to break your password and get unauthorized access to your website.

SQL Injection

SQL injection (SQLI) is a common cyberattack that uses malicious SQL code to manipulate the backend database of websites and access information that was intended to be confidential. 

WordPress Security Checklist, sql injection

Its an older & overused technique to gain unauthorized access to the website’s backend database and sensitive information.

Adding scripts from untrusted sources 

Another extremely common security attack involves making the site owner upload a malicious JavaScript file containing an infected web file. The attacker then begins stealing data and other valuable assets through these files.

Bruteforce Attack

The attackers try multiple usernames and passwords in order to guess your password and access your website. This is known as a brute force attack. 


Phishing is a type of cyber attack in which attackers use fake login or payment pages to obtain the user’s sensitive information, such as login ID, password, credit card details, and other personal data.  

How To Check Your WordPress Site’s Security?

Several online tools, such as Sucuri, UpGuard, VirusTotal, SiteLock, and many more, are available to check your website’s security. These tools can also check for vulnerabilities, malware, and other security issues.

Its never a bad time to protect your investments, wheater its in the form of time or money.

The WordPress Security Checklist.

below id the checklist to help you secure your WordPress website, implement these techniques to keep your WordPress site secure.

  • Update your WordPress theme and plugins.
  • Make sure you are using the latest WordPress version
  • Use a strong password
  • Add two-factor Authentication (2FA)
  • Regularly Backup your WordPress website’s database
  • Update your PHP version
  • Set up a web application firewall
  • Switch to a good WordPress hosting provider
  • Limit Login Attempts
  • Use CloudFlare

Let’s see how to implement each of these techniques to keep your website secure.

Make Sure You are Using the Latest WordPress Version

Using the most recent version of WordPress needs to be a priority on your security checklist.

By keeping WordPress updated, you can ensure your website is reliable and safe from hackers. Follow these steps to check and update your WordPress version.

Wordpress current version

If your WordPress version is outdated, you can see the Please Update Now button after logging into your WordPress dashboard. Click that button to update your WordPress. 

Note: For few plugin developers take time to support the latest version of WordPress, while this this might seem like an obssticle when updating the WordPress version, it might be time to look for their alternatives.

Update Your WordPress Theme and Plugins

According to WPScan reports, approximately 53.98% of WordPress website vulnerabilities are due to WordPress Plugins.


To secure your website, the first thing you need to do is keep your WordPress theme and plugins up to date. Besides an incompatibility issue, an older version of the WordPress plugin and theme can be the reason for your security issues.  

Use a Strong Password

According to WP Manage Ninja’s statistical report, 8% of WordPress websites were hacked in 2020 due to weak passwords. To protect your website from hackers, you need to create a strong password.

As per Microsoft, a strong password should consist of more than 12 characters, including uppercase and lowercase letters, symbols, and numeric numbers. It should not be a common word such as the name of the person, product, or organization.

use a strong password

Instead of using a common word you can use a memorable phrase such as 123MonkeysRLooking#.  

After generating a strong password, you need to keep your password secure by following the below guidelines:

  1. Never share your password with anyone.
  1. Use a different password for each website or account.

If hackers guess the password of your one website, they will try to use that password on your other website, such as social media, or banking. This is known as a “Credential stuffing attack. To avoid credential stuffing attacks, Create a unique password for different websites.

  1. Never share your password through messages or emails that are not secure.

Add Two-Factor Authentication (2FA)

No matter how strong your your a password is one-step verification sometime might not be enough to secure your WordPress website. 

two step authentication, 2FA

Using two-factor authentication (2FA) would make your WordPress website a lot more secure. This identity and access management security technique requires two different forms of identification to grant access to resources and data.

Several WordPress plugins are available for adding two-factor authentication:

  1. MiniOrange Google Authenticator.
  2. Two Factor Authentication.
  3. WP-2FA.
  4. Two-Factor.
  5. Duo
  6. Wordfence Security.
  7. Shield Security.
  8. iThemes Security.

Limit Login Attempts

Limiting login attempts is one of the best ways to save your WordPress website from brute-force attacks. WordPress’s default settings permit unlimited login attempts. Therefore, hackers take advantage of this by using bots that guess passwords.

login limit exsusated

By adding a limit on login attempts, your system can temporarily block the user if the limit is exceeded. You can use limit login attempts WordPress plugins such as Sucuri, Configurable lockout timings, Limit logins, Login Lockdown, and others.

Regularly Backup Your WordPress Website’s Database

Regularly backing up your WordPress website’s crucial databases can be one of the best ways to secure it. If you are technically sound, you can do this manually. Here are the steps:

  1. Download your WordPress website’s files (you can access them via FTP or the file manager that is provided by your WordPress hosting provider) from the root directory to your local system.
  1. Select your WordPress database from phpMyAdmin, available in your WordPress hosting control panel, and explore the database.
  1. Save this database in Excel or SQL files.
Daily Backup WordPress

If you are looking for the easiest solution, you can use a WordPress plugin to back up your website’s database. Here we are mentioning some plugin names that you can use:

  1. Nexcess
  2. UpdraftPlus
  3. BlogVault
  4. Duplicator
  5. Jetpack Backup

There are plenty of hosting providers who would save a backup version of your website for a liitle additional fee, this could a good insuarance premium to pay in most cases.

Check and Update Your PHP Version

PHP is one of the programming languages on which WordPress is based. The hosting provider determines which PHP versions are available for your website, most hosting providers allow you to update the Php version. 

PHP Version

You should update your PHP version for security purposes. To check your PHP version in the health section, follow the below steps.

  1. After logging into your WordPress dashboard, go to the Tools section and select Site Health.
  2. Go to the Info section and click on server.

At the time of this writing, the latest version of PHP 8.3. If your PHP version is less than the latest version, you need to contact your hosting provider. Now, some hosting providers are able to automatically update your PHP version.

Switch to a Good WordPress Hosting Provider

Before you start thinking about your website’s design, it is essential to choose a good WordPress hosting provider. Website owners often use cheap WordPress Hosting to save money. As a result, they would suffer the security issues.

WordPress Security Checklist , good hosting provider

In order to protect your website from unauthorized access, you need to use managed hosting which has the following features:

  1. Provides you the strong security
  2. Scan malware and delete them
  3. Implement DDoS protection. (protecting your server from malicious traffic)
  4. Regular database backup
  5. Automatically update the latest version of your WordPress core, plugins, and theme.

Set Up a Firewall

A firewall scans your website’s traffic and prevents malicious requests such as SQL injection, adding scripts from untrusted sources, and others. Let’s talk about the most common firewalls:

  1. Web application firewall: Scan your HTTP traffic and block malicious action.
Web application firewall
  1. Network Address Translation (NAT) Firewall: Only a secure private network can access your origin server.
Network address translation
  1. Domain Name System (DNS) firewall: Prevent the access of the malicious domain in your network.
DNS firewall

Use CouldFlare

If you are already on a hosting & even setting up a firewall seems like a daunting task you should consider using Cloudflare. it can protect from various attack including DDos attacks.


The Best 7 WordPress Plugins to Secure Your Website

There are plenty of options in WordPress to secure your website. However, you need to choose a plugin that would protect you from cyber attack & not lead to your a trial & error marathon. Here’s a list of of trusted plugins that you can use to protect your WordPress website from cyber attack.

See more: Cache Invalidation

  1. Wordfence Security
Rating (out of 5)4.7
Key featuresTwo-factor authentication, a web application firewall, shows you the line traffic.
  1. iTheme Security
Rating (out of 5)4.6
Key featuresFile change detection, Local and network brute force protection.
  1. Defender Security
Rating (out of 5)4.8
Key featuresAudit logging, Google blocklist auto-check
  1. All-in-one WP Security & Firewall
Rating (out of 5)4.8
Key featuresLogin lockdown, Cookies-based brute force protection.
  1. BulletProof Security
Rating (out of 5)4.8
Key featuresRegular database backup, MScan malware scanner, idle session log out (ISL), JTC anti-spam
  1. Sucuri Security
Rating (out of 5)4.3
Key featuresCache clearing, secret or security keys, protection for brute force attacks
  1. Security Ninja
Rating (out of 5)4.8
Key featuresEvents logger, cloud firewall, core scanner, scheduled scanner


According to Hostinger, around 90,000 hackers attack your WordPress website per minute. Here we have already covered the most common reason behind this website hacking. We also talk about the manual solutions and mention 7 WordPress plugins to secure your website.


Get The Best PageSpeed Score

For Your WordPress Website

All in One Optimization Plugin
No Coding Knowledge Required

9 Smart Techniques to Avoid Enormous Network Payloads Warnings

Are you struggling to fix the avoid enormous network payloads warning on Google PageSpeed Insights?

Avoid Enormous Network Payloads is one of the most common warnings you come across when auditing your website’s page speed performance on Google PageSpeed Insights or Lighthouse. This warning indicates you need to reduce the page size of your WordPress website.

avoid enormous network payloads

There are several ways to mitigate this warning such as by optimizing all images, implementing lazy loading, using CDNs for the distribution of the static resources, and other optimization techniques. Let’s understand these optimization techniques in detail.  

What is The Meaning of Network Payloads?

Before diving into the avoid enormous network payload warnings, first, we will explain what is network payloads.  

network payloads

When a user loads your website, the browser sends the HTTP requests to your server. The origin server transfers your website’s resources through the HTTP response. Network payloads indicate the total size of these transferred resources such as:

  • HTML files
  • CSS styles sheets
  • JavaScript files
  • Media files (Images and videos).  

Understanding The Avoid Enormous Network Payloads Warning

In a simple word, this avoids enormous network payload warnings, indicating your web page size is too large than the recommended page size (less than 1600 KiB) by Google PageSpeed Insight. This large page size is correlated with the longer loading time. 


Get The Best PageSpeed Score

For Your WordPress Website

All in One Optimization Plugin
No Coding Knowledge Required

This enormous network payload warning is triggered by Google PageSpeed Insights when your Page size is larger than 1600 KiB or 1.6 MB. In order to achieve a good Google PSI score, you need to reduce your page size. 

Why Fix Avoid Enormous Network Payloads Warning

This enormous network payload indicates a large page size which negatively impacts your WordPress website’s PageSpeed performance, Core Web Vital’s performance (especially in Largest Contentful Paint), and the user experience.

avoid enormous network payloads warning

Therefore, by reducing network payloads you can improve your:

  • Improving the loading time
  • Reducing Largest Contentful Paint (LCP) time
  • Improving the overall pagespeed Insight score 
  • Enhance the user experience 

Let’s discuss these in detail.

Improving the Loading Time

The larger the page size, the longer it might take time to download and render the website’s resources on the browser. You can decrease your page size by reducing the network payloads. 

Page load time, avoid enormous network payloads

Therefore, loading your website’s resources would not take a long time and would improve your web page loading time.

Reducing Largest Contentful Paint (LCP) Time

LCP REDUCING, Overall performance score,

Largest Contentful Paint is a performance metric that calculates the time it takes to render the largest content (hero image, text block) on the browser. Reducing the network payload can improve the LCP time, resulting in a better user experience.

Improving the Overall PageSpeed Insight Score 

Overall performance score

Google PageSpeed Insights scores your website’s pagespeed performance based on the real user experience. By fixing this enormous network payload, you can achieve a good pagespeed score.

Enhance The User Experience 

user experience

As discussed, reducing the enormous network payload can improve your website’s loading performance. A fast-loading website meets user expectations and results in a good conversion rate. 

The Reason Behind This Network Payloads Warning

Before diving into the solution, it’s important to find the root cause behind this enormous network payloads warning. Here we will discuss the most common reason for this network payload warning which includes.

  • Unoptimized CSS and JavaScript files.
  • Large-sized images.
  • Using too many plugins 

Let’s cover these reasons in detail.

  • Unoptimized CSS and JavaScript Files: 

Unoptimized CSS and JavaScript files increase the file size. Therefore, they might be considered render-blocking resources and increase your website’s total blocking time.

  • Large-Sized Images: 

Large-sized unoptimized images often increase your page size and are considered the root cause of the enormous network payloads warning in Google PageSpeed Insights. 

  • Using Too Many Plugins 

Every WordPress plugin has its own HTML, CSS, and JavaScript files that need to be executed during your web page loading time. Therefore, using multiple plugins would increase your network payload by enlarging your page size.

9 Techniques to Fix This Avoid Enormous Network Payloads Warning

Now you already the reason behind this enormous network payloads warning. To pass your Google PSI audit, you need to fix this warning. There are several ways to fix this Google PSI warning including: 

  1. Selecting a fast-loading WordPress theme
  2. Optimizing all images
  3. Compression all resources
  4. Minify CSS and JavaScript files 
  5. Implement lazy load for above-the-fold content
  6. Apply browser caching mechanism 
  7. Use Content Delivery Network (CDN)
  8. Optimize the web fonts
  9. Avoid using too many plugins

Let’s see how to implement these 7 techniques to fix the enormous network payload warning.

Selecting a Fast-Loading WordPress Theme

A poorly developed WordPress theme might be the reason for an enormous network payload warning. If the fundamental resources of your WordPress theme such as HTML, CSS, and JavaScript are unoptimized then it would increase your page size.

wordpress theme

To avoid this issue, you should choose a fast-loading WordPress theme. Here we are listing 5 WordPress themes that you can consider for your website.

  1. Astra
  2. Divi
  3. OceanWP
  4. Avada
  5. Neve

Optimizing Your Images

In order to make your website more attractive, you often add high-resolution images to your website. This would increase the network payloads and reduce the PageSpeed performance of your website. 

optimize your images, image optimization

The most common way to optimize large PNG or JPEG images is to convert them into next-generation formats such as WebP or AVIF. By converting images into WebP or AVIF format, you can reduce the image size without compressing their original quality.

Manually optimizing your all images can be a time-consuming process. To save time you must use an optimizing plugin like RabbitLoader. In bellow, we will discuss how RabbitLoader will help you in image optimization.  

Compression All Resources

Another way you can reduce the enormous network payloads is by compressing the resources of your WordPress website such as HTML file, CSS stylesheet, and JavaScript file.

all resources compression, avoid enormous network payloads

There are two compression methods available to compress your website’s assets.

  1. GZIP is the traditional method for compressing your website’s resources, such as HTML files, CSS stylesheets, and JavaScript files before sending them to the network, improving the page load time.
  1. Brotli uses a modern compression algorithm to improve the compression ratio. Brotli compression is more flexible than GZIP with a higher compression ratio.

When you use RabbitLoader, it compresses all resources, such as HTML, CSS, and JavaScript files, using the Brotli algorithm and sends the compressed files over the network.  

Minify CSS and Javascript Files

Minification is a well-known optimization technique for reducing the network payloads on your website. By minifying your website’s fundamental assets (CSS and JavaScript files), you can remove unnecessary characters like spaces and comments from your CSS and JavaScript files.

css js minification, avoid enormous network payloads

When you are using RabbitLoader, why are you putting extra effort into installing another plugin to minimize your CSS and JavaScript files? RabbitLoader will automatically minify your CSS and JavaScript files to reduce your page size.

Implement Lazy Load for Above-The-Fold Content

If your WordPress website has a lot of images, you need to implement lazy loading. Lazy loading is an optimization techniques that allow your browser to load the above-the-fold images. The rest of the images will load once you scroll down to them.

lazy load above the fold, avoid enormous network payloads

By Implating lazy loading you can fix this enormous network payload warning and improve the pagespeed performance of your WordPress website. 

Lazy Loading can be easily implemented by installing a WordPress plugin, however, when you are using RabbitLoader for optimization, it will take care of your lazy loading along with other optimization features.

Apply Browser Caching Mechanism 

A browser cache temporarily stores your website’s static resources, such as HTML files, CSS stylesheets, and JavaScript files, to speed up the website loading. Thus it would reduce the HTTP requests to the server.

browser cache mecanishm, avoid enormous network payloads

Therefore, by applying the browser caching mechanism you can decrease the number of HTTP requests, reducing the network payloads in your WordPress website.

You can easily apply the browser caching mechanism by installing a WordPress plugin like RabbitLoader. 

Use Content Delivery Network (CDN)

A Content Delivery Network (CDN) reduces network latency by reducing the real-time distance between your user and the origin server. A CDN stores your website’s static content, such as CSS stylesheets, JavaScript files, and images, in the edge/ proxy server worldwide.


Therefore, when a user visits your website, the website’s static content will be served from the nearest proxy/ edge server instead of the origin server. This would reduce the network payload on your website.

If you are looking for a free Content Delivery Network (CDN) service for your WordPress website, you must install RabbitLoader. 

Optimize The Web Fonts

While web fonts make a website visually attractive, unoptimized fonts increase the website’s network payload. The best practice is to use a web-safe font to avoid this enormous network payloads warning.

webfont load,avoid enormous network payloads

However, if you want to use web fonts that are not web-safe, you must optimize these web fonts by adding the preload attribute in your HTML tag. For more information, go through our previous blog.

If you are looking for a non-coding solution, install RabbitLoader. It will optimize your web fonts, so you don’t need to put in any extra effort.

Avoid Using Too Many Plugins

In order to optimize your WordPress website’s performance, if you use too many plugins, it would increase your website’s network payload due to its inbuilt HTML, CSS, and JavaScript files.

In simple words, every plugin has its own HTML, CSS, and JavaScript files. These files are also executed during the web page’s loading, automatically increasing the network payload. 

avoid too many plugins,avoid enormous network payloads

To avoid this enormous network payloads warning, you should choose a WordPress plugin that has multiple optimization features. Thus, you don’t need to install other WordPress plugins.

When you are using RabbitLoader, you don’t need any other WordPress plugins for image optimization, lazy load implementation, and other optimization techniques.

How RabbitLoader will help you mitigate this enormous network payloads warning?

At this point, you already know how to fix your avoid enormous network payloads warning and speed up your WordPress site. Let’s explore RabbitLoader’s core features to mitigate this enormous network payloads warning.

  1. RabbitLoader converts your all images into WebP and AVIF format. For its in-built bulk image optimization feature, it lossless compresses your images and reduces the network payload, resulting in a faster WordPress website.
  1. By implementing lazy loading, RabbitLoader will reduce the rendering time of your website’s largest contentful element. Thus, it will improve your LCP performance, enhancing the user experience.
  1. By generating a critical CSS file, RabbitLoader will eliminate your render-blocking resources and reduce the CSS file size by 98%, decreasing your website’s Total Blocking Time.
  1. RabbitLoader compresses your all website’s assets like HTML, CSS, and JavaScript by using Brotli methods. It would reduce your enormous network payloads, increasing your WordPress website’s performance.
  1. RabbitLoader has an advanced caching mechanism that helps you avoid enormous network payloads warnings by reducing the number of HTTP requests to the origin server.
  1. RabbitLoader has an in-built Content Delivery Network (CDN) with 300+ edge servers worldwide, reducing the network latency.

If you come across this avoid enormous network payloads warning during your website’s pagespeed audit, and you are looking for a non-coding solution, you need to install RabbitLoader to fix this warning.


Get The Best PageSpeed Score

For Your WordPress Website

All in One Optimization Plugin
No Coding Knowledge Required