WordPress Security Checklist in the Age of Gutenberg

WordPress dropped a massive update back in December 2018 with WordPress 5, codenamed Gutenberg. Gutenberg brought a radically different text editor for the masses. But did it necessarily improve the overall WordPress Security?

Today we will talk about the WordPress Security checklist you should maintain after WordPress released Gutenberg. Although Gutenberg was released a long time ago, and people are getting used to the editor, still it is important to know what security measures you should take to cope with the Gutenberg editor.

The Scenario After Gutenberg Editor Was Released

Every day around 70000 websites get hacked, reports internetlivestats.

Although the new editor faced some criticism when it was released, slowly people are getting used to the new editing experience. WordPress 5 Gutenberg was released on December 6, 2018, named for jazz musician Bebo.

This major release added more than 20 new features including the all new shiny block editor, table of contents block, new blockquote block, table block, cover image block, cover text and more.

However, every new feature means new opportunities for vulnerabilities, security loopholes and more. WordPress 5.0 had five significant security vulnerabilities including sensitive data exposure, PHP object injection, Privilege escalation /XSS, and unauthorized file deletion.

Hence, WordPress 5.0.1 was released immediately within a week and was labeled as an “immediate Update” from the security specialist guys over at WordFence.

8% of WordPress sites are hacked due to weak passwords. WordPress websites are particularly vulnerable when they're not updated regularly enough. 61% of attacked websites are outdated.

The WPScan Vulnerability Database discovered that more than 70% of attacks happen due to out-of-date software. The most vulnerable versions of WordPress are WordPress version 3.x

Then WordPress 5.0.2 was released as a maintenance release in the following week as people were having issues with the new block systems. There were bug fixes and new feature improvements in WordPress 5.0.2 release.

Now, WordPress is running the version 6.5.2. It was released with 2 bug fixes on Core, 12 bug fixes for the Block Editor, and 1 security fix.

Why You Should Take WordPress Security Issues Seriously!!

WordPress is always adding new features to improve the user experience. New features mean there will be risks of new vulnerabilities. Although WordPress adds many new features as we discussed before, did it do anything groundbreaking in terms of security?

The answer is- NO!

Because it's human nature, we do not worry about managing potential security risks until it's too late. How about one day you find that all the stuff in your house is gone because you didn't lock your front door? Or how about leaving your car unlocked for just a few minutes and finding out it's gone forever?

Once someone robs your house, steals your car, or hacks into your WordPress website, you would find yourself stupid not to do something beforehand.

The problem is, humans react to all these scenarios when it’s too late. By the time you should have done something, you will find out that you are trying to minimize your damage. Hence, pre-planning, prevention, being proactive, and taking appropriate security measures beforehand – ensure that your chance of data breach gets reduced significantly.

However, this article isn’t about your car or your house; it’s about securing your WordPress website in the age of Gutenberg. If you follow this article to the end, you will have a well-organized security checklist to minimize the security risk of your site.

Security Begins When You Are Ready to “ACT”

If you are too lazy about doing something to secure your WordPress website, you will not be able to minimize the security risks.

You have to be proactive because it’s not every day you notice your website is hacked, right? But when this happens and if you are unprepared at that time, then only God might save you!

It's crucial to secure your website before havoc wrecks upon. Any private or sensitive information may get breached. You remember the infamous iCloud hack right?

A security breach could potentially be destructive to your customers and you. Once you lose your customer's trust, you cannot regain their trust soon. Hence, we will be offering some of the best and industry-proven WordPress security tips to secure your website.

15+ WordPress Security Checklist to Protect Your Website [2024]

We already mentioned some of the best WordPress security tips in our article WordPress Security Guide. Chances are, you already came across the article.

But how can you improve your WordPress Security in the age of Gutenberg? We will list some of the best security measures that you should take to secure your WordPress website after the release of Gutenberg.

Before jumping to the checklist, check out the following infographic on the top 5 WordPress security issues.

• Security Vulnerabilities
• Bruteforce Attacks
• File Exclusion Exploits
• SQL Injections
• XSS- Cross Site Scripting
• Malware

Here are the WordPress Checklist you need to maintain your website-

1. Double Check Your Username and Password
2. Double Check Your Database User Permission
3. Prevent Bruteforce Attacks Using A Captcha Plugin
4. Make Use of the Best WordPress Security Plugins
5. Perform a WordPress Security Check
6. Use SSL With Cloudflare
7. Keep WordPress core, themes, and plugins up to date
8. Apply strict username and password policies
9. Enable 2FA for all user accounts
10. Limit login attempts
11. Enable user logging and monitoring
12. Monitor and update your PHP version
13. Regularly back up your site
14. Disable file editing
15. Automatically log out idle users in WordPress
16. Add security questions to WordPress login

Let's see the details-

1. Double Check Your Username and Password

You have heard it before, but we are emphasizing it anyway. More than 80% of security vulnerabilities are related to weak and obvious passwords.

This is the single WordPress security tips that you will find it across the web in every security related article.

It’s okay to use a memorable password. However, you should always choose a strong password that combines special characters, lower case, upper case combination.

You should NEVER use a password like “123456”. 123456 is the most common password, declared by Fortune. You can check the list of the most common passwords here, and you should avoid them at any cost.

You can use services like KeypassX, Bitwarden (an open source password manager), LastPass, 1Password to generate strong passwords.

It is wise not to use the default WordPress username “admin” too.

2. Double Check Your Database User Permission

This WordPress security tips will help you to secure your WordPress website from the backend. If you alter the permission of your database user, then even if your site gets hacked, a hacker will not be able to delete (or in this case drop) your data (in this case the database table).

While creating your database user, you should not allow your database user to drop database tables. (Read more on database user security)

On a side note, you should know that WPERP utilizes all WordPress security standard.

3. Prevent Brute-Force Attacks Using A Captcha Plugin

Bruteforce attacks are one of the most common forms of attack. Brute force attack tries all possible combinations of password unless it matches to one. Hackers use scripts to automate the whole process.

You can install the plugin No CAPTCHA reCAPTCHA from WordPress Repository.

This plugin integrates Google's spam blocking service reCAPTCHA to your WordPress website.

This plugin will lower the extra CPU usage you might have due to continuous brute-force attacks.

4. Make Use of the Best WordPress Security Plugins

There are many WordPress security plugins out there including the most famous ones such as Sucuri, WordFence, Ninjafirewall and more. Each one has its own functionalities.

Wordfence is the most popular one among these security plugins. Various websites have also featured Wordfence as the most useful security plugin in their best WordPress plugins list. Wordfence has more than 2 million active installs along with a rating of 4.8 stars of average rating. For a plugin, the stats are certainly impressive.

Wordfence includes all the essential security features including login security, IP blacklist, security scanning, and firewall for your WordPress site.

[Companion reading: Best WordPress Security Plugins Overview]

5. Perform a WordPress Security Check

Professional security checking websites often require payments to perform a comprehensive security check. Security scans are helpful for finding security vulnerabilities. Here's a list of websites where you can schedule a free security scan.

• Hackertarget WordPress Security Scan
• ScanWP’s WordPress Security Scan
• WPScans WordPress Security Scan
• WP Neuron
• WP Loop
• Acunetix
• WP Recon WordPress Security Scan
• Sucuri’s Site Check

6. Use SSL With Cloudflare

There's no reason not to use Cloudflare. Cloudflare provides free CDN and SSL. You can take advantage of both if you use Cloudflare. Cloudflare also provides security features including DDoS protection, IP blacklisting, load balancing and more.

We recommend using a security and site acceleration service like Cloudflare or Incapsula.

7. Keep WordPress Core, Themes, and Plugins up to Date

Make sure to keep your WordPress version up to date. Because WordPress releases every version with some security patches and fixes to site vulnerabilities. The same goes for WordPress themes, and plugins as well. Keep them up to date.

In the WordPress version 6.5.2, A cross-site scripting (XSS) vulnerability affecting the Avatar block type, was fixed.

To save you time, you can enable the auto-update feature as well. It will automatically update the plugins and themes when there is a new update.

To update WordPress, just go to Dashboard–> Updates from the WP-Admin dashboard. Click on the update button to get the latest version of WordPress.

8. Apply Strict Username and Password Policies

This goes without saying. Along with checking your passwords and usernames, you need to apply strict usernames and passwords as well. We have already mentioned what kind of passwords you need to use to protect your website.

9. Enable 2FA for All User Accounts

If you are using Gmail, Facebook, Twitter, or any other social media platforms, you will notice they encourage you to enable the 2FA for your account. It has already become a popular term in the web. You should also enable the 2-factor authentication for your website.

This will give you an extra layer of security and hackers will not easily gain access to your website. You can use the Jetpack’s Secure Authentication functionality. 

10. Limit Login Attempts

The base of brute force attacks is to look for sites with weak credentials and sites that won't block even after hundreds of login attempts.

By limiting the login attempt, you can save your website from brute-force attacks. A regular user may forget their passwords or usernames, but they won't try to log in hundreds of times. Jetpack also provided a feature for you to limit the login attempts.

Related – How to Limit Login Attempts in WordPress (Plugin+Code)

11. Enable User Logging and Monitoring

Regularly monitor who is logging into your website. This will help you spot any irregularities and take action if you find anything suspicious. A website security log will help you monitor your website and keep your website safe from hackers.

12. Monitor and update your PHP version

Having a backdated PHP version can also become a threat to your website's security. It also ensures compatibility to the latest WordPress features.

You can check which version of PHP your site uses by navigating to Tools → Health → Info → Server in the dashboard.

Related – How to Check and Update PHP Version in WordPress in 2026

13. Regularly Back up Your Site

After all the measures you have taken, you can still face security issues and lose your website. So, keeping a backup of your website regularly should be of your daily tasks and an important point of your WordPress security checklist.

There are quite a few WordPress backup plugins available you can use to back up your website automatically.

14. Disable File Editing

In WordPress, you can edit the files of your themes and plugins to make the necessary changes. This is one of the advantages of using WordPress. But in the wrong hands, it can be fatal.

So, make sure to turn file editing off. Just turn it off when you need to edit the files.

You can easily do this by adding the following code to your wp-config.php file or with a code snippet plugin like WPCode-

Disallow file editdefine( 'DISALLOW_FILE_EDIT', true )

15. Automatically Log out Idle Users in WordPress

Sometimes a user may forget to log out of the site. This also poses a security threat as someone may change the password, and change their account activities.

That is why it is important to log out the users after they are idle for some time. You will see that banking and other financial systems practice this. This is why. You can use the Inactive Logout plugin to add this feature to your website.

16. Add Security Questions to WordPress Login

Adding security questions will make it harder for users trying to get unauthorized access. You can use the 2FA to add security questions. Only your logged-in user will know the answers to these questions and able to log in to your website.

Wrap-Up on WordPress Security

Security is one of the most important aspects of a website. You should always take your website's security seriously. WordPress is evolving daily, so you have to keep yourself updated against the latest security vulnerabilities, malware, and threats. We listed some of the best WordPress security tips here, but no system can be 100% secured.

If you have some more WordPress security tips to share, feel free to let us know via comments. However, if emergencies occur and you find your website is already hacked, showing symptoms like redirection, popups – you can try replacing your WordPress core files.