Alright Charlotte — here are your final 5 steps (21–25) to fully secure your WordPress, Shopify, and static HTML environments.
These cover encryption, third-party audits, incident response, resource protection, and continuous testing — all free and practical.

21. Encrypt data at rest & in transit (CWE-200 / Sensitive Info Exposure)

WordPress

• You’ve already got HTTPS via Let’s Encrypt.

• Encrypt backups:

  tar -czf wpbackup.tar.gz /var/www/html
openssl enc -aes-256-cbc -salt -in wpbackup.tar.gz -out wpbackup.enc
rm wpbackup.tar.gz


• Don’t log PII in debug logs or plugin forms.

• For database-level encryption:

  • Use MySQL AES_ENCRYPT() / AES_DECRYPT() on sensitive fields:

    UPDATE users SET ssn = AES_ENCRYPT('123-45-6789','your_secret_key');


Shopify

• Customer & payment data are encrypted automatically.

• You can’t modify encryption behavior, but:

  • Disable customer accounts if not needed.

  • Delete old draft orders and unused customer records.

Static HTML

• Host with full-disk encryption (LUKS or BitLocker).

• Secure uploads & data directories:

  sudo chmod 700 /var/www/uploads


• If storing contact form data, encrypt before writing:

  file_put_contents('msgs.txt', openssl_encrypt($msg, 'AES-256-CBC', getenv('KEY'), 0, $iv));


22. Audit third-party integrations / APIs (CWE-862 Missing Authorization)

WordPress

• Review all plugins in Plugins → Installed Plugins → “View details.”

• Delete those that:

  • Haven’t updated in 1 year,

  • Request broad permissions,

  • Or aren’t from WordPress.org.

• Plugin audit helper:
  “Plugin Security Scanner” (free) → shows vulnerable/outdated ones.

• Cloudflare → “Firewall → Tools” → block calls from suspicious API origins.

Shopify

• Settings → Apps → View App Permissions → check every app’s data access.

• Delete unused or legacy apps.

• Audit “Custom Apps” → ensure tokens are rotated regularly.

Static HTML

• Review JS calls to third-party APIs — especially analytics & widgets.

  • Use Mozilla Observatory or SecurityHeaders.io.

• Only call APIs from HTTPS, never hardcode tokens in JS.

• Implement simple key rotation using cronjob + env variables.

23. Define & test an incident response plan

WordPress

• Use Wordfence Free or WP Security Audit Log for intrusion alerts.

• Create a free Google Sheet “Incident Response Plan” template with:

  • Detection → Containment → Eradication → Recovery → Lessons.

• Test by:

  • Restoring a backup to verify RTO/RPO (Recovery Time & Point Objectives).

  • Changing all admin passwords quarterly.

Shopify

• Go to Settings → Security → View account activity regularly.

• Schedule monthly export of orders & customer lists (CSV) for offline recovery.

• Document who responds if your store is compromised (who resets passwords, contacts Shopify Support).

Static HTML

• Use Fail2Ban logs to detect repeated IP attacks:

  sudo zgrep "Ban" /var/log/fail2ban.log*


• Test restore from backup quarterly.

• Keep an emergency “offline mirror”:

  wget --mirror -p --convert-links https://yoursite.com


24. Resource consumption & DDoS protection (CWE-400)

WordPress

• Cloudflare Free → Security → DDoS Protection → Enable.

• Block XML-RPC:

  add_filter('xmlrpc_enabled', '__return_false');


• Limit comment spam:

  • Enable Akismet (free personal license).

  • Or install “Antispam Bee” (100% free, GDPR-friendly).

• Add to .htaccess:

  LimitRequestBody 10485760


  (limits uploads to 10 MB)

Shopify

• Built-in DDoS mitigation from Shopify edge.

• Still: disable unnecessary sections like “product recommendations” or large sliders to reduce load times.

• Use image compression app (free ones like TinyIMG Free plan).

Static HTML

• Use Cloudflare:

  • Under Attack Mode for high-traffic events.

  • “Rate Limiting” on POST endpoints.

• On Apache:

  Timeout 45
KeepAliveTimeout 5


• On Nginx:

  limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
limit_req zone=mylimit burst=20;


25. Continuous vulnerability scanning & testing

WordPress

• Free scanners:

  • WPScan CLI or website (free API):

    wpscan --url https://yoursite.com --enumerate p,u,vt


  • Detectify Free Lite for light scanning.

• Run monthly and log results in your sheet.

• Verify your .htaccess, headers, and plugin updates.

Shopify

• Use ImmuniWeb Community Test to scan your Shopify store.

• Use built-in Shopify Analyzer (free) → https://analyze.shopify.com for performance/security hints.

Static HTML

• Use:

  nikto -h https://yoursite.com


  (Free, open-source web vulnerability scanner)

• And:

  nmap -sV --script vuln yoursite.com


• Monitor with UpGuard Free scan.