90 Day Cybersecurity
That's an excellent goal! Combining your technical background (especially with Linux) and your renewed focus on WordPress development with cybersecurity knowledge will make you a formidable and highly sought-after freelancer. You're strategically positioning yourself for success.
Here is a comprehensive 90-Day Cyber Security Learning Plan structured in a day-by-day format, specifically tailored to strengthen your WordPress freelancing career by focusing on fundamental web security concepts and practical application.
This plan integrates foundational knowledge, networking essentials, operating system security (Linux/WordPress-focused), web application security (OWASP Top 10), and practical tools.
90-Day Cyber Security Learning Plan for WordPress Freelancing 🛡️💻
Phase 1: Foundations and Networking (Days 1–30)
| Day | Topic | Activity & Focus Area |
|---|---|---|
| Day 1 | Introduction to Cyber Security | Learn the CIA Triad (Confidentiality, Integrity, Availability). Understand the basic threat landscape (Malware, Phishing, DoS). |
| Day 2 | Key Concepts & Terminology | Define: Vulnerability, Exploit, Threat, Risk, Patching, Encryption. Research CompTIA Security+ objectives. |
| Day 3 | Network Basics: TCP/IP | Understand the TCP/IP Model (4 Layers) and what each layer does. Research IP addressing (IPv4 & IPv6 basics). |
| Day 4 | Network Basics: Ports & Protocols | Learn the purpose of common ports: 21 (FTP), 22 (SSH), 25 (SMTP), 80 (HTTP), 443 (HTTPS). Research DNS and how it works. |
| Day 5 | Network Devices & Security | Learn about Routers, Switches, Firewalls, and WAFs (Web Application Firewalls). Focus on the Firewall's role. |
| Day 6 | Introduction to Cryptography | Understand Hashing, Symmetric, and Asymmetric Encryption. Relate this to secure passwords and SSL/TLS. |
| Day 7 | Secure Communication: SSL/TLS | Deep dive into SSL/TLS (HTTPS). Understand certificates and why every WordPress site must use HTTPS. |
| Day 8 | Linux Security Focus (Review) | Review Linux basics: User accounts, File permissions (rwx), and the concept of Principle of Least Privilege (PoLP). |
| Day 9 | Linux Hardening | Learn about SSH hardening: disabling root login, key-based authentication, changing the default port. |
| Day 10 | Linux Tools: Logs | Practice navigating and reviewing system logs (e.g., /var/log/auth.log, /var/log/apache2/error.log). |
| Day 11 | Virtualization and Lab Setup | Set up a Virtual Machine (VM) environment (VirtualBox or VMware). Install a basic Linux distro (e.g., Ubuntu). |
| Day 12 | Introduction to Kali Linux | Install and explore the interface of Kali Linux within your VM. Understand its purpose (Penetration Testing). |
| Day 13 | Introduction to Scanning: Nmap | Learn basic Nmap commands: -sT (TCP connect scan), -sV (version detection), -p- (port range). |
| Day 14 | Nmap Practice | Practice scanning your own local network or your newly set up VM with Nmap. |
| Day 15 | Review & Catch-Up | Review all topics from Days 1-14. Revisit weaker areas. Watch a summary video on basic network security. |
| Day 16 | Authentication vs. Authorization | Understand the difference between Authentication (Who you are) and Authorization (What you can do). |
| Day 17 | Strong Passwords & MFA | Learn about Password Managers and the critical need for Multi-Factor Authentication (MFA) on all platforms (hosting, WordPress admin). |
| Day 18 | Physical Security Basics | Understand the physical risks to servers and devices. Focus on data center security principles. |
| Day 19 | Malware Types | Study different types: Viruses, Worms, Trojans, Ransomware, Spyware. Focus on how they infect systems. |
| Day 20 | Social Engineering | Learn about Phishing, Spear Phishing, Vishing, and Baiting. Understand the human factor in security. |
| Day 21 | SQL (Structured Query Language) | Review basic SQL commands (SELECT, INSERT, UPDATE, DELETE) as a foundation for understanding SQL Injection. |
| Day 22 | Web Basics: HTTP/HTTPS | Deep dive into HTTP Methods (GET, POST, PUT, DELETE) and how data is transmitted in a web environment. |
| Day 23 | Web Basics: Cookies & Sessions | Understand how web servers track state using Cookies and Session Management. Learn about common session hijacking risks. |
| Day 24 | Backup Strategy | Focus on the 3-2-1 Backup Rule (3 copies, 2 different media, 1 offsite). This is crucial for WordPress freelancing. |
| Day 25 | Incident Response Basics | Learn the 6 steps of Incident Response: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. |
| Day 26 | Cloud Security Concepts | Introduction to Cloud Computing (IaaS, PaaS, SaaS) and the Shared Responsibility Model (important for hosting). |
| Day 27 | Domain Name Security | Learn about DNS Records (A, CNAME, MX, TXT) and defense mechanisms like DNSSEC. |
| Day 28 | Cyber Laws & Ethics | Research basic concepts of Cyber Law in a freelancing context and the Ethical Hacker's Code of Conduct. |
| Day 29 | Basic Security Policy | Draft a personal "Freelancer Security Policy" for your clients (e.g., requirements for password strength, update frequency). |
| Day 30 | Final Review & Self-Assessment | Test your knowledge on Phase 1 concepts (CIA Triad, Nmap basics, Linux permissions, MFA). |
Phase 2: WordPress & Web Application Security (Days 31–60)
| Day | Topic | Activity & Focus Area |
|---|---|---|
| Day 31 | The OWASP Top 10 | Introduce the OWASP Top 10 project. Focus on A01: Broken Access Control. |
| Day 32 | OWASP A01: Broken Access Control | Understand how poor user roles/permissions can be exploited in web apps, specifically in WordPress. |
| Day 33 | WordPress Roles & Permissions | Deep dive into WordPress user roles (Subscriber, Contributor, Author, Editor, Admin) and securing them. |
| Day 34 | OWASP A03: SQL Injection (SQLi) | Learn the concept of SQLi and how it exploits data input. Understand Prepared Statements as a defense. |
| Day 35 | OWASP A07: Cross-Site Scripting (XSS) | Learn about Stored, Reflected, and DOM-based XSS. Focus on input validation and output encoding as defense. |
| Day 36 | OWASP A04: Insecure Design | Focus on security as a design requirement, not an afterthought. Research secure development principles. |
| Day 37 | OWASP A02: Cryptographic Failures | Understand the risks of plain text data and improper encryption. Review SSL/TLS from Day 7. |
| Day 38 | WordPress Hardening Basics | Learn to secure wp-config.php, disable file editing, and change the default login URL. |
| Day 39 | The robots.txt File |
Understand how robots.txt and directory indexing work. Ensure sensitive directories are protected/hidden. |
| Day 40 | Web Application Firewalls (WAFs) | Research popular WAF solutions (like Cloudflare and Sucuri) and their role in blocking attacks before they hit WordPress. |
| Day 41 | Brute-Force Attack Mitigation | Learn how to protect the WordPress login page using CAPTCHA, rate limiting, and blocking specific IPs. |
| Day 42 | Vulnerability Scanners (WordPress) | Research plugins like Wordfence or Solid Security. Understand the function of a vulnerability scanner. |
| Day 43 | Practical: Set up a Security Plugin | Install and configure a major WordPress security plugin (like Wordfence) on a test/staging site. |
| Day 44 | WordPress Plugin/Theme Security | Learn the risk of using null/pirated themes and the importance of regular updates. |
| Day 45 | Review & Catch-Up | Review all Phase 2 topics. Focus on the practical implementation of OWASP defenses in a WordPress context. |
| Day 46 | Burp Suite Community Edition | Download and set up Burp Suite (a tool for web app testing). Learn how to use the Proxy to intercept your traffic. |
| Day 47 | Burp Suite: Practice Interception | Practice intercepting a form submission on a test WordPress site using Burp Suite. |
| Day 48 | OWASP A05: Security Misconfiguration | Learn how default credentials, unused services, and lack of hardening contribute to this vulnerability. |
| Day 49 | File Integrity Monitoring (FIM) | Understand FIM (File Integrity Monitoring) and its importance in detecting changes in core WordPress files. |
| Day 50 | Database Security | Learn how to secure the WordPress database (e.g., using a non-default prefix, securing credentials in wp-config.php). |
| Day 51 | OWASP A08: Software and Data Integrity Failures | Focus on unverified updates/libraries. Relate this to supply chain risks with WordPress plugins/themes. |
| Day 52 | Input Validation & Sanitization | Study the key defense mechanisms against XSS and SQLi by validating and sanitizing all user input. |
| Day 53 | Introduction to Python for Security | Review basic Python syntax and understand its role in creating small security scripts (e.g., log parsing). |
| Day 54 | Basic Python Scripting Practice | Write a simple Python script to read a log file and search for "404" errors or failed login attempts. |
| Day 55 | Vulnerability Disclosure | Learn the process of responsible vulnerability disclosure if you find a flaw in a client's site or a plugin. |
| Day 56 | TryHackMe/HackTheBox Introduction | Sign up for a beginner-friendly platform (TryHackMe recommended). Complete the "Start Here" room. |
| Day 57 | Practical: TryHackMe Walkthrough | Complete an easy introductory room on TryHackMe focused on web security fundamentals. |
| Day 58 | WordPress Malware Cleanup Process | Learn the steps for cleaning a compromised WordPress site (backup, identify infection, clean, harden, monitor). |
| Day 59 | The .htaccess File (Security) | Master security directives in .htaccess: blocking access to sensitive files (e.g., wp-config.php) and IP whitelisting. |
| Day 60 | Final Review & Prepare for Pen Testing | Review Phase 2, focusing on the OWASP Top 10 and practical WordPress defenses. |
Phase 3: Risk, Pen Testing & Professionalization (Days 61–90)
| Day | Topic | Activity & Focus Area |
|---|---|---|
| Day 61 | Introduction to Risk Management | Learn the basic formula: Risk = Threat x Vulnerability. Understand how to quantify and communicate risk to clients. |
| Day 62 | Penetration Testing Phases | Learn the five phases: Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks. |
| Day 63 | Reconnaissance Tools (Basic) | Learn and practice with tools like Whois, NSLookup, and Google Dorks to gather info on a target. |
| Day 64 | Reconnaissance Tools (Web) | Use the browser Developer Tools (Inspect Element) for basic web reconnaissance. |
| Day 65 | Exploitation Frameworks (Concept) | Introduce Metasploit (conceptually) as a tool for packaging exploits. Understand its modules. |
| Day 66 | Cross-Site Request Forgery (CSRF) | Learn how CSRF works and its defense: Anti-CSRF Tokens (nonces in WordPress). |
| Day 67 | Denial of Service (DoS/DDoS) Attacks | Understand the effect and common mitigation strategies (rate limiting, CDN/WAF). |
| Day 68 | Vulnerability Scanning Practice | Use an open-source scanner like OpenVAS or a simple online tool against your test environment. |
| Day 69 | Security Auditing | Learn to perform a basic security audit of a WordPress site (checking updates, user accounts, security headers). |
| Day 70 | Review & Catch-Up | Revisit weaker areas in Phases 1-3. Focus on a practical TryHackMe or HackTheBox exercise. |
| Day 71 | Security Headers | Learn about critical HTTP security headers like Content Security Policy (CSP), HSTS, and X-Frame-Options. |
| Day 72 | Reporting Vulnerabilities | Practice writing a basic vulnerability report with Risk, Vulnerability, Impact, and Remediation. |
| Day 73 | Web Service Security (FTP/SFTP/SSH) | Focus on SFTP/SSH as the secure alternative to FTP. Ensure all client access is secure. |
| Day 74 | Choosing Secure Hosting | Understand the security features to look for in a web host (Firewall, DDoS protection, automatic backups). |
| Day 75 | Cloudflare Security Features | Deep dive into Cloudflare's Free/Pro WAF and DDoS Protection features for a client site. |
| Day 76 | WordPress Theme/Plugin Development Security | If you code, focus on Nonces and sanitizing/validating all data used in your custom code. |
| Day 77 | Data Privacy Regulations | Research basic concepts of GDPR and CCPA related to website data collection. |
| Day 78 | Cyber Security Certifications | Research entry-level certifications: CompTIA Security+ and eJPT (Junior Penetration Tester). |
| Day 79 | Project: Set up a Secure Staging Site | Create a local or cloud staging environment for a WordPress site and secure it using all learned principles. |
| Day 80 | Review & Catch-Up | Final review of all core concepts. Solidify understanding of security headers and reporting. |
| Day 81 | Freelancing: Security as a Service | Define a new service offering: "WordPress Security Audit" or "Hardening Service" based on your skills. |
| Day 82 | Freelancing: Scope of Work & Contracts | Learn to clearly define your security services' scope and liability in client contracts. |
| Day 83 | Practical: Security Plugin Review | Review the logs and reports generated by the security plugin you installed on Day 43. |
| Day 84 | Advanced Log Analysis (Web Server) | Practice identifying suspicious requests (e.g., attempts to access sensitive files) in web server logs (Apache/Nginx). |
| Day 85 | Web Shells and Backdoors | Learn how an attacker maintains access via a web shell and how FIM (Day 49) helps detect them. |
| Day 86 | Honeypots and Decoy Techniques | Introduction to using simple techniques to detect attackers, like a "fake" admin page. |
| Day 87 | Final CTF/Practical Challenge | Dedicate the day to an intermediate challenge on TryHackMe or HackTheBox. |
| Day 88 | Document & Create a Checklist | Consolidate all learned best practices into a "WordPress Freelancer Security Checklist" for future client work. |
| Day 89 | Continuous Learning Plan | Create a plan for continuous learning (e.g., following security blogs, subscribing to vulnerability feeds, next steps for certification). |
| Day 90 | Integrate & Market Your New Skills | Update your freelance profile/CV to highlight your cybersecurity expertise and the specific hardening services you now offer. Congratulations! 🎉 |