How to Secure Your WordPress Website From Hackers

Man dressed as Braveheart with blue paint on his face attacking a colourful pinata with a sword

Most start-ups and small businesses choose a WordPress site for their first website. Here are the most common problems with WordPress websites that increase the risk of them being hacked, as well as some tips on how to secure your WordPress website from hackers.

Most start-ups and small businesses choose a WordPress site for their first website. Why? WordPress is the most popular content management system in the world, and is used by 43.1% of all websites. It is also the fastest-growing content management system . Every year over 2 million new WordPress sites are launched.

In our business we see a LOT of small business websites! Often we upload the web copy or blog posts that we have written to WordPress websites for our clients, and we see the same mistakes being made over and over with their websites.

Today we will share the top WordPress mistakes we see that lead to them being hacked, as well as share some of our favourite plugins. We look at how to secure your WordPress website from hackers and what to do if you get hacked.

What is the Impact of Hacking on Your Business?

site hackerHaving a website hacked creates a cascade of problems for a small business.

Emotional impact of being hacked

On a personal level, when your site has been hacked it feels as emotionally draining as being burgled. You feel confused, overwhelmed, and you lose trust in people and technology.

Lost business

A hacked website can channel all sales directly to a hackers bank account.

Even if you don’t run an e-commerce websites, a hacked website will impact leads to your business while you get the hacking dealt with and your site restored.

Financial cost

Having your site cleaned and restored to remedy the problem costs time and money.

Legal liabilities and mandatory reporting of data breaches can really add add to the fixing cost. Remember, the Panama Papers started with a hacked website, which then led to all the emails and files being accessed for the law firm. They are likely to be the subject of lengthy and expensive court cases.

To give you some idea of the scale,  ChoicePoint had to pay $10 million in penalties and $5 million to consumers for their data hack! That’s why many businesses are investing in cyber-insurance to cover costs associated with fixing the breach and dealing with any liabilities arising from the problem. Talk with a good insurance broker to find out more information.

Lost brand reputation

People lose trust in businesses that are hacked. When they lose trust, they don’t buy from that business.

How big the loss of trust is all depends on how public the hack was. If it was a simple defacement, only a few people will have seen it. If it hits the media or social media (think Medibank or Optus), then the reputational damage is higher.

Stolen intellectual property

What images and docuiments do you store on your website? In a hack, all of that intellectual property can be taken by hackers and used for their own purposes.

Breach of client details

If your clients leave their details on your site through ecommerce or contact form entries, when your site is hacked, then all of these details will be taken by the hacker.

You are then required to notify each of these people under Mandatory Reporting of Data Breaches legislation that their details have been breached, and what you are doing to protect their details from being used for adverse purposes.

Phishing risk

Even if you don’t store client details on your website through contact forms or ecommerce, all of the user email addresses will be able to be seen by hackers.

This will make these people more likely to be phished. This means that all staff would need to be trained and on higher alert not to click on any suspicious emails. If your business is phished, then you could end up in a ransomware situation, where all of your systems are copied over and then encrypted.

Lost search engine rankings

On a search engine level, being hacked can tank your rankings in Google (often Google is your first warning you have been hacked).

Your rankings can take a while to recover after you have been hacked, and you need to take action to proactively communicate with Google after resolving your hacking.

Blacklisted emails

On an email level, if your site is used to send out spam emails, your email, server and website can be blacklisted.

This means that you will need to fix the problem, and then go email provider by email provider to have your blacklisting removed, otherwise none of your emails for your business will get through the spam filters.

Impacts on other business systems

Depending on how your hosting has been set up, site hacks can filter into your whole business, so you may need to find ways to de-encrypt all your business emails and files (which may or may not include paying ransom to hackers), and sort out liabilities for privacy breaches.

In this post we will look at some of the most common ways that hackers get into WordPress websites, and what you can do to reduce your risk.

Number 1 Most Common Problem: Not Updating WordPress, Themes of Plugins

WordPress websites are like any piece of technology – there are regular updates to all of the pieces of your site as developers find bugs in their code, add new features or close access points to hackers.

There Are a Few Parts to Any WordPress Site

  • WordPress – This is similar to an operating system such as Microsoft or IOS.
  • Theme – This is what gives your website a particular look and feel. There are hundreds of thousands of themes on the market. We prefer sites built using Divi purely because of the quality of the code.
  • Child Theme – Some sites have what is called a Child Theme. These contain tweaks that are unique to your site and sit on top of your main theme. The benefit of this approach is that your main theme can be updated without wrecking all the special tweaks that make your site look the way it does.
  • Plugins – These are similar to Apps in a smartphone, and give extra functionality to your site.

It Is YOUR Responsibility to Update Your Website

On any given day, you may find WordPress, your theme or your plugins may have been updated by the developers.

However, these updates are NOT automatically applied to your website. You have to take physical action to click the update button and watch when the updates are installed to make sure they have updated correctly and haven’t created problems with your website.

The number one way that hackers get into WordPress websites is through themes and plugins that have not been updated.

Most business owners don’t realise that unless they have bought ongoing website maintenance packages with their website (which is different than a hosting package), then they are personally responsible for maintaining their website.

Most web designers do not do regular site maintenance updates for sites they have built (we  offer maintenance plans for all sites we build!)

Always assume that YOU are responsible for keeping your site updated (and be pleasantly surprised if someone else is doing it for you).

questions to askQuestions to Ask Your Web Designer

If you don’t know who is maintaining and updating your website, first check with your web designer.

Ask them, “Are you regularly updating my plugins and theme on my WordPress site for me?”

If they say yes, ask them, “How often do you go into my site and run updates?” If their answer is more than every few days, then you need to find a better option.

Also ask your web designer, “Are there any paid themes or plugins that you own the license for? How are they going to get updated?”

I often see problems when a web designer has paid for a theme or plugin from their own account, and then doesn’t run the updates for the paid theme or plugin. The small business owner doesn’t know what they don’t know about their website. They are not aware that many paid themes or plugins only have a limited update term, and then they are on their own unless the designer pays the licence fee and actively goes in and runs the updates on their behalf or gets the person to buy their own licence.

The last question to ask your designer relates to the theme itself. If the web designer has tweaked the theme code of your site to get a particular look or feel, and hasn’t used a child theme, then any theme updates will over-write the tweaks of the theme and the changes will be lost.

Ask your designer , “If I update the theme, will it break? Have you edited the base code for the theme?”

Web Designer Question Summary:

  • “Are you regularly updating my plugins and theme on my WordPress site for me?”
  • How often do you go into my site and run updates?
  • “Are there any paid themes or plugins that you own the license for? How are they going to get updated?”
  • “If I update the theme, will it break? Have you edited the base code for the theme?”

Read more about other things to ask your web designer in this article: You Have An Exciting new website – Now What?


Why Do Problems Occur During WordPress Updates?

brokenYou need to be aware that updates can sometimes break websites. Sometimes a particular function no longer works the way you expect after an update, and sometimes the whole site can crash.

Why? Remember I mentioned the huge number of themes on the market? WordPress and plugin developers can’t test each update on every theme before pushing them out. They test the main ones and hope for the best.

Some of the themes have clean code that is externally audited to ensure minimal bugs and problems (Divi). Other themes are written by enthusiastic amateurs or well-meaning solo web designers, which means that the code is often less than fantastic and breaks when updates are applied.

That’s why the theme you use for your website is important, and you need to ask your web person what theme they will be using for your site before they launch into building it for you.

The same goes with your plugins. Some plugins have great code – others not so much. If the code is buggy, then problems can occur with a plugin update.

Then there is the variety of website hosting options and servers out there. Some web hosting companies run on old, unpatched servers which can create their own raft of problems.

Ways to Minimise WordPress Update Problems

Before you click any update button, make sure you first run a full backup of your site.

We also add the WP Rollback plugin and a few other essential plugins on every website we work with. That way, if a plugin goes feral during an update you can easily roll back to the previous version and get your site back.

I also recommend updating the site in order: plugins, then the themes, WordPress updates always happen last.

How to Maintain Your WordPress Website

You can easily learn to DIY WordPress website maintenance or you can pay a web designer to proactively manage the updates for you each month, as well as take care of little jobs around your website for you.

We offer comprehensive WordPress website maintenance plans to help small business owners focus on their business and not on trying to stay on top of all the tech things that their website needs.

Problem Number 2: Nil or Poor Security

padlockGiven WordPress’s popularity, it is a prime target for hackers. If you don’t take action to actively secure your website, then it is like leaving your house doors and windows unlocked and open, with all your valuables out on display.

When you combine poor security with unpatched plugins, you are setting out the welcome mat and actively inviting people to take what they want.

Think I am kidding? You may have heard of the Panama Papers, also known as the Mossack Fonseca case in the past few weeks. That is where the biggest data breach in history just happened – all due to an unpatched WordPress slider (another reason not to use sliders on your website) and poor security.

Every site needs security installed. While there are loads of options out there, at varying levels of cost and complexity, we have a few plugins that we use to harden security and reduce spam.

I use and recommend the paid version of Wordfence. (There is a free version available, but the paid version has more features and real time protection.)

While no system is perfect and a determined hacker can still get in, Wordfence substantially reduces your risks.

security risksOther Security Risks

While there is a lot you can do to harden your security, there are a few major risks to address. For full protection, I recommend having a site security audit done to highlight problems you’re your website set ups, servers and other nasties.

Don’t Use Admin as a Username

Most hacking bots start with trying the usernames admin and administration. By not having a username “admin”, you stop a world of problems.

If you currently have admin as a username, don’t just hit delete as you will lock yourself out. Set up yourself as a new user with a new email and password first.

Harden Your Passwords

Don’t use the name of the website as a password, or the name of the person, or the business. Set up strong passwords, and change them a few times each year.

Delete Old Themes & Plugins

Many sites are filled with old themes that are not in active use, as well as more plugins than Kim Kardashian has shoes. Just like Ms Kardashian’s shoes, many of the plugins have been tried on and have not been used since the initial testing.

Think of each plugin and theme as if you have given a key to your house to someone. You want to reduce the number of keys you have floating around out there, and only hand keys out to people actually staying in your house.

If you are not using a theme or a plugin, delete it to reduce the security risk. You can always reinstall it later if needed.

Delete Old Users

While we are on the subject of tidying up access, delete all non-active admins of your website.

Many sites we see are filled with users with admin access for people who have left the company – often using private emails rather than company emails. This is just asking for trouble! The day someone leaves your business is they day their admin rights to access your website should be deleted.

This also goes for non-current web designers and virtual assistants!

Problem Number 3: No Site Backup

There is no substitute for running your own backups for your website. That way, if your site is hacked, you have a problem updating something or you simply want to take your site and move somewhere else, by having control over your backups you can quickly get your site back up and running again.

Most web hosts offer some form of backups, but generally these have limited storage timeframes. In other words, the backup they may have for your site may only be for your hacked website and not the one that was pre-hack a few weeks back.

I advise my clients to run their own site backups in addition to whatever their host may or may not do. I use and recommend UpdraftPlus.

Don’t store your backups in the same place as your website. If hackers hit your site, they will also trash your backups. Keep your backups stored off your hosting – either with the backup company or stored in the cloud with somewhere like Dropbox.

One more thing, if you run your own backups, you need to know how to restore your site from the backup. Learn this before an emergency!

Problem Number 4: No Details

Getting a new website can be exciting and confusing all at once. It is easy to lose the details for your site in a pile of emails somewhere.

When you have been hacked you need to be able to access that information instantly – and not take days hunting down records.

For each website you own, create a detailed information sheet for your files with logins & key contacts. That way everything is in the one place. 

Doing this now will make your life easier in an emergency, it can also help you identify problems with things not being transferred correctly, such as your domain name ownership.

What to Do If Your Site is Hacked

What to do if your site has been hacked

Even if you have regularly updated your site and run security, you can STILL be hacked. The difference is how fast you can fix the problem and get functioning again. Wordfence has a great article on how to know if your site has been hacked. Google also has some useful information to help you if your website has been hacked as does WordPress.
  1. Get your Website Information Sheet. You are going to need ALL of that information to fix your site.
  2. Check your backups. Check that you can access your backups before you call your host. The reason is that some hosts have been known to delete entire hacked sites without warning to stop problems spreading across their network.
  3. Call your web host. Your host will need to check if anyone else on the server has been compromised and may help with some early troubleshooting.
  4. Call in the experts. Most hack recovery is beyond the skill set of small businesses (… and most web designers if truth be told). Contact Wordfence to clean and fix your site for you.


  •  Keep your WordPress site, themes and plugins regularly updated.
  • Check if your web designer is doing the updates for you (most are not).
  • Learn how to DIY WordPress updates.
  • If you are not personally updating your site, hire someone who will do it for you. (We offer comprehensive website maintenance plans).
  • Install the WP Rollback plugin on your site.
  • Backup your site before running any site updates.
  • Back up WordPress, then themes, then plugins.
  • Install Wordfence security (paid option).
  • Configure Wordfence for greater control.
  • Take regular backups of your site and store the backups off site.
  • Delete plugins and themes you are not currently using.
  • Delete users with admin access who are not current in your business.
  • Put together an information sheet about your website with all your site details and contacts.
  • If hacked, check your information sheet and your backups before calling your host and then calling in the experts to fix the problem.
  • Consider getting Cyber Insurance for your business.

About the Author

Ingrid Moyle

Ingrid Moyle is a small business web designer and copywriter. When not hardwired to her computer, she quests for the perfect decaf coffee while chasing virtual reality creatures across the backstreets of Brisbane.
Bowler hat with lightbulb.

Join Our Newsletter

Related Posts