In our business we see a LOT of small business websites! Often we upload the web copy or blog posts that we have written to WordPress websites for our clients, and we see the same mistakes being made over and over with their websites.
Today we will share the top WordPress mistakes we see that lead to them being hacked, as well as share some of our favourite plugins. We look at how to secure your WordPress website from hackers and what to do if you get hacked. We also point you in the direction of some great companies that can help you with your small business website.
Why is Hacking a Problem?
On a business level it can affect your leads into your business while you get the hacking dealt with and your site restored. It can also cost a small fortune in remedying the problem, which can often extend far beyond sorting out your website.
Site hacks can filter into your whole business, so you may need to find ways to de-encrypt all your business emails and files (which may or may not include paying ransom to hackers), and sort out liabilities for privacy breaches.
Legal liabilities and mandatory reporting of data breaches can really add add to the fixing cost. Remember, the Panama Papers started with a hacked website, which then led to all the emails and files being accessed for the law firm. They are likely to be the subject of lengthy and expensive court cases.
To give you some idea of the scale, ChoicePoint had to pay $10 million in penalties and $5 million to consumers for their data hack! That’s why many businesses are investing in cyber-insurance to cover costs associated with fixing the breach and dealing with any liabilities arising from the problem. Talk with a good insurance broker to find out more information.
On a search engine level, being hacked can tank your rankings in Google (often Google is your first warning you have been hacked). Your rankings can take a while to recover after you have been hacked, and you need to take action to proactively communicate with Google after resolving your hacking.
On an email level, if your site is used to send out spam emails, your email, server and website can be blacklisted. This means that you will need to fix the problem, and then go email provider by email provider to have your blacklisting removed, otherwise none of your emails for your business will get through the spam filters.
Even if you have regularly updated your site and run security, you can STILL be hacked. The difference is how fast you can fix the problem and get functioning again. Wordfence has a great article on how to know if your site has been hacked. Google also has some useful information to help you if your website has been hacked as does WordPress.
Number 1 Most Common Problem: Not Updating Stuff
WordPress websites are like any piece of technology – there are regular updates to all of the pieces of your site as developers find bugs in their code, add new features or close access points to hackers.
There Are a Few Parts to Any WordPress Site
- WordPress – This is similar to an operating system such as Microsoft or IOS.
- Theme – This is what gives your website a particular look and feel. There are hundreds of thousands of themes on the market. We favour sites built using Divi or Genesis Themes purely because of the quality of the code.
- Child Theme – Some sites have what is called a Child Theme. These contain tweaks that are unique to your site and sit on top of your main theme. The benefit of this approach is that your main theme can be updated without wrecking all the special tweaks that make your site look the way it does.
- Plugins – These are similar to Apps in a smartphone, and give extra functionality to your site.
It Is YOUR Responsibility to Update Your Website
On any given day, you may find WordPress, your theme or your plugins may have been updated by the developers.
However, these updates are NOT automatically applied to your website. You have to take physical action to click the update button and watch when the updates are installed to make sure they have updated correctly and haven’t created problems with your website.
The number one way that hackers get into WordPress websites is through themes and plugins that have not been updated.
Most business owners don’t realise that unless they have bought ongoing maintenance packages with their website (which is different than a hosting package), then they are personally responsible for doing the updates.
Most web developers do not do regular site maintenance updates for sites they have built. Always assume that YOU are responsible for keeping your site updated (and be pleasantly surprised if someone else is doing it for you).
Questions to Ask Your Web Developer
If you don’t know who is maintaining and updating your website, first check with your web developer.
Ask them, “Are you regularly updating my plugins and theme on my WordPress site for me?”
If they say yes, ask them, “How often do you go into my site and run updates?” If their answer is more than every few days, then you need to find a better option.
Also ask your web developer, “Are there any paid themes or plugins that you own the license for? How are they going to get updated?”
I often see problems when a web developer has paid for a theme or plugin from their own account, and then doesn’t run the updates for the paid theme or plugin. The small business owner doesn’t know what they don’t know about their website. They are not aware that many paid themes or plugins only have a limited update term, and then they are on their own unless the developer pays the licence fee and actively goes in and runs the updates on their behalf or gets the person to buy their own licence.
The last question to ask your developer relates to the theme itself. If the web developer has tweaked the theme code of your site to get a particular look or feel, and hasn’t used a child theme, then any theme updates will over-write the tweaks of the theme and the changes will be lost.
Ask your developer, “If I update the theme, will it break? Have you edited the base code for the theme?”
Web Developer Question Summary:
- “Are you regularly updating my plugins and theme on my WordPress site for me?”
- “How often do you go into my site and run updates?”
- “Are there any paid themes or plugins that you own the license for? How are they going to get updated?”
- “If I update the theme, will it break? Have you edited the base code for the theme?”
Read more about other things to ask your web developer in this article: You Have An Exciting new website – Now What?
How to Maintain Your WordPress Website
You can easily learn to DIY WordPress website maintenance. The best resource I have found to learn to DIY is from MaAnna Stephenson over at BlogAid. Her WP starter videos only cost $1 and are clear, easy to follow and explain what you need to do.
If you want someone to do your WordPress maintenance for you, then there are companies out there who can proactively manage the updates for you each month, as well as take care of little jobs around your website for you.
Why Do Problems Occur During WordPress Updates?
You need to be aware that updates can sometimes break websites. Sometimes a particular function no longer works the way you expect after an update, and sometimes the whole site can crash.
Why? Remember I mentioned the huge number of themes on the market? WordPress and plugin developers can’t test each update on every theme before pushing them out. They test the main ones and hope for the best.
Some of the themes have clean code that is externally audited to ensure minimal bugs and problems (Divi & Genesis). Other themes are written by enthusiastic amateurs or well-meaning solo web developers, which means that the code is often less than fantastic and breaks when updates are applied.
That’s why the theme you use for your website is important, and you need to ask your web person what theme they will be using for your site before they launch into building it for you.
The same goes with your plugins. Some plugins have great code – others not so much. If the code is buggy, then problems can occur with a plugin update.
Then there is the variety of website hosting options and servers out there. Some web hosting companies run on old, unpatched servers which can create their own raft of problems.
Ways to Minimise WordPress Update Problems
Before you click any update button, make sure you first run a full backup of your site.
We also add the WP Rollback plugin and a few other essential plugins on every website we work with. That way, if a plugin goes feral during an update you can easily roll back to the previous version and get your site back.
I also recommend updating the site in order: plugins, then the themes, WordPress updates always happen last. I also prefer doing plugins one at a time, so I can test the functionality after each update to make sure they work correctly after the updates.
Problem Number 2: Nil or Poor Security
Given WordPress’s popularity, it is a prime target for hackers. If you don’t take action to actively secure your website, then it is like leaving your house doors and windows unlocked and open, with all your valuables out on display.
When you combine poor security with unpatched plugins, you are setting out the welcome mat and actively inviting people to take what they want.
Think I am kidding? You may have heard of the Panama Papers, also known as the Mossack Fonseca case in the past few weeks. That is where the biggest data breach in history just happened – all due to an unpatched WordPress slider (another reason not to use sliders on your website) and poor security.
Every site needs security installed. While there are loads of options out there, at varying levels of cost and complexity, we have a few plugins that we use to harden security and reduce spam.
I use and recommend the paid version of Wordfence. (There is a free version available, but the paid version has more features and
While no system is perfect and a determined hacker can still get in, Wordfence substantially reduces your risks.
A few things with your Wordfence set up. It can
- Turn OFF
real timelive logging(live traffic view).
- Make sure you have no other caching plugin running if you are going to use that feature.
two factorauthentication ON (paid feature).
- Block access to your login page for all countries other than the one you are in (paid feature).
- You can safely turn off a few of the alerts so you don’t get bombarded with emails. I turn off alert when IP address is
blocked,when someone with administrator access logs in and when someone with non-administrator access logs in).
- Turn your firewall on.
- My rate limiting rules have been tweaked. I use these:
- Immediately block fake Google Crawlers.
- Verified Google gets unlimited access to the site.
- Anyone requests exceed 240 per minute, then throttle it.
- Crawlers page views exceed 240 per minute, then throttle it.
- Crawlers not found exceed 15 per minute, then block it.
- Human’s page views exceed 240 per minute, then block it.
- If human’s not found exceed 15 per minute, then block it.
- 404s for known vulnerabilities exceed 15 per minute, then block it.
- I block IP’s out for a month if they break the rules.
- I lock people out for failed passwords after 3 failed attempts over a 1-day period.
- I lock them out for 60 days.
- I immediately lock out invalid usernames.
Other Security Risks
While there is a lot you can do to harden your security, there are a few major risks to address. For full protection, I recommend having a site security audit done to highlight problems you’re your website
Don’t Use Admin as a Username
Most hacking bots start with trying the usernames admin and administration. By not having a username “admin”, you stop a world of problems.
If you currently have admin as a username, don’t just hit delete as you will lock yourself out. Set up yourself as a new user with a new email and password first. There is an art to it, so read up on these simple steps from BobWP on what to do first.
Harden Your Passwords
Don’t use the name of the website as a password, or the name of the person, or the business. Set up strong passwords, and change them a few times each year.
Delete Old Themes & Plugins
Many sites are filled with old themes that are not in active use, as well as more plugins than Kim Kardashian has shoes. Just like Ms Kardashian’s shoes, many of the plugins have been tried on and have not been used since the initial testing.
Think of each plugin and theme as if you have given a key to your house to someone. You want to reduce the number of keys you have floating around out there, and only hand keys out to people actually staying in your house.
If you are not using a theme or a plugin, delete it to reduce the security risk. You can always reinstall it later if needed.
Delete Old Users
While we are on the subject of tidying up access, delete all non-active admins of your website.
Many sites we see are filled with users with admin access for people who have left the company – often using private emails rather than company emails. This is just asking for trouble! The day someone leaves your business is
This also goes for non-current web developers and virtual assistants!
Problem Number 3: No Site Backup
There is no substitute for running your own backups for your website. That way, if your site is hacked, you have a problem updating something or you simply want to take your site and move somewhere else, by having control over your backups you can quickly get your site back up and running again.
Most web hosts offer some form of backups, but
I advise my clients to run their own site backups in addition to whatever their host may or may not do. I use and recommend Updraft Plus (Premium).
Don’t store your backups in the same place as your website. If hackers hit your site, they will also trash your backups. Keep your backups stored off your hosting – either with the backup company or stored in the cloud with somewhere like Dropbox.
One more thing, if you run your own backups, you need to know how to restore your site from the backup. Learn this before an emergency!
Problem Number 4: No Details
Getting a new website can be exciting and confusing all at once. It is easy to lose the details for your site in a pile of emails somewhere. Trying to reconstruct this information a few years down the track can be frustrating,
Having these details will help if something goes wrong with your site, and you manually need to get into the control panel side from your host (different to your normal WordPress dashboard) to delete or add something.
Doing this now will make your life easier in an emergency, it can also help you identify problems with things not being transferred correctly, such as your domain name ownership.
What To Put In Your Website Information Sheet
(You can download this sheet as a PDF)
- Who is your domain name registrar:
- URL of the registrar:
- Login for your domain name account:
- When is it due for renewal:
- Who is your website hosting with:
- URL of the web host:
- Login for your web hosting account:
- When is it due for renewal:
- Emergency contact details (for if the site goes down or is hacked):
- Who hosts your email. (Is it through your hosting or some other place?):
- URL of the email host:
- Login for your email hosting account:
- Login details for all your different email addresses:
- When is it due for renewal:
- Emergency contact details (for email problems):
- Who created your website:
- URL of the web developer:
- Are you paying for ongoing site maintenance:
- When is it due for renewal:
- What backups are being run:
- Any paid themes or plugins? (What are they and who created them?)
- Any login details for paid themes or plugins:
- Emergency contact details (for if the site is hacked):
- Google analytics details:
- Google web console details:
- Who wrote the copy for your website:
- URL of the web copywriter:
- Emergency contact details (if you didn’t have a backup and need a copy of your web words):
- Login URL to access your website:
- Access to your control panel for your site:
- FTP details for your site:
What to Do If Your Site is Hacked
What to do if your site has been hacked
- Get your Website Information Sheet. You are going to need ALL of that information to fix your site.
- Check your backups. Check that you can access your backups before you call your host. The reason is that some hosts have been known to delete entire hacked sites without warning to stop problems spreading across their network.
- Call your web host. Your host will need to check if anyone else on the server has been compromised and may help with some early troubleshooting.
- Call in the experts. Most hack recovery is beyond the skill set of small businesses (… and most web developers if truth be told). Contact BlogAid for a referral to an expert, or you can also contact Wordfence to clean and fix your site for you.
- Keep your WordPress site, themes and plugins regularly updated.
- Check if your web developer is doing the updates for you (most are not).
- Learn how to DIY WordPress updates (BlogAid)
- If you are not personally updating your site, hire someone who will do it for you.
- Install the WP Rollback plugin on your site.
- Backup your site before running any site updates.
- Back up WordPress, then themes, then plugins.
- Install Wordfence security (paid option).
- Configure Wordfence for greater control.
- Take regular backups of your site and store the backups
- Delete plugins and themes you are not currently using.
- Delete users with admin access who are not
currentin your business.
- Put together an information sheet about your website with all your site details and contacts.
- If hacked, check your information sheet and your backups before calling your host and then calling in the experts to fix the problem.
- Consider getting Cyber Insurance for your business.