
How to keep your WordPress website from getting hacked

WordPress is “open source” software. This means everyone has access to the core code. While this allows anybody to develop themes and plugins, it also means attackers can read that code and look for weaknesses in it. There are several precautions you can, and should, take to keep your WordPress website from getting hacked.

In the last month I had two clients come to me needing a new website because their WordPress site had been hacked and couldn’t be fully recovered. This process can be stressful and scary, and can cost your business website downtime and thousands of dollars to fix.

In both cases, my clients decided to rebuild on Squarespace. Squarespace is another CMS platform, but it is not an open source platform. This means it is secure. You don’t need to install security plugins or update themes and software, and it isn’t targeted with brute-force attacks the way WordPress is. If you are interested in switching to Squarespace, learn more here.

In 11 years of developing WordPress websites, I’ve never had any of my sites, or my clients’ sites, hacked (knock on wood). Regardless, I now build exclusively on Squarespace because it is much safer for my clients. In general, I have found it is difficult for clients to update their WordPress websites, keep up with changing software, and address plugin conflicts. This is why most small businesses on WordPress are sitting ducks for a hack.

Steps you need to take to keep your WordPress website from getting hacked

Update themes, plugins, and WordPress software once a month

Outdated themes, plugins, and WordPress software can contain known vulnerabilities. When a software developer becomes aware of a security flaw, they patch it and release an update. It is critical to apply those updates to the software on your site as often as possible. I recommend about once a month.

You can enable auto updates on your plugins, but be aware that an update may conflict with other plugins or your theme. Therefore, it is recommended to update everything manually so you can address issues as they come up.

Erase inactive plugins

Plugins only need to be active if you are using them. If you deactivate a plugin and haven’t used it for a while, it’s a good practice to erase it. However, if you want to keep it, be sure to always update it, even though it is inactive. This is one instance where you can enable auto updates. Just make sure to check the plugin on occasion to ensure it is still being supported by the developer.

Update extra themes (or erase them)

Every WordPress site comes with a few themes installed. It is a good practice to erase themes you aren’t using. These will require updates over time as well. I like to keep one of the default WordPress themes for testing, but I delete the rest. When doing updates, update these themes as well, even though you aren’t using them.

Replace outdated plugins and themes

Just because a plugin stops receiving updates doesn’t mean it is safe. In fact, if a plugin or theme stops being supported by the developer, it is time to replace it: nobody is left to fix the next vulnerability found in it. While this can be time consuming, it is critical to the safety and functionality of your website.
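The three housekeeping steps above (update everything, erase inactive plugins and themes, replace anything that has gone stale) are easier to keep up with if you can see the state of a site in one place. The script below is an added example, not code from the post: it reads the CSV that WP-CLI prints for `wp plugin list` and `wp theme list` and reports which items have an update available and which are inactive. When run on a server where WP-CLI (`wp`) is installed and the working directory is the WordPress root, it queries the live site; otherwise it runs on the constructed sample listings embedded in the script. The sample plugin and theme rows are made up for the demo. Note that WP-CLI cannot tell you whether a developer still supports a plugin; for that you still have to check the plugin's page.

```shell
#!/bin/sh
# Added example (not from the original post): audit plugin/theme hygiene from
# WP-CLI listings. Input is the CSV that `wp plugin list --format=csv` and
# `wp theme list --format=csv` print: name,status,update,version,update_version

# Constructed sample listings, used when WP-CLI is not available.
SAMPLE_PLUGINS='name,status,update,version,update_version
akismet,active,available,5.2,5.3
contact-form-7,active,none,5.9,
old-gallery,inactive,available,1.0,1.2
hello,inactive,none,1.7.2,'

SAMPLE_THEMES='name,status,update,version,update_version
twentytwentyfour,active,none,1.1,
twentytwentythree,inactive,available,1.3,1.4
twentytwentytwo,inactive,none,1.6,'

# Print the names (one per line) of rows whose "update" column is "available".
needs_update() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Print the names of rows whose "status" column is "inactive".
inactive_items() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Count the lines in a possibly empty list (wc would report 1 for an empty string).
count_lines() {
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

# Print a short report for one listing; $1 is a label, $2 the CSV text.
report() {
    kind=$1
    csv=$2
    upd=$(needs_update "$csv")
    ina=$(inactive_items "$csv")
    echo "== $kind: $(count_lines "$upd") with updates available, $(count_lines "$ina") inactive =="
    for n in $upd; do echo "  update now:                        $n"; done
    for n in $ina; do echo "  inactive (delete, or keep patched): $n"; done
}

# Query the live site when WP-CLI is present; otherwise use the constructed samples.
if command -v wp >/dev/null 2>&1; then
    report plugins "$(wp plugin list --format=csv --fields=name,status,update,version,update_version)"
    report themes  "$(wp theme list  --format=csv --fields=name,status,update,version,update_version)"
else
    report plugins "$SAMPLE_PLUGINS"
    report themes  "$SAMPLE_THEMES"
fi
```

An inactive plugin that still shows "available" (old-gallery in the sample) is exactly the case the post warns about: it is not running, but its files are still on the server and still need the patch, so either update it or delete it.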

Install a security plugin

Every WordPress website needs at least one security plugin. Some developers believe one is not only enough, but best. At minimum, you’ll want to install and configure something such as Wordfence to protect against brute force attacks.

A brute-force attack is when an attacker tries to guess your password by running a program that submits hundreds of variations to your login page. A security plugin will lock the source out of the login page after a number of failed attempts.

I see email notifications almost daily of brute-force attacks on my websites and client websites. The plugins are doing their job by locking out the intruders. However, it happens way more often than you would think, and every website is vulnerable to this type of attack.
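What the security plugin reacts to is visible in the web server's own access log: a burst of POST requests to wp-login.php from one address. A failed WordPress login re-renders the form with status 200, while a successful one redirects with 302, so a long run of 200s from the same IP is the signature. The script below is an added example, not the post's or any plugin's code: it counts login POSTs per client IP in combined-format log lines and flags any IP at or above a threshold. The log lines are constructed samples (documentation IP ranges, made-up timestamps); on a real server you would point it at the live access log instead.

```shell
#!/bin/sh
# Added example (not from the original post): detect brute-force login attempts
# by counting POSTs to wp-login.php per source IP in a combined-format access log.

# Constructed sample log: six login POSTs from 203.0.113.7 (all 200 = form shown
# again, i.e. failed), and one ordinary login from 198.51.100.4 (302 = success).
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2024:08:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:08:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:08:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:08:02:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9012 "-" "Mozilla/5.0"'

# Count POST requests to wp-login.php per source IP.
# In combined format field 1 is the client IP, field 6 is "\"POST" (the opening
# quote is part of the field) and field 7 is the request path.
# Output: one "<count> <ip>" line per IP, highest count first.
login_post_counts() {
    printf '%s\n' "$1" | awk '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { c[$1]++ }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Print the IPs whose login POST count meets or exceeds a threshold (default 5).
flag_brute_force() {
    threshold=${2:-5}
    login_post_counts "$1" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Usage: ./login-audit.sh /var/log/apache2/access.log  (falls back to the sample)
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    flag_brute_force "$(cat "$1")"
else
    flag_brute_force "$SAMPLE_LOG"
fi
```

The threshold is deliberately a parameter: the post's advice to lock out after "a number of attempts" is the same knob, and a site with many legitimate editors may want it higher than a one-person site. The legitimate user in the sample never trips it because one POST is all a real login takes.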

Never use “admin” as a username

When setting up a new WordPress build, the default username is “admin”. Attackers count on the fact that people won’t change this, so they often run their brute-force attack against the name “admin”. If they already have your username, they only have the password left to guess.

Also, avoid using a username that is obvious, such as the name of your business or your first and last name combined (“firstlast”). These are easily guessed as well.

Limit Admin access

Every admin on your site has their own username and password, and each of these accounts is another way in. It is a good practice to limit admin access. Give staff members limited roles that only let them edit pages and blog posts. For the people on your site who do have admin access, make sure they have chosen a very strong password and follow the other best practices in this post.
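The two points above, no guessable admin usernames and as few administrator accounts as possible, can be checked in one pass over the administrator list. The script below is an added example, not code from the post: it takes the CSV that `wp user list --role=administrator --fields=user_login,display_name --format=csv` prints, flags logins that are the default “admin”, match the site name, or match the account's own display name squashed into “firstlast” form, and counts how many administrators exist. The site name and the administrator rows are constructed for the demo; on a live site the name would come from `wp option get blogname` and the rows from WP-CLI. It assumes display names contain no commas.

```shell
#!/bin/sh
# Added example (not from the original post): audit administrator accounts for
# guessable usernames and for how many admins a site has.
# Input is the CSV from:
#   wp user list --role=administrator --fields=user_login,display_name --format=csv

# Constructed sample values; a live run would use `wp option get blogname`
# and the WP-CLI listing instead.
SITE_NAME='Acme Bakery'

SAMPLE_ADMINS='user_login,display_name
admin,Site Owner
acmebakery,Jane Doe
janedoe,Jane Doe
jd_7k2q,Jane Doe
editor-bob,Bob Smith'

# Lowercase and keep only letters and digits: "Jane Doe" -> "janedoe".
squash() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9'
}

# Number of administrator accounts (rows after the CSV header).
admin_count() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF' | wc -l | tr -d ' '
}

# Print "<login>: <reason>" for each admin whose username is easy to guess.
# $1 = CSV listing, $2 = site name.
weak_admin_logins() {
    site=$(squash "$2")
    printf '%s\n' "$1" | awk -F, 'NR > 1 && NF' | while IFS=, read -r login display; do
        l=$(squash "$login")
        d=$(squash "$display")
        case "$l" in
            admin|administrator) echo "$login: default admin username" ;;
            "$site")             echo "$login: matches the site name" ;;
            "$d")                echo "$login: matches the display name (firstlast)" ;;
        esac
    done
}

# Report for the constructed sample. An admin count above a couple of people is
# a prompt to demote the rest to Editor or Author; the threshold is a judgment call.
echo "administrators: $(admin_count "$SAMPLE_ADMINS")"
weak_admin_logins "$SAMPLE_ADMINS" "$SITE_NAME"
```

In the sample only jd_7k2q and editor-bob pass the naming check, and five administrators for a small site is a sign that some of them should be given an Editor role instead.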

Consider 2-step verification

While this isn’t strictly necessary if you follow all the other precautions, it does add an extra layer of security: a guessed or leaked password alone is no longer enough to log in. It is particularly useful if you have several admins on your site.

Most security plugins will give you the option to enable 2-step verification for admins. This means your admin users will need to verify login with an email code each time they log in.

Pro tip: You can have them select “remember me” when logging in and they will only need to use that verification code once every two weeks.

Back up your website

Always back up your website. I use Updraft Plus. You can back up a copy to your server, but I recommend backing up your website to an external service such as Dropbox or Google Drive. This way, if your site ever does get hacked, YOU have a full copy of your website from before it was hacked and can restore the entire thing if needed. I set Updraft to save regular updates, but you can also do this manually as needed.

How do WordPress sites get hacked?

WordPress sites get hacked when there is a security vulnerability in an outdated plugin or theme, or when you have an easily guessed username or password. Attackers get into your site through vulnerable code in outdated plugins and themes, or through a brute-force attack that guesses your username and password.

How do I make sure my WordPress site is secure?

To make sure your WordPress site is secure, set up a security plugin to alert you of unusual activity. These plugins will lock out intruders and let you know if your website is being hacked.

What is the best practice you can follow to keep your WordPress site from being hacked?

The best practice you can follow to keep your WordPress site from being hacked is to update your themes, plugins, and software once a month. Replace themes and plugins that are no longer being supported. Use a security plugin to protect against brute-force attacks. Limit admin access, and always use a strong password and a username that is not easily guessed.

How often are WordPress sites hacked?

WordPress sites are unfortunately hacked every day. I see brute-force attempts on WordPress websites daily. However, if you follow the necessary security precautions and best practices, the hackers will not be able to access your website.
