Danger! You Are Inviting a WordPress Hack Attack!

WordPress is the most popular CMS (Content Management System) in the world with almost 40% of all websites using it to power their internet presence. Because of its widespread popularity as a CMS, WordPress is also a popular target for hackers.
Hacking attacks are mostly opportunistic rather than about targeting (although big brand websites may be specifically targeted). Most attacks are automated, with bots searching the internet for security weaknesses to exploit.
This does not mean that your small business website is not at risk.
Hackers have a wide variety of different motives but often it’s about profit. Hacking sites to distribute malware, gain user data, send spam emails, or redirect website visitors can be extremely lucrative.
Having your website compromised can have a huge negative impact on your website, your business, and your brand. It can undermine user trust, cause legal violations, and potentially cost thousands to remediate the damage.
So how can you keep your WordPress website safe from attack?
Secure Your Local Device
It might not appear so, but the security of your WordPress website is directly related to the device (desktop or laptop) you routinely use to access it. Keeping your computer secure not only helps you avoid malware and attempts designed to steal your personal information, it can also keep your website safe.
Malware and viruses can easily infect your computer while browsing the internet and by downloading unverified software if it’s not secured by an anti-virus. And when you access the admin panel of your site and upload files to it from the same infected computer, your site’s security can be easily compromised.
Many of the practices you use to protect your website will also protect your computer.
- Install and maintain updated security software
- Use the most up-to-date version of your preferred web browser
- Keep the operating system patched with recommended updates
- Keep versions of other installed software up to date if they are installed
- Use strong passwords on your laptop/desktop
Secure Your WordPress Website
Have you heard the expression “safety starts at home”? Nothing is truer than when it comes to your WordPress website. Some of the best ways to keep WordPress safe are fairly low-tech.
Have an SSL Certificate
An SSL (Secure Sockets Layer) certificate means that communications between your website and users’ browsers are encrypted. This is another key way to secure your website – and a requirement for doing any online commerce and using paid ads for your business.
An SSL is pretty much the standard nowadays – but we occasionally see a website that does not have one. If you do not have one (finish reading this post and) contact your web host to arrange for one. They will have free and paid options – depending on your requirements.
Keep WordPress, Themes, and Plugins Updated
Keeping WordPress up-to-date is an important security measure. WordPress software updates are made regularly to optimize performance and patch any security issues as they are discovered.
If you are not comfortable doing this yourself – or would rather focus on working on your business than in it – work with a developer/agency to make this happen.
Use Secure Login Details
One of the more common ways hackers can access your WordPress site is through automated ‘guessed’ login attempts. The less complex (and more obvious) your username and password, the more likely these attempts will succeed.
Do not (ever ever) use ‘admin’, ‘login’, or ‘account’ as a username. Also, do not use your first and last name (as in Jane Doe), as that is also easily guessed. Go with an atypical username such as JDCatWrangler (seriously, we have seen this one before).
We suggest passwords that are at least 10 characters long and contain a combination of letters (upper and lowercase), numbers, and special characters. Do not use phrases or known words. Also, do not use any words that can be associated with you, such as names of pets, cities, or friends. Just use random text.
If your name is published on your website (say, as the author of a blog) and it is the same as or similar to your username, change your user’s nickname and then update the “Display name publicly as” setting so that what is shown on your blog is not close to your username. Using the example above, if your username is Jane Doe, change your nickname to Jane the Cat Wrangler and be sure to pick this name from the drop-down in the “Display name publicly as” field. This is what will appear on your blog posts.
Invest in Quality Hosting
Often, website owners will look for a “good deal” in hosting, even after spending thousands on building a website. You should instead look upon your website hosting company as a trusted partner.
A good company will take extra measures to protect their servers, monitor for suspicious activity, update their server software and hardware regularly, have systems and processes in place to deal with small and large attacks, and in the case of an incident, have the capacity to redeploy on different equipment, or even different data centers.
Also, you want to ensure that when you need help, they are available 24/7 in the way you would like to communicate with them – chat, phone, email.
Monitor Your Website
Every website should have security monitoring in place. You can use a service (such as Sucuri), or install a free/premium plugin such as Wordfence or iThemes Security Pro. By adding a security plugin to your WordPress site, you’ll be notified of suspicious activity as soon as it occurs.
For example, if someone attempts an unauthorized login or adds a file, you can get a notification. You will also be notified of updates that are needed and whether a plugin may have been abandoned or is no longer being updated.
The basic configuration of security plugins is fairly straightforward. More advanced settings may require the assistance of a developer/agency.
Backup, Backup, and then Backup again
While this final tip does not actually prevent hacking, it’s probably the most important step to take just in case your site is ever hacked.
By making regular site backups, you can reinstate your site again quickly if ever needed. Without backing up, you could stand to lose everything you’ve ever designed, posted, or written on your site.
How to back up your WordPress site will depend on the type of hosting you have. See our post on the Best WordPress Backup Practices.
You Would Not Leave Your Car Unlocked
A website is not a one-and-done affair. It requires frequent (if not constant) love and attention – with security playing a major role. The web is constantly evolving. New technology gets old very quickly. And what was once thought to be a security best practice can sometimes be proven otherwise.
When it comes to WordPress, that may mean updating themes and plugins, adapting security practices in response to current threats, updating investments made in hosting, and replacing older security plugins with something better. Or doing away with abandoned themes and plugins to tighten things up. It could also require a change in hosts or server environments.
You wouldn’t invest in a car or a house and leave it unlocked and never service it – so why would you do the same to the website you invested in?
This post may contain affiliate links. This means we may receive a percentage of the sale in commission. We only recommend products we use ourselves and believe in. Thank you for supporting us!
