
How to Prevent WordPress Website Hacks

October 12th, 2015

When it comes down to it, it’s not the WordPress site itself but the people managing the WordPress site that have both the best chance of preventing a hack and the best chance of causing one.

The two most common reasons I see behind WordPress hacks are:

Weak Admin Passwords: A quick Google search will turn up lists of the most common passwords and they’re depressingly simple ones. If someone gets the admin login for your site, they essentially have the keys to the kingdom. Thankfully, WordPress is now enforcing stronger password generation in core but weak passwords continue to be a big factor behind hacks. If you have even the slightest suspicion that your admin password may be too easy to guess, change it. Change it now.

Lack of Maintenance: WordPress is open-source software and, like any other software, it needs maintenance to keep it running smoothly & securely. WordPress minor releases frequently include security patches or hardening that are worth applying to your site in a timely fashion. Plugins, just like WordPress core, also require maintenance. Just recently, multiple security issues were found in Visual Composer that required an update to patch. Sites left unattended for months or years without any of these updates are at high risk. Attacks on these vulnerabilities frequently aren’t targeted at specific sites; they’re targeted at specific vulnerabilities, with attackers crawling the web for sites that have the exploitable weakness.
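One way to keep that maintenance from slipping is a small Python report over WP-CLI's JSON output (`wp plugin list --format=json` and `wp core check-update --format=json`) that lists what is still unpatched. This is an added example, not code from the original post; the sample data, the plugin names and the HIGH/MEDIUM ranking are assumptions made for illustration.

```python
import json

# Constructed samples shaped like WP-CLI's JSON output; not taken from a real site.
SAMPLE_PLUGINS = """[
 {"name": "example-slider", "status": "active", "update": "available", "version": "2.1.0"},
 {"name": "example-forms", "status": "active", "update": "none", "version": "5.4.2"},
 {"name": "example-gallery", "status": "inactive", "update": "available", "version": "1.0.2"}
]"""
SAMPLE_CORE = '[{"version": "9.9.1", "update_type": "minor", "package_url": "https://example.invalid/wp.zip"}]'


def _load(text):
    """Parse WP-CLI JSON; treat empty or non-JSON output as 'nothing to report'."""
    try:
        data = json.loads(text)
    except (TypeError, ValueError):
        return []
    return data if isinstance(data, list) else []


def pending_updates(plugins_json, core_json=""):
    """Return (severity, message) tuples, most urgent first (ranking is an assumption)."""
    findings = []
    for rel in _load(core_json):
        kind = rel.get("update_type", "unknown")
        # Minor core releases frequently carry security patches, so rank them first.
        sev = "HIGH" if kind == "minor" else "MEDIUM"
        findings.append((sev, f"core: {kind} release {rel.get('version')} not installed"))
    for p in _load(plugins_json):
        if p.get("update") != "available":
            continue
        # Inactive plugins are still reported: their files remain on the server.
        sev = "HIGH" if p.get("status") == "active" else "MEDIUM"
        findings.append(
            (sev, f"plugin {p.get('name')} {p.get('version')}: update available ({p.get('status')})")
        )
    # Stable sort keeps core-before-plugin order within each severity.
    return sorted(findings, key=lambda f: f[0] != "HIGH")


if __name__ == "__main__":
    for sev, msg in pending_updates(SAMPLE_PLUGINS, SAMPLE_CORE):
        print(f"[{sev}] {msg}")
```

Run from cron against the real WP-CLI output, a non-empty report is the cue to schedule updates before a crawler finds the site.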

So outside of ensuring you have a strong admin password and regularly updating WordPress core and its plugins, what else can be done?

First, ensure you’re making regular backups of your entire WordPress site. I personally love VaultPress and BackUpBuddy. If you do fall victim to a hack, a backup makes it a minor speed bump rather than a site ruiner.

Second, it may be worth installing a security plugin such as iThemes Security or Sucuri Scanner. These can alert you to potential security issues on your site.

Third, it may be worth investing in a specialized hosting solution that provides security as part of its overall package of features, like Kinsta, WPEngine or Flywheel.

Finally, you should read the article in the Codex on Hardening WordPress and consider what additional WordPress security measures may be right for your project.
