Your WordPress Website Is Due To Get Hacked! Here Is How You Can Prevent That!


Sooner or later someone will attempt to hack and compromise your WordPress website. Here is what you must do to prevent that!

What You Need to Know About Protecting WordPress Websites

Over the past two days, I had four conversations with clients and associates about WordPress websites. Actually, the conversations centered on why so many WordPress websites get hacked, and if WordPress was still a viable option for their business website. I always tell potential clients, and anyone else who will listen, that protecting WordPress websites is not a problem, as long as you follow a few simple steps.

This is not the first time I have had this type of conversation. Especially since the Equifax hack, website security is on the mind of many business owners. Website security should be on everyone’s mind. Here at the highly caffeinated agency, we see all too often what happens when businesses launch, and then promptly forget their websites. But what makes WordPress websites such a risk? And what can you do about it? Let’s take a look!

According to statistics from 40,000+ WordPress Websites in Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks. (Source: WPWhiteSecurity)

Yes, WordPress Sites Get Hacked!

WordPress is the most common Content Management System (CMS) out there, with a market share of 50-60% of all CMS sites. That’s not surprising. At we recommend getting a WordPress website to our clients looking for a cost-effective and flexible online presence.

And that popularity makes WordPress a very tempting target for hackers and all kinds of cybercriminals. So by the simple law of averages, WordPress sites get hacked more because there are more WordPress sites. That doesn’t mean it is more vulnerable, or can’t be protected. As a matter of fact, there are many options for protecting WordPress websites. Let’s take a look at some of them.

The Essentials of Protecting WordPress Websites

Work With a Professional!

Protecting WordPress websites starts right when you decide you are going to get a WordPress website for your business. Many business owners want to save money, and therefore many try their hand at building their own WordPress site. While that may be an admirable trait, it can get you into trouble quickly. By working with a professional web designer or agency, you can count on their experience in protecting WordPress websites to do the same for yours.

Don’t Use Free Themes!

The next common mistake many business owners make is to use a free WordPress theme. Yes, I know it’s a budget consideration. But you are shooting yourself in the foot with this one! Free WordPress themes are usually not supported by their developer. Why should they; they are not making any money on this! And that also means the theme may not be updated as WordPress releases new versions. And outdated themes are one of the biggest security risks!

If you want to build a WordPress site that will actually serve your business needs and vision, I recommend that, even if you decide to build your own WordPress site, you start with a responsive WordPress framework that allows you to create a site exactly the way you want. Here at the highly caffeinated agency, we prefer a framework that allows a modular approach to building, as that is the most flexible.

Another option is to purchase a custom WordPress theme that is designed to meet the needs of a specific business or industry. You can find pre-designed WordPress themes for just about any business or service on ThemeForest.

Here are some basic WordPress theme considerations:

  • Is the theme compatible with the latest version of WordPress?
  • Does the theme include all of the specific functionality you require without using additional plugins?
  • When was the theme last updated?
  • How many users have purchased the theme, and what are they saying about it?

Starting with a ready-made premium theme can be a cost-effective way, especially for small businesses, to get a WordPress website, while still allowing you plenty of options for protecting your site as well.

Be Careful With Plugins!

One of the cool things about WordPress websites is that there are so many WordPress plugins to choose from! From simple contact forms to complex e-commerce configurations there is something for everyone. But it does make protecting WordPress websites a bit more difficult. You see, plugins are not created equal.

Here are some basic website plugin considerations:

  • Is the plugin compatible with the latest version of WordPress? (4.9.1 as of this post date)
  • When was the plugin last updated? (Should be within the past few weeks, or since the last WP update)
  • How many times has the plugin been downloaded? (I recommend 10,000+ times unless it is a real niche plugin)
  • What experience are other users having? (Be sure to check comments and reviews)

The above information is readily available on both the WordPress plugin repository and third-party plugin providers like CodeCanyon. If it is not, you can consider that a definite warning sign.
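The plugin checklist above can be applied mechanically to every plugin on a site. The following is an added example, not code from the original post: it checks one plugin listing against the four considerations and treats unpublished information as a warning sign. The field names (`tested`, `last_updated`, `downloaded`, `rating`), the sample records, the 8-week freshness window and the rating floor are assumptions made for the example.

```python
from datetime import date

# 10,000 downloads is the article's figure; the 8-week freshness window and
# the 80/100 rating floor are assumptions chosen for this example.
MIN_DOWNLOADS, MAX_AGE_DAYS, MIN_RATING = 10_000, 56, 80

def branch(version):
    """'4.9.1' -> (4, 9): compare on the major.minor release branch."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    return tuple((parts + [0, 0])[:2])

def vet_plugin(meta, wp_version, wp_released, today, niche=False):
    """Return warning labels for one plugin listing; empty list means it passes."""
    warnings = []
    # A listing that does not publish one of these fields is itself a warning sign.
    for field in ("tested", "last_updated", "downloaded", "rating"):
        if meta.get(field) in (None, ""):
            warnings.append("missing:" + field)
    if meta.get("tested") and branch(meta["tested"]) < branch(wp_version):
        warnings.append("not-tested-with-current-wordpress")
    if meta.get("last_updated"):
        updated = date.fromisoformat(meta["last_updated"])
        # Acceptable if updated recently OR since the last WordPress release.
        if (today - updated).days > MAX_AGE_DAYS and updated < wp_released:
            warnings.append("stale")
    downloads = meta.get("downloaded")
    if isinstance(downloads, int) and downloads < MIN_DOWNLOADS and not niche:
        warnings.append("low-downloads")
    rating = meta.get("rating")
    if isinstance(rating, (int, float)) and rating < MIN_RATING:
        warnings.append("poor-reviews")
    return warnings

# Constructed sample data (not real plugins); dates are illustrative.
TODAY, WP_VERSION, WP_RELEASED = date(2017, 12, 20), "4.9.1", date(2017, 11, 29)
SAMPLES = {
    "maintained": {"tested": "4.9", "last_updated": "2017-12-05",
                   "downloaded": 250_000, "rating": 92},
    "abandoned": {"tested": "4.4", "last_updated": "2016-02-10",
                  "downloaded": 3_200, "rating": 64},
    "opaque": {"tested": "4.9", "downloaded": 50_000},
}

if __name__ == "__main__":
    for name, meta in SAMPLES.items():
        print(name, vet_plugin(meta, WP_VERSION, WP_RELEASED, TODAY) or "ok")
```

Pass `niche=True` for a genuinely specialised plugin so the download threshold is not applied to it.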

Plugins are not that expensive, and even if a free version is available I usually recommend you opt for the premium version. Yes, I know you are very concerned about your budget. So imagine what kind of budget it takes to repair a hacked or otherwise compromised site?

Hosting Makes a Difference!

Another key consideration for protecting WordPress websites is where they are hosted. There are many different website hosting options available to business owners. But some of them are better than others! Once again, opting for the cheapest option is most likely not in your best interest. Instead, you should select a hosting provider that offers secure and reliable hosting. This is so important to us that we are even giving you a special discount offer to try out our preferred WordPress hosting provider!

Use! Strong! Passwords!!

Sorry, but in my opinion website owners who don’t use strong passwords deserve to have their WordPress website hacked! I mean, you wouldn’t go to work and leave your front door wide open, would you? Well, weak passwords have pretty much the same effect. Coming up with strong passwords takes some effort, so feel free to use a secure password generator. And be sure to keep your passwords in a safe place!

Don’t Forget Your Site After Launch!

One of the biggest problems in protecting WordPress websites we see at is that many business owners build them, launch them, and promptly forget about them. Or so it seems! So here is a simple fact many of you have never considered:

Launching a website is like giving birth to a baby. Now you need to support and maintain it if you want it to provide sustaining results!

If you followed my advice from earlier in this post and are working with a web designer or agency, ask them if they offer a website maintenance plan. If they do, I highly recommend you sign up for it! The monthly cost is minimal compared to what it will cost to build you a new website, trust me! But if your budget considerations still outweigh your security concerns, I have a few more options for you!

Make Regular Website Backups!

Part of protecting WordPress websites is to prepare for the worst-case scenario: your website gets compromised or taken down. The easiest and fastest way of getting back to normal in that case is by restoring an existing backup. Lucky for you, getting backups is actually pretty easy. Some hosting providers like WPEngine make regular daily backups as part of their hosting service. Or you can use a plugin that does the same.

The highly caffeinated agency uses and recommends the UpdraftPlus plugin as it provides you with the most configuration options. For instance, the premium version gives you the option to back up your entire site to Dropbox, Amazon Web Services, or Google Drive.

Here are some basic website backup considerations:

  • Static sites that do not change much should be backed up at least once a month
  • If you blog regularly you should back up after each new post
  • Busy e-commerce sites should be backed up every few hours so you don’t lose too many online sales
  • ALWAYS back up your website before making any updates or any other changes

Install WordPress Security Plugins!

Protecting WordPress websites is actually a bit easier than you may think. Some hosting providers like WPEngine actually take care of that for you. If not, you should install one of the available WordPress security plugins. We recommend and use both Wordfence and Sucuri for many of our client websites, and we never had one hacked!

Once again, both of these have free and premium versions, and I highly recommend that you opt for the paid versions. Not only do you get professional level support if you need help configuring them; the paid versions have more options. Funny how that works, isn’t it?

And a gentle reminder that protecting WordPress websites does not end with installing one of these plugins! Many folks don’t configure them correctly, which means they are not working to their full potential. And in one case I came across some time ago the client actually downloaded and installed the plugin, but forgot to activate it! Come on folks, you can do better than that, can’t you?

Stay Up-to-Date on Security Threats!

One of the conversations I mentioned at the beginning of this post was with another agency owner. They had a client site taken down recently. They had security software installed and configured, and the site was on a secure hosting provider. So what went wrong? Well, one of the plugins on the site had a security flaw. It was not a major part of the site, and they did not monitor that plugin closely. And that little thing was all it took for a hacker to get in, and kill the site! Ouch!!

I hate to tell you this, but protecting WordPress websites does require attention to these little pesky details. And just like the NSA gets daily reports if Kim has been throwing his toys around again, or if @therealdonaldtrump had a busy morning, WordPress security organizations have their own daily reports. The ones I read with my second espresso of the day are WordPress Security and Updates from Wordfence, the Sucuri Blog, and the WPMU DEV Blog. I highly recommend you do the same, at least a few times a week.

Now That You Know About Protecting WordPress Websites …

And that’s all most business owners really need to know about protecting WordPress websites. Of course, knowing something and actually doing something are two vastly different things! I have provided the same info as a presentation at conferences and for business organizations. Usually, there are a few folks taking notes or clicking links on their iPads. So they are probably good to go or know someone who can help them.

Hacked Sites Are Up 32% in 2016. (Source: Google)

But especially small business owners or individual professional service providers tend to be partially or totally overwhelmed and in shock. I completely understand! This is not only a scary subject; it is foreign to many of you. And now you just found out that you have to deal with this, on top of maintaining and updating your website. Not to mention that little detail of actually running and growing your business.

What to Do If You’ve Been Hacked

First, take a couple of deep breaths! Relax, as with most website tasks, this sounds way scarier than it really is. If you followed the above steps or had your web designer follow them, your site is pretty safe from malicious attacks. And by having a backup of your site you can quickly get back to normal in a worst-case scenario. So please don’t lose any sleep over this tonight!

But if you haven’t done anything since you launched your site, I recommend you get some help. If your business website looks and functions as always, it most likely has not been compromised in any way. But if you notice strange or even offensive content or images, or if your site suddenly doesn’t work the same, you most likely have been hacked. In that case, you should get professional help, starting with a free security scan or malware scan. That will help you determine the next steps.

The average cost of a hacked website is $2,518. (Source: Wordfence Blog)

Keep in mind that a hacked website will not only cost money to restore. You will also lose any sales from your site while it is down, and that does not include the cost of potential sales that went to your competitors. You should also expect a pretty significant drop in your organic search rankings, and that can take a long time to recover.

More About WordPress Websites

Many businesses and organizations use WordPress to power their online presence. It is a very versatile, robust, and scalable web development platform. From a simple small business website to a large e-commerce store WordPress can help you achieve your online marketing and engagement objectives.

Need Help Protecting Your Own WordPress Website?

Here at, we offer a full range of innovative WordPress web design services, including WordPress web design and development, technical support services, search engine optimization, and website maintenance plans. Contact us to learn more about how our team can help you get your own WordPress website secured and protected, and protect your online presence.

Do you have anything to add to our tips for protecting WordPress websites? Please leave your comments below so our audience can benefit as well, and grab our feed so you don’t miss our next post! And help your friends and associates protect their online presence by sharing these steps for protecting WordPress websites with them!

Thank you! We appreciate your help to end bad business websites, one pixel at a time!

By Gregor Schmidt Co-Founder / Creative Technologist @gregorspeaks