Preventing WordPress Hacks

by Bill Burke
6 June 2019

It has been said that "presumption is the opposite of prevention". It's not unreasonable for a business to expect its website, especially a reasonably new website, to stay live and error-free. The reality, however, is that unless you take proactive measures to protect your site, the odds of it being hacked are fairly high.

If you've redeveloped your site within the past 5 years, there's a good chance it's based on the WordPress content management system (CMS). WordPress is the most popular web platform around today (accounting for one third of all websites) and for good reason:

  • It's user-friendly and easy to set up
  • Easy to update and maintain
  • Works well with search engines
  • Thousands of free (and premium) plugins available to extend functionality

The downside of using a ubiquitous technology like WordPress is that it has become a large target for hackers. When a malicious bot (an automated visitor) encounters your WordPress site, it will try to exploit it or take it down by cycling through a library of known WordPress vulnerabilities. If you've taken the measures listed below, your site should be able to withstand this kind of activity.

Backups

Maintaining site backups is the single most important activity. If your site is backed up, it can be easily restored, no matter how bad the hack. It's also a good idea to have your site backed up before undertaking some of the other tasks listed below. Obviously, the more recent the backup the better - you don't want to have to rely on an old backup that doesn't include recently added content. Your backup schedule should correspond with how active you are on the site: if you make weekly changes, then have the site backed up weekly.

WordPress versions, Plugins, & Themes

Keeping your version of WordPress up to date is essential. If you have been using WordPress for a while, you may have noticed how successive versions have extended functionality and improved user experience. That's not the only focus of WordPress updates: they also include essential security patches that close off discovered vulnerabilities. The older your version of WordPress, the more known vulnerabilities it likely harbors.

Your site almost certainly uses third-party-developed plugins and a theme. Just as with your core WordPress installation, they also need to be updated. Old plugins and themes are a common target for exploitation. Sometimes support for a plugin or theme is discontinued - the third-party developer simply stops issuing new updates. When this happens, it's time to start looking for a more up-to-date alternative.
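As an added example (not from the original post), the following script uses WP-CLI to list plugins and themes with pending updates and to check the core version, so it can run from cron on the server and alert when something is stale. It assumes WP-CLI (`wp`) is installed on the host; the CSV sample is constructed to mirror WP-CLI's `--format=csv` output.

```sh
#!/bin/sh
# Flag WordPress plugins, themes and core with pending updates via WP-CLI.
# Assumes `wp` is installed on the host. Run as: sh check-updates.sh /var/www/site

# Constructed sample of `wp plugin list --fields=name,status,update,version --format=csv`.
SAMPLE_PLUGINS='name,status,update,version
akismet,active,none,4.1.2
contact-form-7,active,available,5.1.1
old-gallery,inactive,available,1.0.3'

# Read WP-CLI CSV on stdin and print the names whose "update" column is "available".
# The header row is skipped; inactive plugins are reported too, since their code
# is still on disk and still reachable.
outdated_names() {
    awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Count pending updates in the CSV text passed as $1 (used by the self-check below).
count_outdated() {
    printf '%s\n' "$1" | outdated_names | wc -l | tr -d ' '
}

# Check the live site rooted at $1. Returns 1 if anything needs updating.
check_site() {
    root=$1
    stale=0
    for kind in plugin theme; do
        names=$(wp --path="$root" "$kind" list \
                    --fields=name,status,update,version --format=csv | outdated_names)
        if [ -n "$names" ]; then
            echo "$kind updates available:"
            echo "$names" | sed 's/^/  /'
            stale=1
        fi
    done
    # `wp core check-update` reports "WordPress is at the latest version." when current.
    if ! wp --path="$root" core check-update 2>/dev/null | grep -q 'latest version'; then
        echo "WordPress core update available"
        stale=1
    fi
    return $stale
}

# Only touch a real site when a path is given; otherwise just run the sample.
if [ -n "${1:-}" ]; then
    check_site "$1"
else
    echo "sample: $(count_outdated "$SAMPLE_PLUGINS") plugin update(s) pending"
fi
```

Scheduled daily, a non-zero exit from `check_site` is a cheap signal that the site has drifted from the "everything updated" baseline the section describes.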

Security Plugins

WordPress has several free and premium security plugins such as Sucuri and Wordfence. In addition to providing a firewall, plugins like these allow you to scan your site for corrupted or modified files and fix them.

Hosting

Weak passwords are a very common and easily preventable cause of website hacks. When you're setting your WordPress user login, use a relatively complex password - don't ignore WordPress' built-in password strength indicator: anything it deems "strong" is very unlikely to be guessed or brute-forced.

Other passwords that need to be secure: your hosting provider's login details, your FTP details, and your database connection details. If any of these is compromised, your site is entirely exposed.

All sites should be furnished with an SSL certificate. This is a security measure that encrypts any data in transit between the browser and your site (whether submitted by you or by a visitor), so intercepted data is of no use to an attacker.

Finally, it's a good idea to use a service like Cloudflare for your site. This is a service that sits between the visitor and your site and handles all requests to the site. It's a great tool for preventing DoS attacks ("denial of service" attacks involve a resource on your site, typically a login page, being bombarded with requests until the hosting server runs out of resources and the site goes down). Cloudflare also has a caching feature that will improve the loading time of your site.

If you need any further advice, or you have any concerns or questions about your own site (whether it's based on WordPress or not), please don't hesitate to get in touch by emailing [email protected] or calling us on 1 2939000.