Keeping your WordPress website secure and running smoothly takes a bit of effort, but not taking care of your site puts it at risk for hacking or malware attacks. Here are a few things I have seen in my years of working with WordPress that can make your site vulnerable to performance and security issues:
Ignoring plugin & core update notifications
There are new versions coming out for plugins almost constantly – bug fixes, new features, and security patches. Depending on how many plugins are running on your site, you may get these notices quite often. WordPress core files also require updating, typically every month or so as they release new versions.
It can be overwhelming to log in to your dashboard and see those orange update circles everywhere! But ignoring them is a bad idea: an outdated plugin is the number 1 way that WordPress websites get hacked.
Typically, updating plugins and WordPress core files takes just a few minutes, thanks to the ‘click to update’ option. But occasionally, a new plugin version may conflict with something on your site, leading to errors, broken functionality, or a site that won’t load. So make sure you have a backup you can restore in case something goes wrong!
Keeping the default admin username active
When WordPress is first installed, it has one administrator user with the name ‘admin’. Keeping this user active makes it WAY too easy for bots to gain access to your site with a brute force attack. Create a new admin-level user in your WordPress admin with a secure password (tip: use a password generator!) and delete the original ‘admin’ user. It takes 2 minutes and makes a huge impact on your site’s security.
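The swap described above can be done from the command line with WP-CLI instead of clicking through the dashboard. The script below is an added example, not code from the original post: it creates a new administrator with a generated password, hands the old ‘admin’ account’s posts and pages to that new user, and then deletes ‘admin’. The username and e-mail address at the top are placeholders you replace with your own; run it from the site root with `wp eval-file replace-admin.php`.

```php
<?php
/**
 * Added example (not from the original post): replace the default 'admin'
 * account with a freshly created administrator and reassign its content.
 * Run from the site root with WP-CLI:  wp eval-file replace-admin.php
 * The username and e-mail below are placeholders; change them first.
 */

$new_login = 'site-owner';          // placeholder: choose your own login name
$new_email = 'owner@example.com';   // placeholder: your real address

// wp_delete_user() lives in an admin include that WP-CLI does not load by default.
require_once ABSPATH . 'wp-admin/includes/user.php';

$old = get_user_by( 'login', 'admin' );
if ( ! $old ) {
    WP_CLI::success( "No user named 'admin' exists; nothing to do." );
    return;
}

if ( username_exists( $new_login ) ) {
    WP_CLI::error( "Username '{$new_login}' is already taken; pick another." );
}

// A 24-character random password with symbols, the same thing a password generator gives you.
$password = wp_generate_password( 24, true, true );

$new_id = wp_insert_user( array(
    'user_login' => $new_login,
    'user_email' => $new_email,
    'user_pass'  => $password,
    'role'       => 'administrator',
) );
if ( is_wp_error( $new_id ) ) {
    WP_CLI::error( $new_id->get_error_message() );
}

// Delete 'admin' but keep everything it authored by reassigning it to the new user.
wp_delete_user( $old->ID, $new_id );

WP_CLI::success( "Created '{$new_login}' (ID {$new_id}) and removed 'admin'." );
WP_CLI::log( "Temporary password (put it in a password manager, then change it): {$password}" );
```

Reassigning before deleting matters: `wp_delete_user()` without a second argument removes the old account’s posts and pages along with the user. Log in as the new user once before you close your current session, so you are never locked out if something went wrong.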
Assuming your web host is taking care of backups
A lot of web hosts have built-in site backup tools, but sometimes they aren’t reliable. Sometimes they don’t restore easily. Sometimes they just plain fail. And some web hosts don’t do this at all! So make sure you’re taking care of database and file backups on your own (it never hurts to have double backups!). There are a few fantastic plugins for WordPress (I like UpdraftPlus) that make it easy to schedule daily or weekly backups of your entire site, and even store them offsite in your Dropbox, Google Drive, or other cloud service.
Using too many plugins or plugins that have become unsupported
Not all plugins are created equal. Because WordPress is open-source, free software, that means there’s a world of developers creating and sharing free tools they’ve built for it. That can be great because there are so many options for adding features to your site. But it also means that anybody can build a plugin and call themselves a WordPress Plugin Developer.
The WordPress Plugin Repository does a good job of auditing what gets shared and published, and the WordPress community as a whole helps to keep things in check with comments and reviews. I try to stick with plugins from development teams who are established in the community, or that are widely used (you can see how many installs a plugin has had and when it was last updated, which helps!). But it’s easy to use plugins that end up being abandoned, and if a plugin hasn’t been updated in a few years, that can be a security risk for your site. So keeping up with removing and replacing older and unsupported plugins is important.
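Checking the “last updated” date by hand for every plugin is tedious, so here is an added example (not code from the original post) that does it for you: a small must-use plugin that asks the wordpress.org plugin API for each active plugin’s `last_updated` date and shows a dashboard notice for any that has gone more than two years without an author update. The two-year threshold and the `stale_plugin_check` names are my own assumptions; drop the file into `wp-content/mu-plugins/`.

```php
<?php
/**
 * Plugin Name: Stale Plugin Check (added example, not part of the original post)
 * Description: Shows a dashboard notice for active plugins whose wordpress.org
 *              listing has not been updated in more than STALE_PLUGIN_DAYS days.
 * Install: copy into wp-content/mu-plugins/. The 730-day threshold is an assumption.
 */

define( 'STALE_PLUGIN_DAYS', 730 );

// Returns array of plugin name => days since the author last updated it.
function stale_plugin_check_find_stale() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';          // get_plugins(), is_plugin_active()
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';  // plugins_api()

    $stale = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( ! is_plugin_active( $file ) ) {
            continue;
        }
        // The repository slug is the plugin folder, or the file name for single-file plugins.
        $slug = ( '.' === dirname( $file ) ) ? basename( $file, '.php' ) : dirname( $file );

        $info = plugins_api( 'plugin_information', array(
            'slug'   => $slug,
            'fields' => array( 'last_updated' => true, 'sections' => false ),
        ) );
        // Commercial or private plugins are not in the repository; skip them rather than misreport.
        if ( is_wp_error( $info ) || empty( $info->last_updated ) ) {
            continue;
        }
        $age_days = ( time() - strtotime( $info->last_updated ) ) / DAY_IN_SECONDS;
        if ( $age_days > STALE_PLUGIN_DAYS ) {
            $stale[ $data['Name'] ] = (int) $age_days;
        }
    }
    return $stale;
}

function stale_plugin_check_notice() {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    // Cache the result for a day: plugins_api() makes one HTTP request per plugin.
    $stale = get_transient( 'stale_plugin_check' );
    if ( false === $stale ) {
        $stale = stale_plugin_check_find_stale();
        set_transient( 'stale_plugin_check', $stale, DAY_IN_SECONDS );
    }
    if ( empty( $stale ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>Active plugins not updated by their authors in over '
        . (int) STALE_PLUGIN_DAYS . ' days:</strong></p><ul>';
    foreach ( $stale as $name => $days ) {
        printf( '<li>%s (%d days)</li>', esc_html( $name ), $days );
    }
    echo '</ul></div>';
}
add_action( 'admin_notices', 'stale_plugin_check_notice' );
```

A plugin that is flagged is not automatically dangerous, but it is one nobody is patching, so treat the notice as a prompt to look for a maintained replacement or to confirm the feature is still needed at all.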
Another pitfall that comes with the wide array of plugins available is that you can go a little nuts with it! There are plugins for adding ALL kinds of functionality, and that’s not always a good thing. An experienced web developer (like me! 😉) knows that sometimes, it’s better to use 1 or 2 lines of code in the theme files to get something done, rather than install a whole plugin for it. This keeps the site from becoming bloated with trying to load and run a bunch of unnecessary code.
There are also a lot of plugins out there that do the same thing, and I’ve seen sites with 2 or more plugins installed with features that overlapped when they could have consolidated with just 1 plugin. Keep it simple when you can!
Not using a security plugin
You’re not going to be able to monitor and stop all attempted hacking attacks on your site. So you need a bouncer, a gatekeeper to keep things safe while you’re off running your business and living your life. I like Wordfence because it has a lot of different ways of keeping your site secure: a firewall to keep out malicious traffic from bots, routine scanning for modified files & malicious code, and brute force blocking after too many failed login attempts. A security plugin is a must for any WordPress website!
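To make the “brute force blocking after too many failed login attempts” part concrete, here is an added example of how that mechanism works, written by me for this page; it is not Wordfence’s code and not part of the original post. It counts failed logins per client address in a transient and refuses further attempts from that address for 15 minutes once five have failed. The thresholds, the `sll_` names, and the assumption that the site is not behind a reverse proxy (where `REMOTE_ADDR` would be the proxy, not the visitor) are mine.

```php
<?php
/**
 * Plugin Name: Simple Login Lockout (added example; not Wordfence code, not part of the original post)
 * Description: After MAX_FAILURES failed logins from one address, refuse further
 *              attempts from it for LOCKOUT_SECONDS. Thresholds are assumptions.
 * Install: copy into wp-content/mu-plugins/.
 */

define( 'MAX_FAILURES', 5 );
define( 'LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// Key the counter on the client address. Behind a reverse proxy you would read the
// proxy's forwarded header instead (assumption here: no proxy, REMOTE_ADDR is the visitor).
function sll_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'sll_fail_' . md5( $ip );
}

// WordPress fires wp_login_failed for every bad password or unknown username.
function sll_record_failure( $username ) {
    $key   = sll_client_key();
    $fails = (int) get_transient( $key );
    // Each failure resets the expiry, so the window keeps sliding until the client goes quiet.
    set_transient( $key, $fails + 1, LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'sll_record_failure' );

// Refuse authentication once the threshold is reached, even if the password is now correct.
// Priority 30 runs after WordPress's own username/password checks (priority 20).
function sll_block_if_locked( $user, $username, $password ) {
    $fails = (int) get_transient( sll_client_key() );
    if ( $fails >= MAX_FAILURES ) {
        // Generic message: it does not reveal whether the username exists.
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.', LOCKOUT_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'sll_block_if_locked', 30, 3 );

// Clear the counter on a successful login so a legitimate user is not penalised later.
function sll_clear_on_success( $user_login, $user ) {
    delete_transient( sll_client_key() );
}
add_action( 'wp_login', 'sll_clear_on_success', 10, 2 );
```

A real security plugin layers more on top of this (per-username counters, blocking of known-bad addresses, protection of XML-RPC and the REST login path, alerting), which is why the post recommends installing one rather than rolling your own; the example only shows the core idea.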
Using a cheap web host
Where your website files “live” also has an impact on your website security. Some cheap web hosts will overload servers, which not only leads to a slow site but can put your site at risk if another site on your shared server gets hacked. It all depends on the server setup, so it’s worth the money to pay a little more for a reputable web host who prioritizes security. My favorite web hosts for WordPress sites are SiteGround and WP Engine.
Not installing an SSL certificate
Having an SSL (Secure Sockets Layer) certificate on your site encrypts any data transmitted between your visitors and your site – not just payment info, but data from web forms too. It will also load faster, and search engines have started giving a higher ranking to sites that have a certificate installed. A lot of web hosts are now offering free certificates through Let’s Encrypt, which makes it super easy to get one for your site.
Other WordPress Security Questions
How will I know if my site gets compromised or hacked?
If you have a security plugin like Wordfence running, usually a routine scan will flag any malicious code. Google Chrome (through Safe Browsing) can detect site hacking as well, so if you visit your site and get a giant red warning before the site loads, you know something’s going on. Your site might be flagged in Google search results, or if you have a Google Search Console profile for your site, you’ll get an email alert that something has been found. Other times, your web host will be alerted to unusual activity on your site, and they’ll take your site offline until it gets fixed.
What do I do if my site gets hacked?
Sometimes despite our best efforts, a site is compromised and you have to clean it up. If you have a recent backup, you can try a restore in the hopes that it’s a clean version. But sometimes those backups are also infected so a manual clean is required. If you’re tech-savvy and comfortable with digging through WordPress files and a MySQL database and know what to look for, you can do this yourself. But it’s almost always a better idea to hire someone for the job. There are companies that can help if the hack is extensive and complicated to clean up. (My maintenance retainer clients get this malware cleaning service for free if the worst-case scenario does happen!)
Why do bots and hackers attack sites? What is the whole point?
There are about a million reasons why bots and hackers try to compromise websites. Gaining private information and data they can sell is a big one (think logins, passwords, contact lists). Hackers also love to embed hidden links in your site to get back-link credit for search ranking, or to redirect traffic to a completely different site (basically stealing your website traffic). They’ll also use server resources to send mass emails, share files, and distribute other content.
So does this mean that WordPress isn’t secure?
Not at all! Every computer, device, and software is at risk for hacking. The targets are often the tools that are most widely used, and because WordPress powers so many websites, it has become a favorite for hackers. That’s why taking the time to address the things I outlined above is so important. If you follow those few tips, you’ll be doing a lot to keep your WordPress site safe!