How Secure Is Your WordPress Website?

How would you feel if you woke up one morning to find that the site you have poured your heart and soul into had been hacked? Gone is your pride and joy, and in its place is some ugly ad site or an inane message from the hacker.

The bad news is that once a site is hacked, it is normally very difficult to clean. In fact, without a known clean backup, you risk having to start from scratch again.


Yes, WordPress sites are often targeted by hackers, and odds are your site will be a target at some point. But the good news is that there is a lot you can do to protect yourself (and your site).

Secure Setup

Most attacks rely on known “shortcuts” used by 1-click installers (and most developers). By simply taking a bit of extra time to set up your WordPress site properly you will automatically block many hacking attempts.

Follow our step-by-step instructions here: How to Launch Your Self-Hosted WordPress Blog in Less than 20 Minutes

Is Your WordPress Database Secure?

1-click installers are included with most hosting accounts, and they seem like an easy way to get up and running. The problem is that each installation will have the same database name, database user and (often) database user password.

Hackers know these details and can use them to bypass WordPress altogether and add malicious content or additional users. Once they have installed these “back doors” your site is effectively theirs to control.

A full manual install takes less than 10 minutes and is incredibly easy. Why would you risk your site to save yourself this amount of time?

Is Your Table Prefix Non-Standard?

If you don’t know what a table prefix is, don’t worry.

All you need to know is that by default WordPress uses “wp_”, and hackers know this. Many of their attacks rely on this fact, and can be thwarted simply by using some other prefix.

Most 1-click installers will not give the option to change this, but a manual install will allow you to set it to whatever you want.

Is Your Admin Username Secure?

By default WordPress creates a user with full rights to your site and names it “admin”. Even though a manual install allows you to change the name, most people don’t.

Imagine how much easier it makes things for hackers when more than 90% of WordPress sites still use this account to access the dashboard. All they have to do is run a “brute force” script to crack the password – and anyone can get access to enough computing power to do that in under 24 hours these days.

Simply replacing “admin” with something harder to guess will make it exponentially harder for a hacker to gain access to your site.
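The “brute force” script described above leaves a very recognisable trace in the web server's access log: one client posting to wp-login.php over and over. The following is an added example (not from the original post) of spotting that pattern. It relies on stock WordPress behaviour, where a failed login re-renders the form with HTTP 200 while a successful one redirects with 302, and it runs over constructed sample log lines rather than real traffic.

```shell
#!/bin/sh
# Added example, not from the original post: spot password-guessing against
# wp-login.php in a combined-format (Apache/nginx) access log. Assumes stock
# WordPress behaviour: a failed login answers 200, a successful one 302.

# Write constructed sample log lines (no real traffic) to the file named in $1.
make_sample_log() {
  out="$1"; : > "$out"
  # One client hammering the login form: twelve failed attempts in twelve seconds.
  i=0
  while [ "$i" -lt 12 ]; do
    printf '203.0.113.7 - - [10/Mar/2014:02:11:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "python-requests/2.2"\n' "$i" >> "$out"
    i=$((i + 1))
  done
  # A legitimate user: one typo, then a successful login (302 redirect).
  printf '198.51.100.4 - - [10/Mar/2014:02:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"\n' >> "$out"
  printf '198.51.100.4 - - [10/Mar/2014:02:12:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$out"
  # Merely loading the login page is a GET and must never count.
  printf '198.51.100.9 - - [10/Mar/2014:02:13:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"\n' >> "$out"
}

# Print "ip failures" for every client with more than $2 (default 5) failed
# wp-login.php POSTs in log file $1, busiest first. In combined format field 6
# is the quoted method, field 7 the path and field 9 the status code.
flag_login_bursts() {
  awk -v t="${2:-5}" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { fail[$1]++ }
    END { for (ip in fail) if (fail[ip] > t) print ip, fail[ip] }
  ' "$1" | sort -k2,2nr
}

# Usage against a real log (path is a placeholder):
#   flag_login_bursts /var/log/apache2/access.log 20
# Against the constructed sample the only hit is:  203.0.113.7 12
```

Clients that show up here are the ones you would block at the firewall or hand to a login-limiting plugin; the legitimate user with a single typo never crosses the threshold.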

Is Your Password Secure And Hard To Guess?

It is scary how many people use passwords that are easy to guess – pets’ names, birthdays, significant others, etc. If you use anything that could easily be discovered on social media, or with a Google search, then you are making it way too easy for the hackers.

And if you are worried about having to remember some random string of characters and numbers (the most secure sort of password), then maybe it is time to invest in a password management program – 1Password is the best for Mac and RoboForm will do the job for PCs.

Have You Deleted All Unused Themes And Plugins?

Themes and plugins also contain code that can be exploited by potential hackers.

Play it safe – deactivate and delete any themes and plugins that you do not absolutely need.

Ongoing Maintenance

OK, so you have the basic setup done in a way that makes it harder for hackers to gain access to your site.

But site security is not a once-off effort. There are things you need to do on an ongoing basis to keep hackers out of your site and ensure you can clean up quickly should they gain access.

Is Everything Up To Date?

Have you noticed how often WordPress is updated? Sure, there are some new features added now and then, but the majority of the releases are to address known security issues.

And if the WordPress developers know about the security issues, you can bet the hackers do too.

Don’t take the risk of hackers gaining access through a hole that WordPress (or theme/plugin developers) have already closed. Make sure you regularly check your WordPress dashboard for available updates and apply them promptly.

Do You Run Regular Backups?

This one won’t stop the hackers, but it will certainly make the job of recovering easier.

Unless you are adding multiple articles a day to your site, a full site backup on a weekly basis should suffice. If you are posting more regularly you might want to add a daily database backup to the mix.

Of course, you could do this manually, and there are some decent free backup plugins. But I highly recommend you install and use BackupBuddy. Yes, it costs a few dollars, but it allows you to automate the whole process and makes it incredibly easy to restore your site should you ever need to.

Are Your Backups Stored Off Site?

What good is a backup file if you can’t access it when you need to restore from it?

Many hacks can make such a mess of your site that any backups stored on it may become inaccessible and/or corrupted.

Play it safe and store your backups somewhere other than just on your site. If you use BackupBuddy you can configure it to automatically store the backup files in your Backup Buddy Stash (cloud storage especially for your backups).
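For readers who would rather script the weekly backup than buy a plugin, here is an added example (not from the original post, and not BackupBuddy) covering the two previous sections: it dumps the database, bundles it with every site file into one timestamped archive, checks the archive can be read back, and copies it off the server. It assumes mysqldump, tar and scp are installed, that wp-config.php defines the DB_* constants with single quotes as the sample config does, and the site path and off-site host are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal full WordPress backup
# (database dump plus all files) written to one timestamped tarball and then
# copied off site. Assumes mysqldump/tar/scp are installed and that
# wp-config.php uses the stock  define('DB_NAME', '...');  single-quote form.

# Pull a define('KEY', 'value') constant out of wp-config.php ($1 = file, $2 = KEY).
wp_config_value() {
  sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1"
}

# Dump the database named in wp-config.php $1 to the SQL file $2.
# (Needs a live MySQL server, so the accompanying check does not call it.)
dump_database() {
  cfg="$1"; out="$2"
  mysqldump --single-transaction \
    --host="$(wp_config_value "$cfg" DB_HOST)" \
    --user="$(wp_config_value "$cfg" DB_USER)" \
    --password="$(wp_config_value "$cfg" DB_PASSWORD)" \
    "$(wp_config_value "$cfg" DB_NAME)" > "$out"
}

# Bundle the site directory $1 and the dump file $2 into a timestamped
# compressed tarball under $3. Prints the archive path.
archive_site() {
  site="$1"; dump="$2"; dest="$3"
  stamp=$(date -u +%Y%m%d-%H%M%S)
  archive="$dest/wp-backup-$stamp.tar.gz"
  tar -czf "$archive" \
    -C "$(dirname "$site")" "$(basename "$site")" \
    -C "$(dirname "$dump")" "$(basename "$dump")"
  echo "$archive"
}

# A backup you cannot read back is no backup: confirm the tarball unpacks and
# that both the config file and the SQL dump are inside it.
verify_archive() {
  listing=$(tar -tzf "$1") || return 1
  echo "$listing" | grep -q '/wp-config\.php$' && echo "$listing" | grep -q '\.sql$'
}

# Copy the archive to another machine so a wrecked site cannot take it down
# with it. Host and path are placeholders; not exercised by the check.
ship_offsite() {
  scp "$1" "backup-user@offsite.example:/backups/"
}

# Weekly run from cron (paths are placeholders):
#   dump_database /var/www/html/wp-config.php /var/backups/db.sql
#   a=$(archive_site /var/www/html /var/backups/db.sql /var/backups)
#   verify_archive "$a" && ship_offsite "$a"
```

The verify step is the one people skip and the one the comment below rightly insists on: run a restore into a scratch directory from the off-site copy at least once, not just the listing check here.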

Do You Regularly Scan For Malware?

Don’t be fooled – many hacks are not immediately obvious.

Often hackers will deliberately not leave any visible signs of attack for weeks (or months). Why? So that when your site is restored from a recent backup, they still have access through the back door they installed and can wreak havoc again.

Yes, even if you are running regular backups, you still won’t know when your site was hacked, and so you can’t be sure which backup is clean.

You do have the option of running a manual Sucuri check any time you want, but this is only a remote scan and won’t show everything. If you want more peace of mind, sign up for a Sucuri subscription. Sucuri will then actively monitor your site and let you know as soon as a hack occurs.
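Sucuri's monitoring and plugins like WordFence do two things a remote scan cannot: they compare the files on disk against a known-good baseline, and they look for PHP where no PHP belongs. As an added example (not from the original post or from either product), here is that file-integrity check in shell. It assumes you take the baseline right after a clean install or a verified restore and keep it somewhere the site cannot overwrite; the site paths in the check are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a file-integrity baseline for a
# WordPress directory, plus a sweep for PHP files under wp-content/uploads.
# Assumes the baseline is taken from a known-clean copy and stored off the site.

# SHA-256 of one file; uses sha256sum (coreutils) or shasum (macOS/BSD).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Record "hash path" for every file under $1, sorted by path. Paths containing
# spaces are not handled by this simple format.
make_baseline() {
  (cd "$1" && find . -type f | sort | while read -r f; do
     printf '%s %s\n' "$(hash_file "$f")" "$f"
   done)
}

# Compare the live site $1 against baseline file $2 and print one line per
# difference: "added PATH", "changed PATH" or "removed PATH".
check_against_baseline() {
  cur=$(mktemp)
  make_baseline "$1" > "$cur"
  awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }          # first file: the baseline
    { seen[$2] = 1
      if (!($2 in base))        print "added " $2
      else if (base[$2] != $1)  print "changed " $2 }
    END { for (p in base) if (!(p in seen)) print "removed " p }
  ' "$2" "$cur" | sort
  rm -f "$cur"
}

# Uploads should hold images and documents only; any .php there deserves a look.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php'
}

# Usage (paths are placeholders):
#   make_baseline /var/www/html > /root/wp-baseline.txt      # right after a clean install
#   check_against_baseline /var/www/html /root/wp-baseline.txt   # from a daily cron job
#   find_php_in_uploads /var/www/html
```

Expect noise from legitimate updates: refresh the baseline after each update you applied yourself, and treat anything that changed when you did not change it as the moment the site was compromised, which also tells you which backup predates it.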

What to do next

If you answered “no” to any of the above questions then your site is at serious risk of attack. These days it is not so much a matter of “if”, but “when” someone will try to attack your site.

Don’t make it easy for them – plug the gaps NOW! If you need help securing your site or if your site has been hacked, get in touch so we can advise you of the best path forward.


  1. Michele says

    Do you think free backup/security plugins are not worth the risk? If you had to recommend a free option, which one would you recommend? I’ve heard WP Backup to Dropbox is good – I don’t mind doing a manual backup regularly, I just don’t know how. I want to make sure it keeps images and design, not just content. Thanks-

    • says

      Some of the free backup options are quite good, but be careful when selecting one.

      You need to make sure both your database AND all of your files are backed up. Also, you need to consider how easy it will be to restore your site from a backup if needed – this is where many of the free plugins fall short (ie, it can be a highly manual process to restore your site from a backup file).

      WP Backup to Dropbox seems OK, and I have heard good things about it. Note that it operates on a “freemium” model, meaning that to get the full functionality (eg, zipped backups) you need to pay for “extensions”. Another option may be Xcloner, although I would be wary with this one as there are mixed reviews on whether it works properly with the latest version of WordPress.

      The reasons we like BackupBuddy so much are:
      * It works beautifully for backing up your database and all of your files
      * You can schedule backups and get them sent to a range of offsite storage locations automatically
      * It has a very easy restore process (including by individual file in the latest version)
      * It effortlessly translates domains when restoring – meaning you can easily move your site to a new domain, or from a (local) development server to your live site. This feature alone is worth the price of the plugin for me!

      Whatever you choose, make sure you test that you can perform a full restore.

  2. says

    Warren —

    Great tips! I was unaware that the one-click installers all used the same info (but by habit I always modify the DB username/password).

    One more tip – I add every site I create to Google Webmaster Tools – you’ll get a heads up alert if there are any issues with your site.

  3. says

    Thank you Helena for these tips! I went and tried to change my username from admin and it said this cannot be changed. That is a little bit frustrating! Other than that I have everything covered. Thank you!

    • says

      Hi Janelle

      You can’t change the name of the admin user. You will need to create a new user with administrator rights, then log in as that new user and delete the “admin” user. Note that when you set up the new user you will not be able to use the same email address as the current admin user – just set it to something else and once the “admin” user is deleted you can change the email on the new user to your current email.

  4. says

    Important steps to secure one’s website, Warren. Thanks for sharing. Hacking is more common than one would think, and unfortunately we don’t get serious about website security until we see the skull and crossbones. In addition to the tips you provided, I find WordFence to be useful in keeping track of updates and for blocking visitors who have no right to try to log in using combinations of Admin, admin, administrator as well as trying to guess the user name based on different variables. It also helps to review the visitors log in cPanel every now and then to see what is going on.

    • Warren Denley says

      Yes, WordFence is a good option for those who are a little more comfortable setting and monitoring their security parameters. We don’t recommend it for the absolute beginner because it can be a little confusing, and if you get it wrong you can lock yourself out. However, it does provide more options for monitoring and more fine-grained access control than the Sucuri plugin, so it is a good next step.
