Warding off the WP Hacker 101

Let’s face it, having a website is sort of like having a house – or more accurately, like having a house in Compton. If you don’t lock your doors and close your blinds, you’re bound to get robbed.

The difference with your website is, there’s always a new door being found. Hackers are constantly scouring popular platforms looking for vulnerabilities, and WordPress is no exception.

Have a look at some of the stats:

statistics of website traffic

Pretty daunting stuff, right? Keep in mind that loss of traffic also translates into loss of revenue, as most business owners are well aware.

Luckily, there are precautions that you can take to protect your virtual home from these nuisances. And believe it or not, it’s not that tough to do.

Password security

According to Google, one of the most common ways sites get broken into is password guessing: hammering the login form with likely passwords until one works. It’s no secret that a strong password is paramount when securing anything that’s on an open network. Unfortunately, in the words of Sonny LoSpecchio, “Nobody cares”.

It used to be that you needed to make a crazy long password with lots of numbers and symbols that even Rain Man would have trouble remembering. Well, in case you haven’t heard, the guy who wrote that rule (for NIST, back in 2003) has since said he regrets it, and NIST’s current guidance favors length over forced complexity.

comic about passwords

Image credit – xkcd

Nowadays, you should be using random, unrelated words to create your passwords. Something like “notebookchipsbriefcasewater” (fun fact: that’s what’s sitting on my desk right now, which is exactly why you shouldn’t copy it: the words have to be picked at random, from a word list or by rolling dice, not read off your desk or pulled from a song lyric).

For your convenient re-education, here are some password-creation pointers:

  • Use random words all joined together. Obviously this is what we just stated, but here’s the reasoning behind it: as shown in that little comic above, a cracking program like John the Ripper or Hashcat guessing at 1,000 tries per second (roughly what an attack on a login form can manage) needs about 3 days to run through every possibility for a password like “Tr0ub4dor&3” (about 28 bits of entropy), but about 550 years for “correcthorsebatterystaple” (about 44 bits). Let that sink in. One caveat the comic notes in small print: if an attacker steals your site’s password hashes and cracks them offline on a GPU, the guess rate is millions of times higher, so treat four words as the floor and go for five or six.
  • For God’s sake, don’t leave your password on a post-it note, on your computer, in plain sight: No explanation needed, I hope.
  • Try to avoid using easily-found personal information: Things like your spouse’s name, your anniversary date, your daughter’s birthday, etc, are all go-to’s for potential hackers. Avoid them like you avoid donating to the Salvation Army guy that stands outside of Walmart during the holiday season.
  • Use different passwords for different accounts: Once a hacker figures out that your password is “ilovejustinbieber”, they’re going to use it on every account that you have to try and break into those, too. And just changing it to “iloveharrystyles” isn’t going to cut it either – remember, random words.
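To put numbers on the comic’s claim, here is an added example (not code from the original article). It generates a passphrase the right way, from the operating system’s random source rather than a glance around the desk, computes the entropy of a diceware-style passphrase, and reproduces the 3-days-versus-550-years figures. The word list is a small constructed sample (a real diceware list such as the EFF long list has 7,776 words), and the two guess rates are assumed round numbers: 1,000 per second for guessing against a login form, which is the comic’s assumption, and ten billion per second for a GPU working on a leaked, fast hash.

```python
"""Passphrase strength, worked through the way the xkcd comic does it.

Added example, not code from the original article. Assumptions are marked:
the word list is a small constructed sample (a real diceware list such as
the EFF long list has 7776 words), and the guess rates are round-number
illustrations, not measurements of any particular attacker.
"""
import math
import secrets

# Constructed sample word list; stand-in for a real 7776-word diceware list.
WORDLIST = [
    "notebook", "chips", "briefcase", "water", "correct", "horse",
    "battery", "staple", "lantern", "pebble", "violin", "orbit",
]

# Assumed guess rates (orders of magnitude, for illustration only).
ONLINE_LOGIN_FORM = 1_000           # the comic's figure: guessing against a web login
OFFLINE_FAST_HASH = 10_000_000_000  # a GPU rig against a leaked, fast (e.g. MD5) hash

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def generate_passphrase(word_count, wordlist=WORDLIST, sep=""):
    """Pick word_count words uniformly at random using the OS CSPRNG.

    secrets.choice is the point: the strength estimate below only holds if
    every word was chosen at random, not by looking around your desk.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def entropy_bits(word_count, wordlist_size):
    """Each uniformly chosen word from N candidates adds log2(N) bits."""
    return word_count * math.log2(wordlist_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try every possibility (worst case; the average is half this)."""
    return (2.0 ** bits) / guesses_per_second


def xkcd_comparison():
    """Reproduce the comic's two numbers: ~3 days vs ~550 years at 1,000/s."""
    troubador_bits = 28  # 'Tr0ub4dor&3' as estimated in the comic
    horse_bits = 44      # 'correcthorsebatterystaple' as estimated in the comic
    return {
        "Tr0ub4dor&3_days":
            seconds_to_exhaust(troubador_bits, ONLINE_LOGIN_FORM) / SECONDS_PER_DAY,
        "correcthorsebatterystaple_years":
            seconds_to_exhaust(horse_bits, ONLINE_LOGIN_FORM) / SECONDS_PER_YEAR,
        # Same 44 bits, but the hash leaked and is cracked offline: minutes, not centuries.
        "correcthorsebatterystaple_offline_minutes":
            seconds_to_exhaust(horse_bits, OFFLINE_FAST_HASH) / 60,
    }


def diceware_years(word_count, wordlist_size=7776, guesses_per_second=OFFLINE_FAST_HASH):
    """Years to exhaust a word_count-word diceware passphrase at the given rate."""
    bits = entropy_bits(word_count, wordlist_size)
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    for label, value in xkcd_comparison().items():
        print(f"{label}: {value:,.1f}")
    for n in (4, 5, 6):
        print(f"{n} diceware words vs offline GPU: {diceware_years(n):,.0f} years")
    print("sample passphrase:", generate_passphrase(5, sep="-"))
```

The offline row is the one to stare at: the same 44-bit passphrase that holds for centuries against a login form falls in about half an hour once the hash is in the attacker’s hands and the hash is a fast one. Against the assumed GPU rate, four diceware words last days, five last decades, and six last hundreds of thousands of years, which is why six is the usual recommendation for anything that matters.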

For the love of Matt Mullenweg, update your themes and software

I’m a web developer by trade. When I go to a website with 27 outdated plugins that are 12 versions behind and a theme from 1905 whose developer passed in the Great War, I actually soil myself. After I change into clean pants, I furiously back up and update the whole package.

As one WordPress security giant, Sucuri, states:

“Plugins and themes can become deprecated, obsolete, or include bugs that pose serious security risks to your website.

To protect your WordPress installation, we recommend that you audit your plugins and themes on a regular basis.”

It’s not even that hard to exploit an old plugin or theme. When new versions are released, most developers include a changelog with the update, which typically calls out the security fixes. Those logs often spell out exactly what the vulnerability was and which versions are affected, so anyone can go hunting for sites still running the old version, which is kind of like telling Mark Zuckerberg all about your awesome new app idea.

It’s a simple thing to get up to date. Make sure you back up your website first, in case anything goes awry. Then go to the plugins page and click this button on every plugin that needs to be updated.

screenshot of plugins page on wordpress

Or, you can amaze your family and friends and head over to the “Updates” page, select all, and update all of them at the same time!

screenshot of plugins dashboard on wordpress

Do the same with themes and, last but not least, your WordPress version, and you’re good to go! Your website is up to date. Give the site a quick once-over afterwards (if an update broke something, that’s what the backup is for), and delete any plugins and themes you no longer use: a deactivated plugin’s files are still sitting on the server, and they can still be attacked.
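If you look after more than one site, clicking through the Updates page gets old, and the regular audit Sucuri recommends can be scripted. The following is an added example (not from the original post, and not WordPress or Sucuri code): it reads the version each plugin and theme declares in its header, the same header WordPress itself reads, and lists anything behind a table of current versions. That table is a constructed stand-in for what you would fetch from the WordPress.org plugin and theme APIs, and every plugin, theme and version number in it is made up for the example.

```python
"""Audit WordPress plugins and themes for versions behind the latest release.

Added example, not code from the original article or from WordPress itself.
What it relies on: WordPress reads a plugin's version from a "Version:" line
in the PHP comment header of the plugin's main file, and a theme's version
from the same kind of header in its style.css. The LATEST table below is a
constructed stand-in for what you would fetch from the WordPress.org APIs;
the plugin names and version numbers are made up.
"""
import re
import tempfile
from pathlib import Path

# Header line such as "Version: 1.9" or " * Version: 1.9" inside a /* ... */ block.
VERSION_RE = re.compile(r"^[ \t]*\*?[ \t]*Version:[ \t]*(\S+)", re.MULTILINE)


def version_key(version):
    """'1.10.2' -> [1, 10, 2]; non-numeric suffixes ('2.0-beta') drop to 0.

    Versions must be compared numerically: as strings, '1.9' > '1.10'.
    """
    key = []
    for part in version.split("."):
        digits = re.match(r"\d+", part)
        key.append(int(digits.group()) if digits else 0)
    return key


def version_lt(a, b):
    """True if version a is older than version b (padded so '1.2' == '1.2.0')."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return ka < kb


def read_header_version(path):
    """Return the Version: value from a file's leading header block, or None."""
    match = VERSION_RE.search(Path(path).read_text(errors="replace")[:8192])
    return match.group(1) if match else None


def installed_versions(wp_content):
    """Map 'plugin/<slug>' and 'theme/<slug>' to the version declared on disk."""
    wp_content = Path(wp_content)
    found = {}
    for plugin_dir in sorted(p for p in (wp_content / "plugins").iterdir() if p.is_dir()):
        # The main file is whichever top-level .php file carries the header.
        for php in sorted(plugin_dir.glob("*.php")):
            version = read_header_version(php)
            if version:
                found[f"plugin/{plugin_dir.name}"] = version
                break
    for theme_dir in sorted(p for p in (wp_content / "themes").iterdir() if p.is_dir()):
        style = theme_dir / "style.css"
        if style.is_file():
            version = read_header_version(style)
            if version:
                found[f"theme/{theme_dir.name}"] = version
    return found


def outdated(installed, latest):
    """[(slug, installed_version, latest_version)] for everything behind."""
    return sorted(
        (slug, have, latest[slug])
        for slug, have in installed.items()
        if slug in latest and version_lt(have, latest[slug])
    )


def build_sample_wp_content():
    """Constructed wp-content tree with made-up plugins and a made-up theme."""
    root = Path(tempfile.mkdtemp()) / "wp-content"
    files = {
        "plugins/example-forms/example-forms.php":
            "<?php\n/*\nPlugin Name: Example Forms\nVersion: 1.9\n*/\n",
        "plugins/example-cache/cache.php":
            "<?php\n/**\n * Plugin Name: Example Cache\n * Version: 2.4.3\n */\n",
        "plugins/example-cache/helpers.php": "<?php // no header in this file\n",
        "themes/example-theme/style.css":
            "/*\nTheme Name: Example Theme\nVersion: 3.0\n*/\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


# Constructed stand-in for the current versions the WordPress.org API would report.
LATEST = {
    "plugin/example-forms": "1.10.1",
    "plugin/example-cache": "2.4.3",
    "theme/example-theme": "3.1",
}


def audit(wp_content, latest=LATEST):
    """Everything under wp_content that is behind the given latest-version table."""
    return outdated(installed_versions(wp_content), latest)


if __name__ == "__main__":
    for slug, have, want in audit(build_sample_wp_content()):
        print(f"UPDATE {slug}: {have} -> {want}")
```

The one detail worth the extra lines is the version comparison: compared as strings, “1.9” sorts after “1.10”, so a naive script would report the oldest install as current. Run against a real site, point it at the live wp-content folder and replace the constructed table with the versions the WordPress.org API returns.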

Install security software

There are quite a few options out there for WordPress security software, but then again, there are quite a few covers of “Time After Time”, and we all know Cyndi Lauper holds the crown. A couple of plugins come more recommended than the rest.

Sucuri

Sucuri is a big name in the security industry in general, and their WordPress plugin is more than enough to keep the most common internet menaces from tampering with your website.

The free plugin covers hardening options, file-integrity scanning (it checks your core files against the copies on WordPress.org), and blacklist monitoring. They also offer premium options.

It can be tricky to set up, but it’s well worth it to keep your website safe, and we at build/create are always here to help you with configuration.

Wordfence

Possibly the most well-known of the WP security players, Wordfence has been around since 2012, and they’ve definitely made a name for themselves in the security space.

The free version of Wordfence is definitely more feature-rich than the free version of Sucuri. The only real downside is the effect it can have on site performance, since its firewall and scanner run in PHP on your own server rather than in front of it. But everything comes with a price. Even free stuff.

Backups are your friends

Most of the time there is some form of backup being done on your website server-side, by your web host. However, if you’re making money from your website and it goes down, every minute counts during recovery, and your hosting company may not be the quickest to respond and restore your site. Plus, they might not even have a recent enough version backed up.

And that’s why I ALWAYS recommend you back your website up yourself, one way or another, and keep the copy somewhere other than the web server. Once someone is inside your server, a backup sitting next to the site is theirs to delete or infect too.

There are several plugins to do this, most notably BackupBuddy, UpdraftPlus, and Duplicator, or you could also have a top-notch web company, most notably build/create, handle the backups for you.

Typically, in the case of a breach, the parasites that infect your website are going to leave behind little eggs: backdoor files (often PHP dropped into the uploads folder), code injected into theme and plugin files, sometimes an extra admin user. Your copy of the website will be in pretty rough shape, and so will any backup taken after the break-in, which is why you want several generations of backups rather than a single copy that gets overwritten each time.

While it’s possible to clean out the files and get it back up to speed, most times it’s a lot easier to restore a backup from before the compromise, change every password the attacker could have picked up (WordPress admins, the database user, FTP/SFTP, and your hosting account), and then spend the time you would have spent cleaning files on better securing your website to prevent the breach from happening again.
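Knowing which files were touched is what makes the clean-up-or-restore decision, and it tells you whether a given backup predates the break-in. Below is an added example, not from the original article or from any of the plugins mentioned: a file-integrity snapshot taken at backup time (a list of SHA-256 hashes, kept off the server alongside the backup) and a diff of the live site against it that lists what was added, modified or removed, flagging the classic leftovers, namely PHP dropped into the uploads folder and edits to theme, plugin or core code. The sample site and the planted “backdoor” are constructed placeholders; nothing in it is executable PHP.

```python
"""File-integrity snapshot: what changed since the known-good backup?

Added example, not code from the original article. It hashes every file under
a WordPress install, keeps the result as a manifest, and later diffs the live
tree against that manifest to list what was added, modified or removed. The
sample site below is constructed in a temporary directory, and the planted
"backdoor" is an inert text file with a .php name, used only to show what the
diff surfaces.
"""
import hashlib
import tempfile
from pathlib import Path

# Paths where a changed or new file almost never happens legitimately.
CODE_PREFIXES = ("wp-content/themes/", "wp-content/plugins/",
                 "wp-includes/", "wp-admin/", "wp-config.php")


def build_manifest(root):
    """Map each file's path (relative, POSIX style) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(known_good, current):
    """Compare a stored manifest with a fresh one; every list is sorted."""
    return {
        "added": sorted(set(current) - set(known_good)),
        "removed": sorted(set(known_good) - set(current)),
        "modified": sorted(p for p in known_good.keys() & current.keys()
                           if known_good[p] != current[p]),
    }


def high_risk(changes):
    """Pick out the textbook leftovers: new PHP under uploads, edited code."""
    flagged = []
    for path in changes["added"]:
        if path.startswith("wp-content/uploads/") and path.endswith(".php"):
            flagged.append(("php-in-uploads", path))
    for path in changes["modified"]:
        if path.startswith(CODE_PREFIXES):
            flagged.append(("code-modified", path))
    return flagged


def build_sample_site():
    """Constructed mini WordPress tree; file contents are placeholders."""
    root = Path(tempfile.mkdtemp()) / "site"
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
        "wp-includes/version.php": "<?php $wp_version = '4.9.4';\n",
        "wp-content/themes/example-theme/functions.php": "<?php // theme functions\n",
        "wp-content/plugins/example-forms/example-forms.php": "<?php // plugin\n",
        "wp-content/uploads/2018/03/photo.jpg": "not really a jpeg\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


def simulate_compromise(root):
    """Plant the kind of leftovers the article calls 'eggs' (inert placeholders)."""
    (root / "wp-content/uploads/2018/03/shell.php").write_text(
        "<?php // placeholder standing in for a dropped backdoor\n")
    functions = root / "wp-content/themes/example-theme/functions.php"
    functions.write_text(functions.read_text() + "// placeholder for injected code\n")


def demo():
    """Snapshot, compromise, diff. Returns (changes, high-risk flags)."""
    root = build_sample_site()
    known_good = build_manifest(root)  # taken at backup time; store it OFF the server
    simulate_compromise(root)
    changes = diff_manifests(known_good, build_manifest(root))
    return changes, high_risk(changes)


if __name__ == "__main__":
    changes, flags = demo()
    for kind, paths in changes.items():
        for p in paths:
            print(f"{kind:9}{p}")
    for reason, p in flags:
        print(f"FLAG {reason}: {p}")
```

Two notes on using it for real. The manifest is only trustworthy if the attacker couldn’t edit it, so it belongs with the off-server backup, not in the web root. And a modified file list is a starting point, not a verdict: legitimate updates change theme and plugin files too, which is why you snapshot again right after you update. This is also, roughly, what the Sucuri and Wordfence scanners do when they compare your files against the reference copies on WordPress.org.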

Website security is kind of like the fighter jets that patrol the US borders.

Sure, they cost millions of dollars (the jets, not the security) and you don’t see any results at all when they’re working properly. But if you compare them to the alternative, they’re well worth the investment.

The most common reason folks don’t secure their websites is that they see no reason to. It’s kind of like being on a plane that’s crashing – you hear about it all the time, but you don’t think it could ever happen to you.

The problem is, a hacked site is much more common than you think, and it’s a headache that’s well worth avoiding if you can. In the words of Robert Mueller, former Director of the FBI:

“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

As dystopian as this sounds, what we should take from it isn’t hopelessness but preparedness, because hackers are to websites as lions are to gazelles: they pick off the weakest ones. So do yourself a favor and be one of the fast gazelles. It only takes a little bit of legwork.

Published 03/16/18 by Doug Sumner