WordPress Security: Preventing Your Site From Being Hacked

Published: June 24, 2015  by 

Password screen

No one ever wakes up in the morning thinking, “I’d love for my website to get hacked today.”

Having your website taken over by hackers is similar to experiencing a home break-in. You feel violated, you wonder what was stolen, and you’re going to sleep a little bit lighter for a while.

Thankfully WordPress is insanely secure. If there is an exploit, it’s typically patched within hours. There are also many eyeballs on the core code to ensure its security on the millions of websites where WordPress is installed.

WordPress: The Moving Target

WordPress is wildly popular and for good reason. As of today, WordPress powers roughly 24-percent of the top websites on the Internet. Approximately 74 million websites depend on WordPress.

The fact that WordPress is so popular makes it ever more likely that you will hear about someone getting hacked who is using WordPress.

So is WordPress insecure? Absolutely not. Hackers can get in a number of ways.

How do Hackers Break In?

There are a number of ways hackers can get access to your site. This is by no means an exhaustive list, but there are a few ways we’ve seen people get into a site and set up an exploit.

1. An Exploitable Plugin

WordPress Plugin Repository
WordPress Plugin Repository

WordPress has over 38,000 plugins in order to extend its functionality. While the WordPress plugin team removes or updates exploitable plugins rather fast, a few fall through the cracks.

There are also many premium plugins not hosted on WordPress.org. Rather than pay money for these plugins, some users will download a free copy from elsewhere, where it is not uncommon to download a modified plugin full of malware.

2. An Exploitable Theme

Slider Revolution
Slider Revolution

Theme marketplaces are popular as they often offer highly functional themes with a myriad of options for a low price.

Unfortunately, a slider plugin that was being included in a multitude of themes on these marketplaces had a severe exploit, leaving thousands of sites vulnerable.

The scary version is this exploitable code was patched months earlier, but all of the themes using the slider were slow to update.

Make sure to check the reputation of a theme you are about to purchase, download, and install. Just because you are paying good money for a theme does not make it secure.

3. Through Your Admin Account

WordPress Login Screen
WordPress Login Screen

WordPress is only as secure as your weakest administrator password.

Cracking a weak password only takes a few seconds, especially if someone has made or obtained a copy of your database.

Once in with your admin password, the hacker can get a copy of your database, install malicious plugins or themes, open up back doors… the sky is the limit here.

Even if you have a strong admin password, if you log into your WordPress site through public wifi, a user using network monitoring tools can easily capture your username and password for use later.

4. Through Your Hosting Account

A hacker can also get to your website using an FTP client or through your hosting account. Both are extremely dangerous, and typically any problems can be solved by using a hard-to-guess username and a very strong password.

As with WordPress admin accounts, avoid logging into anything sensitive using public wifi.

The Cost of Being Hacked

Google's Red Screen of Death
Google’s Red Screen of Death

Congratulations, you have a public website. You paid good money to an agency for a custom theme, launched it, and now you are making a decent amount of money each day directly and indirectly through your online presence.

Let’s assume your new site directly makes you about $100 a day. You come in on Monday morning and browse to your website. It has the dreaded red-screen-of-death. Your website is blacklisted, and Google is blocking access to your site.

Panic sets in. Nobody is able to get to your site. Your $100 a day, for the time being, is gone.

There’s No Time Estimate on Fixing a Hacked Site

It is understandable that a client wants their site up as soon as possible. What is scary about a hacked website is there is generally no easy way to tell how a user got in, what they took, what they infected, and what they are going to do with your site’s code.

A hacked site is like a hacked computer. The easiest way to fix a hacked computer is just to restore from a backup. You’ll lose data in this process, but it’s the quickest way to get you back up and running.

Your backup is 6 months old? That means we need to try to use the existing database and files instead of a straight restore.

As an agency, that means we need to go through every file, every directory, and make sure there’s no hacked code. We’ll use automatic scanners, but it’s still a very manual process.

Cleaning up a hacked site can take a few hours, or it can take several days. It’s an intense and unforgiving process.

Emergency Rates May Apply

Many agencies charge emergency rates for fixing hacked sites. A hacked site typically requires immediate attention and top engineering talent, so a diversion of those resources from existing projects usually comes at a premium rate.

Lost Business

While your site is hacked, it is inaccessible if on a blacklist. Your customers will not be giving you business online, and if your customers see that your website is hacked, it will be a while before they come back, if ever.

Once your website is cleaned up, it’ll take several days to get your site off of the many blacklists. It’ll take even longer to get removed from any e-mail blacklists if your site was used to spam people.

Hosting Overages or Cancellation

Your website was hacked, so let’s add insult to injury.

Many hosts will suspend your site if it is hacked to prevent its resources from being used up. Typically this resource usage is detected by the host, they will run a scanner to check your site, determine it is hacked, and then pull it crawling and screaming from the Internet.

Many hosts have overage costs, and if your site was trying to spam half the Internet, there is a good chance you will be hit with a nice bill at the end of the month.

Advertisement Losses

If you have set up campaigns like AdWords, you will find your accounts suspended if your site is found to be hosting malware.

If you paid good money to set up an AdWords campaign, all of that investment is on hold while your site is blacklisted, with the worst case scenario being kicked out of AdWords.

9 Tips to Preventing Hacks in WordPress

So far I’ve established that being hacked is an insanely horrible experience for all involved. How do we prevent a site from being hacked in the first place?

WordPress has some very good tips on hardening WordPress, and I suggest reading and understanding their recommendations. The sad reality is, if someone wants to get into your website, they will. However, we can do our best to make it harder for the rest of the malicious users out there.

1. Limit Admin Access

Does your website have 12 admins? Try to bring that down to one or two users. Twelve admins mean hackers have 12 opportunities to get access to your WordPress install.

If even one of those admins has a weak password, getting into your WordPress install will be pretty easy.

2. Use HTTPS

Using a secure protocol for your website will protect you and your customers.

The cost is about $100 a year. The benefits? Improved SEO, improved security, and your site has a more professional appearance.

3. Strong Passwords

Password Generator
Password Generator

Using strong passwords for everything is an absolute must.

With tools like 1Password, there is simply no excuse to use weak passwords any more.

4. Vett Your Plugins and Themes

Don’t install plugins and themes blindly. Make sure the themes and plugins you install are from a reputable source.

All plugins should be inspected before they are installed. What are the ratings? How does the plugin author handle support? When was the plugin last updated? Does the plugin have any active vulnerabilities?

5. Purchase a Maintenance Plan

Maintenance tools like Maintainn or VaultPress will set you back about $50 a month, but they might be well worth it for your site.

Maintenance plans typically cover plugin updates, theme updates, WordPress updates, security scans, and backups.

You can also talk with your agency and see if they offer a maintenance plan.

6. Purchase Security Monitoring

Sucuri is the service we typically go to if we can’t or are unable to fix a hacked site. It’s usually a reactive step, but we encourage clients to be proactive and sign up for some type of security scanning.

Sucuri will run you about $200 a year, but if you get hacked, you’ll get your site cleaned up for free, and they’ll help remove you from all the various blacklists.

7. Use a Security Plugin

Sucuri Security WordPress Plugin
Sucuri Security WordPress Plugin

Use a security plugin and set up alerts. We recommend Sucuri Security as it is the least obtrusive of the many security plugins available for WordPress.

The plugin does basic hardening, and the alert and notification system is a lifesaver should the worst happen. The plugin also performs periodic malware scans and will alert you immediately should your site come back infected.

8. Backups, Backups, Backups!

Having a backup of your website content and database is a proactive step, and a very necessary one.

At the very least, you should take weekly database backups and monthly site backups.

Should you get hacked, these backups will be used to restore your site.

If there are no backups in place, your database and site will have to be scrubbed, which takes significantly longer.

9. And Lastly… Pay for Good Hosting

For good hosting, we recommend SiteGround and WP Engine, depending on your needs. Both sites proactively prevent your site from being hacked, but WP Engine is the absolute king if you do not want to have to worry about caching, security, backups, and updates.

Both SiteGround and WP Engine are priced higher than other hosts, but hosting is the most important and crucial part of having a website online, and skimping in this area is not recommended.


You should try to take every precaution available to prevent your site from being hacked.

If your site is hacked, you will lose customers and potential revenue.

There are many tools and services available to you to prevent a hacked site, and indeed they cost money, but the cost of being hacked is significantly higher if you do nothing.

If you have a website, WordPress or not, get with your developer or agency and take the steps to make the Internet a better and more secure place.