When I started building websites over 20 years ago, WordPress didn’t really exist yet. We certainly didn’t use it the way that we do now. Fast forward to 2023 and WordPress now powers 43% of the internet. That’s a whopping amount! But it also means that it’s become a target for website hackers.
You would think that I would constantly be dealing with security vulnerabilities and issues with our websites being hacked.
After all, when you’re using a system that’s a target, wouldn’t that put our clients at risk?
The short answer: nope.
While WordPress is a potentially vulnerable platform, there are actually a lot of things you can do to keep your website safe and secure.
And one of them is a bit of my own secret weapon that has proved effective time and time again.
The Basics to Keeping WordPress Secure
I am in a couple of communities with other WordPress developers, and security comes up all too often.
Our clients are paying us their hard-earned money and hoping for an ROI with their websites. We don’t take that trust lightly. But that also means that we have to take steps to keep their websites secure.
Nothing is worse than paying $10,000 for a great website just to have it ruined by hackers, am I right?
What does WordPress hacking look like? Well, common issues include injecting your website with malicious code and links, meaning your visitors might click something that would install viruses onto their computers.
Other hacks I’ve seen redirect your pages to other malicious sites, or riddle your website with so much malicious code that it’s hard to come back from.
The best solution is the one that prevents the issues from happening at all. And the crazy thing is there are some really simple steps that anyone can take to keep their WordPress website more secure.
Use Secure Admin Logins
The first thing I recommend to all of my clients is to set up secure logins for their WordPress dashboard.
If you’ve ever had a WordPress website, you know that you can log in to your website and edit the content directly. The single easiest way to keep your website secure is to use a proper password for that login.
While you as the owner of your website should have administrator privileges, that does mean that your login can be used to do a lot of damage to your website should it fall into the wrong hands.
Make sure that your password is difficult to guess, includes a mixture of uppercase and lowercase letters, numbers, and symbols, and passes WordPress’s built-in strength check. (It’ll now tell you if a password is weak.)
While it’s annoying to have to remember a password like that, you can use Chrome’s built-in password manager or a service like 1Password to keep your passwords safe and accessible.
Another pro tip: don’t use a super generic username either. Use your first name or something else that might be hard to guess. It’s just one more way to make logging in with your credentials one step harder for someone with malicious intent.
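WordPress’s strength meter runs in the browser, and a determined user can tick the “confirm use of weak password” box and get past it. If you want the rules above actually enforced, they have to be checked on the server. The following is an added example and not code from the original post or from Captain Coder: a small must-use plugin (drop it in wp-content/mu-plugins/) that rejects weak passwords wherever WordPress accepts a new one and blocks a few generic usernames for new accounts. The minimum length and the blocked-username list are assumed values you can adjust.

```php
<?php
/**
 * Plugin Name: Stronger Admin Logins (added example)
 *
 * Added example, not code from the original post. Save it as
 * wp-content/mu-plugins/stronger-logins.php and WordPress loads it on every request.
 * It rejects weak passwords whenever a password is set from the dashboard or the
 * password-reset form, and blocks a handful of generic usernames for new accounts.
 * The minimum length and the blocked-username list are assumed values to tune.
 */

// Assumed policy values, not taken from the post.
const CC_MIN_PASSWORD_LENGTH = 14;
const CC_BLOCKED_USERNAMES   = [ 'admin', 'administrator', 'root', 'test', 'user', 'wordpress' ];

/**
 * Return human-readable policy failures for a candidate password; empty means it passes.
 */
function cc_password_policy_errors( string $password ): array {
    $errors = [];
    if ( strlen( $password ) < CC_MIN_PASSWORD_LENGTH ) {
        $errors[] = sprintf( 'Password must be at least %d characters long.', CC_MIN_PASSWORD_LENGTH );
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $errors[] = 'Password must mix uppercase and lowercase letters.';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $errors[] = 'Password must contain at least one number.';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $errors[] = 'Password must contain at least one symbol.';
    }
    return $errors;
}

/**
 * True when a username is on the blocked list (case-insensitive).
 */
function cc_is_generic_username( string $username ): bool {
    return in_array( strtolower( $username ), CC_BLOCKED_USERNAMES, true );
}

// Dashboard: fires when a profile is saved or a user is created by an admin.
// $user->user_pass is only set when a new password was typed, so saving
// unrelated profile changes is not blocked.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, bool $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        foreach ( cc_password_policy_errors( $user->user_pass ) as $message ) {
            $errors->add( 'weak_password', $message );
        }
    }
    // Usernames cannot be changed later, so only new accounts are checked.
    if ( ! $update && ! empty( $user->user_login ) && cc_is_generic_username( $user->user_login ) ) {
        $errors->add( 'generic_username', 'Please choose a less generic username.' );
    }
}, 10, 3 );

// "Lost your password?" flow: the new password arrives as the pass1 field.
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ) {
    if ( isset( $_POST['pass1'] ) ) {
        foreach ( cc_password_policy_errors( (string) wp_unslash( $_POST['pass1'] ) ) as $message ) {
            $errors->add( 'weak_password', $message );
        }
    }
}, 10, 2 );

// Front-end registration, if you have it enabled.
add_filter( 'registration_errors', function ( WP_Error $errors, string $sanitized_user_login ) {
    if ( cc_is_generic_username( $sanitized_user_login ) ) {
        $errors->add( 'generic_username', 'Please choose a less generic username.' );
    }
    return $errors;
}, 10, 2 );
```

Because every check adds to the WP_Error object WordPress already passes around, the user sees the message in the normal red notice and the save simply doesn’t go through. Length is the rule that matters most here; the character-class rules mirror the post’s advice but a long passphrase is what actually makes guessing impractical.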
Keep Themes & Plugins Updated
No matter how hard we try, we as coders will always accidentally code in some kind of vulnerability. WordPress is so flexible and powerful because we can super-charge it with different plugins and even themes to make it do what we want.
But those themes and plugins can have vulnerabilities that get discovered and then exploited by hackers.
Plugin and theme authors do their best to stay one step ahead of those issues by releasing new updates (along with new features of course).
When you log in to your WordPress dashboard and see those updates waiting, you don’t want to leave them sitting there for months at a time.
The unfortunate side effect of updating plugins, and even your theme? It can break things on your website. If you are going to update plugins, do it one at a time and check your website after each one to ensure nothing has broken.
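One way to get the security benefit of prompt updates without surprise breakage is to let WordPress auto-update only the handful of plugins you have already vetted, keep the theme manual, and keep a record of what changed so “the site broke on Tuesday” can be matched to “plugin X updated on Tuesday”. Here is an added example of that, written for this article and not taken from the original post or from WordPress itself; the plugin paths in the allowlist are placeholders you would replace with your own.

```php
<?php
/**
 * Plugin Name: Controlled Plugin Updates (added example)
 *
 * Added example, not code from the original post or from WordPress itself.
 * Lets WordPress auto-update only a short allowlist of plugins you have
 * already vetted, never the theme, and writes a line to the PHP error log
 * every time an update completes (manual or automatic) so you can match
 * "the site broke" to "this plugin changed". Allowlist entries are placeholders.
 */

// Plugin file paths as WordPress reports them (folder/main-file.php). Assumed values.
const CC_AUTO_UPDATE_ALLOWLIST = [
    'akismet/akismet.php',
    'example-vetted-plugin/example-vetted-plugin.php', // placeholder, not a real plugin
];

/**
 * Decide whether a given plugin may auto-update: true only for the allowlist.
 */
function cc_plugin_may_auto_update( string $plugin_file ): bool {
    return in_array( $plugin_file, CC_AUTO_UPDATE_ALLOWLIST, true );
}

// $item is the update object WordPress builds; ->plugin holds folder/main-file.php.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) ) {
        return cc_plugin_may_auto_update( $item->plugin );
    }
    return $update;
}, 10, 2 );

// Theme updates stay manual: they are the most likely to change what visitors see.
add_filter( 'auto_update_theme', '__return_false' );

/**
 * Record what was updated and when. Single updates pass 'plugin'/'theme',
 * bulk updates pass 'plugins'/'themes'; both manual and automatic runs end up here.
 */
add_action( 'upgrader_process_complete', function ( $upgrader, array $hook_extra ) {
    if ( ( $hook_extra['action'] ?? '' ) !== 'update' ) {
        return;
    }
    $type  = $hook_extra['type'] ?? 'unknown';
    $items = $hook_extra['plugins'] ?? $hook_extra['themes']
          ?? $hook_extra['plugin']  ?? $hook_extra['theme'] ?? [];
    error_log( sprintf(
        '[wp-update] %s %s updated: %s',
        gmdate( 'c' ),
        $type,
        implode( ', ', (array) $items )
    ) );
}, 10, 2 );
```

The filters override the per-plugin “Enable auto-updates” toggles in the dashboard, so the allowlist in this file becomes the single place that decides. Everything else still shows up as a pending update for you to apply one at a time, exactly as the post recommends.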
Honestly, many of my clients choose to let my team keep their WordPress websites secure and maintained so they don’t have to worry about it and their site stays secure.
A Note About WordPress Themes
One of the most common sources of hacks and attacks over the last few years has been premium WordPress themes.
After all, some of the most popular themes power thousands and even millions of websites. We’re going to talk about how you can get around this issue a little bit later in this article.
Install a Simple Security Plugin
If you’ve had issues in the past, or you’re simply worried that you might be a target for hackers, you can always install a simple security plugin.
What you choose might depend on who your website host is, but the most common is Wordfence.
This plugin comes with a free and paid version that helps to protect your website from common attacks and keep you more secure.
Start with the free version and upgrade only if you’re still having trouble.
Use an SSL Certificate
A security certificate for your website – known as a secure sockets layer or SSL certificate – helps to protect the data that you’re passing back and forth through your website.
Think contact forms and even payment details.
Not having an SSL certificate especially puts your clients’ data at risk if they choose to share personal information with you through your website.
Most hosting companies will sell you an SSL certificate with your WordPress hosting package or even provide them for free.
You can have a web developer install one for you, too, of course. They come in a range of types and prices, but most websites can get away with a free certificate from Let’s Encrypt or a simple Positive SSL.
(I know those are technical terms, but bookmark this page so when you’re shopping you know what to look for!)
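Installing the certificate is only half the job: the site also has to refuse to keep serving plain HTTP, otherwise a visitor who types the address without “https” still sends their contact form in the clear. The following is an added example, not code from the original post or from any host, showing the server-side half as a must-use plugin: every HTTP request is permanently redirected to its HTTPS twin and browsers are told to stay on HTTPS. The proxy handling at the top and the HSTS lifetime are assumptions about a typical managed-hosting setup.

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example)
 *
 * Added example, not from the original post. Buying a certificate is step one;
 * this makes sure the site actually uses it. Every plain-HTTP request gets a
 * permanent redirect to the HTTPS version of the same URL, and browsers are told
 * via HSTS to stay on HTTPS. Pair it with setting your Site Address and WordPress
 * Address to https:// under Settings > General. The HSTS max-age is an assumed value.
 */

// Managed hosts often terminate TLS on a proxy in front of PHP, so is_ssl()
// would see plain HTTP and the redirect below would loop forever. Keep this
// block only if your host's proxy sets (and overwrites) X-Forwarded-Proto;
// that is an assumption about your hosting, not something the post states.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

/**
 * Build the HTTPS twin of the current request from the site's own home URL
 * rather than from the Host header, so a forged Host header cannot be used to
 * bounce visitors to another site. Assumes the site runs on the standard port.
 */
function cc_https_url_for( string $request_uri ): string {
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    return 'https://' . $host . $request_uri;
}

add_action( 'init', function () {
    if ( is_ssl()
         || ( defined( 'WP_CLI' ) && WP_CLI )          // command-line runs have no browser to redirect
         || ( defined( 'DOING_CRON' ) && DOING_CRON ) ) { // WP-Cron pings itself over plain HTTP
        return;
    }
    // wp_safe_redirect() re-checks that the target host is this site before sending.
    wp_safe_redirect( cc_https_url_for( $_SERVER['REQUEST_URI'] ?? '/' ), 301 );
    exit;
}, 1 );

// Once on HTTPS, tell browsers to use it for a year without asking (HSTS).
add_action( 'send_headers', function () {
    if ( is_ssl() && ! headers_sent() ) {
        header( 'Strict-Transport-Security: max-age=31536000' );
    }
} );
```

Test it with a short max-age first (a few minutes) and only raise it to a year once every page loads cleanly over HTTPS, because browsers will honour the header for exactly as long as you said even if you later find a mixed-content problem.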
Take Regular Backups
The best way you can protect yourself from website hackers is to have regular backups taken of your website.
I had a client who got hacked pretty badly once. The only reason we were able to save their website is that we were able to restore a backup we had taken before the attack took place and then do some work to shore up their security to keep it from happening again.
You can install a backup plugin like Updraft on your site so that it takes the backups for you and even drops the files into your Google Drive, or you can check whether your website hosting company offers backups as part of their services.
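If you would rather see what a backup job actually does than trust a plugin’s settings page, here is an added example of the same idea in about sixty lines. It is not code from the original post, a host, or the Updraft plugin: a WP-Cron task that dumps the database with mysqldump and archives wp-content/uploads with tar into a folder outside the web root, keeping the newest two weeks of sets. It assumes PHP may call exec(), that mysqldump and tar are installed, and that DB_HOST is a plain hostname; the backup directory and retention count are assumed values.

```php
<?php
/**
 * Plugin Name: Daily Backup (added example)
 *
 * Added example, not from the original post, a hosting company, or the Updraft plugin.
 * Schedules a daily WP-Cron job that dumps the database with mysqldump and archives
 * wp-content/uploads with tar, writes both to a directory outside the web root, and
 * keeps only the newest sets. Assumes exec() is allowed, mysqldump and tar are on
 * PATH, and DB_HOST is a plain hostname; directory and retention are assumptions.
 */

const CC_BACKUP_DIR       = '/var/backups/wordpress'; // assumed; outside the web root, writable by PHP
const CC_BACKUP_RETENTION = 14;                        // assumed; number of daily sets to keep

/**
 * Run one shell command with its output captured; true when it exited with status 0.
 */
function cc_run( string $command ): bool {
    exec( $command . ' 2>&1', $output, $status );
    if ( 0 !== $status ) {
        error_log( '[wp-backup] command failed: ' . implode( ' | ', $output ) );
    }
    return 0 === $status;
}

/**
 * Delete the oldest files matching $pattern so that at most $keep remain.
 * Filenames embed a UTC timestamp, so sorting by name sorts by age.
 */
function cc_prune_old( string $pattern, int $keep ): int {
    $files = glob( $pattern ) ?: [];
    sort( $files );
    $stale = array_slice( $files, 0, max( 0, count( $files ) - $keep ) );
    foreach ( $stale as $file ) {
        unlink( $file );
    }
    return count( $stale );
}

/**
 * Dump the database and archive uploads into timestamped files. Returns true only
 * if both steps succeeded; a failed step is logged and its partial file removed.
 */
function cc_run_backup(): bool {
    if ( ! is_dir( CC_BACKUP_DIR ) && ! mkdir( CC_BACKUP_DIR, 0700, true ) ) {
        error_log( '[wp-backup] cannot create ' . CC_BACKUP_DIR );
        return false;
    }
    $stamp    = gmdate( 'Ymd-His' );
    $sql_file = CC_BACKUP_DIR . "/db-{$stamp}.sql";
    $tar_file = CC_BACKUP_DIR . "/uploads-{$stamp}.tar.gz";

    // The password goes through the MYSQL_PWD environment variable rather than a
    // --password argument so it never shows up in the process list. The && chain
    // makes the exit status reflect mysqldump, not just gzip.
    $dump_ok = cc_run(
        'MYSQL_PWD=' . escapeshellarg( DB_PASSWORD ) .
        ' mysqldump --single-transaction --host=' . escapeshellarg( DB_HOST ) .
        ' --user=' . escapeshellarg( DB_USER ) . ' --result-file=' . escapeshellarg( $sql_file ) .
        ' ' . escapeshellarg( DB_NAME ) . ' && gzip -f ' . escapeshellarg( $sql_file )
    );
    if ( ! $dump_ok ) {
        foreach ( [ $sql_file, "{$sql_file}.gz" ] as $partial ) {
            if ( file_exists( $partial ) ) {
                unlink( $partial );
            }
        }
    }

    // -C changes into wp-content first so the archive holds just "uploads/...".
    $tar_ok = cc_run(
        'tar -czf ' . escapeshellarg( $tar_file ) . ' -C ' . escapeshellarg( WP_CONTENT_DIR ) . ' uploads'
    );
    if ( ! $tar_ok && file_exists( $tar_file ) ) {
        unlink( $tar_file );
    }

    cc_prune_old( CC_BACKUP_DIR . '/db-*.sql.gz', CC_BACKUP_RETENTION );
    cc_prune_old( CC_BACKUP_DIR . '/uploads-*.tar.gz', CC_BACKUP_RETENTION );
    return $dump_ok && $tar_ok;
}

// Schedule once; wp_next_scheduled() keeps repeat page loads from adding duplicates.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'cc_daily_backup' ) ) {
        wp_schedule_event( time(), 'daily', 'cc_daily_backup' );
    }
} );
add_action( 'cc_daily_backup', 'cc_run_backup' );
```

Two things the code cannot do for you: WP-Cron only fires when someone visits the site, so on a quiet site set DISABLE_WP_CRON in wp-config.php and have a real system cron request wp-cron.php once an hour; and a backup that lives on the same server as the site disappears with it, so copy the archives somewhere else (the post’s Google Drive suggestion is fine) and actually restore one now and then to prove it works.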
Pay for a Secure Hosting Platform
You’re probably thinking at this point – “Can I do all of this with a secure hosting service?”
The answer is – most of it!
I’ll be totally transparent. We offer hosting for our clients, which includes regular maintenance and us keeping an eye on things, but let me tell you a secret.
I host with my absolute favorite WordPress hosting service, WP Engine.
With WP Engine, I know that my clients are protected because they offer their own built-in security measures, take daily backups of the full website, and offer SSL certificates for free.
Yes, WP Engine costs a bit more money per month than say a cheap plan with Bluehost, but at the end of the day you’ll be saving time and money.
In fact, with WP Engine, you’re getting:
- A free SSL certificate
- Daily backups
- Alerts for plugin and theme security issues
- Built-in security so there’s no need for a plugin
- Easy customer service if something does happen
If you’re really concerned about WordPress security, the best thing you can do is to find the right home online.
If you want to take that a step further and work with my team so we literally take all of that off your hands and you don’t have to worry about it at all, send me a DM @captaincoder on Instagram!
My Extra-Special Secret for Keeping WordPress Secure
Remember how at the beginning of the episode I promised that I had an extra secret to avoiding issues?
While nothing is going to be 100% secure, because of course hackers spend their days literally looking for vulnerabilities in WordPress and the many websites it powers, there is something that’s worked for me time and time again.
It’s this: don’t use theme builders like Elementor, Divi, and the others.
Avoiding Popular Theme Builders
Remember how I said at the top of the episode that I’m in a few WordPress developer communities?
There’s been a huge push over recent years to use the “easy” solutions like Elementor and Divi because they allow clients to have more control over the design of their websites.
But really it’s about saving time and money (and increasing profit margins) for website agencies.
I’ve never really gotten into that for one big reason – security.
Just this last week, Elementor had a big security vulnerability that they had to patch pretty quickly. Thousands of websites were put at risk all at once and I had one friend who had dozens of clients with issues.
Maybe I’m selfish, but I don’t ever want to live that scenario myself.
These popular themes and theme builders are such a huge target because anyone can download their code for free or for a small fee and then spend all their time looking for the holes in that code that would let them in.
It’s a pretty small investment for an attacker if it gives them access to tons of websites, because they’re all built on the same code base.
Yes, those theme creators like Elementor work tirelessly to prevent these problems and resolve them quickly, but it’s still putting you at risk.
Why Custom Code Works Best
How do I avoid dealing with hacked websites on a regular basis?
Anyone who has a website built by the Captain Coder team has a website that’s been created with custom code.
While we do have a base theme that allows us to save time (and therefore saves you money), it’s 100% customized to your business.
No two clients have the exact same code in their theme and the only way to get my theme code is to have me build a website for you.
By building your website with a custom WordPress theme, not only are you getting something that’s faster and built just for what you and your business need, it also makes your website that one step more secure.
And our team works tirelessly to deliver you a website that you can edit on your own, too. Custom doesn’t mean you need to be tied to the web developer to make any little change to your website either.
If you’re looking to hire someone to build your website for you, make sure to ask them how they’re building your website.
If they’re building it using Elementor or another popular website builder, you’ll want to know that they’re taking extra steps to keep your website secure in the long run.
Custom code means that you’ll have a website that performs better and keeps you secure. It’s why I haven’t and won’t ever do anything else.
Protecting Your WordPress Website
Over the years, I’ve had to help several clients mitigate hacking issues with their WordPress websites and I can honestly say that it is not a good time.
It can feel like an endless loop of trying to find the gap and closing that and keeping bad people out of your website.
Worst-case scenarios have meant we’ve had to rebuild their entire website and move them to another hosting provider altogether.
Knock on wood – the only websites I’ve had to do this for over the last few years have been sites that I didn’t build originally.
If you want to avoid a really expensive clean up later – that can impact your ability to sell and maintain trust with your clientele – it’s time to think of security.
While it’s not any fun to think about, you and your business absolutely can be a target.
Start with the easy items that you can handle and then reach out to me with any questions.
Your website is your business’s home online. We’re here to help and keep you protected!