Got a WordPress website? You may be a target for hackers.
WordPress powers 43% of the internet, which makes it a huge target for bad people.
If you have a WordPress website, you need to be thinking about security, full stop.
Luckily for you, there are some simple steps you can take to make your website more secure and keep those hackers out!
Head to your favorite podcast app and listen to the latest episode of the #CaptainCoderPodcast to discover how to keep your WordPress safe.
Make sure that your password would be difficult to guess, includes a mixture of uppercase and lowercase letters, numbers, and symbols and passes WordPress’s included security measures. (It’ll tell you if something is a weak password now.)
While it’s annoying to have to remember a password like that, you can use Google’s built-in Chrome password keeper or a service like 1Password to keep your passwords safe and accessible.
Another pro tip: you don’t want to use a super generic username either. Use your first name or something that might be hard to guess. Just another way to make getting in with your login one step harder for someone with malicious intent.
Keep Themes & Plugins Updated
No matter how hard we try, we as coders will always accidentally code in some kind of vulnerability. WordPress is so flexible and powerful because we can super-charge it with different plugins and even themes to make it do what we want.
But those themes and plugins can have vulnerabilities that get analyzed and then exploited by hackers.
Plugin and theme authors do their best to stay one step ahead of those issues by releasing new updates (along with new features of course).
When you log in to your WordPress dashboard and see those updates waiting, you don’t want to leave them un-updated for months at a time.
The unfortunate side effect to updating plugins and even your theme? It can cause issues with your website. Make sure that if you are going to update plugins that you do one at a time and check your website to ensure nothing has broken.
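If you or your developer have command-line access, the "one at a time, then check" routine above can be scripted. This is an added example, not something from the podcast episode: it assumes WP-CLI (`wp`) and `curl` are installed, and the function names are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example: update plugins one at a time and check the site after each.
# Assumes WP-CLI ("wp") and curl are installed and that this is run from the
# WordPress root directory. Function names are illustrative.

# Succeed only if the page answers with HTTP 200. This is a shallow check:
# it catches white screens and fatal errors, not subtle layout breakage.
site_ok() {
  local code
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 20 "$1") || return 1
  [ "$code" = "200" ]
}

# Update each plugin that has a pending update. Stop at the first update that
# breaks the site and put that plugin back on the version it had before.
# Assumption: the rollback works for plugins hosted on wordpress.org, where
# older versions can still be downloaded.
update_plugins_one_at_a_time() {
  local url="$1" plugin old
  site_ok "$url" || { echo "Site is already unhealthy; not updating." >&2; return 2; }
  for plugin in $(wp plugin list --update=available --field=name); do
    old=$(wp plugin get "$plugin" --field=version)
    wp plugin update "$plugin" || return 1
    if ! site_ok "$url"; then
      echo "Site broke after updating $plugin; restoring version $old" >&2
      wp plugin update "$plugin" --version="$old"
      return 1
    fi
    echo "Updated $plugin, site still OK"
  done
}
```

Take a backup first (for example with `wp db export`), then call `update_plugins_one_at_a_time https://example.com/` with your own site address.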
Honestly, many of my clients choose to let my team keep their WordPress websites secure and maintained so they don’t have to worry about it and their site stays secure.
A Note About WordPress Themes
One of the most common sources of hacks and attacks over the last few years has been premium WordPress themes.
After all, some of the most popular themes power thousands and even millions of websites. We’re going to talk about how you can get around this issue a little bit later in this article.
Install a Simple Security Plugin
If you’ve had issues in the past or you’re simply worried that you might be a target for hackers, you can always install a simple security plugin.
What you choose might depend on who your website host is, but the most common is Wordfence.
This plugin comes with a free and paid version that helps to protect your website from common attacks and keep you more secure.
Start with the free version and upgrade only if you’re still having trouble.
Use an SSL Certificate
A security certificate for your website - known as a Secure Sockets Layer or SSL certificate - helps to protect the data that you’re passing back and forth through your website.
Think contact forms and even payment details.
Not having an SSL certificate especially puts your clients’ data at risk if they choose to share personal information with you through your website.
Most hosting companies will sell you an SSL certificate with your WordPress hosting package or even provide them for free.
You can have a web developer install one for you, too, of course, and there are ranges that they come in, but most websites can get away with a free version from Let’s Encrypt or a simple Positive SSL.
(I know those are technical terms, but bookmark this page so when you’re shopping you know what to look for!)
Take Regular Backups
The best way you can protect yourself from website hackers is to have regular backups taken of your website.
I had a client who got hacked pretty badly once. The only reason we were able to save their website is that we were able to roll out a backup we had taken before the attack had taken place and then do some work to shore up their security to keep it from happening again.
You can install a backup plugin like Updraft into your site so that it will take the backup for you and even drop the files into your Google Drive, or you can see if your website hosting company offers backups as part of their services.
Pay for a Secure Hosting Platform
You’re probably thinking at this point - “Can I do all of this with a secure hosting service?”
The answer is - most of it!
I’ll be totally transparent. We offer hosting for our clients which includes regular maintenance and us keeping an eye, but let me tell you a secret.
I host with my absolute favorite WordPress hosting service, WP Engine.
With WP Engine, I know that my clients are protected because they offer their own built-in security measures, take daily backups of the full website, and offer SSL certificates for free.
Yes, WP Engine costs a bit more money per month than say a cheap plan with Bluehost, but at the end of the day you’ll be saving time and money.
In fact, with WP Engine, you’re getting:
If you’re really concerned about WordPress security, the best thing you can do is to find the right home online.
If you want to take that a step further and work with my team so we literally take all of that off your hands and you don’t have to worry about it at all, send me a DM @captaincoder on Instagram!
My Extra-Special Secret for Keeping WordPress Secure
Remember how at the beginning of the episode I promised that I had an extra secret to avoiding issues?
While nothing is going to be 100% secure because of course hackers spend their days literally looking for vulnerabilities to WordPress and the many websites it powers, there is something that’s worked for me time and time again.
It’s not using theme builders like Elementor, Divi, and others.
Avoiding Popular Theme Builders
Remember how I said at the top of the episode that I’m in a few WordPress developer communities?
There’s been a huge push over recent years to use the “easy” solutions like Elementor and Divi because they allow clients to have more control over the design of their websites.
But really it’s about saving time and money (and increasing profit margins) for website agencies.
I’ve never really gotten into that for one big reason - security.
Just this last week, Elementor had a big security vulnerability that they had to patch pretty quickly. Thousands of websites were put at risk all at once and I had one friend who had dozens of clients with issues.
Maybe I’m selfish, but I don’t ever want to live that scenario myself.
These popular themes and theme builders are such a huge target because hackers can literally download the code for free or a small fee and then spend all their time trying to find the holes in the code that let them in.
It’s a pretty small investment if it gives you access to tons of websites because they’re all built on the same code base.
Yes, those theme creators like Elementor work tirelessly to prevent these problems and resolve them quickly, but it’s still putting you at risk.
Why Custom Code Works Best
How do I avoid dealing with hacked websites on a regular basis?
Anyone who has a website built by the Captain Coder team has a website that’s been created with custom code.
While we do have a base theme that allows us to save time (and therefore saves you money), it’s 100% customized to your business.
No two clients have the exact same code in their theme and the only way to get my theme code is to have me build a website for you.
By building your website with a custom WordPress theme, not only are you getting something that’s faster and built just for what you and your business need, it also makes your website one more step secure.
And our team works tirelessly to deliver you a website that you can edit on your own, too. Custom doesn’t mean you need to be tied to the web developer to make any little change to your website either.
If you’re looking to hire someone to build your website for you, make sure to ask them how they’re building your website.
If they’re building it using Elementor or another popular website builder, you’ll want to know that they’re taking extra steps to keep your website secure in the long run.
Custom code means that you’ll have a website that performs better and keeps you secure. It’s why I haven’t and won’t ever do anything else.
Protecting Your WordPress Website
Over the years, I’ve had to help several clients mitigate hacking issues with their WordPress websites and I can honestly say that it is not a good time.
It can feel like an endless loop of trying to find the gap and closing that and keeping bad people out of your website.
Worst-case scenarios have meant we’ve had to rebuild their entire website and move them to another hosting provider altogether.
Knock on wood - the only websites I’ve had to do this for over the last few years have been sites that I didn’t build originally.
If you want to avoid a really expensive clean up later - that can impact your ability to sell and maintain trust with your clientele - it’s time to think of security.
While it’s not any fun to think about, you and your business absolutely can be a target.
Start with the easy items that you can handle and then reach out to me with any questions.
Your website is your business’s home online. We’re here to help and keep you protected!