And Safe From Hackers
It’s vital to keep your WordPress website protected because while there are many great features, there are also vulnerabilities, and hackers know what they are. If you think your site is too small, or new, or it’s not an eCommerce site so it’s safe, think again. There are over 90,000 security attacks every minute, and hackers target all WordPress websites.
To keep your site safe, you need to identify what the weakest spots of your site are, consider the different ways in which hackers might exploit them, and protect them.
So, Where Are The Weakest Spots Of Your WordPress Site?

Most of the time hackers aren’t specifically searching online for your website (especially if it does happen to be brand new or on the smaller side). Many hackers automate the process of sniffing out vulnerabilities by using bots. These bots detect the entryway and the hackers jump inside. So, really, any WordPress site can become the victim.
To keep hackers and their bots at bay, it’s important to be aware of these common weak spots in WordPress:
Passwords
Hackers know that users aren’t always inclined to create a unique and strong password for every account they have online (if you said “that’s me”, it’s time to change your ways). That’s why this will be one of their first targets on your WordPress site.
Remember there’s a tradeoff between convenience (passwords that are easy to remember) and security. Please consider using a password manager such as Dashlane for all your online passwords.
Any spot on the backend or frontend of your WordPress site that requires a login and password is a prime area for targeting. This includes:
- The main WordPress login area
- Comment boards (if you require logins)
- e-Commerce accounts or payment gateways
A word about your username
The default username for the first user you set up with WordPress is “admin”. If you leave this username set as “admin” you’re providing hackers with half the information they need to break into your website. If you, or the company that built your site, left the administrator username set as admin, you’ll want to change it right away.
Also if you have a blog that displays the author, make sure that the nickname is what displays. You don’t want your username to display.
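A quick way to check a site for both username problems described above, as an added example that is not part of the original article. It assumes WP-CLI is installed and that usernames and display names contain no commas; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Audit WordPress accounts for two problems: a login named "admin", and a
# display name that is identical to the login (which exposes it on posts).
# Input: CSV with the header user_login,display_name,roles, the shape printed by
#   wp user list --fields=user_login,display_name,roles --format=csv
# Assumption: user_login and display_name contain no commas or quotes.

audit_users() {
    awk -F',' '
        NR == 1 { next }                          # skip the CSV header row
        {
            login = $1; shown = $2
            # roles is the last column and may itself hold a quoted,
            # comma-separated list, so take the rest of the line.
            roles = $0
            sub(/^[^,]*,[^,]*,/, "", roles)
            gsub(/"/, "", roles)
            if (tolower(login) == "admin")
                printf "DEFAULT-USERNAME %s (roles: %s)\n", login, roles
            if (tolower(shown) == tolower(login))
                printf "LOGIN-DISPLAYED %s (roles: %s)\n", login, roles
        }
    '
}

# Constructed sample data, not taken from any real site.
sample_users() {
    cat <<'EOF'
user_login,display_name,roles
admin,admin,administrator
jsmith_7f2,Jane Smith,editor
bob,bob,author
EOF
}

# On a live site (run from the WordPress directory):
#   wp user list --fields=user_login,display_name,roles --format=csv | audit_users
if [ "${1:-}" = "--demo" ]; then
    sample_users | audit_users
fi
```

Any account reported as LOGIN-DISPLAYED needs a nickname set as its public display name; an account reported as DEFAULT-USERNAME is the one the paragraph above says to change.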
Comments
Spam comments can also be a problem, which is why some people choose to disable comments entirely in WordPress. People who comment will often include links. Sometimes the links are malicious and lead to a site with malware. Other times the link itself is harmless, although it has nothing to do with the topic of the post and the commenter could have left it there as a way to increase links to their own website. See how to avoid WordPress blog spam.
WordPress Core
Over 70% of earlier versions of WordPress have known vulnerabilities. While it’s the responsibility of the WordPress security team to fix these vulnerabilities and keep WordPress updated, it’s your responsibility to make sure your WordPress website is updated promptly and running the latest version.
Plugins
Plugins are even more susceptible to security breaches than the WordPress core; WordPress plugins account for over 50% of all security attacks on WordPress websites. Updates to plugins are usually available soon after there is a new version of WordPress; you also want to update your plugins promptly.
Before adding a new plugin to your site, you want to make sure it’s not a fake plugin, and that the plugin developer is keeping it up to date. A good place to start is the WordPress repository, as those plugins have been reviewed for security and good coding practices. You will still want to check that the plugin is being kept up to date, though, and be wary of plugins that have a low number of installations.
Why Do Hackers Want To Get Into Your WordPress Website?
Are you thinking “My website’s not an e-Commerce site and I don’t have anything on my website that needs to be protected”? Or “I’m a small local business, hackers wouldn’t bother with my website”?
The thing is, hackers aren’t just looking to break in and steal from big companies. What they’re looking for is any vulnerability they can exploit.
Here are nine of the things hackers will do when they can get into a site:
1. Inject Malicious Content
In some cases, hacking is simply about getting malicious content or code onto the front end of your WordPress site with the hopes that your visitors then click on the errant links. This may happen through comment spam, by hijacking your site’s email and sending spam messages to your followers, or through actual content submissions.
2. Spread Viruses
Sometimes hackers want to use your WordPress site to spread viruses and malware. They can do this using malicious code they’ve written into the backend or with files they’ve uploaded for download on the front end. When visitors interact with them, hackers then steal the visitors’ information or they use their computers to spread viruses to other websites.
3. Steal Visitors’ Personal Information
While any security breach is bad for business, this one could also mean having to compensate your visitors and customers for the money and privacy compromised in the attack, in addition to their loss of trust in your business. Sometimes hackers do this for their own personal monetary gain, or sometimes they’re trying to make some sort of statement.
4. Steal Business’s Private Information
You make sure to keep details about your company private, especially financials and customer account details. That’s why it’s important not to sync that information to your website.
5. Host Phishing Pages from Your Server
Phishing on websites is when hackers create a fake page in an attempt to collect information from visitors willing to give it. They can do this by embedding a contact form on the page and directly collecting information or they can redirect visitors to another website where that information will then be lifted.
6. Host Legitimate Pages from Your Server
Some hackers may actually take the time to build out legitimate pages on WordPress sites in order to improve their own SEO. These pages talk up their own business and link back to their website in order to give their site more clout in search. Or they may skip the landing page and instead use a system of backlinks from your site to theirs.
7. Overload Your Web Server
When hackers overload your web server with an influx of hits, this is what’s known as a distributed denial of service (or DDoS) attack. Once they hit the threshold, your site goes down. What’s the point of doing this? It could be for bragging rights. The site may be just one of many victims in a major widespread attack. Or maybe they did it in order to demand a ransom.
8. Steal Your Server Bandwidth
Hackers may steal your server’s resources to host their own nefarious activities, such as bitcoin mining and brute force attacks on other websites. Learn more about cryptojacking in this Scientific American article written in December 2017.
9. Vandalize Your Website
And, of course, there’s website vandalism. For the most part, hackers are doing this to establish a calling card for themselves while simultaneously hurting your brand. One such defacement happened to a huge number of WordPress websites in February 2017, and continued to happen even after WordPress issued the patch because users didn’t update right away.
Here’s What You Can Do To Keep Your WordPress Website Safe and Protected
Remember that having a WordPress website is not a set-it-and-forget-it kind of thing. When you do the following, you’ll be keeping one of your most valuable marketing tools safe and working well for you:
- Back up the filesystem and database regularly, at least weekly
- Update WordPress, plugins, and themes promptly
- Make sure all the plugins and themes are kept updated by the plugin authors so that they are secure and compatible with the latest version of WordPress
- Keep your username and passwords secure
- Use a security plugin, monitor activity regularly and run vulnerability scans regularly
For more tips see WordPress Website Maintenance and Security
—
Would you like help and support to keep your WordPress site secure and safe from malicious code, vulnerabilities, and corrupt files, functioning correctly, and kept up-to-date and backed up? Webb Weavers Consulting can have your back with a WordPress Website Maintenance Plan.