WordPress Security and You

This page may contain links to Amazon.com or other sites from which I may receive commission on purchases you make after clicking on such links. Read my full Disclosure Policy


WordPress Security and you

When it comes to website security, I’ve heard everything from “I’m not really worried about security. Why would anyone want to hack into a professional organizer’s website?” to “I don’t want to use WordPress – it’s always getting hacked!”

Let me start by saying that neither assumption is correct.

Hacking isn’t limited to major corporations who store credit card numbers and other sensitive client information on their servers.

One of my colleagues was the victim of the pharma hack and didn’t even know it until I told her my security software had alerted me to the problem. When she looked at the site on her own computer, everything looked just fine, but what I saw was a bunch of pharmaceutical links. It cost her several hundred dollars to get the problem fixed and her site restored to normal.

Just last week I was contacted by an interior designer whose site had been taken down by her web host because someone had installed malicious files on her site. She is also facing the expense of having her site either restored or rebuilt.

Both of these people own very small businesses and neither had valuable information stored on their website.

Many hackers don’t do it for personal gain, but just because they can – not unlike a vandal who walks around a neighborhood at night smashing windows without actually stealing anything. I’ve even seen a website where the content was replaced with a message saying, “Ha ha, you’ve been hacked!”

These stories are not prevalent due to a flaw within WordPress, but simply because it’s such a popular platform. In most cases, the security breach could have been prevented by following these best practices.

1. Don’t use an obvious user name.

Thousands of WordPress sites have been set up with “admin” as the username. Clearly if someone wanted to try to break into your site, that’s the first thing they’ll try.

If you were given “admin” as your username by a one-step WordPress installation tool or someone who didn’t know any better, it’s not too late to do something about it. You can create a new user with admin access, log in as the new user, and delete the original user, making sure you attribute any posts and pages created to the new user.

Alternatively, the iThemes Security Pro plugin can manage this change for you seamlessly, as well as guiding you through other security measures you should implement on your site.

2. Don’t use an easily guessed password.

If your password is a proper name or a word that can be found in the dictionary, the chances of someone guessing it are very high – especially if they’re using an automated tool to do so (see How Secure Are Your Passwords? [infographic]).

It’s easy enough to change your password. Just go to your User Profile and change it. Go do it now before you forget!

3. Keep your WordPress installation and plugins up to date.

The bad news is that hackers are constantly figuring out new ways to get into your site. The good news is that WordPress itself and WordPress plugins are constantly updated to address these issues.

If your site isn’t running the latest version of WordPress and any plugins you have installed, you’re leaving it vulnerable to attack.

4. Remove unnecessary plugins.

Speaking of plugins, there’s no need to load up your Dashboard with a bunch of plugins that aren’t even being used. I’ve often gone to work on client sites where multiple plugins had been installed for the same function, and others for features that weren’t even in use on the site. If you try a plugin and it doesn’t work for you, take the time to deactivate it, then delete it. Do the same with any unneeded plugins that were automatically added when you installed WordPress. This will help to protect your site by eliminating potential security problems, and will also keep your site running more efficiently.

5. Set up a regular backup system

Even if you maintain good security practices, you should always have a backup available. There are plenty of plugins that allow you to back up your WordPress site. Some will back it up automatically according to a regular schedule, while others require you to do it manually.

One of the most popular backup plugins is BackupBuddy. Not only can you schedule it to back up your database and all of your website files at regular intervals, you can configure it to send your backups to a remote location such as Dropbox or BackupBuddy Stash. This means you still have access to your backup in the event that something happens to the server.

6. Choose a reputable web host.

Although it may be tempting to go with the cheapest hosting company you can find, keep the old saying “you get what you pay for” in mind. Some companies can afford to charge very low prices for “unlimited” storage and/or bandwidth because they cram a large number of websites on the same server, and you have no way of knowing who you’re sharing that space with.

Your Organizing Business is hosted with WP Engine, who actually guarantee security. Their system is so robust that you don’t need either BackupBuddy or iThemes Security Pro. They’re not cheap, but they frequently run special promotions.

To learn more about WP Engine and other hosting options, read Signing on with a Web Hosting Company.

7. Add a WordPress specialist to your team.

If you find any of the information in this article overwhelming, don’t just ignore it. Although Benjamin Franklin didn’t know anything about WordPress, he nailed it when he said, “An ounce of prevention is worth a pound of cure.”

If you’re uncomfortable with the inner workings of your site or are too busy to stay on top of updates, check out my Website Care Plans.

Photo by hyena reality / FreeDigitalPhotos.net

I recommend...

A former professional organizer, I now eliminate stress for my clients by hosting, monitoring, and maintaining their WordPress sites so they don’t have to worry about security, downtime or performance issues. When I’m away from my desk, I enjoy reading, photography, watching movies, and cooking.

Join the Community

Did you find this post helpful?

Sign up to get new posts by email every week!

This field is for validation purposes and should be left unchanged.

Join the Conversation


  1. Avatar Kathy Stinson on February 24, 2015 at 1:04 pm

    I am so glad you take care of all this sort of thing for me, Janet. It’s sometimes hard enough to find time for all the things I need and want to do, without having to deal with the security of my website too. Thanks for doing all you do for me (in so many ways) and for knowing all you know.

    • Avatar Janet Barclay on February 24, 2015 at 3:21 pm

      Thank YOU for realizing how important this is. I worry about clients who don’t consider it a priority, and hope nothing terrible happens to their site!

  2. Avatar Kathy Stinson on February 24, 2015 at 4:48 pm

    Hopefully this post will help people realize that it IS a priority! All best, Janet.

  3. Avatar Seana Turner on February 24, 2015 at 8:17 pm

    I’m going to be spending some time in the next few days addressing all of these. Thanks, Janet!

    • Avatar Janet Barclay on February 25, 2015 at 6:12 am

      Glad to hear it, Seana! It probably won’t take as much time as you might think.

  4. Avatar Jill Robson on February 25, 2015 at 6:21 pm

    I think I have all of these areas covered, but I will look at what plugins I am actually using.

    • Avatar Janet Barclay on February 26, 2015 at 6:52 am

      Good idea, Jill! It’s so easy to install something, realize you don’t have time to check it, then forget to go back to it.

  5. Hazel Thornton Hazel Thornton on February 28, 2015 at 10:31 am

    My WordPress security system is named Janet Barclay. I did read the article, but will you let me know if I should be doing anything you aren’t already doing for me? Thanks! 🙂

    • Avatar Janet Barclay on February 28, 2015 at 11:06 am

      Absolutely, Hazel (and thanks for the plug)!

  6. Avatar Tina on February 28, 2015 at 12:45 pm

    Janet, a great article as ever. Unfortunately hackers attacked my website last week and have totally destroyed it. Rest assured as I now have to go through the very painful process of rebuilding it (as unfortunately I didn’t have a recent back up) I will be working my way through your list to try and ensure I am never in this awful situation again. Tina

    • Avatar Janet Barclay on March 1, 2015 at 7:27 am

      Tina, I am so sorry that happened to you. 🙁 Maybe this is an opportunity to make it better than ever!

  7. Nancy Borg Nancy Borg on February 28, 2015 at 12:48 pm

    Thanks Janet for sharing your expertise. I get notifications to update WordPress frequently, and I try stay on top of that. I’m always interested in the advice you post, I’m sure to not miss anything that I need to know 🙂

  8. Avatar Jill Annis on February 28, 2015 at 1:58 pm

    Excellent advice Janet. I had my hosting service beef up my security this year and have hired my web designer to update everything annually. When I updated my plugins myself I didn’t notice issues for weeks, like when my opt-in form went missing. Then I had no idea how to fix the issues. Hiring someone to update has given me peace of mind.

    • Avatar Janet Barclay on March 1, 2015 at 7:39 am

      Good decision, Jill! Having one person look after all that means that if something does go wrong, they’re more likely to know what caused it as well as how to fix it.

  9. Avatar Christina Hidek on February 28, 2015 at 3:57 pm

    Great advice. My username has an intentional, but not obvious or even logical misspelling in it- makes it that much harder to guess.

    • Avatar Janet Barclay on March 1, 2015 at 7:43 am

      That’s an excellent idea! Not only hard for others to guess, but easy for you to remember!

  10. […] To learn more about potential issues and how to avoid them, read WordPress Security and You. […]

Leave a Comment