
4 Simple Steps to Securing Your Website

4 Steps to Securing Your Website is the core of the presentation on website security that I gave at the 2016 WordCamp Sunshine Coast held here in Queensland last weekend.

I wrote this post and put together that presentation because Google reports finding over 100,000 hacked websites every month, and I want to help at least some people avoid all the hassles that can destroy your business and your spirit when you find that someone has hacked your website.

So what are those 4 steps to securing your website?

  1. Understand that there is a very real threat and that you are not too small to be hacked.
  2. Understand how hackers get into your website.
  3. Discover and install the security plugins that will help keep the hackers out of your website.
  4. Start monitoring your website every single day.

Understand the threat
There are five basic types of hacker that want to get into your website. They range from bored kids who want to create havoc to organised crime syndicates that want to use your website to infect the computers of the people who visit it and make those computers part of their botnet.

You don’t need to collect payments to be a target of hackers. You don’t need to have a religious or political position to be a target. You can run a charity site or a site that talks about blue widgets … the subject matter is of no concern to a hacker.

The only thing you need to attract hackers is a website because it’s not what is in your site but what they can do with your site that matters to hackers.

Some of those hackers simply want to deface your website. Some want to fill your website with links to their own websites … and not all of them are porn sites.

Others want to add short snippets of code to the back end of your site so that they can send out hundreds of thousands of spam emails from your server.

And then there are those that I already mentioned who want to turn your website into an attack mechanism that will turn visitors’ computers into parts of the hacker’s botnet.

Those guys are probing your website right now and unless you have some security measures installed they will get in and you won’t know.

I know because my website security business monitors hack attempts for my clients and the figures I see are frightening.

  • A health and beauty site – 40,000 attempts in 3 weeks
  • A very small land subdivision website – 3,000 attempts in a weekend
  • The website for a brand new B&B – 3,000 attempts in the first 2 weeks after the site went live
  • A website about plastic pipe welding – 2,000 attempts in the first week
  • A signwriter’s site – over 5,000 attempts in five or six months

So how many attempts are being made on your website?

Understand how hackers get into your website
There are two basic access points to your website that hackers want to exploit.

The easiest access point of all is your front door … your WordPress login page, where you enter your username and password. If you have a simple username and a simple password you have the welcome mat laid out for any hacker who wants to drop by.

Even a hard-to-guess username is not a secret. WordPress exposes login names through its author archives (by default the author slug is the username, and a request for ?author=1 redirects to /author/username/), and from WordPress 4.7 onwards through the REST API’s users endpoint as well, so assume an attacker can learn it. That still doesn’t mean you should be lazy and settle for the tired old ‘admin’ username: automated attacks try it first, and a site without it shrugs off the cheapest attacks.

The password is the really important factor here. Since WordPress 4.3 the core generates a strong random password for you and shows a strength meter, but it still lets you replace that with something weak if you confirm it … if you want to make it easier for a hacker to get in.

Even hard passwords get attacked, because even the most unsophisticated hacker has access to scripts that fire thousands of username/password combinations a minute at wp-login.php, and WordPress by itself puts no limit on failed attempts. So a hard username and password combination is just the start; you also need something that locks an address out after a handful of failures, which is what the security plugins below do.

The other access point that hackers use is old versions of plugins, themes and even the WordPress core. Updates are frequently issued for the plugins you use precisely because vulnerabilities have been found that hackers can exploit, and the published fix tells attackers exactly what to look for on sites that haven’t applied it.

Once they gain access through an outdated plugin, theme or core they have everything they need to take control of your website: they can add an administrator account, drop files anywhere the web server can write, and change your credentials so that you are shut out with almost no way to regain control of your site.

Security plugins – building walls to keep them out
I know that it probably all sounds like a game of Russian roulette and all the chambers are loaded when it is your turn to hold the gun to your head but things are stacked far more in your favour than you may realise.

There are a number of security plugins available that you should install but it is important to remember that no level of security … no matter how strong … will keep a determined hacker out of your website.

The best you can hope for is that you’ve built enough walls for the hacker to climb that he gives up and goes in search of sites with weaker, or no, security.

So what plugins do I recommend?

Wordfence Security – it not only has a firewall and automatic blocking after a set number of failed login attempts, but it will also alert you whenever there is a plugin, theme or WordPress core update available.

Jetpack – it’s the Swiss Army knife of plugins and will do just about anything you want it to do. For security all you have to do is install Jetpack and activate the ‘Protect’ and ‘Monitor’ modules.

The ‘Protect’ module blocks login attempts from IPs that are known to be used by hackers. It won’t give you much information about where these attacks are coming from, but it will tell you how many times it has blocked access attempts, and that number can grow alarmingly.

The ‘Monitor’ module will let you know when your site is off-line for any reason.

Sucuri Security – Auditing, Malware Scanner and Security Hardening – it’s a big title for an important plugin. Sometimes hackers get past all the security plugins, and when they do you need to know that they are in. Install this plugin and set up the Alerts it includes, and you will be notified when files, plugins, themes, settings or user accounts on your site change.

Recovering from a hack is also important and the faster you recover the better. To do that you need to be responsible for your own backups, so keep your own copies of everything you have uploaded (every image and every PDF under wp-content/uploads) together with wp-config.php and any custom theme, because those are the parts of a site you cannot simply download again.

You also need to back up your website’s database and have those backups delivered somewhere off the server, such as your own computer. Of course, there are plugins that will help you do just that.

My recommendation is WordPress Database Backup by Austin Matzko. It’s simple to install and set up and it will email you a copy of your database hourly, daily or weekly. All you have to do is keep that backup in a safe place where you can find it if you should happen to need it. Treat it as sensitive, because the dump contains every user’s email address and password hash. And restore a backup to a test site at least once: a backup you have never restored is only a hope.
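Here is an added example of the ‘be responsible for your own backups’ step in script form. It is not code from this post or from the backup plugin: it assumes you already have a database dump (from mysqldump or the emailed file above), bundles it with wp-config.php and wp-content, writes a checksum next to the archive, and then checks the archive the way you should check every backup before you rely on it. The sample site and dump inside demo() are constructed for illustration.

```python
"""Bundle a WordPress backup and verify it before trusting it.

Added example; not code from the original post or from the backup plugin it
recommends. Assumes a database dump already exists and a stock WordPress
layout (wp-config.php in the site root, wp-content beside it).
"""
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path

REQUIRED_MEMBERS = ("wp-config.php", "database.sql")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _skip_cache(info):
    # Page caches are regenerated on demand; keeping them only bloats the archive.
    return None if info.name.startswith("wp-content/cache") else info


def create_backup(site_root, db_dump, dest_dir, name="wp-backup"):
    """Write <name>.tar.gz plus a sha256sum-format sidecar; return the archive path."""
    site_root, dest_dir = Path(site_root), Path(dest_dir)
    archive = dest_dir / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root / "wp-config.php", arcname="wp-config.php")
        tar.add(site_root / "wp-content", arcname="wp-content", filter=_skip_cache)
        tar.add(db_dump, arcname="database.sql")
    Path(str(archive) + ".sha256").write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive):
    """Return a list of problems; an empty list means the archive looks restorable."""
    archive = Path(archive)
    sidecar = Path(str(archive) + ".sha256")
    if not sidecar.exists():
        return ["no checksum file next to the archive"]
    if sha256_of(archive) != sidecar.read_text().split()[0]:
        return ["checksum mismatch: the archive was altered or truncated"]
    problems = []
    with tarfile.open(archive, "r:gz") as tar:
        names = set(tar.getnames())
        problems += [f"missing {m}" for m in REQUIRED_MEMBERS if m not in names]
        if not any(n.startswith("wp-content/uploads/") for n in names):
            problems.append("no files under wp-content/uploads")
        if "database.sql" in names:
            sql = tar.extractfile("database.sql").read()
            # mysqldump writes this trailer last; without it the dump was cut short.
            if b"-- Dump completed" not in sql:
                problems.append("database dump is empty or incomplete")
    return problems


def demo():
    """Constructed sample site and dump: back up, verify, corrupt the copy, re-verify."""
    work = Path(tempfile.mkdtemp())
    try:
        site = work / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-content" / "cache").mkdir()
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        (site / "wp-content" / "cache" / "home.html").write_text("cached page")
        dump = work / "dump.sql"
        dump.write_text("CREATE TABLE `wp_options` (`option_id` bigint);\n"
                        "-- Dump completed on 2016-04-20\n")
        archive = create_backup(site, dump, work)
        good = verify_backup(archive)
        with tarfile.open(archive) as tar:
            cache_included = any(n.startswith("wp-content/cache") for n in tar.getnames())
        with open(archive, "ab") as f:  # simulate a damaged or truncated copy
            f.write(b"\x00")
        bad = verify_backup(archive)
        return {"good": good, "bad": bad, "cache_included": cache_included}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

The sidecar is in sha256sum format, so the copy on your own computer can be checked with sha256sum -c. The trailer check catches the most common silent failure, a dump that stopped halfway because the job timed out; it still does not replace restoring the backup to a test site now and then.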

You will find links to all those plugins here.

Start monitoring your website
When it comes to security nothing … absolutely nothing … beats eyeballs on the subject. Do a quick visual scan of your website every couple of days to make sure that no unauthorised changes have been made to the pages the public sees, and remember that a visual check only catches defacement: injected spam links, hidden redirects and backdoors are designed not to show, which is why the file-change alerts from the plugin above matter.
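A visual scan catches defacement; it does not catch a backdoor appended to wp-config.php or a PHP file dropped into the uploads folder. As an added example (not this post’s code, and not the Sucuri plugin’s) this is the check behind file-change alerts: hash every file, keep the manifest as a baseline, and report what was added, removed or modified since. It assumes a stock WordPress layout, skips the page cache, and treats PHP under wp-content/uploads as suspicious; the sample site in demo() is constructed.

```python
"""File-integrity check for a WordPress install.

Added example; not code from the original post or from the Sucuri plugin it
recommends. Assumes a stock WordPress directory layout and a JSON baseline
file stored somewhere the web server cannot write to.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Paths (relative to the site root) that change legitimately all the time.
SKIP_DIRS = {"wp-content/cache"}


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(site_root):
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    site_root = Path(site_root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(site_root):
        rel_dir = Path(dirpath).relative_to(site_root).as_posix()
        # Prune in place so os.walk never descends into skipped directories.
        dirnames[:] = [
            d for d in dirnames
            if (d if rel_dir == "." else f"{rel_dir}/{d}") not in SKIP_DIRS
        ]
        for name in filenames:
            full = Path(dirpath) / name
            manifest[full.relative_to(site_root).as_posix()] = file_sha256(full)
    return manifest


def diff_manifests(baseline, current):
    """Classify changes; PHP dropped into uploads is the classic webshell location."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    suspicious = sorted(
        p for p in added + modified
        if p.startswith("wp-content/uploads/") and p.endswith(".php")
    )
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def check_site(site_root, baseline_file):
    """Compare the live tree with the baseline; on the first run just record it."""
    current = build_manifest(site_root)
    baseline_file = Path(baseline_file)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=1, sort_keys=True))
        return None
    return diff_manifests(json.loads(baseline_file.read_text()), current)


def demo():
    """Constructed sample site: baseline it, tamper with it, return the report."""
    work = Path(tempfile.mkdtemp())
    try:
        site = work / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-content" / "cache").mkdir()
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG")
        (site / "wp-content" / "cache" / "page.html").write_text("cached")
        baseline = work / "baseline.json"
        if check_site(site, baseline) is not None:
            raise RuntimeError("first run should only record the baseline")
        # Simulate a compromise: backdoor appended to wp-config.php, webshell in
        # uploads, and churn in the cache directory, which must not be reported.
        with open(site / "wp-config.php", "a") as f:
            f.write("eval(base64_decode($_POST['x']));\n")
        (site / "wp-content" / "uploads" / "wp-cache.php").write_text("<?php system($_GET['c']);")
        (site / "wp-content" / "cache" / "page.html").write_text("changed")
        return check_site(site, baseline)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Store the baseline somewhere the web server cannot write (off the server is best), or an intruder can simply rewrite it, and re-baseline after each legitimate update so the next report shows only what you did not do yourself.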

You also need to take responsibility for your own updates. A number of plugins, and the WordPress core, offer automatic updates, but what happens if one of those updates fails … or there is a conflict between the WordPress core and a plugin that was updated automatically?

Conflicts do occur. Every time there is a WordPress core update there are complaints from website owners that their sites are having problems or even failing to appear.

Do the updates manually, back up first, and visually check the website each time you update something, and you will be on top of any problems. One exception: leave WordPress’s built-in automatic updates for minor core releases switched on, because that is how security fixes reach you between your own checks. There is nothing worse than finding that your website has been down for a week … or longer … because you were too lazy to check it regularly.

Conclusion
The security of your website depends entirely on you and what you choose to do. You can do nothing or you can start building barriers to make it harder for the hackers to get in.

Website security is boring and repetitive work. There is nothing sexy or exciting about it but if you don’t do it hackers could destroy your site, your business and your dreams.

What I have outlined is fairly basic stuff but, if you feel that handling the security of your website is beyond your capabilities or your time, you can always use the services that I offer here on the website.

Click the link and you will be on your way to having a far more secure website in a matter of hours.

A Website Security Train Wreck

Over the last 2 years or so we here at WP Security Workshop have been watching something of a slow-motion train wreck as ignorance, and a desire to save money, have opened up a breach in website security and given hackers a chance to break into two WordPress websites.

Background
Let me set the scene by giving you some of the background to this story.

A local business that is located here in the same town as we are has a very successful franchise for here and for a neighbouring town. The owner of that business had our sister business, Total Website Management (owned by my partner), build two fairly simple WordPress websites.

As is their practice, Total Website Management optimised the websites for the major search engines and included a number of security plugins to ensure that hackers would not find an easy path into the back end of the site.

After a few months the client was dissatisfied with the way his websites were performing in the search engines and decided to hire a marketing specialist to promote the websites.

To save money he instructed Total Website Management to stop monitoring the websites and updating the plugins because the marketing specialist would look after everything and keep the plugins updated.

That was not a problem and my partner handed everything over to the marketing guy.

The problem
Unfortunately it soon became apparent that the marketing guy had no idea about website security. He made no attempt to change the email address that update alerts were going to and so he was often late doing any updates.

To be fair to him, he certainly did lift the sites’ rankings and has brought a lot of business to the owner of the websites. However, his lack of knowledge about security, combined with a plugin that never got updated because he never saw the alerts, and that was a well-known target for hackers, was a ticking time bomb that blew up in his face this week.

The disaster
The first I knew of the problem was when my partner rang me and asked me to run some scans over the two websites. The marketing guy had rung her in a panic because he was locked out of one of the websites.

Fortunately, our old access codes had never been deleted or changed and they worked. Once I was in the back end I didn’t have to run any scans to know where the problem lay.

Revolution Slider was sitting right there in the list of plugins and it was so old.

It was soon obvious that plugin was the access point for the hackers on both sites but they almost certainly hadn’t stopped there.

Old versions of Revolution Slider have well-documented vulnerabilities that let an attacker download arbitrary files from the server, including wp-config.php with the database credentials in it, and upload files of their own. Once they can do that they can drop their malicious files just about anywhere the web server can write and effectively have a shell on the site.

We had to report to the marketing guy that it probably took the hackers all of five minutes to breach the site but it would take many hours to ensure that all traces of their activities had been removed.

I also had to tell him that until the sites were completely clean there was a very real danger that Google would find that the sites had been hacked and once that happened the sites would be out of the paid and organic listings till Google was satisfied they had been cleaned … and satisfying Google can take weeks and sometimes months.

No search engine listings mean no traffic and no traffic means no business … and the business that owns those two websites employs around 20 people.

The takeaway
Ignorance of the need for website security is no excuse … hackers won’t stop and politely ask you if they can come in and destroy your website and your business. Saying that you didn’t know is no excuse either.

It’s your business and your responsibility to ensure that people can’t break into your website and destroy your business. If you don’t know what to do, then employ the services of experts who do … and then check to make sure that they have done what they said they would do.

If you are going to allow third-party service providers to access the backend of your website, make sure that they know how important good security is and make sure they know how important it is to you.

If they don’t understand then employ the services of some security experts who can look over the shoulders of the marketing people and prevent them from making security blunders.

Sure, keeping your website secure may cost you money but then think of how much money you will lose if your website goes down for weeks … or even months.

Spending a little on security now can save you a whole lot more in the future.

A Crazy Week of Updates

They say that an image is worth a thousand words and I can definitely agree with that.

In fact, this image may well describe how you felt during the week just gone when you saw Wordfence, the most popular WordPress security plugin, release a major update just an hour or two before WordPress released the major WordPress 4.5 update.

The Wordfence update was a little trickier than most because it involved some extra bells and whistles (the new firewall) that may … or may not … have required some manual installation. Of course, once WordPress 4.5 landed, Wordfence had to release a second update.

Around the same time Ninja Forms released an update, and then all those freshly updated plugins had to be updated again for WordPress 4.5. Now we are seeing the usual flow-on effect that comes with every WordPress core update as more and more plugins release updates too.

Yes, things were definitely a little crazy around here and it’s going to stay that way for the next week as we keep our clients’ WordPress websites updated.

If you have missed those updates … or you’ve been a little slow getting them done … then I urge you to get them done now! Don’t put them off for another minute because, every time you miss an update or put off doing the update, you leave yourself vulnerable to hackers.

They only need a faint sniff of an out-of-date plugin and they can be inside your website in minutes and that’s the last thing you want to happen or need to happen.

If you think that life was a little crazy with all these updates happening, then you won’t believe how crazy life can get when a hacker gets into your website. Your business can go from hero to zero in the blink of an eye when a hacker gets in but it takes a lot longer to recover.

You should be running WordPress 4.5, and if you are using the popular Wordfence and Ninja Forms plugins you should now be running Wordfence 6.1.3 with the new firewall configured and Ninja Forms 2.9.42.

Keeping Your Website Secure Over Christmas


It’s the holiday season … the time for lots of fun with family and friends … the time we want to forget about anything that is work related … the time we let our guard down and our websites become more vulnerable to attacks from hackers.

So, to make sure that you come back from the holiday season and have a reasonable chance of finding your WordPress website still free of hackers, here are three things you must do before you leave the office to enjoy Christmas.

These three things won’t take long and they could save your website and your business.

Make sure all updates have been done
Make sure that all the plugins, the theme, and the WordPress core have been updated to the current version. Just one minor out-of-date plugin can be the crack in your defenses that a hacker needs to get in and destroy your business.

Increase your defenses
Make sure that you have the Wordfence plugin installed and set up. It will help to keep hackers out of your website and it will let you know when updates have been released for the plugins that you use.

As you go through the short set-up procedure, set the number of failed attempts before lockout to just 3 instead of 20 and the length of time the lockout stays in force to 2 days instead of 5 minutes. With a rule that tight you can lock yourself out with a couple of typos, so before you leave make sure you know how you would get back in (Wordfence can email you an unlock link, and renaming the plugin’s folder over FTP disables it if all else fails), and don’t let anyone share your login.
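To see what those two settings do, here is an added example (not code from these posts or from Wordfence) that reads failed logins out of a web-server access log and applies the same kind of rule: N failures within a window locks the address out for a set time. The log lines are constructed, in Apache/nginx combined format. The one assumption is how a failure is recognised: a POST to wp-login.php answered with 200 means WordPress re-drew the login form with an error, while a successful login answers with a 302 redirect to wp-admin.

```python
"""Count failed WordPress logins per IP from an access log and simulate a
lockout rule (N failures inside a window locks the IP for a set time).

Added example; not code from the original posts or from Wordfence. The log
lines are constructed. Failure heuristic: POST /wp-login.php -> 200 is a
re-rendered form (wrong password); a successful login answers 302.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one address hammering the login form, one real user who
# mistypes once and then logs in successfully.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2016:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2016:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2016:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2016:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2016:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2016:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.5 - - [20/Apr/2016:09:30:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "Mozilla/5.0"
198.51.100.5 - - [20/Apr/2016:09:30:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.5 - - [20/Apr/2016:09:31:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def failed_logins(lines):
    """Yield (ip, timestamp) for every failed login attempt in the log."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path.endswith("/wp-login.php") and m.group("status") == "200":
            yield m.group("ip"), datetime.strptime(m.group("time"), TIME_FMT)


def analyse(lines, max_failures=3, window=timedelta(minutes=5), lockout=timedelta(days=2)):
    """Apply the lockout rule in time order and summarise what a plugin would have done."""
    attempts = Counter()              # every failed attempt seen, blocked or not
    recent = defaultdict(deque)       # per-IP failure timestamps inside the window
    locked_until = {}
    lockouts = []
    blocked = 0
    for ip, ts in sorted(failed_logins(lines), key=lambda e: e[1]):
        attempts[ip] += 1
        if ip in locked_until and ts < locked_until[ip]:
            blocked += 1              # the plugin would have refused this request
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            locked_until[ip] = ts + lockout
            lockouts.append((ip, ts.isoformat()))
            q.clear()
    return {"attempts": dict(attempts), "lockouts": lockouts, "blocked_after_lockout": blocked}


def demo():
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(demo())
```

Run analyse() with max_failures=20 and the sample attacker is never locked out; with 3 it is locked on the third try and the next three requests are refused. That difference is the whole argument for tightening the setting, and the attempts count is the answer to ‘how many attempts are being made on your website?’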

Install this alert plugin
Install and set up Sucuri Security – Auditing, Malware Scanner and Security Hardening. Among other things this plugin will email you whenever someone tries to break into your website. Ignorance is not bliss when it comes to people trying to get into your website. You need to know what is happening, so don’t forget to check your emails.

It would be nice to be able to just walk away from your website for a few days and enjoy time with your family but these days that is simply not possible. You need to stay in touch with your website and have the ability to react quickly if a hacker does get in.

It only takes a hacker a few hours to totally destroy your online business so don’t give him a head start.

And if the worst should happen over the holiday season and you need help we are only a phone call away.

How do You Keep Hackers Out?

Let me make it plain – there is simply no way that you can keep an experienced hacker out of your website.

All you can do is to put enough road blocks in his way that he decides that his time would be better spent finding some other, less difficult, WordPress site to hack.

Ok so what are the best roadblocks to put in the way of any hacker who wants to get into your site and destroy your business?

There are three areas that you need to focus on:

  1. You need a unique username and a very strong password
  2. You need to keep the three parts of your WordPress website updated and
  3. You need to install some solid security plugins that will keep most hackers out of your website.

Let’s look at each of those areas in some detail.

Usernames and passwords
“But I won’t remember those, I need something easy to remember.” If I had ten bucks for every time a client has bleated those words at me I would be a wealthy man.

Simple usernames and easily remembered passwords are weak links and they are the first things that every hacker will look for. If you use them then you are giving an open invitation to every hacker on the planet to come in and do what he wants with your website.

Recent changes to the WordPress core have made it easy to have a strong password so use that feature and don’t change it to something that is easy just because you think you can’t remember a strong password.

You also need to use a complex username. If you are still using ‘admin’ then you need to change it FAST. I continually see hundreds of attempts to break into sites that we monitor and they invariably try all the variations of ‘admin’ and other common usernames.

A less predictable username means the attacker has to find it before he can start guessing passwords, and that’s exactly what you want, so use a different username and don’t let anyone else who has access to your website use a simple password either.

Keep your WordPress website updated.
Your WordPress website is made up of three parts.

At the very centre of your website is the WordPress core: the application itself, the PHP code that talks to the database, manages users and content, and renders your pages.

Layered over the top of the core is your WordPress theme. The theme controls how your website looks.

And woven throughout the core and the theme are a bunch of plugins. These basically add functionality to your website.

Unfortunately the people who write the code for the WordPress core are not the same people who write the code for the themes and they are not the same people who write the code for the plugins.

So updates don’t happen together. When the WordPress core updates … and it can update quite frequently … there is a ripple effect that flows through the theme and on down to the plugins but it’s an irregular ripple so some plugins may update within hours of the core updating while others may take days to update.

Regardless of how often these updates happen there are things you need to do:

  1. Keep your WordPress core up to date. WordPress will tell you when a new version is available, and you need to apply it as soon as the update is released.
  2. Keep your theme up to date. WordPress will tell you when to do that for themes from the WordPress.org directory; for a theme bought elsewhere you need to watch for a notification from the people who built it.
  3. Keep your plugins up to date. WordPress will tell you when to do that, with the same caveat: a plugin that didn’t come from WordPress.org (a premium slider bundled with a theme, for example) may never show an update notice, so you have to check with its author yourself.
  4. Do all these updates as soon as they become available, and take a backup immediately before each one. The longer you leave an update the greater the risk that a hacker will find his way into your site and destroy your business.
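One added example (not code from this post) for the update checks above: read each plugin’s version out of its header the way WordPress does, compare it with what is current, and, most importantly, separate out the plugins nobody is reporting on. WordPress only knows about updates for plugins from WordPress.org; a premium slider bundled with a theme falls into the third bucket and is exactly the kind of plugin that sits unpatched for years. The plugin folders and the table of current versions in demo() are constructed (the two current version numbers are the ones quoted elsewhere on this page); in practice the table comes from the WordPress.org update check or from `wp plugin list --update=available` in WP-CLI.

```python
"""List installed WordPress plugins, read each version from the plugin
header, and flag the ones behind a known-latest version or unknown to it.

Added example; not code from the original post. Assumes the standard
wp-content/plugins/<slug>/<main>.php layout; the latest-version table is
constructed for the demo.
"""
import re
import shutil
import tempfile
from pathlib import Path

# WordPress reads the first 8 KiB of a plugin's main file for these headers.
HEADER_RE = re.compile(r"^[\s*#/]*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def read_header(php_file):
    text = Path(php_file).read_text(errors="replace")[:8192]
    return {key: value for key, value in HEADER_RE.findall(text)}


def installed_plugins(plugins_dir):
    """Map plugin slug (directory name) to its header fields."""
    found = {}
    for plugin_dir in sorted(Path(plugins_dir).iterdir()):
        if not plugin_dir.is_dir():
            continue
        for php in sorted(plugin_dir.glob("*.php")):
            header = read_header(php)
            if "Plugin Name" in header:      # the main file is the one with a header
                found[plugin_dir.name] = header
                break
    return found


def version_key(version):
    """Sort key so '2.9.42' > '2.9.5' and pre-release words sort below numbers."""
    parts = []
    for part in re.split(r"[.\-]", version.strip()):
        parts.append((1, int(part)) if part.isdigit() else (0, part))
    return tuple(parts)


def check_updates(plugins_dir, latest):
    """Classify each installed plugin as outdated, current, or unknown to the table."""
    report = {"outdated": [], "current": [], "unknown": []}
    for slug, header in installed_plugins(plugins_dir).items():
        installed = header.get("Version", "0")
        if slug not in latest:
            report["unknown"].append((slug, installed))
        elif version_key(installed) < version_key(latest[slug]):
            report["outdated"].append((slug, installed, latest[slug]))
        else:
            report["current"].append((slug, installed))
    return report


def demo():
    """Constructed plugin folders and a constructed current-version table."""
    work = Path(tempfile.mkdtemp())
    try:
        plugins = work / "plugins"
        samples = {
            "wordfence/wordfence.php": ("Wordfence Security", "6.1.2"),
            "ninja-forms/ninja-forms.php": ("Ninja Forms", "2.9.42"),
            "revslider/revslider.php": ("Slider Revolution", "4.1.4"),
        }
        for rel, (name, version) in samples.items():
            main = plugins / rel
            main.parent.mkdir(parents=True)
            main.write_text(f"<?php\n/**\n * Plugin Name: {name}\n"
                            f" * Plugin URI: https://example.invalid/\n"
                            f" * Version: {version}\n */\n")
        # A helper file that sorts before the main file must not confuse the scan.
        (plugins / "wordfence" / "lib.php").write_text("<?php // no header here\n")
        latest = {"wordfence": "6.1.3", "ninja-forms": "2.9.42"}   # constructed table
        return check_updates(plugins, latest)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

Anything in the unknown bucket is your job, not WordPress’s: find out where the plugin came from and whether its vendor still ships updates, and if nobody can answer, replace it.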

Security plugins
You need to at least add some basic security plugins that will not only lock down your site but also notify you if someone tries to break in.

While each of those plugins works well on its own, each covers only one piece of the security puzzle. Add them all and you’re starting to get serious about basic security for your WordPress site.

Those plugins are

  • Wordfence Security
  • BruteProtect – now part of the Jetpack plugin as the ‘Protect’ module
  • Sucuri Security – Auditing, Malware Scanner and Security Hardening

You will find them all via the “Add New” link under the “Plugins” heading in the left-hand column of the back end of your website. Installing them may take a few minutes but if you follow the instructions you won’t go wrong.

Serious business
The threat from hackers is relentless and they will win if you don’t take the security of your website seriously. Use strong usernames and passwords, keep your website updated and add those security plugins and you may have some hope of keeping the hackers out of your website.

Why Do They Do It?

Why hackers want to get into your website

I guess the first thing you need to accept is that hackers are constantly probing WordPress websites to find weaknesses that will let them in. You may not see any evidence of that probing if you have no security barriers in place but they are there and they don’t go away.

These attempts are automated and relentless. Hackers control large botnets … collections of private and business computers located all over the world that they have compromised … and they use those botnets to try to gain access to your website. If they think they have a chance of reaching the back end of your website they will keep probing till they find a weakness that lets them in.

It doesn’t matter what sort of business you might have. It doesn’t matter if you’re a charity or a special interest group. If you have a WordPress website then hackers are trying to get in.

Here are four examples from websites that we monitor using a suite of security plugins. In every case the plugin that produced the data had been installed for less than six months.

The four screenshots are not reproduced here; their captions were:

  • A hobby site that posts information and images about a reasonably popular hobby
  • A small business that sells automotive spare parts, online for about 4 months
  • A small boutique accommodation provider in a tourist town
  • A site advertising the services of a guy who mows lawns and weeds gardens

As you can see from those examples, it really doesn’t matter how big or how small you are … it really doesn’t matter what you do or what your website is for … your website is being attacked because it has real value for hackers.

Not all hackers use botnets
Not every attack is a botnet attack. Other security plugins pick up numerous hack attempts that are made by individuals who have simple, but effective scripts that will run thousands of username/password combinations in just a few minutes.

These are motivated by the same things that drive the guys who control the big botnets. They want to control your website.

But why do they do it? Where is the real value?
1. They want to trash your site … some hackers are just vandals and want to cause as much disruption as they possibly can.

2. They want to make a political statement – some hackers are activists or terrorists and they want to make a statement about their beliefs … or their abilities … and your WordPress website is the perfect place to do just that.

3. They want to use your website’s ability to send email (the server’s mail function, which WordPress uses for its own notifications) to send out thousands and thousands of spam emails … and every one of them will look as though it came from you. Once your server’s address or your domain lands on a spam blocklist, your own legitimate email stops getting through too.

4. They want to fill your website with links to dodgy sites that offer pills and potions in the hope that some of the people who visit your site will follow those links, make a purchase and so put money in their pockets.

5. They want to put malicious code on your website so that any visitor who comes to your site will leave with an infected computer that will become part of the hacker’s botnet.

Not every hacker will deface your website or delete files. Not every hacker will add links to your web pages or destroy your business by sending out spam emails.

Not every hacker will load up your website with Trojans and malicious code.

The damage to you
Not every hacker will do the same thing to your website but they all have the same intent. They want to turn your website into a tool that will grow their “business” at the expense of your business.

If you aren’t doing everything in your power to keep hackers out of your website then they will win and you will lose because every hack has consequences.

Your website could be kicked out of Google … your incoming and outgoing email can be totally blocked once your server’s address or your domain lands on a spam blocklist … regular visitors to your site can be met with a browser warning that the site may harm their computer, like this:

[Image: browser malware warning shown for a hacked site]

Imagine what that would do for your business.

And you can face even more problems … problems that can destroy your business and/or your credibility.

How badly you will lose depends on how many hackers get through whatever security barriers you have put in place around your website.

You do have some security barriers in place don’t you?

If you need help with your WordPress security then talk to us.

We have a simple and affordable plan to lock down your website and keep it as secure as any WordPress website can be.

 

This post was originally published in a much abridged version on another site in our network … the e-Commerce and Small Business Guide

 
