If You Don’t Keep Your WordPress Website Updated, You WILL Get Hacked

How would your day be going if you discovered that your website had been hacked? Probably not so well, and unfortunately, it happens more often than you think.

I know what you’re thinking. “No hacker is going to go after my little site. I don’t get that much traffic and I don’t take credit cards on the site, so I’ve got nothing to worry about.”


In the past two weeks alone, I’ve had three people contact me whose sites had been hacked. These were small sites, owned by single-person businesses, that on a good day would get 100 or so visitors.

Like yours maybe?

Small biz sites are more prone to hacks because most small biz owners don’t think they will get hacked, thus they don’t take the security of their sites seriously.

And. Then. They. Get. Hacked.

Why Do WordPress Websites Get Hacked?

The main reasons WordPress websites get hacked are:

– Poor passwords.

If you use a birthday, family name, pet name, common word, or similar, you will get hacked. Guaranteed. I’ve had clients that use “password123” on all their sites. Guess what happened. You don’t want to be that person.

– Failing to keep WordPress, plugins, and themes updated.

There are regular updates made to the software that your website is built with, and often these updates address security vulnerabilities. It is very easy for a hacker to create a bot that scans the internet looking for sites with outdated software and, once it finds one, exploit those known vulnerabilities. I’ve seen client sites that haven’t been updated in months, and have 15 or more pending updates. That is a recipe for disaster. If you’re not checking your site for updates multiple times per week, you should be.

This also includes other sites on the same hosting account. If you’ve got more than one site on your hosting account, and one of them isn’t kept up to date, you are putting every site on your hosting account in danger. Hackers can exploit the vulnerability in one site and use that to access the other folders and sites on your hosting account.

Bet you hadn’t thought of that one, huh?
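
An added example, not part of the original post: a Python sketch that inventories every WordPress core under one hosting account by reading `$wp_version` from `wp-includes/version.php`, so a forgotten install sharing the account shows up. The directory names, version numbers and the `6.4.3` baseline are constructed; it checks core only, not plugins or themes.

```python
import re
import tempfile
from pathlib import Path

# WordPress core records its release in wp-includes/version.php, e.g. $wp_version = '6.4.3';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")


def parse_version(text):
    """'6.4' -> (6, 4, 0); a suffix such as '-RC1' is ignored for comparison."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def find_installs(account_root):
    """Return {relative site dir: core version} for every install under the account."""
    root = Path(account_root)
    found = {}
    for vfile in root.rglob("version.php"):
        if vfile.parent.name != "wp-includes":
            continue
        match = VERSION_RE.search(vfile.read_text(errors="replace"))
        if match:
            found[vfile.parent.parent.relative_to(root).as_posix()] = match.group(1)
    return found


def outdated_sites(account_root, minimum):
    """List the installs whose core is older than the operator-chosen minimum."""
    floor = parse_version(minimum)
    return sorted(site for site, ver in find_installs(account_root).items()
                  if parse_version(ver) < floor)


def build_sample_account(root):
    """Constructed hosting account: a main site, a forgotten blog, and a staging copy."""
    sample = {"public_html": "6.4.3", "public_html/old-blog": "4.9.8", "staging": "6.4"}
    for site, version in sample.items():
        inc = Path(root, site, "wp-includes")
        inc.mkdir(parents=True)
        (inc / "version.php").write_text(f"<?php\n$wp_version = '{version}';\n")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_account(tmp)
        return find_installs(tmp), outdated_sites(tmp, "6.4.3")


if __name__ == "__main__":
    print(demo())
```

Point `outdated_sites` at the real account root and pass the release you have decided is the oldest acceptable one.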

– Not taking basic security precautions.

Most small business owners make simple mistakes that leave them susceptible to getting hacked.

  • Using “admin” as a login, for instance, is a big security issue.
  • Not securing folders on your hosting account, exposing sensitive files and data to prying eyes, is another.
  • Allowing unlimited login attempts.
  • Not banning IP addresses that come looking for things they shouldn’t be looking for.
  • Not using something as simple as reCaptcha or two-factor authentication on your login page.
  • Not performing regular malware scans.
  • And the list goes on…

If you use password123, you deserve to get hacked.

There are any number of things that can make your site safer, but most site owners don’t bother to implement them.

And that’s why I get calls like the ones I received over the past two weeks.

Don’t Forget Backups

A related problem is that site owners aren’t making backups of their sites on a regular basis. A backup plan doesn’t prevent hacks from happening, but it will save your sanity and your wallet if you do get hacked. If your site gets hacked or infected with malware and you don’t have a clean, secure backup, well, welcome to up the creek sans paddle.

Without a backup, you could be looking at rebuilding your site from scratch, which could cost you big time.

“But my web host takes database backups for me.”

Yeah, I hear that a lot. The problem with simple database backups is that, while your content is in there, none of your theme and plugin files are in there. So that design that you paid a pretty penny for? Gone.

You want a backup solution that backs up ALL of your files and databases, and then stores them offsite. (Not a great idea to store your backups with all of your website files if your website files get hacked. Just sayin’.)
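
An added example, not part of the original post: a Python check that a backup archive holds more than the database, using the standard WordPress layout (`wp-config.php`, `wp-content/themes`, `plugins`, `uploads`). The archive paths and contents are constructed samples, and a zero-byte dump counts as missing.

```python
import io
import tarfile

# What a restorable WordPress backup must hold: the database dump AND the
# files that a database-only export leaves out.
REQUIRED = {
    "database dump": lambda n: n.endswith(".sql") or n.endswith(".sql.gz"),
    "wp-config.php": lambda n: n.endswith("wp-config.php"),
    "themes": lambda n: "wp-content/themes/" in n,
    "plugins": lambda n: "wp-content/plugins/" in n,
    "uploads": lambda n: "wp-content/uploads/" in n,
}


def missing_parts(archive_bytes):
    """Return the required parts that no non-empty regular file in the archive covers."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        names = [m.name for m in tar.getmembers() if m.isfile() and m.size > 0]
    return [part for part, ok in REQUIRED.items() if not any(ok(n) for n in names)]


def make_archive(files):
    """Build a constructed .tar.gz in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a host-style database-only backup and a full-site backup.
DB_ONLY = make_archive({"backup/site.sql": b"-- constructed dump\n"})
FULL = make_archive({
    "backup/site.sql": b"-- constructed dump\n",
    "backup/files/wp-config.php": b"<?php // constructed\n",
    "backup/files/wp-content/themes/custom/style.css": b"/* constructed */\n",
    "backup/files/wp-content/plugins/example/example.php": b"<?php // constructed\n",
    "backup/files/wp-content/uploads/2024/logo.png": b"constructed",
})

if __name__ == "__main__":
    print("database-only:", missing_parts(DB_ONLY))
    print("full backup:  ", missing_parts(FULL))
```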


So, How Do You Handle All of This?

Well, first, you need to commit to checking for WordPress core file and plugin updates at least once per week. More often would be better. I check my Virtual WordPress Webmaster service clients’ sites daily.

Then, you need to make sure you aren’t using passwords that a third grader could figure out. My passwords are generally 15-20 random characters, including numbers, upper/lower case letters, and special characters. Can’t remember those, you say? Good. Get LastPass.com and stop using crappy passwords.

Once you do that, install and configure a good security plugin. My recommendation is iThemes Security Pro.

Then, implement an automated backup solution. There are lots of plugins out there that can do it such as Updraft Plus, Duplicator, and BackupBuddy.

Do all of these things, and you’ll protect yourself from about 99% of the potential bad guys out there targeting WordPress sites.

If all of this stuff makes your head spin and you feel as comfortable implementing it all as you would performing brain surgery, I can help.

Subscribe to one of my Virtual WordPress Webmaster plans and I will take care of all of this automagically behind the scenes for you. Backups, updates, security, and more. Check out the different maintenance plan options, and sleep better at night.

It certainly beats getting hacked and having your site display cupcake recipes, and will cost you less than having me rebuild your site from scratch.


Dave Soucy

I design, build, and maintain kickass WordPress websites for small businesses and non-profits. If your website isn't cutting it, let's chat.
