Everything You Need to Make Your site Sizzle

7 Ways to Secure a WordPress Website

As the old saying goes, “an ounce of prevention is worth a pound of cure.” This article contains 7 ways to secure a WordPress website and could save you thousands.

Preventing a website attack is easier and cheaper than disinfecting a site after it has been hacked. Here’s how to secure a WordPress website now...

Many small business owners think that their site isn’t important enough to be a target for hackers. Criminals see things very differently: most attacks are automated and indiscriminate, and a web server they can control is a desirable target in its own right, whatever site it hosts, because it can be made to send spam, host malware or phishing pages, or attack other sites.

For example, I was once asked to find out why a site with modest traffic was generating excess bandwidth costs. I quickly discovered the site had been breached and was being used to send hundreds of thousands of spam emails per day.

Hundreds of files on the site were infected with malicious code that provided the hackers with multiple ways to control the web server. What’s more, the infections were also present on the site’s backups and it took almost two weeks to find and remove all infected files.

The site was running old versions of PHP, MySQL, Apache, and WordPress, and it had no WordPress security plugin installed.

Had the owner kept the software, database, and web server updated, and run a security plugin with regular scanning, the cost would have been a small fraction of the eventual repair bill.

Instead, the site owner was hit with a sizeable bill for diagnosis and repair: two developers spent nine days disinfecting the site after discovering that the backups were also infected. It’s always cheaper and easier to secure a WordPress website before it is attacked.



The plain fact is that the best way to secure a WordPress website is via preventative security. It’s easier and cheaper than attempting to disinfect a compromised website after the fact. Even after disinfection, there’s always the possibility that a file containing malicious code remains undetected somewhere on the server.

WordPress is the world's most used content management system. That popularity makes it a target: criminals run automated scanners against every WordPress site they can find, hoping to exploit a known flaw in the core, a theme, or a plugin and gain control of the web server. Fortunately, the following list will help to secure a WordPress site...

  1. Change the WP Login URL.
  2. Install and configure a security plugin.
  3. Regular Updates.
  4. Remove deactivated plugins and unused themes.
  5. Secure File and Folder Permissions.
  6. Protect wp-config.php and .htaccess.
  7. Protect database credentials with environment variables.

1. Change the WP Login URL

The plugin WPS Hide Login lets the site Administrator move the standard WordPress login page from /wp-login.php to any address you choose; requests to the old address, and to /wp-admin by anyone not logged in, get a not-found page instead of a login form.

Installing and setting up this simple plugin takes two minutes, and it silences the bulk of the automated login attempts, because the bots that hammer WordPress sites look for /wp-login.php and move on when it isn’t there. Bear in mind that it hides the door rather than strengthening the lock: the XML-RPC endpoint at xmlrpc.php still accepts a username and password, so keep strong, unique passwords (ideally with two-factor authentication, which most security plugins offer) and block xmlrpc.php if nothing you use needs it. It’s an easy way to secure a WordPress website. If you do nothing else after this article, be sure to implement number one.

2. Install a Security Plugin

There are many WordPress security plugins, many offering free versions, that provide automated scanning, a firewall, login protection, and other preventive measures.

Click on the Plugins section in the Admin menu, click the Add New Plugin button, and enter the name of each of the following security plugins to find out more about it. Select the one you feel best covers your needs...

  • Wordfence
  • Sucuri Security
  • MalCare
  • All In One WP Security & Firewall
  • Solid Security

Installing a security plugin is another easy way to secure a WordPress website. MalCare is almost entirely automated, making it a snap to install. Solid Security requires a little more configuration, but is also very easy to install, configure, and run. Run one of them, not several: two firewalls or two scanners on the same site get in each other’s way and can lock you out. Remember, too, that a plugin runs inside WordPress itself, so it is a layer on top of the other six steps rather than a substitute for them. There is no reason not to use one of these WordPress security plugins.

3. Regular Updates

The WordPress core is regularly updated with security fixes and new features. Keep the core up to date so that hackers can’t take advantage of known security issues. WordPress applies minor (security) releases automatically by default, and you can switch on automatic updates for individual plugins and themes from the Plugins and Themes screens.

The same applies to all themes and plugins installed on your site, even if they’re not currently active. Hackers can and do make use of known security flaws in deactivated themes and plugins, because their files are still on the server and can be requested directly, so if you keep deactivated themes and plugins around, be sure to keep them updated. The same goes for the stack beneath WordPress: PHP, the database server, and the web server, all of which were out of date on the hacked site described above. It’s one more simple way to secure a WordPress website.

4. Remove Deactivated Plugins and Unused Themes

Don’t just deactivate a plugin you’re not using: delete it, so its code is no longer on the server for criminals to reach. A deactivated plugin’s files can still be requested directly over the web, and many plugin exploits work exactly that way.

The same applies to unused themes. Keep one copy of the latest stock theme (the current Twenty Twenty-series default), because switching to it is the quickest way to rule your theme out when something has broken your site, and keep the parent theme if your active theme is a child theme. Delete every other theme you’re not using.

When you remove unused themes and deactivated plugins, you remove a potential attack vector and that helps secure a WordPress website.
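The update and cleanup steps in sections 3 and 4 can be scripted with WP-CLI and run from cron, which is how most developers keep several sites current. The script below is an added example written for this article, not code from the article or from WordPress; it assumes WP-CLI is installed as `wp`, that it runs as the user who owns the site files, and that `WP_PATH` points at the site root (the `/var/www/html` default is a placeholder). The checksum verification at the end is what would have flagged the hundreds of modified files in the story above.

```shell
#!/bin/sh
# Added example: keep WordPress current and prune unused code with WP-CLI.
# Assumptions (hypothetical): WP-CLI is installed as "wp", this runs as the
# file owner (never as root), and WP_PATH is the site root.
WP="${WP:-wp}"
WP_PATH="${WP_PATH:-/var/www/html}"

wp_() { "$WP" --path="$WP_PATH" "$@"; }

# Section 3: update core, plugins and themes, then compare the core and plugin
# files against the published checksums so a modified or injected file is
# reported rather than silently kept.
update_everything() {
  wp_ core update
  wp_ core update-db
  wp_ plugin update --all
  wp_ theme update --all
  wp_ core verify-checksums
  wp_ plugin verify-checksums --all
}

# Section 4: filter stdin (one theme slug per line) down to what may be
# deleted, keeping the one stock fallback theme named in $1. WP-CLI reports
# the active theme as "active" and the parent of an active child theme as
# "parent", so --status=inactive already leaves both of those out.
themes_to_delete() {
  grep -vx -- "$1" | sort
}

delete_unused_themes() {
  wp_ theme list --status=inactive --field=name \
    | themes_to_delete "$1" \
    | while read -r slug; do wp_ theme delete "$slug"; done
}

# A deactivated plugin's files are still on disk and reachable over HTTP;
# deleting the plugin removes them.
delete_inactive_plugins() {
  wp_ plugin list --status=inactive --field=name \
    | while read -r slug; do wp_ plugin delete "$slug"; done
}

# Usage: sh wp-maintain.sh twentytwentyfive   (the stock theme to keep)
if [ $# -ge 1 ]; then
  update_everything
  delete_inactive_plugins
  delete_unused_themes "$1"
fi
```

Set `WP=echo` before running it to see the commands it would issue without touching the site.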

5. Secure File and Folder Permissions

If you have access to the file system on the web server, set the file and folder permissions so that the account PHP runs as cannot modify the site’s code. The conventional settings are 755 for directories and 644 for files, owned by your own account rather than the web server’s, with only the uploads folder writable by the web server; wp-config.php goes tighter still, at 440 or 400. This matters because an attacker who gets in through a vulnerable plugin ends up with a file browser or web shell that runs as the PHP user, and with these permissions it can read the site but not rewrite it.

This is best done by someone who knows what they’re doing, as it requires knowledge of and experience with the Linux permissions system and with how your host runs PHP. Contact me for help.

6. Further Protect the Two Key System Files

If an attacker can write to wp-config.php and .htaccess, the two files can be used to do any or all of the following...

  • Collect usernames and passwords, by injecting code that runs on every page load.
  • Make image files executable, by telling Apache to treat uploaded .jpg or .png files as PHP.
  • Stop WordPress files from executing, taking the site down.
  • Gain access to the username and password of the database, which sit in wp-config.php in plain text.

These are all very bad things from your perspective. The two files can be locked down, by making them read-only and owned by an account other than the one PHP runs as, and on Linux optionally by setting the immutable attribute, so that a hacker won’t be able to edit them using uploaded file browsers. Apache already refuses to serve .htaccess files over the web by default; a matching deny rule for wp-config.php costs nothing and guards against a misconfigured PHP handler leaking its contents.

This way to secure a WordPress website requires knowledge of the Linux permissions system and is best implemented by an experienced web developer. Contact me for help.
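Sections 5 and 6 are the same job seen from two angles, so one added script serves both. It is example code written for this article, not code from the article or from WordPress. It assumes the conventional layout (directories 755, files 644), that it runs as the user who owns the files, that PHP runs as a different user belonging to the owner’s group (so group-read is enough and nothing needs to be world-writable), and that the uploads directory’s group is the web server’s group so media uploads keep working. The `lock_immutable` step is optional and needs root.

```shell
#!/bin/sh
# Added example: apply the conventional WordPress permissions, lock the two
# key files, block PHP execution under uploads, then audit the result.
# Assumptions (hypothetical): run as the file owner; PHP runs as a different
# user in the owner's group, so group-read is enough for the web server and
# nothing needs to be world-writable.

# Baseline: directories 755, files 644. The web server can read and execute
# the site but cannot modify it, even through an uploaded PHP file manager.
harden_tree() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +

  # The two key files: owner and group read only, nobody may write, so a
  # web shell running as the web server user cannot rewrite either one.
  if [ -f "$root/wp-config.php" ]; then chmod 440 "$root/wp-config.php"; fi
  if [ -f "$root/.htaccess" ]; then chmod 444 "$root/.htaccess"; fi

  # Uploads must stay writable for media, but nothing placed there should
  # ever run as PHP (Apache 2.4 syntax).
  if [ -d "$root/wp-content/uploads" ]; then
    chmod 775 "$root/wp-content/uploads"
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar)$">
  Require all denied
</FilesMatch>
EOF
    chmod 444 "$root/wp-content/uploads/.htaccess"
  fi
}

# Audit: list world-writable entries, PHP files under uploads (including
# double extensions such as image.php.jpg), and either key file that is
# still writable by anyone. Prints findings; returns 1 if there are any.
audit_tree() {
  root="$1"
  findings=$(
    find "$root" ! -type l -perm -o+w -print | sed 's/^/world-writable: /'
    if [ -d "$root/wp-content/uploads" ]; then
      find "$root/wp-content/uploads" -type f \
        \( -iname '*.php*' -o -iname '*.phtml' -o -iname '*.phar' \) -print \
        | sed 's/^/php-in-uploads: /'
    fi
    for f in wp-config.php .htaccess; do
      if [ -f "$root/$f" ]; then
        find "$root/$f" \( -perm -u+w -o -perm -g+w -o -perm -o+w \) -print \
          | sed 's/^/writable-key-file: /'
      fi
    done
  )
  if [ -z "$findings" ]; then return 0; fi
  printf '%s\n' "$findings"
  return 1
}

# Optional, root only: the immutable bit stops even the file owner from
# modifying or deleting the key files until root runs "chattr -i".
lock_immutable() {
  root="$1"
  if [ "$(id -u)" -eq 0 ] && command -v chattr >/dev/null 2>&1; then
    chattr +i "$root/wp-config.php" "$root/.htaccess"
  else
    echo "lock_immutable: skipped (needs root and chattr)" >&2
  fi
}

# Usage: sh wp-perms.sh /var/www/html
if [ $# -ge 1 ]; then
  harden_tree "$1"
  audit_tree "$1"
fi
```

Run the audit on its own from cron as well: a new PHP file under uploads, or a key file that has become writable again, is an early sign of exactly the kind of compromise described at the top of this article. Remember that `chattr +i` has to be undone before WordPress or a developer can legitimately edit either file.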

7. Protect Database Credentials with Environment Variables

The database username and password normally sit in wp-config.php as plain text, inside the web root. Moving them into environment variables means the file itself holds no secrets: the values live in the web server or PHP-FPM configuration, which should be readable only by root, and wp-config.php reads them at run time with PHP’s getenv(). A leaked copy of wp-config.php, or a backup that ends up somewhere it shouldn’t, then gives an attacker nothing. Setting up the variables requires knowledge of and experience with the web server software, and supplying them to WordPress via wp-config.php requires knowledge of PHP. Putting the values in .htaccess with SetEnv defeats the purpose, since that file sits in the web root alongside wp-config.php.

This isn’t something most WordPress users can do, so contact me if you need help.
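Here is what the move to environment variables looks like in practice, as an added example written for this article rather than code from the article or from WordPress. It assumes PHP-FPM (the pool file path is a placeholder), that the pool configuration is readable only by root, and that the four `DB_*` constants are the only secrets being moved; every value shown is constructed. The stanza it writes replaces the four `define('DB_...')` lines in wp-config.php, and the audit function is what you run afterwards, and periodically, to make sure nobody has put a literal password back.

```shell
#!/bin/sh
# Added example: move the database credentials out of wp-config.php and into
# the PHP-FPM pool environment, then audit a wp-config.php for leftovers.
# Assumptions (hypothetical): PHP-FPM; the pool file is root-only (0600);
# all values are constructed placeholders.

# 1. The stanza that replaces the four define('DB_...') lines. It fails
#    closed: a missing variable stops the request instead of letting
#    WordPress try to connect with an empty password.
write_wp_config_stanza() {
  cat > "$1" <<'EOF'
<?php
// Database credentials are read from the environment; this file holds none.
foreach (['DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST'] as $key) {
    $value = getenv($key);
    if ($value === false || $value === '') {
        http_response_code(500);
        exit('Missing required environment variable: ' . $key);
    }
    define($key, $value);
}
EOF
}

# 2. The matching pool fragment. clear_env = yes (the default) means the pool
#    starts with an empty environment and only what is listed here reaches
#    PHP. Because this file now holds the secret, it must be root-only.
#    Arguments: file name db_user db_password db_host
write_fpm_env() {
  {
    printf '; constructed example; the real file is something like /etc/php/8.3/fpm/pool.d/www.conf\n'
    printf 'clear_env = yes\n'
    printf 'env[DB_NAME] = %s\n' "$2"
    printf 'env[DB_USER] = %s\n' "$3"
    printf 'env[DB_PASSWORD] = %s\n' "$4"
    printf 'env[DB_HOST] = %s\n' "$5"
  } > "$1"
  chmod 600 "$1"
}

# 3. Audit: flag any DB_* constant still defined with a string literal.
#    Prints the offending lines; returns 1 if any were found.
LITERAL_CREDS="define[[:space:]]*\\([[:space:]]*[\"']DB_(NAME|USER|PASSWORD|HOST)[\"'][[:space:]]*,[[:space:]]*[\"']"

audit_wp_config() {
  if grep -En "$LITERAL_CREDS" "$1"; then
    echo "audit_wp_config: plaintext database credentials in $1" >&2
    return 1
  fi
  return 0
}

# Usage: sh wp-env.sh /var/www/html/wp-config.php
if [ $# -ge 1 ]; then
  audit_wp_config "$1"
fi
```

The same pattern extends to the AUTH_KEY and other salt constants, which are just as worth keeping out of the file. With Apache’s mod_php instead of PHP-FPM, the equivalent is SetEnv in the virtual host configuration (not in .htaccess), and getenv() picks the values up the same way.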

Secure a WordPress Website

The first four of the seven ways to secure a WordPress website in this article can be applied by any WordPress user with Administrator rights and experience with installing and configuring plugins.

The last three require knowledge of the wider operating system, web server software, and PHP. This work is best done by an experienced web developer like myself. This work doesn’t take long on most web servers and it’s well worth getting in touch with me to discuss it.

With a little preventative work, you can secure a WordPress website relatively easily and inexpensively. You can take the security of your WordPress site even further and use The One Stop Web Shop’s Security Monitoring service.

If your site is already infected, get in touch with The One Stop Web Shop and ask about our Diagnosis and Repair service.


Copyright © 2025 TheOneStopWeb.Shop. All rights reserved.