The Security Basics Most Site Owners Skip (Until Something Goes Wrong)
I've helped clients recover from hacked websites twice in the past three years. Both times, the attack exploited something that a basic security checklist would have prevented. Neither client was a high-value target — they were just unprotected enough to be worth a bot's automated sweep.
Website security isn't about being paranoid. It's about not being the easiest target in a scan of ten thousand sites. Here's what that means in practice.
SSL/TLS: Non-Negotiable, Free, and Easy
If your site still loads over HTTP instead of HTTPS, you need to fix this today. Not next week. Today.
HTTPS encrypts data between your visitor's browser and your server. Without it, passwords, form submissions, and personal information travel in plaintext — readable by anyone with network access between the user and your server. Browsers mark HTTP sites as "Not Secure" in the address bar. Google uses HTTPS as a ranking factor.
SSL certificates are free through Let's Encrypt and automatically provisioned by most hosting providers (Cloudflare, most shared hosts, all major managed WordPress providers). There's no technical or cost reason to remain on HTTP.
If you're on HTTP right now, contact your hosting provider. This should take under an hour to fix.
Keep Software Updated
The majority of successful website attacks exploit known vulnerabilities in outdated software. This is especially true for WordPress, which has a massive installed base making it a high-value target for automated scanning.
What needs updating:
- WordPress core (enable automatic minor updates at minimum)
- All plugins — especially contact forms, e-commerce plugins, and anything that handles user data
- Themes — especially if they haven't been updated in over a year
- PHP version on your server (WordPress recommends PHP 8.2+)
The most dangerous plugins are those that haven't been updated in 12+ months. If a plugin you're using has no recent updates and its developer is unresponsive, consider replacing it. An abandoned plugin with a known vulnerability is an open door.
Strong Passwords and Two-Factor Authentication
I still encounter sites where the admin login uses the username "admin" and a password like "company2021." These take seconds to brute-force.
Passwords:
- Minimum 16 characters
- Generated by a password manager (not based on words, names, or dates)
- Unique per site — if this password is compromised, only this site is affected
Two-factor authentication (2FA): WordPress has free 2FA plugins (WP 2FA, Two Factor). When enabled, even a stolen password isn't enough to log in — the attacker also needs access to your phone or authenticator app.
Enable 2FA for every admin account. Non-negotiable for any site that handles customer data or payments.
Limit Login Attempts
WordPress by default allows unlimited login attempts. This means a bot can try thousands of password combinations without any resistance.
Plugins like Limit Login Attempts Reloaded or WP Cerber block IP addresses after a configurable number of failed attempts. This doesn't prevent targeted attacks with known credentials, but it stops the automated brute-force sweeps that compromise most WordPress sites.
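The mechanism those plugins implement is a per-IP counter of failed logins inside a sliding window, with a lockout once the counter trips. The following is an added illustration written for this article, not code from Limit Login Attempts Reloaded or WP Cerber; the event list at the bottom is a constructed sample standing in for a real authentication log, and the thresholds (5 failures in 15 minutes, 1-hour lockout) are assumed defaults.

```python
"""Failed-login throttle of the kind WordPress limit-login plugins implement.

Added illustration, not code from any plugin named in the article. The event
list at the bottom is a constructed sample; timestamps are seconds.
"""
from collections import deque


class LoginThrottle:
    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=3600):
        self.max_failures = max_failures        # failures tolerated inside the window
        self.window_seconds = window_seconds    # sliding window for counting failures
        self.lockout_seconds = lockout_seconds  # how long a tripped IP stays blocked
        self._failures = {}      # ip -> deque of failure timestamps in the window
        self._locked_until = {}  # ip -> time at which the lockout expires

    def is_blocked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]  # lockout has expired
            return False
        return True

    def record_failure(self, ip, now):
        """Count a failed attempt; return True if it trips the lockout."""
        window = self._failures.setdefault(ip, deque())
        window.append(now)
        while window and now - window[0] > self.window_seconds:
            window.popleft()  # forget failures older than the window
        if len(window) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_seconds
            window.clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)  # a genuine login resets the counter


def replay(events, throttle=None):
    """events: (timestamp, ip, password_correct) tuples -> list of (ip, outcome).

    Outcomes: 'allowed', 'failed', 'locked' (this failure tripped the lockout)
    and 'blocked' (refused without even checking the password).
    """
    throttle = throttle or LoginThrottle()
    decisions = []
    for ts, ip, correct in events:
        if throttle.is_blocked(ip, ts):
            decisions.append((ip, "blocked"))
        elif correct:
            throttle.record_success(ip)
            decisions.append((ip, "allowed"))
        elif throttle.record_failure(ip, ts):
            decisions.append((ip, "locked"))
        else:
            decisions.append((ip, "failed"))
    return decisions


# Constructed sample: a bot guessing from 203.0.113.7, an admin typo from 198.51.100.4.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False), (1, "203.0.113.7", False), (2, "203.0.113.7", False),
    (3, "203.0.113.7", False), (4, "203.0.113.7", False),  # fifth failure trips lockout
    (5, "203.0.113.7", True),      # even the right password is refused while locked
    (6, "198.51.100.4", False), (7, "198.51.100.4", True),
    (3700, "203.0.113.7", False),  # lockout expired, counting starts from zero again
]

if __name__ == "__main__":
    for ip, outcome in replay(SAMPLE_EVENTS):
        print(ip, outcome)
```

The point the replay makes is the one in the paragraph above: the bot's correct guess at second 5 is refused because the IP is already locked, while the admin's single typo never gets near the threshold. A targeted attacker rotating source IPs defeats a per-IP counter, which is why this sits alongside strong passwords and 2FA rather than replacing them.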
Also useful: change your login URL from the default /wp-admin to a custom path. Bots scan known WordPress login URLs by default; a custom path removes you from the automated sweep.
Regular Backups: Your Last Line of Defense
A backup doesn't prevent attacks, but it determines how bad the damage is when one succeeds. Without a recent backup, a successful attack can mean hours or days of rebuilding. With an automated backup from yesterday, recovery is usually under an hour.
Backup requirements:
- Daily backups for active sites (sites updated or generating transactions regularly)
- Weekly for mostly-static sites
- Stored in a separate location from your server — not on the same hosting account that got compromised
- Tested periodically — a backup you've never tried to restore is a backup you're not confident in
UpdraftPlus (free tier) backs up WordPress to Google Drive, Dropbox, or S3. Set it up once and it runs automatically. This is the single best insurance policy for any WordPress site.
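The "tested periodically" requirement is the one most often skipped, so here is what a restore drill looks like in code. This is an added illustration, not UpdraftPlus or any other plugin: it archives a site directory, stores a checksum next to the archive (standing in for the off-server copy), restores into a scratch directory, and proves the restored tree is byte-identical to the original. It runs entirely inside temporary directories on constructed sample files.

```python
"""Backup-and-restore drill: archive, checksum, restore, verify.

Added illustration, not code from any backup plugin. Everything happens in
temporary directories with constructed sample files.
"""
import filecmp
import hashlib
import os
import tarfile
import tempfile


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def create_backup(site_dir, dest_dir, name="site-backup"):
    """Write name.tar.gz plus a .sha256 sidecar into dest_dir; return (archive, digest)."""
    archive = os.path.join(dest_dir, f"{name}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=".")
    digest = sha256_of(archive)
    with open(archive + ".sha256", "w") as fh:
        fh.write(digest)
    return archive, digest


def verify_checksum(archive):
    """Recompute the archive hash and compare with the stored sidecar."""
    with open(archive + ".sha256") as fh:
        stored = fh.read().strip()
    return stored == sha256_of(archive)


def restore_backup(archive, target_dir):
    """Extract, refusing any member whose path would land outside target_dir."""
    base = os.path.realpath(target_dir)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            dest = os.path.realpath(os.path.join(base, member.name))
            if dest != base and not dest.startswith(base + os.sep):
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(target_dir)


def trees_match(a, b):
    """True when both trees hold the same files with identical bytes."""
    cmp = filecmp.dircmp(a, b)
    if cmp.left_only or cmp.right_only or cmp.funny_files:
        return False
    for f in cmp.common_files:
        if not filecmp.cmp(os.path.join(a, f), os.path.join(b, f), shallow=False):
            return False
    return all(trees_match(os.path.join(a, d), os.path.join(b, d)) for d in cmp.common_dirs)


def drill():
    """Run the full cycle and report the outcome of each check."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as offsite, \
            tempfile.TemporaryDirectory() as scratch:
        os.makedirs(os.path.join(site, "wp-content", "uploads"))
        sample = {  # constructed site contents
            "wp-config.php": "<?php define('DB_NAME', 'example');",
            "wp-content/uploads/notes.txt": "constructed sample upload",
        }
        for rel, body in sample.items():
            with open(os.path.join(site, rel), "w") as fh:
                fh.write(body)

        archive, _ = create_backup(site, offsite)
        checksum_ok = verify_checksum(archive)
        restore_backup(archive, scratch)
        restore_matches = trees_match(site, scratch)

        # Simulate a damaged off-site copy: the checksum must now fail.
        with open(archive, "ab") as fh:
            fh.write(b"corruption")
        return {"checksum_ok": checksum_ok, "restore_matches": restore_matches,
                "tampered_detected": not verify_checksum(archive)}


if __name__ == "__main__":
    print(drill())
```

Two details matter beyond the happy path: the checksum sidecar lets you detect a corrupted or truncated off-site copy before you depend on it, and the path check in restore_backup refuses an archive that would write outside the restore directory, which is the failure you least want to discover during an incident.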
Firewall and Malware Scanning
A web application firewall (WAF) filters malicious traffic before it reaches your site. Cloudflare's free tier includes a basic WAF that blocks common attack patterns. For more comprehensive protection, Cloudflare Pro ($20/month) or Sucuri's firewall service provide active filtering and malware cleanup guarantees.
For WordPress specifically, the Wordfence plugin provides:
- Malware scanning
- File change detection
- Firewall rules (updated for new threats)
- Login security options
The free version is adequate for most sites. Paid adds real-time threat intelligence updates, but the free version already covers the most common attack vectors.
HTTP Security Headers
Beyond SSL, HTTP security headers add a further layer of protection:
Content-Security-Policy (CSP): Controls which external resources the browser can load. Prevents cross-site scripting (XSS) attacks by restricting which scripts can execute.
X-Content-Type-Options: Prevents MIME-type sniffing attacks.
X-Frame-Options: Prevents your site from being embedded in iframes on other domains (clickjacking protection).
Strict-Transport-Security (HSTS): Forces browsers to always use HTTPS for your domain.
These are configured at the web server level (or via Cloudflare). You can check which headers your site currently sends at securityheaders.com — it gives a letter grade and shows exactly what's missing.
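To make the securityheaders.com check concrete, here is an added example (not the site's own tool, and not code from the article) that parses a raw HTTP response and audits exactly the four headers listed above. The two embedded responses are constructed, not captured from any real site, and the letter grading is a simplified stand-in for the real service's scoring.

```python
"""Audit the four security headers the article lists, securityheaders.com-style.

Added illustration, not the site's tool. The sample responses are constructed.
"""
import re

REQUIRED = ("content-security-policy", "x-content-type-options",
            "x-frame-options", "strict-transport-security")


def parse_headers(raw):
    """Turn a raw HTTP response into a {lowercase-name: value} dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers):
    """Return {header: finding}; empty dict means all four are present and sane."""
    findings = {h: "missing" for h in REQUIRED if h not in headers}

    csp = headers.get("content-security-policy", "")
    if csp and re.search(r"'unsafe-inline'|'unsafe-eval'", csp):
        findings["content-security-policy"] = "present but allows unsafe-inline/unsafe-eval"

    xcto = headers.get("x-content-type-options", "")
    if xcto and xcto.lower() != "nosniff":
        findings["x-content-type-options"] = f"unexpected value {xcto!r}"

    xfo = headers.get("x-frame-options", "")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings["x-frame-options"] = f"unexpected value {xfo!r}"

    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < 15552000):  # under 180 days
        findings["strict-transport-security"] = "max-age missing or too short"
    return findings


def grade(findings):
    """Simplified letter grade: A with nothing to report, one letter per finding."""
    return "ABCDF"[min(len(findings), 4)]


# Constructed responses; neither was captured from a real site.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: ALLOWALL\r\n"   # constructed invalid value
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = audit(parse_headers(raw))
        print(f"{label}: grade {grade(found)} {found}")
```

Note that "present" is not the same as "effective": a CSP that permits 'unsafe-inline' gives up most of the XSS protection the header exists for, and an HSTS header with a tiny max-age barely pins anything, which is why the audit flags values and not just absence.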
What to Do After an Attack
If you suspect your site has been compromised:
1. Take it offline or put it in maintenance mode immediately to prevent further damage
2. Restore from your most recent clean backup
3. Change all passwords (WordPress admin, hosting account, FTP, database)
4. Review recent file changes using a security plugin's file monitor
5. Identify the entry point (outdated plugin, weak password, etc.) and close it before going back online
If you don't have a clean backup and can't identify the infection, a security cleanup service (Sucuri, Wordfence Care) is usually faster than attempting manual cleanup.
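Both Wordfence's "file change detection" in the firewall section and step 4 of the cleanup list above rest on the same idea: hash every file once while the site is known-good, hash again later, and diff the two manifests. The following is an added example written for this article, not Wordfence's scanner; it builds a small constructed site tree in a temporary directory, then simulates the kind of changes a compromise leaves behind (an altered core file, a stray PHP file in uploads, a deleted upload) so the diff has something to report.

```python
"""Baseline-and-diff file change detection, the way security plugins do it.

Added illustration, not Wordfence's scanner. Runs against a constructed tree
in a temporary directory so it works offline.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return the added, removed and modified paths between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Take a baseline, apply constructed post-incident changes, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        files = {  # constructed known-good site
            "index.php": "<?php require 'wp-blog-header.php';",
            "wp-config.php": "<?php define('DB_NAME', 'example');",
            "wp-content/uploads/logo.png": "constructed image bytes",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        baseline = build_manifest(root)

        # Constructed post-incident state: a core file edited, a PHP file where
        # only uploads belong, and an upload removed.
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("\n// unexpected addition")
        with open(os.path.join(root, "wp-content", "uploads", "x.php"), "w") as fh:
            fh.write("<?php // should not exist under uploads")
        os.remove(os.path.join(root, "wp-content", "uploads", "logo.png"))

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline is only useful if it was taken while the site was clean and stored somewhere the attacker cannot edit, which is the same "separate location" rule the backup section gives. A PHP file appearing under wp-content/uploads is the single most common finding in this diff on a compromised WordPress site, because that directory is writable by design.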
Frequently Asked Questions
My site is small — would anyone bother attacking it?
Attacks on small sites are almost always automated. Bots scan millions of sites looking for known vulnerabilities. Being small isn't protection; being unpatched is a target regardless of size.
How do I know if my site has been hacked?
Signs include: your hosting provider sent a malware warning, Google Search Console shows a security issue notification, visitors see warning messages in their browser, your site redirects to unfamiliar URLs, or your hosting account was suspended. Also check Google's Safe Browsing status: search "Google Safe Browsing site check" and test your URL.
Do I need a security plugin if I'm using managed WordPress hosting?
Managed hosts (WP Engine, Kinsta) include server-level security and malware scanning. A security plugin adds application-level protection on top of that. Both layers together are better than either alone.
Marcus Reed is Senior Editor & Digital Strategist at High5Expert. He has managed website security remediation and implemented security protocols for businesses across multiple industries.
Discussion
The 'not being the easiest target' framing is exactly how I explain security to clients. You don't need perfect security — you need to be meaningfully harder to compromise than the unprotected sites in the same automated scan. Most attacks are automated; making yourself a 5-minute fix instead of a 30-second fix eliminates most of the risk.
That's a great suggestion! We're exploring video content for our most popular guides. Stay tuned — it's on our roadmap.
The backup lesson cost me two full days of work before I learned it. Site got infected, no backups, spent two days cleaning manually and rebuilding the database. Set up UpdraftPlus the same week. Three months later the same client's site got hit by a plugin vulnerability — restored from backup in 45 minutes. The two days paid for years of backup vigilance.
Thank you! We do offer consulting and implementation services. Feel free to reach out through our contact page and we can discuss your specific needs.
Two days of manual cleanup versus 45-minute restore from backup — that's the cost calculation every site owner should do once. UpdraftPlus free tier with Google Drive storage is genuinely one of the highest-ROI 30-minute investments in WordPress maintenance. And the backup only has value because you'd tested restoring before you needed it.
True
Question: I'm on shared hosting and my provider doesn't support HTTPS natively. The cheapest option I've found is $70/year for SSL. Is that the going rate, or am I missing a free option?
We review and update our guides regularly to keep them current. This one was last updated recently, and we plan to add new sections as the landscape evolves. Bookmark it and check back!
Rachel's answer is exactly right — Cloudflare's free tier handles SSL at the edge and your visitors get HTTPS regardless of your origin server's configuration. For a longer-term fix, most decent shared hosting providers now include Let's Encrypt SSL at no cost — if yours charges $70/year for SSL, I'd evaluate whether that host is worth staying on. That's a 2020 pricing model.
True
The securityheaders.com check gave my site a D rating. Missing all four of the headers mentioned here plus a couple more. Cloudflare lets you add custom headers through page rules — spent 20 minutes adding them and the rating went to B+. Small time investment, real security improvement.
Welcome aboard! We publish new guides every week. Glad you found this helpful!
Changing the WordPress login URL from /wp-admin to a custom path immediately reduced the login attempts logged in Wordfence from about 200/day to under 5. Bots scanning default paths simply don't find it. Not a complete security measure but removes you from the default automated sweep.
That's the best compliment we can get! Glad it helped resolve the debate. Data-driven decisions are always the way to go.
Reducing login attempts from 200/day to 5 is a significant reduction in noise and risk. The custom login URL isn't a replacement for strong passwords and 2FA — a targeted attacker will find your login page regardless. But it eliminates the automated commodity scanning that accounts for most low-sophistication WordPress compromises.
True
For the HTTPS question — if your host doesn't support Let's Encrypt, you can put Cloudflare in front of the site for free. Cloudflare handles SSL termination and your visitors get HTTPS even if your origin server is still HTTP. Not ideal from a complete encryption standpoint but better than no SSL for most small business sites.
Great question! You can bookmark our blog page — we publish new content regularly. We're working on a newsletter feature that will be available soon!