
If you run a small business website on WordPress, you're probably familiar with the never-ending flood of spam form submissions, shady login attempts, and cryptic plugin updates.
Unfortunately, in the world of WordPress, if you're not actively keeping your site secure, you're probably leaving the door wide open. I’m writing this post to walk you through what actually matters when it comes to WordPress security—and how you can avoid the most common mistakes that leave websites vulnerable to attack.
Why WordPress Security Matters
WordPress powers over 40% of the internet. That popularity makes it a prime target for automated hacking tools that are constantly scanning for out-of-date plugins, weak passwords, and other low-hanging fruit.
Even if your site doesn't store sensitive information, it's still valuable to attackers. A compromised site might be used to:
Send spam emails
Host phishing pages
Redirect users to shady online pharmacies
Inject SEO spam or malware
Burn your Google ranking and domain reputation
If your site gets hacked, it may still look normal to you, but it could be silently damaging your brand and attacking your customers. If it goes unaddressed, you may only realise your site has been hacked when your emails start to bounce because your domain has been blacklisted as a spam source, or when Google blacklists your site.
Common WordPress Vulnerabilities
Let’s start by acknowledging the main culprits behind most hacked WordPress sites:
Outdated plugins and themes – The number one vector for WordPress hacks.
Weak passwords or reused credentials – Especially for admin accounts.
Insecure hosting – Cheap shared hosting with no isolation between sites.
Too many plugins – Especially abandoned or unmaintained ones.
Poor file permissions or misconfigured servers – Often overlooked by DIY setups.
The Essentials: How to Secure Your WordPress Site
✅ Keep Everything Updated
This is the most important thing you can do. Set aside time weekly (or use a maintenance provider) to update:
WordPress core
Plugins
Themes
Be aware, though, that updates can sometimes break functionality, especially on sites with custom themes or complex setups. You will have to manage the trade-off between keeping your site as secure as possible and minimising the time you spend checking your site after updates.
There are also tools that can help with this. For a simple site, you might enable automatic updates and then set up a monitoring tool that takes screenshots of your site every few minutes and alerts you if anything has changed. Many web hosts provide tools to help manage updates. But there will always be a trade-off between security, stability, and the amount of time you spend.
✅ Use Security Plugins (But Don’t Rely on Them Alone)
A solid security plugin helps harden your site and block common attacks. Popular options include:
Wordfence: (Free) Real-time firewall and malware scanning.
The free version offers a very good security baseline
The paid version gives better protection against newly discovered attacks
It slows your site down a little, depending on your hosting
MalCare: (from US$149/year) A good all-round paid security plugin and service
Faster than Wordfence
Includes backups and logging
Includes support; a "total solution"
Patchstack: (US$69/month) Focused on virtual patching and real-time protection
The most up-to-date protection
Expensive for a single user, but often available much more cheaply through web hosts or developers
But remember, plugins are just one layer. They won’t fix a vulnerable server or a bad password policy.
✅ Install Only What You Need
Every plugin is a potential liability. Each one adds code that can introduce vulnerabilities—even if it’s deactivated.
Audit your plugins every few months:
Are they still maintained?
Do you actually use them?
Could the functionality be replaced with a simpler alternative?
If in doubt, remove it.
✅ Use Strong, Unique Passwords
This one’s simple but possibly the most important. Use:
A password manager
Unique logins for each user
Consider enforcing two-factor authentication for admins (Wordfence and other plugins support this)
Disable the default admin username if you're still using it.
✅ Limit Login Attempts and Access
Use a plugin to limit login attempts or lock out repeated failures; Patchstack, MalCare and Cloudflare all offer this.
Consider restricting access to /wp-admin and /wp-login.php with HTTP basic auth.
Don’t give admin access to every contractor or plugin.
Basically, treat your admin panel like you would treat the keys to your business.
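The basic-auth restriction on /wp-login.php and /wp-admin mentioned above, as an added example that is not from the original post: two Apache .htaccess fragments, assuming Apache 2.4 with AllowOverride AuthConfig (or All) enabled for the site and a password file at /etc/wp-auth/.htpasswd (both paths are assumptions).

```apache
# Added example. Assumes Apache 2.4 and a password file kept outside the web root.
# Create the password file once:  htpasswd -c /etc/wp-auth/.htpasswd editor
# (drop -c when adding further users to an existing file)

# --- <site root>/.htaccess : put a second login in front of the WordPress login page ---
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/wp-auth/.htpasswd
    Require valid-user
</Files>

# --- <site root>/wp-admin/.htaccess : protect the whole dashboard directory ---
AuthType Basic
AuthName "Restricted"
AuthUserFile /etc/wp-auth/.htpasswd
Require valid-user

# Many plugins call admin-ajax.php for logged-out visitors (contact forms, search,
# shopping carts). Keep it reachable or those front-end features will break.
# In Apache 2.4 this inner Require replaces the directory-level one (AuthMerging Off).
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Basic auth sends the credentials with every request, so only use it on a site served over HTTPS; it sits in front of the normal WordPress login rather than replacing it.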
✅ Backup Regularly (And Store Offsite)
Having a recent, clean backup is your safety net. Use plugins like:
Ideally, you want:
Daily backups
Offsite storage (Google Drive, S3, etc.)
Easy one-click restore
This won't prevent an attack, but it could save your site if something goes wrong.
A Note on Hosting
If you’re paying $3/month for hosting, your site is probably sharing an old, potentially unmaintained server with a lot of questionable neighbours. Think of it like a bunk in a hostel dorm room. A more premium or specialist WordPress host can provide:
Isolated accounts (not just directories)
Regular server-level patching
An up-to-date firewall tailored for WordPress
Malware scanning at the hosting layer
Built-in backups and firewall protection
Update management tools
Semi-managed WordPress hosts like Kinsta, WP Engine, or SiteGround are more expensive, but they do provide a better baseline of security and performance.
How Sites Get Hacked Anyway
Even with security plugins and updates, I still get called in to clean up hacked sites. Here are some real-world examples I’ve seen:
A "security" plugin that hadn't been updated in years and had a backdoor for hackers.
An admin password like "password123".
An old staging site that had been forgotten about, with out-of-date plugins.
The common thread? Someone thought the site was secure, but hadn’t done a full audit or had outgrown their original setup.
Final Thoughts
Security isn't a one-time job—it's an ongoing process. You don’t need to be paranoid, but you do need to be proactive.
If you’re running a business website, your reputation is the currency that hackers are after. Keeping your site secure protects your customers, your brand, and your peace of mind.
A Pitch for Me
If you're running a WordPress site and would like to know that it's secure, I offer ongoing WordPress maintenance, hardening, and monitoring. I also offer high-performance, fully managed WordPress hosting based entirely in Australia.
Whether you need a quick audit, ongoing monitoring, or someone on-call when things go wrong, I’m available.
Contact me for a free consultation:
Eru Penkman
WordPress Developer & Security Consultant
Sunshine Coast, Australia