Have you heard about the latest website breach? Yes, of course you have, but I won’t describe it – doing so would quickly date this article. Hacks, malware, DDoS attacks and online crime in general seem like an epidemic, and everyone from the European Central Bank to your local mom n’ pop shop have been victimized. As a site owner this fact likely makes you cringe — it makes us cringe, too. But there’s no real need to fear if you are prepared.

As the most popular platform on the Internet, WordPress is not immune to hacks; its popularity makes it a popular target, in fact. The flip side? There is a huge demand for products and services to protect WordPress — and a community of developers who meet this demand. As a result, the platform is constantly evolving to close vulnerabilities and address threats; it has become the easiest CMS to harden against hackers.

You can follow a few steps to protect your online investment. 


Make sure that you always have a recent backup of your site on hand, and that you know how to use it to restore your site. Not only does this allow you to recover your site should it become infected with malware, it also allows you to recover should the site fail during a software update or server failure. Several popular and effective backup plugins are available that create backups automatically on a schedule that you define. The backups can be stored either on your local server (and manually downloaded) or sent to a remote location such as a dropbox. 

Wordpress backup software dashboard
UpdraftPlus is one of the most popular WordPress backup plugins. Users can schedule database and file backups separately, which is useful for those whose data might update frequently (ecommerce site owners, for example) but who don’t upload files (for example, photos) as often.  Note that the plugin can be configured to send files securely to a remove location such as Google Drive. 
UpdraftPlus backup in progress. Completed backups are shown lower down in the control panel; it is a good idea to keep a number of past backups on hand. Note that you can restore portions of your website by simply pressing the “Recover” button. Caution should be taken, however, as this will erase all changes made to the site after the backup was made. Note that these backup files can be downloaded to your machine as well.
Backed up copies of your website can be sent to a remote location after being encrypted, if desired. Note that these files do not comprise your entire website; Updraft does not back up WordPress core files, for example.
You can configure Updraft to send you an email whenever a backup has been completed.

Site Updates

Now that you have a reliable backup of your website on hand, it’s time to update your website’s software. This is likely the most important part of WordPress site security; whenever a vulnerability or bug is discovered, or when a feature is developed or refined, an updated version of the software is introduced. These changes are announced to site owners in the form of update alerts on their dashboard, and installing them is an easy matter. This is the easiest way to take advantage of the work of WordPress developers interested in keeping your site safe and secure. 

Wordpress updates available
Numbers beside Plugins and Updates (under Dashboard) indicate that software updates are available to be installed.
Wordpress plugins screen
On the plugins screen, a light blue background indicates that the plugin in active. The yellow notice indicates that an update is available. However, it is easier to update from the Updates dashboard …
The Updates dashboard is found under Dashboard in the side menu. Note that it is divided into sections, one for WordPress (or core) updates, one for Plugins, and a third for Themes. A cautionary notice is displayed at the top of the page: as you’ll see in a few sentences, this is a valid warning. To update, click the update buttons, or check off your items and select Update at the top.
While the update is in progress, your site will go into maintenance mode. 
Very rarely, this will happen. If it does, first check your email to see if you can fix the problem yourself. Sometimes when the error screen is showing you can still access the WordPress dashboard. If you are unable to fix the problem yourself, contact us! We can use your backup files to restore your site.

Security Software

WordPress security software packages, such as Wordfence, offer a number of ways to manage your site’s safety, including:

  • Blocking and rate limiting. If a site visitor’s behaviour on your site looks suspicious (that is, if they cause too many 404 errors or try to log in with the wrong password too many times), the Wordfence can either block them or limit their access to the site. It can also block malicious IP addresses, or entire countries, from your site. 
  • Two-factor authentication. Wordfence can require administrators to enter two passwords, or to be at a certain IP address, to sign in. 
  • Site scan and monitoring. Wordfence can monitor changes to files on your site and notify you about suspicious file changes, and periodically scan your site to compare your WordPress and plugin files against official copies stored on WordPress servers. 
  • Sign in notifications. Wordfence can notify you when an administrator signs in to your site. 

This is just a partial list of available features. Wordfence’s basic features are free, but it offers a premium version on an annual license that offers a range of benefits. Check out Wordfence’s listing for more details!  

Part of the Wordfence dashboard.


Cloudflare is an intermediary between your website and the public. It compares the IP address of visitors to your site against a listing of suspect and known problem IPs, and filters out unwelcome traffic. It also acts as a cache that can speed up delivery of your site content. The basic Cloudflare package is free, and the paid version is sufficient for most users. 

Server Security

Finally, ensure that your site is sitting on a secure, up-to-date server running the latest server software. Sites running old, out-of-date versions of PHP, the language that WordPress (and much of the web) is written in, are extremely vulnerable. Unfortunately, as of July 30, 2019, a full 61% of WordPress sites were still running PHP 5.x, an ancient branch of the language that has not received security updates for years. This means that security features available in the current version of PHP are not available to these plugins; in some cases, software will simply not run on old PHP. 

Want Some Help with Your Security Checkup?

If you would like to have your WordPress site checked for security, let us know. We have experience cleaning up hacked sites and subsequently hardening them against future incursions. 

TLDR: If you just skipped to the end without reading 80% of what was written above you really need us! You don’t have to know how to best maintain your site – you just have to know David Strand at Holy Cow does!