1 – Not making regular backups.
Even if you correct all of the things listed above, your website could still get hacked. Or your web host could crash. Or you could update a plugin or theme that breaks your site; nothing's infallible. Having current backups will help you recover more quickly when something goes wrong. I generally recommend keeping 4 weekly database backups, especially if you blog or update content frequently, and 1 complete backup (files and database) that is no more than a month old. Sure, you could do a full backup each week, or even daily, but that uses a lot of resources and a lot of storage. If you need to restore your site, restore the full backup first and then apply the more recent (incremental) database backups to bring the content current.
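To make the retention policy above concrete, here is an added example (not from the article) that checks a backup directory listing against it: keep the 4 newest weekly database dumps, keep one full backup no more than 30 days old, and work out the restore order. It assumes backup files are named with an ISO date, like `db-2024-03-01.sql.gz` and `full-2024-02-15.tar.gz`; that naming scheme and the sample listing are constructed for the example.

```python
"""Backup retention check for the policy described above: keep the 4 most
recent weekly database dumps plus one full (files + database) backup that is
no more than 30 days old. Added example, not from the article. It assumes
backup file names carry an ISO date, e.g. db-2024-03-01.sql.gz and
full-2024-02-15.tar.gz; that naming scheme is an assumption."""
from datetime import date
import re

DB_KEEP = 4              # weekly database dumps to retain
FULL_MAX_AGE_DAYS = 30   # newest full backup must be at most this old
DB_MAX_AGE_DAYS = 7      # newest database dump should be at most this old

_NAME = re.compile(r"^(?P<kind>db|full)-(?P<date>\d{4}-\d{2}-\d{2})\.")


def parse_backups(names):
    """Group recognised backup names by kind, newest first; ignore other files."""
    found = {"db": [], "full": []}
    for name in names:
        m = _NAME.match(name)
        if m:
            found[m.group("kind")].append((date.fromisoformat(m.group("date")), name))
    for kind in found:
        found[kind].sort(reverse=True)
    return found


def plan_rotation(names, today):
    """Return which files to delete and which policy rules are currently violated."""
    found = parse_backups(names)
    # Keep the newest DB_KEEP database dumps and only the newest full backup.
    delete = [n for _, n in found["db"][DB_KEEP:]] + [n for _, n in found["full"][1:]]
    problems = []
    if len(found["db"]) < DB_KEEP:
        problems.append(f"only {len(found['db'])} database backups, want {DB_KEEP}")
    elif (today - found["db"][0][0]).days > DB_MAX_AGE_DAYS:
        problems.append("newest database backup is older than a week")
    if not found["full"]:
        problems.append("no full backup at all")
    else:
        age = (today - found["full"][0][0]).days
        if age > FULL_MAX_AGE_DAYS:
            problems.append(f"newest full backup is {age} days old")
    return {"delete": sorted(delete), "problems": problems}


def restore_plan(names):
    """Restore order: the newest full backup first, then the newest database dump
    taken after it (if any) to bring content current."""
    found = parse_backups(names)
    if not found["full"]:
        return None
    full_date, full_name = found["full"][0]
    newer_db = [n for d, n in found["db"] if d > full_date]
    return (full_name, newer_db[0] if newer_db else None)


# Constructed sample listing of a backup directory.
SAMPLE_LISTING = [
    "db-2024-03-01.sql.gz", "db-2024-03-08.sql.gz", "db-2024-03-15.sql.gz",
    "db-2024-03-22.sql.gz", "db-2024-03-29.sql.gz",
    "full-2024-02-05.tar.gz", "full-2024-03-05.tar.gz",
    "README.txt",
]

if __name__ == "__main__":
    print(plan_rotation(SAMPLE_LISTING, date(2024, 3, 29)))
    print(restore_plan(SAMPLE_LISTING))
```

Run it from a cron job after the weekly dump lands and act on `problems` (alert) before `delete` (prune), so a failed dump never causes the last good copy to be rotated away.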
2 – Not updating WordPress, including themes and plugins.
This one goes along with the one above. Most hacked WordPress websites get hacked because they are running outdated versions of WordPress. The second and third most common reasons are themes and plugins that aren't updated. Always keep your WordPress software updated. If you're concerned that updating WordPress, your plugins or your themes will break something, make a backup first, so that you can restore it if needed while you figure out the issue.
3 – Using ‘admin’ as your username.
If you used Softaculous or some other automatic installer to set up your WordPress website, there's a good chance that your primary username is 'admin', and if it is, you are making it much easier for hackers to get into your site: with the username known, they only have to guess the password. This screenshot shows a hacker trying to get into a client's site using the 'admin' username – almost 500 attempts in about 10 minutes.
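A burst like the one in that screenshot is easy to spot in the web server's access log. The following added example (not from the article) counts POSTs to `wp-login.php` per source address with a sliding 10-minute window and reports addresses that exceed a threshold. The log lines it runs over are constructed, not captured; the IPs are documentation-range addresses.

```python
"""Detect bursts of login attempts against wp-login.php in a web server access
log, the pattern described above (hundreds of attempts in a few minutes). Added
example, not from the article; the log lines are constructed, not captured."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Apache/nginx "combined" format; WordPress itself does not log the attempted
# username in the access log, so attempts are counted per source IP.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def login_attempts(lines):
    """Yield (ip, timestamp) for every POST to /wp-login.php; skip everything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if not m.group("path").startswith("/wp-login.php"):
            continue
        yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def flag_bruteforce(lines, window=timedelta(minutes=10), threshold=20):
    """Return {ip: peak attempts within any `window`} for IPs at or above threshold."""
    by_ip = defaultdict(list)
    for ip, ts in login_attempts(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _log_line(ip, when, method="POST", path="/wp-login.php", status=200):
    """Build one constructed combined-format log line."""
    ts = when.strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3500 "-" "Mozilla/5.0"'


# Constructed sample: 30 POSTs in 30 seconds from one address, a normal user
# logging in twice from another, and a GET of the login page that must not count.
_BASE = datetime(2024, 3, 29, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_log_line("203.0.113.10", _BASE + timedelta(seconds=i)) for i in range(30)]
    + [_log_line("198.51.100.7", _BASE), _log_line("198.51.100.7", _BASE + timedelta(minutes=5))]
    + [_log_line("198.51.100.7", _BASE, method="GET")]
)

if __name__ == "__main__":
    for ip, count in flag_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within 10 minutes")
```

The same counting is what login-limiting plugins do for you automatically; running it over the raw log is useful for confirming they are working and for seeing how much of that noise targets 'admin'-style guesses.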
4 – Not using a strong password.
Using strong passwords is talked about everywhere, right? And not using the same password everywhere, especially right after some online retailer gets hacked. And yet I still have clients with passwords like '82pickles' or something else equally simple.
Now, there's a lot of debate in certain circles about what makes a strong password, but here are some basic pointers:
- don't use any part of your name or username in the password
- the password should be at least 12 characters long
- passwords should not be repeated across multiple sites (I know, we all do it, but we shouldn't)
- some say that 4 random words separated by hyphens make a pretty good password (like purple-horsefly-brown-coat)
- many recommend using a combination of character types: upper and lowercase letters, numbers, and symbols
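The pointers above can be turned into a simple checker. This is an added example (not from the article): it rejects anything shorter than 12 characters or containing a chunk of the user's name or username, and accepts either the hyphenated-words style or a mix of at least three character types. The reuse-across-sites rule cannot be checked locally, so it is left to a password manager; the sample passwords and names are constructed.

```python
"""Password check implementing the pointers above: no part of your name or
username, at least 12 characters, and either 4+ random hyphen-separated words
or a mix of character types. Added example, not from the article; it cannot
check reuse across sites, which only a password manager or a breach check can."""
import re

MIN_LENGTH = 12
MIN_CLASSES = 3   # of lowercase, uppercase, digit, symbol
MIN_WORDS = 4     # for the hyphenated-words style


def name_parts(*identifiers, min_len=3):
    """Tokens from a name or username long enough to matter if they appear in a password."""
    parts = set()
    for ident in identifiers:
        for token in re.split(r"[^a-z0-9]+", ident.lower()):
            if len(token) >= min_len:
                parts.add(token)
    return parts


def is_passphrase(password):
    """True for the 'purple-horsefly-brown-coat' style: 4+ alphabetic words joined by hyphens."""
    words = password.split("-")
    return len(words) >= MIN_WORDS and all(w.isalpha() and len(w) >= 3 for w in words)


def character_classes(password):
    """How many of lowercase, uppercase, digits and symbols the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_password(password, username="", full_name=""):
    """Return a list of problems; an empty list means the pointers are satisfied."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for part in sorted(name_parts(username, full_name)):
        if part in lowered:
            problems.append(f"contains '{part}' from your name or username")
    if not is_passphrase(password) and character_classes(password) < MIN_CLASSES:
        problems.append(
            f"use {MIN_WORDS}+ random hyphenated words or at least {MIN_CLASSES} character types"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user, name in [("82pickles", "admin", ""),
                           ("purple-horsefly-brown-coat", "admin", ""),
                           ("Jane.Smith-2024!x", "jsmith", "Jane Smith")]:
        print(repr(pw), check_password(pw, user, name) or "ok")
```

Note the third sample: it is long and mixes all four character types, yet still fails because it is built from the user's own name, which is exactly the kind of password a guessing tool tries first.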
I use Passpack.com to keep track of my passwords – at least the ones I don't write down on sticky notes on my desk. (I'm joking, I promise.)
5 – Not using reputable themes.
It's tempting to use one of the hundreds of thousands of free themes available. If you're using one of the free themes from the WordPress repository (https://wordpress.org/themes/), your chances are better, but there's still an issue: free themes can have spammy links and other problems in them, and these can be well hidden. Premium themes may cost a bit of money, but it's worth it, especially if you're using them for business.
And please, for the sake of your website, do not buy a premium theme from someone on Fiverr or Craigslist (these are called nulled themes), even if it is a really good deal. You never know what nastiness they added to the theme files between when they downloaded the theme and when they made it available to you.
When in doubt, or if you bought your premium theme through a third party, the Theme Authenticity Checker plugin can help you find common spamminess that might be present in your theme.
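The kind of thing such a checker looks for is obfuscated PHP and links that are hidden from visitors but visible to search engines. The following added example (not the plugin's own code) walks a theme directory and reports lines matching those patterns; the two-file sample theme it builds is constructed, with a harmless `base64_decode` call and a hidden link planted in the footer. A hit is a reason to open the file and read it, not proof of anything by itself, since some legitimate themes do use these functions.

```python
"""Scan a theme directory for the kinds of things the Theme Authenticity Checker
looks for: obfuscated PHP (base64_decode, eval, gzinflate ...), hidden links and
remote includes. Added example, not the plugin's own code; the sample theme
files are constructed. A hit is a reason to read the file, not proof of malice."""
import os
import re
import tempfile

SUSPICIOUS = {
    "obfuscated code": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "hidden link": re.compile(r"<a\b[^>]*style\s*=\s*[\"'][^\"']*display\s*:\s*none", re.I),
    "remote include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*[\"']https?://", re.I),
}


def scan_theme(theme_dir):
    """Return sorted (relative path, line number, label) for every suspicious line."""
    findings = []
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if not name.endswith((".php", ".html")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for label, pattern in SUSPICIOUS.items():
                        if pattern.search(line):
                            findings.append((os.path.relpath(path, theme_dir), lineno, label))
    return sorted(findings)


def build_sample_theme():
    """Constructed two-file theme: a clean header and a footer with planted problems."""
    theme_dir = tempfile.mkdtemp(prefix="theme-")
    files = {
        "header.php": "<?php wp_head(); ?>\n<div class=\"site\">\n",
        "footer.php": (
            "<?php echo base64_decode('aGVsbG8='); ?>\n"   # decodes to 'hello'; constructed
            "<a href=\"https://example.com/\" style=\"display:none\">cheap stuff</a>\n"
            "</div><?php wp_footer(); ?>\n"
        ),
    }
    for name, content in files.items():
        with open(os.path.join(theme_dir, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return theme_dir


if __name__ == "__main__":
    for rel, lineno, label in scan_theme(build_sample_theme()):
        print(f"{rel}:{lineno}: {label}")
```

Point `scan_theme` at `wp-content/themes/<theme>` on a copy of the site; the footer and functions files are where planted code most often ends up, because they run on every page.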
6 – Not using a security plugin.
Even when you've taken all the other precautions for keeping your site safe, a security plugin is still helpful. It can handle some of the technical stuff for you if that's not your thing, and it provides some monitoring for when you can't be there to make sure everything's okay.
My preferred security plugin is iThemes Security. I’ve talked about it before and have some videos about it on my YouTube Channel. It’s a great plugin and judging from the number of security notices I get for my site and my maintenance clients’ sites, it does a great job of keeping unauthorized access out.