Getting hacked isn’t something that happens to other people’s websites. It happens to small business sites every day — often quietly, without any obvious signs, while your customers are still browsing. Sometimes it’s a contact form being used to send spam. Sometimes it’s malware redirecting your visitors to sketchy sites. And sometimes it’s ransomware locking you out entirely.
The frustrating part is that most of these attacks are preventable. Here’s what actually works.
Keep Everything Updated
This sounds obvious. It isn’t done often enough. The majority of WordPress hacks exploit known vulnerabilities in outdated plugins, themes, or WordPress core — vulnerabilities that have already been patched in newer versions. Running outdated software is essentially leaving a door unlocked that the security community has already told you about.
Set a recurring reminder to check for updates at least weekly. Better yet, enable automatic updates where it makes sense: WordPress already installs minor core releases on its own, and since version 5.5 you can switch on auto-updates per plugin and per theme from the Plugins and Themes screens. Some updates do occasionally break things, so having a backup before auto-updating is non-negotiable — but the risk of running outdated software is almost always greater than the risk of a compatibility issue you can roll back from.
Use Strong, Unique Passwords Everywhere
Brute force attacks — automated tools that try thousands of password combinations per minute — are relentless and indiscriminate. They target every WordPress site they can find, looking for weak credentials on the admin login, FTP accounts, hosting dashboards, and database access.
A strong password is long (16+ characters), random, and used nowhere else. A password manager like 1Password or Bitwarden makes this manageable. If you’re still using the same password across multiple accounts, or anything that includes your business name or a recognizable word, change it today.
Enable Two-Factor Authentication
Even a strong password can be compromised — phishing, data breaches at other services, keyloggers. Two-factor authentication (2FA) means a stolen password alone isn’t enough to get in. The attacker also needs the second factor, which is typically a time-sensitive code from your phone.
Plugins like WP 2FA or Google Authenticator make this straightforward to add to your WordPress login. Enable it for every admin account on your site. It takes about two minutes to set up and meaningfully raises the bar for any attacker.
Limit Login Attempts
By default, WordPress allows unlimited login attempts. That’s what makes brute force attacks viable. A simple fix: install a plugin that locks out an IP address after a set number of failed attempts. Limit Login Attempts Reloaded is a reliable free option, and most security plugins include this functionality as well. Bear in mind that lockouts are per IP and attackers spread their guesses across many addresses, so this raises the cost of guessing rather than eliminating it; it belongs alongside strong passwords and 2FA, not in place of them.
You can also move your login URL away from the default /wp-login.php (the page that /wp-admin redirects you to), which reduces the volume of automated login attempts hitting your site in the first place. It’s not a substitute for proper security, but it cuts down on noise.
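As an added example (not part of this article), here is the same counting the lockout plugins do, done from the web server’s access log instead, so you can see who is hammering the login even before a plugin is installed. It counts POSTs to /wp-login.php that got a 200 (a failed login re-renders the form; a successful one answers with a 302 redirect) and POSTs to /xmlrpc.php, which bots also use for password guessing because it bypasses the login form entirely. The log lines are constructed; the IP addresses, the threshold of 5 and the Apache/nginx "combined" log format are assumptions.

```shell
#!/usr/bin/env bash
# Count login attempts per source IP from a web server access log and flag the noisy ones.
# Assumes the Apache/nginx "combined" log format: IP - - [time] "METHOD PATH PROTO" STATUS ...

# sample_log_file: write a constructed access log to a temp file and print its path.
sample_log_file() {
  local f
  f=$(mktemp)
  {
    # 203.0.113.7: a password-guessing bot, 8 failed logins (HTTP 200 = form re-rendered)
    for i in 1 2 3 4 5 6 7 8; do
      echo "203.0.113.7 - - [10/May/2024:08:01:0$i +0000] \"POST /wp-login.php HTTP/1.1\" 200 4123 \"-\" \"python-requests/2.31\""
    done
    # 198.51.100.20: the site owner, one typo then a successful login (HTTP 302 redirect)
    echo "198.51.100.20 - - [10/May/2024:08:05:10 +0000] \"POST /wp-login.php HTTP/1.1\" 200 4123 \"-\" \"Mozilla/5.0\""
    echo "198.51.100.20 - - [10/May/2024:08:05:25 +0000] \"POST /wp-login.php HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\""
    echo "198.51.100.20 - - [10/May/2024:08:05:26 +0000] \"GET /wp-admin/ HTTP/1.1\" 200 9876 \"-\" \"Mozilla/5.0\""
    # 192.0.2.55: guessing through XML-RPC, which skips the login form (always answers 200)
    for i in 1 2 3 4 5 6; do
      echo "192.0.2.55 - - [10/May/2024:08:07:1$i +0000] \"POST /xmlrpc.php HTTP/1.1\" 200 370 \"-\" \"Mozilla/5.0\""
    done
  } > "$f"
  echo "$f"
}

# login_attempts LOGFILE: print "<attempts> <ip>" for every IP that tried to log in, busiest first.
login_attempts() {
  awk '
    # $6 is the quoted method, $7 the path, $9 the status code
    $6 == "\"POST" && (($7 == "/wp-login.php" && $9 == 200) || $7 == "/xmlrpc.php") { n[$1]++ }
    END { for (ip in n) print n[ip], ip }
  ' "$1" | sort -rn
}

# flag_bruteforce LOGFILE THRESHOLD: print only the IPs with THRESHOLD or more attempts.
flag_bruteforce() {
  login_attempts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# With no arguments, run on the constructed log; otherwise:
#   ./wp-login-noise.sh /var/log/nginx/access.log 5
LOG=${1:-$(sample_log_file)}
THRESHOLD=${2:-5}
echo "Source IPs with $THRESHOLD or more login attempts in $LOG:"
flag_bruteforce "$LOG" "$THRESHOLD"
```

Run against a real log, the flagged addresses are candidates for a firewall or fail2ban rule; the owner with one mistyped password stays well under the threshold, which is the point of counting rather than blocking on the first failure.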
Install a Security Plugin
A dedicated security plugin adds several layers of protection that WordPress doesn’t include out of the box: a web application firewall that filters malicious traffic before it reaches your site, malware scanning that checks your files against known threats, file integrity monitoring that alerts you when core files change unexpectedly, and real-time blocking of known bad IP addresses.
Wordfence and Sucuri are the two most widely used options. Both have capable free tiers. They work differently: Wordfence’s firewall runs inside WordPress itself, so it only sees a request once PHP has started handling it, while Sucuri’s runs as a cloud proxy in front of your server. If you’re on managed WordPress hosting, your host may already provide firewall and malware scanning at the server level — worth confirming before you stack a second layer of the same protection.
Back Up Regularly — and Test the Backups
Backups don’t prevent attacks. They determine how bad the recovery is. A clean backup from yesterday means a hack is an annoying afternoon. No backup means potentially rebuilding from scratch.
Daily backups stored off-site — not on the same server as your site, and not reachable with the same credentials an attacker would find in wp-config.php, or the backups get encrypted along with the site — are the standard to aim for. UpdraftPlus is a reliable free option that supports storage to Google Drive, Dropbox, or Amazon S3. Whatever solution you use, actually test a restore periodically. A backup you’ve never restored is a backup you don’t know works.
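An added example, not the article’s own code and not a substitute for a plugin like UpdraftPlus: a files-only backup with a checksum manifest, plus a verify step that actually restores the archive into a scratch directory and compares every file, which is the "test the restore" part most people skip. The database needs its own dump alongside (mysqldump, or wp db export if you use WP-CLI) treated the same way; it is left out here so the script runs offline. The site layout in the demo is constructed and the paths are placeholders.

```shell
#!/usr/bin/env bash
# Files-only WordPress backup with a checksum manifest, plus a restore-and-verify check.

# backup_site SITE_DIR DEST_DIR: archive SITE_DIR into DEST_DIR and print the archive path.
# The manifest (.sha256) is computed from the live files *before* archiving and stored beside
# the archive, so a corrupted or tampered archive cannot vouch for itself.
backup_site() {
  local site=$1 dest=$2 stamp archive
  mkdir -p "$dest"
  dest=$(cd "$dest" && pwd)          # make absolute; we cd around below
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$dest/site-$stamp.tar.gz"
  ( cd "$site" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$archive.sha256"
  tar -czf "$archive" -C "$site" .
  echo "$archive"
}

# verify_backup ARCHIVE: restore into a scratch directory and check every file against the
# manifest. Returns 0 only if the archive extracts and every hash matches.
verify_backup() {
  local archive=$1 scratch ok=1
  case $archive in /*) ;; *) archive=$PWD/$archive ;; esac
  scratch=$(mktemp -d)
  if tar -xzf "$archive" -C "$scratch" \
     && ( cd "$scratch" && sha256sum --quiet -c "$archive.sha256" ); then
    ok=0
  fi
  rm -rf "$scratch"
  return $ok
}

# Demo on a constructed site tree. For real use, point SITE at your document root
# (e.g. /var/www/html) and DEST at a directory that is synced off the server afterwards.
demo() {
  local site dest archive
  site=$(mktemp -d); dest=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads/2024"
  printf '<?php define("DB_NAME", "wp");\n' > "$site/wp-config.php"
  printf 'not really a jpeg\n' > "$site/wp-content/uploads/2024/photo.jpg"
  archive=$(backup_site "$site" "$dest")
  echo "wrote $archive"
  if verify_backup "$archive"; then echo "restore test: OK"; else echo "restore test: FAILED"; fi
}
demo
```

The verify step is the one to schedule: a cron job that runs verify_backup on the newest archive and alerts on failure turns "I think the backups work" into something you actually know. Keep the .sha256 manifest with the archive when you copy it off-site, or the check cannot be repeated there.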
Use SSL — and Make Sure It’s Configured Correctly
If your site is still running on HTTP rather than HTTPS, fix that immediately. TLS (still widely called SSL) encrypts data between your visitors’ browsers and your server, which matters for any form submissions, login credentials, or payment information. It also affects your Google rankings — HTTPS has been a ranking signal since 2014.
Most hosting providers include free certificates via Let’s Encrypt. Installing one takes minutes. After you do, make sure your site is configured to redirect all HTTP traffic to HTTPS automatically, and change the WordPress Address and Site Address settings to the https:// versions so WordPress itself stops generating http:// links. Then check for mixed content — pages where some resources (images, scripts, stylesheets) still load over HTTP — because browsers block or warn on those, and the page is only as protected as its weakest resource. Let’s Encrypt certificates expire every 90 days, so confirm that renewal is automated rather than something you have to remember.
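An added example, not part of the original article: a shell check for the mixed-content problem described above, run against a saved copy of a page (for instance curl -s https://example.com/ > home.html). It lists the subresources (images, scripts, stylesheets, frames, CSS url() values) that still point at http://. Plain links in <a href> are deliberately ignored, because a link to an HTTP page is not mixed content. The sample page is constructed and its hostnames are placeholders; attribute values are assumed to be double-quoted, which is how WordPress themes generally emit them.

```shell
#!/usr/bin/env bash
# List subresources that still load over plain http:// in a saved HTML page (mixed content).

# sample_page_file: write a constructed page to a temp file and print its path.
sample_page_file() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/theme/style.css">
<script src="https://www.example.com/wp-includes/js/jquery.js"></script>
<style>.hero { background: url(http://www.example.com/wp-content/uploads/hero.jpg); }</style>
</head><body>
<img src="http://www.example.com/wp-content/uploads/logo.png" alt="logo">
<img src="https://www.example.com/wp-content/uploads/photo.jpg" alt="photo">
<a href="http://partner.example.com/">Our partner</a>
<iframe src="https://www.youtube.com/embed/xyz"></iframe>
</body></html>
EOF
  echo "$f"
}

# mixed_content HTMLFILE: print each http:// subresource URL once, sorted.
mixed_content() {
  {
    # Tags whose src/href is fetched while rendering the page (an <a href> is just a link).
    grep -oiE '<(img|script|iframe|source|video|audio|embed|link)[^>]* (src|href)="http://[^"]+' "$1" \
      | sed 's/.*="//'
    # CSS url() references, quoted or not.
    grep -oiE 'url\("?http://[^)"]+' "$1" | sed -E 's/^url\("?//'
  } | sort -u
}

# page_is_clean HTMLFILE: exit 0 only when no http:// subresource was found.
page_is_clean() {
  [ -z "$(mixed_content "$1")" ]
}

# Usage: ./mixed-content.sh home.html   (no argument: run on the constructed sample page)
PAGE=${1:-$(sample_page_file)}
echo "Resources still loaded over http:// in $PAGE:"
mixed_content "$PAGE"
```

The usual culprits on a WordPress site are hard-coded image URLs inside old posts and a theme or plugin that builds asset URLs from a saved http:// site address, which is why the address settings need changing along with the redirect.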
Be Selective About Plugins and Themes
Every plugin and theme you install is code running on your server. That code was written by someone, and not everyone who publishes WordPress plugins does so with your security in mind. Abandoned plugins — ones that haven’t been updated in a year or more — are particularly risky because known vulnerabilities in them won’t be patched.
Before installing anything, check the last updated date, the number of active installs, and the reviews. Delete plugins you’re not using — a deactivated plugin’s files are still on the server and can still be requested directly by URL, so a vulnerability in it remains exploitable. And never install nulled (pirated) themes or plugins. They almost always contain malware.
Set the Right File Permissions
WordPress files and directories should have permission settings that let only the owner modify them. If permissions are set too loosely (world-writable, for example), another account on a shared host, or an attacker with a low-privileged foothold on the server, can write malicious files or modify existing ones. The standard recommendation is 644 for files and 755 for directories, with wp-config.php at 600 because it holds your database credentials. Two caveats: 600 on wp-config.php only works when PHP runs as the file’s owner (on hosts where PHP runs as a separate user such as www-data, use 640 with that user’s group instead), and none of these settings stop a compromised PHP process running as the owner from rewriting whatever it likes, so they complement updates and backups rather than replace them.
If you’re not comfortable checking and setting file permissions via FTP or your hosting file manager, this is something a developer can audit and correct quickly as part of a security review.
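An added example (not from the article): an audit function that lists every path deviating from the 644/755/600 scheme, with world-writable entries called out first, and a fix function that applies the scheme. The demo builds a throwaway directory tree; point both functions at your real document root (for example /var/www/html) to use them, after checking the ownership caveat above. The 600 on wp-config.php assumes PHP runs as the file’s owner.

```shell
#!/usr/bin/env bash
# Audit and fix WordPress file permissions: 755 directories, 644 files, 600 wp-config.php.

# audit_wp_perms SITE_DIR: print every deviation; return 0 if none, 1 otherwise.
audit_wp_perms() {
  local site=$1 findings
  findings=$(
    # Anything writable by "other" is the urgent case: any account on the box can plant code.
    find "$site" -perm -002 | sed 's/^/WORLD-WRITABLE: /'
    find "$site" -type d ! -perm 755 | sed 's/^/DIR  not 755:   /'
    find "$site" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/FILE not 644:   /'
    # wp-config.php holds the database password; keep it readable by the owner only.
    # (If PHP runs as a different user than the file owner, use 640 and that user's group.)
    find "$site" -maxdepth 1 -name wp-config.php ! -perm 600 | sed 's/^/CONF not 600:   /'
  )
  if [ -z "$findings" ]; then
    return 0
  fi
  printf '%s\n' "$findings"
  return 1
}

# fix_wp_perms SITE_DIR: apply the scheme. Run as the file owner (or with sudo), and fix
# ownership first if the web server user and the owner differ.
fix_wp_perms() {
  local site=$1
  find "$site" -type d -exec chmod 755 {} +
  find "$site" -type f -exec chmod 644 {} +
  if [ -f "$site/wp-config.php" ]; then
    chmod 600 "$site/wp-config.php"
  fi
}

# Demo on a constructed tree with deliberately bad modes.
demo() {
  local site
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads"
  printf '<?php\n' > "$site/wp-config.php";  chmod 666 "$site/wp-config.php"
  printf '<?php\n' > "$site/index.php";      chmod 777 "$site/index.php"
  chmod 777 "$site/wp-content/uploads"
  echo "== before =="; audit_wp_perms "$site" || true
  fix_wp_perms "$site"
  echo "== after ==";  audit_wp_perms "$site" && echo "clean"
  rm -rf "$site"
}
demo
```

Run the audit on its own first and read the output; a 777 on wp-content/uploads is a common sign that someone "fixed" an upload error by opening the directory to everyone, and that is exactly where dropped web shells end up.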
What to Do If You’ve Already Been Hacked
First, don’t panic. It’s fixable. The steps: take the site offline if possible to prevent further damage, restore from a clean backup if you have one (one taken before the compromise, not simply the most recent), or use Wordfence or Sucuri to scan and remove malware if you don’t. Change every password — WordPress admin, hosting account, FTP, database — and replace the authentication keys and salts in wp-config.php so that any session cookies the attacker captured stop working. Check the Users screen for administrator accounts you didn’t create. Update all plugins and themes. Then figure out how they got in so you can close that door; otherwise the site will be reinfected the same way.
If the infection is deep or widespread, professional cleanup is usually faster and more reliable than trying to do it yourself. Sucuri offers a flat-fee cleanup service. So do many WordPress developers.
Security That Doesn’t Require You to Think About It
The honest reality is that most small business owners don’t have time to stay on top of all of this. Updates slip, backups go untested, security scans don’t run. That’s exactly how sites get compromised.
At Interactive Design Group, our managed hosting plans handle the security fundamentals for you — updates, backups, monitoring, and firewall protection — so you’re covered without having to think about it. If your current setup is leaving things to chance, get in touch and let’s talk about what a properly secured site looks like.
