There seems to be a belief, especially among small business owners, that they’re too small to be noticed by hackers. They’re not aware that most hackers use automated tools to find vulnerable sites.
Hacking is not just about stealing data.
Why do websites get hacked?
Honestly, there are a variety of reasons why people hack and infect websites.
They may hold a website for ransom to earn some money.
They may be after data such as credit card details from an online shop (if card data is stored on the server), which they then sell or use themselves.
They may do it to obtain user data such as usernames, emails, passwords, and so on, all of which can be sold.
Or, it could be related to identity theft schemes.
Sometimes hackers may get paid by a third party to attack the website of a particular business or organization for whatever reason.
In fact, while I was originally outlining this article, Buzzsprout, a podcast hosting platform, was the target of a DDoS (distributed denial of service) attack.
A DDoS attack floods a target with so much Internet traffic that legitimate visitors can no longer reach it.
In Buzzsprout’s case, the attacker was trying to obtain a ransom to stop the attack.
They’re a Big Ol’ Jerk.
Sometimes, a person hacks because they’re just a sad little human being, with too much time, and they want to see if they can do it.
Yes, you may be at risk
According to a 2018 Security Week article, roughly 18.5 million websites were infected with malware at any given time, and the average website was attacked 44 times a day (you usually don’t notice because most attempts fail… but sometimes one succeeds).
All it takes is for one piece of malicious code to be dropped into your site, which can lie dormant for months before being activated.
The fact is, new vulnerabilities are found every day, and a single flaw in a theme, plugin or WordPress core can expose your site to thousands of automated attack attempts, because the bots scanning for that flaw don’t care who you are.
The good news?
It’s really quite simple and inexpensive to protect yourself from that happening, but you have to follow some best practices.
But before we get to those best practices, let’s take a step back and look more carefully at an important question:
Why Should You Care?
Time is money.
Clean up can take from hours to days, all of which means lost traffic to your website… and which consequently means fewer leads and potential revenue for your business.
You could disappear from search engines like Google.
Most search engines, including Google, take measures to protect users from hacked sites, including removing your website from search results if they think it could harm visitors.
Once Google determines your website has been compromised, it flags the site as dangerous (Google Safe Browsing), and modern browsers will show visitors a full-page warning that the site contains harmful programs before they can continue.
No one is visiting your website.
Damage to your business reputation.
Clients don’t want to visit a site that could infect their computers, and it only takes one upset person to spread the word.
So how do you protect your website?
Your website is supposed to bring you business
The last thing you want it to do is to lose potential leads!
There are six key steps I recommend that every business owner should abide by in order to secure their website. (You may also be interested in our WordPress Inspection!)
#1 – Use strong passwords
I know that every website you register with these days tells you you need a 73-word password that includes numbers and letters and symbols and hieroglyphics. The fact is, your password should not be easy to guess.
I realize this sounds obvious, but I wouldn’t be mentioning it if weak passwords weren’t an epidemic and a very common way people get hacked.
A truly strong password is at least 12 characters long; some resources say 12, others put the floor at 15. Either way, the longer and more random it is, the better, and extra length buys you more than a sprinkling of symbols in a short password does.
Don’t be one of my past clients who continually insisted on setting up passwords along the lines of abc123. Fortunately, I can tell you that she now has very secure passwords.
Of course, I realize that makes it a bit difficult for our overburdened brains to remember.
With that in mind, remember to use a password manager like LastPass, as I talked about in a previous video about logins.
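To make the rule concrete, here is a small password policy check, added for this article rather than taken from WordPress or from any plugin mentioned here. It enforces the 12-character floor, rejects a short constructed list of common passwords (a real deployment would check against a large breached-password list, which is an assumption of this example), flags short sequential runs such as abc or 123, and gives a crude guess-space estimate in bits so you can see why a long random passphrase beats a short “complex” one:

```python
import math
import string

# Constructed stand-in for a real breached-password list (assumption: a real
# site would load millions of entries, e.g. from a public breach corpus).
COMMON_PASSWORDS = {"password", "123456", "abc123", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12  # the article's floor; 15 or more is better


def estimate_bits(password: str) -> float:
    """Rough guess-space size in bits: length * log2(pool), where pool is the
    size of the character classes actually present. For dictionary words and
    patterns this over-estimates, so treat the number as an upper bound."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation or c.isspace() for c in password):
        pool += 33
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def has_sequential_run(password: str, run: int = 3) -> bool:
    """True if any `run` consecutive characters step up by one (abc, 123)."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        if all(b - a == 1 for a, b in zip(window, window[1:])):
            return True
    return False


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if has_sequential_run(password):
        problems.append("contains a sequential run such as abc or 123")
    if len(set(password)) <= max(3, len(password) // 4):
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for pw in ("abc123", "P@ssw0rd!", "correct horse battery staple"):
        print(f"{pw!r}: ~{estimate_bits(pw):.0f} bits, problems: {check_password(pw) or 'none'}")
```

The bit estimate is the point of the third sample: nine characters of mixed symbols land near 59 bits, while a 28-character lower-case passphrase lands well above 150 even before you count the space characters as a class, which is why length is the lever worth pulling.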
#2 – Choose a unique username
WordPress no longer sets “admin” as the default username when you install the WordPress.org software, but many people still choose it, and I would caution you against doing this.
Because so many sites still use it, automated brute-force attacks specifically target WordPress sites with that username. In simple terms, a bot requests your login page (wp-login.php) and submits password after password against “admin” until one works.
These are automated attacks, and they go after thousands of websites all targeting the ‘admin’ username.
So using ‘admin’ puts you at a higher risk, especially if you have a weak password.
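To see what such a run looks like from the server side, here is an added detection example (not code from this article, from WordPress or from any plugin it names) that runs over a few constructed Apache-style access log lines. Because the username travels in the POST body, it never shows up in the access log; what gives the attack away is the volume of POSTs to wp-login.php from a single IP. The script treats a 200 response to that POST as a failed login and a 302 redirect as a success, which is standard wp-login.php behaviour but can be altered by plugins, so it is a heuristic; the five-attempts-per-minute threshold is an assumption:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format log lines (not from a real site).
# 203.0.113.7 hammers the login form; 192.0.2.9 mistypes once, then succeeds;
# 198.51.100.4 browses and logs in on the first try.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2020:03:14:05 +0000] "GET /about/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2020:03:15:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2020:03:20:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2020:03:20:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, path and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return a dict of the fields we need, or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def failed_login_attempts(log_text: str) -> dict:
    """Map each client IP to the timestamps of its failed wp-login.php POSTs.
    Heuristic: wp-login.php re-renders the form with status 200 on a bad
    password and answers 302 (redirect to wp-admin) on success."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200:
            attempts[rec["ip"]].append(rec["ts"])
    return dict(attempts)


def find_bruteforce(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {ip: peak_failures_in_window} for IPs that reach the threshold
    inside any sliding window of the given length."""
    flagged = {}
    for ip, times in failed_login_attempts(log_text).items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 60s, block at the firewall")
```

Run against the sample it flags only 203.0.113.7 (six failures in five seconds) and leaves the two legitimate users alone; this is exactly the signal a login-lockout feature or a fail2ban-style firewall rule acts on. The same check belongs on POSTs to xmlrpc.php, which bots use for the same purpose.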
#3 – Limit access to your website
I know it’s tempting for a lot of small business owners to simply share their primary WordPress account login with whoever needs some sort of access to their website. It feels easier and faster to share that one account, and I know a lot of folks who do it.
But this can open you up to security risks if you do that.
I recall one client who had a marketing agency working with her to provide a lot of her branding, design and content strategy and execution.
The agency’s team members who were assigned to the client’s account had been explicitly instructed to never run WordPress updates on the client’s website due to the complexity of the site. It was a task that was to be left in our hands each month.
However, one of their very well-meaning employees noticed that some of the plugins needed updates done. Rather than leaving it for us, she ran the WordPress updates, thought everything looked fine and moved on with her day.
But it turned out a plugin update had broken part of the website, which showed up a number of hours later, around 11 pm at night, in the form of the entire website going down.
This employee had no malicious intent whatsoever, but the result was still a broken website. She never should have had administrator-level access when all she was updating was blog posts and page content; a WordPress Editor account would have covered that work without letting her run updates.
#4 – Keep your WordPress up-to-date
If your website is on WordPress, it is vital that you run your WordPress updates regularly.
This includes your WordPress core version updates, your theme updates and plugin updates.
Keeping your WordPress software up to date isn’t just something to do when your website seems to have run into a hiccup or seems broken in some way. You need to run updates proactively, before you run into a problem.
WordPress updates help to improve features and fix bugs in WordPress, but it’s also a key part of preventing hackers from exploiting any vulnerability in your site’s code.
And when I say run them “regularly,” that does not mean doing your updates a few times a year or whenever you happen to remember.
Out of date WordPress software or plugins are hands down the most common cause of a website being hacked or infected that I and my team have seen.
How to Do Your WordPress Updates
If you haven’t done your WordPress updates recently, my advice is to login to your WordPress admin now and check if you have outstanding WordPress updates.
Then I want you to do three things to protect your site, in this specific order:
- Make sure you have a solid backups system in place *first* before you do updates (and you should watch my video about Backups if you haven’t watched it recently)
- Run your WordPress updates, then log out and open your website in an Incognito (private) window so you see it exactly as a visitor does, and check that everything looks and works as it should.
- Set up a recurring monthly reminder in your phone or calendar or project management system to take action and keep your updates current.
#5 – Use a professionally trusted security solution
If you are quite confident with your website tech knowledge, or if you have a developer supporting you, the plugin I’d recommend is Wordfence Premium.
iThemes Security Pro
You can also consider the free iThemes Security plugin, which is reasonably simple to set up if you’re DIY’ing your website, though if you go this route I would suggest you look at iThemes Security Pro for something a little more robust.
The Free version doesn’t have two-factor authentication, malware scanning, or a variety of other helpful security tools that the Pro version does include, so it’s worth considering the upgraded option.
It should be noted that iThemes Security is a plugin for preventative measures but does not fully protect your website.
But I would recommend Wordfence’s premium plugin over iThemes Security Pro, because it bundles more: a web application firewall, malware scanning, login security (including two-factor authentication) and other tools that benefit your website’s security.
Your website is one of your biggest business assets
Don’t leave it vulnerable.
Just as you would do for a home in a busy city, protect your property, and the contents inside of it.
Don’t be a website owner who regrets leaving the door wide open.