How To Avoid Compromising Your WordPress Website


“My WordPress website is sending spam emails to my subscribers. Help, I don’t know how to make it stop.”

Does this sound like what’s been happening on your website?

In a movie, a hacker who finds a way to get inside a computer to stop a countdown that would launch a missile to destroy the world is a hero. In real life, a hacker is not a hero when she is responsible for your email subscribers receiving spam emails, your blogs being bombarded with spam comments or worse, your website URL now leading to a porn site.

Being hacked is an entrepreneur’s nightmare, and it can cost a lot of time, money and frustration. Most people get hacked because they simply don’t have the time to clean up their website’s back end.

In my experience, I discovered that there are 8 ways you’re compromising your WordPress website and you don’t even know that you’re doing it.

What if you could take simple steps to break the hacker’s heart instead of yours? You can, and today I am sharing them with you.

Heartbreak #1: You Have A Complete Backup Of Your WordPress Website

Most entrepreneurs, when launching their business online, sign up for a shared server with GoDaddy, BlueHost, Hostgator or another provider to host their website. These types of web hosting packages usually cost $3.99 per month. You are sharing server space with many other people. You have no idea how secure the other websites are. A hacker can infiltrate one of them and delete your files.

How can you recover your website if this happens?

Having a complete backup of your WordPress website can help. A complete backup saves a copy of your website that you can recover if you get hacked. With a backup you don’t have to redesign your site: it can be restored to the way it looked before the hack. The plugin I recommend to back up your entire website is BackupBuddy. You can even schedule BackupBuddy to automatically save your website daily or weekly to a remote location or a storage device.

Heartbreak #2: You always update your version of WordPress

WordPress does an amazing job keeping its free product secure by updating it frequently. Take advantage of this free support by keeping your WordPress version up to date. Before updating your version of WordPress, make sure you do a complete backup, so you avoid breaking your own heart in case the update doesn’t go as expected.

Heartbreak #3: You delete the plugins you’re not using

Every plugin you install on your website was created by a different developer. Each time WordPress updates its version, a good developer updates the plugin she created as well.

Make sure all your plugins are updated and tested with your current WordPress version. If one is not, find a substitute or delete it. Hackers use plugins that have not been updated as a back door to install malicious code and infiltrate your website. That lets them do whatever they want without you even knowing they already have access to your site.

Heartbreak #4: You delete the WordPress themes that you’re not using

Your WordPress website install usually comes with a couple of free themes. People purchase other themes with more features for their website and don’t even bother with the free ones. You can delete them. Keeping the WordPress themes that you’re not using gives hackers the perfect opportunity to infiltrate your website.

Heartbreak #5: You’re not using “ADMIN” as your username

Don’t be shy, do you still use “ADMIN” or your email address as your username to log into your WordPress dashboard? Having your username as “ADMIN” – the first username hackers usually try – is doing 50% of the job for hackers. The solution is to break their heart by changing your username to something that is tough to guess.

Heartbreak #6: You’re using a password with at least 8 characters

I get it, your pet’s name, your favorite restaurant or your wedding anniversary are easier to remember. But they are also easy for hackers to obtain just by paying attention to what you post on social media. You want a password that is tough to guess and that’s 8 characters long. Use a Strong Password Generator to create it for you. I know you have enough passwords, family schedules and grocery lists to remember. Don’t worry, I got your back! Use a password management system like LastPass to remember ALL your passwords for you so you don’t have to.

Heartbreak #7: You audit your website users

From your WordPress dashboard, navigate to the “Users” section. If you see users other than yourself that you don’t remember adding, delete them, especially if they have “Administrator” status. You should be the only one with this status. If you need to give access to a designer to update your website, create a separate user account with a temporary password.
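The checks from Heartbreaks #3, #4, #5 and #7 can also be run in one pass from the command line. This is an added example, not code from the article or from any plugin it names; it assumes WP-CLI is installed and the hypothetical file `audit.php` is run from the site root with `wp eval-file audit.php`.

```php
<?php
// Added example. Read-only: it reports what to review and deletes nothing.
require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active()

$findings = array();

// Heartbreaks #5 and #7: list every Administrator and flag the guessable "admin" login.
foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
    $findings[] = sprintf( 'ADMIN USER       %s <%s> registered %s',
        $user->user_login, $user->user_email, $user->user_registered );
    if ( 'admin' === strtolower( $user->user_login ) ) {
        $findings[] = 'WARNING          login "admin" exists: replace it with a hard-to-guess username';
    }
}

// Heartbreak #3: plugins that are installed but not active.
foreach ( get_plugins() as $file => $data ) {
    if ( ! is_plugin_active( $file ) ) {
        $findings[] = sprintf( 'INACTIVE PLUGIN  %s %s', $data['Name'], $data['Version'] );
    }
}

// Plugins with an update waiting, taken from WordPress's own cached update check
// (empty until WordPress has run that check at least once).
$updates = get_site_transient( 'update_plugins' );
if ( $updates && ! empty( $updates->response ) ) {
    foreach ( $updates->response as $file => $info ) {
        $findings[] = sprintf( 'UPDATE AVAILABLE %s -> %s', $file, $info->new_version );
    }
}

// Heartbreak #4: themes other than the active theme and, for a child theme, its parent.
$in_use = array( get_stylesheet(), get_template() );
foreach ( wp_get_themes() as $slug => $theme ) {
    if ( ! in_array( $slug, $in_use, true ) ) {
        $findings[] = sprintf( 'UNUSED THEME     %s %s', $theme->get( 'Name' ), $theme->get( 'Version' ) );
    }
}

echo implode( PHP_EOL, $findings ) . PHP_EOL;
```

Run it before and after the monthly cleanup: the second run should list only the administrator accounts you recognise.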

Heartbreak #8: You Keep spammers from commenting on your blog

When your website is new, you spend a small amount of time moderating comments. As it becomes more popular, comment moderation will turn into a chore, especially with spam comments. Spammers love to bombard you with all kinds of comments to buy Ray Ban glasses or Viagra. You don’t want your visitors reading these types of comments; that’s why you must activate a spam filtering plugin.

WordPress comes with some plugins preinstalled. One of those plugins is a spam filtering plugin, Akismet, which doesn’t come activated though. You will have to take some extra steps to get it activated for a small fee.

You can also use a spam prevention technology called a honeypot, such as Spam Fighter, to force the spam bots to identify themselves before posting a comment on your site. A honeypot creates a fake challenge that can only be seen by the spam bots. When the bots fill in the challenge, they end up identifying themselves and are caught before posting a spam comment.
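The honeypot mechanism described above, written as a small WordPress plugin. This is an added example, not the code of Spam Fighter or any other plugin named in the article; the field name `confirm_website` and the constant `EXAMPLE_HONEYPOT_FIELD` are hypothetical.

```php
<?php
/**
 * Plugin Name: Comment Honeypot (added example)
 * Description: Illustrative honeypot for the comment form.
 */

// Hypothetical field name, chosen to look like an input a bot would fill in.
const EXAMPLE_HONEYPOT_FIELD = 'confirm_website';

// Print the decoy after the normal comment fields (the form shown to logged-out visitors).
add_action( 'comment_form_after_fields', function () {
    // Moved off-screen and taken out of the tab order and of screen readers, so
    // people never reach it, while a bot that fills every input in the HTML does.
    printf(
        '<p style="position:absolute;left:-9999px" aria-hidden="true">' .
        '<label>Leave this field empty ' .
        '<input type="text" name="%s" value="" tabindex="-1" autocomplete="off"></label></p>',
        esc_attr( EXAMPLE_HONEYPOT_FIELD )
    );
} );

// Inspect every submitted comment before WordPress saves it.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    // Logged-in users never saw the decoy; pingbacks and trackbacks do not use the form.
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( is_user_logged_in() || in_array( $type, array( 'pingback', 'trackback' ), true ) ) {
        return $commentdata;
    }

    $raw = isset( $_POST[ EXAMPLE_HONEYPOT_FIELD ] ) ? $_POST[ EXAMPLE_HONEYPOT_FIELD ] : '';
    // Anything other than an empty string (including an array) counts as "filled".
    $filled = ! is_string( $raw ) || '' !== trim( wp_unslash( $raw ) );

    if ( $filled ) {
        // The sender answered the fake challenge: reject before the comment is stored.
        wp_die( 'Comment rejected.', 'Comment rejected', array( 'response' => 403 ) );
    }
    return $commentdata;
} );
```

A honeypot only catches bots that fill in every field, so it works alongside a filter such as Akismet rather than replacing it.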

My wish for you is to get in the habit of protecting your business online as well as your visitors. I’ve been designing websites for 7 years and I’ve made many mistakes. You don’t need to do the same! It’s good practice that every month you schedule some time to do a security audit of your website. Doing so will keep your heart intact and will surely break a hacker’s heart. If you feel stuck, I’m happy to help you fight your tech monsters. Tell me about them here.



  • June 2, 2017, 2:32 am

    I need to make time to delete the themes I don’t use and delete the inactive plugins too. I thankfully don’t have “admin” as my login so that’s good – lol. Great tips here, Webly. Thank you!

    • July 13, 2017, 11:12 pm

      I hope you get to delete the themes, Tandy. That’s one thing that most entrepreneurs DIYing their website forget to do.

  • July 13, 2017, 1:23 am

    Great tips, Webly. Thankfully my son helps me do regular complete backups and my site automatically updates. I really must get better about deleting the unused plugins though.

    • July 13, 2017, 11:23 pm

      Sounds like your son has a business he can start don’t you think?

  • July 13, 2017, 6:20 pm

    Good warning signs, Webly. I was able to track that hackers got in from old plugins. I had deleted themes I’m not using because it was recommended but didn’t realize it was an entry point for hackers.

    • July 13, 2017, 11:08 pm

      Good thing you deleted them. That is indeed one of their backdoors.

  • July 13, 2017, 8:55 pm

    Looks like I’m on track for keeping my website safe. I do have a few plugins that are dormant, but my web person is reluctant to remove them for reasons I am not too knowledgeable about. In the early days of my new site, I was getting a ridiculous amount of comments that I was replying to, only to find out they were sort of spam. That got corrected with Akismet! Thanks for the tips Webly!

    • July 13, 2017, 10:54 pm

      I would investigate further on the reason why the dormant plugins must stay. If they come with your website theme and you are using them, regular updates will do. If you’re not using them at all and keeping them, they are slowing your website and it affects your visitor’s experience. Something to keep in mind.

  • July 16, 2017, 5:45 pm

    You’re right Lori. It is becoming a chore to keep up with all that ourselves. That’s a task that can easily be delegated to a VA or a tech person. Good job on backing up your site!

  • July 16, 2017, 6:13 pm

    Thanks! Those are all important safety steps. I’m grateful to have a team that does a good job of managing all that.

    • July 20, 2017, 1:34 am

      That’s great, Cathy, that you save yourself time delegating this task.

  • Meghan
    July 18, 2017, 2:07 pm

    Super helpful list! Keeping WordPress updated is a total pain in my rear, but it comes with the territory. You reminded me of a user that I needed to delete, so thanks for that. I took action immediately. One day I hope to upgrade out of shared hosting…malware is a bad thing!

    • July 20, 2017, 1:33 am

      It is a pain and not one at the same time. If you log into your website every week to blog, 10 more minutes updating won’t hurt.

  • July 18, 2017, 8:03 pm

    These are such great tips. My husband is a software engineer, and he made sure when I got started that backups, security, etc. were taken care of. I suppose it’s not foolproof, but he got me started with some good habits. And he even gave me a 4 TB external mirrored hard drive for my backups since I’m still on shared hosting. I hope that’s good enough to stay safe. I look forward to dedicated.

    • July 20, 2017, 1:45 am

      I know. Shared hosting is economical but unfortunately, we are not responsible for the other people using the same spac

  • July 19, 2017, 4:59 pm

    Hahahahaha I am guilty of most of the points you stated, I need to delete the themes and plugins that I do not use. I recently moved my site from a shared host to a private one. Not sure what you will say about that.

    • July 20, 2017, 2:00 am

      Having a dedicated server is a good move. You’re protecting yourself as well as your visitors. The problem with shared hosting is that we are not responsible for other people sharing the space and not keeping their site safe. That’s all it takes for your site to be at risk.