Table of Contents

7 steps to help secure your WordPress Website from a CyberAttack

With more and more businesses taking their trade online, especially due to the change in consumer behaviour due to COVID-19, we have noticed a sharp rise in these business websites facing cyber-attacks.

Many small business owners are embracing the power and flexibility of website content management systems (CMS) such as WordPress. These systems, despite being amazing at getting your business noticed, face the constant threat of a cyberattack.

This article covers the most common issues and fixes for WordPress sites but you will find that many of these issues also apply to other content management systems.

But my business is too small to be targetted!

You can’t have the “it won’t happen to me” mentality. Many site owners think hackers have bigger fish to fry and don’t have any reason to target their website. That’s simply not the case. 

It is an unfortunate reality that 43% of all cyberattacks target small businesses. This is in part because many small business owners are often busy and strapped for time, cybersecurity might not be a top priority.

localstore - LAUNCHPAD Accounting

Cyberattacks and your website

Many cyberattacks are opportunistic, with hackers spotting vulnerabilities in a website and exploiting them. These attacks may involve finding flaws in the code of a website or plugin, that allows them to insert their code and bypass security or authentication processes. It could also mean they install ‘malware’ – a type of software which is specifically designed to damage a system – via a vulnerable third-party site.

An attack that knocks your website offline can cost your business anywhere from thousands to millions of pounds in remediation, lawsuits from customers and fines by regulators. 

Quick Fact About WordPress:

WordPress is used by over 35% of all websites worldwide and also registered as having the highest number of vulnerabilities. About 98% of WordPress vulnerabilities are related to plugins.

Some common website attack types:


  • Brute force attacks – Bots (automated hacking software) attack your site looking for weaknesses. This means that a snippet of code tries to access your site’s login screen and gain access to the CMS. The bot automatically tries to log in to your site by trying infinite variations.
  • Code injection – Hackers can “inject” your website database with malicious code. This attack can happen in many ways but commonly when hosting/server details are compromised.
  • Spam attacks – By far the most common attacks; the general purpose of these attacks is to slow your site down by overwhelming the database with 1000s of spam comments.

What steps do you, as a business owner, need to take next?

thinking - LAUNCHPAD Accounting

Looking after the basics

While it can be almost impossible to make a website 100% secure to the most determined hacker, there are some simple steps that as a WordPress site owner, you should be putting into place:

Make sure you have chosen a reputable hosting company

There is an extensive list of hosting companies on the web so when choosing a new host or reviewing your current provider, view the companies online reviews. 

These reviews will show you how different companies compare in terms of overall hosting quality and also individual aspects of their hosting setups, like security, reliability, speed, etc.

HTTPS not HTTP – Use an SSL certificate on your site

This one should be straightforward – if you have a website you should be using an SSL certificate and…if you are running an online shop or taking payments you absolutely must have an SSL certificate!

Most hosting companies can offer basic SSL certificates as part of the hosting package, however, you also have the opportunity to purchase one separately if you need to.

Why do you need an SSL certificate for your site?

A website needs an SSL certificate to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and gain user trust.

When you visit a website that’s encrypted with SSL, your customers browser will form a connection with the webserver, look at the SSL certificate, then bind the browser and the server. This binding connection is secure to ensure no one besides the customer and the website can see or access what information.

Make sure you are using the up-to-date WordPress version and all plugins

After speaking to clients who have experienced cyberattacks, the one thing in common is that they are not regularly updating their plugins or CMS. WordPress has simple tools to help make updating aspects of the website simple and straightforward. Just make sure that before you do a big update to…

Make regular backups

Some hosting companies, such as SiteGround, offer automated backups of your site. These backups can be lifelines for those business owners who face an attack which knocks their site offline. A quick tip for those with more active sites is to keep a regular plan of when you back up. If you have to roll-back to an old backup from months ago you will then have to spend a lot of time catching up with your content!

Change the admin username

By default, a lot of CMS applications use the default username of admin. Hackers know this and use the combination of this predictable username with random passwords when trying to break into your site. You should always set up a unique admin user name.

Use a secure password

We know that many businesses don’t like using strong passwords because they’re hard to remember. However, in many cases of brute force attacks on your website, making a secure password is your first line of defence.

QUICK TIP: You can use an online password generator such as to help make a secure password quickly and easily.


Other steps to take

There are many other steps you can take to keep your site secure but the above list should give you a strong starting point. If you have questions or find yourself in a midst of a cyberattack on your WordPress site and need guidance then speak to us.