If you haven't heard of WordPress, there's a high chance you've still engaged with it at some point, because as of April 2025, it's estimated that around 43% of all websites are powered by WordPress - a huge chunk of the web! We use it for our demo sites - something potential customers can use to get an idea of the sort of page load times they can expect on our platform.
Not only is it free and open-source (two things that we love!), but it has a massive community, which is great because if you run into a problem with it, there's a good chance someone will be able to help.
Out-of-the-box, WordPress is tried-and-tested as a result of many years of development (it was first released on May 27, 2003) and if you were to spin up an install with a strong and unique password, as well as automatic updates enabled, there's a good chance it would never be hacked - sounds like a webmaster's dream, right?
Well, not so fast there. A lot of webmasters install third-party plugins to enhance their site's functionality - whether that be adding a contact form, an image slider, etc. - there's something for everyone. The problem? Unfortunately, a lot of plugin authors build their plugins for functionality over security, or in other words: as long as the plugin does what the author wants it to do, surely, that must be good enough. If only that were true.
In our experience, a lot of webmasters tend to use at least ten plugins, and in some cases, a lot more. That means you're putting your trust in potentially ten different individuals (or businesses, in some cases) to ensure that their plugin is secure. This is where the security of your website is often let down, so, today, we're going to talk about a few things you can do to help keep potential hackers at bay - remembering that security is a process, not a product.
1. Use unique and strong passwords - and protect them
This one might sound obvious, but it's important. You can have all the security software in the world, but if password authentication is the attack vector, that software might not count for much.
Over the years, hardware has become faster. That means that tools used to crack passwords have also become faster. Certain estimates say that in 2015, a password like !123Password456! would take days to weeks to crack, but now, 10 years on in 2025, it could take just seconds to minutes to crack.
Ideally, make sure your passwords:
- are at least 16 characters long
- do not contain dictionary words
- have a mixture of letters (A-Z), numbers (0-9), and special characters
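As an added illustration (not code from the original post), a small Python checker that applies the three rules above; the word list is a constructed stand-in for a real dictionary. It shows that the post's own example, !123Password456!, is 16 characters and mixes character classes but still fails the dictionary-word rule.

```python
import string

# Constructed mini word list standing in for a real dictionary (an assumption,
# not a list from the original post); a real deployment would load a full one.
DICTIONARY = {"password", "admin", "wordpress", "welcome", "letmein", "qwerty"}

MIN_LENGTH = 16


def check_password(pw, dictionary=DICTIONARY):
    """Return the list of rules the password fails (an empty list means it passes).

    The rules follow the post: at least 16 characters, no dictionary words,
    and a mix of letters (A-Z), digits (0-9) and special characters.
    """
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # Dictionary words are matched case-insensitively as substrings, so the
    # 'Password' inside '!123Password456!' still counts as a hit.
    lowered = pw.lower()
    hits = sorted(w for w in dictionary if w in lowered)
    if hits:
        failures.append("contains dictionary word(s): " + ", ".join(hits))
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(c in string.punctuation for c in pw)
    if not (has_letter and has_digit and has_special):
        failures.append("needs letters, digits and special characters")
    return failures


if __name__ == "__main__":
    for candidate in ("!123Password456!", "Ws4!pmQ2", "k9#Vq2!mZp7$Lw4@Rb8"):
        print(candidate, "->", check_password(candidate) or "passes all rules")
```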
Now that you've got a strong password, we need to talk about protecting it.
Quite clearly, if your password is easily stolen, no matter how secure it is, it won't make any difference, and it's safe to assume your website will be hacked.
Ideally, avoid storing your password anywhere (online or on your device) - keep it in your head. If that's not possible, make sure your device has the latest security updates installed, and where appropriate, run malware scans. Given the number of different platforms, it's impossible to talk about all of them, but using Microsoft Windows as an example, Malwarebytes is free and consistently ranked as one of the best for detecting security threats (i.e. viruses, malware, etc.).
2. Keep plugins and themes to a minimum (and delete, don't just deactivate)
As mentioned earlier, plugins are often the downfall when it comes to a WordPress website being hacked.
It's for that reason that the fewer plugins (and themes) you have, the better.
If you do not need or do not use a plugin or theme, it should be deleted (not just deactivated). The problem with just deactivating is that the files are still live on your server, waiting to be exploited.
In our experience, in a lot of cases, webmasters use plugins to achieve things that could be better achieved elsewhere. For example, let's say you install a plugin to embed Google Analytics code on your website (we have seen this), but you use Cloudflare (a company specialising in website performance and security), you would be better off using Cloudflare Zaraz to embed that code. We do this on the Ethernet Servers website. This takes the load off of your server and moves it into the cloud, which means you have one less plugin to maintain.
Or, perhaps you're using a plugin to take daily backups of your website and store them somewhere on your server (that would usually be in the wp-content directory). Your hosting provider should be taking backups for you, and assuming you've verified this is happening, consider removing your backup plugin and letting the host take care of it. That will also save you disk space, as well as the memory, CPU, and disk I/O required to create the backup.
3. Use an up-to-date version of PHP
WordPress is written in the PHP programming language, though it does also use other languages to bring it all together.
As of writing this post, on 15th April 2025, the latest versions of PHP that are maintained (and get the latest security updates) are: 8.4.6, 8.3.20, 8.2.28, and 8.1.32.
If you're not using one of those versions, you should strongly consider updating as soon as possible, because not only will you get all the latest security updates, but you will likely experience a boost in performance, especially if updating from something like PHP 7.4 to 8.4. Using your preferred search engine, looking up something like "wordpress php benchmarks" will show you the differences between the different versions.
As a hosting company, we very often find that webmasters choose not to update due to their software (i.e. a plugin or theme) not being compatible with a newer version, however, ultimately, security is paramount, and if your plugin or theme doesn't support a version of PHP that is actively developed, you should consider making contact with the developer to ask them to address this. If they refuse to do so, it would be advisable to find an alternative plugin or theme that is kept up-to-date.
You can easily check which version of PHP you're using by navigating to WordPress Admin -> Tools -> Site Health -> Info -> Server.
4. Lock down the admin area to trusted IP space
Perhaps you have a WordPress website, and the only person that needs to log in is yourself.
Or perhaps you use it for your business, and the only people who need to log in are members of your team, either from your office or a company VPN.
In these cases, locking down wp-admin (which is just a redirect to wp-login.php) to trusted IP space might be something to consider, but only if you have a static/fixed IP address that doesn't change (for example, when rebooting your router).
Simply modify the .htaccess file in the directory where WordPress is installed, and add the following, making sure to replace 192.168.1.1 with your IP address:
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 192.168.1.1
</Files>
To add more IP addresses, simply use the following code instead:
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 192.168.1.1
Allow from 192.168.1.2
</Files>
These steps add an extra layer of security that could well prevent unauthorised access to your WordPress administration area.
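As an added example (not code from the original post), a Python helper that validates a list of trusted addresses or CIDR ranges with the standard ipaddress module, renders the <Files wp-login.php> block above from it, and lets you test which client addresses would get through. It also flags entries in RFC 1918 space (the 192.168.1.1 placeholder is one; a visitor over the public internet never arrives from such an address, so list the public IP your connection presents), and renders the Apache 2.4 "Require ip" form, since the Order/Deny/Allow syntax is Apache 2.2 style that 2.4 only honours with mod_access_compat loaded. The sample allowlist is constructed.

```python
import ipaddress

# Constructed sample allowlist (an assumption, not taken from the post).
# Entries may be single addresses or CIDR ranges such as a VPN's egress block.
TRUSTED = ["198.51.100.7", "203.0.113.0/24"]

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_trusted(entries):
    """Validate every entry so a typo raises here rather than producing an
    .htaccess line Apache misreads (and then silently locks everyone out or in)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def lan_only_entries(entries):
    """Entries inside RFC 1918 space, like the post's 192.168.1.1 placeholder.
    A visitor on the public internet never arrives from such an address, so the
    webmaster must list the public IP their connection presents instead."""
    return [str(n) for n in parse_trusted(entries)
            if n.version == 4 and any(n.subnet_of(r) for r in RFC1918)]

def render_htaccess(entries, legacy=True):
    """Render the <Files wp-login.php> block.

    legacy=True gives the Order/Deny/Allow form used in the post (Apache 2.2
    syntax, honoured by Apache 2.4 only when mod_access_compat is loaded).
    legacy=False gives the Apache 2.4 'Require ip' form, where every client
    not listed receives a 403 without a separate deny line.
    """
    nets = parse_trusted(entries)
    shown = [str(n.network_address) if n.num_addresses == 1 else str(n) for n in nets]
    lines = ["<Files wp-login.php>"]
    if legacy:
        lines += ["Order Deny,Allow", "Deny from all"]
        lines += [f"Allow from {s}" for s in shown]
    else:
        lines.append("Require ip " + " ".join(shown))
    lines.append("</Files>")
    return "\n".join(lines) + "\n"

def is_allowed(client_ip, entries):
    """Simulate the decision Apache will make for a given client address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in parse_trusted(entries))

if __name__ == "__main__":
    print(render_htaccess(TRUSTED), render_htaccess(TRUSTED, legacy=False))
    for ip in ("203.0.113.42", "192.0.2.9"):
        print(ip, "allowed" if is_allowed(ip, TRUSTED) else "denied")
```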
5. Use WordPress' Site Health Checker
You may not realise it, but WordPress has a built-in tool which checks for a number (11, to be exact) of potential security issues.
You should consider checking it every so often, via WordPress Admin -> Tools -> Site Health.
In an ideal world, your website will pass all of the security checks.
We hope this guide has been helpful, and that it might make the difference between a lost night's sleep and a good night's sleep - the impacts of a website being hacked can be far-reaching.
Our team are highly experienced when it comes to WordPress, so feel free to get in touch at any time to see what we can do for your website.