Protecting Your Website Against Hackers is not Enough – See What Other Steps You Should Take

Get your FREE WordPress Troubleshooting Guide – see how to fix most WordPress problems!

Stop Security SignI’ve written several times about steps you can take to strengthen your WordPress website against hackers – you can find the articles here.

But strengthening your WordPress site itself is not enough. You need to consider everything you do online, starting with your own computer.

The two most successful types of attacks on WordPress websites are through gaining access to the admin area and exploiting out of date software (plugins, themes or the WordPress core).

So let’s look a bit more closely at those two areas.

Gaining access to the WordPress admin area

I talked extensively about usernames and passwords both here and here – so I’m not going to cover those again.

But let’s look at the ways a hacker could gain access to your WordPress admin area, even if you have set up complex usernames and passwords:

Your computer is infected

Next to your website, your computer is the most important thing to secure. Some would say before your website!

Your computer can become infected with malware in any number of ways, but the most common are:

  • By visiting a website that has been hacked and which plants malware on your machine
  • As a result of a phishing attack
  • By installing an unsafe program or application (that plants malware on your machine)

If the malware that’s installed is a key logger, the hacker then has access to every username and password, however long and complex they are, that you use to log in to all of your accounts.

Everything you type into your computer is faithfully recorded and passed back to the hacker whenever your computer is online.

That includes the access details not only for your WordPress admin area, but for your online banking accounts, your insurance accounts, your social media accounts, your email accounts, your web hosting cPanel account, your website’s FTP account – and as many other accounts as you log in to.

So keeping your computer clean (free of malware) has to be the starting point.

I use a full (paid) internet security application, not just the free anti-virus version. This is because it offers a firewall, spam protection, protection against phishing, protection against visiting hacked websites and it prevents personal information from leaving my computer.

In addition to that real time protection, I also do weekly full scans of my machine for malware using herdProtect – an excellent free service.

I set up the scans on a schedule so they run automatically, and I do the same with my internet security application.

Yet you still have to be vigilant.

I came within a whisker of being hacked recently – here’s what happened:

I had ordered some stuff online from a site which I use every month. The site is well known, trusted and completely safe. However, on this occasion my goods didn’t arrive.

After 5 days I emailed the company to let them know my stuff hadn’t arrived and a day or so later received an email with the subject line ‘Delivery Status’.

As I was expecting a response to my email complaining of a delivery failure, I opened it.

The message said that they had attached a file showing the delivery status of my goods, which I downloaded onto my machine. It was a zip file (which should have been a warning!) and when I opened it I saw that the file I was about to unzip was a JavaScript file (.js).

I knew that was wrong – it should have been a PDF file. (JavaScript is a common language that works within your browser to achieve interactivity on websites you visit – but it can also do bad stuff if that’s what the programmer wants)

So I didn’t unzip it. I went back to the email intending to reply to the company that the attached file did not help and that’s when I noticed that the email came from a completely different email address.

Had I unzipped that file, my machine would have become infected – and I was literally a click away from doing so.

I consider myself to be pretty careful about security but I nearly got caught out that time – you have to be eternally vigilant..!

Phishing attacks

Phishing attacks are where you receive emails from institutions that you use that look totally authentic. They explain that your account has been hacked and, therefore, closed.

In order to reactivate it you are told to log in to it through the link in the email.

Needless to say, your account has not been hacked. Clicking the link and typing in your username and password simply passes those details to the hacker, who then has access to that account.

Worse still, if you use the same password on multiple accounts, they will have access to all of them.

A good internet security application stops most of these emails, but some still get through and, if you’re not being vigilant, you can end up giving your log in details to the bad guys.

Keeping your computer clean is fundamental to keeping your website clean – but there are any number of ways in which it can be infected with malware.

So use a full featured internet security application, be very careful about programs and applications that you install and scan your computer for malware at least once a week

And remember that you must always remain vigilant.

Not using SFTP when accessing your server

SFTP stands for ‘Secure File Transfer Protocol’ – which encrypts your connection between your computer and your server.

If you use plain FTP, your log in details are passed along in clear – anyone who is snooping on your connection can read them.

And if you access your server while sitting in a coffee shop, on an open WiFi connection, it is a piece of cake for a bad guy to be scanning the connections and pick up your username and password.

And, again, it doesn’t matter how long and complex they are.

Once the bad guys have your FTP access details they can log in to your server and your website is then entirely at their mercy.

So use SFTP to access your server – it’s easy enough to do, although some web hosting companies don’t support it. I moved away from the first hosting provider I ever used as soon as I discovered the importance of using SFTP and the fact that they did not support it.

Setting up SFTP is simply a case of selecting it as a connection option when you set up your access details in your FTP client (FileZilla or similar).

As an additional precaution, I also use a VPN whenever I’m accessing any of my accounts on a public network. VPNs also encrypt your connection with the Internet, so they form an extra layer of protection.

Just following those two steps – keeping your computer free of malware and connecting to your server via SFTP – will strengthen the protection of your WordPress site.

Exploits of outdated software

WordPress now powers more than 25% of the world’s websites – a fact that makes it a favoured target of hackers simply because the ‘market’ is so large.

And there are literally millions of those WordPress websites that are running out-of-date plugins, themes or the WordPress core.

The WordPress project is highly focused on security, and updates to the core, themes or plugins are issued on a regular basis.

On some of the larger (more complex) sites that I manage there are 20 or more updates released in a month to plugins, themes or WordPress itself – most of which are to patch security holes.

And yet many is the time when I look at the admin area of a WordPress site for the first time (when someone is asking for help with a problem) that I see startling numbers of updates waiting to be installed. I think the highest I can remember was 18.

This is like a great big green light to the hackers!

I can only repeat what I said up-front:

Most of the successful hacking attacks on WordPress websites are successful either because the hackers gained access to the admin area or because they exploited out of date software.


Very simple:

  • Keep your computer free of malware
  • Use SFTP and a VPN when connecting to your server – especially in coffee shops
  • Stay vigilant
  • Keep your software up to date

For more information on WordPress security and the service we offer to protect your site, please:


Martin Malden

About the author: Martin Malden owns Abledragon, a WordPress agency that was established in 2009. Today it serves customers in Hong Kong, Australia and the UK. Abledragon websites are built for today’s Internet, with the mobile user in mind, and are known for security and speed. Successful Abledragon projects.