Website Security Quiz

The hackers are becoming ever more sophisticated, and hacking is one of the few real growth industries around today (sad though that is).

This security quiz is fun and will only take you a couple of minutes to complete. When you click the ‘Finish’ button at the end, your results will be displayed: correct ones framed in green, incorrect ones in red along with the correct answer and an explanation.

It also gives you some good pointers and, where appropriate, links to more in-depth articles.

Let’s play!



#1. Do you back up your WordPress website – everything, not just the database?

You should back it up! Having a clean full-site backup is the quickest and cleanest way to restore your website if it’s hacked or damaged.

#2. If you run backups are they scheduled to run regularly?

Not only should you back up your website, you should set it to back up on a regular schedule.

After all, the software on your site is being updated all the time (or it should be!), so even if you don’t make any changes to your content you still need to capture updated software in your backups so that when you restore your site it is restored with current software.

#3. How often is your website backed up?

A busy site, with regular content updates, should be backed up once a day, but if you’re making no content updates then a schedule of once a week is OK. The interval between backups should never be longer than a week, though!

You can set backups to run on a schedule, and be automatically downloaded to Dropbox, Google Drive or other cloud storage accounts, with plugins like BackupBuddy.

#4. Where are your website backups stored?

Your backups should not be stored on the server that hosts your website.

This is because if the site is hacked the hackers can also hack your backups. Also, if your server completely melted down, or was wiped out by a natural disaster, you would lose your backups.

You can run regular scheduled backups and have them sent automatically to storage accounts like Dropbox or Google Drive (and others) with a reliable backup plugin such as BackupBuddy.

#5. Have you practiced restoring your website?

It’s a good idea to practice restoring your website.

When a website is hacked most site owners feel awful – violated, confused and angry. When your mind is in this state it’s more difficult to remember everything that you need to do, so knowing how to restore your site quickly takes one of those worries away.

#6. Where do you find plugins to install?

You should only ever install plugins from the WordPress repository or paid plugins from a reputable developer.

A couple of things to remember here:

  1. Plugins are by far the biggest source of hacked WordPress websites.
  2. When you install a plugin on your site you are effectively making a contract with the plugin author that they are not going to corrupt your site and will deliver the functionality that they promise.

Because of those two things, you should only install plugins from trusted sources, and the most trusted sources are the WordPress repository or a reputable developer of paid plugins.

#7. How often do you check your site for updates (plugins, theme and WordPress itself)?

You really need to check your website for software updates once a day.

90% of plugin (and theme) updates are done to plug security vulnerabilities. Leaving an unpatched plugin on your site for any length of time is an invitation to the hackers to exploit the vulnerability by hacking your website.

If you don’t have the time to check each of your sites every day we may be able to help – see our WordPress Software Maintenance Plan.

#8. Do you have inactive plugins on your website?

If you’re not using a plugin you really need to delete it.

One often overlooked element of securing a website is to minimise the site’s code footprint. The less code there is on a website, the smaller the target for hackers to attack, so removing code that you’re not using (an inactive plugin!) is good security practice.

#9. Do you use 2 Factor Authentication (2FA)?

Two Factor Authentication (2FA) makes a huge improvement to the security of your website.

2FA validates your login using something you know (your password) and something you have (a device displaying a one-time code).

If you don’t use 2FA I strongly recommend setting it up – it’s easy enough to do and it will greatly strengthen your site’s defences!

Information on Two Factor Authentication.

#10. How many Administrator level user accounts are there on your site?

There should definitely be only one Administrator level user account on your website!

This follows the principle of least privilege. The Administrator account lets the account owner do whatever they want with the website, so if a hacker gets control of the Administrator account on your website it’s all over bar the shouting.

Again, you want to give the hacker the smallest possible target, so only have one Administrator level user account on each website.

There can be occasions where, because of the functions the site owner needs to use, there has to be more than one Administrator account. If you face this situation you should manually restrict the screens that the other Administrator account holders can access by adding a hook in the theme’s functions.php file.

If you need to do this get in touch and I’ll show you how.
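As an added illustration of the functions.php approach (this is not the quiz author’s code), the snippet below hides a set of sensitive admin screens from every Administrator other than the primary one and also blocks direct requests to them, since hiding a menu entry alone does not prevent access by URL. The primary account’s login name (`site-owner`) and the list of restricted screens are assumptions to adapt to your site.

```php
<?php
// Added example, not from the quiz: limit secondary Administrator accounts
// to a reduced set of admin screens. Place in the active theme's functions.php.

// Assumption: the primary (unrestricted) Administrator's login name.
define( 'EXAMPLE_PRIMARY_ADMIN_LOGIN', 'site-owner' );

// Top-level admin screens reserved for the primary Administrator (assumed list).
// Plugins, themes, users and settings are where a compromised account does the most damage.
function example_restricted_screens() {
    return array( 'plugins.php', 'themes.php', 'users.php', 'options-general.php', 'tools.php' );
}

// True for any logged-in Administrator who is not the primary one.
function example_is_secondary_admin() {
    $user = wp_get_current_user();
    return in_array( 'administrator', (array) $user->roles, true )
        && $user->user_login !== EXAMPLE_PRIMARY_ADMIN_LOGIN;
}

// 1. Remove the restricted entries from the left-hand admin menu.
//    Late priority so plugins have already registered their menus.
add_action( 'admin_menu', function () {
    if ( ! example_is_secondary_admin() ) {
        return;
    }
    foreach ( example_restricted_screens() as $screen ) {
        remove_menu_page( $screen );
    }
}, 999 );

// 2. Hiding the menu is cosmetic; also refuse direct requests such as
//    /wp-admin/plugins.php from secondary Administrators.
add_action( 'admin_init', function () {
    if ( ! example_is_secondary_admin() ) {
        return;
    }
    global $pagenow; // e.g. 'plugins.php' for the current admin request
    if ( in_array( $pagenow, example_restricted_screens(), true ) ) {
        wp_die( 'This screen is reserved for the primary administrator.', 403 );
    }
} );
```

Note that this only covers the top-level screens listed; sub-screens such as options-writing.php would need adding to the list, and where the extra accounts do not truly need Administrator rights, giving them a lesser role is the cleaner fix.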

#11. Do you use a comprehensive security plugin (like Wordfence or iThemes Security)?

I would definitely recommend a comprehensive security plugin.

These plugins are developed by people who know WordPress extremely well and they include safe-guards and protections that reach into every corner of the website.

This is the security plugin I use.

#12. Is your username ‘admin’?

The hackers all know that the default username for the Administrator level user accounts on WordPress websites is ‘admin’.

You should definitely create a new Administrator level user account, with a different user name, and delete the default user account with the username ‘admin’.

This should be the first security step you take!

#13. What password do you use?

You should definitely be using a unique password, with at least 12 characters.

The strength of a password is directly linked to the length of it. The longer the password, the more secure it is.

This article explains why that is.

#14. Do you use the same password on different accounts?

If you use the same password on more than one account, then it’s no longer secure – however long and secure it may have been to start with.

And that opens up serious exposure for you personally.

This article explains why.

#15. Do you use a password manager?

A password manager remembers the login URLs, usernames and passwords for all your accounts and logs you in with one click.

Most importantly, it will find duplicated passwords and create unique random passwords for you. The only password you need to remember is the master password for the password manager.

For me, a password manager is one of the safest things you can use online.

Full details here.

#16. Which type of hosting company do you use?

The server on which your website is hosted has an enormous impact on your site’s performance and its security.

A hosting company that fully understands WordPress, and supports it, will have security built into its server environment that protects the sites it hosts from server-related hacks and other risks such as cross-site contamination.

They will also ensure that the server software is up to date and that vulnerabilities are patched as soon as patches are released.

This is often not the case with free or cheap hosting.

I strongly recommend using a hosting company that fully supports WordPress.