Every day, droves of WordPress websites hit the internet. And every day, creeps on the internet hit back. Hacked websites are common, regardless of platform, though many of the fallen got there because they did not know the appropriate precautions to take.

I’ve been designing and building WordPress websites for government and private clients since 2009. Around that time, a primary concern was security because so many WordPress websites seemed to be getting hacked. I commissioned a brilliant Australian programmer to create a plugin that would aid in spotting weaknesses and could then suggest some remediation. For less than $5,000.00 US, this programmer built a solid plugin that ended up educating me on best practices. Along with my ongoing literature review, it changed my implementation and maintenance strategy just by showing me where problems existed. I released the plugin as a freebie to the WordPress Plugin repository but never updated it. Better, more powerful plugins were on the rise, and my interests lay in creating websites for clients, not becoming a WordPress security company. But now I wonder if there is a difference, and if there is, should there be?

Here’s a common theme among the websites I’ve rescued after a hack has taken place:

  1. The web host doesn’t allow moving wp-config.php out of the WordPress install directory.
  2. The web host restricts security-focused plugins or disallows them entirely.
  3. The web hosting and the e-mail hosting are on the same server. When the e-mail system gets hacked, the website is next. 
  4. The websites were installed in multiple subdirectories without any consideration for security. This allowed the attacks to traverse the directory structure and infect multiple websites. 
  5. The web designer thought the hosting company was responsible for their website’s security (partially true). 
  6. The web designer is unfamiliar with WordPress security best-practices, believing such things to be the domain of an IT company. 
  7. Without exception, none of these clients asked about their web designer’s background in building secure WordPress websites or other cyber-security background they might possess. 
  8. Multiple people have the admin login credentials, but nobody has a list of who those people are. 
  9. A complete reliance on the web host’s backups to restore their website, which limits how far back we can go to get clean files. 
  10. Severely outdated plugins and themes that aided the attacker.

Of these items, #5 and #6 could be considered the root causes of everything else. WordPress professionals that don’t understand their role in building and keeping a website secure, and the ongoing expense of doing so, are putting their client’s website and reputation at risk. 

Making a 100% hack-proof website isn’t the goal, since hacking is an evolutionary practice. However, it is possible to make your website less attractive to hackers so that they move on to less secure targets. The next time you are shopping for a WordPress expert, make sure to ask about their skills with building and maintaining secure websites.