When You're Hacked in WordPress: Staying Safe Later On

This post is part of a series called When You're Hacked in WordPress.

In the first part of this series, we went through what to do when your website gets hacked. In this second part, we're going to learn about staying safe and being able to act quickly when another unpleasant incident happens.

The Age-Old Question: Is WordPress Safe?

Apparently this question never gets old, and people always approach WordPress with skepticism when it comes to security.

WordPress is safe. There are tens, maybe hundreds of thousands of developers caring for WordPress's well-being, and they're constantly patching the system to keep it safe. For even more secure websites, there are free and commercial security plugins handling attacks that regular websites shouldn't have to face at all.

But WordPress is not 100% safe. Why? The same reason that scientists are slowly succeeding in reading and even overwriting your thoughts: No system in the world is 100% safe. Of course those evil hackers will find yet another security flaw in the core of WordPress; that's only natural. That's where the developer community's value comes out, as I said earlier. But even a community like WordPress's can't prevent future vulnerabilities.

And even if they do, even if WordPress becomes the first system that's 100% secure, that doesn't necessarily mean your website's safe either. Your WordPress version may be up to date, but your hosting provider might forget to update cPanel or even PHP, or a zero-day vulnerability might come up in MySQL or your server's Linux distribution.

Or, you know what, your own computer's OS isn't 100% safe either. (Yes, I'm looking at you, Yosemite!) Your computer (or phone, or tablet) might get infected by a trojan and hand your passwords to the hackers on a silver platter. You can't disconnect your server or your computer, and you can't put a tinfoil hat over your head, so don't rely on how safe WordPress is.

But WordPress is safe, and you shouldn't worry about that. What you should worry about is what you're going to do if you rely on WordPress or your hosting provider or your computer or even yourself. The only important things to do are to take precautions to make your website safer and to be able to act quickly to get it back on its feet when it gets hacked.

How to Secure Your WordPress Website

As I said, no system can offer 100% security, including WordPress. But there's no reason why you shouldn't bump that 99% to 99.5%, right? Plus, a lack of common sense could make that percentage steeply drop. That's why in this section, we're going to go through how to be safe while using WordPress.

Staying Up to Date

"Seriously?", I hear you saying. Yes, staying up to date is probably the most obvious tip on security, I agree. But there's a reason that every single security-related article about WordPress includes a section on staying updated: People forget to update. Seriously.

There's no shame in forgetting things, but you should know that not staying up to date makes you a sitting duck for hackers. When you forget to update WordPress or your themes and plugins, you basically refuse the patching of security vulnerabilities and agree to be a volunteer target for newbie (n00b) hackers.

WordPress introduced automatic updates for minor releases (like 4.0.1 to 4.0.2, not 4.1 to 4.2), but patching the core isn't always enough. Be sure to update your plugins and themes (and core on major updates) as soon as they're released.

Using Safe Plugins & Themes

As I said in the previous part of this series, a security hole in one of the plugins I used had let a hacker run a shell script on my server. Just like in this example, poorly coded plugins or even themes can create security holes on your website.

So, how do you choose "safe" plugins and themes? Well, think of it this way: The more popular a piece of software gets, the more its developers are motivated to improve it. So, choosing popular WordPress plugins and themes may be logical. There is, of course, the possibility of a popular plugin having a major security vulnerability, but its developers will be more responsive to patching it than the developers of less popular plugins.

If you find a plugin or theme that isn't very popular and you must use it, then you should at least check the background of its developer(s). If they seem professional to you, it's also more logical to trust them, compared to blindly installing any plugin you see.

And if you know how to read code, it's always the best option to go check the code yourself.

Removing Unnecessary Plugins & Themes

There isn't much to say about this one, really: Since any plugin or theme has a chance of having a security vulnerability (it doesn't matter whether it's up to date or not), it's yet another logical option to remove unused or unnecessary plugins and themes to lower risks.

Check your plugins list and see which ones are absolutely necessary and which ones you can live without; then remove all the ones you can live without, including the ones that are deactivated but that you may use one day. Likewise, remove themes and child themes that aren't in use.
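
One way to act on the update and removal advice above, as an added example that is not part of the original post: a shell function that reads the CSV inventory printed by WP-CLI and lists what to update and what to remove. It assumes WP-CLI is installed on the server; the `WP_PATH` variable, the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn WP-CLI inventory output into an update/removal to-do list.
# Expected input (stdin): CSV with the columns name,status,update,version, e.g.
#   wp plugin list --fields=name,status,update,version --format=csv

# audit_inventory KIND
# Prints one finding per line: "<ACTION> <kind> <name> <installed version>".
audit_inventory() {
    kind=$1
    awk -F, -v kind="$kind" '
        NR == 1 { next }    # skip the CSV header row
        # Inactive items are removal candidates; no point updating them first.
        $2 == "inactive"  { print "REMOVE", kind, $1, $4; next }
        # Anything still in use (active, parent theme, must-use) with a pending update.
        $3 == "available" { print "UPDATE", kind, $1, $4 }
    '
}

# Constructed sample inventory (not taken from a real site).
sample_plugins() {
    cat <<'EOF'
name,status,update,version
contact-form,active,available,1.2.0
old-slider,inactive,none,0.9.1
seo-helper,active,none,3.4.2
gallery-lite,inactive,available,2.0.0
EOF
}

# WP_PATH is a hypothetical variable for this example: set it to the
# WordPress directory to audit a live site, leave it unset to run the sample.
if [ -n "${WP_PATH:-}" ]; then
    wp --path="$WP_PATH" plugin list --fields=name,status,update,version --format=csv |
        audit_inventory plugin
    wp --path="$WP_PATH" theme list --fields=name,status,update,version --format=csv |
        audit_inventory theme
else
    sample_plugins | audit_inventory plugin
fi
```

A theme whose status is `parent` is reported only when it has a pending update, because the active child theme depends on it.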

Using a Security-Related WordPress Plugin

To maximize server compatibility, WordPress sometimes refrains from adding some features, and those features include security optimizations for certain server types. That's where security plugins come in handy: They allow you to maximize your website's security through their many, many options.

There are four "big" players in the WordPress security plugins ecosystem: Wordfence, Bulletproof Security, iThemes Security (formerly known as Better WP Security) and Sucuri Security. They all are really high-end products, and they have so many options that reviewing and comparing these plugins to each other would make us drift away from the "staying safe in WordPress" topic. My advice is, read all of their descriptions carefully, compare them to each other (they all have premium versions, so compare them as well if you want to buy one), and decide on one (or maybe two) of them.

And remember: These plugins are mostly for experienced users who know how servers work and basically know what the plugins' options really do. (That's another security measure: Don't play with things you don't fully understand.) If you know what to do with these plugins, don't hesitate to at least try one or two of them.

Note: Sucuri has a great post on the WordPress security plugin ecosystem, so be sure to check it out.

Choosing a Good Hosting Provider

There isn't much to say about this either: A secure host is as important as a secure WordPress installation. Be sure to research good hosting providers which update their systems regularly, offer additional protection options, and have decent technical support teams.


Security is a deadly issue on everything (including your house, your smartphone, your country and WordPress) and you can't argue against that. That's why you need to keep it tight to make your WordPress website stay secure. In this series, I shared two things with you: a plan to deal with a hacked website, and the precautions to take after (and before) your website gets hacked. I hope you enjoyed reading it as much as I enjoyed writing it.

What's your take on this topic? Tell us what you think by commenting below. And if you liked this series, don't forget to share the articles with your friends!