Most breaches aren't sophisticated
The majority of website compromises don't involve a skilled attacker targeting a specific site. They involve automated tools scanning the internet for known vulnerabilities — an outdated plugin, a weak password, an unpatched piece of software — and exploiting whatever they find. The practical upshot is that basic hygiene prevents most of the risk most sites actually face.
Keep everything updated, especially WordPress plugins
If your site runs WordPress, plugins and themes are the most common entry point for automated attacks, because vulnerabilities in popular plugins are widely documented once discovered. Updating promptly — ideally within days of a security release, not months — closes that window before it can be exploited at scale.
The same applies to the core CMS itself and to any other application installed through Softaculous. Leaving 'update available' notices unaddressed for months is one of the single biggest avoidable risks on a website.
Passwords and access
Reused or weak passwords remain one of the most common causes of account compromise, both for your hosting control panel and for admin accounts on the site itself. A password manager generating a unique, long password for each login removes the temptation to reuse one across services.
Where two-factor authentication is available — on your hosting account, domain registrar, and WordPress admin login — turning it on is a small amount of friction for a significant increase in protection, since a leaked password alone is no longer enough to gain access.
Backups: the thing you hope you never need
No security measure is perfect, which is why backups matter as much as prevention. A working, tested, recent backup turns a potential disaster into an inconvenience — restore the last clean version and move on. Check not just that backups are running, but that you know how to actually restore one before you need to under pressure.
A short list that covers most of it
- Update WordPress core, themes, and plugins promptly rather than batching updates for 'later'.
- Use unique, long passwords and enable two-factor authentication wherever it's offered.
- Keep automated backups running and periodically confirm they can actually be restored.
- Remove plugins and themes you're not actively using rather than leaving them dormant and unpatched.
- Use an SSL certificate on every site, not just ones that handle payments.
Discussion is coming soon. In the meantime, if you have a question about this article, get in touch or open a ticket from your client area.