Heart Harmony Communications makes marketing easy for small
trade and service businesses. We take the mystery out of online
marketing so they can confidently grow their business.
About Heart Harmony Communications
We help you:
Build your foundations: copywriting and websites for your business.
Grow your client base through online content.
Engage your fans through social media and turn them into
Common WordPress Mistakes & Ways to Reduce Being Hacked
Most start-ups and small businesses choose a WordPress site for their first website. Why? WordPress is the most
popular content management system in the world, and is used by 26.4% of all websites. It is also the fastest
growing system – every 74 seconds a site within the top 10 million sites worldwide starts using WordPress.
In our business we see a LOT of small business websites! Often we upload the web copy or blog posts that we have
written to WordPress websites for our clients, and we see the same mistakes being made over and over with their
Today we will share the top mistakes we see, as well as share some of our favourite plugins. We will also look at
what to do if you get hacked, and point you in the direction of some great companies that can help you with your
small business website.
Number 1 Most Common Problem: Not Updating Stuff
WordPress sites are like any piece of technology – there are regular updates to all of the pieces of your site as
developers find bugs in their code, add new features or close access points to hackers.
There Are a Few Parts to Any WordPress Site
WordPress – This is similar to an operating system such as Microsoft Windows or iOS.
Theme – This is what gives your website a particular look and feel. There are hundreds of thousands of
themes on the market. We favour sites built using Divi or Genesis Themes purely because of the quality of
Child Theme – Some sites have what is called a Child Theme. These contain tweaks that are unique to your
site and sit on top of your main theme. The benefit of this approach is that your main theme can be updated
without wrecking all the special tweaks that make your site look the way it does.
Plugins – These are similar to Apps in a smartphone, and give extra functionality to your site.
It Is YOUR Responsibility to Update Your Site
On any given day, you may find WordPress, your theme or your plugins may have been updated by the developers.
However, these updates are NOT automatically applied to your website. You have to click the update button yourself and watch while the updates install, to make sure they have applied correctly and haven’t created problems with your website.
The number one way that hackers get into sites is through themes and plugins that have not been updated.
Most business owners don’t realise that unless they have bought ongoing maintenance packages with their website
(which is different than a hosting package), then they are personally responsible for doing the updates.
Most web developers do not do regular site maintenance updates for sites they have built. Always assume that YOU
are responsible for keeping your site updated (and be pleasantly surprised if someone else is doing it for you).
Questions to Ask Your Web Developer
If you don’t know who is maintaining and updating your website, first check with your
Ask them, “Are you regularly updating my plugins and theme on my WordPress site for me?” If they say yes, ask them, “How often do you go into my site and run updates?” If their answer is more than every few days, then you need to find a better option.
Also ask your web developer, “Are there any paid themes or plugins that you own the license for? How are they
going to get updated?”
I often see problems when a web developer has paid for a theme or plugin from their own account, and then doesn’t
run the updates for the paid theme or plugin. The small business owner doesn’t know what they don’t know about
their website. They are not aware that many paid themes or plugins only have a limited update term, and then they
are on their own unless the developer pays the licence fee and actively goes in and runs the updates on their behalf
or gets the person to buy their own licence.
A last question to ask your developer relates to the theme itself. If the web developer has tweaked the theme code of
your site to get a particular look or feel, and hasn’t used a child theme, then any theme updates will over-write the
tweaks of the theme and the changes will be lost.
Ask your developer, “If I update the theme, will it break? Have you edited the base code for the theme?”
Web Developer Question Summary:
“Are you regularly updating my plugins and theme on my WordPress site for me?”
“How often do you go into my site and run updates?”
“Are there any paid themes or plugins that you own the license for? How are they going to get updated?”
“If I update the theme, will it break? Have you edited the base code for the theme?”
Read more about other things to ask your web developer in this article: You Have An Exciting new website –
How to Maintain Your Website
You can easily learn to DIY WordPress website maintenance. The best resource I have found for learning to DIY is from MaAnna Stephenson over at BlogAid. Her WP starter videos only cost $1 and are clear, easy to follow and explain what you need to do.
If you want someone to do your WordPress maintenance for you, then companies like WPCurve (Yes, this is an
affiliate link) can proactively manage the updates for you each month, as well as take care of little jobs around your
website for you.
Why Do Problems Occur During WordPress Updates?
You need to be aware that updates can sometimes break websites. Sometimes a
particular function no longer works the way you expect after an update, and sometimes
the whole site can crash.
Why? Remember I mentioned the huge number of themes on the market? WordPress
and plugin developers can’t test each update on every theme before pushing them out.
They test the main ones and hope for the best.
Some of the themes have clean code that is externally audited to ensure minimal bugs
and problems (Divi & Genesis). Other themes are written by enthusiastic amateurs or
well-meaning solo web developers, which means that the code is often less than fantastic and breaks when updates
That’s why the theme you use for your website is important, and you need to ask your web person what theme they
will be using for your site before they launch into building it for you.
The same goes with your plugins. Some plugins have great code – others not so much. If the code is buggy, then
problems can occur with a plugin update.
Then there is the variety of website hosting options and servers out there. Some web hosting companies run on old,
unpatched servers which can create their own raft of problems.
Ways to Minimise Update Problems
Before you click any update button, make sure you first run a full backup of your site.
I also usually pop over to MaAnna Stephenson’s blog and Twitter page to see if she has heard of any problems with
updates, and whether or not to hold off on a particular update.
MaAnna also put me onto the WP Rollback plugin and I install it on all sites we work with. That way, if a plugin goes
feral during an update you can easily roll back to the previous version and get your site back.
I also recommend updating the site in order: WordPress updates always happen first, then the theme, then the
plugins. I also prefer doing plugins one at a time, so I can test the functionality after each update to make sure they
work correctly after the updates.
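Here is that update order written down as a script, so it runs the same way every time. This is an added example rather than anything from this ebook or from the WP Rollback plugin: it uses WP-CLI from the site root, takes the backup first, updates WordPress, then the theme, then each plugin one at a time with a quick check that the home page still loads, and reinstalls the previous plugin version if that check fails. SITE_URL, BACKUP_DIR and the two plugin names used in the preview are assumptions, not values from the ebook.

```shell
#!/bin/sh
# Added example (not the ebook's own script): the update order described above, driven by
# WP-CLI from the site root. Assumptions: WP-CLI is installed, SITE_URL is the public URL,
# BACKUP_DIR is a folder outside the web root, and "wp-content" holds themes and plugins.
set -e

SITE_URL="${SITE_URL:-https://example.com}"   # assumption: where the smoke test looks
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wp}"    # assumption: outside the web root
DRY_RUN="${DRY_RUN:-0}"                        # DRY_RUN=1 prints the plan instead of running it

# run: execute a command, or only print it when previewing.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY: %s\n' "$*"
  else
    "$@"
  fi
}

# smoke_test: after every step the home page must still answer HTTP 200.
smoke_test() {
  if [ "$DRY_RUN" = "1" ]; then
    return 0
  fi
  code=$(curl -s -o /dev/null -w '%{http_code}' "$SITE_URL" || echo 000)
  [ "$code" = "200" ]
}

# backup_first: full backup (database dump plus files) before any update button is pressed.
backup_first() {
  stamp=$(date +%Y%m%d-%H%M%S)
  run mkdir -p "$BACKUP_DIR"
  run wp db export "$BACKUP_DIR/db-$stamp.sql"
  run tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" wp-content
}

# update_plugin: update one plugin, test, and reinstall the previous version if the test fails
# (the command-line equivalent of what the WP Rollback plugin does from the dashboard).
update_plugin() {
  slug="$1"
  if [ "$DRY_RUN" = "1" ]; then
    old_version="OLD"                            # constructed placeholder for previews
  else
    old_version=$(wp plugin get "$slug" --field=version)
  fi
  run wp plugin update "$slug"
  if ! smoke_test; then
    run wp plugin install "$slug" --version="$old_version" --force
    echo "rolled back $slug to $old_version; investigate before continuing" >&2
    return 1                                     # set -e stops the whole run here
  fi
}

# update_site: core first, then the theme, then plugins one at a time.
update_site() {
  backup_first
  run wp core update
  run wp core update-db
  run wp theme update --all
  if [ "$DRY_RUN" = "1" ]; then
    plugins="wordfence wp-rollback"              # constructed sample list for previews
  else
    plugins=$(wp plugin list --update=available --field=name)
  fi
  for slug in $plugins; do
    update_plugin "$slug"
  done
}

# Preview: DRY_RUN=1 RUN_UPDATES=1 sh wp-update.sh    Real run: RUN_UPDATES=1 sh wp-update.sh
if [ -n "${RUN_UPDATES:-}" ]; then
  update_site
fi
```

Run it with DRY_RUN=1 first to see the plan. A real run stops at the first plugin that breaks the site, after putting the old version back, so you know exactly which update caused the problem; that is the whole point of doing plugins one at a time.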
Problem Number 2: Nil or Poor Security
Given WordPress’s popularity, it is a prime target for hackers. If you don’t take action to
actively secure your website, then it is like leaving your house doors and windows
unlocked and open, with all your valuables out on display.
When you combine poor security with unpatched plugins, you are setting out the
welcome mat and actively inviting people to take what they want.
Think I am kidding? You may have heard of the Panama Papers, also known as the
Mossack Fonseca case in the past few weeks. That is where the biggest data breach in
history just happened – all due to an unpatched WordPress slider and poor security.
Every site needs security installed. While there are loads of options out there, at varying levels of cost and
complexity, I use and recommend the paid version of Wordfence. (There is a free version available, but the paid
version has more features and real time protection.)
While no system is perfect and a determined hacker can still get in, Wordfence substantially reduces your risks.
A few notes on your Wordfence setup. It can be quite resource intensive for your site, so here are a few tweaks you may want to consider:
Turn OFF real time live logging (live traffic view).
Make sure you have no other caching plugin running if you are going to use that feature.
Turn two factor authentication ON (paid feature).
Block access to your login page for all countries other than the one you are in (paid feature).
You can safely turn off a few of the alerts so you don’t get bombarded with emails. I turn off the alerts for when an IP address is blocked, when someone with administrator access logs in, and when someone with non-administrator access logs in.
Turn your firewall on.
My rate limiting rules have been tweaked. I use these:
Immediately block fake Google crawlers.
Verified Google gets unlimited access to the site.
If anyone’s requests exceed 240 per minute, then throttle it.
If a crawler’s page views exceed 240 per minute, then throttle it.
If a crawler’s pages not found (404s) exceed 15 per minute, then block it.
If a human’s page views exceed 240 per minute, then block it.
If a human’s pages not found (404s) exceed 15 per minute, then block it.
If 404s for known vulnerabilities exceed 15 per minute, then block it.
I block IPs for a month if they break the rules.
I lock people out after 3 failed login attempts over a 1-day period, and the lockout lasts 60 days.
I immediately lock out invalid usernames.
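The same 15-per-minute and 240-per-minute rules can be checked against your web server’s access log, which is handy when a host only gives you raw logs or when you want to see what Wordfence would have caught. The script below is an added example, not part of this ebook or of Wordfence. It assumes the combined log format that Apache and nginx write by default; the IP addresses, paths and counts in the sample are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not the ebook's or Wordfence's code): the "pages not found exceed 15 per minute"
# and "page views exceed 240 per minute" rules, applied to a web server access log.
# Assumes the combined log format Apache and nginx write by default.
set -e

# scan_access_log [MAX404] [MAXVIEWS]: reads combined-format log lines on stdin and prints one
# line per (IP, minute) that breaks a rule: "block ..." for 404 floods, "throttle ..." for
# view floods. Defaults match the Wordfence numbers above.
scan_access_log() {
  max404="${1:-15}"
  maxviews="${2:-240}"
  awk -v max404="$max404" -v maxviews="$maxviews" '
    # $1 = client IP, $4 = "[10/Oct/2016:13:55:36", $9 = HTTP status
    {
      minute = substr($4, 2, 17)            # "10/Oct/2016:13:55"
      key = $1 " " minute
      views[key]++
    }
    $9 == 404 { notfound[key]++ }
    END {
      for (k in views) {
        if (notfound[k] > max404)
          print "block " k " (" notfound[k] " 404s)"
        else if (views[k] > maxviews)
          print "throttle " k " (" views[k] " views)"
      }
    }' | sort
}

# sample_log: constructed traffic for one minute: a scanner requesting 20 plugin files that do
# not exist, a crawler fetching 250 pages, a visitor following 5 stale links, and normal browsing.
# The addresses are documentation ranges, not real visitors.
sample_log() {
  i=0
  while [ "$i" -lt 20 ]; do
    i=$((i + 1))
    printf '203.0.113.5 - - [10/Oct/2016:13:55:%02d +1000] "GET /wp-content/plugins/probe-%d/readme.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0"\n' "$i" "$i"
  done
  i=0
  while [ "$i" -lt 250 ]; do
    i=$((i + 1))
    printf '192.0.2.77 - - [10/Oct/2016:13:55:%02d +1000] "GET /page-%d/ HTTP/1.1" 200 5120 "-" "SomeBot/1.0"\n' "$((i % 60))" "$i"
  done
  i=0
  while [ "$i" -lt 5 ]; do
    i=$((i + 1))
    printf '198.51.100.7 - - [10/Oct/2016:13:55:%02d +1000] "GET /old-post-%d/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"\n' "$i" "$i"
  done
  printf '192.0.2.9 - - [10/Oct/2016:13:55:30 +1000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"\n'
  printf '192.0.2.9 - - [10/Oct/2016:13:55:41 +1000] "GET /about/ HTTP/1.1" 200 6144 "-" "Mozilla/5.0"\n'
}

# Usage: sample_log | scan_access_log 15 240
#    or: scan_access_log < /var/log/apache2/access.log
```

On the sample, the scanner is flagged for blocking (20 missing plugin files in one minute) and the crawler for throttling (250 pages in one minute), while the visitor with five dead links and the normal browser are left alone. That is the difference the two thresholds are meant to draw: a handful of 404s is a broken link, a flood of them is someone testing which plugins you have installed.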
Other Security Risks
While there is a lot you can do to harden your security, there are a few major risks to address. For full protection, I recommend having a site security audit done to highlight problems with your website setup, servers and other nasties.
Don’t Use Admin as a Username
Most hacking bots start with trying the usernames admin and administration. By not having a username “admin”, you
stop a world of problems.
If you currently have admin as a username, don’t just hit delete as you will lock yourself out. Set up yourself as a
new user with a new email and password first. There is an art to it, so read up on these simple steps from BobWP
on what to do first.
Harden Your Passwords
Don’t use the name of the website as a password, or the name of the person, or the business. Set up strong
passwords, and change them a few times each year.
Delete Old Themes & Plugins
Many sites are filled with old themes that are not in active use, as well as more plugins than Kim Kardashian has
shoes. Just like Ms Kardashian’s shoes, many of the plugins have been tried on and have not been used since the
Think of each plugin and theme as if you have given a key to your house to someone. You want to reduce the
number of keys you have floating around out there, and only hand keys out to people actually staying in your house.
If you are not using a theme or a plugin, delete it to reduce the security risk. You can always reinstall it later if
Delete Old Users
While we are on the subject of tidying up access, delete all non-active admins of your website.
Many sites we see are filled with users with admin access for people who have left the company – often using
private emails rather than company emails. This is just asking for trouble! The day someone leaves your business is the day their admin rights to access your website should be deleted.
This also goes for non-current web developers and virtual assistants!
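To make this clean-up repeatable, here is an added example (not from this ebook) that audits the administrator list with WP-CLI and prints the delete commands for you to check before running any of them. It assumes the CSV column order shown in the comments, that your business email domain is example.com.au, and that jane and va-sam are the people still with you (all constructed). It refuses to suggest deleting anyone until there is a current administrator to hand content to, which is the lock-yourself-out trap mentioned above.

```shell
#!/bin/sh
# Added example (not the ebook's own script): audit administrator accounts with WP-CLI output
# and print clean-up commands for review instead of running them. Assumptions: the CSV columns
# match `wp user list --role=administrator --fields=ID,user_login,user_email,roles --format=csv`;
# the domain and staff logins below are constructed.
set -e

# audit_admins DOMAIN LOGIN...: reads the CSV on stdin. DOMAIN is the company email domain and
# the remaining arguments are the logins of people still in the business.
audit_admins() {
  domain="$1"; shift
  awk -F, -v domain="$domain" -v current=" $* " '
    NR == 1 { next }                                   # skip the CSV header row
    {
      id = $1; login = $2; email = $3
      iscurrent = index(current, " " login " ") > 0
      if (login == "admin") {
        remove[id] = login; why[id] = "default admin username, a standing target for bots"
      } else if (!iscurrent) {
        remove[id] = login; why[id] = "no longer with the business"
      } else {
        if (keep == "") keep = id                      # first current admin inherits orphaned content
        if (email !~ ("@" domain "$"))                 # dots in the domain are left unescaped
          print "warn: " login " is current but uses a private email (" email ")"
      }
    }
    END {
      if (keep == "") {
        print "error: no current administrator to keep; run: wp user create <login> <you@" domain "> --role=administrator, then rerun"
        exit 1
      }
      for (id in remove)
        print "wp user delete " id " --reassign=" keep "   # " remove[id] ": " why[id]
    }' | sort
}

# sample_users: constructed data in the shape `wp user list ... --format=csv` prints.
sample_users() {
  cat <<'EOF'
ID,user_login,user_email,roles
1,admin,owner@gmail.com,administrator
2,jane,jane@example.com.au,administrator
3,olddev,devguy@hotmail.com,administrator
4,va-sam,sam.va@outlook.com,administrator
EOF
}

# Usage with live data:
#   wp user list --role=administrator --fields=ID,user_login,user_email,roles --format=csv \
#     | audit_admins example.com.au jane va-sam
```

On the sample, the script proposes deleting the "admin" account and the old developer, hands their posts and pages to jane, and warns that va-sam is still using a private email address. Run the printed commands only once you have checked every name on the list, and make sure the account you keep is one you can actually log in to.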
Problem Number 3: No Site Backup
There is no substitute for running your own backups for your website. If your site is hacked, if an update goes wrong, or if you simply want to take your site and move it somewhere else, having control over your backups means you can quickly get your site back up and running again.
Most web hosts offer some form of backups, but generally these have limited storage timeframes. In other words,
the backup they may have for your site may only be for your hacked website and not the one that was pre-hack a
few weeks back.
I advise my clients to run their own site backups in addition to whatever their host may or may not do. Vaultpress Lite
is a budget friendly backup option that only costs $55 per year.
Don’t store your backups in the same place as your website. If hackers hit your site, they will also trash your
backups. Keep your backups stored off your hosting – either with the backup company or stored in the cloud with
somewhere like Dropbox.
One more thing, if you run your own backups, you need to know how to restore your site from the backup. Learn this
before an emergency!
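Putting the backup, the off-site copy and the restore drill together, here is an added example; it is not from this ebook or from Vaultpress. It assumes WP-CLI is installed and run from the site root, that wp-content holds your themes, plugins and uploads, that sha256sum is available, and that you have set up an rclone remote named "offsite" (a Dropbox folder, say). The checksum manifest is what lets you confirm the copy that left your hosting is still intact, and verify_backup is the part to practise before you ever need it.

```shell
#!/bin/sh
# Added example (not the ebook's own script): a backup run that keeps copies off the web host
# and a restore drill to practise before an emergency. Assumptions: WP-CLI is installed and run
# from the site root, "wp-content" holds themes, plugins and uploads, sha256sum is available,
# and an rclone remote named "offsite" already exists.
set -e

# write_manifest DIR: record checksums so the copy can be checked after it has left the server.
write_manifest() {
  ( cd "$1" && sha256sum database.sql wp-content.tar.gz > SHA256SUMS )
}

# make_backup DEST: database dump plus a files archive in a timestamped folder; prints the folder.
make_backup() {
  stamp=$(date +%Y%m%d-%H%M%S)
  dir="$1/$stamp"
  mkdir -p "$dir"
  wp db export "$dir/database.sql"
  tar -czf "$dir/wp-content.tar.gz" wp-content
  write_manifest "$dir"
  echo "$dir"
}

# copy_offsite DIR: push the folder to the "offsite" remote (assumption: configured in rclone),
# so a hacked or wiped host does not take the backups with it.
copy_offsite() {
  rclone copy "$1" "offsite:wp-backups/$(basename "$1")"
}

# verify_backup DIR: first step of the restore drill. Fails if a file no longer matches its
# checksum, the archive will not unpack, or the dump holds no table definitions.
verify_backup() {
  dir="$1"
  ( cd "$dir" && sha256sum -c SHA256SUMS > /dev/null ) || return 1
  tar -tzf "$dir/wp-content.tar.gz" > /dev/null || return 1
  grep -q 'CREATE TABLE' "$dir/database.sql" || return 1
}

# restore_backup DIR: the rest of the drill. Practise it on a staging copy of the site,
# never for the first time on the day of an emergency.
restore_backup() {
  dir="$1"
  verify_backup "$dir"
  wp db import "$dir/database.sql"
  tar -xzf "$dir/wp-content.tar.gz"
}

# Usage: dir=$(make_backup /var/backups/wp) && copy_offsite "$dir" && verify_backup "$dir"
```

Schedule make_backup and copy_offsite from cron, and run verify_backup on the off-site copy from time to time: a backup nobody has ever checked is only a hope, not a plan.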
Problem Number 4: No Details
Getting a new website can be exciting and confusing all at once. It is easy to lose the details for your site in a pile of
Trying to reconstruct this information a few years down the track can be frustrating, time consuming and costly.
For each website you own, create a detailed information sheet for your files with logins & key contacts. That way
everything is in the one place.
Having these details will help if something goes wrong with your site, and you manually need to get into the control
panel side from your host (different to your normal WordPress dashboard) to delete or add something.
Doing this now will make your life easier in an emergency. It can also help you identify problems with things not being transferred correctly, such as your domain name ownership.
What To Put In Your Website Information Sheet
Who is your domain name registrar:
URL of the registrar:
Login for your domain name account:
When is it due for renewal:
Who is your website hosting with:
URL of the web host:
Login for your web hosting account:
When is it due for renewal:
Emergency contact details (for if the site goes down or is hacked):
Who hosts your email. (Is it through your hosting or some other place?):
URL of the email host:
Login for your email hosting account:
Login details for all your different email addresses:
When is it due for renewal:
Emergency contact details (for email problems):
Who created your website:
URL of the web developer:
Are you paying for ongoing site maintenance:
When is it due for renewal:
What backups are being run:
Any paid themes or plugins? (What are they and who created them?)
Any login details for paid themes or plugins:
Emergency contact details (for if the site is hacked):
Google analytics details:
Google web console details:
Who wrote the copy for your website:
URL of the web copywriter:
Emergency contact details (if you didn’t have a backup and need a copy of your web words):
Login URL to access your website:
Access to your control panel for your site:
FTP details for your site:
Problem Number 5: Hacking
Having a site hacked is horrible on so many levels.
On a personal level, it feels as emotionally draining as being burgled.
On a business level it can affect your leads into your business while you get the hacking
dealt with and your site restored.
It can also cost a small fortune in remedying the problem, which can often extend far
beyond sorting out your website.
Site hacks can filter into your whole business, so you may need to find ways to decrypt all your business emails and files (which may or may not include paying a ransom to the hackers), and sort out liabilities for privacy breaches.
Liabilities can really add to the fixing cost. Remember, the Panama Papers started with a hacked website, which
then led to all the emails and files being accessed for the law firm. They are likely to be the subject of lengthy and
expensive court cases. To give you some idea of the scale, ChoicePoint had to pay $10 million in penalties and $5
million to consumers for their data hack!
That’s why many businesses are investing in cyber-insurance to cover costs associated with fixing the breach and
dealing with any liabilities arising from the problem. Talk with a good insurance broker to find out more information.
On a search engine level, being hacked can tank your rankings in Google (often Google is your first warning you
have been hacked). Your rankings can take a while to recover after you have been hacked, and you need to take
action to proactively communicate with Google after resolving your hacking.
On an email level, if your site is used to send out spam emails, your email, server and website can be blacklisted.
This means that you will need to fix the problem, and then go email provider by email provider to have your
blacklisting removed, otherwise none of your emails for your business will get through the spam filters.
Even if you have regularly updated your site and run security, you can STILL be hacked. The difference is how fast
you can fix the problem and get functioning again.
Wordfence has a great article on how to know if your site has been hacked. Google also has some useful
information to help you if your website has been hacked as does WordPress.
What to do if your site has been hacked
1. Get your Website Information Sheet. You are going to need ALL of that information to fix your site.
2. Check your backups. Check that you can access your backups before you call your host. The reason is that
some hosts have been known to delete entire hacked sites without warning to stop problems spreading
across their network.
3. Call your web host. Your host will need to check if anyone else on the server has been compromised and
may help with some early troubleshooting.
4. Call in the experts. Most hack recovery is beyond the skill set of small businesses (… and most web
developers if truth be told). Contact BlogAid for a referral to an expert, or you can also contact Wordfence to
clean and fix your site for you.
Keep your WordPress site, themes and plugins regularly updated.
Check if your web developer is doing the updates for you (most are not).
Learn how to DIY WordPress updates (BlogAid)
If you are not personally updating your site, hire someone who will do it for you (WPCurve).
Install the WP Rollback plugin on your site.
Backup your site before running any site updates.
Back up WordPress, then themes, then plugins.
Install Wordfence security (paid option).
Configure Wordfence for greater control.
Take regular backups of your site and store the backups off site (Vaultpress Lite).
Delete plugins and themes you are not currently using.
Delete users with admin access who are not current in your business.
Put together an information sheet about your website with all your site details and contacts.
If hacked, check your information sheet and your backups before calling your host and then calling in the
experts to fix the problem.
Consider getting Cyber Insurance for your business.
Some Last Thoughts
Maintaining your website, like many other parts of running a business, takes time and
practice to refine.
Delegate responsibility to one particular team member to do the weekly maintenance,
and ensure that you have time allocated to the task. Security is something that you can't
If you need a hand maintaining your website or learning how to do it properly, drop me
an email at firstname.lastname@example.org or call me on +61 7 3351 8844. Together we will
make your business grow!
Thanks for reading!
If you found this ebook useful, please click on
one of these icons to share it with your
friends on social media.