WordPress security basics for South African small businesses

WordPress powers around 43% of all websites. That makes it the most targeted platform on the internet by a significant margin. Automated bots run constantly, scanning for outdated plugins, weak passwords and known vulnerabilities.

Your site is not too small to be worth targeting. Most attacks are automated and completely indiscriminate.

Update everything, consistently

Most WordPress security breaches happen through vulnerabilities in outdated plugins. When a security patch is released, the vulnerability it fixes is documented publicly. If your site is still running the old version, it is a known target.

WordPress core, all active plugins and your theme should be updated promptly when new versions are available. Test on staging if you can, or make sure you have a current backup before updating anything.
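One practical way to keep on top of this is to let a script tell you what is pending, rather than waiting until you next log in to the dashboard. The script below is an added example, not part of this article and not part of WP-CLI itself: it parses the CSV that the wp plugin list command prints and reports every plugin with an update available. The plugin names and version numbers in it are constructed sample data, and the audit_live_site helper (a hypothetical name) assumes WP-CLI is installed and that it is run from the WordPress root directory.

```sh
#!/bin/sh
# Added example, not from the original article or from WP-CLI: list plugins with
# pending updates from `wp plugin list --format=csv` output.
# Assumes WP-CLI is installed and the live audit runs from the WordPress root.

# Constructed sample of what
#   wp plugin list --format=csv --fields=name,status,update,version,update_version
# prints. The names and versions here are made up for the example.
SAMPLE_PLUGIN_LIST='name,status,update,version,update_version
akismet,active,none,5.3,
contact-form-7,active,available,5.7.2,5.9.8
woocommerce,active,available,8.0.0,9.1.2
hello,inactive,none,1.7.2,'

# Read the CSV on stdin and print "name current -> new" for each plugin whose
# update column says "available". Inactive plugins are listed too so nothing is missed.
list_outdated() {
    awk -F, 'NR > 1 && $3 == "available" { printf "%s %s -> %s\n", $1, $4, $5 }'
}

# Number of plugins needing an update, as a bare integer (useful for a cron alert).
count_outdated() {
    list_outdated | wc -l | tr -d ' '
}

# Run the real command on a live site (hypothetical helper; needs WP-CLI).
audit_live_site() {
    wp plugin list --format=csv --fields=name,status,update,version,update_version | list_outdated
}

# Demo against the constructed sample.
printf '%s\n' "$SAMPLE_PLUGIN_LIST" | list_outdated
echo "$(printf '%s\n' "$SAMPLE_PLUGIN_LIST" | count_outdated) plugin(s) need updating"
```

The same fields work for wp theme list, and wp core check-update covers WordPress itself, so a nightly cron job that runs all three and emails you when the count is not zero gives you the prompt you need without relying on remembering to check.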

Use strong, unique passwords

The WordPress admin login is a common target for brute-force attacks. A simple password (or one you have reused from somewhere else) is a meaningful risk. Use a password manager to generate and store something long and random.

Change the default admin username if you are still using “admin”. It is one of the first things brute-force scripts try.

Enable two-factor authentication

Two-factor authentication (2FA) means that even if someone gets your password, they cannot log in without a second verification step. Plugins like WP 2FA or Wordfence make this straightforward to set up.

Enable it for all administrator accounts, not just your own.

Limit login attempts

By default, WordPress allows unlimited login attempts. A plugin like Limit Login Attempts Reloaded or the brute-force protection in Wordfence will lock out an IP address after a set number of failed attempts.
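The plugins do this inside WordPress, but you can see the same signal in your web server's access log: a failed login is a POST to wp-login.php that gets a 200 (the form is shown again), while a successful one is redirected with a 302. The script below is an added example, not part of this article or of any of the plugins named above. It counts failed login POSTs per IP address over constructed sample log lines (the addresses and timestamps are made up) and flags any address that reaches the threshold you pass in, which is what a lockout plugin decides on.

```sh
#!/bin/sh
# Added example, not from the original article or from any plugin: flag IP
# addresses that hit the failed-login threshold in a combined-format access log.
# Assumes Apache/Nginx combined log format and the WordPress behaviour that a
# failed login renders the form again (200) while success redirects (302).

# Constructed sample log lines; addresses come from the documentation ranges.
SAMPLE_ACCESS_LOG='203.0.113.5 - - [10/Mar/2024:08:01:12 +0200] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:08:01:13 +0200] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:08:01:14 +0200] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:08:01:15 +0200] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:08:01:16 +0200] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:08:01:17 +0200] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:05:40 +0200] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:05:58 +0200] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:06:10 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read log lines on stdin; print "ip count" for every address whose number of
# failed login POSTs is at or above the limit. A GET of the form and a 302
# (successful login) are not counted.
flag_bruteforce() {              # $1 = failed attempts that trigger a lockout
    awk -v limit="$1" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    '
}

# Demo: the same limit a lockout plugin might use.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | flag_bruteforce 5
```

On a real server you would feed it the live log (for example tail -n 10000 of the access log) from cron; an address that keeps appearing after the plugin has locked it out is worth a firewall rule at your host rather than just another lockout.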

Run a security plugin

Wordfence and Sucuri are the two most widely used WordPress security plugins. Both include a web application firewall, malware scanning and login protection. The free versions cover most of the basics for a small business site.

Keep backups off-site

A backup stored on the same server as your site is not a real backup. If the server is compromised, the backup is compromised too. Use a plugin like UpdraftPlus or BackupBuddy to send backups to a separate location: Google Drive, Dropbox or an S3 bucket.

Test your restore process at least once. A backup you have never tested restoring is a backup you do not know works.
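Testing a restore does not have to mean touching the live site. The script below is an added example, not part of this article or of any backup plugin: it archives a small constructed stand-in for a WordPress directory, restores the archive into a separate folder and proves the two trees match file for file by comparing checksums. It assumes a POSIX shell with tar, find and cksum; the file contents are made up, and a real backup would also need the database (wp db export with WP-CLI, or your plugin's database option).

```sh
#!/bin/sh
# Added example, not from the original article or any backup plugin: back up a
# directory, restore it elsewhere and verify the restored copy is identical.
# Assumes POSIX tar, find and cksum. The site tree built here is constructed.

make_sample_site() {             # $1 = directory to populate with sample files
    mkdir -p "$1/wp-content/uploads/2024" "$1/wp-content/plugins/demo"
    printf '<?php // constructed sample config\n' > "$1/wp-config.php"
    printf 'constructed plugin code\n' > "$1/wp-content/plugins/demo/demo.php"
    printf 'constructed image bytes\n' > "$1/wp-content/uploads/2024/logo.png"
}

backup_site() {                  # $1 = site dir, $2 = archive path (outside $1)
    tar -C "$1" -cf "$2" .
    # A real job would also run: wp db export "$2.sql" and ship both off-site.
}

# Checksum every regular file, listed relative to the root and sorted, so two
# trees can be compared as plain strings.
tree_fingerprint() {             # $1 = root dir
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(cksum < "$f")"
    done )
}

# Restore the archive into $3 and compare with $1. Returns 0 only if identical.
verify_restore() {               # $1 = original site dir, $2 = archive, $3 = restore dir
    mkdir -p "$3"
    tar -C "$3" -xf "$2"
    [ "$(tree_fingerprint "$1")" = "$(tree_fingerprint "$3")" ]
}

# Same check as a word you can put in a cron email: "ok" or "MISMATCH".
restore_check_result() {
    if verify_restore "$1" "$2" "$3"; then echo ok; else echo MISMATCH; fi
}

# Demo: build the constructed site, back it up, restore it and check.
work=$(mktemp -d)
make_sample_site "$work/site"
backup_site "$work/site" "$work/backup.tar"
echo "restore check: $(restore_check_result "$work/site" "$work/backup.tar" "$work/restore")"
rm -rf "$work"
```

Point backup_site at your real site directory and the archive at a folder on a different machine, and the MISMATCH branch is the alert that tells you the backup you are paying to store would not have saved you.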

The POPIA angle

South Africa’s Protection of Personal Information Act requires that any business collecting personal information takes reasonable steps to secure it. If your site has a contact form, a newsletter signup or a customer database (especially WooCommerce), you are collecting personal information.

“Reasonable steps” includes keeping your site’s software up to date, using SSL, and having a process for responding if a breach occurs. A poorly maintained WordPress site is not a reasonable security posture under POPIA.

Use SSL

Your site should be running on HTTPS. Every reputable South African host offers a free Let’s Encrypt SSL certificate. If your site is still on HTTP, your host’s control panel will have a one-click install option. Google has been using HTTPS as a ranking signal for years.

For a broader look at keeping your site in good shape, read Do I need a WordPress maintenance plan and What happens if you do not update WordPress.

For the bigger picture, our complete guide to WordPress for South African small businesses pulls all of this together.

Need a hand?

Security scanning and monitoring is part of all our WordPress care plans. If you suspect your site may have already been compromised, our rescue service covers full clean-up and vulnerability patching. Get in touch.

Not sure which service fits? See everything we do with WordPress, from builds to rescues to ongoing care.