Will hackers turn your website into a Russian shoe store?

WordPress is amazing. Really. It shaves a huge amount of time (and money) from the web development process. This is of course no secret. WordPress is now used by 24.9% of the world’s websites.

This is also one of the downsides of WordPress. Its popularity makes it an obvious target for hackers. They can write a script which targets specific vulnerabilities and then set it loose.

The script goes from site to site, looking for whatever it can find that can be broken into. The script does not care if you are a multi-national corporation or a one-man-band who sells cheese.

Once it is in, it can do whatever it likes with your website.

I’ve seen clients’ (well, right before they became clients) sites get hacked in loads of different ways. The hacks range from subtle and unobtrusive through to very destructive. Some examples are:

  • Embedded links to dodgy websites. Google hates this
  • The website completely replaced with terrorist propaganda
  • Being overwritten by a hidden Russian shoe store, which only displays to people who aren’t from Australia

Nuts, right?

Over the last couple of months, the number of hack attempts has climbed exponentially.

This graph shows the number of failed login attempts to WordPress sites worldwide through one particular method. These hackers are just trying many different username and password combinations to find one that works.

[Graph: WordPress brute force hack attempts. Source: Sucuri]

If you are using a default username like “admin”, this is where you should worry a little bit. That should be one of the first things on your list to fix. Hackers love default usernames.


There are ways to protect against these threats. This is one of the many things we do for our WordPress care & support clients. This is an actual screenshot from my email.

[Screenshot: WordPress lockouts]

See those numbers on the left – 59, 52, 98 etc? That is the number of user lockouts which have occurred on ONE site in ONE day. If I didn’t hide these emails, my inbox would be completely flooded.

These aren’t all massive companies. Many of them are local small businesses that by no means would be specifically targeted. The scripts simply attack everyone.
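How failed login attempts turn into lockout counts like the ones in those emails, as an added example (not from the original post and not any plugin's own code): it reads web server access log lines in combined log format and applies a simple lockout rule per IP address. The threshold, the time window and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
MAX_FAILURES = 3               # assumed threshold, not a plugin default
WINDOW = timedelta(minutes=5)  # assumed counting window

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.4 - - [01/Jan/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [01/Jan/2024:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.4 - - [01/Jan/2024:10:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3120
""".splitlines()


def failed_logins(lines):
    """Yield (ip, time) for each failed POST to wp-login.php.

    WordPress redirects (302) after a successful login and re-renders the
    form (200) after a failed one, so a 200 on POST counts as a failure.
    """
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue  # malformed line, page view, or successful login
        if m["path"].split("?")[0].endswith("/wp-login.php"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def count_lockouts(lines):
    """Return {ip: lockouts}; one lockout per MAX_FAILURES within WINDOW."""
    recent, lockouts = defaultdict(deque), defaultdict(int)
    for ip, ts in failed_logins(lines):  # log lines are in time order
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:        # forget failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            lockouts[ip] += 1
            q.clear()                    # counter restarts after a lockout
    return dict(lockouts)
```

On the sample log only 203.0.113.7 is locked out; the visitor who mistyped a password once and then logged in is left alone.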

How to protect yourself

It isn’t all doom and gloom. There are lots of different ways you can protect yourself. The most popular is to install one of the many WordPress security plugins like Wordfence, BulletProof, Sucuri, iThemes Security, Acunetix or All In One Security.

Each has its pros and cons. Generally we use the premium version of Wordfence with custom settings.

If everything does go wrong, you need to have backups in place. Most people use default settings and back their site up on the same server where their site is hosted.

That is the worst kind of backup.

[Image: This is not a backup]

Your backups need to be stored somewhere totally different like Amazon S3, Dropbox or one of the several “vaults” that some plugins provide.

Installing a plugin is only the most basic level of protection. Outside of this, it gets a bit nerdy and can be too much for a non-technical person to handle. Soon, we’ll release a guide on this for those who want to DIY their security. This of course will take some time learning and implementing.

For everyone else, if you value your time at $75 an hour, it isn’t worth you spending time on your website. There are way more important things to do in your business.

Imagine having a team of experts for just over an hour’s worth of your time, who will not only keep your site secure and backed up, but make changes to your site when you need it.

We’ve been looking after sites a long time, so we’ve been able to get our prices down to a point that makes it a no-brainer. Start protecting your most important online asset today.
