Backups and security

Keeping WordPress secure

Last updated 14 July 2026

The handful of habits that prevent almost every WordPress compromise, and what we handle for you.

Almost every hacked WordPress site is hacked for one of three reasons: an out-of-date plugin, a weak admin password, or a plugin that should never have been installed. All three are in your control.

What we handle

What you must do

1. Update, and update on staging first. Out-of-date plugins are the number one cause of compromise. Update WordPress core, your theme and your plugins. On Pro and above, test the updates on staging first so an update never breaks your live site. That removes the usual excuse for not updating.

2. Delete what you are not using. An inactive plugin is still code sitting on your server. A theme you abandoned two years ago is still a way in. Delete them. Do not just deactivate them.

3. Use strong, unique passwords for every admin account. And do not have five admin accounts. Give people the lowest role that lets them do their job. An editor cannot install a plugin, and that is the point.

4. Be careful what you install. Install from the official directory or from a developer you can name and contact. Never install a "nulled" or cracked premium plugin. They are the single most reliable way to get a site compromised, and they are usually compromised on purpose.

5. Remove people when they leave. The contractor who built your site three years ago probably still has an admin account. Check.

6. Keep your PHP version current. Old PHP versions stop receiving security fixes. See Tuning PHP settings for your site.

Security plugins

One is enough, if you want one at all. Three of them will fight each other and slow the site down without making it safer. Good habits beat plugins.

If the worst happens

See What to do if your site is hacked.

Still stuck?

The assistant in your control panel can see your actual account and answer about your sites, your plan and your usage. For anything else, email [email protected] and a person will answer.