This post was prompted by yet another warning that someone had tried to break into a client’s website.

With multiple warnings received every day, attempts to hack into clients’ WordPress accounts are an all-too-frequent occurrence.

I’m aware of them because I use the WordFence plugin. Without it – or something similar – I’d have no idea what’s going on.

Even the basic (free) WordFence package locks out potential intruders and alerts me to their activities and including it by default as part of my website packages is a no-brainer.

Installing WordFence is just one of the measures I put in place to improve the security of clients’ sites.

I also install a lifetime Secure Sockets Layer (SSL) certificate on all my clients’ websites, I use a quality hosting package, and I keep WordPress themes and plugins up-to-date.

Here’s a brief look at each of these benefits:

SSL

Installing an SSL certificate changes a site’s URL from the basic ‘hyper text transfer protocol’ (http) to ‘hyper text transfer protocol secure’ (https).

The ‘secure’ status means that traffic between the site’s server and a visitor’s browser is encrypted, so users don’t get those ‘unsafe site’ warnings which all too often persuade them to leave a website and look elsewhere.

Growing awareness of site security issues has seen an increase in the number of sites now using SSL certificates, with data suggesting that nearly 80% of the top 100,000 websites now use SSL and research by Google showing that almost 90% of pages loaded in Chrome were served over https in May 2021 (up from 40% in 2015; figures based on 21+ SSL Statistics that Show Why Security Matters so Much).

Although SSL certificates are available free of charge, they’ve sadly become another way for website hosts and designers to make money, with some charging for installing and/or renewing them.

Having fallen foul of just that practise with a previous host, I know how annoying – and expensive – it can be to have to renew annually. That’s why I offer free installation of a lifetime SSL certificate. If more than one is needed (e.g. for a subsite) then the client pays only the certificate cost; I don’t charge for adding it.

HOSTING

Some clients seem to think that it’s people like me – website designers – who are responsible for site security, but we’re not. Although designers often organise hosting and sell it on (some without revealing which host and package is being used) it’s professional hosting companies that provide the actual hosting.

I’m old enough to remember when websites could be hosted from home by enthusiasts, with an old pc acting as a server. Those days are long gone and hosting is now big business, with companies investing serious capital in datacentres, networks and, of course, security.

I’ve tried a few hosting companies over the years and can honestly say that Hostinger, which is the one I now use, is by far the best.

The cloud hosting package I use for clients’ websites includes a daily backup and comes with a 99% uptime guarantee. Other security features include 24/7 monitoring of servers and protection against distributed denial-of-service (DDoS) attacks.

Because I pay up front for a multi-year hosting deal, my clients get excellent value for money, paying as little as £80 per year for a quality package – which to my mind is an absolute steal!

WORDPRESS

Although I’m happy to hand responsibility for backing up clients’ websites to Hostinger, it’s also important to update WordPress themes and plugins.

With many providers introducing new features, improving existing ones and responding to security issues, the chances are that updates on even a small WordPress installation will become available on an almost weekly basis.

That’s why my support packages offer weekly or monthly checks and backups.

Going back to the attempted intrusions that inspired this post, it’s worth noting that the majority (I estimate 80%-85%) try the default WordPress username ‘admin’.

If the person or bot trying to break in (many of these attempts are automated) gets the username right, then they can move on to hacking the password. Given that many people still use a password that’s easy to remember and is associated with them (e.g. date of birth) or their business (e.g website name), that can be surprisingly easy. Some also leave clues for potential hackers on their website or on social media (e.g birthday, favourite colour) so beware what details you’re sharing and what passwords you’re using.

To be on the safe side, security experts advise using a password generator and saver (apparently the password bL8%4TO&t9b% automatically generated by LastPass would take 46 million years for a computer to crack!), while the current username can be changed using a plugin such as Easy Username Updater.