Freelancers on WordPress…Don’t get HACKED!

Earlier today I tweeted about a woman who got hacked and lost her ENTIRE business site. No backups and no protective measures were previously taken to harden (aka protect) her site because she relied on her web hosting company.

While she is taking it like a champ and seeing the lesson in all of this, she has basically LOST everything. Her business site, product offerings EVERYTHING!

Listen. To. Me. Making your site beautiful and accessible is wonderful but security should always be the priority (designer friends don’t kill me). As the site owner, it is your responsibility to do you due diligence. Please do not 100% rely on your web hosting provider, especially if you are on WordPress.

I have outlined a few tips that will get you on the right path to securing your site. Please keep in mind that as this is not an exhaustive list, I recommend that you go through your own due diligence process, especially if your site is hosted on WordPress.

I can appreciate the versatility and flexibility offered by WordPress however if you have no time or interest in maintaining your site and taking the necessary steps to protect it (which can include backups, staging, testing plugins before deploying and constant monitoring), keep it moving over to Squarespace. WordPress flexibility will have you jacked up if you are not vigilant.


  1. Stop installing ALL the plugins
     For the sake of the internet gods, stop installing every dang plugin that exists to mankind. Most importantly, please install the plugin in your staging environment first.
  2. Username and Passwords
     Please ensure that your username is NOT your email address, NOT “admin”, NOT “administrator”, NOT your “name”. It goes without saying that you must always use a complex password and not something like “password”, “password123”. Make it complicated and preferably auto-generated by a password manager tool. I also recommend enabling two-factor authentication.
  3. Staging
     As far as your Staging environment, please DO create several copies (1-Please DO use a completely different username/complex password than your production/live site. Yes, it’s a pain I know but if you want to minimize your risk, do these things today!
“Security is all about layering, layering, layering and a little healthy paranoia” — @divinetechygirl

Please, thank you and always. This is important. Your web hosting provider should offer the option to create a full site backup. Do this and be sure to save a local copy of this as well.

PROTIP Please DO NOT give your password up for “troubleshooting” purposes. My web hosting company tried to request this from me recently and of course, my reply was a speedy HELL TO THE NO. Well, it was actually, “I do not feel comfortable providing these details to you”. Look, they can probably get this themselves at the end of the day but I sure as heck am not making it easier for anyone.

Again, this is not meant to be all-inclusive but a mere starting point for many who have not even thought about taking these steps. I hope these tips are helpful. Feel free to add to the original thread on Twitter, if you’d like to include any other recommendations.

Originally published at Christina Morillo.