Protecting Your Blog From Hackers

share this post >>

This post may contain affiliate links.

If your blog is on self-hosted WordPress, then you know how powerful WordPress is as a blogging platform.

Your ability to optimize your blog to generate more traffic, engage with your readers and grow your email list is unmatched by any other blogging platform.

But with great power also comes great responsibility.

The trade-off for using self-hosted WordPress is that you’re also responsible for the maintenance of your online home - and that’s also one of the biggest reasons I hear from bloggers as to why they’re afraid to go with self-hosted WordPress.

Maybe you’ve heard that WordPress gets hacked all the time. Maybe you’ve heard that WordPress can break when you update plugins. Maybe you’ve heard something else that makes you think self-hosted WordPress is risky.

So I’m gonna to separate the truth from the myth and give you a few simple steps you can take to make sure your self-hosted WordPress blog is in tip-top shape.

Myth #1 - "WordPress gets hacked all the time!"

The truth: Yes, hackers love WordPress. But just like a thief casing a neighborhood looking for an open garage door or an open window target, hackers are going to pass your blog by if you’re not an easy target.

How to protect yourself:

Install a security plugin:

I recommend WordFence, and you can learn exactly how to install and configure it inside of my free video training series, the 5 Day Website Challenge. Learn more and sign up for free here*.

WordFence will run a malware scan, so you’ll want to check your scan results and see if there are any items that need fixing. WordFence will alert you to plugin updates, old plugins, files that are different from the “WordPress Core” which resolved.

Going through those scan results every week or so and cleaning up anything WordFence finds is a good practice - and it can be done in just a few clicks!

Myth #2 - "I should wait to update WordPress core files and plugins to make sure they are stable first."

The truth: Back in the day, crashes after updates (known as the White Screen of Death in WordPress nerd lingo) were pretty common, but not so much anymore.

It’s much riskier to leave WordPress core files, plugins and themes outdated because it’s like leaving your front door open while you’re not home.

How to protect yourself:

Backup before updates:
Before you make any updates, make sure you have a good backup*. See Myth #4. Then if an update causes a problem, you can restore a backup in just a few clicks and it’s like it never even happened.

Keep plugins updated on a consistent basis:
If plugins need to be updated, you’ll see an orange dot with a number in it next to the Plugins menu item on your dashboard. It’s as easy as clicking on the plugins menu, finding the plugin that’s highlighted orange and clicking the Update link.

Do this for all plugins as often as possible. It’s when you don’t log into your site for a long time that this becomes easy to forget!

Tip: Add “Check for plugin updates” to your blog post checklist and that should be often enough to update your plugins if you’re posting new content on a regular basis.

Keep any themes you have installed updated:
You probably have a few inactive themes you’re not using installed. These actually aren’t as easy to spot as plugin or WordPress updates – there’s no big message or orange dot with a number, but they are important nonetheless.

You can find out if there’s a theme update by going to Appearance > Themes – there you’ll see the theme highlighted if there’s an update – simply click Update, and you’re good to go!

Keep WordPress Core files updated:
WordPress releases updates quite often, and one myth I commonly hear is that you should wait a few weeks to update to the next version of WordPress in case it’s unstable and the update causes their blog to crash.

Please do not wait to update WordPress when you see an update available in your dashboard. Unless it’s a major new release, almost all of the updates are related to security, and if you don’t click the link to update, you’re leaving your blog vulnerable to hackers.

Myth #3 - If I get hacked I’ll lose my whole blog and all of my hard work will be gone!

The truth: Hacks aren’t as scary as you might think. Yes, cleaning up a hack can be time-consuming, and annoying, but rarely will you lose all of your hard work. I’ve cleaned up nearly 100 hacked blogs and we’ve never lost any content.

Most bloggers who have been hacked don’t even know it! There are three common ways you may discover that you’ve been hacked:

  1. You get an email from your web hosting company saying malware has been discovered on your blog and it will be taken offline until it has been cleaned up - so as not to spread the malware to other sites that live on the same server (also known as “shared hosting”).
  2. You Google yourself and find a notice below your Google Search results that says “This site may be hacked.”
  3. Your blog starts redirecting traffic to shady websites.

How to protect yourself:

As the saying goes, “An ounce of prevention is worth a pound of cure,” so having a security plugin in place and keeping core files, themes and plugins updated will go a long way.

If this is something you know you won’t remember to do yourself, a service like my WordPress Protection Package* is a great option for you!

If you do discover that you’ve been hacked, cleaning up a hack typically involves removing files from your web hosting account that have been identified as malicious.

Cleaning up malicious files:
If you get a notice from your web hosting company that you’ve been hacked, typically they will offer a service called Sitelock that will clean up the hack for you and then protect you from hacks going forward.

In fact, you may already have Sitelock set up on your account, and if you do, think of it as an insurance policy - you’re paying for continuously to prevent a hack from happening and clean it up if something malicious slips through from an infected site on your shared hosting.

But if you get hacked and you don’t already have Sitelock, it’s like going to the emergency room without insurance - it can be pretty expensive to buy Sitelock after the fact and then have them clean up your hack - we’re talking a few hundred dollars or more.

The good news is that you can clean up a hack on your own without having to pay for Sitelock by requesting the list of malicious files from your web hosting company.

Then you’ll log into your CPanel, find the File Manager, and then navigate through the set of folders to each file on the list and then delete them one by one.

When you’re done deleting files, make sure you have WordFence installed and run another scan, and then make sure your WordPress core, plugin and theme files are up to date.

Then ask your hosting company to re-run their scan and then they should bring your site back online.

Fixing malicious redirects:
If your site is being redirected to another site, typically your hosting company can help you get that type of hack fixed. There are a few different ways hackers could do that, and your hosting company can troubleshoot and fix that for you.

Fixing “This site may be hacked”
And if you were getting the “This site may be hacked” warning on your Google Search results, first, clean up the hack and then you’ll log into Google Search Console and follow these steps to request a security review to scan your blog and remove the message.

Other ways to get help:
WordFence offers a premium service that will clean up your site for you in the event of a hack.

My WordPress Protection Package* will take care of all of this for you if you’re not into doing it yourself. My team keeps your plugins, themes and core files up-to-date on a daily basis, backs your blog up nightly, monitors security and cleans up hacks so you never have to think about the backend stuff at all and you can focus on growing your blog! You can learn more about exactly what’s included here*.

Myth #4 - I don’t need to do my own backups - my hosting company does it for me!

The truth: Your hosting company is making backups for you, but how often? Are they backing up your files and your database? And how many days worth of backups are they keeping? It’s worth finding out the answers to those questions in the event you need to restore a backup!

Backups are the most important component of protecting your blog, and I recommend that you back up your blog (files and database) every single night and that you have access to at least 30 days worth of backups.

Here’s why:

Nightly backups:
Even if you’re only adding new content once a week, you’re getting traffic to your blog every day. You work really hard to create awesome content and engage with your readers and get comments on your posts.

Ideally, you’re getting new comments every day. If you’re only backing up once a week and something happens that you need to restore a backup, you’ve just lost a week’s worth of comments (a week’s worth of social proof!)

30 days worth of backups: If something does happen that you need to restore a backup (hey, tech happens), then you have options. If your hosting has only one backup from two weeks ago available to restore, then yep, you just lost two weeks of content and engagement. Alternatively, if you have 30 days worth of full backups, you may only lose a few hours of work.

Restoring from a backup should be a last resort, not the first solution. Be very, very careful if your hosting company tells you that they need to restore a backup. Always ask for the date of the backup they are restoring, ask how many backups they have available for you to choose from, and consider the consequences of restoring the available backups.

How you can make your own backups:
There are a few backup plugins out there. Updraft Plus is a popular one, however, I recommend BackWPUp.

I also run nightly backups and store 30 days for customers of my WordPress Protection Package* service.

If you’re running your own backups, check every week or so to make sure backups are actually happening, and that they’re being saved and you know how to access them and how to restore them via whatever backup plugin you’ve chosen.

If you get hacked on a Tuesday, you can restore a backup from Monday, clean up any security issues that caused you to get hacked, and then you’re good to go!

But if you have an issue and find out after the fact that your backups never ran, well, all I can do is offer you a pint of your favorite ice cream and a giant spoon!

Myth #5 - You have to be a techie to manage all the backend stuff in WordPress.

The truth: This myth couldn’t be further from the truth. WordPress makes it easy for bloggers to keep their blogs updated.

WordPress notifies you of all the available updates in your dashboard every time you log in.

You simply need to install a security plugin, install a backup plugin, and actually log in on a consistent basis, check for updates, check your WordFence scan results and simply click a few links to get everything updated.

And if you simply don’t want to deal with it and you want the confidence to know that someone is taking care of your blog and is just an email away if you have an issue, then consider signing up for the WordPress Protection Package and it’ll take care of all of it for you - and you’ll have me in your back pocket just in case!


Shannon is a former side hustler turned full-time blogger, web designer, and WordPress expert who helps bloggers and online business owners build their websites, audience and income online. Shannon’s Free 5 Day Website Challenge teaches new entrepreneurs exactly how to build a website with WordPress from start to finish in just 5 days. You can learn more about Shannon and sign up for the Challenge at

share this post

Leave a Reply

Your email address will not be published. Required fields are marked *

Keep Learning: