The big joke these days is that there are only two kinds of companies left in the US…those that have been hacked and those that don’t know they’ve been hacked.

Get it?  Hardy Har Har. Yeah, not so funny, huh?

Trust me when I say that no one is immune from getting hacked.  Not the big guys.  Not the little guys.  And sadly, not us solopreneurs.

Heck, not all that long ago the New York Times and Twitter were both hacked. Evernote, Facebook, Apple and NBC (and its affiliates) and Microsoft were also all hacked. Even the people that guard our personal data (like our login info, our credit card info, all our important info) were hacked, for Pete’s sake!

Again…no one is safe from getting hacked.

Especially if you’re using WordPress.

I’m not trying to scare you off of WordPress, so please don’t even go there.  In fact, lucky for you, there are some super simple things you can do to make sure you’re aware of what’s going on with your own website.

First and foremost, don’t leave the login to your WordPress site as the default Admin.  Go into your user panel and create yourself a brand spankin’ new admin – feel free to use your first initial and your last name – complete with a strong password (more on that below). Then log in to your site as your new admin and delete the original “ADMIN” user (be sure to transfer all their posts to your new admin user). Yes, it is indeed that simple.

Next up, strengthen those passwords. The bots that the hackers use tend to look for words (like common names or even the word “password”) and utilize what’s referred to as “dictionary attacks.”  So if you’re using a name or a word as your SECURE password, change it to something more complex that uses a combination of letters, numbers, and symbols.

If you’re stuck on what to create for a password, might I suggest a word that works for you, switching some letters for numbers or symbols, in conjunction with a zip code or your license plate number (usually another mix of letters and numbers), or even part of your phone number. For example: DOLPHINS87112 would become d0lph!nz*87112.  It’s easy enough to remember, yet difficult enough that the bots can’t get it easily using a dictionary attack.
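As an added example (not part of the original post), the Python below applies the rules just described to a candidate password: is it a bare dictionary word, does it contain one, and does it mix letters, numbers and symbols. The word list is a constructed stand-in for the lists a bot cycles through. It goes one step beyond the text: matching is repeated after undoing the usual letter-for-symbol swaps, because the same swaps are standard rules in cracking tools, so in `d0lph!nz*87112` the base word is still recoverable and it is the length and the appended zip code that do the real work.

```python
"""Score a candidate password against the article's three rules (added example)."""
import string

# Constructed mini word list standing in for a dictionary-attack word list.
WORDLIST = {"password", "dolphins", "admin", "welcome", "letmein", "qwerty"}

# Letter-for-symbol swaps that password-cracking rule sets undo automatically.
LEET_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s", "!": "i", "z": "s"})


def character_classes(password):
    """Count how many of letters, digits and symbols the password uses (0-3)."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return sum([has_letter, has_digit, has_symbol])


def dictionary_words_in(password, wordlist=WORDLIST):
    """Return word list entries found inside the password.

    Matching is case-insensitive and is repeated after undoing the swaps in
    LEET_SWAPS, so 'D0lph!n5' is still recognised as containing 'dolphins'.
    """
    plain = password.lower()
    unswapped = plain.translate(LEET_SWAPS)
    return sorted(w for w in wordlist if w in plain or w in unswapped)


def assess(password, wordlist=WORDLIST):
    """Apply the article's rules and report what a dictionary bot would see."""
    words = dictionary_words_in(password, wordlist)
    classes = character_classes(password)
    normalized = password.lower().translate(LEET_SWAPS)
    if normalized in wordlist:
        verdict = "dictionary word"      # falls on the first pass over a word list
    elif words and classes < 3:
        verdict = "weak"                 # a word plus a predictable suffix, one class short
    elif len(password) >= 12 and classes == 3:
        verdict = "acceptable"           # meets the mix-of-three rule with real length
    else:
        verdict = "weak"                 # mixes classes but is too short
    return {"verdict": verdict, "classes": classes, "length": len(password),
            "dictionary_words": words}


if __name__ == "__main__":
    for candidate in ("password", "DOLPHINS87112", "d0lph!nz*87112", "Pa55w0rd!"):
        print(candidate, assess(candidate))
```

Note that `d0lph!nz*87112` is reported as acceptable while still listing `dolphins` among the recovered words: the report tells you which part of the password a word list would find and which part it would not.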

Finally, get some help.  I can personally recommend the Wordfence plugin.  I get reports throughout the day telling me how many times it is locking out “users” from signing in, any time an admin logs in, or when my plugins appear to be altered.  It’s quite simple to install and even the most basic of default settings will still protect you. On top of all the useful info it shares with you (if you give an email for the alerts), you can also find out some fascinating, if not curious, info about your hackers like where they’re from.
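The lockout reports described above come from the plugin counting failed logins per source address. The Python below is an added example, not Wordfence’s code, showing that logic over a constructed login audit log (the line format, the five-in-five-minutes threshold, the one-hour lockout and the `ADMIN_USERS` set are all assumptions for the demo): an address that fails five times inside the window is locked out, later attempts from it are counted as blocked, and a successful login by an admin account is reported, which is the “any time an admin logs in” alert.

```python
"""Lock out sources with repeated failed logins and flag admin logins (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login audit log; format assumed: ISO timestamp, ip, user, result.
SAMPLE_LOG = """\
2014-03-10T08:00:01 ip=203.0.113.9 user=admin result=fail
2014-03-10T08:00:02 ip=203.0.113.9 user=admin result=fail
2014-03-10T08:00:03 ip=203.0.113.9 user=administrator result=fail
2014-03-10T08:00:04 ip=203.0.113.9 user=admin result=fail
2014-03-10T08:00:05 ip=203.0.113.9 user=admin result=fail
2014-03-10T08:00:06 ip=203.0.113.9 user=kjones result=fail
2014-03-10T08:15:00 ip=198.51.100.4 user=kjones result=fail
2014-03-10T08:15:30 ip=198.51.100.4 user=kjones result=success
2014-03-10T09:30:00 ip=203.0.113.9 user=admin result=fail
"""

# Constructed: the site's real administrator accounts (the default "admin" is gone).
ADMIN_USERS = {"kjones"}


def parse_line(line):
    """Turn one audit line into a dict with a parsed 'time' field."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts_str)
    return rec


def analyze(log_text, max_failures=5, window=timedelta(minutes=5),
            lockout_duration=timedelta(hours=1), admin_users=ADMIN_USERS):
    """Replay the log and return lockouts, admin logins and blocked attempts."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    tried = defaultdict(set)        # ip -> usernames guessed since the last reset
    locked_until = {}               # ip -> time the lockout expires
    lockouts, admin_logins, blocked = [], [], 0

    for line in log_text.splitlines():
        rec = parse_line(line)
        ip, now = rec["ip"], rec["time"]

        # Attempts from a locked-out address are refused and only counted.
        if ip in locked_until and now < locked_until[ip]:
            blocked += 1
            continue

        if rec["result"] == "success":
            failures[ip].clear()
            tried[ip].clear()
            if rec["user"] in admin_users:
                admin_logins.append((ip, now, rec["user"]))
            continue

        # Sliding window: keep only failures from the last `window`.
        recent = failures[ip]
        recent.append(now)
        tried[ip].add(rec["user"])
        while now - recent[0] > window:
            recent.popleft()

        if len(recent) >= max_failures:
            locked_until[ip] = now + lockout_duration
            lockouts.append({"ip": ip, "time": now, "usernames": sorted(tried[ip])})
            recent.clear()
            tried[ip].clear()

    return {"lockouts": lockouts, "admin_logins": admin_logins,
            "blocked_attempts": blocked}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for event in report["lockouts"]:
        print("locked out", event["ip"], "at", event["time"], "after trying", event["usernames"])
    for ip, when, user in report["admin_logins"]:
        print("admin login:", user, "from", ip, "at", when)
    print("attempts refused while locked out:", report["blocked_attempts"])
```

The usernames recorded for the locked-out address (`admin`, `administrator`) are exactly the default names the first tip tells you to get rid of, which is why a lockout report is also a useful reminder that the rename was worth doing.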

And I’m sure you realize (and it basically goes without saying) that you should watch what you download and make sure your computer’s security settings are up to date.  Oh yeah…don’t forget to make sure your system – and yes, your website – are regularly getting backed up following the 3-2-1 backup plan.

One final note: If you’re really, really stuck on creating strong passwords, or if you have challenges remembering all your passwords, I highly recommend you look into getting LastPass.  It will simplify your online life in ways you’ve yet to even imagine.


  • Thank you for these important tips, Katy. I tweeted your message to my network.

    • Thanks Susan. Folks really do need to know. The “admin” thing has been around for a while now. But I don’t think folks realize just how often someone is attempting to get control of their site until they see the data from the Wordfence plugin.

  • Meenakshi

    Thanks for the tips, I wonder: is there some data about what ‘kind’ of sites get hacked? For instance is this for sites linked to online shopping carts?

    • At this point, I don’t think it matters. When you come down to it, most WP sites are personal blogs, with not much of anything going on. Yet my own personal blog (which has nearly no traffic) still receives non-stop “attacks” by hackers and bots. Which is why I love the Wordfence plugin…it’s free, it works, and it keeps you informed.

  • Great post, and as we have been hacked this year, I have changed all logins and passwords.

    • Being hacked is such a pain. Cleaning things up and getting things back to where they should be is a painful and energy-draining task. So yes, doing these simple things can save your business.

  • Thanks for the reminder to be conscious of my website security. It’s something I’ve definitely been lazy about. I’m happy to see that I do have a special login, not the default Admin, on all my sites. I also learned the hard way that my hosting company backs everything up once a week and for a small fee can restore my website for me when something goes drastically wrong. 🙂 Great post! Thanks!

    • I think many folks can get a little lazy about it. Especially when we’ve paid others to set things up for us. Good to hear that your admin account was changed up. Just that one simple thing can stave off some major inconvenience. Adding in the regular backups (makes things so much easier when you can restore), and using Wordfence makes it all the better.

  • Web design

    I have a question: is it possible for hackers to access your server files if they don’t know your password or username? If so, how? I just want to know if keeping the password extremely safe can prevent my site from being hacked.

    • When I was first prompted to write about this two months ago, yes, I did hear of folks getting their server hacked. I’m not a web developer (by any means), so I honestly can’t tell you how. I just know that it did indeed happen to clients of ours.

      I will say that over the past couple of weeks, my Wordfence plugin is alerting me to far, far fewer hack attempts than it did two months ago when I first wrote this article. I don’t know if that means that “hacker” crew isn’t as active at this time or if they’ve moved on from my site since they’re not getting anywhere.