How to Protect Your WordPress Website from Getting Hacked with Malware

by Feb 15, 2022Website Aftercare

A financial services consultant reached out to me recently after she noticed that her website’s main navigation looked different.

Instead of seeing the usual Home, About, Services, and Contact page links, there was a new, mysterious link for crypto where the services page link used to be. And in place of the Services page was a cryptocurrency marketplace page.

This was alarming to the financial services consultant because attracting new clients to her business relies so much on trust. Even with her impressive credentials and an impeccable track record, her website was making a different impression about her business. An impression that would likely scare away good prospective clients.

So, what’s a professional services business to do to protect your website from malware infection? I recommend performing website maintenance every month. If you follow these steps, you’ll significantly reduce your website’s exposure to getting hacked.

Make Website Backups

Before making any changes to your website, make a full backup. This way, if something goes wrong during your maintenance session, you’ll have a full copy of your website that you can restore. My favorite tool for making backups is All-in-One WP Migration. It’s easy to use and creates fully restorable site backups.

You also want to make a full site backup after you’ve completed your maintenance session so you have a copy of the fully updated version of your website.

Another situation that calls for creating a website backup is after making extensive edits to your site. And, by extensive, I mean any amount of edits that you wouldn’t want to have to recreate if something were to go wrong.

Install a Security Plugin

Keeping your website safe and secure is easier when it’s monitored 24/7 automatically. One popular security plugin and my favorite is Wordfence. It is easily programmed to email you alerts whenever your website software becomes outdated or if there are any widespread WordPress issues that could potentially affect your website.

It’ll also send you reports showing if anyone’s tried to log into your site, and if there’s unusual activity from a particular country or IP address.

Update Plugins

Speaking of plugins, like Wordfence, there are many different plugins you can install on your website to allow for added functionality. You want to keep the number of plugins on your site to a minimum to reduce unnecessary security exposure. And make sure to update plugins when new versions are released.

I like to keep a record of plugin versions as I update them so if anything goes wrong—either during maintenance or shortly after my maintenance session—I’ll know what the last version is that worked and can revert back to it if I have to during troubleshooting.

Update WordPress

WordPress issues updates several times a year in response to security issues and also to enhance functionality of the core software. While it’s probably okay to allow minor updates to happen automatically, major updates come with a greater risk of breaking your site. So I recommend making major WordPress updates manually so you can do a careful inspection of your website during your maintenance session and make corrections on the spot.

Update Themes

Many websites are built using a WordPress theme with varying degrees of customization. If you’re running a small professional service firm, chances are, your website was built using a theme. Like WordPress and plugins, theme developers (the good ones, anyway) are constantly updating their applications with improved functionality and better security.

Whenever you do site maintenance you want to check for theme updates and make them when they’re available. Also, keep track of version numbers so you can revert back if something goes wrong.

Keep Your Website Secure with SSL

Does your website’s URL start with https? If yes, then it has an active SSL certificate in place. If your website URL doesn’t have the ‘s’, it indicates that there isn’t a valid SSL certificate.

While SSL certificates are ubiquitous these days, I still occasionally come across websites that don’t have one. The way I can tell? Besides the missing ‘s’ most major browsers—Chrome, Safari, Firefox—flag websites as non-secure when they don’t have an active SSL certificate.

As a professional service business, you don’t want your website flagged as non-secure, especially if you’re collecting visitor contact information or processing any kind of payments. Put yourself in your prospective clients’ shoes and ask yourself, If you were looking for legal advice or seeking financing or marketing consulting, how would you feel about hiring a firm with a website that’s been flagged ‘non-secure’? Would you trust that firm to help solve your issue? How about your ideal client? Would they shrug and call you anyway? Or keep looking for another professional service provider with an unquestionable website?


Having a website to promote your professional service business is a must. And like anything else on the internet, there are security risks. Malware bots are programmed to look for easy ways to breach websites. This means websites running outdated software—plugins, themes, WordPress—or that don’t have a current SSL certificate are all at risk.

You can largely avoid a malware infection by keeping your website updated with regularly scheduled maintenance. This not only keeps your website secure but has the added benefit of improving site functionality and can help sustain the intended look and design of your website.

But if taking the steps to keep your website up-to-date seems like more than you or your team are interested in handling yourselves, get in touch to find out about my Web Concierge Aftercare service. I can take this tedious but important security task off your plate while you keep your focus on your genius work.