WordPress is one of the most popular website platforms in the world, which also makes it a common target for attackers. For many small businesses, the website is not just a brochure. It is connected to enquiries, bookings, contact forms, email notifications, customer data, analytics, advertising and sometimes online payments.
The problem is that many WordPress sites are treated as a “set and forget” project. A website gets built, launched and then slowly becomes risky over time as plugins, themes, administrator accounts and hosting settings are left unmanaged.
This checklist is designed for small businesses that want a practical way to reduce the risk of their WordPress website being hacked, defaced, blacklisted or used to send spam.
1. Keep WordPress, plugins and themes updated
Outdated plugins and themes are one of the most common WordPress security risks. Even if the main WordPress core is up to date, one abandoned plugin can create a serious vulnerability.
At a minimum, you should regularly check:
WordPress core updates
Plugin updates
Theme updates
PHP version compatibility
Plugins that have not been updated by the developer in a long time
Plugins that are installed but not actively used
Unused plugins and themes should be deleted, not just deactivated. Every extra plugin increases your attack surface.
If your business does not have someone checking this regularly, it may be worth having a proper website maintenance process in place.
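One way to turn the checks above into a repeatable review, as an added example that is not code from the original article: the script below reads the JSON that WP-CLI's `wp plugin list --format=json` emits and flags plugins with updates waiting, plugins installed but inactive, and plugins whose developer has not shipped a release in over a year. The "last updated by developer" dates are assumed to have been looked up separately (the wordpress.org plugin directory publishes them); the plugin list and dates below are constructed samples.

```python
"""Review a WordPress plugin inventory for the risks in this checklist.

Added example, not code from the original article. Assumes the plugin list
was exported with:

    wp plugin list --format=json --fields=name,status,version,update

and that a per-plugin "last updated by developer" date was looked up
separately (hypothetical lookup; the dates below are constructed).
"""
import json
from datetime import date

# Constructed sample of what `wp plugin list --format=json` returns.
SAMPLE_PLUGIN_JSON = """[
  {"name": "akismet", "status": "active", "version": "5.3", "update": "available"},
  {"name": "contact-form-7", "status": "active", "version": "5.9", "update": "none"},
  {"name": "old-campaign-slider", "status": "inactive", "version": "1.0", "update": "none"},
  {"name": "hello", "status": "inactive", "version": "1.7.2", "update": "none"}
]"""

# Constructed "last release by the developer" dates (hypothetical directory lookup).
SAMPLE_LAST_UPDATED = {
    "akismet": date(2024, 3, 1),
    "contact-form-7": date(2024, 2, 15),
    "old-campaign-slider": date(2021, 6, 30),
}

ABANDONED_AFTER_DAYS = 365  # treat a plugin with no release in a year as abandoned


def review_plugins(plugin_json, last_updated, today):
    """Return the plugins that need attention, grouped by reason."""
    findings = {"update_available": [], "inactive": [], "abandoned": [], "unknown_age": []}
    for plugin in json.loads(plugin_json):
        name = plugin["name"]
        if plugin.get("update") == "available":
            findings["update_available"].append(name)
        if plugin.get("status") == "inactive":
            # Inactive plugins are still on disk; delete them rather than leaving them.
            findings["inactive"].append(name)
        released = last_updated.get(name)
        if released is None:
            findings["unknown_age"].append(name)
        elif (today - released).days > ABANDONED_AFTER_DAYS:
            findings["abandoned"].append(name)
    return findings


def report(findings):
    """Print one line per finding category so the output can go straight into a ticket."""
    labels = {
        "update_available": "Update available, apply it",
        "inactive": "Installed but inactive, delete it",
        "abandoned": f"No developer release in {ABANDONED_AFTER_DAYS} days, replace it",
        "unknown_age": "Release date unknown, check the developer",
    }
    for key, names in findings.items():
        if names:
            print(f"{labels[key]}: {', '.join(names)}")


if __name__ == "__main__":
    report(review_plugins(SAMPLE_PLUGIN_JSON, SAMPLE_LAST_UPDATED, date.today()))
```

Run it against a real export by replacing the sample JSON with the file `wp plugin list --format=json > plugins.json` produces; the same shape works for `wp theme list --format=json`, so the theme inventory can be reviewed with the same function.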
2. Use strong administrator passwords and MFA
Your WordPress administrator login should never rely on a weak or reused password. If one of your staff members uses the same password across multiple services, a breach from another platform could put your website at risk.
Every WordPress administrator should use:
A unique password
A password manager
Multi-factor authentication
Their own user account, not a shared admin login
The lowest access level needed for their role
Avoid giving every staff member full administrator access. Most users only need editor, author or shop manager access depending on what they do.
This is also where website security overlaps with broader business cyber security. If an attacker compromises a staff email account, they may be able to reset WordPress passwords, access hosting accounts or intercept form submissions.
For broader protection across email, devices, users and cloud platforms, see our cyber security consultants Melbourne service page.
3. Choose reliable hosting and development support
Cheap hosting is not always a problem, but poor hosting support, weak backups, outdated PHP versions and badly configured servers can make recovery much harder after an incident.
Website security starts with the basics: a well-built site, reliable hosting, regular updates, clean code and sensible access controls. Businesses working with external providers for web development and cloud hosting services should still make sure responsibilities are clear for backups, plugin updates, administrator accounts, MFA and recovery if the website is compromised.
Before choosing a hosting or website provider, ask:
Who is responsible for WordPress updates?
Are backups included?
How often are backups taken?
Can the site be restored quickly?
Is staging available for testing updates?
Who has administrator access?
Is MFA available for the hosting control panel?
Are security logs available?
The key is making sure nothing falls into the gap between the website developer, hosting provider and business owner.
4. Review administrator accounts regularly
Many WordPress websites collect old administrator accounts over time. These might belong to previous developers, marketing agencies, contractors or staff members who no longer work with the business.
You should review WordPress users regularly and remove access that is no longer needed.
Check for:
Unknown administrator accounts
Old developer accounts
Shared login accounts
Staff who have left the business
Users with higher permissions than needed
Accounts using personal email addresses instead of business email addresses
The same applies to your hosting account, DNS provider, domain registrar, Google Analytics, Google Search Console, Cloudflare and email marketing platforms.
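The user review in this section can also be scripted. The example below is added here and is not code from the original article: it reads the JSON that `wp user list --format=json` produces and flags administrators, administrators that were not present at the last review, accounts whose email is outside the business domain, generic shared-looking logins, and accounts belonging to staff who have left. The business domain, the list of leavers and the snapshot of previous administrators are assumptions, and every user record below is constructed.

```python
"""Review WordPress user accounts for the items in this section.

Added example, not code from the original article. Assumes the users were
exported with:

    wp user list --format=json --fields=user_login,user_email,roles

The business domain, the leavers list and the previous-review snapshot are
assumptions; all sample records are constructed.
"""
import json

BUSINESS_DOMAIN = "example.com.au"  # assumption: the business's own mail domain
PRIVILEGED_ROLES = {"administrator"}
GENERIC_LOGINS = {"admin", "administrator", "dev", "developer", "agency", "test", "webmaster"}

# Constructed sample of `wp user list --format=json` output.
SAMPLE_USERS_JSON = """[
  {"user_login": "jane", "user_email": "jane@example.com.au", "roles": "administrator"},
  {"user_login": "admin", "user_email": "webmaster@gmail.com", "roles": "administrator"},
  {"user_login": "webdev-agency", "user_email": "support@agency.example", "roles": "administrator"},
  {"user_login": "tom", "user_email": "tom@example.com.au", "roles": "editor"},
  {"user_login": "sarah", "user_email": "sarah@example.com.au", "roles": "shop_manager"}
]"""
# Constructed: administrators recorded at the previous review, and staff who have since left.
PREVIOUS_ADMINS = {"jane", "webdev-agency"}
LEAVERS = {"tom"}


def review_users(users_json, previous_admins, leavers, business_domain=BUSINESS_DOMAIN):
    """Return logins that need attention, grouped by the checklist item they fail."""
    findings = {
        "administrators": [],
        "new_administrators": [],
        "external_email": [],
        "shared_logins": [],
        "leavers_still_present": [],
    }
    for user in json.loads(users_json):
        login = user["user_login"]
        raw_roles = user.get("roles", "")
        # WP-CLI emits roles as a comma-separated string; accept a list as well.
        roles = set(raw_roles) if isinstance(raw_roles, list) else {
            r.strip() for r in raw_roles.split(",") if r.strip()
        }
        domain = user["user_email"].rsplit("@", 1)[-1].lower()
        if roles & PRIVILEGED_ROLES:
            findings["administrators"].append(login)
            if login not in previous_admins:
                # An administrator nobody recorded last time deserves a question.
                findings["new_administrators"].append(login)
        if domain != business_domain.lower():
            findings["external_email"].append(login)
        if login.lower() in GENERIC_LOGINS:
            findings["shared_logins"].append(login)
        if login in leavers:
            findings["leavers_still_present"].append(login)
    return findings


if __name__ == "__main__":
    for key, logins in review_users(SAMPLE_USERS_JSON, PREVIOUS_ADMINS, LEAVERS).items():
        print(f"{key}: {', '.join(logins) or '-'}")
```

Keep the administrator snapshot from each review in a file next to the export; the `new_administrators` list is then the diff between reviews and doubles as the "alert on new administrator accounts" check from the monitoring section.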
5. Set up proper backups
A backup is only useful if it can actually be restored. Many businesses assume their website is backed up, but only discover a problem when they urgently need to recover it.
A good WordPress backup setup should include:
Automated scheduled backups
Offsite backup storage
Database and file backups
A clear restore process
Backup retention history
Occasional restore testing
Do not rely only on backups stored inside the WordPress website itself. If the site is compromised, those backups may also be deleted or infected.
For businesses that rely heavily on cloud systems and business data, website backups should be part of a broader backup, disaster recovery and business continuity strategy.
6. Protect contact forms and website email
Many WordPress websites send enquiry forms to Microsoft 365, Google Workspace or another business email platform. If the website is compromised, contact forms can be abused to send spam, phishing messages or malicious links.
You should check:
Contact forms are protected from spam
Website email is authenticated properly
SPF, DKIM and DMARC records are configured
Form submissions are not exposing sensitive data
Admin notifications are going to the correct mailbox
Old forms and test pages have been removed
Website security and email security are closely connected. If attackers compromise your email, they may also gain access to your website, domain, DNS or hosting accounts.
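Checking that SPF, DKIM and DMARC are actually configured means reading the TXT records, not just confirming they exist. The script below is an added example and not code from the original article: it takes the record text (fetched beforehand with, for example, `dig +short TXT _dmarc.example.com.au`) and reports the weak settings a review should catch, such as an SPF record ending in `+all`, a DMARC policy of `p=none` with no reporting address, or a DKIM record whose public key has been blanked. The domain and all record strings below are constructed samples.

```python
"""Check SPF, DKIM and DMARC record text for weak settings.

Added example, not code from the original article. It inspects record text
only; fetch the records first, for example:

    dig +short TXT example.com.au
    dig +short TXT _dmarc.example.com.au
    dig +short TXT selector1._domainkey.example.com.au

The domain and every record below are constructed for illustration.
"""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 limit; more than this and receivers treat the record as an error

SAMPLE_RECORDS = {
    "spf_weak": "v=spf1 include:spf.protection.outlook.com +all",
    "spf_ok": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc_weak": "v=DMARC1; p=none",
    "dmarc_ok": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com.au",
    "dkim_ok": "v=DKIM1; k=rsa; p=CONSTRUCTEDKEYDATA",
    "dkim_revoked": "v=DKIM1; k=rsa; p=",
}


def _tags(record):
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    issues = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism, so unlisted senders are not rejected")
    else:
        # A bare 'all' means '+all': every server on the internet may send as this domain.
        if all_terms[-1][0] not in "-~":
            issues.append(f"'{all_terms[-1]}' lets any server send as this domain")
        if terms[-1] != all_terms[-1]:
            issues.append("terms after 'all' are ignored")
    # Top-level count only; nested include: records are not resolved offline.
    names = [t.lstrip("+-~?").split(":")[0].split("=")[0].lower() for t in terms[1:]]
    if sum(n in LOOKUP_MECHANISMS for n in names) > MAX_LOOKUPS:
        issues.append(f"more than {MAX_LOOKUPS} DNS lookups, record will fail")
    return issues


def check_dmarc(record):
    tags = _tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    issues = []
    policy = tags.get("p")
    if policy is None:
        issues.append("no p= policy tag")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports are received")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return issues


def check_dkim(record):
    tags = _tags(record)
    issues = []
    if tags.get("v", "DKIM1") != "DKIM1":
        issues.append("unexpected DKIM version tag")
    if not tags.get("p"):
        issues.append("empty or missing p= public key (key revoked or record broken)")
    if "y" in tags.get("t", ""):
        issues.append("t=y testing flag set, so receivers may ignore failures")
    return issues


def review_all(records):
    """Run the matching check for each record and return {name: [issues]}."""
    checkers = {"spf": check_spf, "dmarc": check_dmarc, "dkim": check_dkim}
    return {name: checkers[name.split("_")[0]](text) for name, text in records.items()}


if __name__ == "__main__":
    for name, issues in review_all(SAMPLE_RECORDS).items():
        print(f"{name}: {'; '.join(issues) or 'ok'}")
```

The SPF lookup count is a top-level count only, so a record that passes here can still exceed the limit once its `include:` records are expanded; a full check needs DNS resolution.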
For businesses using Microsoft 365, our Microsoft 365 support Melbourne team can help review account security, MFA, mailbox access and email protection settings.
7. Limit login attempts and monitor suspicious activity
WordPress login pages are constantly targeted by bots. Even if your password is strong, repeated login attempts can create unnecessary risk and noise.
Consider using security controls such as:
Login attempt limits
MFA for administrators
Activity logging
File change monitoring
Malware scanning
Blocking known malicious IP addresses
Alerts for new administrator accounts
Alerts for plugin or theme changes
The goal is not just to block attacks, but to notice suspicious activity early.
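Noticing the activity described here does not need a plugin if the web server access log is available. The following is an added example, not code from the original article: it reads Apache or Nginx combined-format log lines and relies on two pieces of standard WordPress behaviour, that a failed login POST to `/wp-login.php` re-renders the form with HTTP 200 while a successful one redirects with HTTP 302. It reports IPs with repeated failures inside a window, a successful login that follows such a run, and IPs hammering `xmlrpc.php`. The thresholds and every log line below are constructed for illustration.

```python
"""Spot repeated WordPress login attempts in web server access logs.

Added example, not code from the original article. Reads combined-format
access log lines and assumes stock WordPress login behaviour: a failed POST
to /wp-login.php returns 200, a successful one returns 302. Thresholds and
all log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

FAILED_LOGIN_THRESHOLD = 5   # failures from one IP inside WINDOW
XMLRPC_THRESHOLD = 20        # POSTs to xmlrpc.php from one IP
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Return the fields this check needs, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def analyse(lines):
    """Return brute-force candidates, successes that follow a run of failures, and xmlrpc abuse."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    xmlrpc = defaultdict(int)
    findings = {"brute_force": {}, "login_after_failures": [], "xmlrpc_abuse": {}}
    for e in events:
        if e["method"] != "POST":
            continue
        if e["path"] == "/wp-login.php":
            recent = [t for t in failures[e["ip"]] if e["ts"] - t <= WINDOW]
            if e["status"] == 200:
                recent.append(e["ts"])
                if len(recent) >= FAILED_LOGIN_THRESHOLD:
                    findings["brute_force"][e["ip"]] = len(recent)
            elif e["status"] == 302 and len(recent) >= FAILED_LOGIN_THRESHOLD:
                # A redirect after many failures is the case that needs a human to look.
                findings["login_after_failures"].append(e["ip"])
            failures[e["ip"]] = recent
        elif e["path"] == "/xmlrpc.php":
            xmlrpc[e["ip"]] += 1
    findings["xmlrpc_abuse"] = {ip: n for ip, n in xmlrpc.items() if n >= XMLRPC_THRESHOLD}
    return findings


def _line(ip, second, method, path, status):
    """Build one constructed combined-format log line at 02:14:<second>."""
    ts = f"10/Jun/2024:02:14:{second:02d} +1000"
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed: one IP fails six times then gets a redirect, one staff member logs in
# normally, and one IP posts to xmlrpc.php twenty times.
SAMPLE_LOG = (
    [_line("203.0.113.5", s, "POST", "/wp-login.php", 200) for s in (1, 3, 5, 8, 11, 15)]
    + [_line("203.0.113.5", 20, "POST", "/wp-login.php", 302)]
    + [_line("198.51.100.7", 30, "GET", "/contact/", 200),
       _line("198.51.100.7", 40, "POST", "/wp-login.php", 302)]
    + [_line("203.0.113.9", s, "POST", "/xmlrpc.php", 200) for s in range(20)]
)


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The 200 versus 302 distinction is the stock behaviour; a login plugin that changes the login URL or response codes needs the path and status checks adjusted, and running this against the real log (`analyse(open("access.log"))`) is the quickest way to confirm what the site actually returns.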
8. Secure your domain and DNS
Your domain name is one of your most important digital assets. If an attacker gains control of your domain registrar or DNS, they can redirect your website, intercept email or damage your brand.
Make sure your domain registrar account has:
A strong unique password
MFA enabled
Correct recovery email details
Limited access for third parties
Registrar lock enabled where available
Current billing details so the domain does not expire
You should also know who manages your DNS. In many small businesses, DNS access may be sitting with an old web developer, marketing provider or hosting company.
9. Remove unnecessary plugins, themes and old pages
Old website components are easy to forget. A plugin that was used for one campaign two years ago might still be installed. A test landing page might still be indexed. An old form might still send email.
Regularly clean up:
Unused plugins
Unused themes
Old admin users
Old staging sites
Test pages
Outdated landing pages
Broken forms
Old API keys
Unused tracking scripts
A simpler WordPress site is usually easier to secure, maintain and recover.
10. Have an incident response plan
If your WordPress site is hacked, speed matters. You do not want to be working out who has the hosting login, who manages DNS and where the backups are during the incident.
Your business should know:
Who to contact if the website is hacked
Who has hosting and WordPress admin access
Where backups are stored
How quickly the site can be restored
Whether customer data may be involved
Whether Google, customers or regulators need to be notified
How to reset passwords and remove unknown users
How to check whether email accounts were also compromised
A hacked website is often not just a website problem. It can affect your email, reputation, search rankings, advertising campaigns and customer trust.
If you are unsure whether your business has the right controls in place, Intuitive Strategy offers cyber security support for Melbourne businesses across websites, email, cloud accounts, endpoints and business systems.
Quick WordPress security checklist
Use this as a simple starting point:
WordPress core is up to date
Plugins and themes are updated
Unused plugins and themes are deleted
Every admin has a unique login
MFA is enabled for administrators
Old users have been removed
Backups are automated and stored offsite
Restore process has been tested
Hosting account is protected with MFA
Domain registrar account is protected with MFA
DNS access is known and controlled
Contact forms are protected from spam
SPF, DKIM and DMARC are configured
Website activity is monitored
A response plan exists if the site is compromised
Final thoughts
WordPress security is not about one plugin or one setting. It is a combination of good website maintenance, reliable hosting, strong access control, secure email, tested backups and clear responsibility.
For small businesses, the most important step is to stop treating the website as separate from the rest of the IT environment. Your website, email, domain, staff accounts and cloud platforms are all connected.
If you need help reviewing your website, email security or broader business cyber security setup, contact Intuitive Strategy for practical cyber security consulting and IT support in Melbourne.