How Secure is Your Website?

The hackers are becoming more sophisticated every day and, sadly, hacking is the only real growth industry around today.

This is a fun quiz, but it also provides some good pointers to ways you can improve the security of your website. When you click ‘Finish’ at the end your results will be displayed, with correct answers framed in green and incorrect ones in red, along with some tips and hints.

Let’s play!



#1. Do you back up your WordPress website?

Having a clean backup of your entire website is the quickest and best way to recover from a hack, so I would definitely recommend that you take regular backups of your WordPress installation!

#2. If you do take backups, are they run on an automated schedule?

I would definitely recommend setting up an automated backup schedule for your website. At least you will have an up to date version backed up!

Good security plugins enable you to set up an automated schedule and download the backup file to off line or cloud storage.

Here’s the plugin I use for this.

#3. How often is your website backed up?

If your site content is being updated regularly you should really be doing daily backups.

A weekly backup is OK if you’re not updating your content often. Even though your content is not being updated, your site software is being updated (or should be!), and you need to be capturing those updates in your backups, so I would recommend at least a weekly backup.

#4. Where are your website backups stored?

You should not be storing your backups on the server with your website.

For one, if the site is hacked the hackers can hack your backups as well. And for two, if the server melts down or is destroyed by an earthquake or tsunami, you would lose your backups.

So I recommend storing your backups on off-line or cloud storage.

A good backup plugin will automatically download your backup files as soon as they are complete to a range of different cloud storage services.

The plugin I use sends files to 9 different services.

#5. Have you practiced restoring your website?

It would be a good idea to practice restoring your website!

Most people whose sites are hacked feel violated, angry and confused. This is not a good state of mind in which to make sensible decisions about what to do next, so the confidence that you can restore your website quickly will lessen the stress you are under.

#6. Where do you find plugins to install?

Two things to keep in mind here:

  1. The primary route through which hackers successfully attack WordPress websites is through plugins – by a very long way.
  2. When you install a plugin on your site you are effectively allowing someone else access to your website’s code, so they had better be trustworthy!

As a result, it is critical that you install reliable, tested and approved plugins, which you can only get via the WordPress repository or from buying premium plugins from reputable, professional developers.

More details here.

#7. How often do you check your site for updates (plugins, theme and WordPress itself)?

You should really check your site for software updates each day.

90% of plugin updates are security enhancements that are developed to fix a vulnerability. Leaving an unpatched plugin with a known vulnerability on your website is just asking for the hackers to take advantage of it by hacking your website.

If you don’t have the time to check the sites you’re managing every day you may want to consider this:

Website Security Plans.
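As an added example (not code from the quiz page or from any plugin the author uses), here is a WP-Cron task that does the daily check for you and emails the site's admin address whenever core, a plugin or a theme has an update waiting. It uses only standard WordPress functions and assumes a normal single-site install; the hook name is a constructed placeholder.

```php
<?php
// Added example: daily update check via WP-Cron. Drop into the active
// theme's functions.php or a small mu-plugin.

const QUIZ_UPDATE_CHECK_HOOK = 'quiz_daily_update_check'; // constructed name

// Schedule once; wp_next_scheduled() stops duplicate events stacking up.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( QUIZ_UPDATE_CHECK_HOOK ) ) {
        wp_schedule_event( time(), 'daily', QUIZ_UPDATE_CHECK_HOOK );
    }
} );

add_action( QUIZ_UPDATE_CHECK_HOOK, 'quiz_report_pending_updates' );

function quiz_report_pending_updates() {
    // get_plugin_updates() and friends live under wp-admin, which is not
    // loaded during a cron run, so pull the files in explicitly.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/update.php';

    // Refresh the update transients so today's data is compared, not
    // whatever the last dashboard visit happened to cache.
    wp_version_check();
    wp_update_plugins();
    wp_update_themes();

    $lines = array();
    foreach ( get_plugin_updates() as $plugin ) {
        $lines[] = sprintf( 'Plugin %s: %s -> %s', $plugin->Name, $plugin->Version, $plugin->update->new_version );
    }
    foreach ( get_theme_updates() as $theme ) {
        $lines[] = sprintf( 'Theme %s: %s -> %s', $theme->get( 'Name' ), $theme->get( 'Version' ), $theme->update['new_version'] );
    }
    foreach ( (array) get_core_updates() as $core ) {
        if ( 'upgrade' === $core->response ) {
            $lines[] = sprintf( 'WordPress core: %s -> %s', get_bloginfo( 'version' ), $core->current );
        }
    }

    if ( empty( $lines ) ) {
        return; // nothing pending: stay quiet
    }
    wp_mail(
        get_option( 'admin_email' ),
        sprintf( '[%s] %d update(s) waiting', get_bloginfo( 'name' ), count( $lines ) ),
        implode( "\n", $lines )
    );
}
```

WP-Cron only fires when the site receives traffic, so on a quiet site the daily event may slip; a real system cron hitting wp-cron.php removes that dependency.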

#8. Do you have inactive plugins on your website?

You should not leave inactive plugins on your website.

One of the principles of good security is to leave the hackers with the smallest target possible, which means removing all excess code from your website.

An inactive plugin is ‘excess’ code, because it’s not being used. So it should be removed in order to present the hackers with the smallest target possible.

#9. Do you use 2 Factor Authentication (2FA)?

You should use Two Factor Authentication (2FA). It is one of the strongest steps you can take to secure your website.

2FA verifies who you are using two separate factors: something you know (your password) and something you have (the device displaying the one-time code).

Unless the hacker also has your phone or your email account and can therefore pick up the one-time code, this is a highly effective way to protect your account.

More details here.

#10. How many Administrator level user accounts are there on your site?

You should have no more than one Administrator level user account on your website.

This follows the principle of least privilege. The Administrator level user account allows whoever is using it total control over your website, so if it’s in the hands of a hacker it’s curtains – your site is done for.

In some cases it may be necessary to have two (or more) users with Administrator level accounts because of the functions they need to perform. If so, you can manually restrict the screens they see by adding a filter to your functions.php file.

If you need to do this but are not sure how contact me – I’ll explain what you need to do.
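One way to do what the paragraph above describes, as an added example rather than the author's own snippet: it hides selected wp-admin menus for named secondary Administrators and then refuses those screens outright. The login name 'second_admin' is a constructed placeholder, and the code uses the real WordPress actions admin_menu and admin_init rather than a single filter.

```php
<?php
// Added example, not code from the quiz page. Drop into the active
// theme's functions.php or a small mu-plugin.

// Constructed placeholder: user_login of each restricted Administrator.
const QUIZ_RESTRICTED_ADMINS = array( 'second_admin' );

// wp-admin file names these users must not open.
const QUIZ_RESTRICTED_SCREENS = array(
    'plugins.php', 'plugin-install.php', 'plugin-editor.php', // adding code
    'theme-editor.php',                                       // editing code
    'users.php', 'user-new.php',                              // creating admins
    'options-general.php',                                    // site settings
);

function quiz_is_restricted_admin() {
    $user = wp_get_current_user();
    return in_array( $user->user_login, QUIZ_RESTRICTED_ADMINS, true );
}

// Step 1: hide the menu entries. Priority 999 runs after core has built the menu.
add_action( 'admin_menu', function () {
    if ( ! quiz_is_restricted_admin() ) {
        return;
    }
    remove_menu_page( 'plugins.php' );
    remove_menu_page( 'users.php' );
    remove_menu_page( 'options-general.php' );
    remove_submenu_page( 'themes.php', 'theme-editor.php' );
}, 999 );

// Step 2: hiding a menu is cosmetic; the screen still answers a typed URL.
// admin_init runs on every wp-admin request, so refuse the page there.
add_action( 'admin_init', function () {
    global $pagenow;
    if ( quiz_is_restricted_admin() && in_array( $pagenow, QUIZ_RESTRICTED_SCREENS, true ) ) {
        wp_die( 'This screen is not available for your account.', '', array( 'response' => 403 ) );
    }
} );
```

These hooks only gate wp-admin screens: the account keeps every Administrator capability, so the REST API, XML-RPC and WP-CLI are unaffected. A custom role holding only the capabilities the person needs is the stronger fix and matches the least-privilege principle the question describes.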

#11. Do you use a comprehensive security plugin (like Wordfence or iThemes Security)?

I do recommend using one of the comprehensive security plugins.

The best security plugins are developed by teams who know WordPress intimately and these plugins extend protection into all corners of your website.

Here’s the security plugin I use.

#12. Is your username ‘admin’?

I strongly advise you to change it!

The hackers know that the default Administrator username for WordPress websites is ‘admin’, so if you’re using that as your username you’ve done half the hacker’s job for them.

I strongly recommend that you:

  1. Set up a new Administrator level user account on your website with a different user name and check that it’s working.
  2. Log in with the new Administrator login details and delete the user account with the user name ‘admin’.

#13. What password do you use?

You should be using a unique password with at least 12 characters.

The strength of a password is defined solely by its length. It’s pure mathematics.

I wrote a detailed post to explain how important the length of your password is in protecting your website:

Read it here.

#14. Do you use the same password on different accounts?

You should not be using the same password on different accounts!

However strong a password may be, the instant you use it on a second account it is no longer secure.

This article explains why.

#15. Do you use a password manager?

I strongly recommend you use a password manager.

A password manager remembers all your passwords for you and logs you in to all of your accounts with one click. Better still, it finds duplicated passwords so you can change them and creates unique, secure passwords for you (and remembers them) whenever you need to assign one to an account.

The only password you need to remember is the master password for the password manager.

This article explains password managers.

#16. Which type of hosting company do you use?

You should be using a hosting company that fully supports WordPress.

The hosting company you use has the biggest impact of all the factors on the stability, speed and security of your website.

A hosting company that fully supports WordPress will be keeping their servers properly updated with security patches, and will have implemented good security processes to prevent cross-site contamination.

My WordPress agency business has used Siteground for some years now to provide fully secure, WordPress supported hosting for our clients.

Here is some more information.