The most vital step you can take for hack prevention on a wordpress website is to keep all of your plugins, themes and WordPress as up-to-date as possible. Hackers are discovering vulnerabilities in plugins even as I write this. Vulnerabilities are largely why there’s a constant stream of plugin updates being released. So, if you keep things updated, you’ll be doing your part to minimize vulnerabilities hackers can exploit.
Keep Everything Up-to-date
First, Backup!
Many things can go wrong with an update, so better safe than sorry. I use UpdraftPlus and configure it (usually) to backup the database daily, keeping 14 backups, and the files weekly, keeping 2 backups. So at any point in time I can go back 2 weeks and restore a somewhat recent version of a website.
Right before doing any updates to wordpress, plugins or themes I do a quick manual backup so if the site borks out after an update I can restore the non-borked version.
Plugins
There’s an Update link next to any plugins that need an update, just click it (after you’ve backed up your plugins). If anything goes wrong simply restore the plugins backup to the way it was. You may need to restore the database too, depending. If your site can’t be accessed to restore the plugins backup login to your hosting account and use the file manager in cpanel to removed the new plugin folder and add back the previous plugin folder that worked.
Themes
Themes are definitely the update that will send your website sideways if any update does. First, your website should be running a child theme, not the original parent theme. A child theme is one built to hold theme modifications, so that updating the parent theme doesn’t overwrite the customizations you’ve made to the original theme. Let me know if you need one made – we can do it for you.
WordPress
WordPress will self-update when minor security updates are released, unless you’re running an old version of WordPress, then this might not necessarily be true. The more major WordPress feature updates must be done manually. If you don’t do the manual updates the security updates will cease – I’ve fixed many a website after it’s been hacked for this reason. So keep wordpress up-to-date.
Install a Security Plugin
I use Wordfence. You can do a little research to find the most recommended settings and configure the plugin that way. It will send you email alerts whenever a plugin or theme or wordpress needs to be updated, it will also send you an email if there’s been any suspicious activity. Since I started using Wordfence on all the websites I manage there has been very little hanky panky in the hacking department. And it’s getting better all the time. Knock on wood.