Don’t End Up With an M&S Style Hack. Here’s How to Keep Your WordPress Site Safe.
Marks & Spencer didn’t think it would happen to them either.
The M&S cyberattack made headlines for all the wrong reasons. Millions lost. Customers unable to place orders. A brand with decades of trust suddenly scrambling to explain why its systems had been compromised.
Now, your WordPress website probably isn’t processing the same volume of transactions as M&S. But the hackers targeting it don’t care. Automated bots don’t discriminate between a FTSE 100 retailer and a small business in Hertfordshire. They’re looking for unlocked doors. And WordPress, being the world’s most popular CMS, has more doors than most. That is why WordPress security is critical.
The good news? Most hacks are entirely preventable. Here’s what you need to be doing.
001 / Keep Everything Updated
Outdated plugins, themes and WordPress core files are the single biggest cause of hacked websites. Every update patches a known vulnerability. Every time you skip one, you’re leaving that vulnerability open.
This isn’t optional. It’s maintenance. If you’re not doing it, you’re not secure.
Quick Check: Log in to your WordPress dashboard right now. How many update notifications are sitting there? If it’s more than zero, you’ve got work to do.
002 / Use Strong Passwords and Two-Factor Authentication
‘admin’ as a username. ‘password123’ as a password. It sounds ridiculous. It’s also incredibly common. Brute force attacks — where bots hammer your login page with thousands of username and password combinations — work precisely because people use weak credentials.
Use a password manager. Enable two-factor authentication on your WordPress login. Change your admin username from ‘admin’ to something that can’t be guessed.
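To see whether bots are hammering your login page, you can count login attempts per IP address in your web server's access log. The script below is an added example, not part of the original article: it assumes the Apache/Nginx "combined" log format and log lines in chronological order, and the sample lines, threshold and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ip, timestamp, method, path from a "combined" format access log line
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3}')

def sample_log():
    """Constructed sample lines (documentation IP ranges, not real traffic)."""
    fmt = '{ip} - - [12/May/2025:{t} +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "-"'
    lines = [fmt.format(ip="198.51.100.7", t="10:00:01")]  # one ordinary login
    # 12 attempts in 44 seconds from one address: a burst
    lines += [fmt.format(ip="203.0.113.9", t=f"10:01:{s * 4:02d}") for s in range(12)]
    # 12 attempts spread over an hour: never 10 inside one minute
    lines += [fmt.format(ip="192.0.2.5", t=f"10:{m * 5:02d}:00") for m in range(12)]
    lines.append("garbage line that does not parse")
    return lines

def find_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: peak count} for IPs with >= threshold login POSTs in any window."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash
        ip, ts, method, path = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue  # only submitted login forms count as attempts
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, peak in find_bruteforce(sample_log()).items():
        print(f"{ip}: {peak} login attempts within one minute")
```

Point it at your own log by passing an open file instead of `sample_log()`. Any address it reports is a candidate for blocking or rate limiting at the host or security-plugin level.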
003 / Install a WordPress Security Plugin
Wordfence, Sucuri, iThemes Security — there are several solid options. A good security plugin will monitor your site for suspicious activity, block malicious login attempts, scan your files for malware, and alert you if something looks wrong.
It’s the digital equivalent of a CCTV system and a burglar alarm. You want both.
004 / Use a Reputable Managed Host
Not all hosting is created equal. Budget shared hosting often means shared servers with shared vulnerabilities. A good managed WordPress host handles server-level security, automatic backups, and malware scanning for you.
If your hosting costs you £3 a month, your security is probably worth about £3 a month too.
005 / Back Up Regularly — And Test the Backups
Even with every precaution in place, things can go wrong. A reliable, recent backup means the difference between a bad afternoon and a catastrophic week. Back up daily. Store backups offsite. And crucially — test that they actually restore. A backup you’ve never tested is a backup you can’t trust.
006 / Get a Security Audit
If you’re not sure how secure your site is — find out. A proper WordPress security audit will identify vulnerabilities, outdated software, weak configurations, and anything else that’s leaving you exposed. It’s not expensive. It’s considerably cheaper than dealing with a hack.
M&S had entire IT departments and still got caught out. You don’t need to be a target to become a victim. You just need to be unlocked.
We’re a WordPress web design and digital marketing agency in Hertfordshire. No waffle. Just results. thirtysixdigital.com