Lock Down Your Business with Strong Passwords – Introducing Proton Pass!

TL;DR

Weak passwords can lead to serious security breaches, as demonstrated by a recent incident where a client’s email was hacked, resulting in 4,500 spam emails. 

To prevent such issues, ONSiteWP recommends using a password manager. 

Our top recommendation is Proton Pass which we use every day.
It’s a secure and user-friendly tool that generates strong passwords and keeps them safe. 

Setting it up is easy, and it can significantly enhance your business’s security.


Hey there, ONSiteWP Clients and Friends!

We’ve got something important to share – and a heads-up from a recent close call. 

One of our clients had their email account hacked, and it turned into a spam factory. Over 4,500 spam emails were queued up on the server, ready to go. 

This didn’t just cause a mess – it slowed down Gmail delivery and even stopped some emails from reaching customers. When running a business, email delivery is crucial.

The culprit? A weak password. It’s a small slip that can snowball into big problems for your business. That’s why we’re strongly recommending all ONSiteWP clients and friends begin using a password manager, if you aren’t already.

Our top recommendation is Proton Pass.
It’s secure, user-friendly, and we’ve got an easy setup guide for you below – no tech know-how needed!

Why Weak Passwords Are Risky Business

Let’s keep it real. Weak passwords (like “password123” or your kid’s birthday) are an open invitation to trouble. Here’s what’s at stake:

  • Hackers Slip In: A flimsy password is a cinch for cybercriminals to crack, giving them access to your email or other accounts.
  • Spam Chaos: Once they’re in, hackers can hijack your email to send spam – like those 4,500 emails we saw. It’s a headache that can hurt your reputation with customers.
  • Email Trouble: Spamming can bog down Gmail or block your emails entirely. If customers don’t get your messages, you could lose business.
  • Data Theft: Hackers might snag sensitive stuff – customer info, invoices, you name it – putting your operation at risk.
  • Chain Reaction: Reuse that weak password elsewhere? One breach could unlock a bunch of your accounts.

Here’s a handy tool to check how long it takes to crack your password:
Password Strength Meter

A solid password manager like Proton Pass is the fix for weak passwords.
It generates strong passwords and keeps them safe, so you don’t have to stress.

We’re big fans of Proton Pass because it’s simple, super secure, and built to protect your privacy. 

Think of it as a vault for your passwords – only you have the key. It’s free to start, and we’ve got a no-tech-skills-needed guide to get you going.

Your Simple Guide to Setting Up Proton Pass

You don’t need to be a tech guru – just follow these steps, and you’ll be set in minutes.

  1. Visit the Site
    Open your browser (Chrome, Safari, whatever you use), head to Proton Pass, and click “Get Proton Pass Free” to kick things off.

  2. Sign Up – Easy Peasy
    • Hit “Create an Account.”
    • Choose a username (something memorable – maybe your business name with a twist).
    • Set a strong master password – the only one you’ll need to remember. Try something like “MyBusiness2025!” (mix letters, numbers, and symbols).
    • Enter your email and click “Create Account.” Check your inbox for a confirmation email and click the link to finish up.

  3. Get Proton Pass Installed
    • After signing up, Proton Pass will prompt you to download it.
    • On your computer, add the browser extension (works with Chrome, Firefox, etc.). Click “Add to [Your Browser]” and follow the quick steps.
    • On your phone? Find “Proton Pass” in the App Store (iPhone) or Google Play (Android) and tap “Install.”

  4. Log In and Let It Roll
    • Open the app or extension and sign in with your username and master password.
    • When you log into a site (like your email or client portal), Proton Pass will ask to save your details. Say yes, and it’s locked away safely.
    • Next time, it’ll autofill your login – no more typing!

  5. Make Strong Passwords
    • Need a new password? Click the Proton Pass icon, select “Generate Password,” and it’ll create a random, rock-solid one. Save it, and you’re done.
    • Swap out old weak passwords by logging into your accounts, generating a new one with Proton Pass, and updating it.

  6. Use It Everywhere
    • Proton Pass works on your computer, phone, tablet – wherever you do business. Sign in with the same username and master password, and your logins sync up seamlessly.

Done! You’ve now got bulletproof passwords, and your business is safer for it.

What’s Next for You?

We’re recommending Proton Pass to keep your business secure and running smoothly. It is our top choice, and if you’ve got questions or need help setting it up, just holler at the ONSiteWP team and we will be glad to help out.

Let’s kick weak passwords to the curb and keep the hackers out.

Best,

The ONSiteWP Team

The Importance of WordPress Security and How We Safeguard Your Website

WordPress is the backbone of over 43% of websites worldwide, from small blogs to enterprise platforms. Its popularity, however, comes with a catch:
it’s a prime target for cybercriminals.
 
A single security breach can compromise your data, disrupt your business, and erode customer trust—risks no website owner can afford.
 
At ONSiteWP Managed WordPress Hosting, we believe robust security isn’t optional; it’s foundational.
 
Here’s why WordPress security matters and how our managed hosting keeps your site safe.
 
Why WordPress Security Is Non-Negotiable

  • Widespread Use, Widespread Risk: With millions of WordPress sites live, hackers have a vast playground to exploit outdated software or weak configurations.
  • Business Impact: A hacked site can lead to lost revenue, SEO penalties from Google, or costly downtime—sometimes costing thousands to recover.
  • User Trust: Customers expect their data to be secure. A breach can turn loyal visitors into wary skeptics overnight.

The stakes are high, but the good news? With Managed WordPress Hosting, you don’t have to face these threats alone.
 
How We Safeguard Your WordPress Website
Our ONSiteWP Managed WordPress Hosting is built from the ground up to protect your site, so you can focus on growing your business—not fighting hackers.
 
Here’s how we do it:
  1. Regular Updates, Zero Hassle
    Outdated WordPress core, themes, or plugins are the top entry points for attacks. We handle all updates for you—pushing minor patches instantly and testing major releases to ensure compatibility. Your site stays secure without you lifting a finger.

  2. Fortress-Level Access Protection
    Weak passwords are a hacker’s dream. We enforce strong, unique credentials and offer optional two-factor authentication (2FA) for every login. Plus, we can ditch the default “wp-admin” URL for a custom one, thwarting brute-force bots.

  3. Enterprise-Grade Infrastructure
    Our servers are locked down with Web Application Firewalls (WAF), DDoS protection, and real-time malware scanning. Hosted on isolated VPS environments—not overcrowded shared servers—your site enjoys maximum performance and security.

  4. Daily Backups, Instant Recovery
    Mistakes happen. Hacks happen. We’ve got you covered with automated daily backups stored securely off-site. If disaster strikes, we’ll restore your site to its pre-attack state in minutes.

  5. Proactive Threat Detection
    Our security suite scans your site daily for vulnerabilities, malware, and suspicious activity. If a plugin turns risky or a file looks fishy, we neutralize the threat before it escalates.

  6. Free SSL Certificates
    Encryption isn’t optional—it’s standard. Every site we host gets a free SSL certificate, ensuring data between your visitors and your server stays private and secure.

  7. Hardened Defenses
    From disabling PHP error displays to locking down critical files like wp-config.php, we minimize attack surfaces so hackers hit dead ends.

Security You Can Trust, Support You Can Count On

With ONSiteWP Managed WordPress Hosting, security isn’t an add-on—it’s baked into every plan.
Our expert team monitors your site 24/7, ready to step in if anything goes wrong. Whether it’s a sudden spike in traffic or a sneaky malware attempt, we’ve got your back.
 
Ready to stop worrying about WordPress security?

Sign up today and let ONSiteWP Managed WordPress Hosting safeguard your website, so you can focus on what matters most—building your online success.
 
WordPress Ransomware Protection

One of the most frequently asked questions we get is how to protect a WordPress website from ransomware. It is a two-part answer. First, keep your site software updated to reduce the possibility of known bugs that hackers will exploit. Second, and this is very important, keep a backup copy of your website.

What Is WordPress Ransomware?

Let’s start with the definition of ransom:

Ransom: a sum of money or other payment demanded or paid for the release of a prisoner.

In the case of ransomware, the prisoner is your website.  Ransomware is a type of malware that scrambles the content of your website. The only way to recover your site is to pay the hackers a fee for them to undo the damage. We are talking real money, perhaps thousands of dollars.

How is Ransomware Installed?

The most common way ransomware is installed on a WordPress site is through a bug in WordPress or a WordPress plugin. Which one, you may ask? The real answer is that it’s a moving target.

WordPress updates are released to fix bugs. If you aren’t applying these updates, then you could be leaving a known security hole in your website. It’s very important that you stay current on the security fixes released for WordPress, your plugins, and your theme.

If the number of updates to your website is overwhelming, we recommend subscribing to WordPress Support Services so that specialists can do the WordPress updates for you on a regular basis.

Should I Pay the Ransom?

Experts disagree whether paying the ransom is a good idea. When you send money to these unscrupulous criminals, there is no guarantee they will follow through and decrypt your website. The most obvious reason is that they are bad dudes. They have your money so why would they care to do extra work?

The second reason is that when hackers use free email addresses like Gmail, Yahoo, or Hotmail, known as throwaway accounts, the abuse teams at the email providers disable malicious accounts to stop the criminals from collecting income. You are caught in the middle, having paid into an anonymous overseas bank account but with no way to contact the criminals to get the unlocking code.

Can My Website Be Fixed Without Paying Ransom?

YES, there is a solution! Your website can be restored from a backup. The major caveat is that you must have been performing regular backups before your website gets hacked. There are free backup plugins to help with this. We recommend UpdraftPlus.

Here is the second important point. Your backups should be offsite. This means your backups should not be stored on the same server as your website. If the hackers can mess up your website, they can mess up any file in your account, including your backups. By sending your backups to Dropbox, Google Drive, or Amazon S3 storage, you put your backup copy out of reach of the ransomware program.

The folks at WordFence agree on the need for off-site backups in this post:
Ransomware Targeting WordPress – An Emerging Threat

It is important that you don’t store your backups on your web server. If, for example, they’re stored in a ZIP archive on your server, then if your site is taken over by this ransomware, the backups will also be encrypted and will be useless. 

Who Can Help Me?

As you have read, there are a lot of considerations that need to be made to keep your website secure. We understand not everyone is a WordPress security expert. OnSiteWP has developed our WordPress maintenance service to provide businesses with the essential security, updates, and backups needed for responsible website ownership. A lot of time and money have gone into building your website. Protect that investment with one of our WordPress maintenance service plans. We take care of the technical IT issues so that you can focus on your business.

Get more info on our WordPress Support Services here:
Buy Now – Stay Secure

Do I Need An SSL Certificate For My Website?

My name is Kim and I have a blog. I love blogging! EXCEPT, all of the techie stuff that goes along with being a website owner.

As my blogging friends started talking about a certificate for SSL…what?!? I started to panic because I didn’t have a clue about the topic!
I began asking myself the questions: what is it and do I need an SSL certificate for my website?

Being clueless, I didn’t have the answer.
So I asked my techie-that-speak-plain-English-friends, Mark and Brian at OnSiteWP, to help me figure the whole thing out!

An SSL Certificate And Why My Website Needs One

My superhero techie friends explained that Google is working to make the internet a more secure place by encouraging website owners to add an SSL certificate to their websites.

I learned that a Secure Sockets Layer (SSL) certificate is actually a small data file that creates a secure connection between a website (server) and a user’s computer (browser).

It’s sort of like jumbling up information (also known as encryption) so as the data travels, hackers can’t read it and do totally rotten things to innocent people who are visiting cool websites all over the internet!

Years ago, websites that performed ecommerce/banking transactions were the only ones that had SSL certificates … but now it is becoming the norm that every website has one.

Because Google’s algorithm is a big secret, not many people really know how much of a role an SSL certificate plays as far as Google’s SEO ranking factors are concerned, but they were talking about it as early as 2014!

I Care About What Google Thinks About My Website

Because it is a ginormous search engine, I REALLY care about how Google sees my website.

I realized that before I had my site secured, a user landing on my website would see a warning indicating my website was not secure. THAT’S FREAKY!!!

I don’t want anyone to get the impression my website is shady and a bad place to hang out!
For the love of all mankind, I have a fun family-friendly website about camping and eating awesome food while out in the wilderness!!!

There is nothing dubious happening and I don’t want my visitors or Google to think otherwise!
Now my URL looks like this:
https://www.campingforfoodies.com/

See that “s” after the http? See the cute little lock in the address bar on the site?
See the word “secure”? Those are signals to the world and Google that my site is secure and safe!

I Heard Rumors Of Websites Disappearing From Google After Adding An SSL Certificate

I have to admit that even though the answer to my question: Do I Need An SSL Certificate For My Website? was a resounding YES … I was still nervous about making the change.

The reason was, I have a bunch of blogger friends who were ranking on page 1 of Google and then suddenly were not even found after they converted their sites to SSL.

Chrome Version 62 to Show Security Warnings on HTTP Pages Starting in October 2017

I get a fair amount of visitors to my website because of organic searches performed by people who want to learn about camping, are looking for awesome Dutch oven recipes, and searching for the perfect gift for someone who loves camping. 
I didn’t want them to disappear.

YOU ARE NEVER GOING TO GUESS WHAT HAPPENED TO ME!!!!!
As I sat next to Brian while he did his techie-magic to make my website secure, I just about chewed my fingernails off worried my website would be invisible to Google when it was all over.

Instead of my fears coming true, this is what I found…

[Image: My Website Remained on Page 1 of Google after adding an SSL Certificate]

My website REMAINED ON PAGE ONE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

That is a really good thing because some really fun family who has no idea how many charcoal briquettes are needed to cook their Dutch oven camping dinner was able to get the answer from my website and they didn’t have to eat gross hot dogs on their first RV camping trip!

My Advice To Your Question: 
“Do I Need An SSL Certificate For My Website?”

In the end, I am sooooooooooo glad my website is secure and my Page 1 Google rankings didn’t miss a beat … all because I trusted my superhero techie-that-speak-plain-English-friends, Mark and Brian to secure my website!

If you have not secured your site, call my superheroes Mark and Brian at OnSiteWP to do it for you.
I have no doubt, you’ll be glad you did!

I’m signing off for now because the mountains are calling and I must go!
Happy camping my friends!

The Importance of WordPress Backups

Having a good, restorable backup copy of your website is something that OnSiteWP cannot stress enough. It’s why we include WordPress site backups with all of our maintenance packages. One of the frequently asked questions we receive is why we perform backups when your hosting company is also doing backups. The answer is very simple: redundancy. Even the top names in web hosting make mistakes. It’s best to have the insurance of your own backup copy.

At some point in the lifespan of your website, you’re likely to experience a failure. We regularly see people reaching out for help on the internet when their website goes down. The story I’m about to annotate is typical and yet lucky, because the original poster was keeping a backup.

Our poster contacted the technical support at his web hosting company. First line support tried to help but didn’t give a very satisfactory answer. I don’t blame tech support for this. They are great at performing tasks within their purview such as resetting your cpanel password but they are generally not WordPress experts.

The first commenter (in blue) did a good job at confirming the problem. All of his core WordPress files are gone!

Luckily, the original poster has found a calm and rational person to work through the issue with him. On the Internet you’re likely to get a full smorgasbord of opinions on how to solve your problem.

We see the original poster go through the phases of grief by asking “how can files suddenly disappear?” Unfortunately there are many ways. It could have been user error, an accidental bug in the software, or a malicious script taking advantage of vulnerable plugins. While not likely the culprit in this case, corrupt filesystems and hardware errors are also ways to lose files in a catastrophic way.

VaultPress is a backup plugin and subscription service for WordPress. Our original poster saved his tail and thousands of dollars of web developer time by restoring his website instead of needing to start from scratch.

This is the time to ask yourself: Do you keep good, up-to-date copies of your website?

At OnSiteWP we use a different backup plugin than VaultPress, but the concept is the same. We make regular backup copies of your website and save them to a safe storage area outside of your web hosting account. This way, even if your entire WordPress site were to be deleted, we have a copy of it that can be restored.

We understand that business owners don’t want to be IT people. Contact OnSiteWP today to inquire how we can manage your website while you run your business.

Is Your Username a Security Hole?

WordPress Security Alert:

One of the new features of the recent WordPress 4.7 update is the REST API which is being hailed as the NEXT BIG THING for the WordPress platform.
Of course that remains to be seen.

So what exactly is this REST (JSON) API and what does it do?
In short, it is a connector between WordPress and other software applications which is characterized by universality and high compatibility.

Universality and high Compatibility. That is the takeaway.
The WordPress REST API is revolutionary because it enables WP to communicate with other web properties no matter what programming language they’re written in. This is a Big Deal.

That’s the Good News.

Here’s the bad news.
Parts of this new API on your site are potentially available to anyone on the internet.
This means that the new WordPress REST API allows anonymous access to some features of your WordPress website.
What?
One of the functions that it provides is that anyone can list the users on a WordPress website without registering or having an account.
This is not a good thing. 
It allows anyone to list all users that have published a post and view the Userid, Username, Gravatar Hash and Website URL.

Really Not Good!

The awesome folks from the WordFence Security plugin were the first to bring this to our attention.

You can read the post here:

https://www.wordfence.com/blog/2016/12/wordfence-blocks-username-harvesting-via-new-rest-api-wp-4-7/

So why is this a security alert and why is having your username publicly visible not a good thing?

Your username is 50% of your login info.
If a hacker or bot has your username, they only need to run password cracking scripts to try to guess the password.
Knowing your username gets them 50% of the way to breaking into your website.
That is the reason for this security alert.

Security Tip: Never display your username publicly.

Another way your username can be viewed publicly is simply due to lack of user knowledge.
Every WordPress user has a username and a nickname.

Users must have a username, but don’t necessarily need a nickname. Your nickname is what is displayed on every blog post and author bio.
If no nickname is chosen, WordPress defaults to the username and inserts that into the nickname field.
If you haven’t changed your nickname, your username is automatically inserted and therefore displayed.
Again, not good.

We always recommend using a different name for your nickname (the publicly displayed name) than your username.

If you want to see if your usernames are publicly available using the REST API,
just enter your site url in the field below.

Enter URL:

If your usernames are not displayed, then congratulate yourself or your web developer.

You have good security practices/features in place.

If you can see your usernames, then as quickly as you can, install the WordFence Security plugin.
Then go to your admin user area and add a different nickname to your user.

Another option is a recent update to iThemes Security which now has the ability to turn off the REST API functionality in WordPress.
You can read about it here: Restrict WordPress REST API with iThemes Security.
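
The check described above can also be run by hand. The following is an added example, not code from OnSiteWP or WordFence: it reads the JSON that the WordPress `/wp-json/wp/v2/users` route returns and reports, for each listed user, the slug (normally derived from the login name), whether the public display name gives that login away, and any Gravatar hash. Both sample responses are constructed for illustration, and `fetch_users` is a hypothetical helper name.

```python
import json
import re
import urllib.error
import urllib.request

# Constructed sample: what an anonymous GET of /wp-json/wp/v2/users can
# return when the listing is open (all values are made up).
SAMPLE_EXPOSED = json.dumps([
    {"id": 1, "name": "siteadmin", "slug": "siteadmin",
     "url": "https://example.com",
     "avatar_urls": {"96": "https://secure.gravatar.com/avatar/"
                           "0123456789abcdef0123456789abcdef?s=96"}},
    {"id": 2, "name": "Jane Author", "slug": "jane-login",
     "url": "", "avatar_urls": {}},
])
# Constructed sample: a site that refuses the anonymous listing.
SAMPLE_RESTRICTED = json.dumps(
    {"code": "example_restricted", "message": "Not allowed.",
     "data": {"status": 401}})

GRAVATAR_RE = re.compile(r"/avatar/([0-9a-f]{32,64})")


def _norm(text):
    """Lower-case and drop punctuation/spaces so 'Site Admin' == 'site-admin'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def audit_users(body):
    """Return (exposed, findings) for one response body from the users route."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, []          # HTML error page, empty body, etc.
    if not isinstance(data, list):
        return False, []          # JSON error object: listing is restricted
    findings = []
    for user in data:
        if not isinstance(user, dict):
            continue
        slug = str(user.get("slug", ""))
        name = str(user.get("name", ""))
        avatars = user.get("avatar_urls")
        urls = avatars.values() if isinstance(avatars, dict) else []
        hashes = sorted({m.group(1) for m in
                         (GRAVATAR_RE.search(str(u)) for u in urls) if m})
        findings.append({
            "id": user.get("id"),
            "slug": slug,
            "display_name": name,
            # True when the public name is just the login-derived slug.
            "display_name_leaks_login": bool(slug) and _norm(name) == _norm(slug),
            "gravatar_hashes": hashes,
        })
    return bool(findings), findings


def fetch_users(site_url, timeout=10):
    """Hypothetical helper: fetch the users route of a site you administer."""
    url = site_url.rstrip("/") + "/wp-json/wp/v2/users"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")   # e.g. a 401 JSON error


if __name__ == "__main__":
    for label, body in (("open", SAMPLE_EXPOSED), ("restricted", SAMPLE_RESTRICTED)):
        exposed, findings = audit_users(body)
        print(label, "-> usernames exposed:", exposed)
        for f in findings:
            fix = "set a different nickname" if f["display_name_leaks_login"] else "ok"
            print(f"  id={f['id']} slug={f['slug']!r} name={f['display_name']!r} ({fix})")
```

A user flagged with `display_name_leaks_login` is the case the nickname advice above addresses; a result of `(False, [])` means the anonymous listing is not being served.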

We always recommend updating WordPress, Themes, and Plugins.
Many updates are plugs for security holes.
In the case of WordPress 4.7 we still recommend updating, but make a few changes and you will be covered.

Staying on top of security news and potential threats is what we do.
That is our job.
We also keep your website up to date so you don’t need to be concerned with this stuff.
You can focus on growing your business instead.

For plans and pricing go here:

Website Maintenance Pricing
