SMALL BUSINESS TIP #7: WordPress Website Security Tips
If you’re worried by the time you read these website security tips, then I’ve accomplished what I set out to do. I’m not typically a fear monger, but in this case, I want to shake you up enough to be proactive.
You’ve probably heard the term “hacker” before. You may even know someone who got hacked. But, do you know what this really means?
A hacker is a species of vermin that lives throughout the world, breaks into your website and wreaks havoc, typically by inserting malicious code. Why do they do it? It could be one of the following reasons:
- To send spam
- To steal your data (especially email addresses so they can send more spam)
- To redirect your visitors to a website of their choice
- To broadcast obscene or illegal content to your visitors
- To turn your site into a weapon that destroys other innocent websites
- To completely destroy your site…just because they can
If you’d like to learn more about cybercrime, take a moment to read this article—Cybercrime: 5 Things You Need to Know
Just like the vermin that can infest your house, it’s crucial to stop the hackers from ever getting in, because it’s REALLY difficult to get them out and they can permanently destroy the reputation of your URL.
WordPress sites are a popular target for hackers. Why? It’s estimated that 24% of websites are WordPress sites—so if they figure out how to get in, they can get into A LOT of websites. WordPress is also “open source,” which means that the code used to run it is visible to everyone. Although WordPress has a diligent team dedicated to foiling hackers, you are in no way relieved from taking action to protect yourself. If a hacker finds a vulnerability before WordPress does, the hacker wins.
Back in 2015, the leading security provider for WordPress websites, Wordfence, stated that there was an “approximate doubling of brute force attacks on WordPress sites”—from 10,000 to about 20,000 per minute. And, this is not even the highest they’ve seen. Three entities are doing the attacking—individual humans, a single robot or a “botnet” (a group of robots). The human is the rarest.
Access points (or doors) into your website include:
- Login page
- PHP code (in your WordPress theme, plugins, etc.)
- User accounts
- Plugins (mostly outdated or abandoned ones)
- Temporary files
- Hosting account, server and operating system
I’ll never forget the day I went to log in to one of my personal WordPress websites and saw a dreaded white screen with a blunt message:
“Error accessing database. Please contact your server.”
It turns out there was a rash of brute force attacks against my website host and it went into ninja mode. I was proud that not a single vermin was able to get into any of my sites and a simple server reset was all that was needed to fix what could have been a tragedy.
I want you to be so fortunate, which is why I am sharing some important website security tips.
Website Security Tips
Here are several key website security tips that will help your site stand up against the bad guys:
- Make sure you have Privacy Protection on your domain. Security starts when you purchase and register your domain. Make absolutely sure you pay the additional fee, which will need to be renewed annually, for Privacy Protection. The long-term costs of not doing so can be significant.
- Secure your site at the hosting level. Having an SSL certificate is no longer optional for reputable websites. It’s also a good idea to have an actual conversation with someone at your hosting company to make sure you are taking advantage of all the security options they offer.
- Use secure user names and passwords. Do not use the same user name and password for all of your logins, especially if it is some variation of a pet, child or maiden name with your birth year thrown in for good measure. Do use passwords that make your head spin—recommendations are for a minimum of 12 characters (a mix of upper and lower case, special characters and numbers). I highly recommend you use a password manager and use their Password Generator to come up with ones that cannot be cracked.
- Use a reCaptcha plugin. Using a reCaptcha plugin doesn’t even let the robot hackers have a chance at breaking in through your WordPress admin login or contact form(s). I recommend Invisible reCaptcha.
- Install a reputable and effective security plugin. The better ones scan your site to make sure it’s clean, then protect it against brute force attacks, malware, and spam. Some even speed up your site. Brute Force (part of the Jetpack plugin), Wordfence, and iThemes Security are three of the best.
- Make sure you have a full (and current) site backup that is not stored on your host server. A backup of anything is never a bad idea. Some website hosts offer this option for an extra fee, but many don’t, so it’s a mistake to assume your site is backed up. Make sure your site is being regularly backed up and the backup files are being stored off the server. Why off the server? I’ve seen hacking jobs that have completely destroyed everything in the hosting account, including the backup file. If you do get hacked and you have an uncorrupted backup file, getting back online is usually as simple as erasing everything that’s been corrupted and restoring your latest backup. We recommend UpdraftPlus. (Scheduled backups are part of our WordPress Security and Website Maintenance packages.)
- Perform regular maintenance on your site. Up-to-date plugins and the latest versions of WordPress and your WordPress theme are CRUCIAL. It’s said that 32% of websites are hacked due to a WordPress vulnerability and 40% through outdated plugins. By updating to current versions, you are closing doors into your website. (Staying up to date also ensures that your website is running faster, so you aren’t being punished by Google’s algorithm for being too slow.)
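To see what a brute force attack on the login page looks like from the site owner's side, here is an added example (not part of the original article and not code from any plugin named above) that reads web server access-log lines and flags both the single robot and the botnet patterns described earlier. It assumes the common "combined" log format; the thresholds, function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: client IP, timestamp, then the quoted request line.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')

def login_posts(lines):
    """Yield (ip, minute) for every POST to the WordPress login page."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/wp-login.php"):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts.replace(second=0)

def detect(lines, per_ip_limit=5, site_limit=10):
    """Return (noisy_ips, botnet_minutes). Both limits are assumed values."""
    per_ip = Counter(login_posts(lines))          # (ip, minute) -> attempts
    by_minute = defaultdict(dict)
    for (ip, minute), n in per_ip.items():
        by_minute[minute][ip] = n
    # One robot: a single address hammering the login page within a minute.
    noisy = sorted({ip for (ip, _), n in per_ip.items() if n > per_ip_limit})
    # Botnet: every address stays under the per-IP limit, but together
    # they exceed the site-wide limit in the same minute.
    botnet = sorted(minute.isoformat() for minute, ips in by_minute.items()
                    if sum(ips.values()) > site_limit
                    and max(ips.values()) <= per_ip_limit)
    return noisy, botnet

def _line(ip, clock, method="POST", path="/wp-login.php"):
    return (f'{ip} - - [15/Jan/2024:{clock} +0000] '
            f'"{method} {path} HTTP/1.1" 200 512')

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE = (
    [_line("203.0.113.7", f"10:00:{s:02d}") for s in range(0, 40, 5)]
    + [_line(f"198.51.100.{i}", f"10:05:{i:02d}") for i in range(1, 13)]
    + [_line("192.0.2.10", "10:10:03"),
       _line("192.0.2.10", "10:10:09", "GET", "/")]
    + ["not a log line"]
)

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The botnet case is the one a simple per-address lockout misses, which is why the site-wide count is checked separately.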
If you don’t have the time to follow through on these website security tips yourself, get hold of us sooner, rather than later, so we can do it for you. Our Website Security Package will have you locked down and backed up within days.