SMALL BUSINESS TIP #7: WordPress Website Security Tips
If you’re worried by the time you read these WordPress website security tips, then I’ve accomplished what I set out to do. I don’t make a practice of being a fear monger but, in this case, I’m willing to be one to get you to be proactive!
You’ve probably heard the term “hacker” before. You may even know someone who got hacked. But, do you know what this really means?
A hacker is a species of vermin that lives throughout the world and breaks into your website with the intention of wreaking havoc. They typically do this by inserting malicious code into your site, effectively hijacking it.
Why do they do it? Here are some of the main reasons:
- To send spam
- To steal your data (especially email addresses so they can send more spam)
- To redirect your visitors to a website of their choice
- To broadcast obscene or illegal content to your visitors
- To turn your site into a weapon that destroys other innocent websites
- To completely destroy your site (just because they can)
If you’d like to dig deeper and learn more about cybercrime, take a moment to read this informative article—Cybercrime: 5 Things You Need to Know
Just like the vermin that infest actual houses, it’s crucial to stop hackers from ever getting in—because it’s VERY difficult to get them out once they’re in and they can permanently destroy the reputation of your domain name.
WordPress sites are the most popular target for hackers. Why? It’s estimated that 31% of websites are WordPress sites—and 83% of hack jobs are done to a WordPress site. When the hackers figure out how to get into WordPress sites, they can get into A LOT of them. Also, WordPress is “open source,” which means that the code used to run it is visible to everyone—even the hackers. Although WordPress has a diligent team dedicated to foiling hackers, you are in no way relieved from taking action to protect yourself. If a hacker finds a vulnerability before WordPress does, the hacker wins.
Back in 2015, the leading security provider for WordPress websites, Wordfence, stated that there was an “approximate doubling of brute force attacks on WordPress sites”—from 10,000 to about 20,000 per minute. And, this is not even the highest they’ve seen. Three entities are doing the attacking—individual humans, a single robot or a “botnet” (a group of robots). The human is the rarest.
Access points (or doors) into your website include, but are not limited to:
- An insecure hosting account
- Weak passwords on the WordPress admin login page
- PHP code (in your WordPress theme, plugins, etc.; especially if it’s outdated)
- WordPress configuration file
- User accounts
- Plugins (mostly outdated or abandoned ones)
- Temporary files
I’ll never forget many years ago when I went to log in to one of my personal WordPress websites and saw a dreaded white screen with a blunt message:
“Error accessing database. Please contact your server.”
It turns out there was a rash of brute force attacks against my previous website host and they went into ninja mode. I was proud that not a single vermin was able to get into any of my sites and a simple server reset was all that was needed to fix what could have been a tragedy for many people and businesses.
I want you to be so fortunate, which is why I am sharing some important website security tips.
Website Security Tips
Here are several key WordPress website security tips that will help your site be a formidable fortress:
- Make sure you have Privacy Protection on your domain. Security starts when you purchase and register your domain. Make absolutely sure you pay the additional fee, which will need to be renewed annually, for Privacy Protection. The long term costs of not doing so can be significant.
- Secure your site at the hosting level. Having an SSL certificate is no longer an option for reputable websites. It’s also a good idea to have an actual conversation with someone at your hosting company to assess their attention to security and ensure that you are taking advantage of all the security options they offer.
- Use secure user names and passwords. According to WPTemplate, about 8% of WordPress websites are hacked as a direct result of weak passwords. Do not use the same user name and password for all of your logins, especially if it is some variation of a pet, child or maiden name with your birth year thrown in for good measure. Do use passwords that make your head spin—recommendations are for a minimum of 12 characters (a mix of upper and lower case, special characters and numbers). I highly recommend you use a password manager; most of them include a password generator that creates passwords that are virtually impossible to crack. Also, enabling two-factor authentication adds another layer of protection to the login entry portal.
- Use a reCaptcha plugin. Using a reCaptcha plugin doesn’t even let the robot hackers have a chance at breaking in through your WordPress admin login or contact form(s). I recommend Invisible reCaptcha.
- Purchase the Premium version of a reputable and effective security plugin. The better ones scan your site to make sure it’s clean, then protect it against brute force attacks, malware, and spam. Some even speed up your site. Brute Force (part of the Jetpack plugin), Wordfence, and iThemes Security are three of the best.
- Make sure you have a full (and current) site backup that is not stored on your host server. In this virtual age, a backup of anything is a must. Don’t forget about backing up your new website or make the mistake of assuming that your host or designer has it backed up. Not only do you want to make sure that your site is being regularly backed up, you want the backup files to be stored off the server. Why? I’ve seen hacking jobs that have completely destroyed everything in the hosting account, including the backup file. If you do get hacked and you have an uncorrupted backup file, getting back online is usually as simple as erasing everything that’s been corrupted and restoring your latest backup. We recommend UpdraftPlus or our Security and/or Maintenance Packages (which include scheduled monthly backups stored in the cloud).
- Perform regular maintenance on your site. Up-to-date plugins and the latest versions of WordPress and your WordPress theme are CRUCIAL to the safety of your site. It’s said that 32% of websites are hacked due to a WordPress vulnerability and 40% through outdated plugins. By updating to current versions, you are ensuring that you have the most recent protection available and you effectively lock your website doors tighter. (Staying up to date also ensures that your website is running faster, so you aren’t being punished by Google’s algorithm for being too slow.)
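The password tip above gives a concrete rule (at least 12 characters, mixing upper and lower case, digits and special characters) and warns against the "pet name plus birth year" pattern. As an added example that is not part of the original post or any plugin mentioned in it, the following Python script checks a password against exactly that rule and generates a compliant one with the standard library's `secrets` module, the same job a password manager's generator does. The sample passwords in it are constructed for illustration; the set of accepted special characters is an assumption, since the post does not list one.

```python
import secrets
import string
from typing import List

# Policy as stated in the tip: minimum 12 characters, with upper case,
# lower case, digits and special characters all present.
MIN_LENGTH = 12
# Assumed set of special characters; the post does not specify one.
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?"


def password_policy_problems(password: str) -> List[str]:
    """Return every rule the password breaks (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def meets_policy(password: str) -> bool:
    return not password_policy_problems(password)


def generate_password(length: int = 20) -> str:
    """Generate a random password that satisfies the policy.

    secrets.choice draws from the OS CSPRNG, unlike random.choice, which is
    predictable and must never be used for credentials.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the draw uniform while guaranteeing that
        # every character class is represented.
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed examples: the first follows the "pet name + birth year"
    # pattern the post warns against, the second satisfies the policy.
    for sample in ("Fluffy1985", "Tr0ub4dor&3xample!"):
        verdict = password_policy_problems(sample) or ["ok"]
        print(f"{sample!r}: {', '.join(verdict)}")
    print("generated:", generate_password(20))
```

The checker reports every rule a password breaks rather than stopping at the first, which is more useful when the rules are shown to a user at sign-up or enforced on a WordPress admin account by a plugin hook.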
If you don’t feel confident you can handle all of this by yourself, or feel short on time, get hold of us sooner, rather than later, so we can do it for you. Our Website Security Package includes all of the above, plus some additional technical tweaks that provide further protection. Once you purchase it, we’ll have you locked down and backed up within days!