There are two kinds of people in the world: those who think about website security and those who don’t. If you’re one of those in the latter category, it probably only crosses your mind when you hear about it in the news with another data breach. If you’re in the former group, it can keep you up at night.
Security used to keep me up at night. As a consumer, I’m still incredibly cautious (okay, perhaps paranoid) with my personal information — especially my debit card (I recommend using Apple Pay whenever possible!).
See, the thing is website security doesn’t have to be scary. The simple truth is that there is a strong probability your website will be targeted by a hacker at some point. It may even be under attack right now, but you’d never know it.
That doesn’t mean you can’t do anything about it. The reality is there are several proactive (and relatively simple) steps you can take right now to secure your website.
First, plug all of the holes
When is the last time you changed your website password? By any chance, are you using the same password for your website as you do your email? Regardless of your answer, change your password today and be sure to use a strong one. Don’t be like President Skroob and use 12345. Something more like Pr3s1D3nT1234% is much more secure and difficult to guess using brute force methods.
But even if you change your password to something along those lines, is the computer system you logged into clear of viruses? The last thing you would want would be a key logging virus to record every keystroke you make — including typing your password. Keep your computer's anti-virus software up to date.
Also, be sure to keep your website up to date with the latest version. Wordpress utilizes automatic updates, but even then it is worth logging in regularly to make sure you’re on the most current version. Most of the time when Wordpress releases an update it patches security holes. As soon as those holes are made public, hackers go to town finding websites that aren’t updated.
Think of it this way: I can often recognize how a website is built within about 2 minutes from first seeing it — just from a few simple clues. The people you’re protecting against are way smarter than me and being on an out of date installation is like waving a giant flag that says, “Please hack me.”
Next, minimize plugins
The beauty of Wordpress is it’s an incredibly customizable platform. Along with this comes the ability to use any of the thousands of plugins created by developers to meet just about any need. Unfortunately, this also can create more holes even if you’re running the latest version of Wordpress.
Almost two years ago, this was highlighted when the popular plugin “Revolution Slider” was found to be vulnerable and, in fact, led to quite a few successful hacks. Our solution was to move completely away from Revolution Slider in all new website builds, but for others this wasn’t an option.
Yes, the plugin developer quickly released an update to fix the vulnerability but the point remains: the more plugins you use, the more you open yourself up to potential vulnerabilities. Use as few as possible, code natively within Wordpress, and never ever use a plugin for something as simple as installing Google Analytics on your site.
Then, Use All in One Security
Of the plugins we use regularly (only about a half dozen in total) this particular plugin has become a cornerstone of our website launch process and is an exceptional way to harden your Wordpress site.
All in One Security modifies key files in the Wordpress core system installation, thereby locking down a website to an extent that has allowed me to sleep comfortably at night. Remember, I’m one of the two who thinks about website security but this plugin mitigates my concerns almost completely.
Some of the basic features you’ll want to capitalize on from this plugin:
- Changing your login page to a custom, secure URL
- Notifications of any file change
- Login records (I’ve used this to pinpoint when a file was modified)
- Failed login attempts*
- Approving all new users before they can become a subscriber
- Automatically blocking an IP address if they use the wrong username just once**
*Failed login attempts is even more useful if you’re using a custom login URL. It can point to your site being under excessive attack and serves as an early warning sign there’s another more critical security hole
**Never use “admin” as your username. Ever. It's the username equivalent of using “12345” as your password. Hackers know this, and will instantly try to login using brute force methods with the “admin” username. But if this username doesn’t exist on your site, All in One detects the invalid user and immediate blocks the IP address
Finally, schedule regular backups
Even with the most hardened sites, there is always a chance a hacker will get through. Since I’ve implemented the above operational changes, I can count on one hand the number of secure sites that have come under serious attack. It's even fewer that have had successful hacks. But when it does happen, it isn’t the end of the world.
I schedule what are called Cron commands. It sounds smarter than it really is. Basically, with every new website I set up a cPanel system schedule to run a backup either weekly, bi-weekly, or monthly (depending on how often the site will be updated with new content).
So let’s say your site gets hacked but they don’t do anything right away (common, actually). Later, once the hacker makes their access known (sometimes with something as silly as changing your logo out, just to prove they can) it becomes a question of how to clean up the site. Using some of the above tools, I am able to determine it happened on the 16th of the preceding month. Because all backups are stored on the server above public access, it’s simply a case of me logging in, extracting the backup from the 15th, and restoring a good version of your site. Depending on the complexity of your site, you may be looking at just a few hours of downtime.
But without these Cron job backups, your downtime can be days depending on your hosting provider. Your restore time will always be faster with a company like us on your side.
And no, I do not recommend using a plugin such as Backup Buddy. Again, your goal should be to minimize plugins.
The unfortunate reality is there will always be individuals who will want to mess with your website. Sometimes, they’ll do simple pranks such as the logo swap I mentioned. But other times they’ll completely destroy the beautiful work you’ve created. I don’t have a formal statistic to back this statement up, but in the same way almost all of us know someone who has been the victim of a data breach, I would also assume every one of us will eventually know someone whose website fell victim to a hack.
With a few preventive measures, we can significantly minimize the opportunity for and the impact to your business created by hackers. Contact us today to find out how we can build you a cleanly designed, secure, mobile-ready website.