Things have gotten a bit alarming these days with all the many threats. Fortunately, there are steps you can take to keep your website safe from ongoing threats, or at least to recover quickly if an attack happens. We are going to share eight steps to help your website stay safer!
Automated Bots – Not Individuals
First, know that most threats are automated bots, not individuals, looking for an entry point to a website. They want your website in order to gain access to sensitive information and/or redirect visitors to scam sites. Even the spam that comes through contact forms and comments is frequently the result of bots.
All Types of Websites Get Hacked
For various reasons, any type of website can get hacked. Squarespace, Wix, Shopify, WordPress, Drupal: they are all vulnerable. But since WordPress is open-source software and not a one-stop-shopping proprietary system, your company needs to ensure your website is “getting the oil changed” regularly.
Why Are Businesses Picking WordPress?
Over 42% of the websites on the internet run on WordPress; it’s the first choice for businesses. Non-open-source systems are too restrictive with functionality, offer only basic search engine optimization (SEO) setups, and comply poorly with accessibility standards.
What Makes a Website Vulnerable to Hacks?
A lack of care, such as unsafe passwords, outdated software, or a poor webhost (outdated server software and poor security rules), can lead to an eventual hacked website. Like a car, a website needs maintenance and some care to be roadworthy.
Tips for Preventing Hacks
If, like most businesses, you picked WordPress as your preferred platform, here are eight steps to keep your website safer.
1. Daily Backups Off Site
The first line of defense is having daily backups in case a problem comes up. Usually in a hack, some of the files will be corrupted and will need replacing. Backups are essential to a fast recovery. Bonus: you made some edits and screwed up some things? No worries – you have a backup.
Note: Most webhosts do not have an accessible backup – they have entire server backups, and that isn’t helpful (you can’t use those). You need a backup you can use; if you are on a managed WordPress webhost, most likely they have up to 30 days of backups you can use.
You can get your own backup service – BlogVault is pricey but totally solid and fantastic. There are plenty of other options, but the majority are best for developers, since restoring the website takes technical skills.
My firm does backups to two separate locations, one of which goes back up to 90 days. Obsessive much? Sure, but it buys peace of mind if one of the two ever fails on the occasion we need it.
2. Security Scanning
There are several vendors, but I have found that free plugins impact your website resources (slow your website) and will not catch everything. The latter is a deal breaker – you want your scanner to catch all known threats. My favorite currently is Malcare (affiliate link), which also has an external firewall. SCORE!
3. Limit Users with Admin Access
Not everyone needs full administrator access; most likely they just need to be able to edit a page. Admin access should only be for those installing software and making theme edits, one or two people at most – your development firm being one of them. A lot of free plugins for WordPress are not routinely updated, and a developer will spot this better than your staff.
4. Keep WordPress and Plugins Up to Date
This gets a bit tricky. I strongly recommend you don’t turn on the auto-update feature available on the WordPress dashboard. Yikes – tread carefully. Not all software is fully bug tested, and the last thing you want is for your website to crash, trash your layouts, or have things not working because a vendor was too quick to release an update! Also, you really do need to have eyeballs on the website.
Typically, we wait 2 weeks after a major WordPress release with new features (this doesn’t apply to security updates), and depending on the reputation of the plugin, decide which are trustworthy to update right away based on their history.
Check the reputation/reliability of your plugins. Do a lot of people use it? Does it have a high score? Do they publish a release only to put out a bug-fix release days later? If they do that a lot, they are depending on their users to beta test – don’t be one of them!
Tip: Reviewing the changelog gives a sense of how often they publish bug fixes and whether they are testing well enough. Unless it is what we call a zero-day security fix, most updates can wait a week or two if you aren’t sure.
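The update policy described above (security updates right away, feature releases only after a review period, plugin updates only for vendors with a good track record) can be written down so the site enforces it instead of relying on the dashboard toggle. The following is an added example, not code from the original post or from any plugin mentioned here. It uses the standard WordPress `WP_AUTO_UPDATE_CORE` constant and the `auto_update_plugin` / `auto_update_theme` filters; the plugin slug in the allowlist is a placeholder you would replace with plugins you have vetted.

```php
<?php
// Added example (not from the original post): an update policy for a WordPress
// site, saved as wp-content/mu-plugins/update-policy.php so it cannot be
// switched off from the dashboard.
//
// Part 1 belongs in wp-config.php. 'minor' allows automatic minor/security
// core releases (6.5.x) while feature releases (6.x.0) wait for a manual
// update after the review period the post recommends.
//
//     define('WP_AUTO_UPDATE_CORE', 'minor');
//
// Part 2: plugins update automatically only if they are on a short allowlist
// of vendors whose release history you have checked. Everything else stays
// manual, so a human looks at the site after the update.
add_filter('auto_update_plugin', function ($update, $item) {
    // Placeholder slugs; replace with plugins you have vetted.
    $trusted = [
        'example-trusted-plugin',
    ];
    $slug = isset($item->slug) ? $item->slug : '';
    return in_array($slug, $trusted, true);
}, 10, 2);

// Part 3: themes never auto-update. A theme release is the one most likely to
// trash a layout, which is exactly what the manual check after an update is for.
add_filter('auto_update_theme', '__return_false');
```

With this in place the Updates screen still lists every available release, so the person with admin access (see step 3) can apply the waiting ones by hand once the changelog and the support forum look clean.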
5. Check Plugins and Themes for the Last Update
WordPress updates quarterly at minimum. However, plugins don’t have a schedule; it is up to the software developer. If a plugin has gone more than 6 months without an update, it probably is no longer compatible with your version of WordPress. Check the support forums on WordPress.org to see if people are complaining.
If your plugin reaches 9 months, it’s time to find a replacement. My fav tool for this is Better Plugin Compatibility Control, which shows the dates and compatibility status with WordPress.
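The 6-month and 9-month thresholds above are easy to check for yourself against the data the WordPress.org plugin directory publishes. The script below is an added example, not code from the original post or from the Better Plugin Compatibility Control plugin. It assumes the `last_updated` and `tested` fields have the shape returned by the WordPress.org plugin information API (`last_updated` as a date followed by a time, `tested` as the highest WordPress version the author tested against); the three plugin records are constructed sample data, not real plugins.

```php
<?php
// Added example, not part of the original post: flag plugins by the age of
// their last release, using the post's thresholds (more than 6 months: check
// the support forum, it is probably out of step with current WordPress;
// 9 months or more: find a replacement).
//
// Assumption: $info['last_updated'] looks like "2024-01-15 3:21pm GMT" and
// $info['tested'] like "6.5.3", as in the WordPress.org plugin info API.

function plugin_age_in_months(string $lastUpdated, DateTimeImmutable $today): int
{
    // Only the date part matters; drop the time-of-day and zone suffix.
    $released = new DateTimeImmutable(substr($lastUpdated, 0, 10), new DateTimeZone('UTC'));
    $diff = $released->diff($today);
    // A release dated in the future (clock skew) counts as zero months old.
    return $diff->invert ? 0 : $diff->y * 12 + $diff->m;
}

function classify_plugin(array $info, DateTimeImmutable $today, string $wpVersion): string
{
    $months = plugin_age_in_months($info['last_updated'], $today);
    // "tested" below the running WordPress version is another reason to look closer.
    $testedOk = version_compare($info['tested'], $wpVersion, '>=');

    if ($months >= 9) {
        return 'replace';
    }
    if ($months > 6 || !$testedOk) {
        return 'check';
    }
    return 'ok';
}

// Constructed sample data: a fixed "today" and three made-up plugin records.
$today = new DateTimeImmutable('2024-06-01', new DateTimeZone('UTC'));
$wpVersion = '6.5';
$plugins = [
    ['name' => 'fresh-plugin',     'last_updated' => '2024-05-20 9:02am GMT', 'tested' => '6.5.3'],
    ['name' => 'quiet-plugin',     'last_updated' => '2023-10-10 3:21pm GMT', 'tested' => '6.3.1'],
    ['name' => 'abandoned-plugin', 'last_updated' => '2023-07-01 1:00pm GMT', 'tested' => '6.2'],
];

foreach ($plugins as $p) {
    printf(
        "%-18s %2d months old  tested %-6s  -> %s\n",
        $p['name'],
        plugin_age_in_months($p['last_updated'], $today),
        $p['tested'],
        classify_plugin($p, $today, $wpVersion)
    );
}
```

Run with `php check-plugins.php`; for the sample data it reports the fresh plugin as ok, the 7-month-old one as check, and the 11-month-old one as replace. To use it on a live site, fetch each installed plugin's record from the plugin information API and feed it the same fields.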
6. Have an SSL Certificate
If your website doesn’t have that cute little lock in the URL bar, it’s time to get an SSL certificate. Most webhosts (where your website physically lives) provide this for free with Let’s Encrypt (appropriate for small websites) or offer paid SSL certificates for more complicated websites. This handy certificate encrypts your web traffic, further prevents hacking attempts, and shows your website as safe in web browsers.
Pro tip: Are you on GoDaddy, and do they charge $95 for your yearly certificate? Most hosts don’t charge – nearly all webhosts include Let’s Encrypt SSL certificates.
7. A Good Webhost is Gold
I credit my clients not having been hacked in part to their willingness to follow my advice on which webhosts to use. I typically recommend WP Engine (for busy sites and those with more than one website) and Flywheel. Kinsta is another I hear my colleagues rave about; I personally haven’t tried them. Few developers agree on webhosts, but typically the more you spend, the better the server security and speed.
8. Strong Passwords
Of course, use a strong password – everywhere. Use a password management app like 1Password from AgileBits to keep track.
Yikes! Too Overwhelming?
We have website care plans where we do all this and more.
For the more advanced, here are some more things worth doing.
- Cloudflare: their basic paid CDN service has a great firewall (which is what most webhosts may use when they talk about a firewall and charge extra for it). You can get a firewall in the cloud directly and speed up your website.
- Spam Filtering: Use Akismet or CleanTalk to check whether form and comment submitters are blacklisted. Especially useful for established websites, which get hammered with spam bots.
- Uptime Alerts: Sign up for one of the uptime services and get notified if your website goes down. UptimeRobot and StatusCake are a couple of popular ones.
Whew! I’ll admit we do more than that, but those are some of the key things that need to happen. Nothing is 100% effective, but this will give you a strong foundation.