You carefully crafted the wording of your website, people love the design – you feel confident your business has a good presence on the web. But suddenly out of the blue you receive the dreaded email “Google detected malware on your site.” Yikes!
Your first call is of course to your webhost (physical location of your website) that supposedly backs it up daily. Most do but they don’t save copies for long. If your site has been infected for several days or worse weeks, their archives of backups may only be for 24 hours. What do you do then? Spend a lot of time and money setting up your site again or have a specialist remove the malware. Ouch!
No method is 100% when it comes to WordPress security but you can get very close by being proactive.
Here are a few simple steps to help protect your WordPress site:
- Get third party malware monitoring – Securi is the leading provider of malware monitoring. They even provide free clean up if you have a problem.
- Backup often. Webhosts may backup your website, but many do not and for those that do, only keep an archive of a day or two. If a hardware failure occurs or worse, your server was hacked by malware, this is an expensive recovery. Stay safe and use Backup Buddy (full backups weekly or more often if you are a busy blogger) or VaultPress.
- Change your username login. For your WordPress dashboard, change your username from "admin" to something more difficult to guess.
- Change your password for your WordPress dashboard to 12 randomly generated characters. Not $uper88 or other clever character substitutions; these unfortunately are guessable by brute force programs. Besides including random characters, use a password you are not using anywhere else. Instructions for changing your username and password. (Need help tracking passwords – try 1Password or Lastpass.)
- Keep up on WordPress software updates. The majority of these are security updates; it’s free and plugs holes to security vulnerabilities.
- Update your WordPress plugins. These are also vulnerable to being hacked and an out-of-date plugin could leave the door open to malware. Also, if you have inactive plugins – delete those because out-of-date plugins, even inactive ones, are a security risk.
- Don’t go cheap on web hosting; get a professional grade account. Paying more does get you more in terms of better security and access to real technical support. When a problem occurs, you want immediate qualified technical help. Cheaper services limit access to the real technical support staff and usually you are talking to a customer service rep not a technically qualified server specialist. Your website is a business asset – don’t go cheap.
- Limit admin access to your WordPress dashboard. Have users no longer supporting the site, go ahead and remove the user account. Not everyone needs an administrator level user account; if they are only posting blogs – downgrade them to Contributor. Make sure all administrators have secure logins (wouldn’t hurt to occasionally update those as well).
That’s it; nothing difficult, just some due diligence and easy to implement. Stay safe!
Does all of this sound great but you have no time to implement? Check out our maintenance package, which includes malware monitoring, backups, up time site monitoring and more!
Bernadette says
Hi Nancy,
Great post! I tell my friends, who get stuck on developing good passwords, to think of a favorite book, quote, or song they like, and use the first letter of each word (i.e., A Groovy Kind of Love by Neil Diamond 741776) of it combined with a date combination. So the password would be either. AGKoL741776ND! or ARIoO741776ei@ (2nd charater). I chose (password removed) for July 4, 1776 the date the USA was declared independent.
Would you consider that as secure enough?
I try to keep passwords somewhat easy to remember too. So I find if I define a formula, it works. But I would think that password busting software (that is what I call it) such as Botnet Brute-Force, would have an algorithm built in so as it could eventually figure that out.
When people say, If the bad guys really want your information, they can get it.” I just tell them, “Yes, I suppose that is true, but why make it easy for them?”
Again, good article.
Nancy Seeger says
Hi Bernadette,
Depends on what they choose. But there are plenty of online password generators, for example:
http://www.whatsmyip.org/random-password-generator/
There are so many passwords and logins to keep track of, it’s best to use something like Lastpass or 1Password program. The latter is my personal favorite.
Thanks for commenting,
Nancy