Every week, Google, and the other search engines blacklist tens of thousands of hacked websites. Back in the day, hacking was more proving your worth as a hacker or about revenge. Now, hacking is about money as there millions of dollars to be made from compromising vulnerable websites.
The Effect of Being Hacked
Switching on your computer in the morning and finding your website hacked promises to be the start of a long day. If you find your website has been compromised, you will find that:
- your reputation will be affected,
- your bottom line will suffer,
- your client details may have been stolen,
- your website may be distributing malware or be used to steal passwords and other personal information.
You may even find that the hacker has been able to lock you out of the site. Paying someone a ransom to get back into your own site will leave a bitter taste in your mouth. If you are really unlucky, you may find your site wiped completely.
Given what could happen, it’s surprising how few people take website security seriously. In a recent WP Builds podcast, WordPress Security Guru David Hayes said that if you keep your software up to date and change your password to something that can’t be guessed, you will see off 80% of all attacks on your website.
With that in mind, here are some simple things you can do that won’t cost money, but could keep your reputation in tact.
Use a website hosting company that can be trusted. Don’t go for the cheapest host you can possibly find. Make sure that they have a great reputation. If you a running a business from your site, then their actions will directly affect your site’s security and your reputation. I use and recommend SiteGround for most of my websites.
Be careful of websites that rank hosts. Many of these sites will rank websites based on the amount of money they receive from referrals. If you click on a link on a page ranking hosting check the url bar at the top of your browser. If it’s a straig
Users, Roles, IDs and Passwords
People who have a user account on a website have a role assigned to them that determine what they can and cannot do. Roles include Admin, Editor, Author, Subscriber, Guest, etc.
User IDs and Roles
- Do not create or use the ‘Admin’ ID. If it’s there, create a new account under a different name as an administrator and delete the Admin account. Someone attempting to break into your account will test for this ID first. If you are using a hosting company like SiteGround or Hostmonster you will not be able to create an ID called Admin.
- Don’t create more administrators than you need. It is easy to make everyone an administrator, and takes next to no thought. However, administrators hold a lot of power, and the more you have of them on a site, the more likely it is that there may be a security breach. Only create the bare minimum of administrators. If you have someone on the site who only write articles, assign them to an Author role. If you have someone who can add and delete posts and pages, give them an editor role. These roles wield much less power, and will still allow the user to get the job done.
- Change your password from time-to-time! Many people advocate changing your password once a month.
- Do not reuse the same password on multiple sites.
- Do not use the following passwords: 123456, qwerty, password, the city you live in, your partner’s name, etc. The longer the password the better. You can use a short sentence that’s easy to remember if you like.
- Don’t share your ID and password with anyone else – especially if the password belongs to an administrator account.
Keep your Software Up to Date!
The biggest problem I find when it comes to security is that people do not keep their core WordPress files and plugins up to date. I’ve seen websites that haven’t had a single update in years. These sites are invariably slower than the average site, and they often have security holes so big you could run a bus through them.
There are three components to your website software:
- core WordPress files
WordPress is open source software developed and maintained by an army of developers. These people quickly analyze and fix core WordPress problems found out in the wild. Those fixes are then subjected to exhaustive peer review and testing before they are released to website owners.
To make life easier for WordPress site owners, there is an option to automatically apply minor updates. Major updates are usually a manual install as these need to be done carefully.
Often, your website hosing company may also initiate a core WordPress update.
Plugins and Themes
People love plugins and themes – and why not? Plugins and themes are what make WordPress what it is – a flexible platform that can be an online store, a simple brochure, or a training site. Plugins provide the functionality while themes provide the look and feel of the site.
The problem is, is that many plugins found on the internet should be avoided because they have been badly written or are old.
With this in mind, I always have the following checklist when looking at adding a plugin to a website:
- has the plugin been updated recently? If it is 3 months old, or even older, be wary. If it hasn’t been tested on your version of WordPress (which is the latest version, right?), then be even more wary. Your website isn’t a good place to test a plugin’s worthiness.
- does the plugin have good reviews? If it doesn’t give it a wide berth.
- If you type the plugin’s name into Google, do you get a good or bad feel about it? Have people complained? Worse – are there any reports of bad coding?
Once you have found your plugin or theme, keep it up to date. Make sure you install all updates, particularly security updates. You can use services such as Managewp.com to email you when new updates are available.
Make sure your site is getting backed up. I’ve worked in IT long enough to have witnessed on a number of occasions the panic and chaos of a system biting dust. In half of those cases, a proper backup was unavailable because nobody thought to do make sure they were working.
- Choose a hosting provider that automatically backs up your site.
- Try to get one that will hold backups for a month.
- Use a free or paid-for plugin that will do a separate backup and store your files on a cloud service such as Google Drive or Dropbox. The more often you update or ad to your website, the more frequently you should backup.
Get some Security Software
Another plugin, I know, but think about getting some good security software. There are a number of different plugins out there that all have similar core features. Again, check reviews, both user reviews and on WordPress information websites like WP Beginner or WP Tavern. Make sure that the plugin you choose has the options that you are looking for. Plugins that get good reviews include, Wordfence Bullet Proof Security and Sucuri security. More information on the different plugins is available at the Infosec Institute.
Get Professional Support
Of course, if you don’t have time for all of this, or you are concerned you don’t have the right knowledge, you can always take someone on to do this work. For example, I currently maintain a number of websites by keeping their software versions up to date and ensuring that the backups are completed.
So you see, you must take steps to secure your website on the online world in the same way that you must lock your doors and invest in security in real life. Many of the things you can do will not cost anything except a little bit of your time in research and implementation. The best way to begin is to change your password to something unguessable, and to get your WordPress software up to date.
Now that’s not a difficult way to make a start, is it?