You finally joined 35.9% of the internet by getting a shiny new website built with WordPress. Congrats! Now you’re ready to make the site public and bring in that web traffic, right? Before you open the door, have you thought about the security of your site?
Believe it or not, “bad guys” are scanning the internet, looking for any weakness they can find in any website. Even if you aren’t taking payments or letting users log in to your website, standard security measures must be in place to prevent malicious actors from gaining access.
Keeping the bad guys off your website is a 24/7 job. Are you up for the task?
What do I need to protect against?
Understanding what you are protecting your website from is the first step to understanding how you’re going to protect yourself in the first place.
There are generally three primary things you need to watch out for:
Brute Force Attacks
Automated hacking software (also called a “bot”) scans your website looking for weaknesses. This is typically done with a snippet of code that tries to access your login screen and tries a near-infinite number of password combinations in an attempt to force its way into your website.
Malicious code is injected into your website and database by hackers due to poor code or a known vulnerability. From there, they can corrupt your data and steal sensitive information.
SPAM attacks can take multiple forms, from using your site or application to SPAM users with fraudulent links or information, to inserting malicious links into your webpages or creating new pages with redirects to less-than-savory places.
Here are 5 different ways to keep your website protected every day, all day:
1) Keep an eye on pending updates
WordPress regularly releases updates to the core files that it uses to run. These updates generally add new functionality and improvements, but can also include security updates from time to time as well.
When a security update is released, the vulnerability that was patched is also disclosed, usually with details on how the vulnerability works.
Unfortunately, this means bots and other bad actors will immediately start scanning the internet for vulnerable websites.
The plugins and themes that you use with your website are also updated regularly and the same principles apply. If you’re curious, you can search for a plugin or theme to see if it has ever had a vulnerability and make sure the version you are currently running does not have an outstanding security issue.
By simply making sure your plugins are always up to date to the latest versions, you significantly reduce your chances of letting the bad guys in.
Tip: Plugins and themes are created and maintained by individuals and third parties and thus sometimes get abandoned. If you’re using free plugins from the WordPress repository, be sure to review them regularly to ensure they are continuing to be maintained.
2) Always use secure, unique passwords (and try a password manager)
If your password is “password”, chances are you’ve already been hacked. Something that’s important to understand is that when a password gets breached, it’s not generally a human doing the breaching, but a bot capable of testing millions of password combinations.
These bots crawl the internet using common word combinations to crack weak passwords. Moreover, when they crack a password, they’ll attempt to use that password again on all other accounts linked to the associated email address.
The most secure password is one that’s as long as possible. Make sure it’s over 16 characters in length, and avoids using real words. Additionally, never reuse a password on multiple accounts.
Since no one expects you to remember hundreds of lengthy passwords, you can go old school and record your passwords in a securely located notebook (that’s a notebook of the paper variety), or take advantage of the many reputable password manager tools available these days such as 1Password, LastPass, or Dashlane.
Whatever you do, do not use a Word document or Excel spreadsheet as your password manager. If your computer gets hacked, so will all of your online accounts.
TIP: Implement two step/factor authentication (2FA) where possible. We recommend installing WP 2FA and implementing it for all users that are Administrators or Editors on your website.
3) Implement an SSL certificate
Look up at your web address bar on your website. Does it start with an “http://” or an “https://”? The difference might seem subtle, but that extra “s” at the end stands for “secure”, and means your connection to the server is encrypted.
In other words, when the data is flowing over the internet between your personal computer and the server your website is hosted on, anyone who intercepts it won’t be able to read it.
If you don’t see the “s”, that means the connection to your WordPress site is not secure.
If that’s the case, talk to your website hosting provider about getting an SSL Certificate added to your domain. SSL certificates are offered for free at almost all hosting providers these days, so don’t get pressured into purchasing one.
TIP: Not only will adding an SSL certificate improve your site’s security, but it will also improve your SEO. Since 2014, Google has favored sites with an SSL certificate and in some cases, will display a warning on sites that do not have one.
4) Install a security plugin
A more obvious approach to improving your site’s security is to install a security plugin.
Generally speaking, these provide low-maintenance protection against hackers, malware, and other vulnerabilities, while some will even help to repair your site in case the worst comes to worst.
It’s important to know, not all security plugins are created equal. When configured properly however, most provide some added security benefits over using nothing at all.
The key features you’ll want to be sure are included in any security plugin will be:
- Brute Force protection
- Malware scanning
- WordPress hardening
Typically your website hosting provider will be able to recommend which plugins work best with their platform, or if a plugin is required at all. If your provider says a security plugin is not necessary, make sure you understand why. Don’t hesitate to ask questions!
As an example, we’ve outlined all of the security measures we put into place by default with our WordPress hosting services.
TIP: Starting with a reliable hosting partner, focused on security, should be your first priority. A good hosting company has multiple layers of security in place to protect your website and their infrastructure.
The hosting service you choose is the foundation of your security—it is worth investing a bit more to ensure your hosting provider is as secure as possible.
5) Limit User Access
If you have multiple people accessing your website, consider limiting what each user has access to.
WordPress allows you to define the type of user being added. This means you can select their roles and allow access to only what’s essential for their job on your site.
After all, you don’t want a user adding blog posts to also have access to change key settings on your site.
BONUS: Invest in a reliable security partner
In all honesty, security is extremely complex and nothing is ever 100% secure. Our best advice is to make sure you have someone in place that can be responsible for the security of your website at all times.
At Watchdog Studio, not only do our WordPress care plans provide 24/7 firewall protection to your website, but they also provide:
- Regular deep scans for malware
- Malware cleanup if needed
- Daily off-site back-ups
- 24/7 uptime monitoring
- And more!
You even get advanced expert support and guidance to become a master of your own domain! …Your web domain that is!
Your WordPress security is only as strong as its weakest link, and that means you need an eye watching out for you at all times.
Though there are many ways you can attempt to keep you and your website safe from the bad guys, the easiest way is to hire a 3rd party security partner, like your friends at Watchdog Studio.
Check out our awesome website management and support plans to find the one that’s best for you, and get a Watchdog of your own to guard your website!