So, you’ve gone to a lot of trouble and effort to get your business website looking just the way you want it. Don’t forget to make it safe! You’ve probably heard about the increased risk of hacking, data theft, and web attacks, but there is a lot you can do to protect your website. There are some key measures you can take to minimize your risk and reduce your website’s vulnerability.
1. Minimize the risk from plug‐ins
Experts say that vulnerable plug‐ins are the top way hackers can gain access to WordPress sites. When it comes to plug‐ins you should:
- Keep the number of plug‐ins to a minimum. You really don’t need that many, tempting as it might be!
- Delete any plug‐ins you’re not using and keep the others updated.
- Check and double‐check plug‐ins before you download them to make sure you’re getting them from a reliable source.
- Remove plug‐ins that haven’t been updated in over two years, and regularly check to see if your plug‐ins are current. Check the WordPress Directory to make sure your plug‐ins are still live.
- Use WordPress Security plug‐ins to detect threats, and block attackers and malware. Popular ones are Wordfence Security, iThemes Security, and All in One WP Security and Firewall. (By the way, I am using iThemes Security on this site).
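The checklist above can be run as a repeatable audit instead of a manual review. The following is an added example, not code from the original post: the plug-in names, dates and the `audit` function are constructed for illustration, the inventory mimics the JSON that WP-CLI's `wp plugin list --format=json` prints, and the directory facts (date of last release, whether the plug-in is still listed) are assumed to have been looked up separately.

```python
import json
from datetime import date

# Constructed sample of `wp plugin list --fields=name,status,update,version --format=json`
WP_CLI_JSON = """[
 {"name": "contact-form-demo", "status": "active", "update": "available", "version": "2.1"},
 {"name": "old-slider-demo", "status": "inactive", "update": "none", "version": "1.0"},
 {"name": "gallery-demo", "status": "active", "update": "none", "version": "4.3"},
 {"name": "seo-demo", "status": "active", "update": "none", "version": "9.0"},
 {"name": "backup-demo", "status": "active", "update": "none", "version": "3.2"}
]"""

# Constructed directory facts. A plug-in missing here is no longer listed.
DIRECTORY = {
    "contact-form-demo": {"last_updated": "2024-03-02"},
    "old-slider-demo": {"last_updated": "2023-11-20"},
    "gallery-demo": {"last_updated": "2021-01-15"},
    "backup-demo": {"last_updated": "2024-05-01"},
}

STALE_AFTER_DAYS = 2 * 365  # "haven't been updated in over two years"

def audit(wp_cli_json, directory, today):
    """Map each plug-in that needs attention to the list of reasons why."""
    findings = {}
    for plugin in json.loads(wp_cli_json):
        issues = []
        if plugin["status"] == "inactive":
            issues.append("not in use: delete")
        if plugin["update"] == "available":
            issues.append("update available: update")
        info = directory.get(plugin["name"])
        if info is None:
            issues.append("no longer in the directory: remove")
        else:
            age = (today - date.fromisoformat(info["last_updated"])).days
            if age > STALE_AFTER_DAYS:
                issues.append(f"last release {age} days ago: remove")
        if issues:
            findings[plugin["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(WP_CLI_JSON, DIRECTORY, date(2024, 6, 1)).items():
        print(f"{name}: {'; '.join(issues)}")
```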
2. Make it hard to log in as you
Using ‘admin’ as your username or having a weak password is like leaving your front door open. It’s almost inviting hackers in! Make sure you don’t use the default ‘admin’ username. Think of a unique username that is difficult to guess. Similarly, come up with a strong password, between 10 and 15 characters long, that combines letters, capital letters, symbols, and numbers. If you find this difficult, you can use Strong Password Generator to make one for you.
And don’t forget to change your password regularly. Schedule it in as a regular business task, so you don’t forget.
3. Make your website HTTPS
Changing your website to HTTPS encrypts the connection between your web server and your web browser, protecting your data from attacks. And as an added bonus, HTTPS improves your Google rankings!
4. Use two‐factor authentication
Two‐factor authentication protects your website against an attack that tries unlimited combinations of usernames and passwords until the hacker gets into the site. Adding Google Authenticator (this is an app available on your iPhone or Android phone) to your website will add this feature automatically. iThemes Security Pro (the paid version) has this built in! I have this on all my sites as well as my clients’ sites.
5. Backup and update
Doing regular backups and updates will keep your website data safe, so even if the worst happens, and you are hacked, you’ll be able to get your site back as soon as possible. If you need help with this, let me know! We back up over 100 websites a month for clients!
Roy A Ackerman, PhD, EA says
Good advice. We’ve been doing this for a while, since we were attacked by the WrongWing about 5 years ago.
Paul says
One can only do so much… If someone really wants to get into your site, they will. For the majority of hackers on “our type of sites” we usually get the hackers trying to ‘have fun.’ Ugh. Sigh.
Martha says
I’m working on these. I made my site https but because of some of my pictures (header in particular) it isn’t secure. I have to work a little harder on that! Thanks for the great info.
Paul says
Just putting an SSL Cert on the site does not make it secure – ALL the links need to be changed from http to https that are intersite links.
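The situation in the two comments above, an HTTPS page that still shows as "not secure" because an image is loaded over http://, can be found with a short scan of the page's HTML. This is an added example, not part of the original post or its comments; the URLs and HTML are constructed, and `scan` and `MixedContentScanner` are names chosen here. It separates content the browser loads into the page from ordinary hyperlinks, which are navigation only.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch something into the page.
LOADS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
         "video": "src", "source": "src", "embed": "src", "link": "href"}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link rel=canonical> loads nothing

class MixedContentScanner(HTMLParser):
    """Find http:// references in a page that is itself served over https://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.mixed = []        # loaded into the page over plain HTTP
        self.plain_links = []  # <a href> to http:// pages: navigation only

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._check(tag, attrs.get("href"), self.plain_links)
        elif tag in LOADS:
            rels = set((attrs.get("rel") or "").lower().split())
            if tag != "link" or rels & LINK_RELS:
                self._check(tag, attrs.get(LOADS[tag]), self.mixed)

    def _check(self, tag, value, bucket):
        # Resolve relative and protocol-relative URLs against the page URL;
        # an empty value resolves to the https page itself and is not flagged.
        url = urljoin(self.page_url, (value or "").strip())
        if urlsplit(url).scheme == "http":
            bucket.append((tag, url))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.mixed, scanner.plain_links

# Constructed sample page (all hosts and paths are made up).
SAMPLE_URL = "https://shop.example/"
SAMPLE_HTML = """
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://shop.example/">
<img src="http://shop.example/wp-content/uploads/header.jpg" alt="header">
<script src="//cdn.example/lib.js"></script>
<a href="http://old-blog.example/post">a commenter's site</a>
"""

if __name__ == "__main__":
    for kind, found in zip(("mixed content", "plain links"), scan(SAMPLE_URL, SAMPLE_HTML)):
        print(kind, found)
```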
Bing says
I find this very informative. Thank you for this post.
I have questions, Paul:
– How do we change from http to https? (Mine is https but I’ve already been encountering a lot of ‘not secure’ websites.)
– If these ‘not secure’ websites visit and comment, or are listed in my blog roll, is my blog not secure?
– Is there a free 2 factor authentication?
– Can anyone perform backups and updates?
Sorry for the long list but I am confident you have the answers! Have a good day!
Paul says
Great Questions, Bing!
With a lot of things, there is the right way to do things and the not-so-right way to do things, even though it gets the job done. Converting from http -> https is one of those things. I have written about http vs https but have not written up how to convert – that can be a future blog post!
Your site is still secure if you link to a non-secure site via comments. No worries there!
Google Authentication is a free app – there is a free plugin – Google Authentication (same name, different thing) although I have not used it. I will test that out and talk about it on an upcoming training!
Anyone can perform backups and updates just like anyone can tune-up a car! The ‘trick’ is to know what to do when something goes wrong. I can easily change my oil in my car, and the moment that the oil filter strips the threads as I am putting it on… well… I am dead in the water, need to call a tow-truck, and will end up paying a lot more in the end. Everything is always easy when there are no issues, and when there are (like the site won’t come back up) it is important to know what to do.
Hope these answer your questions!
Julie JordanScott says
This is so helpful! I am not prone to knowing the back end tech stuff so I am grateful you pointed it out today, Paul! We need to know these fine details and how to implement them!
Paul says
Or know ABOUT them so you can get someone to take care of it for you, Julie!