Content Marketing Specialist
Keep Your Website Safe and Secure
So you’ve got a brand new website. You’ve spent a lot of time and money getting exactly what your business or brand needs, and you’ve proudly launched it out into the great world wide web. Everything is working, everything is updated, and it’s built on WordPress so even if you’re not “tech-savvy”, you can handle some changes and improvements down the road. You’re feeling great.
And then something goes wrong.
WordPress is easily the most popular CMS platform today and has been for the last 5 years or so. The potential for security problems is no reason to abandon a well-established platform, but ignoring that potential can be costly.
According to a report released by the security firm Sucuri, “78% of the hacked websites it investigated were WordPress sites.” (source) This doesn’t mean that WordPress is less secure than other CMS platforms; it’s just what happens when one platform holds that much of the market share. As of May 2017, 59% of CMS websites are running WordPress.
It turns out that your plugins are more likely to be the point of entry, not the WordPress core itself. The same report by Sucuri found that 25% of hacks were attributed to vulnerabilities within just 3 plugins: RevSlider, GravityForms, and TimThumb. If you recognize one or more of those plugins, don’t start panicking yet! Developers are constantly updating plugins to address vulnerabilities and prevent hacking. The problem isn’t the CMS platform or the plugins, but rather a lack of updating by users. (source)
Part of this problem comes from plugins being bundled with themes. RevSlider, for example, has been packaged with almost every theme I’ve ever purchased, but because I don’t hold the license, I’m stuck waiting for updates from the theme developer. (Side note: if you purchase a theme with a bundled plugin, like RevSlider, and you use the plugin, spend the money to buy your own license. Not having to wait for updates from the theme author is invaluable.)
So what are you supposed to do to keep your new, shiny website functioning just as great as day one?
Do Updates Immediately
Keep everything up to date. Install WordPress updates and plugin updates as soon as they are available. Install theme updates. If an update breaks something else on your site, fix it. Skipping updates out of fear of creating new problems will eventually lead to a crashed or hacked site.
Delete What You Don’t Need
If you aren’t using a plugin or theme anymore, delete it. Don’t make the mistake of thinking that RevSlider is fine sitting on your site installed but deactivated. If you aren’t using it, delete it. Right now.
Up Your Username Game
Don’t use the “easy” usernames. Your site should never have a user who logs in with “admin” as the username or any variation of that. Don’t use the name of your company as your username. If you publish blog posts and your first and last name are visible, you probably shouldn’t just use your first and last name as your username, either. Come up with something else, and use a password manager if you’re worried about remembering unique things.
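The update, cleanup and username rules above can be checked from the command line. The script below is an added example, not part of the original post: it assumes WP-CLI is installed on the server and reads its CSV output, and the function names and sample data are made up for illustration.

```bash
#!/bin/sh
# Added example (not from the original post). Live input would come from WP-CLI:
#   wp plugin list --fields=name,status,update,version --format=csv | audit_plugins
#   wp user list --fields=user_login,display_name --format=csv | audit_users "Site Name"

# DELETE = installed but inactive; UPDATE = active with a pending update.
audit_plugins() {
  awk -F, 'NR > 1 {
    if ($2 == "inactive")       print "DELETE " $1 ": installed but inactive"
    else if ($3 == "available") print "UPDATE " $1 ": update pending (running " $4 ")"
  }'
}

# RENAME = login is an "admin" variant, the site name, or the public display name.
# Simple comma split: assumes no commas inside display names.
audit_users() {
  awk -F, -v site="$1" '
    function norm(s) { s = tolower(s); gsub(/[^a-z0-9]/, "", s); return s }
    NR > 1 {
      login = norm($1)
      if (login ~ /admin/)          print "RENAME " $1 ": admin variant"
      else if (login == norm(site)) print "RENAME " $1 ": matches site name"
      else if (login == norm($2))   print "RENAME " $1 ": matches display name"
    }'
}

# Constructed sample data (plugin slugs from the post; versions and users invented).
sample_plugins() {
cat <<'EOF'
name,status,update,version
revslider,inactive,available,1.0.0
gravityforms,active,available,1.0.0
example-gallery,active,none,1.0.0
EOF
}

sample_users() {
cat <<'EOF'
user_login,display_name
admin,Site Owner
siteadmin2,Webmaster
examplebakery,Front Desk
jane.doe,Jane Doe
q7-harbor-lantern,Jane Doe
EOF
}

sample_plugins | audit_plugins
sample_users | audit_users "Example Bakery"
```

Run on a schedule, an empty report means nothing is waiting on you; any DELETE, UPDATE or RENAME line is a task from the sections above.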
Strong, Changing Passwords
Pick a good, strong password, and change it at least quarterly. This is a good rule for everything in life. Your email, computer, bank account, social media, all of it. Strong, unique passwords that get changed regularly. Password managers are a necessity these days.
Two-Factor All The Things
Utilize two-factor authentication. This is just a good rule for everything, really, but it holds true with WordPress as well. There are several plugins that will accomplish this for you. It might feel like an inconvenience, but it’s less of a hassle than rebuilding a site.
Consider a Security Plugin
There are great free ones out there, like Wordfence, that can be upgraded to premium should your site need additional security. These plugins can do everything from blocking suspicious login attempts to preventing changes to files on your server. There are also great, more robust security plugins that you’ll have to pay a pretty penny for, but that bring even more peace of mind and security resources to your site.
Backing up your site is probably the most important thing you can do. Why? Because it isn’t hard to implement, and in the event of a hack or crash, most of the time, a backup can be restored with little-to-no data lost. Several web hosting providers offer automated backups for free or at a low cost, and I highly recommend you use them. But you should also back up in a second way, preferably where the backup files are not stored on your web server. I personally am a big fan of the Updraft plugin for automated backups. Add a Dropbox Plus plan for $99 a year and you’ve got automatic offsite backups.
You might follow all these recommendations and still fall victim to a hack or crash. The reality is that it happens. I’ve had sites hacked. I’ve had sites crash and burn. The more you do to prevent these problems up front, the better, and a good backup system can often make quick restores a possibility. If you’ve implemented everything above and want to do more, this article outlines some additional easy steps you can take.
The bottom line is, the more you do up front to prevent or plan for future problems, the better shape you’ll be in when trouble hits. And if you want to do more but are new to WordPress, we can help!