Keep Your Website Secure with These 10 Tips
In this day and age, if your company has a website, you have a security risk. Did you know that about 30,000 sites are hacked a day? On average, a website is hacked every 5 seconds.
Keep in mind – there is no such thing as 100% safe and secure. However, the more locked doors and walls put in place on your site, the harder it is to get into. That is why we’ve put together these 10 tips to help keep your website as secure as possible.
1. Keep Your Software Up-to-Date
With software like WordPress, which regularly releases new versions to provide new features and patch security issues, updating is a must. Generally, if the update contains an immediate security patch, WordPress is able to update itself, but that’s not always the case. Know what updates are available for your content management system and implement them.
If you use plugins or other add-ons to enhance your site’s functionality, keep them updated as well. This is especially true if the plugins are built by third-party developers. If you have a plugin that has not been updated by its developer for some time, you should be aware that it may contain a security hole that was never patched.
Be judicious when deciding what third-party products to add to your site, and if you’re not using a plugin or alternate theme on your site, remove it. Getting rid of the code from your server ensures that it can’t be exploited.
2. Only Give Access to Those Who Need It
The more people who have access to your website or server, the greater the chance that someone’s account will be used to hack your site. While everyone involved in your website certainly has the best of intentions, all it takes is one person’s account to get hacked. Limit who has access to your website, and set up user levels for those who do have access. As people move on from your company, ensure that their accounts change as well.
3. Use Trusted Partners for Hosting and Website Management
Know what your web host and website manager do to keep your site secure, and understand it to the best of your ability. Get on the same page as far as who is responsible should a hack happen. Is it you? Is it your site manager? Is it your host? Whoever it is — know beforehand. When you’re picking out service partners, understand that price matters. Cheap web hosting is cheap for a reason. It’s not good.
4. Install an SSL Certificate
Your website should include an SSL certificate, which turns it from an “http” site to an “https” site. When your site is secure, you are assuring your customers that they are indeed on your site and are not being subjected to a man-in-the-middle attack. Switching to a secure site is not a large investment in cost or time.
Additionally, Google uses your site’s security as a ranking factor in its search algorithms, so if you have an SSL certificate, you’re getting an additional positive consideration.
5. Don’t Use Admin for a Username
Using the default admin account is a very common security mistake. What login do you think a hacker will use first when trying to get into your site? Get creative and use a unique username for your login. If you are already using “admin” as an account, simply make a new account with a unique username and assign admin rights to that user before deleting the old admin user account. When you delete the old admin account, make sure to assign any posts from that account to the new admin account.
6. Use Strong and Unique Passwords
Just like your online accounts for banking, e-mail, and social media use strong passwords, your website should too. Why? Your website is the online home base of your brand – protect it. You can use a secure online password generator to create them.
7. Back Up Often
Make sure either you or your website host backs up your site files and database often. You’ll need those backed-up files and data to restore your site to its former (pre-attack) glory if it is hacked. It’s also a good idea to have those backups stored offsite and, if possible, not on the same server as your website files, as they might get infected too. This tip is more about being prepared in case of a security breach than it is about up-front security. Learn more about this by checking with your website host.
8. Add Security Plugins
There are several WordPress security plugins out there, but the one that we love and use at BLU on all of our WordPress sites is Wordfence (http://wordpress.org/plugins/wordfence/). Don’t install more than one security plugin as they might have compatibility issues or overlapping functionality. Here is a list of WordPress security plugins to choose from:
- Wordfence – full-featured security plugin.
- iThemes Security – offers a wide range of security features.
- Bulletproof Security – protects your site via .htaccess.
- All in One WP Security and Firewall – adds a firewall to your site.
- Sucuri Scanner – scans your site for malware, etc.
9. Lock Down File Permissions & Write Access
Take your site security one step further by locking down the files on your server and who has write access to them. This can be done through a WordPress plugin or hosting settings in cPanel. I’d suggest you contact your website host to make these updates, as they can break things if not done right.
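A read-only check for the write-access problem this tip describes, as an added example that is not part of the original article. The permission baseline (directories 755, files 644, wp-config.php closed to "other") is assumed from common WordPress hardening guidance, and the function names audit_wp_perms and make_sample_site are made up here.

```shell
#!/bin/sh
# Added example: read-only audit of write access in a WordPress tree.
# Assumed baseline (common hardening guidance, not from this article):
# directories 755, files 644, wp-config.php closed to "other".

# audit_wp_perms DIR: print one finding per line; return 1 if any.
audit_wp_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        # Files and directories that any local user can write to.
        find "$root" \( -type f -o -type d \) -perm -0002 -print |
            sed 's/^/WORLD-WRITABLE /'
        # Group-writable only: acceptable on some hosts, but worth
        # reviewing when the group includes other accounts.
        find "$root" \( -type f -o -type d \) -perm -0020 ! -perm -0002 -print |
            sed 's/^/GROUP-WRITABLE /'
        # wp-config.php holds the database credentials: flag any
        # read, write or execute bit granted to "other".
        if [ -f "$root/wp-config.php" ]; then
            find "$root/wp-config.php" \
                \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print |
                sed 's/^/CONFIG-EXPOSED /'
        fi
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# make_sample_site: build a constructed sample tree (not a real site)
# so the audit can be tried offline; prints the tree's path.
make_sample_site() {
    site=$(mktemp -d) || return 1
    mkdir -p "$site/wp-content/uploads"
    : > "$site/index.php"
    : > "$site/wp-config.php"
    : > "$site/wp-content/uploads/logo.png"
    chmod 755 "$site" "$site/wp-content"
    chmod 777 "$site/wp-content/uploads"    # deliberately too open
    chmod 644 "$site/index.php" "$site/wp-content/uploads/logo.png"
    chmod 644 "$site/wp-config.php"         # deliberately world-readable
    echo "$site"
}
```

The audit changes nothing on disk, so its findings can be handed to your website host, who can then make the permission changes.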
10. Consider Logging In With Two-Step Authentication
Normally, logging into a WordPress site requires only your username and password – this is one-step authentication. Up your security with two-step authentication, also called two-factor authentication (2FA), which adds a second step such as an SMS code, Google Authenticator, or Cell Phone Sign-in (offered by Wordfence Premium). Using two-step authentication is a good idea for some sites, depending on the company and what should be protected. If you have a simple site or blog, you may not need it.
Security is not a one-time endeavor. It needs to constantly be a part of your digital strategy. You need to understand current threats to your website or have someone managing your site who does understand them. While there are plenty of security fundamentals you can implement, find out what more you can do. Push your service partners to better explain their security protocols and to tell you whether there’s more they can do.
If your company has a website, you have a security risk. If someone intentionally wants to hack your site (which is rarely the case for the majority of sites), they have plenty of ways to go about it. Don’t make it easy for them. Be vigilant, and constantly work to make your site more secure.