It seems that everybody I talk to these days has a website, or is about to start up a website. I think it’s great that there are so many creative people out there with so much to share, say or sell, but what isn’t so great is how unprotected many of those sites are. In the past two months we’ve had five new clients whose WordPress sites were hacked, corrupted or otherwise compromised. In each instance, a complicated, time-consuming and ultimately costly reconstruction process was necessary to restore these sites to their previous functionality. Most of this could’ve been prevented had the site owners followed a few simple steps to insulate their sites from potential disaster.
Strong User Name & Password
This is as elementary as it gets, but you’d be surprised how often it’s overlooked. Here’s the thing: when it comes to securing your website, make your user name as cryptic as your password. The most recent user name I had for this website was “nxsTiwzrqs2QEJRL4K9F9WY”, which I’m comfortable sharing here because the new user name is equally secure. Keep in mind that a WordPress user name can only be letters and numbers, but a password can have symbols in it, so when you’re creating your password, make sure it’s something like “4/r&9iu4Y8pUodK6ZFBE.mq”, because nobody is cracking that any time soon. Don’t fear: you can still set the display name for your posts to your actual name.
As always, here’s my usual recommendation to buy the indispensable 1Password app for creating, storing and entering secure passwords. It’s truly a must-have app. Buy it now from the App Store.
Seriously, buy it. It’ll change your life.
From the security logs I’ve seen these past few months, when it comes to hacking attempts, the most commonly guessed user name is “Admin”, time and time again. If your site’s user name is “Admin,” before reading any further, open up a new browser tab, log into your site admin, create a new user account with a secure user name and admin privileges, log out from the old admin and in with the new, and delete that Admin user. This is the weakest point in your security setup, and there’s just no reason for it.
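As an added illustration of the two points above (a user name as random as the password, and never “Admin”), here is a small Python helper that is not part of this post or of WordPress: it generates credentials under the constraints the post states, scores them in bits of guessing entropy, and flags a weak user name. The 12-character minimum is my own threshold, not something the post specifies.

```python
import math
import secrets
import string

# The post states that a WordPress user name can only contain letters and
# numbers, while a password may also contain symbols; these alphabets follow that.
USERNAME_ALPHABET = string.ascii_letters + string.digits
PASSWORD_ALPHABET = USERNAME_ALPHABET + string.punctuation

# The post names "Admin" as the user name bots guess time and time again.
GUESSABLE_USERNAMES = {"admin"}
MIN_USERNAME_LENGTH = 12  # assumption: my own threshold, not from the post


def generate_username(length: int = 23) -> str:
    """Random alphanumeric user name, as long as the one quoted in the post."""
    return "".join(secrets.choice(USERNAME_ALPHABET) for _ in range(length))


def has_symbol(secret: str) -> bool:
    return any(c in string.punctuation for c in secret)


def generate_password(length: int = 23) -> str:
    """Random password over letters, digits and symbols; redrawn until it
    actually contains a symbol, so it matches the post's example."""
    while True:
        candidate = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if has_symbol(candidate):
            return candidate


def entropy_bits(secret: str, alphabet: str) -> float:
    """Guessing entropy of a uniformly random string of this length over alphabet."""
    return len(secret) * math.log2(len(alphabet))


def username_findings(username: str) -> list[str]:
    """Reasons a user name is weak, in a fixed order; an empty list means it passes."""
    findings = []
    if username.lower() in GUESSABLE_USERNAMES:
        findings.append("guessable default name")
    if len(username) < MIN_USERNAME_LENGTH:
        findings.append("too short")
    if username.isalpha() or username.isdigit():
        findings.append("single character class")
    return findings


if __name__ == "__main__":
    user, pw = generate_username(), generate_password()
    print(user, round(entropy_bits(user, USERNAME_ALPHABET)), "bits")
    print(pw, round(entropy_bits(pw, PASSWORD_ALPHABET)), "bits")
    print("Admin ->", username_findings("Admin"))
```

The post’s own 23-character user name scores about 137 bits and its password about 151 bits, which is why neither is being cracked any time soon.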
Like all the other data in your life, you need to back up your site regularly. The same rule of thumb applies here: back up as often as you can afford to lose data. If every day’s post or content update to your website is vital, then you need to back up every single day. If you only post once a week, perhaps you can get away with weekly backups. Whatever the schedule is, you must back up your site, because this is your first and most valuable resource if your site gets hacked or corrupted.
Updraft Plus is a free plugin that can automate the backup process, and store your backups on a multitude of cloud services (Dropbox, Google Drive, Amazon S3, etc.). It’s truly set it and forget it, and in the event of a catastrophic problem, Updraft Plus can get your site up and running again in mere minutes. The value of this can’t be overstated if you rely on your site daily to attract customers, manage your business, or even just share your thoughts with the world.
There are numerous comparable plugins, and your hosting provider may even offer a similar service. What’s key to be aware of is how long your hosting service stores backups (often 30 days, but your provider may vary). This means you need to be vigilant and keep tabs on your site’s wellbeing so that you’re always comfortably inside the deletion window. It doesn’t do you much good to have 30 days of backups if your site got damaged 35 days ago and every stored backup is of your compromised site. It also doesn’t help if you have a 30-day backup window, realize your site was compromised on day 20 and spend two weeks waiting to resolve your issue: again you’re on day 34 and only have useless backups. Time is of the essence here, so act quickly to restore your site from a backup as soon as you’re aware a problem exists.
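To make the two backup-window scenarios above concrete, here is an added Python model that is not from the post or from Updraft Plus. It assumes a daily backup schedule and a host that deletes anything older than the retention window, and reports whether a clean (pre-compromise) backup still exists and the last day you can still act; the reference date is constructed.

```python
from datetime import date, timedelta

# Constructed reference date for the worked scenarios (not from the post).
BASE = date(2016, 3, 1)


def daily_backups(first_day: date, last_day: date) -> list[date]:
    """One backup per day, inclusive, as a daily schedule would produce."""
    n = (last_day - first_day).days + 1
    return [first_day + timedelta(days=i) for i in range(n)]


def retained(backups: list[date], today: date, retention_days: int) -> list[date]:
    """Backups the host still stores: anything older than the window is gone."""
    cutoff = today - timedelta(days=retention_days)
    return [b for b in backups if b >= cutoff]


def newest_clean_backup(backups, compromise_day: date, today: date, retention_days: int):
    """Newest surviving backup taken before the compromise, or None if every
    remaining backup already contains the compromised site."""
    clean = [b for b in retained(backups, today, retention_days) if b < compromise_day]
    return max(clean) if clean else None


def last_day_to_act(compromise_day: date, retention_days: int) -> date:
    """Last calendar day on which the backup from the day before the
    compromise is still inside the host's deletion window."""
    return compromise_day + timedelta(days=retention_days - 1)


def scenario(compromise_offset: int, today_offset: int, retention_days: int = 30):
    """Offsets are days relative to BASE; daily backups are assumed since BASE - 60 days.
    Returns the offset of the newest usable clean backup, or None."""
    backups = daily_backups(BASE - timedelta(days=60), BASE + timedelta(days=today_offset))
    found = newest_clean_backup(backups, BASE + timedelta(days=compromise_offset),
                                BASE + timedelta(days=today_offset), retention_days)
    return None if found is None else (found - BASE).days


if __name__ == "__main__":
    print("damaged 35 days ago, 30-day window:", scenario(-35, 0))      # None
    print("noticed day 20, waited until day 34:", scenario(0, 34))     # None
    print("noticed day 20, restored the same day:", scenario(0, 20))   # -1
    print("last day to act after a day-0 compromise:", last_day_to_act(BASE, 30))
```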
With over 12 million installs to date, Wordfence is one of the premier security plugins for WordPress. Available in both free and premium versions, Wordfence is an excellent defensive barrier against hacking attempts, malware infestation and other unsavory attacks on your site. Best of all, it’s a set-it-and-forget-it plugin: once it’s up and running, it automatically does its thing with no involvement from you. There is a wealth of customization settings you can configure during your initial install, but after that it’s smooth sailing.
Worthy of a blog post all of its own, Wordfence has a wealth of advanced security functionality built in that can do everything from enforcing a strong password policy, to blocking specific IPs from accessing your site, to restoring damaged files. In the security space, Wordfence is a jack of many trades, yet it never sacrifices security in the name of adding more features, which is why we install Wordfence on every site we set up.
The Premium version of the plugin offers even more robust security functionality: two-factor authentication, advanced spamware scanning, more frequent security scans of your complete site, the ability to create a geofence and block specific countries from accessing your site, and of course premium support services for when you need additional help far beyond what the free plugin offers.
Again, your hosting service may offer similar security functionality – but it might not. It pays to do the research here to see how protected you are and balance that with how protected you want to be.
Read Your Email
Here’s another guideline that’s very basic, yet also very commonly ignored by site owners: if you get an email from your hosting provider alerting you to a problem, read it and act on it promptly. Don’t wait three weeks before getting around to addressing the problem. This again relates to your backup window, and how far back you have clean backups.
Similarly, emails about expiring domains, plugin license renewals and other essential services are critical to the smooth functioning of your site. Read them and promptly act on them as needed. For example, if your domain name expires and somebody else grabs it, you’re at their mercy to get it back, and it’ll likely cost you a bundle. If you’re prone to not acting on this sort of thing in a timely fashion, go to your domain registrar right now and renew your domain for 20 years.
One suggestion to prevent these emails from getting lost in the void of your overflowing inbox is to set up a new email address used solely for these services to alert you of issues. Go create a Gmail address along the lines of MyDomainServices@gmail.com and use that for all the vendors and services that interact with your site. Here’s our post on why it’s a good idea to have multiple email addresses to keep your life better managed.
You know those notices you get every now and then to update your apps/software/plugins/passwords etc.? Do you usually just ignore them and get on with your day? That’s potentially a big mistake too, because more often than not these days, system updates, WordPress core updates, and plugin updates are done to strengthen security, and that’s something well worth doing. These things are all updated in response to new and active threats, so it becomes critical to perform these updates in a timely fashion. Think of it this way: getting a flu shot in 2008 isn’t going to do you much good against the 2016 strain of the flu. Staying current is important.
Tech Haven Is Here To Help
At the end of the day, unless you have an actively vigilant webmaster, the burden of these guidelines is on you to set up and monitor regularly. Don’t assume that the person you hired to set up your site two years ago, whom you call when trouble arises, has your back when it comes to actively protecting your site. You need somebody who’s logging into your site at least a couple of times a month to confirm all is working as desired. Fortunately, there’s nothing I’ve shared here that should be considered beyond the scope of your abilities if you’re a regular WordPress user and know your way around the admin interface.
That said, if any of this is confusing, overwhelming or simply too time consuming for you to manage, Tech Haven is always here to help with both setup and ongoing maintenance of any of these services or features. Certainly if you’re focused on content creation, and have no interest in administering the backend of your website, please reach out. If your website is important to you, it’s important to us too.