We live in a world of malware infections spread by botnets, denial-of-service attacks, and viruses that take over computers to steal data. I know it can seem a bit overwhelming. As website owners, we all have a responsibility to make sure our site is as protected from attack as it can be.
Having your site hosted on the right server can make your life much easier. For WordPress hosting, I recommend SiteGround’s Managed WordPress Hosting (the GrowBig account offers backups & easy restore) or GoDaddy’s Managed WordPress Hosting (the Ultimate account offers backups, easy restore & malware scanning/removal).
Here are some things you need to think of in regards to securing your site:
Malware & Hacking
Websites, like computers, need to be protected from viruses & malware attacks (hacking). WordPress is the most popular content management system in existence, which also makes it the most targeted in regards to malware attacks. Although there is no way to reduce that risk to 0%, we can take precautions. The most important thing that you need to do is to make sure you have malware protection & monitoring service. Some hosts now offer malware monitoring via their hosting accounts, so check with your host to see what protections you can put in place at that level.
If your host does not have a safeguard that protects against hacking, or if they only offer notification that your site has been hacked but no malware clean-up option, I recommend Sucuri. Starting at $199/year, Sucuri will protect your site with their CloudProxy firewall, monitor your site & clean it of malware if it becomes infected (which, if it’s protected by the CloudProxy firewall, is unlikely).
For detailed information about what to do if you do get hacked, read the article “I’ve Been Hacked! Now What?”
If a site is compromised on a large scale (i.e., it needs to be restored), you must have a current backup of the site or risk having to have your site rebuilt from scratch. Again, check with your host. Find out if you can add a daily backup service to your hosting account that offers easy restoring. That is the ideal option because if something goes wrong, your host can restore the site to a previously saved version. Make sure they store several weeks of backups in case you need to restore to a version of your site from two weeks ago.
Sucuri also offers a daily backup service. For around $5 per month, you can have the peace of mind knowing that if your site suffers a catastrophic loss, you can download a backup of the site from any point in the last 30 days. You can find out more information by visiting the Sucuri Website.
Remember, the text content of your site is stored in a SQL database. The site platform, design & images are stored on your server. Both must be backed up off-site to restore a site in the event of a catastrophic loss. Sucuri backs up both.
When I launch a site, all user passwords are a completely random series of letters, numbers & characters. Although you may feel like you want to change that to something you can easily remember, don’t, particularly if your login has admin-level access. It’s absolutely okay to change the password, but when you do, make sure whatever you replace it with is equally strong. Remember, admin-level users can install plugins and themes and edit files on the server, which is oftentimes how malware is placed in sites.
In this day and age, a password should not be something you can remember easily and it should never be a password you use for any other account. This goes for every online login, not just your WordPress site. Avoid pronounceable words or common phrases.
It’s absolutely okay (and preferred) to have to copy and paste your password each time you log in to anything from an encrypted password manager like LastPass. Weak admin passwords are a very common reason for hacking.
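The three paragraphs above describe the password policy in words; the following added example (written for this page, not code from the author or from any password manager) generates a password of the kind described and checks a candidate against that policy: random characters from all classes, no common word or phrase, and never reused. The common-password list and the 80-bit threshold are constructed assumptions, not values from the page.

```python
import math
import secrets
import string

# Character pool matching the page's advice: letters, numbers & characters (symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, tiny stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty", "admin123", "welcome"}

# Assumed minimum strength for an admin account (assumption, not from the page).
MIN_ENTROPY_BITS = 80


def estimated_entropy_bits(password: str) -> float:
    """Estimate strength from length and the character classes actually present.

    Treats each character as a uniform draw from the union of the classes used,
    so a letters-only password is scored against a 26- or 52-symbol pool, not 94.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += len(string.ascii_lowercase)
    if any(c.isupper() for c in password):
        pool += len(string.ascii_uppercase)
    if any(c.isdigit() for c in password):
        pool += len(string.digits)
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, already_used=frozenset()) -> list:
    """Return the policy problems found; an empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()
    if any(word in lowered for word in COMMON_PASSWORDS):
        problems.append("contains a common word or phrase")
    if password in already_used:
        problems.append("reused from another account")
    if estimated_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append("too short or too few character classes")
    return problems


def generate_password(length: int = 24) -> str:
    """Draw a cryptographically random password and keep drawing until it passes the policy."""
    if length < 16:
        raise ValueError("use at least 16 characters for an admin account")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate
```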
Hackers also target websites with spam comments. If your site allows comments to be posted, the best way to protect your site from web spam is Akismet for $5/month. Go to akismet.com to sign up for a “WordPress Key”. You will have to create an account (they will ask if you have a wordpress.com account, which is not the same as your self-hosted WordPress). Activate the Akismet plugin & enter the key, and you will notice significantly fewer spam comments & trackbacks.
There are also free plugins that block all comments; however, if your site utilizes comments, this would obviously not be a good option 🙂
Most of these attacks are not people targeting your site in particular. They are botnets released on the internet that look for any window into any site & server. The goal might be to use your server in an attack against a larger, more prominent site. It could be to embed a site redirection in your code to earn affiliate dollars by bringing your traffic to another site. It could be simply because some hackers get a thrill from attacking and bringing down as many sites as they can.
A WordPress site is built using the WordPress platform & various Open Source Plugins that create the needed functionality. All of these things are updated often, and outdated software is one of the most common vulnerabilities of a CMS. At the time of your site launch, all Plugins and the WordPress Platform were current & updated, but new versions are released regularly so it’s important to stay on top of it.
I email my clients when a new version of WordPress is released, and that’s usually a good opportunity to go in and make sure all Plugins are current. If you want to do the updates yourself, the most important part is making sure you start with a current and clean backup of the entire site and database. Every site uses different Plugins, and some Plugins on your custom site have been customized, which can create a more complex updating process. Also, platform updates can cause compatibility issues which may require restoring your site from the backup.
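The two paragraphs above are about knowing what is installed and whether it is current. The following added example (written for this page, not the author's or WordPress's own code) reads the version from the header block WordPress itself parses in each plugin's main PHP file and from the `$wp_version` line in `wp-includes/version.php`, then compares against a table of latest known versions. The plugin names, version numbers and the latest-version table are constructed sample data; in practice the table would come from wordpress.org or the WordPress updates screen.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample plugin files, in the header format WordPress reads from a plugin's
# main PHP file (a "Version:" line inside the leading comment block).
SAMPLE_PLUGIN_FILES = {
    "example-seo/example-seo.php": "<?php\n/*\nPlugin Name: Example SEO\nVersion: 3.1\n*/\n",
    "example-forms/example-forms.php": "<?php\n/**\n * Plugin Name: Example Forms\n * Version: 1.9.2\n */\n",
    "legacy-widget/legacy-widget.php": "<?php\n/*\nPlugin Name: Legacy Widget\n*/\n",
}
# Constructed stand-in for wp-includes/version.php.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '6.4.2';\n"
# Constructed "latest known" table; a real audit would fill this from wordpress.org.
LATEST = {"core": "6.5", "example-seo/example-seo.php": "3.1", "example-forms/example-forms.php": "2.0"}

HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)
CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.4.2' into (6, 4, 2) so tuples compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def plugin_version(php_source: str) -> Optional[str]:
    """Version declared in the plugin header, or None if the header has no Version line."""
    match = HEADER_RE.search(php_source)
    return match.group(1) if match else None


def core_version(version_php: str) -> Optional[str]:
    """Core version from the $wp_version assignment in wp-includes/version.php."""
    match = CORE_RE.search(version_php)
    return match.group(1) if match else None


def audit(plugin_files: Dict[str, str], version_php: str, latest: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, installed, latest) for every component that needs attention.

    A component is listed when it is behind the latest known version, or when either
    side is unknown (no Version header, or nothing known about it), since a plugin with
    no version information cannot be confirmed current and is worth a manual look.
    """
    installed = {"core": core_version(version_php)}
    installed.update({path: plugin_version(src) for path, src in plugin_files.items()})
    findings = []
    for name, have in installed.items():
        want = latest.get(name)
        if have is None or want is None:
            findings.append((name, have or "unknown", want or "unknown"))
        elif parse_version(have) < parse_version(want):
            findings.append((name, have, want))
    return findings
```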
If you would like me to review your site at any time, I can do so on an hourly basis.
Renewing Your Hosting & Domain
Your website needs a current domain & hosting account in order to function. If either of those things is allowed to lapse, your site will go down. When I receive a “my site is gone!” call, the most common culprit is that the domain or hosting account has been allowed to expire.
It is important that you know what companies hold these things so you can keep your payment & contact info up-to-date. I recommend keeping a hard-copy (not web-based) of your domain register info, hosting provider info, and all relevant logins & passwords for your site. If you don’t have that info, it will make the process of renewing much more difficult if not impossible.
In Summary …
Site protection is no longer an optional “nice to have” feature. Though it’s very easy to believe that malware attacks will happen to other people and other businesses, the bottom line is that botnet attacks do not discriminate between businesses small or large. It is your responsibility to make sure your site is protected to the best of your ability. The steps above are important and will help you have peace of mind with your website.