Cybersecurity has become a mainstream concern. Whether you run a small business site or are the security engineer responsible for a large network, it is clear that no website is too big or too small to be targeted. Websites are compromised on a massive scale worldwide, by some estimates up to 30,000 per day, and for many businesses a compromise is fatal.
One of the most worrying trends is the rise in automated, highly targeted attacks: bots programmed to scan the web for specific vulnerabilities in content management system (CMS) software.
WordPress powers over 35% of all websites, so it is no surprise that it is also the CMS with the most reported vulnerabilities. Most of these do not lie in WordPress core itself but in the plugins that extend its basic functionality. From appointment reminders to browser games, the official directory offers over 50,000 plugins, and the number is growing at roughly 30% per year; every plugin you install is third-party code running with the same access to your database and file system as WordPress itself. If you own a WordPress site, assume you are a target, and know that there is a lot you can do to keep it safe.
Invest in good hosting
From a performance point of view it is always a good idea to choose a quality host, since performance is one of the essential factors in your users' experience. But the importance of your hosting provider for your website's security cannot be overstated. Just as you would research a financial services provider or a WordPress theme before committing, research how invested a prospective host is in the security of the sites it runs.
The best hosting services offer a range of tools to keep your site running safely. Check the following before making your final decision:
- Regular automated backups, kept somewhere other than the web server itself, and the ability to restore to a chosen point in time (test a restore before you need one)
- Ongoing network and server monitoring by the host
- 24/7/365 online or telephone support
- Current hardware (SSD storage) and a supported PHP release (PHP 7 or later), with HTTPS
- TLS/SSL certificates, a web application firewall and DDoS mitigation
- Written incident-response and breach-notification policies, so you know what happens and who is told if a breach occurs
Once you have chosen a host, make sure you have access to the file system and database through cPanel, SSH, SFTP or phpMyAdmin, and prefer SSH or SFTP over plain FTP, which sends your credentials in the clear. Keep these credentials in a password manager rather than a shared document; any developers you work with will need access, and each should get their own account where the host allows it.
Install a security plugin
Once you have decided on a hosting service, it is time to get serious about security, and the time to do that is before the site goes live. Install a security plugin to monitor your site's activity and manage its access controls. Estimates put the cost of data breaches to the US economy at over $100 billion per year, so it is in your interest to choose a high-quality plugin.
There is a multitude to choose from; look for one that supports two-factor authentication, monitors core files for unexpected changes, limits login attempts to blunt brute-force attacks, and still leaves you a few user-management options. Bear in mind that no plugin guarantees foolproof security (a plugin cannot patch a vulnerable theme or a misconfigured server), but a good one gives you visibility and a sound baseline from day one.
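To make "monitors core file changes" concrete, here is an added example (not code from the original article or from any plugin) of the check such a plugin performs: hash every file under the install, keep the manifest, and diff a later scan against it. The directory layout and file contents are constructed for the demo.

```python
"""Minimal file-integrity monitor of the kind a WordPress security plugin runs
over the core tree: build a SHA-256 manifest of a directory, then diff a later
scan against it and report added, removed and modified files.

Added example, not code from the original article or from any plugin.  The
directory layout and file contents in demo() are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 hex digest."""
    root_path = Path(root)
    manifest = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root_path).as_posix()] = digest
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare two manifests; 'modified' means same path, different hash."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Simulate a clean install, then a tampered one (all files constructed)."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "wp-includes").mkdir()
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (site / "wp-includes" / "functions.php").write_text("<?php // core\n")
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        baseline = build_manifest(root)

        # Tampering: an unknown file dropped into core, a core file altered, a file deleted.
        (site / "wp-includes" / "class-wp-cache.php").write_text("<?php // not a core file\n")
        (site / "index.php").write_text("<?php require 'wp-blog-header.php'; // injected\n")
        (site / "wp-includes" / "functions.php").unlink()
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a plugin must honour that the toy above glosses over: the baseline manifest has to live somewhere the web server cannot write (otherwise an attacker who can modify files can also "fix" the manifest), and for WordPress core the better baseline is the checksum list published by WordPress.org for each release, which is what `wp core verify-checksums` in WP-CLI compares against.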
Use strong login credentials
Always keep in mind that attackers will probe your login page first, so never use "admin", your domain name or another easily guessed word as your username. Most importantly, use a very strong password. If you struggle to come up with one yourself, the password generator built into the WordPress user profile page will produce one for you.
According to Bruce Schneier, the world-famous American cryptographer, one should always remember that “the whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it’s easy to remember, it’s something nonrandom like ‘Susan.’ And if it’s random, like ‘r7U2*Qnp,’ then it’s not easy to remember”.
Strong passwords should be at least 8 characters, and the longer the better: a random passphrase of several words is both stronger and easier to remember than a short jumble of symbols. Wherever possible, also enable two-step or multi-factor authentication. Bots run dictionary and credential-stuffing attacks, cycling through common or previously leaked username and password pairs, so a second factor at login means a guessed password alone is not enough.
Run regular updates
Your WordPress core, plugins and themes should always be up to date so that known vulnerabilities and widely used exploits have been patched. WordPress enables automatic updates by default for minor core releases and translation files, but it does not auto-update your themes and plugins by default (newer releases let you opt in per plugin or theme from the admin screen), so it is crucial that you check for and apply those updates on a regular schedule.
It is also a good idea to have a maintenance plan so that only the files your site actually uses remain on the server: delete unused plugins and themes rather than merely deactivating them, since deactivated code can still be reachable by direct request and still needs patching. It is possible to disable automatic updates on your WordPress site, but this is strongly discouraged, because automatic updates for minor core releases are one of the best ways to keep your site secure.
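A regular update check starts with knowing what is installed. The following added example (not code from the original article or from WordPress) parses the header comment WordPress itself reads from each plugin's main file and flags plugins whose version is behind a known-latest list. The plugin files and the "latest versions" table are constructed for the demo; a real check would fetch the latter from the wordpress.org plugin API or simply run `wp plugin list --update=available`.

```python
"""Inventory installed WordPress plugins by parsing each plugin's header block
(the same 'Field: value' lines WordPress reads from the first 8 KiB of the
main file) and report any behind a known-latest version table.

Added example, not code from the original article or from WordPress; the
plugin files and the latest-version table in demo() are constructed.
"""
import re
import tempfile
from pathlib import Path

HEADER_FIELDS = ("Plugin Name", "Version")


def parse_plugin_header(text: str) -> dict[str, str]:
    """Extract header fields from the leading comment; tolerates ' * ', '//' and '#' prefixes."""
    header = {}
    for field in HEADER_FIELDS:
        pattern = rf"^[ \t/*#@]*{re.escape(field)}:[ \t]*(.+?)\s*$"
        m = re.search(pattern, text[:8192], re.MULTILINE | re.IGNORECASE)
        if m:
            header[field] = m.group(1).strip()
    return header


def version_tuple(v: str) -> tuple[int, ...]:
    """Numeric comparison so that 1.2.10 > 1.2.9 (string comparison gets this wrong)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def scan_plugins(plugins_dir: str) -> dict[str, str]:
    """Return {plugin directory name: installed version} for every plugin found."""
    found = {}
    for main in sorted(Path(plugins_dir).glob("*/*.php")):
        header = parse_plugin_header(main.read_text(errors="replace"))
        if "Plugin Name" in header and "Version" in header:
            found[main.parent.name] = header["Version"]
    return found


def outdated(installed: dict[str, str], latest: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Plugins whose installed version is lower than the known latest: {slug: (have, latest)}."""
    return {slug: (v, latest[slug]) for slug, v in installed.items()
            if slug in latest and version_tuple(v) < version_tuple(latest[slug])}


def demo() -> dict[str, tuple[str, str]]:
    """Two constructed plugins, one of them a patch release behind."""
    with tempfile.TemporaryDirectory() as root:
        plugins = Path(root)
        (plugins / "contact-form").mkdir()
        (plugins / "contact-form" / "contact-form.php").write_text(
            "<?php\n/**\n * Plugin Name: Contact Form\n * Version: 1.2.9\n */\n")
        (plugins / "gallery").mkdir()
        (plugins / "gallery" / "gallery.php").write_text(
            "<?php\n/*\nPlugin Name: Gallery\nVersion: 3.0\n*/\n")
        latest = {"contact-form": "1.2.10", "gallery": "3.0"}  # constructed table
        return outdated(scan_plugins(root), latest)


if __name__ == "__main__":
    for slug, (have, want) in demo().items():
        print(f"{slug}: installed {have}, latest {want}")
```

Note that the comparison is numeric per component: a naive string comparison would call 1.2.9 newer than 1.2.10 and silently hide the very update you need.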
Install SSL certificates
Many website owners are unaware of how important TLS (still widely called SSL) and HTTPS are. Google went so far as to set deadlines during 2018 for site owners and publishers to move their sites from HTTP to HTTPS, with Chrome 68 marking every plain-HTTP page as "Not secure", and announced that "Chrome's new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default."
A TLS certificate lets your server prove its identity and encrypt every request and response between the browser and your site, so that login credentials, session cookies and anything a visitor types into a contact form cannot be read or altered in transit; its protection is not limited to forms. Some hosting companies include a certificate in their service free of charge, but you may have to ask. Certificates come in three validation levels:
- Extended Validation (EV) – requires extended vetting of the business: organizational details, domain ownership and the organization's legal existence
- Organization Validated (OV) – requires validation of domain ownership plus organizational details such as the organization's name, city, state and/or country
- Domain Validated (DV) – requires only proof that the requester controls the domain (typically by answering an e-mail to a registered contact, serving a token over HTTP, or publishing a DNS record)
Once installed, the certificate gives visitors an encrypted, authenticated connection to your site. Be clear about what it does not do: the validation level changes what the issuer checked about you, not the strength of the encryption, and HTTPS does nothing about a vulnerable plugin or a weak password; it protects data in transit, not the server. To get the full benefit, redirect every HTTP request to HTTPS and send a Strict-Transport-Security header so browsers never fall back to plain HTTP, and track the certificate's expiry date, because an expired certificate produces exactly the browser warning you were trying to avoid.
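To see the difference between the three validation levels in practice, here is an added example (not code from the original article) that inspects a certificate the way a browser does: it reports which validation level the subject fields indicate and how many days remain before expiry. The certificate dictionaries are constructed in the shape that `ssl.SSLSocket.getpeercert()` returns, so the demo runs offline; `check_live()` performs the real connection. The field name `jurisdictionCountryName` for the EV jurisdiction attribute is assumed to match the long OpenSSL name that Python's `ssl` module emits.

```python
"""Report the validation level (DV, OV or EV) and the days until expiry of a
server certificate in getpeercert() form.  Added example, not code from the
original article; standard library only.  Sample certificates are constructed
and are not real certificates.
"""
import socket
import ssl
import time
from typing import Optional


def subject_fields(cert: dict) -> dict[str, str]:
    """Flatten getpeercert()'s nested 'subject' tuple-of-RDNs into a plain dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}


def validation_level(cert: dict) -> str:
    """DV: only the domain name.  OV: an organization was verified.
    EV: additionally the business category and jurisdiction fields the EV
    guidelines require (OpenSSL long names assumed, e.g. jurisdictionCountryName)."""
    s = subject_fields(cert)
    if "businessCategory" in s and any(k.startswith("jurisdiction") for k in s):
        return "EV"
    if "organizationName" in s:
        return "OV"
    return "DV"


def days_until_expiry(cert: dict, now: Optional[float] = None) -> int:
    """Whole days left on the certificate; negative means it has already expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((not_after - now) // 86400)


def check_live(host: str, port: int = 443) -> dict:
    """Connect with the default verifying context (hostname and chain checked) and
    return the peer certificate.  Network access required; not used by the demo."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() form (not real certificates).
DV_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "example.com"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
EV_CERT = {
    "subject": (
        (("jurisdictionCountryName", "US"),),
        (("businessCategory", "Private Organization"),),
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "example.com"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    for name, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(name, validation_level(cert), days_until_expiry(cert), "days left")
```

The same `check_live()` call is the basis of a useful cron job: if `days_until_expiry()` drops below, say, 14, send yourself an alert. Since `create_default_context()` verifies the chain and hostname, a misissued or self-signed certificate fails the connection outright rather than being silently classified.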