There is very little doubt that WordPress is the world's most popular Content Management System (CMS), powering 31%+ of worldwide websites. It's free and open-source, as well as easy to use, which makes it hard for many website designers and small business website owners to pass by. However, with its fast-paced growth in popularity and so many web developers making simple mistakes, hackers are now specifically targeting WordPress for easy hacks.
Statistics from 40,000+ WordPress websites in Alexa's Top 1 Million show more than 70% of WordPress sites are vulnerable to attack. It's easy to make some of these simple mistakes unknowingly. If you've missed any of these necessary precautions, your site may very well be at a high risk of being hacked. It's essential for you to regularly monitor your website's security and make sure your content is safe and secure.
Here are 8 non-negotiables when it comes to the security of your website:
1. Choosing a good hosting company
Your hosting company should be continually monitoring for suspicious activity, with protection options against DDoS attacks. Sometimes cheapest is not best. If it does not offer real-time security monitoring, then it's time to upgrade or move to another hosting company.
2. Make regular backups
Make sure that either your hosting company or a WordPress plugin is doing regular backups in case your site does go down. We recommend UpdraftPlus and VaultPress (comes with Jetpack).
3. Install a WordPress security plugin
There are lots of options to make sure your website is secure, and installing a plugin is probably the easiest for DIY users. Jetpack, Wordfence and Sucuri Security are well-known choices.
4. Pick a VERY strong username and password
It's more common than you think to use "Admin", the default username created by WordPress. That gets the hackers halfway in. Be scrupulous about who you give admin access to. Assign specific roles and make sure you are regularly purging users who are no longer needed. Reset your password regularly, especially when doing any kind of handover or security changes.
5. Use SSL/HTTPS
This is the newest level of encryption your website should be using. In addition to making your site safer, using it signals to users and Google that your website protocol is safe and secure. Free certificates are available from Let's Encrypt.
6. Limit login attempts
Unlimited login attempts are by far the easiest way for hackers to crack your site. By default, WordPress allows unlimited attempts. Make sure you set a limit on failed login attempts for your site.
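As an added illustration of what "limiting failed login attempts" does under the hood (this is example code, not from the original post or from any of the plugins named above, which do the same job more thoroughly), the following must-use plugin throttles logins with WordPress's own hooks. It assumes the file is dropped into wp-content/mu-plugins/ and that REMOTE_ADDR is the real client address (behind a CDN or reverse proxy you would need to read the forwarded header instead).

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example, not part of the original post)
 * Place in wp-content/mu-plugins/ so WordPress loads it automatically.
 * Assumption: REMOTE_ADDR holds the real client address (no CDN/reverse proxy in front).
 */

const SLT_MAX_ATTEMPTS = 5;                       // failures allowed per window
const SLT_WINDOW       = 15 * MINUTE_IN_SECONDS;  // counting window and lockout length

function slt_key( $username ) {
    // Bucket by client IP AND username: one attacker cannot lock out everybody,
    // and one user cannot be locked out from every address at once.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'slt_' . md5( $ip . '|' . strtolower( $username ) );
}

// wp_authenticate_user runs after the user is looked up but BEFORE the password
// is compared, so a locked-out client never gets a password check at all.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    if ( $user instanceof WP_User ) {
        $fails = (int) get_transient( slt_key( $user->user_login ) );
        if ( $fails >= SLT_MAX_ATTEMPTS ) {
            return new WP_Error(
                'too_many_attempts',
                __( 'Too many failed logins. Please try again later.' )
            );
        }
    }
    return $user;
}, 10, 2 );

// Count every failure; the transient's expiry doubles as the lockout timer.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = slt_key( $username );
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, SLT_WINDOW );
    // Log it so your hosting or monitoring can spot a brute-force run.
    error_log( sprintf( 'login failure #%d for user "%s"', $fails, $username ) );
}, 10, 1 );

// A successful login clears the counter for that client/user pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( slt_key( $user_login ) );
}, 10, 1 );
```

After five failures from one address against one username within 15 minutes, further attempts from that pair are refused until the window expires, and the server error log shows the count climbing.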
7. Use 2-Factor authentication and CAPTCHA/ReCAPTCHA
Two-factor authentication is now the standard for so many platforms. With it enabled, logging in requires access to two devices, not just the password. Another option is CAPTCHA, which forces users to visually identify symbols to prove they are human.
8. Keep your WordPress core, themes and plugins updated.
If you are strategising your small business website and doing the hard yakka yourself, then you need to know how to maintain the safety and security of your website. WordPress makes it quite easy. If you regularly check into the Admin area of your website, you'll see notifications for updating the WordPress version (core), plugins, and themes. It's vital to keep these up to date for security purposes. One warning though: updates can potentially disrupt plugins or code and create issues with your website's functionality, so back up before you update.
You may already be in hot water: your website may have been flagged or, even worse, hacked. Here are a few signs that will help you identify whether your site has been compromised.
Google Search Console alerts you.
Google Search Console recently added a "Security Issues" tab that alerts webmasters to phishing, hacks, malware and suspicious activity. If you haven't linked Search Console to your Google Analytics account, it's high time you did.
Red Alert! - Your browser alerts you to the hack.
Your browser will display a warning, either that your site is being used in phishing campaigns or that it is hosting malware. Either one is a very strong sign your site has been successfully hacked.
Oops! Your site is offline.
If your site is no longer live, there is a good chance your provider has taken it down because it was hacked; in most cases the provider will notify you. Ouch. We hope you've made it a regular habit to back up your website!
Google search results flag your site as compromised or harmful
Google will warn visitors if the content they're trying to see is flagged as phishing or malware, with messages including:
- "The site ahead contains malware".
- "Deceptive site ahead".
- "The site that you are trying to visit might be a phishing site".
- "The site ahead contains harmful programs".
There are countless security precautions you should be taking to reduce the risk of attack. It will always remain vital that you keep updating to the newest version of WordPress itself. Without doing so, your site will be vulnerable.
Making sure your website and your customers' privacy are secured and protected is vital.
For more information about security and managed web services and for a free security assessment as to where your website might be vulnerable, we're ready to hear from you.