First off, please understand that all sites and hosting setups are susceptible to security issues. This includes do-it-yourself site builders as well. And this is not something to take lightly, especially where your customers are concerned.
It’s one thing to protect your website files, but are you making sure your customer data is protected? We have all read about large department stores getting hacked and losing their customers’ credit card information to the attackers. Something like this could ruin even the smallest business through lawsuits and the like. Bottom line: it’s your job to reduce the likelihood of getting hacked, especially if you are collecting user data of any kind. So how do you protect your site?
Plugins are Cool But Can be The Villain
I love WordPress because of the hundreds, if not thousands, of plugins and themes available.
With that said, this can become an Achilles’ heel, so to speak. Not all plugins are trustworthy. Some can crash your site or stealthily implant themselves and do something malicious. It’s imperative that you make sure any plugin you install is safe. Partnering with an experienced WordPress developer helps, as they can guide you through the maze of good and bad themes and plugins out there. At the very least, always download your plugins and themes from a reliable source.
Update, Update, Update
I cannot stress the importance of this enough. Keep your WordPress core, plugins and theme up to date. This is something do-it-yourselfers typically overlook. My experience has been that by doing this religiously for my sites and my customers’ sites I have dodged many issues. Of course, always performing a backup before updating is just as critical.
Hackers can cleverly uncover weak passwords with a variety of methods. Most website owners don’t believe their little site would be a target for a hacker. Wrong! Take a look at this: Huge rise in hack attacks as cyber-criminals target small businesses.
Choosing a strong password is important, and you should make sure all your users do the same. One weak link is all the hackers need. Something like “pAssword!1234” shows the idea (mixed case, a symbol and digits), though of course you should not use the word “password” itself, and you should pick a different number. You get the idea. It also probably makes sense to have two-step authentication in the world we find ourselves in today. Again, an experienced developer can help with this.
Is Your Database Secure, Really?
Everything can be accessed from an Administrator login. With that said, I cannot tell you how many times I have found a WordPress site with the default administrator account still intact. After setting up a new admin account, delete the old default one. Always!
Beware of changing the wp-config.php file!
It’s a critical file which contains the database username and password and database information in general. Be very careful when working on your wp-config.php file. Personally, unless you know what you’re doing, I wouldn’t. Let the professionals handle it. One gotcha I’ve seen is making a backup, renaming it wp-config.OLD and leaving it on the server. Without the .php extension the web server no longer executes the file but serves it as plain text, so you have opened your config file, database credentials included, to the public.
Backups are cool if protected.
I love backups! I keep them on my local storage device or off site in Google Drive or Dropbox. What I don’t like is when they are backed up to a public directory on your website. These can be downloaded by anyone, with all the information you would never want a hacker to have.
HTTPS and Certificates Pain
Yes, you need HTTPS even if you’re not doing transactions over the internet. What? Browsers now warn end-users that the site they are on is not secure!
“To enable HTTPS on your website, you must first obtain an SSL Certificate from a Certificate Authority (CA). This certificate does a couple of things. One, it enables your site to communicate with users using encrypted, non-corruptible data. The certificate also acts as a stamp of approval from a trusted party (in this case, the CA) that says your site is legitimate and secure.” – Search Engine Journal
This can really be confusing to the novice. Either have your ISP walk you through the process or hire a professional. It is important and needs to be done.
Site Security and Public Files
Take time to make sure there are no publicly viewable files that shouldn’t be. For instance:
- Backups: They should not be stored in a public folder.
- Log files: The biggest culprits are error logs.
- Orphaned PHP applications: No longer used or updated.
- Test files: Always clean up after yourself.
- A full additional copy of your WordPress website: Really?
- Temporary files: Again, clean up after yourself.
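A quick way to check your own web root for the leftovers listed above and for the wp-config.OLD gotcha from the earlier section. This is an added example, not code from the original post; it builds a small constructed WordPress-like folder in a temp directory (nothing on your server is touched) and flags files by name. The extension lists and the `test*.php`/`phpinfo.php` names are assumptions you should extend for your own hosting.

```python
import os
import tempfile

# Name rules for files that must never sit under a public web root. The
# extension lists are assumptions for this example; extend them for your host.
ARCHIVE_EXTS = (".zip", ".tar", ".tar.gz", ".tgz", ".sql", ".sql.gz")
TEMP_EXTS = (".tmp", ".bak", ".old", "~")

def classify(name, rel_dir):
    """Return why a file is a problem, or None if it looks fine."""
    lower = name.lower()
    # wp-config.OLD, wp-config.php.bak, wp-config.php~: without a .php extension
    # the web server hands the file out as text instead of executing it.
    if lower.startswith("wp-config") and not lower.endswith(".php"):
        return "copy of wp-config.php served as plain text"
    if lower == "wp-config.php" and rel_dir:
        return "second WordPress install in a sub-folder"
    if lower.endswith(ARCHIVE_EXTS):
        return "backup archive in a public folder"
    if lower.endswith(".log") or lower == "error_log":
        return "log file"
    if (lower.startswith("test") and lower.endswith(".php")) or lower == "phpinfo.php":
        return "test file left behind"
    if lower.endswith(TEMP_EXTS):
        return "temporary or editor backup file"
    return None

def find_exposed_files(root):
    """Walk a web root and return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        for name in names:
            reason = classify(name, rel_dir)
            if reason:
                findings.append((os.path.join(rel_dir, name), reason))
    return sorted(findings)

def demo_scan():
    """Build a constructed web root in a temp dir (not a real site) and scan it."""
    root = tempfile.mkdtemp()
    fixture = ["index.php", "wp-config.php", "wp-config-sample.php", "wp-config.OLD",
               "backup-2017.zip", "test.php", "wp-content/debug.log",
               "wp-content/uploads/site.sql.gz", "old-site/wp-config.php"]
    for rel in fixture:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return find_exposed_files(root)
```

Call `find_exposed_files("/path/to/your/public_html")` to scan a real site; `demo_scan()` runs it on the constructed fixture and should flag six files while leaving wp-config.php, wp-config-sample.php and index.php alone.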
Is a Firewall Needed for Site Security?
Yes! But it can be a little intimidating, unfortunately.
Here is what a typical WordPress firewall product does:
- Malware scanning.
- Brute-force login protection.
- Protection against hacker reconnaissance techniques.
- Full featured web application firewall.
- Rate based throttling and blocking.
- Two-factor authentication.
- Password auditing.
- Country blocking.
- Advanced blocking techniques including blocking IP ranges and blocking user-agents.
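To make the “brute-force login protection” and “rate based throttling” items above concrete, here is an added example (not code from the post or from any firewall product) that spots repeated failed logins in an Apache-style access log. It relies on a WordPress detail: a failed login to wp-login.php re-renders the form with HTTP 200, while a successful one redirects with 302. The log lines are constructed for the example, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache-style access log lines (not from a real server). A failed
# WordPress login re-renders the form with HTTP 200; a success redirects (302).
LOG_LINES = """\
203.0.113.7 - - [10/Mar/2017:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3281
203.0.113.7 - - [10/Mar/2017:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3281
203.0.113.7 - - [10/Mar/2017:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3281
203.0.113.7 - - [10/Mar/2017:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3281
198.51.100.4 - - [10/Mar/2017:08:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3281
198.51.100.4 - - [10/Mar/2017:08:00:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3281
198.51.100.4 - - [10/Mar/2017:08:00:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Mar/2017:08:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3281
192.0.2.9 - - [10/Mar/2017:08:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3281
192.0.2.9 - - [10/Mar/2017:08:03:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3281
""".splitlines()

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def failed_logins(lines):
    """Yield (ip, time) for each POST to wp-login.php that came back as 200."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def find_bruteforce(lines, max_failures=3, window_seconds=60):
    """Return {ip: time of the failure that crossed the threshold} for every IP
    with at least max_failures failed logins inside a sliding time window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = {}
    for ip, when in failed_logins(lines):
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = when
    return flagged
```

On the sample, only 203.0.113.7 is flagged: 198.51.100.4 stops after two failures and then logs in, and 192.0.2.9 spreads its three failures more than a minute apart, which is why the window matters and why a real firewall combines rate limits with other signals.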
There are many firewalls available for WordPress. I would encourage you to evaluate several products and their references. If this seems overwhelming then it probably makes sense to partner with a professional.
WordPress security involves a fairly steep learning curve. Partnering with a solid, experienced WordPress developer can help tremendously. Take security seriously, as your online business future may just rely on it.
© 2000-2017 totallysales™ | Photos courtesy of 123RF