Not too long ago, I was writing a blog post and including a link to a friend’s website. When I tested the link and went to my friend’s site, I noticed something unusual.
Directly below the header and above the menu bar was an innocuous line of text.
“Viagra professional scam.”
That seemed a bit out of place…
I immediately notified my friend, who happened to be traveling at the time, and we discovered that his site was infected.
It’s not the first time I’ve seen something like this, and I’m sure it won’t be the last!
However, there are things that every website administrator can do to ensure their site is better protected.
Are you wondering whether it’s really worth your time to worry about site security? Perhaps the replacement costs will convince you…
How much money did you spend to initially create the site? If you created it on your own, how many hours did you spend on it?
How many pages and posts are on your current site? Using an average of 30 minutes each to write the content, how many hours did you spend on that?
Add the total number of hours together and multiply it by your hourly rate. (Or use this handy Content Replacement Cost Calculator from iThemes.)
If you paid to have your site created for you, add that amount to the content replacement subtotal.
That’s what it would cost to replace your site today. And that’s probably a low-ball figure. I don’t know about you, but I typically spend more than 30 minutes writing a blog post!
Have I convinced you now that spending some time on website security is worthwhile? If so, read on…
The tips I offer here are geared specifically toward WordPress websites, but the concepts are the same regardless of what platform your website is built on.
Follow these suggestions to secure a little peace of mind.
Choose Unique User Account Names
When WordPress is initially installed, many administrators use the default user name “Admin” for their account.
This is a big “no-no” in my book!
There are only 3 unique elements needed to access your website.
- The login URL
- A user name
- A password.
If you use the default “Admin” user name, you’ve just significantly reduced the amount of effort needed for a hacker to access your site.
Since most login URLs are also standardized (domainname.com/wp-admin), essentially all the hacker has to figure out is 1 element, your password!
Make it harder to access your site by using a unique user name for your administrator account.
Unfortunately, if your site already has an Admin user account, you can’t delete it.
However, you can (and should) create a new user account with administrator access rights. Then, change the access rights of the old Admin account to the lowest access privilege offered. For WordPress, that’s the “subscriber” level.
If someone does manage to hack the site using that account name, they won’t be able to do any damage to your site.
You can make your site even more secure by changing the login URL for it as well, although that’s something that I would never recommend you do on your own. Hire a professional website database administrator to do it instead. One small mistake here could make your site inaccessible. So that’s not a DIY job.
Ensure Your Site is Regularly Backed Up
If your website is important to your business, you can’t afford to skip this step.
It’s like owning a home without having home owner’s insurance. If the place burns down, you’ve got nothing to replace it with.
Making a regular backup of your site ensures that, in the event of a problem, you can rebuild or restore it.
Personally, I recommend using Backup Buddy by iThemes for systematic backups, because you can set a schedule and have it run automatically. For most business websites, I have it create a full database backup once a week, and an incremental backup every day.
However, there are plenty of other backup plugins out there, like Backup Creator and others.
The main thing here is to pick a plugin that meets your backup and restoration needs, as well as fitting within your budget.
This is not a place to skimp on your site.
Keep WordPress, Themes and Plugins Up-to-Date
I can’t begin to emphasize enough how important this step is for a website, although a word of caution is in order here.
If you made changes directly to your site’s theme, instead of modifying the CSS or creating a child theme, you run the risk of an update overwriting your custom code. Modifying the site’s theme instead of creating a child theme is a rookie mistake, but I’ve seen it happen often enough that it’s worth mentioning here.
Assuming that your site has been properly developed though, keeping WordPress, the theme and all plugins current is imperative. I’ll admit, some of the updates are purely for enhanced features, etc., but they almost always include some form of a security update as well.
The problem with any kind of a software update is that it comes with easy-to-read release notes that highlight the problem areas that were fixed.
Any hacker can read those release notes to identify the weakness of an earlier release. Essentially, it’s a roadmap that allows them to discover and exploit the hidden weaknesses in your site, unless you keep your site updated with the latest releases of WordPress, your theme and all plugins.
Even if a plugin is deactivated, it should be current.
For what it’s worth though, I never recommend keeping a deactivated plugin installed. If you’re not using it, delete it! It will improve the overall safety and performance of your site.
Decide Whether a Security Plugin is Right for You
This becomes a very personal question.
Is a security plugin right for you?
Only you can really answer that question…
Security plugins provide some great features!
- They can limit the number of invalid login attempts before an account is blocked, protecting against a brute force attack.
- They can automatically log a user out of the system after so many minutes of inactivity.
- They can force you to have a strong password (harder for hackers to break).
- Some can disable your login URL during specific times of the day (for instance, while you’d typically be sleeping).
However, for some people, these features can work against them. They add too much complexity to something they’re already uncomfortable with (like having a strong password), or don’t fit well with their business lifestyle (perhaps they travel frequently, entering different timezones, so having blackout times for accessing their website is inconvenient).
You have to assess the needs of your site, as well as your business and personal preferences to determine which security plugin, if any, is right for you.
But if your business depends on your website, this isn’t something you can really afford to ignore.
If you’re interested in exploring whether a security plugin is right for you, one of the most popular WordPress security plugins right now is Wordfence.
One of the neat features of this plugin is that it monitors IP addresses engaged in hacking activities. If it identifies a hacker for one site using Wordfence, it blocks that IP address for all sites using Wordfence. Therefore, your site benefits from increased protection as Wordfence “learns” from real-time experience.
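The first feature in the list above, limiting invalid login attempts, can be approximated from a web server access log. This is an added example, not code from Wordfence or any plugin. It assumes the combined log format, the default /wp-login.php endpoint, WordPress's default behaviour of answering a failed login with status 200 and a successful one with a 302 redirect, and a threshold, window and log lines that are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3               # assumed lockout threshold
WINDOW = timedelta(minutes=5)  # assumed counting window

# Matches only login form submissions in a combined-format access log line.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /wp-login\.php[^"]*" (?P<status>\d{3})')

def find_lockouts(log_lines):
    """Return {ip: time of the failure that reached MAX_FAILURES within WINDOW}."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failed logins
    locked = {}
    for line in log_lines:
        m = LINE.match(line)
        if not m or m["ip"] in locked:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        failures = recent[m["ip"]]
        if m["status"] != "200":
            # A redirect means the login succeeded: reset this IP's counter.
            failures.clear()
            continue
        failures.append(when)
        while when - failures[0] > WINDOW:
            failures.popleft()  # forget failures older than the window
        if len(failures) >= MAX_FAILURES:
            locked[m["ip"]] = when
    return locked

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2017:03:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2017:03:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [12/Mar/2017:03:10:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2017:03:10:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [12/Mar/2017:03:10:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2017:03:10:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [12/Mar/2017:03:10:50 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"{ip} reached {MAX_FAILURES} failed logins at {when:%H:%M:%S}")
```

The visitor who mistyped a password once and then logged in is not flagged; only the address with three failures inside the window is.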
Scan for Malware Periodically
Despite all your best efforts to block security issues, it’s still worthwhile to proactively scan for malware every once in a while.
Catching an issue early, before it brings your site down, will save you time and money and spare you lost revenue.
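A periodic check can look for exactly the kind of injected line described at the start of this post. The following is an added example, not part of any plugin mentioned here: it scans a page's HTML for spam terms in text and link targets and reports the line where each appears. The keyword list and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed keyword list for illustration; tune it for your own site.
SPAM_TERMS = re.compile(r"\b(viagra|cialis|payday loans?|casino)\b", re.I)

class SpamScanner(HTMLParser):
    """Records spam terms found in page text and in link targets."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, kind, snippet)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if SPAM_TERMS.search(href):
                self.findings.append((self.getpos()[0], "link", href))

    def handle_data(self, data):
        text = data.strip()
        if text and SPAM_TERMS.search(text):
            self.findings.append((self.getpos()[0], "text", text))

def scan_html(html):
    """Return a list of (line, kind, snippet) for every suspicious hit."""
    scanner = SpamScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: one injected line between the header and the menu.
SAMPLE_PAGE = """<html><body>
<header><h1>My Friend's Site</h1></header>
<div>Viagra professional scam</div>
<nav><a href="/about">About</a> <a href="/blog">Blog</a></nav>
<p>Welcome to the site.</p>
</body></html>"""

if __name__ == "__main__":
    for line, kind, snippet in scan_html(SAMPLE_PAGE):
        print(f"line {line}: suspicious {kind}: {snippet}")
```

Run it against the saved HTML of your own pages on a schedule; a hit on a page you did not write that way is a reason to run a full malware scan and restore from backup.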
Secure Your Peace of Mind
Even though these steps are fairly easy to take, I find that most of the clients I work with don’t have a plan in place to minimize the risk to their websites.
Yet, once a problem erupts, they need an immediate solution.
If you don’t have the technical expertise, experience or time to maintain the health of your website, find someone you trust who does. The peace of mind it will give you is invaluable, knowing that the hub of your business is protected.
Maintaining a website can be tedious and technical. But we’re here to help!
We offer routine maintenance packages that include:
- Taking a full site backup.
- Updating all of the software on the site.
- Running a malware check.
- Checking for broken links in your site.
If we find a problem, we report it to you along with suggested solutions and an estimate of what it will take to fix it.
Either way, you’ll have the peace of mind that comes with knowing that one of your most valuable business assets is being proactively taken care of. Fiddling with backups, updates, maintenance and security will be a thing of the past for you!
Why not spend your time on the things that really matter to you?