The first line of defense is unique and secure passwords. It’s important to have a unique password for each account, one that isn’t used anywhere else. Beyond being unique, it has to be secure: use numbers and special characters. For example, a good password would be ‘v4H!cY73#’ and a bad password would be ‘HouseBuilder55’. By nature, good passwords are hard to remember and store safely. This is where a password manager can be extremely helpful – I recommend LastPass.
The username you use to log in can act as a second password. This adds another layer of difficulty for anyone attempting to break in: not only do they need to know your hard-to-guess password, they need your hard-to-guess username too. To keep a normal public-facing name for your website, create a nickname for that user and use it as the default public name (in WordPress).
A common way that passwords are breached is a brute force attack, where hackers use a program to test thousands of different passwords in an attempt to guess correctly. Prevent this by installing a plugin such as Loginizer, which limits login attempts to 10 before a timed lockout.
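To show what a lockout plugin like Loginizer is doing under the hood, here is a small WordPress snippet written for this article (it is an added illustration, not Loginizer’s code and not part of the original post). It counts failures per client address with WordPress transients and refuses authentication once the article’s limit of 10 is reached; the ell_ prefix, the 15-minute lockout length and the log line are assumptions.

```php
<?php
/*
Plugin Name: Example Login Lockout (illustration for this article)
*/
// Constructed example, not Loginizer's code. All ell_* names are hypothetical.

const ELL_MAX_ATTEMPTS    = 10;  // failed attempts before lockout (as in the article)
const ELL_LOCKOUT_SECONDS = 900; // 15 minutes; assumed value

// Build a transient key from the client address. Assumes REMOTE_ADDR is the
// real client; behind a proxy or CDN you would need the forwarded address.
function ell_key( string $prefix ): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return $prefix . md5( $ip );
}

// Count every failed login for this address and lock it after ELL_MAX_ATTEMPTS.
// Failures during an active lock also count, so the lock is extended while
// the attempts continue.
function ell_record_failure( string $username ): void {
    $count_key = ell_key( 'ell_fail_' );
    $count     = (int) get_transient( $count_key ) + 1;
    set_transient( $count_key, $count, ELL_LOCKOUT_SECONDS );
    if ( $count >= ELL_MAX_ATTEMPTS ) {
        set_transient( ell_key( 'ell_lock_' ), time(), ELL_LOCKOUT_SECONDS );
        // Leave a trace for the server log so lockouts can be reviewed later.
        error_log( sprintf( 'Login lockout for %s after %d failed attempts',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $count ) );
    }
}
add_action( 'wp_login_failed', 'ell_record_failure' );

// Refuse authentication while the lock is active. Priority 30 runs after the
// core username/password check (priority 20), so the lock overrides a correct
// password as well as a wrong one.
function ell_check_lock( $user, string $username, string $password ) {
    if ( get_transient( ell_key( 'ell_lock_' ) ) ) {
        return new WP_Error( 'ell_locked',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'ell_check_lock', 30, 3 );

// Reset the counters for this address after a successful login.
function ell_clear( string $user_login ): void {
    delete_transient( ell_key( 'ell_fail_' ) );
    delete_transient( ell_key( 'ell_lock_' ) );
}
add_action( 'wp_login', 'ell_clear' );
```

Drop the file into wp-content/plugins/ and activate it; on a shared host the transient counters live in the options table, so a real plugin should also expire them cleanly.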
WordPress (or whatever CMS you’re using) is software installed on your server. Periodic updates become available to improve functionality and security, and they should be applied as quickly as possible. In addition to the CMS (content management system) itself, all plugins and themes running on your installation should also be updated frequently. I recommend a weekly update schedule.
As hackers become aware of known vulnerabilities, they seek out sites on which to exploit them. You can avoid these issues simply by keeping your CMS, theme, and all plugins updated.
Acting as a barrier between your website and the internet, a website firewall can stop most dangerous activity in its tracks. Simply put, it’s software that inspects the traffic coming in to your server and blocks anything that looks suspicious.
Firewalls are a great way to prevent malicious code injections designed to hijack your site. They can also be used to identify the origin of attempted hacks, which lets you block that geographical area from accessing your site. Set up your firewall software to run a routine scan of your site to sniff out anything that may be lurking or lying dormant on your server.
Wordfence Security is a great firewall plugin for WordPress that’s easy to use. Another benefit of Wordfence is that they will notify you if you have software updates pending, making it harder to forget about the important task of staying updated. Just keep in mind that firewalls can use a lot of server resources, which can be an issue if you’re on shared hosting.
There are two settings changes that minimize the load Wordfence puts on your server (important for the shared hosting most websites are on). First, under ‘Live Traffic Options’, set ‘Traffic Logging Mode’ to ‘Security Only’. Second, under ‘Performance Options’, make sure to select ‘Use Low Resource Scanning’.
Scheduling routine, off-site backups of your site provides a contingency plan for when unexpected events occur. This is the equivalent of keeping all of your valuables in a safe that will remain even if the house burns down. Maintaining off-site backups gives you the option to start over with a recent, complete version of your site.
We use UpdraftPlus to create our WordPress site backups. Creating a weekly scheduled backup of all your site’s files is an excellent habit to start. Just make sure that you choose and connect to your remote storage (e.g. Google Drive, Dropbox, etc.).
Sending and storing the files on a different server (your remote storage) ensures that if your site is hacked and taken over, the attackers can’t tamper with your precious backup files.