Top 4 Website Security Tips

Site security is something that’s often overlooked or just taken for granted. An alarming number of businesses have websites that are vulnerable to simple attacks, and their owners are completely unaware. (Is yours one of them?)

Hackers can quickly take control of an unsecured website and use it for whatever purpose they desire (spam posting, information theft, or disabling the site). Usually there is no warning before it happens and recovering can be a frustrating and costly process. Fortunately, you can ‘harden’ your website with these tips to protect yourself and your brand.

Keep reading to see our 4 tips to better website security.

We Got Hacked (Never Again)

The Christmas Eve security breach of 2017: Hackers compromised one of our websites (via a malicious SQL Injection) for the purpose of posting their own spam links. The error was leaving a website on this account dormant. Plugins weren’t being updated to the most secure versions.

Easy mistakes can wipe out your entire site if you aren’t prepared. This experience led to the creation of our current security protocol: a set of rules and best practices, protections and safeguards. We identified 4 areas that deserve attention and further research.

Lock Down Your Website

1. Passwords

The first line of defense is unique and secure passwords. It’s important to have a unique password for each account that isn’t being used anywhere else. Beyond being unique, it has to be secure, using numbers and special characters. For example, a good password would be ‘v4H!cY73#’; a bad password would be ‘HouseBuilder55’. By nature, good passwords are hard to remember and store safely. This is where a password manager can be extremely helpful – I recommend LastPass.

The username you use to log in can act as a second password. This adds another layer of difficulty for anyone attempting to break in. Not only do they need to know your difficult password to get in, but they need your difficult username too. To make sure you still have a normal public-facing username for your website, create a nickname for that user and set it as the display name (in WordPress).

A common way that passwords are breached is by a brute force attack, where hackers use a program to test thousands of different passwords in an attempt to guess correctly. Prevent this by installing a plugin such as Loginizer, which limits login attempts to only 10 before a timed lockout.
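To make the lockout concrete, here is an added example (not code from the article or from the Loginizer plugin) of the counting-and-lockout logic in Python: after ten failed attempts from one client, further logins are refused without even checking the password until the lockout window passes. The 15-minute window, the client address and the fake clock are assumptions made for this example.

```python
import hmac
import time

MAX_ATTEMPTS = 10          # cap named in the article (the Loginizer setting)
LOCKOUT_SECONDS = 15 * 60  # assumed lockout length, constructed for this example

class LoginGuard:
    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_attempts, self.lockout_seconds = max_attempts, lockout_seconds
        self.clock = clock        # injectable so the timer can be tested without sleeping
        self._failures = {}       # key (e.g. source IP) -> consecutive failed attempts
        self._locked_until = {}   # key -> time at which the lockout expires

    def _reset(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)

    def is_locked(self, key):
        until = self._locked_until.get(key, 0.0)
        if until and self.clock() >= until:   # lockout expired: forget the old failures
            self._reset(key)
        return self.clock() < until

    def attempt(self, key, password, verify):
        """Returns 'locked', 'ok' or 'failed'; the password is not even checked while locked."""
        if self.is_locked(key):
            return "locked"
        if verify(password):
            self._reset(key)      # a successful login clears the counter
            return "ok"
        self._failures[key] = self._failures.get(key, 0) + 1
        if self._failures[key] >= self.max_attempts:
            self._locked_until[key] = self.clock() + self.lockout_seconds
            return "locked"
        return "failed"

def verify_password(candidate):
    # Constructed check against the article's sample password; a real site compares salted hashes.
    return hmac.compare_digest(candidate, "v4H!cY73#")

def demo():
    now = [0.0]                                   # mutable fake clock
    guard = LoginGuard(clock=lambda: now[0])
    client = "203.0.113.7"                        # constructed documentation-range address
    guesses = [guard.attempt(client, "guess%d" % i, verify_password) for i in range(11)]
    during = guard.attempt(client, "v4H!cY73#", verify_password)  # right password, still locked out
    now[0] += LOCKOUT_SECONDS                     # fast-forward past the lockout
    after = guard.attempt(client, "v4H!cY73#", verify_password)
    return guesses, during, after
```

In a real deployment the key would be the client address or the username, and the counters would live in the database or a cache so they survive across requests and web workers.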

There are a few measures you can take to secure your user accounts beyond maintaining high quality passwords and usernames. Using the premium version of the Loginizer plugin, you can:

  • Set up Two Factor Authentication
  • Add a Login Challenge Question
  • Rename the Login Page URL

2. Software Updates

WordPress (or whatever CMS you’re using) is software that’s installed on your server. Periodic updates are released to improve functionality and security, and they should be applied as quickly as possible. In addition to the CMS (content management system) itself, all plugins and themes running on your installation should also be updated frequently. I recommend a weekly update schedule.

As hackers become aware of known vulnerabilities, they seek out sites on which to exploit them. You can avoid these issues simply by going through and updating your CMS, theme, and all plugins.

3. Website Firewall

Acting as a barrier between your website and the internet, a website firewall can stop most dangerous activity in its tracks. Simply put, it’s a type of software that inspects incoming information to your server and blocks anything that looks suspicious.

Firewalls are a great way to prevent malicious code injections that are designed to hijack your site. They can also be used to identify the origin of attempted hacks, which allows you to block that geographical area from accessing your site. Set up your firewall software to do a routine scan of your site to sniff out anything that may be lurking or lying dormant on your server.

Wordfence Security is a great firewall plugin for WordPress that’s easy to use. Another benefit of Wordfence is that they will notify you if you have software updates pending, making it harder to forget about the important task of staying updated. Just keep in mind that firewalls can use a lot of server resources, which can be an issue if you’re on shared hosting.

There are two settings changes that minimize the load Wordfence puts on your server (which is important for the shared hosting that most websites are on). First, under ‘Live Traffic Options’ set the ‘Traffic Logging Mode’ to ‘Security Only’. Second, under ‘Performance Options’ make sure to select ‘Use Low Resource Scanning’.

In the unlikely event that something gets past your security measures, it’s helpful to have a plan for recovery. If your hosting account has been infected by malware, you will need to have it professionally removed. We have used a company called Sucuri to clean malware before, and they work quite well. They also provide the option of a server-side scanner that monitors for any malicious activity.

Wordfence WordPress Firewall Plugin

4. Remote Backups

Scheduling routine, off-site backups of your site provides a contingency plan for when unexpected events occur. This is the equivalent of keeping all of your valuables in a safe that will remain even if the house burns down. Maintaining off-site backups gives you the option to start over with a recent, complete version of your site.

We use UpdraftPlus to create our WordPress site backups. Creating a weekly scheduled backup of all your site’s files is an excellent habit to start. Just make sure that you choose and connect a remote storage location (e.g. Google Drive, Dropbox, etc.).

Sending and storing the files on a different server (your remote storage) ensures that if your site is hacked and taken over, the attackers can’t tamper with your precious backup files.

Updraft Plus WordPress Backup Plugin

Final Takeaway

Following our list of best practices will help you ‘harden’ your brand’s website against attackers. These are crucial steps to prevent a major disruption to your business and the loss of your customers’ trust.

Website security is a lot like home security. You can improve your defenses, but nothing is ever truly impenetrable. Increasing your security will make hackers move along to find themselves an easier target.

If you have been a target in the past or have highly sensitive data, there are other layers of security that go above and beyond what was discussed above. Please contact us to find out more about protecting your brand.

Security Checklist

  • Unique/Secure Passwords for Each Account

  • Update CMS, Themes, and Plugins

  • Install a Trusted Website Firewall

  • Schedule Regular Offsite Backups