After reading about this past month’s SQL vulnerabilities on many WordPress websites, I thought it was worth the write up for a quick security check piece. Though there are many expensive cyber security services out there to choose from (such as SiteLock), here are some quick and painless steps you can do right now – for free!
A friend of mine (now client), who is an entrepreneur as well, had THREE of her websites go down in the same weekend. Trying to reach out to her old web developer, he was AWOL. Coming to me for help, I told her it was going to be an easy fix. I assumed it was just some simple plug-in malfunction or poorly written line of code. Boy was I wrong.
After I scanned the website for malware, it turned out her sites got hacked. All three were under the same host, and she had gotten a Trojan on her main computer that somehow got the login info for her sites then shipped that off to who knows where. Now, what could she have done to prevent this?
Let’s see in this simple website security check.
1. Is your website backed up?
This is the most common mistake I see. Many people simply do not have a backup copy of their website. It’s a quick and simple backup mechanism against both outside threats as well as our own mistakes.
I recommend always having a current (less than 2 months) backup on a handy flash drive as well as a copy in a separate cloud server such as Google Drive, iCloud, OneDrive, Dropbox. Your hosting provider will often have their own backup service as well. I recommend both if possible.
If you don’t want or know how to manually backup your website, I would recommend one of these two programs:
2. Login Security
The main way to stop hazardous hackers and spammers it to lock the front door securely. This means optimizing your password, locking out password bots, and additional log in features.
I hear from too many people that are using poor passwords. Your password needs to be:
- Length – Aim for 10 or more characters. The longer the better.
- Mix of Letters and Symbols – Remember to use uppercase letters numbers and symbols (^*$) when creating a password
- Unique – don’t use this password anywhere else!
Once you have a solid password, you can add on more security:
- Limit login attempts -Either through a WP plugin or your website host
- Delete the default username “admin” – replace it with something else so that hackers (especially automated bots) will have a harder time getting in
- 2-factor Authentication – attach an authenticator that will either text or email you asking for confirmation when a new log in occurs. I recommend the Google Authenticator plugin. Here’s a great write up on how to set up a 2-factor authenticator.
3. Protect Your Local Computer
If you don’t have proper virus protection and malware removal, you could be in danger. It won’t matter how strong your password is or how great your website’s malware scanner is if a key-logger is tracing your every move hidden deep on your hard drive. Have virus protection installed on ALL of your computers, and run regularly.
First off, Macs CAN get viruses. I don’t know who started this rumor, but it simply isn’t true. I recommend using BitDefender as a great virus protection and Malware removal tool for Mac. The free version is great, and if you prefer you can upgrade to the premium paid subscription.
You’re in luck! The current easiest and best defense for the single user comes with a legal and up to date version of windows: Windows Defender. This will work better than almost all other systems for the solo computer. If you are working through a large business or company, I recommend you talk to your IT staff, for they will have a broader range of options when it comes to defense.
4. Keep WordPress Up to Date
Always try to keep your WordPress website, plugins, and users up to date.
For optimal site security:
- Remove old user accounts
- Make sure WordPress is up to date – This means the actual WordPress software, as well as any plugins on the site.
- Update your password every time you change team members or loose an employee
- Make sure you’re website is current and has an SSL Website Security Certificate, especially if you have any e-commerce or personal user data stored on the website.
To read more about how to make your website secure, WPBeginner has a great article here.
All of this article is my opinion and opinion only. Please consult with a professional before deciding what the correct level of security is for you and your team.