Website Security Breaches Happen – A Lot
A few months back someone told me about his friend whose website was stolen in a way. A hacker hijacked his domain name and turned it into a porn site. So, when someone tried to visit the friend’s website, the site visitors ended up on a porn site instead. Wow. That’s a lot of explaining to do.
Not too long after hearing that story, I began to notice a very sharp increase in website visits to my site. I knew it wasn’t normal. So, I downloaded a usage log, and it looked suspiciously like malicious bots trying to get into my site through any security holes they could find. Fortunately, I called my super duper hosting company, Flywheel, who verified my site was still safe and that no bots were able to get in. I went to sleep knowing Flywheel had set up a great sentry at the gate to keep my site safe.
However, when I built my first personal websites several years ago, I didn’t know enough about website security. I just kind of put blind faith into the Internet and the Universe, thinking a hack would never happen to me. I was lucky. Now, fortunately I know better and know I can take some simple steps to make my website a lot safer for me and my website visitors.
The Little Lock
Have you ever noticed a little lock next to the web address in your browser’s address bar? If not, you should. That lock is an important visual cue for website owners and website visitors alike.
Or maybe you’ve seen Chrome warn that the site you’re trying to visit is not secure. Sometimes Chrome won’t even load the page without making you click through a full-page warning! Chrome labels any site that isn’t using HTTPS as “Not secure”, and it shows the full-page warning when a site’s HTTPS certificate is invalid, expired or issued for a different domain.
A website using HTTPS has what is commonly called an SSL Certificate. (The protocol is actually TLS, Transport Layer Security, these days; SSL was its predecessor, but the old name stuck.) In layman’s terms, the certificate proves to the browser that it really is talking to your site’s server, and TLS encrypts everything that travels between the browser and that server so nobody in between can read or tamper with it. It protects data in transit; it does not fix a vulnerable plugin or a weak password. When a site presents a valid certificate that the browser can verify, the lock appears next to its name in the address bar.
You Need an SSL Certificate
I believe just about every website should have an SSL Certificate. First, no one should ever pay for services or send sensitive information through a site without one. Not only does HTTPS protect your visitors’ data, Google has also treated it as a ranking signal since 2014. So whether you’re asking for sensitive information or not, it’s best practice to get that certificate in place.
Luckily, it’s easy to get one. Your web host should offer free SSL certificates; many issue them from Let’s Encrypt and renew them automatically, so you never have to touch them. If your host doesn’t offer a free certificate, I’d consider looking for a different host! Seriously. It’s that important. Head on over to my Tools and Resources Page to find out which hosting services I recommend and use myself.
To learn how to install your SSL Certificate, you can watch this great video from Dave Foy at Design Web Build.
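Installing the certificate is only half the job: visitors who type or follow a plain http:// link still arrive unencrypted unless you send them to HTTPS. The must-use plugin below is an added example (not code from this post, from Flywheel or from the video above). It redirects front-end requests that arrive over HTTP and sends an HSTS header so browsers remember to use HTTPS. It assumes your site already works over HTTPS on its normal hostname, and that wp-config.php has `define( 'FORCE_SSL_ADMIN', true );` for the login and dashboard pages, which this hook does not cover.

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example, not from the original post)
 *
 * Save as wp-content/mu-plugins/force-https.php. Files in mu-plugins load
 * automatically and cannot be switched off from the dashboard, so a
 * compromised low-privilege account cannot simply deactivate it.
 *
 * Assumptions: the site already serves HTTPS correctly on its normal
 * hostname, and wp-config.php contains  define( 'FORCE_SSL_ADMIN', true );
 * which covers wp-login.php and /wp-admin/ (template_redirect does not
 * fire there). If your host terminates TLS at a proxy, is_ssl() can report
 * false for every request and this would loop; hosts normally set
 * $_SERVER['HTTPS'] from X-Forwarded-Proto for you, but test first.
 */

// Redirect any front-end request that arrived over plain HTTP.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }

    // Build the target from the configured home URL, not from the Host
    // header the client sent, so a forged Host header cannot steer the
    // redirect to a site you don't control.
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    $path = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';

    // wp_safe_redirect() additionally refuses hosts outside the site's
    // allowed list, a second guard against open-redirect mistakes.
    wp_safe_redirect( 'https://' . $host . $path, 301 );
    exit;
}, 1 );

// Once a visitor is on HTTPS, tell the browser to stay there for a year.
// HSTS is only honoured on HTTPS responses (browsers ignore it over HTTP).
// includeSubDomains is deliberately left out: add it only when every
// subdomain (mail., dev., ...) also serves valid HTTPS.
add_action( 'send_headers', function () {
    if ( is_ssl() && ! headers_sent() ) {
        header( 'Strict-Transport-Security: max-age=31536000' );
    }
} );
```

Check it with `curl -I http://yourdomain.com`: you should get a 301 to the https:// address, and the HTTPS response should carry the Strict-Transport-Security header. Start with a short max-age such as 300 while testing; once a browser has seen a long HSTS policy it will refuse plain HTTP for that whole period, even if you have broken HTTPS in the meantime.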
Get a Good Host
I know it’s easy to get tempted by cheap web hosting deals. But sometimes you get what you pay for. If you’re using a hosted solution like Weebly or Squarespace, make sure your host secures its servers and serves your site over HTTPS. If you’re self-hosting your site, or someone is managing your site for you, make sure you’ve selected a good quality host that understands WordPress.
Some hosts, like Flywheel, provide an extra layer of security to help sniff out those pesky bots and to prevent hacks by locking them out. Recently, Flywheel saved my bacon when the bots began their attack on my site. I won’t get all technical, but it’s kind of like having a sentry at the gate. If the person doesn’t know the password, they can’t come in.
Unfortunately, bots come back to your site over and over again wearing a different disguise (a new IP address). They keep trying to gain entry, hoping to catch the sentry asleep at the switch. That’s why your security needs to be top-notch. For me, hosts like Flywheel are worth the little bit of extra money to be able to sleep at night, knowing I’ve got a good sentry at the gate.
If you manage your own site, make sure you keep your plugins, themes and WordPress itself up to date. While most managed hosts will keep the main foundation, WordPress core, updated for you, they don’t update your themes or your plugins. It’s important to keep these updated too, because updates routinely patch security vulnerabilities, and attackers scan specifically for sites still running the old, vulnerable versions.
Also, keep regular website backups. Most of the time it’s not enough to rely on your host’s backups. Often, web hosts just back up your site on the same server where your site resides. If something goes wrong on their end with that server, you lose everything.
A good practice is to back up your site somewhere else. You can install backup plugins like UpDraft (what I use) or Backup Buddy that make it super easy to back up your site to your hard drive or to another cloud service like Dropbox or Google Drive.
Site backups are your insurance policy. If someone hacks into your site and breaks it, or if something else goes wrong, you can restore the site! Two caveats: restore from a backup taken before the break-in, not after, and treat the restored site as still vulnerable until you have updated whatever let the attacker in and changed every password, or you will simply be hacked again the same way.
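If you would rather not log in every week to click “Update”, WordPress can update plugins and themes on its own schedule. The must-use plugin below is an added example (not code from this post or from any host): it turns on automatic updates for all themes and for every plugin except a hold-back list, and writes each result to the PHP error log so failures don’t go unnoticed. The hold-back list is a hypothetical placeholder; it assumes WP-Cron is running on the site, which it is by default.

```php
<?php
/**
 * Plugin Name: Auto-update plugins and themes (added example, not from the original post)
 *
 * Save as wp-content/mu-plugins/auto-updates.php.
 * Assumptions: WP-Cron runs on this site (the default), and the entries in
 * $lt_pinned_plugins are hypothetical placeholders for anything you
 * deliberately hold back, e.g. a plugin whose next release you know breaks
 * your theme. Keep that list short: a pinned plugin is an unpatched plugin.
 */

// Plugins to hold back, as "directory/main-file.php" (hypothetical entries).
$lt_pinned_plugins = array(
    // 'example-plugin/example-plugin.php',
);

// WordPress passes $item->plugin, the "directory/main-file.php" identifier.
add_filter( 'auto_update_plugin', function ( $update, $item ) use ( $lt_pinned_plugins ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, $lt_pinned_plugins, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// No hold-back list for themes: update them all.
add_filter( 'auto_update_theme', '__return_true' );

// Log what was updated and, more importantly, what failed. WordPress also
// emails the site admin about plugin and theme auto-updates by default.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( array( 'core', 'plugin', 'theme' ) as $type ) {
        if ( empty( $results[ $type ] ) ) {
            continue;
        }
        foreach ( $results[ $type ] as $result ) {
            $name   = isset( $result->name ) ? $result->name : $type;
            $status = is_wp_error( $result->result )
                ? 'FAILED: ' . $result->result->get_error_message()
                : 'updated';
            error_log( sprintf( '[auto-update] %s "%s": %s', $type, $name, $status ) );
        }
    }
} );
```

Automatic updates don’t replace backups: the next paragraphs matter more, not less, once updates can happen while you sleep.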
There’s a Plugin For That
Just like for backups, you can use plugins to beef up your website’s security. For example, Wordfence adds a web application firewall to your site and limits repeated login attempts, which helps prevent brute force attacks like the attempt on my site a few months back. If your host doesn’t provide that kind of protection, get a plugin to do it for you. Also, monitor your site’s activity for anything unusual, starting with who is trying to log in, how often, and from where.
Anti-spam plugins are also great tools. Spammers will abuse your comment form to drop links to their questionable sites and to probe your site for weaknesses. Antispam Bee and Akismet both offer free solutions, and you can upgrade to premium for additional protection.
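To show what “limits repeated login attempts” actually means in code, here is an added example (not code from this post, from Wordfence or from Flywheel): a must-use plugin that counts failed logins per IP address in a WordPress transient, refuses further attempts from that address once a limit is reached, and logs every failure so you can see who is knocking. It assumes `$_SERVER['REMOTE_ADDR']` is the visitor’s real address; behind a reverse proxy or CDN it is the proxy’s address, and a limiter like this would lock everyone out at once. Managed hosts normally correct REMOTE_ADDR for you, but check before enabling it. The constant names and the 5-attempts-per-15-minutes policy are my choices, not anything the post prescribes.

```php
<?php
/**
 * Plugin Name: Login throttle (added example, not from the original post)
 *
 * Save as wp-content/mu-plugins/login-throttle.php.
 * After LT_MAX_FAILS failed logins from one IP within LT_WINDOW seconds,
 * every further attempt from that IP is refused, right password or not,
 * until the window expires. Each failure goes to the PHP error log.
 *
 * Assumption: $_SERVER['REMOTE_ADDR'] is the real client address. Behind
 * a reverse proxy or CDN it is the proxy's address and every visitor would
 * share one counter; confirm how your host sets it before enabling.
 */

const LT_MAX_FAILS = 5;                       // failures allowed per window
const LT_WINDOW    = 15 * MINUTE_IN_SECONDS;  // MINUTE_IN_SECONDS is a WordPress constant

function lt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Name of the transient holding this IP's failure counter.
function lt_key( $ip ) {
    return 'lt_fails_' . md5( $ip );
}

function lt_fail_count( $ip ) {
    return (int) get_transient( lt_key( $ip ) );
}

// Count every failed login against the client's IP and log it. A refused
// attempt during a lockout is also a failure, so hammering extends it.
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = lt_client_ip();
    $fails = lt_fail_count( $ip ) + 1;
    set_transient( lt_key( $ip ), $fails, LT_WINDOW );
    error_log( sprintf( '[login] failed attempt for "%s" from %s (%d/%d)',
        $username, $ip, $fails, LT_MAX_FAILS ) );
} );

// Refuse logins from a locked-out IP. Priority 100 runs after WordPress's
// own username/password and email checks (priority 20), so the lockout
// applies even when the password is right, and while locked out the
// attacker sees the same message whether or not the username exists.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username && '' === $password ) {
        return $user; // form just loaded, or cookie-based re-authentication
    }
    if ( lt_fail_count( lt_client_ip() ) >= LT_MAX_FAILS ) {
        return new WP_Error( 'lt_locked_out',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}, 100, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( lt_key( lt_client_ip() ) );
} );
```

Watch the error log after installing it: a handful of failures from one address followed by a quiet period is a bot that gave up; the same address failing again after exactly fifteen minutes is a bot that read your lockout timer. Either way, the log tells you which accounts are being targeted, which is the “see who’s trying to log in” part of the advice above.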
Get Your Theme Right
If you’ve got a self-hosted WordPress site, also make sure you’re using a well-coded theme. How do you know if a theme is solid? First, read the reviews. Second, make sure the theme is frequently updated. Third, find out which themes WordPress professionals use!
I researched a bunch of themes. Now, I rely on these themes for the websites I build: GeneratePress, OceanWP and any of the Genesis themes from StudioPress. Astra is also a wonderful theme you can’t go wrong with, although I don’t use it myself.
Again, if you’re looking for a collection of good tools to help with this, head on over to my resources page and download the list of tools I recommend.
Just like with any online service you log into, make sure you have a strong, unique password for your website dashboard! WordPress will even generate a secure password for you, or you can create your own. And while you’re at it, give yourself a username that’s different from your name. I’ve made this mistake, and it’s very hard to undo. You’ll give yourself an added layer of security if you disguise your username a bit so a bot can’t guess what it is. Bear in mind, though, that WordPress gives usernames away by default through author archive links and its REST API, so the disguise only holds if you also plug those leaks.
Hide the Entry Gate
Another neat little trick is to rename the login page of your WordPress website. Every WordPress site has its login page at the same address, /wp-login.php, so bots don’t even have to look for it. However, you can install a plugin, WPS Hide Login, that moves this page to an address unique to you. I installed this plugin shortly after the attack on my site, and now the bots don’t even know where the entrance to my site is located! Super brilliant.
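Moving the login page only helps if the rest of WordPress isn’t handing out what the bots need. By default /?author=1 redirects to /author/<username>/, and /wp-json/wp/v2/users lists every user who has published a post, which gives away the username you just disguised; and xmlrpc.php keeps accepting password guesses no matter where wp-login.php has been moved to. The must-use plugin below is an added example (not code from this post or from WPS Hide Login) that closes those three gaps. It assumes nothing on the site depends on XML-RPC (Jetpack and the WordPress mobile apps do) and that anonymous visitors don’t need the REST user list (logged-in editors keep it).

```php
<?php
/**
 * Plugin Name: Stop username leaks (added example, not from the original post)
 *
 * Save as wp-content/mu-plugins/stop-username-leaks.php.
 * Assumptions: nothing on the site uses XML-RPC (Jetpack and the WordPress
 * mobile apps do), and anonymous visitors don't need the REST user list
 * (the block editor runs as a logged-in user and is unaffected).
 */

// /?author=1, /?author=2, ... normally 301s to /author/<nicename>/ through
// redirect_canonical() at template_redirect priority 10. Run earlier and
// send anonymous probers to the home page instead.
add_action( 'template_redirect', function () {
    if ( ! is_user_logged_in() && isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// /wp-json/wp/v2/users lists users with published posts, including their
// slug, which by default is identical to the login name. Remove the routes
// for anonymous requests only; requests carrying a valid nonce or cookie
// session still see them.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// Hiding wp-login.php does nothing for xmlrpc.php, which still accepts
// wp.getUsersBlogs calls with a username and password, and system.multicall
// lets one request carry hundreds of guesses. Returning false here disables
// every XML-RPC method that requires authentication.
add_filter( 'xmlrpc_enabled', '__return_false' );

// WordPress also advertises the endpoint in an X-Pingback response header
// (themes may print a <link rel="pingback"> tag as well); stop announcing it.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

One leak this cannot close in code: the pretty author archive URL itself, /author/<nicename>/, where the nicename equals the login name unless you change it. WordPress doesn’t expose the nicename in the profile screen; the usual fix is WP-CLI, `wp user update <id> --user_nicename=<something-else>`, after which the archive URL no longer spells out the username.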
Is Your Website Secure?
Whew! We made it through the list. While it may take some time to implement all of these security practices, none of the steps are difficult. I believe your time will be well spent.
Of course, no one wants their site to be hacked, but we also tend to believe our own sites are safe. Make sure you protect your investment in your website and keep it safe.
If you’d like some help getting started, you can have someone like me take care of it for you and then set you up with a simple monthly maintenance plan to keep things up to date.
Use the form below to request information about how I can help!