If you follow my recommendations, you will dramatically reduce the chances of your website getting hacked. IT security is not rocket science. In 20 years of working in IT and being responsible for all the IT assets of private companies, government agencies and educational institutions, I’ve never had one of my networks penetrated, though I did have a DDoS attack back in 2001. 🙂
Keeping your website up, secure and running optimally takes some know-how, time and money. WordPress security is about limiting your risks and having fallback plans in place in case things go sideways. If you plan for being hacked, then when it happens you will limit the damage that hack can do.
No one can guarantee your site will never get hacked. If someone makes that claim, walk away. Every moment of every day, a website somewhere is being hacked. Software evolves in part to keep up with hackers, who search for and find vulnerabilities in your software.
They use these vulnerabilities to hack your site. Once your site is hacked, they can do any number of things with it, from running botnets to deploying ransomware or keyloggers. In the last week, three of my friends have had their sites hacked, and since I know a fair bit about internet security, I decided to write this post to help folks out.
Most sites get hacked for two reasons:
1. Poor security: simple passwords, self-hosted servers with inadequate security, or web hosts with inadequate security.
2. Lack of maintenance: your CMS (Content Management System) has to be updated on a regular basis, and so do all of the plugins on your site. WordPress lets you do this automatically, which is better than not updating at all, but some plugins are buggy and updating them without testing could bring your site down.
The next biggest threat to your website is not having a good backup strategy. If you don’t have good backups that you can easily access and restore, you are hosed if your site gets hacked. Restoring a site from a backup is far easier than repairing a hacked site.
Anyone who is willing to put in the time and effort to develop the skills needed to limit the risk of their site getting hacked can keep their site safe and restorable. But it’s not 5 minutes a week. And if you are doing it on your own and something goes sideways, let’s hope you have a great IT team in your back pocket!
If you are relying on your website to generate revenue and your site is at the heart of your business, consider paying a professional to do the work for you, so you can focus on your customers, team members, and partners.
When you build a house, you start with the foundation. It’s the same with a website. Your web host is part of your foundation. A great web host is going to have extensive systems in place to keep the bad guys away from your site, as well as a backup system in case the worst happens. We are an Agency Partner of WP Engine, and we wholeheartedly recommend them (and we’ll get a commission if you sign up with our link). We use them because they kick ass for the majority of use cases. We only support sites on WP Engine.
Step one, passwords. Ensure you have complex passwords. I use passwords that are 20 characters long and contain uppercase, lowercase, numbers and symbols. For everything. I use a team password manager, LastPass, to remember them all and share them as needed.
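To make the password rule concrete, here is an added example (my own illustration, not code from LastPass or WordPress) that generates passwords meeting the policy above and checks any given password against it. The 20-character minimum matches the text; the symbol set is an assumption.

```python
"""Generate and check passwords against the policy above: at least 20
characters with uppercase, lowercase, digits and symbols.

Added example, not code from LastPass or WordPress. The symbol set and
the 20-character minimum are assumptions matching the rule in the text.
"""
import math
import secrets
import string

MIN_LENGTH = 20
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"   # assumed symbol set
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)


def missing_classes(password):
    """Names of the character classes a password lacks (empty list = all present)."""
    names = ("uppercase", "lowercase", "digit", "symbol")
    return [n for n, cls in zip(names, CLASSES) if not any(c in cls for c in password)]


def meets_policy(password):
    """True only when both the length and every character-class requirement hold."""
    return len(password) >= MIN_LENGTH and not missing_classes(password)


def entropy_bits(password):
    """Entropy assuming the password was drawn uniformly from ALPHABET.
    Says nothing about human-chosen passwords, which are far weaker."""
    return len(password) * math.log2(len(ALPHABET))


def generate_password(length=MIN_LENGTH):
    """Draw one character from each class (so the policy always holds),
    fill the rest from the whole alphabet, then shuffle. Everything uses
    the secrets module rather than random, so the output is not predictable."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed
    # characters do not always sit in the first four positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), round(entropy_bits(pw), 1), "bits")
```

Store the generated value straight into the password manager; the point of the generator is that nobody, including you, ever needs to remember or type it.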
Step two, your web host. Evaluate your web host. Some people host their sites on a friend’s server in a closet someplace, on one of the many cloud server providers, on shared or dedicated hosting providers, or perhaps in the company data center. If you are self-hosting or your web host has crap security, use a plugin like Sucuri to help keep your site safe.
Google your web host and look for reviews on security. Do they have multiple layers of security set up, including software that scans your sites looking for hacks and then fixes them before you even notice? Do they perform regular backups? How is their support? Look at ratings for these things, and if you are not impressed with what you find, do what I do: host your site on a premium web host like WP Engine and you’ll be 80% done with keeping your site safe.
Step three, backups. Ideally, you’d have backups in at least two different physical locations, three if you are really paranoid or are running a 7-figure or better site. For most people, backups in two different clouds that are in two different geographic areas is just fine. The reason you need two separate geographic locations is that if the datacenter where your backup is stored goes down, you cannot restore. War, terrorism, and natural disasters happen, and if your backups are a few hundred miles apart and something blows up, you can still restore.
Even if you signed up with WP Engine, which does nightly automated backups, you need a second backup going to keep you safe from disaster. I’m a fan of UpdraftPlus. It will back up to any number of cloud services; just pick one in a different part of the country from where your hosting provider is. Make test restores part of your backup plan: if the restore doesn’t work, the backup is of no value. Another feature of WP Engine is a sandbox you can restore your site to, which you can use for testing before you push new features to your site. If you have a 7-figure site, you’ll want to test all your updates in the sandbox first to ensure your site has minimal downtime.
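The backup rules above (two separate locations, and a restore test that actually proves the backup works) fit in a short script. This is an added example of mine, not code from UpdraftPlus or WP Engine: the site tree, the two "cloud" destinations and the restore sandbox are constructed local temp directories standing in for real storage, and the archive name is an assumption.

```python
"""Back up a site directory, copy the archive to two separate locations,
and prove each copy restores cleanly into a sandbox.

Added example, not code from UpdraftPlus or WP Engine. The site content,
the two "cloud" destinations and the restore sandbox are constructed local
temp directories standing in for real storage.
"""
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path

ARCHIVE_NAME = "site-backup.tar.gz"   # assumed name


def sha256_of(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks so big archives are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory):
    """Map every file under directory (relative path -> sha256) so two
    trees can be compared file by file."""
    directory = Path(directory)
    return {
        str(p.relative_to(directory)): sha256_of(p)
        for p in sorted(directory.rglob("*"))
        if p.is_file()
    }


def make_backup(site_dir, dest_dirs):
    """Archive site_dir once and copy the archive to every destination.
    Each copy is hashed against the original so a truncated or corrupted
    upload is caught immediately. Returns the list of copy paths."""
    copies = []
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / ARCHIVE_NAME
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(str(site_dir), arcname="site")
        expected = sha256_of(archive)
        for dest in dest_dirs:
            dest = Path(dest)
            dest.mkdir(parents=True, exist_ok=True)
            target = dest / ARCHIVE_NAME
            shutil.copy2(archive, target)
            if sha256_of(target) != expected:
                raise RuntimeError("backup copy at %s does not match source" % target)
            copies.append(target)
    return copies


def verify_restore(archive, live_site):
    """Restore archive into a throwaway sandbox and compare it against the
    live site file by file. True only if every file matches."""
    with tempfile.TemporaryDirectory() as sandbox:
        with tarfile.open(archive, "r:gz") as tar:
            # Newer Pythons offer the 'data' filter, which rejects archive
            # members that would escape the sandbox; use it when present.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(sandbox, **extra)
        return snapshot(Path(sandbox) / "site") == snapshot(live_site)


def run_demo():
    """Build a constructed stand-in WordPress tree, back it up to two
    'regions', verify both copies restore, then show that a file written
    after the backup makes the restore test fail (a stale backup)."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        site = root / "public_html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed sample config\n")
        (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed bytes")
        east, west = root / "cloud-east", root / "cloud-west"   # two regions
        copies = make_backup(site, [east, west])
        both_restore = all(verify_restore(c, site) for c in copies)
        (site / "new-post.txt").write_text("written after the backup ran\n")
        drift_detected = not verify_restore(copies[0], site)
        return len(copies) == 2 and both_restore and drift_detected


if __name__ == "__main__":
    print("backup plan verified:", run_demo())
```

In real use the two destinations would be buckets in different regions and the sandbox would be the staging copy of the site; the comparison step is the part most people skip, and it is the only thing that turns "we have backups" into "we can restore". The same backup-then-verify step is what you want before the weekly updates in step four.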
Step four, maintenance. If you are going to do this yourself, schedule it on your calendar at least every week. Update your CMS and all your plugins. Just to be safe, do a backup first; that way, if you run into an issue with the upgrade, you can get back to where you were with little time or effort. Leaving automatic updates on is risky, but if you’re not going to be vigilant about updating your site, it’s better to leave it on and take your chances.
You can’t just build a site and set it on autopilot: if you don’t give your website some regular love, someone else is going to give it some hate. Be brutally honest with yourself: do you have the time and inclination to do what it takes to keep your site safe? If not, then shell out the bucks to keep your site and your business going. Do be thorough in evaluating hosting providers.
Stop what you’re doing, go evaluate your web host and do the other things I suggest above and take action. Right now!
At WoW, we love your website. Our team of internet geeks knows what to do to minimize your risk and bring you back from hackdom. We are the folks you need to keep the heart of your business pumping away.