How to secure your website from hackers?
Is a WordPress website safe or not?
What are the top things to do for WordPress security?
- Have the site run on HTTPS
- Use WordFence security plugin
- Use a paid Security service (optional)
- Host the site with a good company
- Keep everything in your site updated
- Have a backup of the site
HTTPS vs HTTP
We don’t need to go into the details on this, as there are tons of articles about the intricacies of how each works, but all you need to know is that the ‘S’ in ‘HTTPS’ stands for secure. It means that when your browser requests a website, the conversation it has with the server (where the site is hosted) is encrypted, so only your browser and the site’s server know what is being passed back and forth. This is a must-have: most people expect to see the padlock symbol when they visit a webpage, and it is so simple to do that it says a lot about a company that doesn’t bother to configure their site for HTTPS. Most hosts offer an SSL certificate for free, and on some hosts it can be set up in a matter of clicks. Bonus: having the site on HTTPS is good for SEO, so for the little effort required to set it up the benefits make it a no-brainer.
What is the best plugin for website security?
WordFence! Why? It is free and it is great: it has over 3 million active installations and a rating of 4.8/5, so they are doing something right. It runs scans looking for malicious scripts and highlights them so you can act on them before they do damage. It is very easy to set up and is one of the essential plugins I install on every site I work on.
Use a paid website security service
I don’t do this with every site, as sites for small businesses usually hold no important information and paying for a service isn’t justified. We do it for sites dealing with more sensitive information, like eCommerce websites, although I should note that WordPress sites running WooCommerce don’t store any of the payment info on the site; that is all handled by the payment gateways (Stripe and PayPal, for example). For one client who has his site hosted on GoDaddy (I do not recommend them at all as a host) they quoted him $250/year for one site. This is really expensive and there are other companies that are much cheaper; we ended up going with WebARXsecurity for $150/year.
Host the site with a good company
All hosting companies are not created equal. Where you host your site can be a factor in keeping it secure. Most hosts are good nowadays, but one thing to check is which PHP version the site is running on. Some hosts do not update it automatically unless you specify that you want it updated, and it is important to keep it on the latest version; depending on the host you will be able to do it yourself or you will need them to do it.
If you log into your WordPress dashboard and see a notification that your site is running an outdated version of PHP, get in touch with your host to update it.
Keep everything in your site updated
This is very easy but requires regular action: updating the plugins, the site theme and WordPress itself whenever updates roll out. It takes just a few clicks but should be done at least once a month.
Why is keeping your site up to date important?
This is probably the most common way sites get hacked: attackers find vulnerabilities in plugins and exploit them to get into your site’s files. When plugin and theme authors learn about a problem they release a patch to fix it, which usually means it is fixed long before a bad guy ever gets around to your site. Of all the advice around securing your site this is the most important; it is extremely easy but is required every 2-4 weeks.
Two side notes related to this:
- Remove any plugins you don’t actually use on the site, or consolidate plugins that do the same thing. Many site owners have had several people work on their site over the years, and each of them added plugins to achieve whatever new feature was requested (often using a plugin even when it was not necessary, usually because they were not good at their jobs). Some sites I see have so many plugins running that I wonder how they keep the site working properly; often these are unnecessary, with multiple form plugins or multiple code injectors just adding extra bloat to the site and increasing the possibility that it can be exploited.
- Go to Users in your admin and delete anyone who is not an active user of the site’s backend. Having a lot of people with access to the site admin is a risk you shouldn’t take with your site. Keep only the essential people in there, and if you bring someone new in to help with something, delete their profile once their job is done.
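The checks from the two sections above (PHP version, pending core, plugin and theme updates, unused plugins, administrator accounts) collected into one WP-CLI command, as an added example rather than the article’s or any plugin’s code. It assumes WP-CLI is installed and the file sits in wp-content/mu-plugins/; the command name site-audit and the example_site_audit function are made-up names.

```php
<?php
/**
 * Plugin Name: Example site audit command
 * Added example (not the article's code). Place in wp-content/mu-plugins/ and run: wp site-audit
 * Reports the things the article says to keep current or remove.
 */
if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    return; // only meaningful from the command line
}

function example_site_audit(): void {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/update.php';
    wp_version_check();   // refresh core, plugin and theme update data from wordpress.org
    wp_update_plugins();
    wp_update_themes();

    // PHP branch: the host controls this; old branches receive no security fixes.
    WP_CLI::log( 'PHP version: ' . PHP_VERSION );

    foreach ( (array) get_core_updates() as $core ) {
        if ( 'upgrade' === $core->response ) {
            WP_CLI::warning( 'WordPress core update available: ' . $core->current );
        }
    }

    $updates = get_plugin_updates();                            // keyed by plugin file
    $active  = (array) get_option( 'active_plugins', array() );
    foreach ( get_plugins() as $file => $data ) {
        if ( isset( $updates[ $file ] ) ) {
            WP_CLI::warning( sprintf( 'Plugin update: %s %s -> %s', $data['Name'],
                $data['Version'], $updates[ $file ]->update->new_version ) );
        }
        if ( ! in_array( $file, $active, true ) ) {
            WP_CLI::warning( sprintf( 'Inactive plugin still installed (delete it): %s', $data['Name'] ) );
        }
    }

    foreach ( get_theme_updates() as $slug => $theme ) {
        WP_CLI::warning( sprintf( 'Theme update: %s -> %s', $slug, $theme->update['new_version'] ) );
    }

    // Every administrator account is a way in; keep only the people who still need it.
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        WP_CLI::log( sprintf( 'Administrator: %s <%s>', $user->user_login, $user->user_email ) );
    }
    if ( username_exists( 'admin' ) ) {
        WP_CLI::warning( 'An account named "admin" exists; rename it.' );
    }
}
WP_CLI::add_command( 'site-audit', 'example_site_audit' );
```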
Have a backup of the site
It is always good to keep backups of your site in case it gets hacked. I have my sites hosted with SiteGround, which runs a daily backup of the sites for free and lets me restore any version within a few clicks, which is great peace of mind.
If you use a paid security plugin as mentioned earlier, some of these have backups as a feature that can look after it for you, or you can pay for a backup service such as UpdraftPlus.
What are good ways to make WordPress more secure?
– Change the default username so it is not ‘admin’
If someone is trying to crack your site, at least don’t have the username set to ‘admin’, as that would give them one of the two fields they need to get right for free.
– Move the admin login page
All WordPress admin login pages sit on the path /wp-admin/, so you can help hide that page by moving it to something random. There are plugins to do this, or you can follow a tutorial; it is straightforward but does require changing some code in the WordPress theme files.
– Limit login attempts
This is a good idea, as it will block someone from seeing the login page after they enter the wrong details X number of times (whatever amount you specify). There are specific plugins for this, or if you have a paid security plugin this is most likely built into the package.
– Two-factor authentication
Again another good idea, and this is free in WordFence. You have an app on your phone which you need to use each time you log into the site. This stops hackers from forcing their way through the login but does not help with vulnerabilities on your site, such as out-of-date plugins.
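The login-attempt limit described above, written as a small must-use plugin so you can see what such a plugin actually does. This is an added example, not code from the article or from any plugin it names; the threshold and window constants, the example_ll_ names and the per-IP transient scheme are all assumptions.

```php
<?php
/**
 * Plugin Name: Example login attempt limiter
 * Added example (not the article's code): drop into wp-content/mu-plugins/.
 * Locks a client IP out of the login after too many failures within a window.
 */
define( 'EXAMPLE_LL_MAX_ATTEMPTS', 5 );                  // assumed threshold
define( 'EXAMPLE_LL_WINDOW', 15 * MINUTE_IN_SECONDS );  // assumed counting / lockout window

// One transient per client IP. REMOTE_ADDR is the TCP peer; behind a CDN or reverse proxy
// set the real client IP at the web-server level rather than trusting X-Forwarded-For here.
function example_ll_client_key(): string {
    return 'example_ll_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

function example_ll_is_locked_out(): bool {
    return (int) get_transient( example_ll_client_key() ) >= EXAMPLE_LL_MAX_ATTEMPTS;
}

// Count every failed login; the counter expires EXAMPLE_LL_WINDOW after the last failure,
// so attempts made during a lockout keep it alive. Log the lockout so it can be spotted.
add_action( 'wp_login_failed', function ( $username ): void {
    $key      = example_ll_client_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, EXAMPLE_LL_WINDOW );
    if ( $attempts === EXAMPLE_LL_MAX_ATTEMPTS ) {
        error_log( sprintf( 'example_ll: lockout for %s after %d failures (last username "%s")',
            $_SERVER['REMOTE_ADDR'] ?? '?', $attempts, (string) $username ) );
    }
} );

// Priority 30 runs after core's password check (priority 20), so during a lockout even a
// correct password is refused. An empty username is a plain page load, not an attempt.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' !== (string) $username && example_ll_is_locked_out() ) {
        return new WP_Error( 'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function (): void {
    delete_transient( example_ll_client_key() );
} );
```

On a site behind a CDN every visitor shares the CDN's address, so without the real-IP configuration noted in the comments one attacker's failures would lock out everyone.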
What should you do if your WordPress site was hacked?
In my experience the easiest, fastest and best action to take is to restore a version of your site from before the hack happened. This ensures the site will be back up and running just as it was, with no traces of the hack left somewhere in the code where they can be almost impossible to find. There are services that help fix hacked sites, but they can’t guarantee the results and are often expensive; it will always be cheaper to get rid of the hacked site and restore an older version.
Someone came to me with a hacked site and asked if I could help, and I reached out to a service in India who said it would be $250 but they could not guarantee they would be able to fix it, and it might cost more depending on what they found. We opted to restore an old version of the site we found on his server (a compressed zip file) and then used http://web.archive.org/ to check whether anything had changed on the site since that version.
If you do restore an old version of the site, remember that it was that site that was hacked in the first place, so it is a good idea to make some extra effort to stop it happening again. Covering the points outlined in this article should be enough; if you are already doing each of those and you still got hacked, I would suggest using a paid security service that offers a WAF (web application firewall).