Why small websites should take security seriously.
Many business owners are tempted to underestimate their need for website security because their sites don’t receive enough traffic. However, hackers are a little like burglars canvasing a neighborhood. A house in a wealthy neighborhood might have more valuable property, but it will also have higher security, which increases both the difficulty and the risk.
On the other hand, smaller houses aren’t likely to have alarm systems, and their owners often haven’t taken many measures to secure them. Because of this, many home robbers will simply rob a street by testing which doors are left unlocked.
Hackers online will follow a similar plan, using bots to probe thousands of websites at a time looking for exploitable vulnerabilities. Because of this, you can’t depend on your site’s obscurity to protect it. Hackers aren’t looking for the highest value websites, they’re looking for the most vulnerable.
Hackers also tend to have different motivations than home robbers. Once they have control over your site, they may vandalize your website, hold it for ransom, use it to infect your visitors with malware, collect private user data, or host illicit traffic.
The good news is that protecting yourself from these attacks is well within your ability. In fact, choosing WordPress as your CMS gives you more control over your website security than hosted platforms, including access to a range of security tools. In the meantime, here are some of the main security measures you should take to keep your website safe.
1. Keep your version of WordPress up to date
WordPress is open source, which means that its code is constantly being revised and updated. Along the way, security flaws come and go. Since so many people have access to the source code, vulnerabilities are often quickly discovered and remedied. However, it’s up to users to ensure they are running the most up-to-date version of WordPress.
2. Update plugins and remove those not in use
Apart from your routine WordPress updates, you will also need to maintain your plugins. Because plugins have access to the internal workings of your website, some hackers try to penetrate your system through them. To stay safe, only install trusted plugins and keep them up to date. If you’re no longer using a plugin, uninstall it.
3. Install a WordPress security plugin
Speaking of plugins, there are many security plugins for WordPress that can protect your site from a possible security breach. Sucuri and iThemes Security are both well-regarded plugins that help users without a wealth of technical knowledge keep their websites safe.
4. Change the default admin username
Your administrator user account controls a lot of major user permissions for your site. Because of this, it’s a common target for attacks that use brute force to break into your account. Because access requires both a username and a password, it’s important that both these pieces of information are safe. If a hacker can identify one, it makes the other easier to crack.
Unfortunately, many users never change the default settings on their account. If your username is simply “admin,” then you’re taking a risk with your account. Similarly, changing your login URL to something other than the default can make it harder for hackers to find the portal and crack your account.
5. Follow strong password protocols
Passwords are, sadly, another huge security hole for many businesses. It’s estimated that 10% of users use one of the top 25 most common passwords—phrases such as “qwerty,” “123456,” or (yes) “password.” Password security can also be compromised by reusing passwords, or even by having passwords that are too short. The best option? Use only strong passwords, which usually consist of a string of 16+ randomly-generated characters. Write it down and store it somewhere safe. Then use a password manager to help you log into your accounts.
6. Enable multifactor authentication
Another way to improve the security of your account is to require different types of information from a user to verify their identity. These types, or “factors,” are usually broken into three groups: something you know, something you have, and something you are.
Things you know include passwords and user names—information you can memorize. Something you have might be a phone or email account. When you go to log in, a short code is sent to the phone or email address asking for verification, so that a hacker would have to have access to one or the other of them to hack your account. Finally, something that you “are” would include biometric data, such as a finger print. As these are usually difficult to use online, most multifactor authentication requires a password plus a login code that is texted to your phone.
7. Create user permissions
Any time an account is hacked, it creates a potential security breach. However, you can limit the damage of such a breach by restricting account permissions. Your admin account should have the widest range of settings. However, you can create other accounts with a specialized permissions based on the user’s need.
That way, instead of granting access to your entire site, you only grant access to what the user will actually use, thus limiting the damage that could happen if their account is hacked.
8. Limit login attempts
Another way to slow a possible hacker is to delay the number of times they are allowed to attempt access. This does not have to be a long delay. If a user enters a username or password incorrectly more than a few times in a row, even a delay of a few seconds can be enough to effectively thwart a brute force attack. If an account receives many attempted logins, especially if they happen faster than it is humanly possible to enter login information, the account should be suspended and the account owner notified.
9. Install SSL certification and redirect http:// traffic to https://
SSL certification protects data as it moves from your website to your user’s browser. Without encryption, a hacker can intercept the data on the way and edit it to display something other than what you intended. Or, they can intercept the data on its way back to you, stealing your users login information in the process.
However, by installing SSL (that’s what the “s” indicates in https://), you protect your visitors. If you have an unencrypted URL (one that begins http://, without the “s”), then have your traffic redirect to the secure version of your site.
10. Automate site backups
Finally, if your website is hacked, you will want to ensure you have a complete backup of your site in a secure, off-site location. Without a backup, you may need to start over from square one. With automated backups in place, you can protect your site without adding another item to your to-do list.
Work with your web developers to ensure your site meets WordPress security standards.
It is crucial for every business running their website off WordPress to maintain security standards—not just for themselves, but for their users as well. At stake is not only critical business assets, but also the security of website visitors and users.
If you’re worried about your WordPress security, talk with your web developers about the steps they’re taking to protect your site. And if you’re building a new site, make sure the team you’re working with understands and follows the right security measures.
Most importantly, don’t fall into the trap of believing your business is too small to matter. If Google can find you, so can hackers. Keep your doors locked.