Keep Your WordPress Site Safe from Hackers

No matter how secure you keep your website, it can still get hacked and you should work on the basis that eventually it will be. Hackers are getting more sophisticated all the time, so it is important to keep your site as safe from them as you can.
Many people take for granted that their web hosting company is doing mysterious high-tech things to keep their website safe. This is a dangerous assumption to make. As many bloggers have sadly learned, some companies know how to prevent hackers better than others. When you’re searching for web hosting, make sure you investigate the extent of the hosting company’s security measures.
Check out my post about how I almost lost my site to hackers due to a bad host.
Let’s review some tips to keep your WordPress website safe and secure from hackers and other unscrupulous users. These tips will help you keep control of your blog and website and prevent some embarrassing mishaps. Yes, I know you’re busy and just want to concentrate on writing great posts or sharing great photography, but especially if you run a business, managing your security is CRITICAL and can avoid a lot of embarrassment and headaches. A hacker attack can easily ruin the reputation of your business, get you banned from social media accounts, or even have your site blacklisted.
In other words – PAY ATTENTION to these important security tips. I don’t mean to yell, but as a virtual assistant, I see the non-public side of a lot of websites, and I see clients making crazy mistakes with their security.
Simple Things You Can Do to Keep Your Site Safe from Hackers
Some of the things you can do to secure your website are pretty easy, but some of them are a little more complicated. Let’s start with the simpler stuff: your username and password. A hacker needs just two pieces of information to get into your site – your username and your password. This means you have to make them as difficult to guess as possible.
To give you a bit of context, I had 40 hack attempts on my site just last night. Yes 40 attempts! How do I know?? Because I have strong passwords and good security software that kept them out and notified me of the hack attempts, including what country they were from, their IP address, and the user names they were trying to use.
And this happens to one or more of my sites at least once a week. Now are you interested in talking about security??
Username and Password – Do it RIGHT!
This is where a lot of my clients go wrong. Really wrong. When you set up a new site, the first thing you do is set up your user name and password. Here is what your username SHOULDN’T BE:
- Admin (never, NEVER use this!)
- The name of your site (nope, definitely not)
- Your name or anyone’s name (too easy to guess)
- Your Email (still too easy)
PS: In case you’re interested, the 40 hack attempts last night used ALL of these choices.
Hackers are trying to get into your site every single day, I promise you. Lots of ’em. So, what to choose instead for your all-important username? Pick a phrase or something funky that you can easily remember – I-c00k-f00d (those are zeros), #sm@rtbl0ggr, #1SmartCookie – something like that.
And your password – make it HARD. Don’t use your kids’ names, or your dog’s name, or anything recognizable. Here’s a little trick I like to use. We type passwords in a lot, right? So make them something motivational – Im#Awes0meX365 or something that gets you pumped up! Then it’s easy for you to remember, but hard to hack.
PS: I also use a password keeper app like 1Password to store your zillion passwords for everything. I’m always yelling at my husband because he is constantly resetting his passwords. With a password keeper, you won’t have to do that. Plus, I have literally 300+ passwords these days, I couldn’t possibly remember them all. Note that I do NOT use LastPass. I know it’s very popular, but I have a very low trust level with it.
See my post on LastPass and Loom and why I WON’T use them because I feel they compromise my personal security and I’m kind of paranoid when it comes to security.
Keep Everything on Your Website Updated
Every time you log into your site, you will have notifications on your top bar to tell you what items need updating – your plugins, your themes, or your WordPress version. It takes no more than 5 minutes and it’s a critical thing to do. Here’s the important thing to remember about each of these – do just ONE of them at a time. That way if something breaks your site, you’ll know what to tell your Host to fix for you – yes, a good Host like SiteGround will always help you with this.
Use a Good Security Plugin (if you have a WordPress website)
I recommend either WordFence or WP All-in-One Security plugins and I sometimes use BOTH. WordFence is awesome and has both a paid and a free version, but it can be a memory hog, so I sometimes use the All-in-One version for faster load times. WordFence is the one who told me about the 40 hack attempts and tells me anytime ANYONE logs into my site – even ME! The paid version has options for blocking by country, so you can lock out countries that are known to have a lot of hackers.
Take a minute to configure these options correctly. I set mine to lock out users after 3 attempts and lock them out for 6 HOURS. That’ll teach them. I also set it to automatically log out anyone using Admin or any of my other no-no username options I listed above. That teaches hackers that I’m more vigilant than most users, so they move on. It’s like having a big deadbolt on your door.
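The lockout rules described above, replayed over constructed failed-login events as an added example (this is not the plugin's code or its settings format). The banned names, the IP addresses, and counting failures without a time window are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 3              # the article's setting: lock out after 3 attempts
LOCKOUT = timedelta(hours=6)  # the article's setting: 6-hour lockout
# Constructed "no-no" usernames: admin, site name, owner's name, owner's email.
BANNED_USERNAMES = {"admin", "mysite", "jane", "jane@mysite.example"}

# Constructed failed-login events: (timestamp, source IP, username tried).
# The IPs come from the RFC 5737 documentation ranges.
EVENTS = [
    ("2024-01-10 01:00:05", "203.0.113.7", "admin"),
    ("2024-01-10 01:00:09", "198.51.100.20", "editor1"),
    ("2024-01-10 01:02:11", "198.51.100.20", "editor1"),
    ("2024-01-10 01:03:40", "198.51.100.20", "editor2"),
    ("2024-01-10 03:00:00", "198.51.100.20", "editor1"),
    ("2024-01-10 07:30:00", "198.51.100.20", "editor1"),
    ("2024-01-10 02:00:00", "192.0.2.44", "Jane"),
]


def apply_lockout_policy(events):
    """Replay failed logins in time order and return (ip, locked_until, reason)
    for every lockout the policy would trigger."""
    failures = {}      # ip -> failures counted since the last lockout
    locked_until = {}  # ip -> datetime at which the current lockout ends
    lockouts = []
    for stamp, ip, user in sorted(events):
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if ip in locked_until and now < locked_until[ip]:
            continue  # still locked out; the attempt is rejected outright
        if user.lower() in BANNED_USERNAMES:
            reason = "banned username"  # immediate lockout, no second chance
        else:
            failures[ip] = failures.get(ip, 0) + 1
            if failures[ip] < MAX_FAILURES:
                continue
            reason = "too many failures"
        failures[ip] = 0
        locked_until[ip] = now + LOCKOUT
        lockouts.append((ip, locked_until[ip].strftime("%Y-%m-%d %H:%M"), reason))
    return lockouts


if __name__ == "__main__":
    for entry in apply_lockout_policy(EVENTS):
        print(entry)
```
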
Interesting fact: I have a .org website that I manage for a charity. That site gets a surprisingly high volume of hack attempts likely because they THINK it’s being managed poorly compared to commercial websites. If you have a website like this, keep an eye on it.
Be Cautious About Who You Trust
This is a big one. If you allow others to access your website, like technical support folks – do not give them your login info. Set them up with their own login, but only give them the access level they need. WordPress has five default user roles: administrator, editor, author, contributor, and subscriber. Use a plugin called Simple History so you have a record of all changes they’ve made in case you need to reverse them. I found this helpful last year when I had a VA doing some work for me who was a little shady and I had to remove her login and reverse all her work.
Backup Your Site
I use a free service called Updraft to create daily backups of all my sites to Dropbox. That way if my Host backup fails, I still have my own copy. Why not – it’s free and it’s another way to keep my site safe from hackers.
Here’s my post on how to use Updraft.
More Complicated Options You Can Use for Website Security
There are some next level options you can add in, but you’ll want to use them judiciously in case you manage to lock YOURSELF out!
Change the WordPress Database Prefix to keep Your Site Safe from Hackers
One of the best ways to protect a WordPress site is to change the database prefix. The default WordPress prefix is wp_. Since everyone (especially hackers) knows this, it’s best to choose a different prefix when you install WordPress. This is more of an intermediate-level change, so work with your hosting provider if you’re unsure. If you’ve already set up your site, you can still fix it using the link below, although it will be much harder to accomplish. However, it will make your website safer and more secure.
Disable File Editing
Every WordPress website allows you to update the code using the built-in code editor. You can turn this feature off, either by updating the code in your wp-config.php file or by using a one-click hardening feature in the Sucuri or WordFence plugin.
SSL Certification
One of the basic features all web hosting companies should provide is SSL certification. SSL stands for ‘secure sockets layer’ and it’s an extra layer of protection for pages in which your users have to enter information. SSL involves encrypting your data and sending it in a sort of tunnel that hackers can’t intercept. When a user visits your site, they can see that your site is certified, which gives them peace of mind.
I have a whole post on what is SSL and how to get it on your site. Very important as users can be blocked from your site if your SSL is outdated.
File Permissions
Most web hosting companies allow you to set your file permissions through them. File permissions control whether a user can read, write, or execute a file (or any combination thereof). This is important for the security of your files. When you set up your site, you’ll set these permissions through the web hosting company, and you can change them at any time.
Data Centers
When researching web hosting companies, you should consider where your data is going to be stored. These companies use data centers for storing your files. Good web hosting services use multiple data centers so that, if there’s a problem at one, your site will still be up. This is also better for your site’s security.
Malware and Spam Scanning
Your web host may perform malware and spam scanning. Good companies scan their networks constantly, looking for malicious programs. They’ll have their own firewall and will back up your data for you. You should perform all of these tasks yourself, but it helps if your web hosting company does it as well because it means added protection.
We utilize a third-party company that scans all of our customers’ websites every four hours for malware and offers a full cleanup and blacklist removal service. This is what you should have on your business website because, heaven forbid you are attacked, being blacklisted could seriously affect your bottom line.
Good Customer Support
If your site gets hacked and your data compromised, you need a web hosting provider that is going to fly into action to take care of it. Before signing up, contact them and see how responsive they are. You can also find out about their customer support by reading online reviews of their service. This is why I love SiteGround so much. Check out why!
Their chat support is the BEST I’ve ever seen for any company. I am speaking to a live person within 90 seconds, EVERY time, night or day. This in itself is like Willy Wonka’s Golden Ticket! When you have a problem, you need help FAST! They offer FREE SSL and will convert your site from your existing host for FREE! Who does that – seriously?
Plus free backups (not just one day backups – see my POST on WordPress Backups) and low-cost basic security software – for daily virus and malware scans. Their speed is FAST – my site is ridiculously fast compared to my previous no-name host (You’ve never heard of them and that’s a good thing because they SUCK – I didn’t know any better when I started) and SiteGround seems to have amazing uptime.
If you sign up with my affiliate code – HERE – you get a big discount on any of their hosting plans and I get a little bonus too. Win-win!
I hope this helps you keep your site safe from hackers. I know I sound like a paranoid loony, but I’ve had friends who’ve lost their whole site and I don’t want that to happen to me OR you.
