In our posts over the last couple of months we have outlined the importance of security for online shops and websites in general. While the hosting provider plays a very important role in keeping your website secure, there are measures you can take yourself to protect your website from attackers and unpleasant surprises.
Since a lot of our customers run WordPress, this post is written with that platform in mind, but the tips and principles apply to all websites and platforms.
1. Keep WordPress core and plugins up-to-date
All vendors and software providers work continuously to improve their code and close the security holes they find, so it is very common for a new version of a product to be released every few weeks or months, with security fixes often published between the regular releases.
To benefit from the latest fixes you need to keep both the WordPress core (the WordPress software itself) and any third-party plugins and themes you have installed up to date. It is easy to do: log in to your WordPress dashboard, select UPDATES from the left menu and choose which components to upgrade. Since WordPress 3.7, minor and security releases of the core are installed automatically by default; check that this has not been disabled, and remember that major versions, plugins and themes still need your attention. Keep in mind that an update only closes the hole, it does not remove anything an attacker left behind earlier.
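The same check from the command line with WP-CLI, as an added example that is not part of the original post: it lists pending core, plugin and theme updates, and refuses to update on top of core files that no longer match the checksums published by wordpress.org, which would otherwise hide evidence of a compromise. It assumes WP-CLI (`wp`) is installed and the script is run as the web-server user from the site root (running it as root needs `--allow-root`); the `--apply` flag and the function names are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit a WordPress install for
# pending updates with WP-CLI and check the core files against the checksums
# published by wordpress.org before (and after) updating. Assumes WP-CLI ("wp")
# is installed and the script runs as the web-server user; "--apply" and the
# function names are this example's own conventions.
set -euo pipefail

# Keep only the first CSV column (the name) of a WP-CLI listing, dropping
# header rows and blank lines, so several listings can be concatenated.
list_stale() {
  cut -d, -f1 | grep -vE '^(name)?$' || true
}

# Return 0 only if wp-admin/, wp-includes/ and the root files match the
# official checksums; modified or unknown files mean a broken update or a
# compromise, and updating on top of them would hide the evidence.
core_intact() {
  wp core verify-checksums >/dev/null 2>&1
}

main() {   # usage: wp-audit.sh /var/www/html [--apply]
  local root=$1 apply=${2:-} stale
  cd "$root"
  echo "WordPress $(wp core version) in $root"
  if ! core_intact; then
    echo "core files do NOT match the official checksums: investigate before updating" >&2
    exit 2
  fi
  wp core check-update                # lists newer core versions, if any
  stale=$( { wp plugin list --update=available --fields=name --format=csv
             wp theme list --update=available --fields=name --format=csv; } | list_stale )
  if [ -n "$stale" ]; then
    printf 'Plugins/themes with updates pending:\n%s\n' "$stale"
  else
    echo "All plugins and themes are current."
  fi
  if [ "$apply" = "--apply" ]; then
    wp core update && wp core update-db
    wp plugin update --all
    wp theme update --all
    core_intact && echo "core checksums verified after update"
  fi
}

[ $# -eq 0 ] || main "$@"
```

Run it without `--apply` from cron to get a daily report, and with `--apply` only after you have a verified backup (see point 6 below): a plugin update can break the site just as a compromise can.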
2. Install only WordPress plugins you can trust
Plugins are one of the great features of WordPress, but also one to be very careful with. A plugin runs with the same privileges as WordPress itself, so installing one from an untrusted source hands its author the ability to run code on your site, with your permission! The best approach is to:
- Install a plugin only when you cannot achieve the same thing with a few lines of your own code
- Install plugins that have enough ratings and are actively maintained (check the date of the last update and the WordPress version it was tested with, and read the reviews before installing)
- Never enter your WordPress username, password or any other credentials into a plugin; a legitimate plugin does not need them
- Search the web for any negative reviews concerning the plugin developer
- Where a paid plugin comes with a maintained code base and a developer who responds to security reports, prefer it over an abandoned free one; the price alone is no guarantee of better security
- Remove plugins you no longer use rather than just deactivating them; a deactivated plugin's files still sit on the server and any directly accessible script in them remains reachable
3. Keep your computer protected and its software up-to-date
Since you access WordPress from your PC, make sure that your computer's software is up to date and that you are running a good, updated antivirus solution. What happens in many cases is that while WordPress itself is perfectly secure, malware running on the PC collects the credentials as you type them and sends them to the attackers without you noticing. Note that changing your WordPress password from an infected machine does not help, since the new password is captured in the same way; clean the computer first.
4. Use strong passwords
It sounds like old advice, yet many people still use weak passwords for their websites. Not long ago SplashData released its list of the worst passwords, which shows that many users still do not understand the importance of a strong password.
As a WordPress administrator you should use strong, unique passwords for all WordPress users (administrators, authors and contributors) and also for the accounts WordPress itself relies on, such as the database user in wp-config.php, and for the FTP/SFTP and hosting control panel accounts that can reach the site's files. A password manager makes it practical to give every account a long random password that is used nowhere else.
5. Scan your website for malware and other security issues
Attackers have become very sophisticated, and when they compromise a website they inject code into the pages that is displayed only to certain types of users (for example, not to administrators), only to certain IP ranges (for example, particular countries) or only to bots (search engine crawlers). This is known as cloaking, and the end result is that you and your normal visitors may never notice that the website has been hacked, while search engines see the spam or malware and blacklist the site.
To make sure that your website has not fallen victim to this, do regular checks using these two free services:
- Sucuri SiteCheck – a free service that checks your website for malware, blacklisting and other security-related issues. In the unfortunate event that your website is infected, you can use their services to remove the malware.
- Google Webmaster Tools (now called Google Search Console) – one of its great features is that Google notifies you if it detects security issues with your website, such as malware or hacked content. Make sure your website is registered with Webmaster Tools (it is free) and that you have enabled email notifications, so that you are notified by email about issues with your site. For more information you can also read Google's guide.
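One way to run such a check yourself, as an added example that is not part of the original post or of either service named above: fetch the page as a normal browser, as Googlebot, and as a visitor arriving from a Google search, then diff the scripts, iframes and links each view contains. Anything served to the bot or the referred visitor but not to you is exactly the cloaked content described above. The script assumes curl and standard POSIX tools; the user-agent strings and the function names are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from either service named above:
# fetch one page as several kinds of visitor and diff the scripts, iframes and
# links each one is served. A cloaked infection returns clean HTML to the owner
# and injected code to search bots or to visitors arriving from a search engine.
# Assumes curl plus standard POSIX tools; user-agent strings are constructed.
set -euo pipefail
export LC_ALL=C                    # stable sort order for comm(1)
Q="[\"']"                          # either quote character

# Print the src/href targets of a saved HTML page, one per line, sorted and
# de-duplicated. Good enough for cloaking checks; not a full HTML parser.
page_refs() {
  grep -oiE "(src|href)=$Q[^\"']+" "$1" | sed -E "s/^[^=]*=$Q//" | sort -u || true
}

# Fetch URL $1 with user-agent $2 (and Referer $3 if given) into a temp file
# and print the file's path, so several views can be compared afterwards.
fetch_as() {
  local out
  out=$(mktemp)
  curl -sSL --max-time 20 -A "$2" ${3:+-e "$3"} -o "$out" "$1"
  echo "$out"
}

# Print every reference present in view $2 but absent from view $1, prefixed
# with "+ ", and return 1 if there were any; return 0 when the views agree.
compare_views() {
  local ta tb extra
  ta=$(mktemp); tb=$(mktemp)
  page_refs "$1" >"$ta"
  page_refs "$2" >"$tb"
  extra=$(comm -13 "$ta" "$tb")
  rm -f "$ta" "$tb"
  if [ -z "$extra" ]; then
    return 0
  fi
  printf '%s\n' "$extra" | sed 's/^/+ /'
  return 1
}

main() {   # usage: cloak-check.sh https://example.com/
  local url=$1 ua rc=0 browser bot referred
  ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"
  browser=$(fetch_as "$url" "$ua")
  bot=$(fetch_as "$url" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)")
  referred=$(fetch_as "$url" "$ua" "https://www.google.com/")
  echo "== served to Googlebot but not to a browser =="
  compare_views "$browser" "$bot" || rc=1
  echo "== served to visitors arriving from Google but not to direct visitors =="
  compare_views "$browser" "$referred" || rc=1
  rm -f "$browser" "$bot" "$referred"
  return $rc
}

[ $# -eq 0 ] || main "$@"
```

The script cannot see what a visitor in another country is served; repeat the fetch from a host in that region (or through a VPN) and run `compare_views` on the saved files. A clean diff is not proof of a clean site: injections that only fire on inner pages, on a schedule, or on the server side are missed, which is why the two scanners above are still worth running.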
6. Keep a working backup of your files and database
If every measure to protect your website fails, you need a way to restore it to the last known good state. That means having backups of both your files and your database in a working state. In other words, you must test your backup and restore procedures, make sure they work and know exactly what to do when you need to roll the website back to a previous version. The most common mistake people make is to keep a backup that cannot be restored properly. Two further points matter: keep the backups off the web server (an attacker who controls the site can delete or alter anything stored next to it), and keep several generations, because a backup taken after the compromise only preserves the malware.
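A backup script that performs the trial restore this point asks for, as an added example that is not part of the original post and not any particular product's tool: it packs the files (and the database via mysqldump, when available), records a SHA-256 manifest, then immediately unpacks the archive into a scratch directory and checks every file against that manifest before reporting success. It assumes tar, sha256sum or shasum, and single-quoted `define()` lines in wp-config.php; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: back up a WordPress site's files
# and database, then prove the archive restores by unpacking it into a scratch
# directory and checking every file against the checksums recorded at backup
# time. Assumes tar and sha256sum (or shasum) are available; the database dump
# additionally assumes mysqldump and single-quoted DB_* defines in wp-config.php.
set -euo pipefail

if command -v sha256sum >/dev/null 2>&1; then SHA=sha256sum; else SHA="shasum -a 256"; fi

# Read a define('NAME', 'value') constant from wp-config.php ($1 = file, $2 = name).
wp_const() {
  sed -nE "s/.*define\( *'$2', *'([^']*)'.*/\1/p" "$1" | head -n 1
}

# Dump the site's database to $2 using the credentials in $1/wp-config.php.
# Returns 1 (without aborting the script) when mysqldump or the config is missing.
dump_db() {
  local cfg="$1/wp-config.php"
  command -v mysqldump >/dev/null 2>&1 || return 1
  [ -f "$cfg" ] || return 1
  MYSQL_PWD="$(wp_const "$cfg" DB_PASSWORD)" mysqldump --single-transaction \
    -h "$(wp_const "$cfg" DB_HOST)" -u "$(wp_const "$cfg" DB_USER)" \
    "$(wp_const "$cfg" DB_NAME)" >"$2"
}

# Pack the site root $1 (and the SQL dump $3, if given) into the gzipped tar $2,
# and write a SHA-256 manifest of the packed tree to $2.sha256 beside it.
make_backup() {
  local root=$1 out=$2 dump=${3:-} work
  work=$(mktemp -d)
  mkdir "$work/site"
  cp -R "$root/." "$work/site/"
  [ -z "$dump" ] || cp "$dump" "$work/database.sql"
  ( cd "$work" && find . -type f -exec $SHA {} + | sort -k2 ) >"$out.sha256"
  tar -czf "$out" -C "$work" .
  rm -rf "$work"
}

# Trial restore: unpack $1 into a scratch directory and verify it against
# $1.sha256. Returns 0 only if the archive unpacks, every checksum matches and
# the restored tree actually contains a site (wp-config.php is present).
verify_backup() {
  local archive=$1 manifest scratch rc=0
  manifest="$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256"
  scratch=$(mktemp -d)
  if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
    echo "restore FAILED: $archive does not unpack" >&2; rc=1
  elif ! ( cd "$scratch" && $SHA -c --quiet "$manifest" ); then
    echo "restore FAILED: restored files differ from the manifest" >&2; rc=1
  elif [ ! -f "$scratch/site/wp-config.php" ]; then
    echo "restore FAILED: no wp-config.php in the restored tree" >&2; rc=1
  fi
  rm -rf "$scratch"
  return $rc
}

main() {   # usage: wp-backup.sh /var/www/html /backups
  local root=$1 dest=$2 dump archive
  archive="$dest/wp-$(date +%Y%m%d-%H%M%S).tar.gz"
  dump=$(mktemp)
  if dump_db "$root" "$dump"; then
    make_backup "$root" "$archive" "$dump"
  else
    echo "warning: database not dumped (mysqldump or wp-config.php missing)" >&2
    make_backup "$root" "$archive"
  fi
  rm -f "$dump"
  verify_backup "$archive" && echo "backup verified: $archive"
}

[ $# -eq 0 ] || main "$@"
```

Run it from cron and copy the verified archive together with its `.sha256` file to another machine or to object storage; a backup that lives only on the web server can be deleted by the same attacker who broke the site. The manifest also lets you re-verify an old archive with `verify_backup` before you rely on it, which is the check people usually skip.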
When it comes to the security of a website, all experts agree that it is better to invest time and effort in proactive measures than to try to recover after you have been hacked. For WordPress websites it is always advisable to follow a minimalist plugin approach, keep the WordPress software up to date and perform regular checks with dedicated tools to ensure that the website is not hacked or suffering from any other security issue.