Your website is your shop front and for many businesses the main source of leads or purchases. Clients expect to be able to interact with a clear, fast loading and safe website, and you as an SMB are likely to be concerned about the ongoing security of your website. You will hear many worrying stories of sites being hacked, of customer information being stolen, or of clients being infected with viruses.
The bad news and the good news (in that order)
What can you do…?
Surely your site wouldn’t be a target?
Surely heightened security is only accessible to large companies with big budgets?
Well, there is some bad news… but some really good news too: First off, unfortunately, no site is safe, as hackers and viruses are on a mission to infect as many sites as possible that will then continue to infect users and so on. Secondly, however, BIG security is available to the masses, at affordable prices that bring super peace of mind.
Security Essentials Checklist
Here is the WordPress Security Essentials list:
• Apply some best practices to your WordPress installation (core ones listed below)
• Regularly update your WordPress installation, plugins and themes
• Security plugins for WordPress (we list them below)
• Website Firewall service (one recommended below)
1 – Apply some best practices to your WordPress installation
A range of default settings can leave a WordPress installation vulnerable and should be changed. For example, keeping the original default username of “admin” gives potential hackers one less thing to guess whilst they try to brute force your password.
Here are the core best practices. Please note that either of the two security plugins for WordPress that we recommend allows you to do all of the below at the click of a button, so don’t panic, no code access is needed.
• Change default admin username from “admin”.
• Enforce complex security policy for all users
• Ensure your database prefix is not the default wp_
• Activate a limit on login attempts to stop people guessing
• Set up daily backup of your database
• Enable SSL (https) for your wp-admin area
• Hide the wp-admin area with an alternative name
These are the essentials, but the security tools in section 4 not only cover these but give you recommendations as you go on how to further protect your site. They make getting your WordPress website up to standards VERY easy.
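For readers who do want to look under the hood, here is an added example (not part of the original article or of either plugin) that checks three of the items above: the database prefix and SSL for wp-admin, both read from wp-config.php, and the default "admin" username. The sample config and login list are constructed for illustration.

```python
import re

# Constructed wp-config.php excerpt for illustration, not from a real site.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'shop' );
// define( 'FORCE_SSL_ADMIN', true );
$table_prefix = 'wp_';
"""


def strip_line_comments(source):
    """Remove /* */ blocks and whole-line // or # comments, so a
    commented-out setting is not mistaken for an active one."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    return re.sub(r"(?m)^\s*(//|#).*$", "", source)


def audit_wp_config(source):
    """Return findings for two checklist items stored in wp-config.php."""
    code = strip_line_comments(source)
    findings = []

    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", code)
    if prefix is None:
        findings.append("table_prefix: not set")
    elif prefix.group(1) == "wp_":
        findings.append("table_prefix: still the default wp_")

    ssl = re.search(
        r"define\(\s*['\"]FORCE_SSL_ADMIN['\"]\s*,\s*(\w+)\s*\)", code, flags=re.I)
    if ssl is None or ssl.group(1).lower() != "true":
        findings.append("FORCE_SSL_ADMIN: not enabled for wp-admin")
    return findings


def audit_logins(logins):
    """Flag accounts that still use the default 'admin' username."""
    return [f"user: default username {u!r} in use"
            for u in logins if u.strip().lower() == "admin"]


if __name__ == "__main__":
    # The login list is constructed; on a live site it could come from
    # WP-CLI: wp user list --field=user_login
    for finding in audit_wp_config(SAMPLE_WP_CONFIG) + audit_logins(["admin", "jo"]):
        print(finding)
```

An empty result means those three items are in place; the remaining checklist items (login limits, backups, renamed wp-admin) live in plugin or host settings rather than in wp-config.php.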
2 – Regularly update your WordPress installation, plugins and themes
It is super important that you make sure you are running the latest version of WordPress. There is a team of developers and contributors around the world adding amazing new features, and also keeping up to date with bugs and vulnerabilities. This means if a vulnerability that can be exploited has been reported, the latest version of WordPress will address that, providing greater protection.
It is equally important you ensure your plugins are kept up to date too. The authors will be continuing to ensure compatibility with the latest version of WordPress, as well as hardening their own code, and fixing any bugs discovered.
Finally, if you have purchased or obtained a free WordPress theme that receives updates, you should ensure you update your theme. As a theme can contain the same sort of code a plugin can, there can be potential compatibility issues in the future or vulnerabilities if not checked.
A word of warning regarding updates
As important as it is to update all areas of your WordPress website, it is also important you are VERY careful. Running updates can cause unforeseen issues. It is always best to run a full backup of your entire site so that it can be quickly restored in the event something goes wrong. If you are able to, you can clone the site over to a “Staging area” where you can run the updates; your host can advise on this.
Now there is nothing like getting some help in for things like this, so instead of struggling/worrying there are amazing WordPress services out there that charge a low monthly fee to do pretty much anything you ask of them in WordPress. As a Digital Agency, I recommend that clients check out WP Curve (http://wpcurve.com/). The reason being, they have a huge global team that is able to respond quickly and provide epic WordPress maintenance and support.
From $79 a month they promise to:
• Stop Site Hacking
• Boost your brand
• Boost conversion
• Speed up your site
• Grow your business traffic
• Increase search engine traffic
• Reduce your bounce rate
Getting all your bases covered with a team of WordPress Experts at such a low cost really gives you peace of mind. You’ll be benefitting from the kind of cover that large enterprise organisations would invest thousands of pounds in consultancy and staff to get. (Told you BIG security is available, right!?)
3 – Security Plugin for WordPress
So you know I told you not to panic right? Well here goes. Two WordPress plugins (pick the one you most like the look of) that will make all those recommendations a click of a button. Oh, and if you decided to go with WP Curve, then all you need to do is ask them to set it up for you and for them to secure things. (Even easier).
Right, without further ado:
All In One WordPress Security – https://en-gb.wordpress.org/plugins/all-in-one-wp-security-and-firewall/
Lightweight, easy to use, AIOWP is a great tool that does what it says on the tin. As you work your way through each screen, you can then pop to the dashboard and check your security rating. Each new setting activated and BOOM, you move up the rating till you have a robust website. If you have multiple sites, you can then export all your settings and import them into any other WordPress site. Perfect for marketing agencies managing multiple sites.
The only cons to this product are:
• It is free (why is that a con) so there is no paid support available
• It can be a little complex to understand, and there is no friendly wizard
Which leads us onto what is slowly turning into my favourite solution:
iThemes Security – https://en-gb.wordpress.org/plugins/better-wp-security/
This plugin contains a great one-page wizard that shows you potential issues. You click the FIX IT button and are taken to the relevant screen to click whatever options appear. Their brute force protection is also fantastic as it connects to a network and bans computers that have tried hacking into other websites, meaning if they try and hit your site, iThemes is going to reject it… and that is loaded in free!
Then for a low yearly cost, if you choose to purchase their pro plugin, you get their support if there is an issue, and tonnes more features included. The most exciting being Two Factor login. This means you can require people to have Google Authenticator on their phone that has been authorised against your site. Then if someone logs in, they have to tap in a code their phone generates on the fly… Pretty awesome and this is enterprise level security we are talking about!
You can check them both out via the links above and choose the one you feel the most comfortable with.
4 – Website Firewall service
What is a firewall? Well in simple terms it is like a massive wall all round your website. There is a gatekeeper, and they are responsible for checking every single request for entry. (Please don’t get a bricklayer in, this was an elaborate metaphor).
To be honest, there is really only one service that we as a Digital Agency would recommend:
The team behind Sucuri are leading experts, who provide a robust service where you direct your site through their service, and your site instantly benefits from advanced firewall protection. Starting at $16.66 a month, this is super cheap compared to the 1000s of pounds of cost you would have as an enterprise purchasing servers, firewall hardware and consultancy. I told you so didn’t I? You really can get BIG security for your SMB!
Sucuri have also been improving their network to allow for faster content delivery making your site MUCH faster. And IF your site has ever been infected with a virus, they will remove it for you and deal with Google to get your site back off the blacklist. They will also virus scan your website every 12 hours. This is pretty epic.
There is no other service we are aware of that gives you all that security, protection and service for such a competitive and affordable rate.
I really hope I’ve helped you understand why you need to secure your website, and how easy and affordable it is to get a very high standard of protection for your site for very little cost. If you get stuck along the way, then feel free to reach out to me with questions. I wish you all the best in securing your website, and “you’re welcome” in advance for those restful nights you are about to get once you have got it all set up.