You put a lot of work into building your web site, making it look and perform exactly as you wish. The last thing you need is for some miscreant to deface it, take it down, or take it over. To prevent that, you need to be proactive. This article originally appeared on lightningstrikestudios.com. If you’re reading it anywhere else, it’s stolen. Please let me know at firstname.lastname@example.org
1 – Strong Passwords Matter
Your first line of defense is a strong, unique password. WordPress generates complex random passwords for you, but many people choose to use something easier to remember. Worse, they often use the same password across multiple sites. Sure, it can be tempting to use something like Rover2018 as your default password for all your accounts. It’s easy to remember, easy to type … and easy for hackers to exploit. In fact, hackers count on this behavior.
In recent years, cybercriminals have captured millions of passwords from a number of popular sites including LinkedIn, Equifax, and Yahoo. Thus armed, they try those same passwords on other sites. So if you use a password on one site, and that site is later compromised, hackers may try using that same password to access other sites, including yours.
Does a variation of a standard password help? Not really. Hackers know that if you used Rover2017 last year, you’re likely to use Rover2018 this year. They know that if you use LinkedIn12345 as your password for LinkedIn, you’re likely to use Facebook12345 as your password for Facebook.
Of course, cybercriminals don’t sit at a keyboard and manually type passwords. Instead, they use programs that run complex algorithms to do the work for them. These programs, often running on sites the hackers have already compromised, attempt to break into other sites. Depending on how your site is configured, they may be able to try tens of thousands of passwords a minute.
So what should your password look like? A strong password is long – aim for at least 16 characters – and incorporates both upper and lower-case letters, numbers, and symbols, all in a random order. Of course, no one wants to try to type or remember something like V33AOsT+N\iJyP57t-:S(L~zf every time they log into their site. Fortunately, with a good password manager, you don’t have to.
Password managers allow you to store all of your passwords in a database, secured with a single master password. You only have to remember that one master password to open the database, and then you can copy and paste the password you need, without having to retype it. Some managers will even enter the password for you when it determines which account you’re trying to access.
There’s a wide array of password managers available, both free and commercial. If you’re looking for a good, free solution, consider KeePassXC, available for Windows, Mac, and Linux.
Whatever system you use, just make sure to keep a backup of your password database. Of course, you regularly back up your computer anyway, don’t you?
2 – Keep Your Site Updated
In an ideal world, everything would just work and keep on working. There would be no need to update the software that runs your website. Unfortunately, we don’t live in an ideal world. While the developers who create and maintain WordPress, its themes, and its plugins do an excellent job of making sure the software works the way it’s supposed to, occasionally bugs creep in. To counter this, the developers issue updates … so many updates.
By default, WordPress applies minor system and translation updates automatically. While it’s possible to configure WordPress to apply major updates as well, you shouldn’t. Instead, only apply major updates of the core WordPress system yourself, and only after taking some preliminary steps.
Make sure your site is fully backed up. (See the section Backup Your Files And Database below.)
Make sure that any plugins and themes to be updated are compatible with the latest version of WordPress.
If you’ve made any modifications to your theme, be sure to take note of them so you can re-apply them afterward, since updating the theme may overwrite them.
When you’re sure everything is ready, update WordPress, followed by your theme, then your plugins. After the updates are complete, examine your site carefully and make sure everything still looks right and works as it should.
3 – Use A Firewall
On its own, WordPress is remarkably secure, due in no small part to its open source nature. With hundreds of active developers and thousands of others examining the code, bugs and vulnerabilities are quickly found and corrected. Well, most of them. The occasional bug does manage to slip through, leaving a hole in your site’s armor. And there’s a never-ending hoard of hackers always probing your site, looking for those holes. To stave of that assault, you need a robust firewall.
As always, with WordPress you’ve got an array of options. One excellent choice is Wordfence, from Defiant. Installed and managed as a WordPress plugin, Wordfence keeps attackers at bay by:
- Blocking brute force attacks
- Blocking login attempts from known attackers
- Scanning your site for known malware and suspicious activity
- Repairing damaged files
- Alerting you to available updates
For the most part, Wordfence is install and forget. However, the application includes a variety of monitoring tools that let you see – in real-time – who’s accessing your site. There’s something very satisfying about watching a storm of hacking attempts, knowing your firewall is keeping them out.
4 – Backup Your Files And Database
Even with strong passwords, regular updates, and an impenetrable firewall, your site can still fail. Bugs can sneak past the developers of WordPress, its themes, or its plugins; or into any of the multiple layers of software supporting your site. Any one of the countless hardware components on which your site resides can malfunction.
To recover from these eventualities you need a reliable backup. How you back up depends on your circumstances. How large is your site? How often do you make updates to your content, including your blogs?
In most cases, a plugin like UpdraftPlus will serve you well. It’s free option backs up your files and database to your own Dropbox account, Google Drive, or other locations, while, for a small fee, you can encrypt your backups and have them stored on UpdraftPlus’ own servers.
Assuming your hosting provider offers you the necessary access, you also have the option of backing up your site manually using tools like sFTP for the files and phpMyAdmin for the database.
Whatever option you choose, it’s important to periodically test your backups. Ideally you’d use your backup to create a temporary parallel site. Of course, that’s a lot of work and likely not practical for most people. Instead, periodically download your files and database exports from wherever your backup stores them, and examine them to be sure they’re complete.
5 – Get Help
WordPress makes it easy to maintain your website. It alerts you when updates are available and allows you to apply those updates with a couple of clicks. It’s an excellent system and it usually works well.
Every once in a while, however, bad plugins, conflicting plugins, or a broken theme can make your site – including the dashboard – inaccessible. When that happens, sometimes the only way to fix it is by editing your files and database directly, performing WordPress surgery. If that prospect seems a bit daunting, contact your web designer.
Any half-decent web design company will provide a maintenance agreement under which they’ll take care of all of your site maintenance – updates, security monitoring, and backups – for a modest annual fee.
Don’t Leave Your Site’s Safety To Chance
Considering all we’ve discussed, taking care of this on a regular basis may seem like a lot of work, and it is. Is it really worth it?
Figures vary, depending on who you ask and how they calculate their results, but estimates put the number of websites hacked at more than 30,000 every day. A recent survey of web developers found that 38.9% had seen their website compromised in the past 12 months. At the same time, those who are more experienced web developers are also the most concerned about security; they understand the dangers.
If your website is important to your business – or just important to you – don’t leave its safety to chance.
If you don’t have the time to create and maintain your own web site, contact us. We produce modern, responsive sites with compelling content, and then maintain them to keep them functional and safe.