You have probably invested a lot of time and money in your website and it’s an important tool for your business. Be aware, though, that if you don’t have certain basics in place your website is at risk.
The risk can come from a malicious source like hackers or simply from a technical mishap where something goes wrong and you can’t recover your site. Happily, there are simple ways to mitigate these risks.
I’m going to run through five essential features that you need to have in place in order to keep your website secure.
1. Backups
A good solid backup system is a great thing. It allows me to sleep at night! I am responsible for a large number of client websites and backups give me peace of mind. I know that whatever happens, no matter how disastrous it looks, I can quickly and easily recreate any of the websites I’m responsible for.
A lot of people rely on their hosting company to have backups of their site. Firstly, don’t assume this is the case. Backups aren’t automatically included in all hosting packages. Secondly, even if your host does provide backups, I recommend that you also keep your own independent backups stored elsewhere. Thirdly, whoever makes the backups, check from time to time that you can actually restore from them: a backup that has never been tested is a hope, not a plan.
I use and recommend the free version of the plugin UpdraftPlus to automatically create backups that are then stored in my Dropbox. You can also set it to save backups to Google Drive.
As long as you have a recent, complete backup, whatever happens you can simply roll back your website to an earlier version or completely recreate it if needs be. A complete WordPress backup has two parts: the database (posts, pages, settings and users) and the files (themes, plugins and your uploads folder). Make sure yours includes both, and keep more than one copy going back a few weeks, because you may not notice a hack on the day it happens.
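The checks described above (files plus database in one archive, a record of what went in, and a restore test) can be scripted. The block below is an added example written for this article, not UpdraftPlus code or anything from the original post: it bundles a site directory and a database dump into a tar archive, writes a sha256 manifest next to it, and then restores the archive into a scratch folder and compares every file against the manifest. The sample site it builds in `demo()` is constructed inline so the code runs offline.

```python
"""Added example: make a WordPress-style backup and prove it restores.
Not UpdraftPlus or any plugin's code; the sample site is constructed inline."""
import hashlib
import json
import os
import tarfile
import tempfile
import time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir, db_dump_path, out_dir):
    """Archive the site files and a DB dump, and write a manifest of sha256 hashes beside it."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(out_dir, f"site-{stamp}.tar.gz")
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for root, _, files in os.walk(site_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = "files/" + os.path.relpath(full, site_dir).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
        manifest["db.sql"] = sha256_file(db_dump_path)   # the database dump travels with the files
        tar.add(db_dump_path, arcname="db.sql")
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return archive


def verify_backup(archive):
    """Restore into a scratch directory and check every file against the manifest.
    Returns (ok, problems); a backup you have not restored is not yet a backup."""
    with open(archive + ".manifest.json") as f:
        manifest = json.load(f)
    problems = []
    # Newer Pythons refuse unsafe paths inside archives when filter="data" is given.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
        for rel, expected in manifest.items():
            path = os.path.join(scratch, rel)
            if not os.path.exists(path):
                problems.append("missing: " + rel)
            elif sha256_file(path) != expected:
                problems.append("corrupt: " + rel)
    return (not problems, problems)


def demo():
    """Build a tiny constructed site, back it up, verify, then show a damaged record being caught."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, "public_html")
        os.makedirs(os.path.join(site, "wp-content", "uploads"))
        with open(os.path.join(site, "wp-config.php"), "w") as f:
            f.write("<?php define('DB_NAME', 'example_wp');\n")      # constructed content
        with open(os.path.join(site, "wp-content", "uploads", "logo.png"), "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\n" + os.urandom(64))           # constructed binary
        dump = os.path.join(work, "example_wp.sql")
        with open(dump, "w") as f:
            f.write("INSERT INTO wp_options VALUES (1,'siteurl','https://example.com');\n")
        archive = make_backup(site, dump, work)
        ok_before, _ = verify_backup(archive)
        # Simulate an archive that no longer matches what was recorded for the database.
        manifest_path = archive + ".manifest.json"
        with open(manifest_path) as f:
            manifest = json.load(f)
        manifest["db.sql"] = "0" * 64
        with open(manifest_path, "w") as f:
            json.dump(manifest, f)
        ok_after, problems = verify_backup(archive)
        return {"ok_before": ok_before, "ok_after": ok_after, "problems": problems}


if __name__ == "__main__":
    print(demo())
```

Run it unchanged and it reports a clean restore followed by the deliberate mismatch on `db.sql`. For a real site you would point `make_backup` at your web root and at the output of a database dump, and copy both the archive and its manifest off the server.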
2. SSL Certificates
An SSL certificate (strictly a TLS certificate, but everyone still says SSL) is what allows your website to use a secure, https, connection. It does two things: it lets the browser check that it really is talking to your server and not an impostor, and it lets the two sides encrypt everything they exchange. It’s what gives you the little padlock symbol in the address bar of the browser.
When you visit a website, the server has to send information to your browser in order to display the website; similarly, your browser sends information back to the server. Over plain http this travels as readable text, so anyone in a position to watch the traffic (on public wifi, for example) can read it or tamper with it. If you use an https connection this communication is encrypted.
There are a number of reasons why this is important:
- If you collect people’s information on your website, e.g. you have an ecommerce site or even just a contact form, then you are protecting people’s data by using https.
- Even if you don’t collect any information, website users can be put off by an insecure warning. Chrome, for example, labels every plain http page “Not secure” in the address bar, and shows much scarier full-page warnings if a certificate is missing or broken.
- Google likes https. Google uses ‘page experience signals’ as part of the algorithm for ranking pages in its search results and having https is one of those signals. It is better for SEO (search engine optimisation) to have an SSL certificate.
Two caveats. A certificate protects information in transit; it does not make the site itself secure, so an outdated plugin is just as exploitable over https as over http. And it only helps if every page is actually served over https: redirect http to https, and fix any ‘mixed content’ (images or scripts still loaded over plain http), because the browser will not show the padlock for those pages. Many hosts now issue free certificates through Let’s Encrypt, so cost is no longer a reason to skip this.
3. Strong Passwords and Login Protection
One of the common ways that websites get hacked is by people breaking into your site by discovering your username and password. There’s nothing sophisticated about it: they point bots at your login page (wp-login.php) that try 1000s of different passwords until they hit lucky. The username ‘admin’ is always the first one they try, so don’t use it.
You can protect against this kind of ‘brute force’ attack using a security plugin that locks an address out after a handful of failed attempts. It’s one of the things included in general security plugins such as Wordfence, or you can use one that specifically targets this situation like Limit Login Attempts. If your plugin offers two-factor authentication, turn it on for every administrator: a guessed password is then not enough on its own.
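Brute-force attempts are easy to see in your web server’s access log even without a plugin, and if your host gives you the log it is worth knowing what to look for. The block below is an added example written for this article (not code from Wordfence, Limit Login Attempts or the original post): it parses log lines in the standard Apache/nginx ‘combined’ format and flags any address that sends more than a threshold of failed logins inside a five-minute window. A failed login to wp-login.php is a POST that gets a 200 (the form is redrawn with an error), while a successful one gets a 302 redirect to the dashboard. The log lines are constructed inline and the threshold is the example’s own choice.

```python
"""Added example: find login brute-forcing in an access log.
The sample lines are constructed; the threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_failed_login(method, path, status):
    """WordPress redraws the form (200) on a bad password and redirects (302) on a good one."""
    if method != "POST":
        return False
    base = path.split("?")[0]
    if base == "/wp-login.php":
        return status == 200
    if base == "/xmlrpc.php":
        # xmlrpc.php answers 200 to good and bad logins alike, so every POST is counted
        # as an attempt here; if nothing on your site uses it, block it outright instead.
        return True
    return False


def find_brute_force(lines, threshold=10, window=timedelta(minutes=5)):
    """Return [(ip, attempts)] for addresses with >= threshold failures inside any one window."""
    failures = defaultdict(list)
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue  # skip anything unparseable rather than abort the whole run
        if is_failed_login(m["method"], m["path"], int(m["status"])):
            failures[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    offenders = []
    for ip, times in failures.items():
        times.sort()
        start, worst = 0, 0
        for end in range(len(times)):           # sliding window over this address's failures
            while times[end] - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            offenders.append((ip, worst))
    return sorted(offenders, key=lambda t: -t[1])


def make_sample_log():
    """Constructed log lines: one bot, one real user who mistypes once, some ordinary browsing."""
    base = datetime(2024, 5, 10, 9, 0, 0)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

    def line(ip, secs, method, path, status, ua="Mozilla/5.0"):
        ts = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        return fmt.format(ip=ip, ts=ts, method=method, path=path, status=status, ua=ua)

    lines = [line("203.0.113.7", i * 2, "POST", "/wp-login.php", 200, "python-requests/2.31")
             for i in range(12)]                                   # 12 failures in 22 seconds
    lines.append(line("198.51.100.20", 300, "POST", "/wp-login.php", 200))   # one typo
    lines.append(line("198.51.100.20", 310, "POST", "/wp-login.php", 302))   # then logged in
    lines.append(line("198.51.100.20", 320, "GET", "/wp-admin/", 200))
    lines.append(line("192.0.2.9", 330, "GET", "/?s=hello", 200))
    return lines


if __name__ == "__main__":
    for ip, count in find_brute_force(make_sample_log()):
        print(f"{ip}: {count} failed logins within 5 minutes")
```

On the constructed sample only 203.0.113.7 is reported; the real user with a single typo is not. Feed `find_brute_force` the lines of your own access log (`open("access.log")` iterates line by line) and the addresses it returns are the ones worth blocking at the host or firewall.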
These plugins are really useful, but one of the best things you can do to protect yourself (and this is true of all your online accounts, bank accounts included) is to use strong passwords. I know it’s a pain nowadays when we have so many passwords to remember, but we really shouldn’t be using our pets’ names or Password123 as our passwords!
Here’s one method for creating a secure but memorable password:
- Think of an easy to remember sentence – song lyrics can work well
“I am just a poor boy, Though my story’s seldom told”
- Take the first letters – you can alternate upper and lower case
- Switch some of the letters to numbers and symbols to add complexity, e.g. @ for a, 1 for I. Be aware that these particular substitutions are so common that password-cracking tools try them automatically, so the real strength comes from the length of the sentence, not from the symbols.
Ideally you wouldn’t use the same password for everything. You can extend the method by adding two letters on the end that relate to what the password is for, e.g. fb for Facebook, lb for Lloyds Bank and so on, but there is a weakness: websites do get breached, and if one of those passwords leaks, anyone who sees it can guess the rest. A better division of labour is to use the sentence method for the one password you have to remember, and let a password manager generate a different random password for every site.
You can also use a password manager like LastPass to store your passwords so you only need to remember one master password. I resisted doing this for ages but since I started using LastPass I use much better passwords and have different ones for everything – no more password shame!
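To make the points above concrete, the block below is an added example written for this article (not the original author’s method, and not code from LastPass or any other product). It shows three things: why a substituted password like P@ssw0rd123 is still weak, by undoing the substitutions the way a cracking tool would before comparing against a list of common passwords; how much guesswork a genuinely random password or passphrase represents; and how a password manager generates one using Python’s `secrets` module. The common-password list and the word list are small constructed stand-ins; a real check would use a breach list, and a real passphrase generator uses a list of thousands of words.

```python
"""Added example: spot 'dressed-up' weak passwords and generate strong ones.
COMMON and WORDS are small constructed stand-ins, not real-world lists."""
import math
import re
import secrets
import string

# Constructed stand-in for a list of leaked/common passwords.
COMMON = {"password", "password123", "letmein", "qwerty", "admin", "welcome", "iloveyou"}

# Substitutions that every cracking rule set already knows how to undo.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed stand-in for a proper passphrase word list (a real one has ~7776 words).
WORDS = ["anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
         "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
         "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "zephyr"]


def normalize(pw):
    """Reduce a password to the dictionary word it is built from: drop trailing digits/symbols,
    undo leet substitutions, lower-case. 'P@ssw0rd123' -> 'password'."""
    stripped = re.sub(r"[^A-Za-z]+$", "", pw)
    return stripped.translate(LEET).lower()


def is_weak(pw, min_len=12):
    """Too short, or a common password in disguise."""
    if len(pw) < min_len:
        return True
    return normalize(pw) in COMMON or pw.lower() in COMMON


def entropy_bits(pool_size, length):
    """Guesswork for a value chosen uniformly at random: length * log2(pool)."""
    return length * math.log2(pool_size)


def generate_password(length=20, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """What a password manager does: a uniformly random string from a large alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=WORDS, n_words=5, sep="-"):
    """Memorable alternative: random words joined by a separator."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "L3tm3in!", "IamjapbTmsst"):
        print(f"{candidate!r:16} weak={is_weak(candidate)} (reads as {normalize(candidate)!r})")
    print("random 20-char password:", generate_password(), f"~{entropy_bits(94, 20):.0f} bits")
    print("5 words from a 7776-word list:", f"~{entropy_bits(7776, 5):.0f} bits")
    print("passphrase from the toy list:", generate_passphrase())
```

Note what the numbers say: five words drawn at random from a proper 7776-word list are about 65 bits of guesswork, and a 20-character random password from the manager is about 131 bits, while a substituted dictionary word falls to the cracker on the first pass no matter how many @ signs it contains.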
4. Software Updates
One of the big benefits of using WordPress is that it has a massive community of developers who create plugins (extensions) for it, which means whatever you want to do, you can be fairly sure that other people have wanted to do it before and somebody has created something to help you.
The downside of having all these extra pieces of software is that hackers sometimes find flaws in the software that they can exploit to access your site. This is particularly true of old, outdated software: once a flaw is public and a fix has been released, bots scan for sites that haven’t applied it, which is one reason why you should keep your website software updated.
Have a regular plan for updating your version of WordPress, your theme and any plugins you have installed, and take a backup before you run the updates so you can roll back if one of them breaks something. For the same reason it is good to keep the number of plugins on your site to a minimum. If you need a plugin for something, by all means use it, but if you try something and decide not to use it remember to remove it: a deactivated plugin still sits on the server and can still be attacked. You can read more about best practice with WordPress plugins here.
5. User Access
Unless you have somebody else to manage everything on your website, you probably have a username and password that give you ‘admin access’ to the site. This allows you to log in to the website dashboard and make changes: you can create blog posts, change the content on pages and update the software.
When you hire people to do work on your website you will need to give them access. This could be a VA who helps to keep content up-to-date, an SEO expert who is optimising your pages to rank better in Google or a developer who keeps things up-to-date and adds extra functionality you need.
If you give people administrator access then they have
- Minimise the number of people who can log in to your website.
- Remove users once they no longer need access.
- Don’t share your login details with service providers. Give them their own access so you can revoke it if you need to.
- Only give people the level of access they need to do their job. Someone who writes and edits content needs the Editor role, not Administrator; reserve Administrator for the few people who genuinely need to install plugins and change settings.
You can read more about the different WordPress user roles and what they can do here.
None of the above security measures are difficult, but if you make sure they are in place then you greatly reduce the risk of getting hacked. And whatever does happen, you have a solid, tested system of backups which will allow you to be back up and running in no time.