Imagine you’re a new small business owner who has just opened a small retail shop on Main Street, USA. Within this shop, you not only have all the widgets and wares you sell, but also a safe full of cash in the office, and computers containing your customers’ sensitive personal and credit card information as well. One night, after an exhausting 12-hour day, you leave the shop and head home, only to realize halfway there that you forgot to lock the door. You race back to the shop and find, to your relief, that no bad guys discovered your error, so you lock up and go home. This story has a happy ending, but it may make you think a bit more about how to make sure your business is safe without having to worry about whether you locked the door every night on the way home. Maybe you’ll invest in security gates or an alarm system, just for the added peace of mind.
If you’re willing to go the extra mile for the safety of your brick-and-mortar business, why wouldn’t you do the same for your online business, into which you’ve likely invested just as much time and expense? Each month, almost 20,000 websites experience malware attacks, and the great majority of those sites run a CMS such as WordPress or Joomla. That is not because these platforms are inherently less safe, but because the people running them tend to assume that the platform’s built-in security features make extra precautions unnecessary. A CMS ships with sensible defaults, but the administrator still chooses the passwords, the plugins, the hosting, and how quickly patches get applied, and those choices, not the core platform, are where most real-world compromises begin. For any online business, this is a dangerous assumption.
In this week’s post, we’ll walk you through nine basic steps that make it far less likely that your site falls victim to malware, crypto-mining scripts, or any other attack that could put your business at risk. None of them guarantees safety on its own; together they close the easy openings that automated attacks look for first.
- Use a strong password. Yep, we’re aware that this one is a no-brainer, but even in 2018 we’re still consistently astonished by the number of people who tell us that they use their birthday, their cat’s name, or even the word “password” as their password. What many don’t realize, apparently, is that attackers use automated password-guessing tools that work through dictionaries, leaked password lists, and the common variations people make (a capital first letter, a year or an “!” tacked on the end) at enormous speed: thousands of guesses per second against a login form, and vastly more against a stolen password database, until one works. The goal is a password that lies outside the space those tools search, and that comes down to length and randomness rather than cleverness. If you’re creating the password yourself, use a random string of at least 12 to 16 characters containing upper and lower case letters, numbers, and special characters (such as !, %, ^, ], ~, etc.). A tool that lands on Fluffy2018 almost immediately will never get to NA2WiR26=7\1w4q. There are free sites, such as Strong Random Password Generator, that can instantly provide strong passwords or, if you use a password manager like Dashlane, it will generate one for you, remember it so you don’t have to, and warn you if you’ve chosen a weak one. Whatever you pick, use it for your WordPress login only; a password reused from another site is only as safe as that site’s worst breach.
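As an added illustration (written for this article, not code from the post or from any of the tools it names), the PHP below generates a password the way a password manager does, drawing from the operating system’s random number generator, and puts rough numbers on the gap between a word-plus-year password and a random one. The word-list size and the number of plausible years used in the estimate are assumptions chosen for the comparison, not figures from the article.

```php
<?php
/**
 * Added example for this article (not from the original post): generate a password
 * the way a manager does, and estimate how much harder it is to guess than a
 * word-plus-year password. Requires PHP 7.1+ for random_int(), which draws from the
 * operating system's CSPRNG; rand(), mt_rand() and shuffle() are NOT suitable.
 */

const LLD_LOWER   = 'abcdefghijklmnopqrstuvwxyz';
const LLD_UPPER   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const LLD_DIGITS  = '0123456789';
const LLD_SPECIAL = '!%^]~@#$&*()-_=+[{};:,.<>?/\\';

/** Generate a random password that contains at least one character of each class. */
function lld_generate_password( int $length = 16 ): string {
	$classes = [ LLD_LOWER, LLD_UPPER, LLD_DIGITS, LLD_SPECIAL ];
	$all     = implode( '', $classes );
	if ( $length < count( $classes ) ) {
		throw new InvalidArgumentException( 'length must be at least ' . count( $classes ) );
	}
	$chars = [];
	// One guaranteed character from each class, then fill the rest from the full set.
	foreach ( $classes as $class ) {
		$chars[] = $class[ random_int( 0, strlen( $class ) - 1 ) ];
	}
	while ( count( $chars ) < $length ) {
		$chars[] = $all[ random_int( 0, strlen( $all ) - 1 ) ];
	}
	// Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters are
	// not always sitting in the first four positions.
	for ( $i = count( $chars ) - 1; $i > 0; $i-- ) {
		$j = random_int( 0, $i );
		[ $chars[ $i ], $chars[ $j ] ] = [ $chars[ $j ], $chars[ $i ] ];
	}
	return implode( '', $chars );
}

/** Bits of entropy for $length characters drawn uniformly from $alphabet_size symbols. */
function lld_entropy_bits( int $alphabet_size, int $length ): float {
	return $length * log( $alphabet_size, 2 );
}

// Compare the search spaces a cracking tool faces. The sizes are rough assumptions:
// "Fluffy2018" is a word from a ~100,000-word list, optionally capitalised, plus a
// four-digit year (~100 plausible years). That is exactly what mangling rules enumerate.
$word_plus_year_bits = log( 100000 * 2 * 100, 2 ); // about 24 bits
// 15 random characters from the 94 printable ASCII symbols, as in the article's example.
$random_bits = lld_entropy_bits( 94, 15 );          // about 98 bits

printf( "Word+year style password: about %.0f bits of guessing work\n", $word_plus_year_bits );
printf( "15 random characters:     about %.0f bits of guessing work\n", $random_bits );
printf( "Example password:         %s\n", lld_generate_password( 16 ) );
```

Every extra bit doubles the attacker’s work, so the roughly 74-bit gap between the two styles is the difference between seconds and longer than the age of the universe on the same hardware. Run it with `php` from the command line; each run prints a different password, as it should.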
- Don’t use “admin” as an administrator username. Many one-click WordPress installers, and older versions of the WordPress installer itself, default to the easy to remember (and easier to guess) username “admin”. Keeping it is wildly insecure: it is the first username every automated login attack tries, so it hands the attacker half of the login for free. The very first thing you should do after a successful install is to log in, go straight to the “Users” panel, and create a new administrative user with a unique, hard to guess username. Then log in with the new username and delete the original “admin” user. When WordPress asks what to do with that user’s content, choose to attribute it to your new user rather than delete it, or any posts and pages the old account created disappear along with it. When choosing your new username, try not to use your first name or your first and last name, since that information can often be obtained from public domain registration records, or even from pages on your site itself. That said, you’ll probably want a username you can remember, so a reasonable approach is to use an email address as your login, preferably one that is not associated with your business. Keep in mind that a username is not a secret in the way a password is: WordPress reveals account names through author archive pages and its REST API, so this step mainly defeats lazy attacks, and the strong password and a login lockout (see below) do the real work.
- Perform frequent and regular backups of your site. Backups don’t stop an attack, but they are the one thing that turns a compromised or wiped site from a disaster into an inconvenience. If you do experience an attack that brings down your site, you can get things back up and running from a known-good copy, sometimes with a simple click of a button. While there are several free and paid backup plugins you can use, such as XCloner and BlogVault, the one we recommend here at LLD is UpdraftPlus. Not only does UpdraftPlus make manual and scheduled full-site backups a snap, you also get granular control over which site components get backed up and when. For example, you can choose to have absolutely everything, including the WordPress core, backed up, or any combination of core, database, uploads, plugins, themes, etc. As an added bonus, UpdraftPlus can send your backups to any of around 15 remote destinations, including FTP, Dropbox, AWS, Google Drive, Backblaze, and many others. Use one of them: a backup that lives only on the same server as the site is lost along with the site, and an attacker who reaches the server can delete or poison it. Keep several generations so you can go back to a copy from before an infection started, and try an actual restore at least once so you know the procedure works before you need it.
- Delete any unused plugins and themes. One of the most common ways sites get infected is through security holes in plugins or themes, particularly ones that haven’t been updated to fix newly discovered flaws. This is an easy thing to monitor and remedy. First, check your plugins regularly and perform any updates that are needed (WordPress flags any plugins that need an update). If there are plugins that you have disabled and/or haven’t used in a while, delete them, using the “Delete” link located under the name of the plugin. Deactivating is not enough: a deactivated plugin’s files are still on the server and can still be requested directly by URL, so a flaw in a file that runs outside WordPress is still exploitable. Even if a plugin is currently enabled, assess whether it’s something you actually need and use and, if not, disable it and then delete it. You should also check the date the plugin was last updated by the developer (click the “Details” link under the name of the plugin) and if it hasn’t been updated in two years or more, replace it. Plugins that aren’t updated are likely to have been abandoned by the developer, and may be full of unpatched security holes. After you’ve finished cleaning up your plugins, head over to your themes (found under “Appearance => Themes” in the left menu) and do the same. WordPress comes with several themes pre-installed and they pose the same security risks as plugins if not regularly updated. Delete the ones you aren’t using, but keep one current default theme alongside your active theme: WordPress falls back to it if your active theme breaks, which makes troubleshooting far easier.
- Enable SSL. These days, it’s practically a requirement that a site, any site, serves its pages over HTTPS using what is still commonly called an SSL certificate (the protocol actually in use today is TLS; SSL itself is obsolete, but the name stuck). What this does is encrypt everything transferred between your site and a user’s browser, so that anyone on the network path, on a coffee-shop Wi-Fi for instance, can’t read or tamper with logins, form submissions, or your own admin sessions. Certificates used to be expensive, but now you can get one inexpensively or even for free. Most hosting companies worth their salt offer Let’s Encrypt, a free, automated certificate authority whose certificates work just as well as anything you’d pay for; they are valid for 90 days at a time, so make sure your host renews them automatically. Installing the certificate is half the job: also change the WordPress Address and Site Address under Settings => General to https://, and redirect all plain-HTTP requests to HTTPS so visitors and search engines never land on the unencrypted version. An added benefit is that Google treats HTTPS as a ranking signal, and Chrome now labels plain HTTP pages “Not secure”, so the change helps both your search ranking and your visitors’ trust.
- Install a security plugin. This is one of the easiest and most effective ways to manage your site’s security all in one place. There are myriad plugin options to choose from and many are excellent, but the one we at LLD use on our clients’ sites is Wordfence. Its feature set is simply outstanding. There are paid and free versions, but even the free version gives you a web application firewall that filters malicious requests before they reach WordPress, brute force protection that locks out repeated failed logins, regular scans of your core, plugin and theme files that detect malware and known vulnerabilities, and blocking of addresses that behave like attackers, among many other features. (What the paid version mainly adds is firewall rules, malware signatures and blocklist feeds delivered in real time rather than with a delay.) Wordfence will even email you when your plugins or themes need an update so you don’t have to check manually every day. Of course, Wordfence is not without competitors, so other options you may wish to look into, both plugins and hosted services, include Sucuri, Cloudflare, and SiteLock.
- Consider using Managed WordPress Hosting. Most small businesses, when they first start out, tend to go with a shared hosting plan, mainly because it is very cheap. The problem with shared hosting is that you’re literally sharing one server with dozens or hundreds of other websites. On a well-run host each account is isolated from the others, but on a poorly configured one a compromised neighbour can read or write files belonging to other accounts, so your site’s security partly depends on strangers keeping up with theirs. Managed WordPress hosts, on the other hand, isolate your site from others, apply server-level hardening, keep WordPress core patched, usually run a firewall in front of your site, and monitor all of it so you don’t have to. Is this more expensive than shared hosting? Of course, but not prohibitively so. WP Engine, one of the most popular managed hosting services, has plans starting as low as $35 per month.
- Disable file editing. This tactic is just a wee bit more complicated than the others, but not exceedingly so if you’re comfortable with SFTP and making a simple edit to a text file, and it’s well worth it from a security standpoint. WordPress, by default, includes an editor in the admin area (under Appearance => Editor and Plugins => Editor) with which you can edit the PHP files of your themes and plugins right in the browser. This is convenient for sure, but it’s also a serious liability: anyone who gets into your admin area, whether by guessing a password or by hijacking a logged-in session, can use that editor to write their own PHP into your site, which turns a stolen login into full control of the server. The good news is that a one-line setting turns the editor off. To do so, log in to your server via SFTP (plain FTP sends your password unencrypted, so avoid it if your host offers an alternative) and locate the ‘wp-config.php’ file at the root level of your WordPress installation. Open it, either by downloading it to your desktop or by editing it directly on the server, which many FTP clients allow you to do, and add one simple line of text. Put it above the comment that reads “That’s all, stop editing!” rather than at the very bottom: the last line of wp-config.php loads WordPress itself, and any setting placed after it is ignored.
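The line in question is WordPress’s DISALLOW_FILE_EDIT constant. The excerpt below is an illustration added here, not a snippet from the original post: the lines around the constant stand in for the end of a typical wp-config.php so the placement is clear, and the two extra constants are optional additions flagged in the comments (FORCE_SSL_ADMIN belongs with the SSL step earlier in this list; DISALLOW_FILE_MODS is a stricter cousin of the setting described in this step).

```php
<?php
// Tail end of wp-config.php (illustrative; the database settings and salts that
// sit above this point are omitted, and nothing here is a real site's configuration).

// This step: remove the theme and plugin editors from the dashboard, so someone
// who gets hold of an admin session cannot write PHP to the server from the browser.
define( 'DISALLOW_FILE_EDIT', true );

// Optional, stricter variant: also block installing, updating and deleting plugins
// and themes from the dashboard. Only enable it if you apply updates another way
// (SFTP, WP-CLI, your host), because it hides the dashboard's update functions too.
// define( 'DISALLOW_FILE_MODS', true );

// Belongs with the SSL step: once a certificate is in place, force the login page
// and the whole admin area to be served over HTTPS only.
define( 'FORCE_SSL_ADMIN', true );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. Anything defined BELOW this line
 *  is too late: WordPress has already loaded and will not see it. */
require_once ABSPATH . 'wp-settings.php';
```

To confirm it took effect, log in again after uploading: the Editor entries under Appearance and Plugins should have vanished from the menu. If you also enable DISALLOW_FILE_MODS, remember that the dashboard will stop offering updates, so you must keep core, plugins and themes patched by other means.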
Then save the file and, if you’ve downloaded it to your desktop, re-upload it to your server, overwriting the old one. Reload your dashboard: the Editor entries under Appearance and Plugins should be gone. Easy, right?
- Consider installing additional security plugins. While we don’t normally recommend loading up your WordPress installation with too many plugins, which can slow down your site (and, as noted above, every plugin is more code that can carry a vulnerability), there may be one or two additional plugins you may wish to install that add still more layers of protection. Here are three you might want to take a look at:
- WP Security Questions – This plugin requires users to set security questions (e.g. ‘What was your first pet’s middle name in high school?’) that they must answer when registering, logging in, or resetting their password. Treat the answers as second passwords: truthful answers (a mother’s maiden name, a first school) are often findable on social media, so invent random answers and keep them in your password manager.
- Inactive Logout – This handy tool logs users out after a given period of inactivity, so that an unattended, still-logged-in browser doesn’t give whoever sits down next access to the admin area or sensitive material. This is especially important if you work in an office, co-working space, coffee shop, or any other environment where others are present.
- Login LockDown – One of the defining characteristics of a brute force attack is that the perpetrator keeps trying to log in, over and over again, until they succeed. Login LockDown bars further attempts after a certain number of failures from a particular IP address or range, for a period you configure. Two caveats: an attacker with many addresses (a botnet) is slowed rather than stopped, and users who share one address, such as an office behind a single router, can be locked out together if one of them mistypes a password. It is still one of the cheapest defences available, and this feature comes bundled with Wordfence as well.
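To show the mechanism that Login LockDown and Wordfence’s brute force protection are built on, here is an added example written for this article (it is not either plugin’s source code): a must-use plugin that counts failed logins per client address in a WordPress transient and refuses further attempts once the limit is reached. The limit, the window length, the function and constant names, and the assumption that REMOTE_ADDR is the real client address are choices made here, not details from the article; behind a CDN or reverse proxy you would read the trusted forwarded-address header your provider sets instead.

```php
<?php
/**
 * Plugin Name: Example failed-login lockout
 * Description: Temporarily refuses logins from an address after repeated failures.
 *
 * Illustrative code added for this article; not the source of Login LockDown or
 * Wordfence. Save it as wp-content/mu-plugins/login-lockout.php (must-use plugins
 * load automatically, no activation needed). Policy assumed here, not taken from
 * the article: 5 failures lock an address out for 15 minutes, and the 15-minute
 * window restarts on every failure, so a bot that keeps hammering stays locked out.
 */

define( 'LLD_LOCKOUT_MAX_ATTEMPTS', 5 );
define( 'LLD_LOCKOUT_WINDOW', 15 * 60 ); // seconds

/**
 * Address that failures are counted against.
 *
 * Assumption: the web server sees the real client address. Behind a CDN or
 * reverse proxy REMOTE_ADDR is the proxy, so substitute the forwarded-address
 * header your provider guarantees is trustworthy. Never read X-Forwarded-For
 * blindly: a client can set it and thereby lock out any address it names.
 */
function lld_lockout_client_ip() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

/** Transient name for an address (hashed, because transient names have a length limit). */
function lld_lockout_key( $ip ) {
	return 'lld_lockout_' . md5( $ip );
}

/** Failures recorded for an address inside the current window. */
function lld_lockout_attempts( $ip ) {
	return (int) get_transient( lld_lockout_key( $ip ) );
}

// 1. Count every failed login. WordPress fires this action from wp_authenticate(),
//    which both wp-login.php and XML-RPC go through, so both paths are covered.
add_action( 'wp_login_failed', function ( $username ) {
	$ip = lld_lockout_client_ip();
	set_transient( lld_lockout_key( $ip ), lld_lockout_attempts( $ip ) + 1, LLD_LOCKOUT_WINDOW );
} );

// 2. Once the limit is reached, replace whatever authentication decided with an error.
//    Priority 30 runs after WordPress's own username/password check at priority 20;
//    an earlier priority would let that check override the lockout on a correct password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( lld_lockout_attempts( lld_lockout_client_ip() ) >= LLD_LOCKOUT_MAX_ATTEMPTS ) {
		return new WP_Error(
			'lld_locked_out',
			sprintf( 'Too many failed login attempts. Try again in %d minutes.', LLD_LOCKOUT_WINDOW / 60 )
		);
	}
	return $user;
}, 30, 3 );

// 3. A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
	delete_transient( lld_lockout_key( lld_lockout_client_ip() ) );
}, 10, 2 );
```

To check it, enter a wrong password five times and then the right one: the sixth attempt fails with the lockout message until the window expires (attempts made while locked out also count, which is what keeps a persistent bot out). The maintained plugins add per-username counters, an allowlist for your own address, notification emails and a way to unblock yourself, which is why the article recommends one of them over rolling your own.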
If you go through this list and follow each step, your site will be far safer than it was when you started. Think of it as installing that security gate on your shop with a pair of heavy duty police locks. You want all your assets, both physical and virtual, to be as secure as possible. Keep in mind, however, that no system is perfect and new threats emerge every day, so the most effective defense against attack is your own vigilance. Keep WordPress core, plugins and themes updated as patches come out, monitor your site as often as you can, and keep yourself in the know about any new risks that could affect your site. The Wordfence blog is a great resource for this.
If you need help with setting up or managing your site’s security protocols, LLD is there for you. Contact us for a free consultation, and we’ll get your site locked down in no time.