I’d like you to think about your house or unit for a moment.
Your house or unit has doors on the outside, and each outside door has a lock on it. Having doors with locks and shutting and locking the door when you go out is the bare minimum most people now do for the security of their home.
It used to be that you could leave your house unlocked, with doors and windows open when you went out, but now if you do that, you are asking for things to get pinched.
It’s the same with websites. Your website is your online home, and there are seven easy things you can do which are the same as shutting the windows and locking the doors on your website to increase security.
If you don’t do these things, you are relying on the thoughts and prayers strategy (and we all know how effective thoughts and prayers are.)
1. Delete Themes And Plugins You Are Not Actively Using
In the real world, we take good care of all the keys to the front door of our home. We restrict how many copies are made, and we know who has a key at any given time.
Your online world also has an online front door and virtual keys.
A typical small business website is made up of WordPress, the theme that gives your site its look and feel, and plugins that give your site extra functionality. Every theme and plugin on your site is a key to your online front door. How many keys have you handed out? Do you know who has the keys to your online door?
Many small businesses leave the sorting out of themes and plugins to their web designer, and never take a look at what is installed on their website. That’s great if you have a tidy web designer who only keeps what they are actively using, but many web designers leave a digital mess behind, including a lot of stuff that is not in use.
Other small businesses like to tweak their website and continuously add new plugins to test out what they do – and then leave them installed even if they are not using them.
Each theme and each plugin you leave attached to your website is a key to your online front door.
Most small business websites have an active theme and a child theme. They also have a default backup theme in case of disaster (WordPress 2019 is a good one). The problem comes when sites have test themes as well as a stack of old WordPress themes installed. Each one is another key out with some random company, and each key increases your vulnerability.
Plugins are another area of digital proliferation on most small business websites. Most sites need plugins to help with SEO, security and other functionality. However, every plugin is another key to your online front door.
One problem occurs when plugin developers abandon their plugin for different reasons, and the ancient code over time creates security gaps.
Plugins also can get pulled from the WordPress repository for breaching guidelines or being insecure. It is also not unheard of for plugins to be bought up by crime gangs, who deliberately add in backdoors to websites.
Every theme and plugin on your website is a key to your online house.
If you are not using a theme or plugin – delete it.
If a plugin is abandoned – delete it.
If a plugin is no longer in the repository – delete it.
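One way to find the unused keys, as an added example that is not part of the article: this WP-CLI script lists every installed theme and plugin the site is not using and deletes them when you ask it to. It assumes WP-CLI is installed, that it runs from the WordPress root, and that `twentynineteen` is the one fallback default theme you want to keep; `FALLBACK_THEME` and `APPLY` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not the article's code): prune inactive themes and plugins with
# WP-CLI. The active theme, its parent (if any) and one fallback default theme are
# kept. Nothing is deleted unless APPLY=1 is set in the environment.
set -eu

FALLBACK_THEME="${FALLBACK_THEME:-twentynineteen}"   # assumed fallback theme slug

# prune_list KEEP CANDIDATES: print each candidate slug that is not in KEEP.
# Both arguments are whitespace-separated lists. Kept as a pure function so the
# selection logic can be checked without a live site.
prune_list() {
  keep=" $1 "
  for item in $2; do
    case "$keep" in
      *" $item "*) ;;                 # protected: active, parent or fallback theme
      *) printf '%s\n' "$item" ;;
    esac
  done
}

if command -v wp >/dev/null 2>&1; then
  active=$(wp theme list --status=active --field=name)
  parent=$(wp theme list --status=parent --field=name || true)
  inactive_themes=$(wp theme list --status=inactive --field=name)
  inactive_plugins=$(wp plugin list --status=inactive --field=name)

  for t in $(prune_list "$active $parent $FALLBACK_THEME" "$inactive_themes"); do
    echo "theme '$t' is installed but not used"
    if [ "${APPLY:-0}" = 1 ]; then wp theme delete "$t"; fi
  done
  for p in $inactive_plugins; do
    echo "plugin '$p' is installed but inactive"
    if [ "${APPLY:-0}" = 1 ]; then wp plugin delete "$p"; fi
  done
fi
```

Run it once without `APPLY=1` to see the report, then again with `APPLY=1` after a fresh backup.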
2. Use Complex Usernames and Passwords
With your website, the usernames you use to log into the back end of your website are also keys to your front door.
With WordPress, the default username is admin. If you have admin as your username, you have the same key as millions of other sites.
Having admin as your username is as secure as a kid’s lockable diary. All the hacker needs to do is break your password.
If you use a weak password (like “password”) or the name of the site, or even if you reuse passwords and your details have been leaked online somewhere (check out haveIbeenpwned to see if your details are already out there), then the password part is not an issue.
There are sites that tell you how long it takes to crack a password. Admin with one of the leaks or any of the top 100 passwords takes 0 seconds.
Using your child’s first name and their date of birth – 46.8 seconds.
But there are other common usernames: test, administrator, the name of the website (with or without the .com), manager. If you use any of these, hackers have you in their sights.
Replace all admin, test, administrator, the name of the website (with or without the .com), and manager usernames with more secure usernames. (Here’s a guide on how to change your admin username on your website)
Passwords should be 16 characters long with four pieces of complexity – upper and lower case, numbers and symbols (it is much harder to break) and be unique to the site. https://passwordsgenerator.net/
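To check a site against the two rules above, here is an added example (not from the article): a WP-CLI audit that flags every login name on the page's guessable list, including the site's own name with or without its domain ending, and a helper that applies the 16-character, four-class password rule. It assumes WP-CLI is installed and runs from the WordPress root; the function names are chosen for this example.

```shell
#!/bin/sh
# Added example (not the article's code): audit WordPress usernames and test a
# password against the policy described above.
set -eu

# weak_username DOMAIN NAME: succeed (exit 0) when NAME is one of the guessable
# logins: admin, test, administrator, manager, or the site name with or without
# its domain ending. Comparison is case-insensitive and ignores a leading "www.".
weak_username() {
  domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/^www\.//')
  name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  bare=${domain%%.*}                  # "example.com.au" -> "example"
  case "$name" in
    admin|test|administrator|manager|"$domain"|"$bare") return 0 ;;
  esac
  return 1
}

# password_ok PASSWORD: succeed only for 16+ characters containing upper case,
# lower case, a digit and a symbol. Uniqueness per site cannot be checked here.
password_ok() {
  pw=$1
  [ "${#pw}" -ge 16 ] || return 1
  for class in '[:upper:]' '[:lower:]' '[:digit:]' '[:punct:]'; do
    printf '%s' "$pw" | grep -q "[$class]" || return 1
  done
  return 0
}

if command -v wp >/dev/null 2>&1; then
  site=$(wp option get siteurl | sed -e 's|^https://||' -e 's|^http://||' -e 's|/.*||')
  wp user list --field=user_login | while read -r login; do
    if weak_username "$site" "$login"; then
      echo "WARNING: user '$login' is a guessable login name; rename it"
    fi
  done
fi
```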
3. Keep WordPress/Themes/Plugins Up To Date
Out-of-date WordPress core, plugins and themes are the number one source of hacks into a website.
36.7% of sites Sitelock clears were running old versions of WordPress.
61% of sites Wordfence clears were running old themes or plugins.
Website maintenance used to be a once a month duck in, click a few buttons and duck out again. These days weekly is closer to what you need, as many of the updates contain security patches for vulnerabilities that are being exploited in the wild.
For my client sites on maintenance plans, I run updates once or twice a week, spinning the site out into testing sites if the change is a major one and I want to make sure that the update won’t break something.
Website maintenance is undoubtedly something you can learn to DIY, but it is easier to outsource it to someone who knows what they are doing.
4. Turn Off Trackbacks And Pingbacks
Trackbacks and pingbacks are historical ego artefacts where you got a ping whenever someone shared your post on their blog.
Unfortunately, now the ego stroke is overrun by comment spam, and these pings and trackbacks can be used against your site as part of a DDoS attack. Turn off all trackbacks and pingbacks to reduce the DDoS risk to your site.
Go to Settings > Discussion and uncheck the boxes “Attempt to notify any blogs linked to from the article” and “Allow link notifications from other blogs (pingbacks and trackbacks) on new articles”.
While you are at it, turn off all comments after about 90 days. Most old comments are merely spam comments or trying to get around the “must have a previously approved comment” moderation rule.
As an aside, we are seeing more and more websites stop allowing any comments as a risk management strategy. Website owners don’t have the time to moderate discussions or keep pruning out self-serving or spammy comments, so many have decided to fully turn off any commenting on their websites.
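The same Discussion settings can be audited and fixed from the command line. As an added example (not from the article), this WP-CLI script reads the four options behind the checkboxes above, reports any that are still open, and with `APPLY=1` sets them to the hardened values (pings off, link notifications closed, comments closed after 90 days). It assumes WP-CLI is installed and runs from the WordPress root.

```shell
#!/bin/sh
# Added example (not the article's code): check and harden the WordPress
# Discussion settings for pingbacks, trackbacks and old-post comments.
set -eu

# discussion_findings PINGBACK_FLAG PING_STATUS CLOSE_OLD DAYS_OLD
# Print one line per setting that still exposes the site; print nothing when all
# four already match the hardened values.
discussion_findings() {
  [ "$1" = "1" ]    && echo "default_pingback_flag=1: site sends a ping for every link (set to 0)"
  [ "$2" = "open" ] && echo "default_ping_status=open: site accepts pingbacks/trackbacks (set to closed)"
  [ "$3" != "1" ]   && echo "close_comments_for_old_posts=$3: comments never close (set to 1)"
  [ "$3" = "1" ] && [ "${4:-0}" -gt 90 ] && echo "close_comments_days_old=$4: longer than 90 days (set to 90)"
  return 0
}

if command -v wp >/dev/null 2>&1; then
  findings=$(discussion_findings \
    "$(wp option get default_pingback_flag)" \
    "$(wp option get default_ping_status)" \
    "$(wp option get close_comments_for_old_posts)" \
    "$(wp option get close_comments_days_old)")
  if [ -z "$findings" ]; then
    echo "Discussion settings are already hardened"
  else
    printf '%s\n' "$findings"
    if [ "${APPLY:-0}" = 1 ]; then
      wp option update default_pingback_flag 0          # stop notifying linked blogs
      wp option update default_ping_status closed       # refuse pingbacks/trackbacks
      wp option update close_comments_for_old_posts 1   # close comments on old posts
      wp option update close_comments_days_old 90       # ... after 90 days
    fi
  fi
fi
```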
5. Use Quality Website Hosting
Investing in good quality hosting is vital to website security: hosting that is fast, with 24/7 support that gets answered promptly, servers that are updated regularly, and servers located near where your customers are.
Small shared web hosts increase your risk as often they don’t keep their servers patched with the latest updates and are not accessible or responsive out of hours.
Some larger hosts have problems with trying to squish too many people on a server, which can cause outages, or with not adequately fencing off different clients, which means sites across the server are vulnerable to bad neighbours. Cheap hosting is often very very nasty.
I recommend quality hosting providers such as VentraIP, Panthur, Zuver, Kinsta, WP Engine, Siteground and Flywheel.
6. Run The Latest Stable Version Of PHP On Your Hosting
Your WordPress website is powered by a code language called PHP. The only current versions of PHP that are supported and which have security patches applied are 7.1, 7.2 and 7.3 – and 7.1 hits end of life on 1 December 2019.
74.7% of all WordPress websites are running on unsupported versions of PHP or 7.1.
Later versions of PHP are more secure than earlier versions – they also make your site run faster. You can update your PHP version from your hosting panel or talk with your web host to help you if you are not sure how to do it and get the extra security and speed boost.
7. Backup, Backup And Then Backup Some More
Your website is only as good as your backups.
Good quality hosting includes at least a fortnight’s worth of backups as part of the package, with no cost to restore a backup. If your hosting doesn’t include that – then change hosts!
But you can’t just rely on your hosting backups as clients on one A2 server found out this year when the server was hit with ransomware which also took out all their site backups with it.
You need to have your own backups which are stored offsite as an extra precaution.
I use UpdraftPlus as my backup solution, with all backups stored in Dropbox or Google Drive where you can recover deleted files if accidentally (or deliberately) deleted. Don’t store your backups in UpdraftVault or another storage solution where once a file is deleted it is gone forever (speaking from hard-won experience here).
If you use the premium version of UpdraftPlus, you can set a password to add another layer of protection against your backups being deleted. Yes, a determined hacker will get around this password, but password protecting the plugin settings stops opportunistic hackers from deleting stuff.
How many backups do you need? I keep at least a month of full weekly backups and at least 30 daily database backups for member/e-commerce sites.
If you have a small business website, then website security is part of the equation. Even the most modest small business website gets 62 hack attempts a day, so it pays to be security conscious.
A good web designer will help you set up or teach you these essential security steps, and then talk you through or set up more complex security options that are available (a bit like adding in burglar alarms and visitor screening to your home).
If you are not sure whether your small business website is as secure as it could be, drop us a line and we will run a security audit for you and help crank up your website security.