There’s nothing worse than getting that email from a customer, just letting you know that your website looks a bit weird. Is that Russian on your website? Maybe it’s been hacked?
And you realise you’ve been spending hundreds on ads to send people to your hacked website…
How many days was it hacked before someone told you?
Of course, it happens on the weekend, so you have a mad scramble to get a response from a developer to fix it up, and to restore your website from a backup copy from… 3 months ago? Was that really the most recent one?
It’s a stressful (and often expensive) nightmare scenario I’ve had to rescue people from a few times over the years.
There is an ever-growing list of threats to your business website. Each month, more and more new malware is released onto the internet, created by nefarious people trying new ways to spread their message, dupe people into scams, earn crypto, or whatever else they do.
And because of the ever-changing nature of the internet and software (and the occasional carelessness or neglect of a software developer), there are always new opportunities for these threats to exploit. New holes appear in the armour all the time.
So security is an ongoing process, not a one-and-done kind of job.
WordPress is not necessarily less secure than other platforms.
No website is secure, and no security measures are 100% effective.
But, WordPress websites do take a bit more work to maintain high security than some other options, because the greatest strength of WordPress is also its biggest weakness.
It is the most popular website platform and it is open source. So it is infinitely customisable and there are hundreds of WordPress developers and bits of software add-ons.
But that means there are regularly new vulnerabilities to exploit, and it is a very nice big target for someone creating malware.
But if you strengthen these 7 key areas of WordPress website security, you will avoid the nightmare scenario I outlined earlier!
One way for malware infections to enter your website is via the hosting platform.
Avoid older cPanel setups running old versions of PHP. Newer Cloud hosting platforms are more secure.
Cheap shared hosting environments allow opportunities for an infection to spread from someone else's badly maintained website onto yours.
As a rule, cheap hosting is usually less secure, because a big part of the cost of hosting is in updating and maintaining the infrastructure and keeping it secure.
But you also need to keep your hosting account details secure, with long passwords that you don’t share. And be very careful who you give access to.
Keeping your login details secure is the first line of defence. Use a long password and mix up the characters, but the key is to have 12 characters or more.
Use a good password manager (like LastPass); don’t save passwords on your computer or somewhere they could be found.
Set up other people with their own accounts rather than sharing your password, and if you do have to share a password, use a one-time secure link.
Remove admin users that no longer need access to your website.
Change the login address on your website from /wp-login to something different, to reduce automated login attacks.
Use a child theme so that you can always update your Theme to the latest version.
Stay up to date with the latest version of WordPress.
Load everything via HTTPS and set up security headers on your website; they stop some attacks from being able to make use of your site even if an attacker does get in (this also helps your SEO).
Update plugins and themes to the latest version at least once per month. Install security updates and vulnerability patches as soon as they are released.
Updating everything more frequently creates extra work and more opportunities for conflicts and display issues, but leaving it longer than a month starts to become less secure.
You can use a firewall at the DNS level, and that creates a good barrier, but it hurts your page speed a bit.
Wordfence is a solid solution: it’s free and widely used, so they have a great database to identify threats.
Sucuri is a great solution, but the firewall is a premium feature.
MalCare is another solid solution, not as popular, but the firewall is free.
We use all 3 services for our clients.
Whichever security plugin or service you use should have a malware scanning function that you can set to scan the website regularly for malicious files. It is worth using 2 different scanners, as some pick up things that others don’t.
It is also worth manually running these scans each month when doing security maintenance, to confirm that they are actually being done and to act on vulnerabilities quickly.
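To show what a scanner is doing underneath, here is an added example (not code from the original post or from any of the plugins named above): a file-integrity baseline that records a hash of every file in the WordPress directory and reports anything added, removed or modified since. It assumes a POSIX shell and GNU coreutils on Linux; the `demo` function and its fake site tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: a minimal file-integrity
# check of the kind a malware scanner performs. It records a SHA-256 baseline
# of a WordPress directory and later reports files added, removed or modified
# since. Assumes a POSIX shell and GNU coreutils (sha256sum, find, xargs,
# sort, comm, cut, sed) on Linux.
export LC_ALL=C   # byte-order sorting so comm(1) sees consistently sorted input

# build_baseline SITE_DIR MANIFEST: write one "<sha256>  <path>" line per file.
build_baseline() {
    ( cd "$1" && find . -type f -print0 | xargs -0 -r sha256sum ) | sort > "$2"
}

# scan_changes SITE_DIR MANIFEST: print "ADDED|REMOVED|MODIFIED <path>" lines.
# Returns 0 when the tree still matches the baseline, 1 when anything differs.
scan_changes() {
    site_dir=$1; manifest=$2
    current=$(mktemp); gone=$(mktemp); fresh=$(mktemp); report=$(mktemp)
    build_baseline "$site_dir" "$current"
    # The hash field is 64 hex chars plus two spaces, so the path starts at column 67.
    # Lines only in the baseline: the file was removed or its content changed.
    comm -23 "$manifest" "$current" | cut -c67- | sort > "$gone"
    # Lines only in the current listing: the file is new or its content changed.
    comm -13 "$manifest" "$current" | cut -c67- | sort > "$fresh"
    {
        comm -12 "$gone" "$fresh" | sed 's/^/MODIFIED /'   # same path, new hash
        comm -23 "$gone" "$fresh" | sed 's/^/REMOVED /'
        comm -13 "$gone" "$fresh" | sed 's/^/ADDED /'
    } > "$report"
    cat "$report"
    rc=0; [ -s "$report" ] && rc=1    # a non-empty report means the tree drifted
    rm -f "$current" "$gone" "$fresh" "$report"
    return $rc
}

# Constructed demo: a fake site tree, a baseline, then an injected PHP file and
# a tampered core file, which is exactly what a scheduled scan should flag.
demo() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-includes"
    echo '<?php // original' > "$site/wp-includes/functions.php"
    build_baseline "$site" "$site.manifest"
    echo '<?php // injected' > "$site/wp-includes/x.php"
    echo '<?php // tampered' > "$site/wp-includes/functions.php"
    scan_changes "$site" "$site.manifest" || echo "changes detected, review the list above"
    rm -rf "$site" "$site.manifest"
}
```

Store the manifest outside the web root and regenerate it right after each deliberate update, otherwise every legitimate plugin update shows up as a MODIFIED finding.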
Backups should be taken regularly, and you should have several layers of redundant backups.
Daily backups should be taken at the server level and stored in an off-site location.
We take incremental backups (backing up the changed files immediately after each change), but at a minimum, weekly WordPress backups should be taken.
For good measure, we take a monthly full backup of the site and store it in separate cloud hosting, so if everything else goes wrong, we have a fall-back position.
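The tiered scheme above (daily, weekly and monthly copies with separate retention), as an added example that is not the author's own tooling: each tier gets its own directory, every archive is listed back and checksummed before it counts as a backup, and older copies are pruned. It assumes a POSIX shell with GNU tar, date and sha256sum; `DB_DUMP_CMD` is an assumed hook for whatever command produces your database dump.

```shell
#!/bin/sh
# Added example, not code from the original post: a tiered backup-and-rotate
# routine for the layers described above (daily, weekly, monthly), each tier
# kept in its own directory with its own retention. Assumes a POSIX shell and
# GNU tar, date and sha256sum on Linux. DB_DUMP_CMD is an assumed hook: a
# command that writes the database dump to stdout (for example a mysqldump
# invocation); when it is unset only the files are archived.

# backup_tier SITE_DIR DEST_ROOT TIER KEEP
#   Archives SITE_DIR (plus the DB dump when DB_DUMP_CMD is set) into
#   DEST_ROOT/TIER/, verifies the archive, records its SHA-256, prunes to the
#   newest KEEP copies and prints the archive path.
backup_tier() {
    site_dir=$1; dest="$2/$3"; tier=$3; keep=$4
    stamp=$(date +%Y%m%dT%H%M%S.%N)   # nanoseconds keep rapid runs distinct
    archive="$dest/$tier-$stamp.tar.gz"
    mkdir -p "$dest"
    stage=$(mktemp -d)
    cp -a "$site_dir" "$stage/files"
    if [ -n "${DB_DUMP_CMD:-}" ]; then
        sh -c "$DB_DUMP_CMD" > "$stage/database.sql" || { rm -rf "$stage"; return 1; }
    fi
    tar -czf "$archive" -C "$stage" . || { rm -rf "$stage"; return 1; }
    rm -rf "$stage"
    # A backup that cannot be listed cannot be restored: verify before trusting it.
    tar -tzf "$archive" > /dev/null || { rm -f "$archive"; return 1; }
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    # Retention: names sort chronologically, so everything past the newest KEEP
    # entries in reverse order is old enough to drop, along with its checksum.
    ls -1 "$dest"/*.tar.gz | sort -r | tail -n +"$((keep + 1))" | while IFS= read -r old; do
        rm -f "$old" "$old.sha256"
    done
    echo "$archive"
}

# verify_backup ARCHIVE: re-check the recorded checksum (do this before a restore).
verify_backup() {
    ( cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256" )
}

# count_backups DEST_ROOT TIER: number of archives currently retained for a tier.
count_backups() {
    [ -d "$1/$2" ] || { echo 0; return; }
    find "$1/$2" -name '*.tar.gz' | wc -l
}
```

Run it from cron with, for instance, `daily 7`, `weekly 4` and `monthly 12`, and point the monthly tier's DEST_ROOT at the separate cloud storage the post describes, so that losing the server does not also lose the backups.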
Having a security team on hand, with a range of website monitoring in place can help you identify threats, vulnerabilities or infections on your website quickly and allow you to fix the problem before anyone notices.
Subscribe to the notifications from the security plugins to get alerted when new vulnerabilities are found and announced, so that you can install the patch as soon as it is released.
If you want us to implement all of these security measures for you and make sure your website stays secure, you can sign up here - WordPress Security Support
You can stay on your existing hosting, or move over to our managed servers, whichever works best for you.