How secure is your business website?
Most website owners don’t consider website security as a priority until they get hacked.
You may be wondering “why would anyone want to attack my website?”, especially if you have a low-traffic website. However, the vast majority of hackers are not looking to steal your data or delete important files. What they want is to use your server to send spam emails. This can slow down your website significantly or even disable it.
Website security is like having an alarm system in your home. You get it because you are interested in protecting your investment. It needs to work and you’re willing to pay a little more for that peace of mind. But how do we know if our website is secure?
The answer is not always black and white, and just about every hosting company will brag about the security of their servers. It’s important to note that even the biggest brands get hacked from time to time. We have all heard the stories about big box stores like Target or Home Depot that had personal data stolen, followed by massive lawsuits. Even social media giant LinkedIn confirmed that some users’ passwords were hacked, which resulted in Facebook founder Mark Zuckerberg’s Twitter and Pinterest accounts also being hacked because he used the same password on all three. Not to get off-topic, but the security of your password can also result in your website getting hacked.
Side note: Try this nifty little tool to see if your email has ever been compromised: https://haveibeenpwned.com/
WordPress is by far the most popular web publishing platform on the Internet and a favorite among web publishers and agencies. Unfortunately, that makes the tool a target for hackers and spammers. Out-of-the-box WordPress is terribly vulnerable to attacks, but thankfully 99.99% of these attacks can be prevented by simply addressing the known security issues. Sadly, according to WP White Security, more than 70% of WordPress installations are vulnerable to attacks.
Tip #1 Choose a reputable web agency
Although smaller websites tend to fly under the radar, there are attacks on those servers 24/7 that you will never hear about. While most of these attacks are prevented, the occasional server is breached. Hackers will often install malicious software (aka malware) or use a website as a means for propaganda. Often, you may not even know there is a breach until you see a message like this:
and financial strain for the business and service provider alike. Without sounding all doom and gloom, there are ways you can prevent most types of website attacks.
In a 2014 article, WP White Security reported the following statistics about hacked websites:
- 41% were hacked through a security vulnerability on their hosting platform
- 29% were hacked via a security issue in the WordPress Theme they were using
- 22% were hacked via a security issue in the WordPress Plugins they were using
- 8% were hacked because they had a weak password
51% of those attacks were made through a WordPress theme or plugin, which means that even though the owners may have had a reliable hosting provider, WordPress was the Achilles heel. Hackers always find a way in through the path of least resistance.
Tip #3 Ask your website agency how they handle security, especially when using WordPress
It’s important to note the difference between server security and application security. A web hosting company will secure their servers but not necessarily your web application (e.g. WordPress). Because these are two different things, as seen in the previous statistics, it’s important to find out if your application’s security is also covered under your agreement.
While there are no silver bullet solutions, here are some key considerations to discuss with your web professional:
- Have a Service Level Agreement (SLA) with your web agency to regularly update your WordPress version and plugins.
- Ask if the correct file permissions are in place for your website files and folders.
- Turn off PHP error reporting so hackers don’t gain access to valuable server path data.
- Ensure proper techniques for protecting your .htaccess. This important file contains your database connection settings.
- Create strong passwords using tools like strongpasswordgenerator.com or password managers like LastPass.
- Hide your login page.
- Have an automated regular backup schedule in place.
- Be careful who has access to your website and regularly review account permissions.
- Ask whether your website host provides application security for WordPress.
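As an added example (not from the original article or any tool it names), the Python script below checks three items from the list above on a WordPress folder: file permissions, PHP errors shown to visitors, and exposure of sensitive files. The permission thresholds and the sample tree are assumptions constructed for illustration; wp-config.php is checked alongside .htaccess because a standard WordPress install keeps its database credentials there.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Text match only: a commented-out PHP define() would also match.
DEBUG_ON = re.compile(r"define\(\s*['\"]WP_DEBUG['\"]\s*,\s*true\s*\)", re.I)
DISPLAY_OFF = re.compile(r"define\(\s*['\"]WP_DEBUG_DISPLAY['\"]\s*,\s*false\s*\)", re.I)

def audit_wordpress(root):
    """Return sorted (relative_path, finding) pairs for a WordPress folder."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath, name)
            if path.is_symlink():
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(path.lstat().st_mode)
            rel = str(path.relative_to(root))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if name == ".htaccess" and mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
            if name == "wp-config.php":
                if mode & stat.S_IROTH:
                    findings.append((rel, "readable by other users"))
                text = path.read_text(encoding="utf-8", errors="replace")
                if DEBUG_ON.search(text) and not DISPLAY_OFF.search(text):
                    findings.append((rel, "PHP errors shown to visitors"))
    return sorted(findings)

def build_sample(root):
    """Write a constructed sample tree (not real site data) for the demo."""
    sample = {
        "wp-config.php": (0o644, "<?php define('WP_DEBUG', true);\n"),
        ".htaccess": (0o664, "# BEGIN WordPress\n"),
        "index.php": (0o644, "<?php // front controller\n"),
        "upload.php": (0o666, "<?php // constructed world-writable file\n"),
    }
    for name, (mode, content) in sample.items():
        path = Path(root, name)
        path.write_text(content, encoding="utf-8")
        path.chmod(mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, finding in audit_wordpress(tmp):
            print(f"{rel}: {finding}")
```

An empty result means none of these three checks fired; it does not cover plugin or theme vulnerabilities.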
These are but a handful of website security checks that should be in place. Most of these are standard features for agencies but do not assume your website is protected just because you paid big bucks for your website. Always ask!
Tip #4 Add a security alarm system to your website
You already have insurance on your home (we’ll call this hosting), which is required for any home or website. You also have the ability to change or upgrade your locks and windows (your password). But let’s say an intruder finds their way into your home… how will you know? If your home already has a security system in place (application security), you would be instantly notified.
The same holds true for scanning services like Sucuri, which not only help protect applications like WordPress with firewalls but also notify your web agency of the impending attack and help fix any compromised files on the spot. Now that’s peace of mind.
It’s been said that prevention is better than the cure. Protect your website and thanks for reading!
Many great points borrowed from: https://premium.wpmudev.org/blog/keeping-wordpress-secure-the-ultimate-guide/