One of the things I stress the most to small business owners is the importance of website security. In today’s age, ensuring your website is as secure as possible is more important than ever.
While many business owners neglect website security, thinking that their website is too small or unimportant to be hacked, the truth is that any website can be a target. Hackers are always looking for new ways to access websites and steal information, and they will target any site they think they can exploit.
Later in this article, we’ll give an example of how one small business owner’s site was hacked and how a hacker exploited it in a way you would never have thought possible.
Why does website security matter?
You may have heard of some of the devastating effects of a website hack – from leaked customer information to being blacklisted by Google.
A website security breach can cause irreparable damage to your business, so you must take the necessary steps to ensure your website is as secure as possible.
We’ll start with an example. I recently had a business owner reach out to me, informing me that his website was sending out massive amounts of spam.
How did he find this out? Well, his website’s IP address was blacklisted, and his host informed him. He was devastated. The host wasn’t happy because the server’s IP address was now blacklisted, which meant that other customers on the same server could be affected.
The business owner had no idea how this happened or what to do. He didn’t know how to fix it and worried about the repercussions.
Luckily, we were able to help him clean up the mess.
It turns out he had a contact form on his website that was not secure and had been hacked. As a result, his website was being used to send out spam emails without his knowledge. Another effect is that his IP could not send critical emails to customers, such as invoices or password resets.
This is just one example of how a website security breach can devastate your business. We’ll discuss this case throughout this article, but I’m sure you’re ready for business.
What are the ways you can protect your site from being hacked?
As a business owner, you want to ensure that your website is as secure as possible. While there are more than this, here are five fundamental ways you can make sure your site is more secure:
Use a CDN with a firewall.
A CDN (content delivery network) will help speed up your website by caching your content across multiple servers worldwide. In addition, most CDNs also include a firewall to help protect your website from attacks.
Think of a CDN as a gateway between a visitor and your website. It filters out malicious traffic before it even reaches your site. Using various algorithms and blacklists, CDN providers constantly update their defenses to ensure your website is protected.
We typically recommend using Cloudflare as it offers a free plan that provides basic security for most websites. Their free plan offers a web application firewall (WAF). A WAF is software that filters traffic to your website, much like a CDN. The difference is that a WAF is more customizable as you can add rules to block specific traffic.
In the example above, we implemented the Cloudflare WAF and immediately blocked the IP address sending the spam. This bought us time to patch the problem on their site and fix the problem correctly.
Using Cloudflare’s free plan is a great way to get started with website security if you are on a budget. However, if you have the budget, we recommend upgrading to their paid plans which offer more features and protection.
Install security plugins.
There are several WordPress security plugins available that can help protect your website from attacks. These plugins can scan your website for vulnerabilities, block malicious traffic and encrypt your data.
Do you have anti-virus software on your computer? If so, then you understand how these plugins work. Just as anti-virus software protects your computer from malware, security plugins protect your website. They can scan all of your website’s files and database queries to ensure there is no malicious code.
Some of our favorite WordPress security plugins are Sucuri, Wordfence, and Jetpack. All three offer both free and premium plans depending on your needs. We recommend running a security scan at least once weekly to ensure your site is clean.
One of the things we noticed in the example is that they did not have a security plugin installed. If they had a security plugin installed, it would have caught the malicious code and prevented the attack in the first place. We installed Wordfence and, after a scan, found that their contact form plugin was compromised.
Use strong passwords.
Using strong passwords for your website and all your online accounts is essential. A strong password should be at least eight characters long and include a mix of letters, numbers, and symbols.
One of the primary methods hackers use to gain website access is a brute force or dictionary attack. This is where they use a program to automatically guess passwords until they find the right one.
The longer and more complex your password is, the harder it will be for a hacker to guess it. Fortunately, WordPress has a password generator built-in that can help you create strong passwords.
And, it should go without saying, never use the same password on multiple websites. If a hacker gains access to one of your accounts, they will try using that same password on other sites.
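The following is an added example, not code from the original article or from WordPress. It checks a password against the rule stated above and shows why a dictionary word with a digit and symbol appended can pass that rule and still be weak. The wordlist, function names and substitution table are constructed for illustration.

```python
import math
import string

# Constructed sample wordlist; real cracking dictionaries hold millions of entries.
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "qwerty", "dragon"}
SYMBOLS = string.punctuation
# Character swaps that dictionary rule sets undo routinely: 0->o, 1->l, 3->e, ...
LEET = str.maketrans("013457@$", "oleastas")


def meets_page_rule(pw):
    """The article's rule: at least eight characters, mixing letters, numbers, symbols."""
    return (len(pw) >= 8
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))


def dictionary_root(pw):
    """Return the common word a password is built on, or None if there is none."""
    # Drop the trailing digits/symbols people append, then undo the swaps.
    core = pw.lower().rstrip(string.digits + SYMBOLS).translate(LEET)
    return core if core in COMMON_WORDS else None


def brute_force_bits(pw):
    """log2 of the blind brute-force search space for the character classes used."""
    pool = 0
    pool += 26 if any(c.islower() for c in pw) else 0
    pool += 26 if any(c.isupper() for c in pw) else 0
    pool += 10 if any(c.isdigit() for c in pw) else 0
    pool += len(SYMBOLS) if any(c in SYMBOLS for c in pw) else 0
    return len(pw) * math.log2(pool) if pool else 0.0


def assess(pw):
    """Combine the checks; a dictionary root overrides a high brute-force estimate."""
    root = dictionary_root(pw)
    weak = root is not None or not meets_page_rule(pw)
    return {"meets_page_rule": meets_page_rule(pw), "dictionary_root": root,
            "brute_force_bits": round(brute_force_bits(pw), 1),
            "verdict": "weak" if weak else "ok"}


if __name__ == "__main__":
    for sample in ("Password1!", "W3lcome#9", "abcdefgh", "tV9#qLm2&xRp"):
        print(sample, assess(sample))
```

The brute-force figure only describes blind guessing, so a password that contains a dictionary root should be treated as weak whatever that number says.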
Keep your software up-to-date.
It’s essential to keep your software up-to-date, including your operating system, web server, and WordPress install. Software updates often include security patches that can help protect your website from attacks.
One of the newest and best features of WordPress is automatic updates. WordPress will now automatically update itself when a new version is released. While this is a great feature, we recommend manually updating your plugins and themes.
This is because sometimes updates can break things on your site. If you have a plugin or theme incompatible with the latest WordPress update, it can cause your website to break. By manually updating, you can test the update on a staging site before pushing it live. If there are any issues, you can quickly roll back the changes.
Harden your server settings.
You can tweak several server settings to make your website more secure. For example, you can limit the number of login attempts allowed, require strong passwords for logging in and disable directory browsing.
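The login-attempt limit mentioned above, sketched as an added example that is not part of the original article and not the code of WordPress or any plugin. The class name, the thresholds (5 failures in 5 minutes, 15-minute lockout) and the sample events are assumptions chosen for illustration.

```python
import collections


class LoginLimiter:
    """Sliding-window cap on failed logins per (client IP, username) pair."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900):
        self.max_failures = max_failures   # failures tolerated inside the window
        self.window_s = window_s           # how far back failures are counted
        self.lockout_s = lockout_s         # how long the pair stays blocked
        self.failures = collections.defaultdict(collections.deque)
        self.locked_until = {}

    def allowed(self, ip, user, now):
        """True if this pair may have its password checked at time `now`."""
        return now >= self.locked_until.get((ip, user), 0)

    def record_failure(self, ip, user, now):
        recent = self.failures[(ip, user)]
        recent.append(now)
        while recent and recent[0] <= now - self.window_s:   # drop stale failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[(ip, user)] = now + self.lockout_s
            recent.clear()

    def record_success(self, ip, user):
        self.failures.pop((ip, user), None)       # a good login resets the count


def replay(events, limiter):
    """Run (time, ip, user, password_ok) events; return (checked, rejected) counts."""
    checked = rejected = 0
    for now, ip, user, password_ok in sorted(events):
        if not limiter.allowed(ip, user, now):
            rejected += 1                         # refused before any password check
        elif password_ok:
            checked += 1
            limiter.record_success(ip, user)
        else:
            checked += 1
            limiter.record_failure(ip, user, now)
    return checked, rejected


# Constructed sample: 100 wrong guesses, one per second, against "admin", plus a
# real user who mistypes once and then logs in. IPs are documentation ranges.
GUESSING = [(t, "203.0.113.7", "admin", False) for t in range(100)]
OWNER = [(10, "198.51.100.4", "owner", False), (20, "198.51.100.4", "owner", True)]
```

Calling `replay(GUESSING + OWNER, LoginLimiter())` shows only 5 of the 100 guesses reaching a password check, while the owner's single typo does not lock them out.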
Managing a server may seem daunting, but you can get a fully managed VPS or shared hosting if you’re not dealing with tons of web traffic. In these cases, the hosting company will handle server management for you. They (should) ensure that all of the server software (e.g., Apache, PHP, MySQL) is up to date and correctly configured for security.
Of course, you can always try your hand at server management with a VPS. If you go this route, make sure you do your research and ask for help when needed.
Have a regular backup routine.
Even if you follow all of the security measures above, there is always a chance that something could go wrong. That’s why it’s crucial to have a regular backup routine in place. You can quickly restore your website from a backup if your website is hacked or corrupted.
Many excellent WordPress backup plugins are available, including UpdraftPlus, BackupBuddy, and VaultPress. All three offer both free and premium plans. We recommend running a full backup at least once a week and even more frequently if you’re constantly making changes to your site.
In our case, we back up the server nightly. However, for our clients, we provide additional backups whenever we make changes to the site. So, for example, if we modify a client’s theme or add a new plugin, we’ll make sure to back up the site beforehand and again after the changes have been made. This may seem like overkill, but it gives us a failsafe if something goes wrong.
Make sure you have peace of mind.
Website security is a monumental task, and it’s vital to ensure you have a plan in place if something goes wrong. Taking these precautions will help ensure your website is as secure as possible, but it’s also essential to plan what to do if something happens.