How to Keep Your Website Secure
A friend recently messaged me in a panic — her website had been hacked!
Not good news. Especially because she was in the middle of a project. She had no time for this! (Though, let’s face it, is there ever a good time to be hacked?)
But we dug deep and cleaned out the site, changing passwords, updating all themes / files / plugins, removing the hundreds (yes, hundreds) of spammy hacker files that had been secretly inserted to pollute her site, and then we dove back in and got the site ready to go.
It was scary and a gigantic pain for my lovely friend. Quite frankly, it’s a position I’d hate for anyone to be in.
So the important question is:
How can you protect your site from getting hacked in the first place?
Here are some steps you can take to ensure your site is as protected and secure as possible.
I’ll be referencing WordPress a lot, but in general these tips can be applied to any program or product you choose to use for your website.
1 Use Advanced Passwords
I know, I know… it’s a big pain to try to remember all your passwords, especially if they’re more complex. But those hackers know what to look for first. They’ll try birthdays, they’ll try anniversaries and all other date formats, they’ll try 1234, they’ll try standard personal references and easy phrases. If you make it easy for them, they’ll get in and wreak havoc on your website, lock it up, destroy it, or use it for whatever spammy nefarious purposes they can.
So try not to make it easy for them.
- Make your passwords at least 8 characters long (the longer, the better)
- Use a mix of upper and lowercase letters, numbers, punctuation, even goofy gibberish
- Don’t use “admin” as your login username (way too easy for hackers to figure out)
- If you can, don’t use the same password for every login
- When you do change your password, don’t use a password you’ve already used
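As an added example (not code from the original post), here is a small Python checker that applies the rules above: minimum length, mixed character classes, no guessable words or sequences such as "1234", no username baked into the password (and a flag for the "admin" login name), no date-like fragments such as birthdays or anniversaries, and no reuse of an earlier password. The weak-word list and the date patterns are my own constructed heuristics, not Wordfence or WordPress behaviour.

```python
import re
import string

# Constructed list of the guessable choices the post warns about; a real
# deployment would check against a much larger breached-password list.
COMMON_WEAK = {"1234", "12345", "123456", "password", "admin", "letmein", "qwerty"}

# Heuristics for dates in common formats: 1984, 12/25/1984, 25-12-84, 251284.
# Note: any run of six or eight digits is treated as a possible date.
DATE_PATTERNS = [
    re.compile(r"(19|20)\d{2}"),                        # four-digit year
    re.compile(r"\d{1,2}[/.-]\d{1,2}([/.-]\d{2,4})?"),  # 12/25 or 12-25-1984
    re.compile(r"\d{6}|\d{8}"),                         # 251284, 19841225
]


def check_password(password, username="", previous=()):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("needs both upper and lowercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs at least one punctuation character")
    lowered = password.lower()
    if lowered in COMMON_WEAK or any(w in lowered for w in ("1234", "password", "admin")):
        problems.append("contains a guessable word or sequence")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if any(p.search(password) for p in DATE_PATTERNS):
        problems.append("looks like it contains a date")
    if password in previous:
        problems.append("was used before")
    return problems


def is_admin_username(username):
    """The post's rule: never log in as the default 'admin' account name."""
    return username.strip().lower() == "admin"
```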
2 Change Your Passwords Regularly
I know this sounds like a big pain, especially because everything’s online these days! Bank accounts, social media accounts, website logins, shopping accounts. You name it, we’ve got a login for it. The last thing we want to do is pause over our keyboard, trying to remember that damn password so we can buy that book, or pay that bill, or send that email.
But here’s the thing: the longer you don’t change your password, the more opportunity you give the hacker to figure it out.
On the flip side, if you do change it regularly (or even just semi-regularly), you’ll be keeping the hackers on their proverbial toes.
- Mix it up and make it an annual or semi-annual event in your calendar, just to make sure you remember when you last changed it.
- If you have other users who have access to your website’s administrative dashboard, make sure they use advanced passwords as well and that they change their passwords from time to time too.
- If you have a site made with WordPress, there are free or for-purchase security plugins such as Wordfence that can warn you if your administrators or your subscribers are using “too easy” passwords that need to be updated. Change the password yourself immediately as a precautionary measure. Then send them a quick but kind note, providing a link for changing their password, letting them know they’ll need to reset it to something they prefer the next time they log in, and explaining how updating their password with something a little more complex not only protects them and their information but also you and your site from hackers and spammers. Let them know that the more complex they make their password, the safer everything will be for everyone.
- Change your cPanel (website hosting account) password occasionally as well. That’s an area crucial to protect — it’s where your website files and all your content are stored with the hosting company. If the hackers can get in there, they’ll have access to everything connected with your website (and possibly your personal information as well). You really don’t want them to get in there.
3 Use Software, Themes and Plugins That Are Strong, Reputable and High Quality
I know free stuff can be enticing, but… if the content or software isn’t from a company or site you know and trust, it could end up being an easy way for someone to hack into your stuff.
Even products that aren’t free need to be examined first. Vet your choices carefully.
How can you tell? Check ratings, reviews, changelogs, comments and the seller’s website for signs that they’re active in supporting the programs, themes or plugins they create.
QUALITY CONTROL DETAILS TO CONSIDER
- How long has the seller / designer / theme company been around? Make sure they still support your theme or plugin of choice and offer good service. If you plan on using your theme for more than a year, it’s good to find a company and design that will stick around. The last thing you want is to spend the money and time setting up your website with a specific design program, content management system, theme or plugin, only to find it’s no longer compatible with the latest, most current software and programs. The longer a piece of your site isn’t kept up-to-date, the more open it is for hackers to find a way in. (I’m going to be saying this a few more times. I’d say sorry, but… it’s important!)
- Is the program easy to use? Do they provide clear documentation for setting up and using their product?
- Do they provide a place to request support if you encounter issues? Do they answer people’s support questions in a timely fashion? Do they provide helpful solutions? (Do they provide any solutions?)
- Do they have a refund policy?
- How often do they update their products (to keep it up-to-date with the latest changes in technology and security)? For example, if it’s not updated regularly to sync with the latest WordPress releases, your website could be vulnerable to security breaches.
- Check overall numbers. How many people have downloaded the theme / plugin / program? What kind of rating does it get? If it’s very popular, has a high rating amongst all those users and very few complaints, it could be a good plugin to use. If it does get complaints, what kind of complaints does it get? Are people complaining that it doesn’t work right and no one’s getting back to them? Then it’s likely they won’t get back to you if you have a question either. Best steer clear!
- Check changelogs. How often does it get updated, and when was the most recent update? Again, if they’re not updating it or it’s been more than a couple years since it’s been updated, the developer may not be keeping their plugin current with the latest programs and security needed. That puts your site at risk.
4 Make Sure Your Plugins, Theme and Website Software Are Up-To-Date with the Most Current Versions
This intertwines with the previous suggestion. Making sure the products you use are of good quality and regularly kept current is crucial to keeping your site clean.
- Check for when the theme / plugin / program was first created and how long it’s been since the developer updated their product. If it’s brand new and only has one version to its credit, it might need to have bugs worked out first. Check the support forums for it, and see if people are complaining about a lot of issues. If there are, is the developer addressing and correcting them? If so, it may be safe to try. If not, they may not be keeping it up-to-date, which makes it a vulnerability if you use it on your website.
- If you found and used a great product on your site, but then you notice that the developer hasn’t updated their product in a few years, it may be time to shop around for a new theme/plugin that can do the same thing, and replace the old one. The longer it’s been dormant without an update to comply with the most recent security measures, the more vulnerable it is to being hacked.
- Update update update! Update your themes. Update your plugins. Update your core files. For example, if your site is using WordPress 4.3 and they alert you that they’ve just come out with version 4.4, update your site to have the latest version. Along with great new theme features, the WordPress team creates patches to fix security holes, and each update may provide something to further protect your site. The older your program version is, the more vulnerable your site is for hackers to find a way in. Keep everything current!
- If you’ve got someone else managing your site, make sure they’re updating your theme, plugins, and/or website programs on a regular basis. Again, the longer those pieces have sat dormant without an update, the more vulnerable your site is. The hackers will use those weakened pieces of your site as doorways to get in.
5 Get Rid of the Old Stuff!
If you’ve got super old plugins, themes or programs that haven’t been updated by their creator in years, or if it’s stuff that you’re simply not using anymore, delete it from your system.
If your site still needs the functionality of it in some way, replace the program, plugin or theme with something stable, well-monitored and regularly updated.
Don’t just “deactivate” the theme or plugin and let it sit in your admin screen or in your website folders. Hackers can still use those dormant pieces to get in. The only way to keep it from hackers is to completely uninstall and delete the stuff from your site.
Remove ALL the files related to them so every trace of that plugin or theme is gone. I know I sound like a broken record, but it bears repeating. The older they get, the more vulnerable they are because they haven’t been updated and synced with the latest security and technology. That makes the old stuff more easily cracked open for hackers to get in and do their business.
Seriously, if you don’t need it, if you haven’t used it in ages, if it’s not being maintained by its developers… please, please get rid of it. Every trace.
6 Install A Security Plugin
If you’re managing your site yourself, install a trusted security plugin that will scan your site regularly for malware and other vulnerabilities. Such security plugins also help by tracking repeated failed login attempts from the same IP address and blocking it.
Hey, that was a short one! (You’re welcome.)
7 Make Sure Your Hosting Company Provides Good Security
Not only do you need to keep your website programs up-to-date, but it’s important that your hosting company does the same. Some hosting companies even apply weekly updates to your core files, themes and plugins for you.
A HOSTING COMPANY WE TRUST
9 Planets Hosting provides 24/7 monitoring of your site, nightly off-server backups, daily malware scanning, knowledgeable technical support and a money back guarantee. They also do weekly updates to your WordPress core files, plugins and themes.
FAIR WARNING: We do contract web design work for 9 Planets, so we’re obviously very biased. But even if we didn’t work with them personally, we’d want to, because they’re fantastic and they know what they’re doing. Not only have these people been hosting websites for almost 20 years, they’re smart and helpful, offer fair prices, and fit all the criteria listed below (and then some). We highly recommend 9 Planets for your domain and hosting needs. Case in point: we trust them to host this site.
No matter what hosting company you hire, consider this before diving in…
ASK YOUR POTENTIAL HOSTING COMPANY QUESTIONS
- Do they have firewalls and malware scanning?
- Do they do daily backups of your entire site? Do they do off-server backups as well?
- Do they provide hotline help if you come across an issue?
- If something goes wrong, are their servers monitored regularly and on alert for any issues?
- If you try to update a piece of your website and everything stops working, does the hosting company provide debugging or help with configuration or coding issues?
8 Backup backup backup!
Before you make any massive changes to your site, and before you delete anything, back up your entire database and site files. That way you always have a safe copy to use in an emergency.
Make sure your hosting company does daily backups and if possible even does off-server backups in case something terrible happens to the main servers. That way you always have a safe backup copy to go back to if you need to (and if you do get hacked, you’ll be able to restore a safe copy of your site from before you got hacked, a version that isn’t filled with their garbage files).
Also, if a new update to your theme, programs or plugin throws off something on your website (such as the design or layout), you’ll be able to contact your hosting company and have them revert you back to the previous day’s backup copy, from before you attempted the site update. That way, you can determine if the update just had a problem with one of its files or if it’s conflicting with your theme or one of your plugins, find the issue and then make adjustments to your site.
Or, if you aren’t a programmer or coder and aren’t comfortable making adjustments or fixes to your own site, you can have your hosting company revert to your backup, then contact the theme or plugin company and let them know how their latest update affected your site. They may be able to advise you on your options.
Or, you can revert to your backup and wait a week first — sometimes the developers have been alerted to the issues already and their next update will correct the problem so you won’t have to do any adjusting or change code on your overall website at all.
These are just a few of the measures you can take to protect your website from being hacked. The main rules are to keep all your files and programs up to date, and remember to change your passwords every so often. Nothing is impenetrable, but if you do your best to maintain your site and its contents, you can keep your site as safe as possible.
WHAT IF BY SOME HORRIBLE CHANCE YOU DO GET HACKED?
That is a whole other topic for another post, with many steps to take, but one piece of advice I can give, one first step you should take immediately, is to CHANGE ALL PASSWORDS TO ALL YOUR ACCOUNTS.
If you’ve saved any passwords in your accounts, including in your email (which can also be hacked if it’s an email account tied to your website), then the hackers who got into your website and/or website email account now have potential access to those saved passwords and to any other accounts referenced there.
Change all passwords immediately, especially to more vulnerable ones like bank accounts or health record related accounts that might contain your most personal information. If you used the same or similar passwords for those accounts, the hacker may be able to use the info from hacking your website to get into those other, most personal of accounts. If you’ve been hacked in one place, you may end up being hacked elsewhere, so — just like when people’s credit cards are stolen — it’s important to immediately report the problem to your hosting company and change every password. Keep them from getting in everywhere.
NOW IT’S YOUR TURN
Do you have any helpful security tips and tricks of your own? Please share in the comments below. You never know who might read your words and benefit from your knowledge and experience.
And if there’s a topic you’d like to see covered here in the blog, please let us know.