If you only read ONE post on this entire site, it HAS to be this one.
As a blogger, you invest so much time and effort into designing your website and writing original material for it, but do you ever stop to think what would happen to all that hard work if your site was hacked?
Today’s post comes to you from Heather at Designmancy. She’s a go-to guru for site security, and describes herself as a “closet food-lover”! If you’ve got your own blog, then you’re charged with the task of being your own web technician and developer, but perhaps you don’t know where to start with the more technical aspects, the updates and hack-proofing. Having to deal with this kind of thing can be very frightening for those not “in the know,” and often, it gets neglected simply because we don’t know where to start.
Heather has written two posts for us on how to look after your site; this is the first in the series and tells you what you should be doing NOW to prevent attacks from hackers, as best you can. Her second post, Maintain Your Website in Just 30 Minutes a Month, has a handy checklist of site maintenance tasks you should be doing – and it only takes 30 minutes a MONTH!
Protecting Your Site From Hackers (When Hack-Proofing Doesn’t Exist)
First, I need to make one thing clear: there’s no such thing as a hack-proof site.
Scary thought, isn’t it?
The reason I don’t believe you can ever truly prevent all hacks is this: hacking methods are constantly improving. It’s like a space race on the internet. On the one side you have people working to perfect website security and keep us all safe, and on the other side you have hackers determined to find the latest vulnerabilities and exploit them.
Fortunately, there are two main ‘types’ of attack online and the more dangerous one is much rarer. The first (and most dangerous) is when a human being decides to spend time and effort breaching your security. This is the stereotype you see in most films: they have complex software to help, but they’re sitting there actively monitoring the situation and frantically typing to break through firewalls. Impressive, showy, and not terribly common.
The second type is handled automatically, by scanning through thousands of sites looking for the same weakness and pouncing. This type happens almost constantly, but it’s fairly easy to protect against.
Prevention is the name of the game
How do we prevent automated attacks? By using a very good, monthly maintenance routine and starting from a “protected” base.
In this first part we’re going to talk about setting your WordPress site up for success security-wise. Then in the next one (which is where the real prevention magic happens) we’ll talk about how to maintain your site in just 30 minutes a month while handling all the tasks you need to.
Step One: Update Your Website
This step is important. I.M.P.O.R.T.A.N.T.
Many automated attacks rely on exploiting existing security holes in your themes and plugins, or in WordPress itself. They scan around, see the one they know how to use, and leap in. When you update, most of the time you are plugging those holes.
So go ahead and do any of the updates you have waiting (side note, if you can’t update your theme without styles breaking then come and have a quick word with me and I’ll help you by making your site push-button easy to update again).
After that, have a quick glance at your Themes and Plugins to see when they were last updated by the developer. It should tell you in smaller text right alongside or underneath each one. Any that say it’s been over 6 months to a year since they were updated are a risk, and it’s worth thinking about replacing them with something else.
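If you keep a list of your plugins and their "last updated" dates, the staleness check above can be automated. This is an added example, not part of Heather's original post: the plugin names are constructed, the `slug` / `last_updated` field names and date format are assumptions modelled on WordPress.org plugin metadata, and splitting the post's "6 months to a year" range into two tiers is this example's choice.

```python
from datetime import date

# The post's range: past 6 months deserves a look, past a year plan a
# replacement (the two-tier split is this example's choice, not the post's).
REVIEW_DAYS = 183
REPLACE_DAYS = 365

# Constructed sample records, not real plugins. Date format is an assumption.
SAMPLE_PLUGINS = [
    {"slug": "example-recipe-cards", "last_updated": "2024-05-20 3:14pm GMT"},
    {"slug": "example-social-share", "last_updated": "2023-10-02 9:01am GMT"},
    {"slug": "example-old-slider", "last_updated": "2021-03-11 11:45pm GMT"},
    {"slug": "example-custom-plugin", "last_updated": None},  # no date known
]

def parse_last_updated(value):
    """Return the date part of a 'YYYY-MM-DD h:mmam GMT' string, or None."""
    if not value:
        return None
    try:
        return date.fromisoformat(value.split()[0])
    except (ValueError, IndexError):
        return None  # unparseable dates are treated as unknown, not as fresh

def classify(record, today):
    """Return 'ok', 'review', 'replace' or 'unknown' for one plugin record."""
    updated = parse_last_updated(record.get("last_updated"))
    if updated is None:
        return "unknown"
    age_days = (today - updated).days
    if age_days > REPLACE_DAYS:
        return "replace"
    if age_days > REVIEW_DAYS:
        return "review"
    return "ok"

def audit(records, today):
    """Return (slug, status) pairs, riskiest first."""
    order = {"replace": 0, "unknown": 1, "review": 2, "ok": 3}
    results = [(r["slug"], classify(r, today)) for r in records]
    return sorted(results, key=lambda item: (order[item[1]], item[0]))

if __name__ == "__main__":
    # Fixed date so the sample output is reproducible; use date.today() for real.
    for slug, status in audit(SAMPLE_PLUGINS, date(2024, 6, 1)):
        print(f"{status:8} {slug}")
```

A plugin with no known update date is listed as "unknown" rather than "ok", so it gets looked at by hand instead of slipping through.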
Step Two: Install a Security Plugin
Whichever you decide to install, make sure you go through the setup steps and scan your site / harden your security. Follow their recommendations. This will help you configure your basic site security settings and make sure that you’re clean, clear, and ready to go.
Bonus Useful Steps
If you’ve done the first two steps you’re now well on your way, but here are some other helpful things you can do for your website:
- Change the password on any old user accounts that no one is using any more.
- Make sure your password is strong. The best way to handle this is by installing a password manager like LastPass or 1Password and generating a unique password. (Those are a good idea for any sort of online account you have, actually.)
- Check your site from time to time using either https://sitecheck.sucuri.net/ or http://scanner.pcrisk.com/
- Log into your hosting account and make sure that any FTP accounts were either created by you or are the default ones your site came with. If there are any unknown/new ones, delete them.
The last thing you may want to look into is your hosting provider. These aren’t created equal; some are more likely to have their server hacked than others. Most hosts have had a security vulnerability at some point or another but what you’re looking for is how they responded and what’s being done to prevent future ones. It’s best to Google “your host security vulnerability” to see how they’ve reacted and how people feel about their level of protection.
Congratulations, you’re off on the right foot!
Following this list (or even just those first two steps!) will set you up for success. Next time we’re going to go over a system that will *keep* you as safe as possible over the long haul.
Discovered a problem? Not able to complete these steps? Come find me at Designmancy and I’ll be happy to help you.
What’s your favourite tool for protecting your site?