Your website is a security risk.
As uncomfortable as that sounds, it’s a reality check that you need to understand.
If you have a website, you have a security risk.
It’s not because you’re doing something wrong, or because you specifically are being targeted. It’s because you have code published on a publicly reachable web server and, despite your best efforts, there is always a chance that it could be compromised or misused.
This is why we’ve called website security an arms race.
The bad guys out there (we’ll call them hackers, for lack of a better term) are constantly scanning for vulnerabilities they can exploit, and most of that scanning is automated: it doesn’t care whose site it is. Given the sheer number of websites, there will always be attackers finding opportunities to cause trouble.
Want to avoid becoming an easy target? Here’s how.
There are three general principles to ensuring your website’s security:
Each has specific actions you can take to improve your overall website security.
To do that, we recommend using the iThemes Security Pro plugin, which helps lock down your WordPress website and ensure that the most common vulnerabilities are addressed.
The security best practices you should implement include:
When someone logs into your website, require an authentication code before they can access the WordPress backend.
You’ve seen this before on your online banking or social media sites; at this point, it’s relatively common to require a second piece of data to confirm that the right person is logging into the account.
You can choose to have the authentication code emailed, texted, or delivered via an authenticator app. An authenticator app is the strongest of the three, since an emailed or texted code is only as safe as the mailbox or phone number it goes to; but any of them is low-hanging fruit compared to a password alone, and a big step toward ensuring that the right people are logging into your website.
For the users who do have access to the backend of your website, make sure that they’re required to have strong passwords.
This may seem like a no-brainer, but you’d be surprised by how frequently people use the most common passwords (or maybe you won’t be surprised).
Make sure that your team uses long, unique passwords (a password manager makes this painless), and reset a password promptly whenever there is a reason to: a suspected breach, a credential that was shared, or a team member leaving. Forcing changes on a calendar schedule tends to produce weaker, predictable variations rather than better passwords.
On a misconfigured web server, anyone who requests a directory that has no index file is shown a listing of every file in it.
There’s no value in letting visitors see what files exist on the server; all it does is let attackers enumerate installed plugins and their versions, find stray backups or configuration copies left behind, or confirm that a file they uploaded landed where they expected.
Turn off directory browsing and you’ll help limit access to your website and server.
When you have a login page at a well-known URL (WordPress uses /wp-login.php, and /wp-admin/ redirects there), it’s easy for bots and hackers to try to “brute force” their way in.
Essentially, they run scripts that try dozens, hundreds, or thousands of username and password combinations until they find a pair that opens your WordPress backend. Because it’s a computer running the script, it doesn’t get tired and it won’t stop until it succeeds or is stopped.
Brute Force Protection blocks an IP address after it fails a set number of login attempts (typically 5 or 10) within a short window. Once the address is blocked, further attempts from it are rejected before the password is even checked, which is the point: the attacker’s eventual correct guess is refused too. Two caveats are worth knowing. Attackers spread attempts across many addresses to stay under a per-IP threshold, so lockouts complement two-factor authentication rather than replace it. And WordPress also accepts username and password logins through its XML-RPC endpoint (xmlrpc.php), so protection needs to cover that path as well, or the endpoint should be disabled if nothing on your site uses it.
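To make the lockout mechanism concrete, here is an added example (not code from the iThemes plugin) that replays a handful of constructed login records through a per-IP lockout. The log format, the addresses, and the thresholds are assumptions chosen for illustration.

```python
"""Per-IP login lockout, replayed over constructed log records.

Added example, not code from the iThemes plugin. The log format below
(ISO timestamp, source IP, username, ok|fail) and the thresholds are
assumptions chosen to illustrate the mechanism.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                     # failures before an address is blocked
FAILURE_WINDOW = timedelta(minutes=5)     # failures older than this no longer count
LOCKOUT_DURATION = timedelta(minutes=15)  # how long a blocked address stays blocked

# Constructed sample: 203.0.113.7 guesses five times and gets it right on the sixth.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.7 admin fail
2024-03-01T10:00:01 203.0.113.7 admin fail
2024-03-01T10:00:02 203.0.113.7 administrator fail
2024-03-01T10:00:03 203.0.113.7 wpadmin fail
2024-03-01T10:00:04 203.0.113.7 admin fail
2024-03-01T10:00:05 203.0.113.7 admin ok
2024-03-01T10:02:00 198.51.100.12 alice fail
2024-03-01T10:03:00 198.51.100.12 alice ok
2024-03-01T10:20:00 203.0.113.7 admin ok
"""


def parse_record(line):
    """Split one constructed log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"


class BruteForceGuard:
    def __init__(self, threshold=LOCKOUT_THRESHOLD, window=FAILURE_WINDOW,
                 lockout=LOCKOUT_DURATION):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the block expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record(self, ts, ip, succeeded):
        """Apply one attempt; return 'blocked', 'locked' or 'allowed'.

        'blocked' means the attempt was refused before credentials were
        checked, so even a correct password does not get in during lockout.
        """
        if self.is_locked(ip, ts):
            return "blocked"
        recent = self.failures[ip]
        if succeeded:
            recent.clear()
            return "allowed"
        recent.append(ts)
        while recent and ts - recent[0] > self.window:  # forget stale failures
            recent.popleft()
        if len(recent) >= self.threshold:
            self.locked_until[ip] = ts + self.lockout
            recent.clear()
            return "locked"
        return "allowed"


def replay(log_text):
    """Run every record through a fresh guard; return (ip, user, decision) tuples."""
    guard = BruteForceGuard()
    return [
        (ip, user, guard.record(ts, ip, ok))
        for ts, ip, user, ok in map(parse_record, log_text.splitlines())
    ]


if __name__ == "__main__":
    for ip, user, decision in replay(SAMPLE_LOG):
        print(f"{ip:<15} {user:<14} {decision}")
```

The sixth record is the one to watch: the attacker finally supplies the right password, but the address is already locked, so the attempt is refused without the password ever being checked. The counter is per source address, which is also the mechanism’s limit; an attacker rotating through many addresses stays under the threshold, which is why this control belongs alongside two-factor authentication rather than in place of it.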
If a file gets added to, changed on, or deleted from your website, it’s important that you know about it.
With File Change Detection, you’ll get notifications (by email or otherwise) that something has changed on the server. Some websites change more than others, for example when your team adds new images or PDFs to the Media Library, and those changes will show up too, so expect to tune the exclusions until the alerts are readable.
What you’re looking for is anything you didn’t do: a new file where none should appear (especially a .php file inside wp-content/uploads), a plugin or theme file that changed outside of an update, or a file that was removed but shouldn’t have been. Check each alert against what your team actually did that day.
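The following is an added example, not the plugin’s implementation, showing the baseline-and-compare approach behind file change detection and the triage step that separates routine Media Library churn from changes worth a look. It builds a throwaway WordPress-like directory tree on constructed data so it runs offline; the excluded cache directory and the file names are assumptions.

```python
"""Baseline-and-compare file change detection for a site tree.

Added example, not the plugin's implementation. It builds a throwaway
WordPress-like directory under a temp folder, snapshots it, tampers with
it, and reports what changed, so it runs offline on constructed data.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Directories that churn legitimately and would only generate noise (assumption).
EXCLUDED_DIRS = {"wp-content/cache"}
PHP_SUFFIXES = (".php", ".phtml", ".phar")


def file_sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root, excluded=EXCLUDED_DIRS):
    """Map each file's path (relative, POSIX-style) to its SHA-256."""
    root = Path(root)
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if rel_dir in excluded:
            dirnames[:] = []  # do not descend into excluded trees
            continue
        for name in filenames:
            full = Path(dirpath) / name
            hashes[full.relative_to(root).as_posix()] = file_sha256(full)
    return hashes


def diff_snapshots(before, after):
    """Classify paths as added, removed, or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def triage(changes):
    """Separate expected Media Library churn from changes a human should review."""
    alerts = []
    for path in changes["added"] + changes["modified"]:
        in_uploads = path.startswith("wp-content/uploads/")
        if in_uploads and path.endswith(PHP_SUFFIXES):
            alerts.append(("php-in-uploads", path))  # code where only media belongs
        elif not in_uploads:
            alerts.append(("code-changed", path))    # core/plugin/theme file touched
        # a new image or PDF under uploads is normal and is not reported
    for path in changes["removed"]:
        alerts.append(("removed", path))
    return alerts


def demo():
    """Constructed scenario: one legitimate upload, a dropped web shell, a
    backdoored plugin, a deleted core file, and noise in the cache directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("wp-content/uploads/2024", "wp-content/plugins/hello",
                    "wp-content/cache"):
            (root / sub).mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-content/plugins/hello/hello.php").write_text("<?php // plugin code\n")
        (root / "wp-content/uploads/2024/logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        (root / "wp-content/cache/page.html").write_text("cached page")
        baseline = snapshot(root)

        (root / "wp-content/uploads/2024/brochure.pdf").write_bytes(b"%PDF-1.4 constructed")
        (root / "wp-content/uploads/2024/shell.php").write_text("<?php eval($_POST['c']);\n")
        with open(root / "wp-content/plugins/hello/hello.php", "a") as fh:
            fh.write("eval(base64_decode($_GET['x']));\n")
        (root / "wp-content/cache/page.html").write_text("regenerated page")
        (root / "index.php").unlink()

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for severity, path in triage(demo()):
        print(f"{severity:<15} {path}")
```

The brochure upload is detected but deliberately not alerted on, while the PHP file in uploads, the appended plugin code, and the deleted core file each produce an alert. Hashing rather than relying on modification times matters here: an attacker who edits a plugin file can reset its timestamp, but cannot make the content hash match the baseline.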
PHP, the programming language that powers WordPress, can do a lot. Almost everything your website is capable of doing happens because of PHP, which means it’s incredibly powerful for the good things and just as powerful for the bad things.
PHP files belong only in certain places on your site, such as WordPress core, your themes, and your plugins. The uploads folder (wp-content/uploads) is the classic exception: it has to be writable by the web server so the Media Library works, which is exactly why an attacker who finds an upload flaw tries to drop a .php file there. By disabling PHP execution in subdirectories like this, you ensure that any malicious script that lands there is served as an inert file rather than run.
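Both the directory-listing control and the PHP-execution control described above come down to a few lines of web server configuration. The following is an added example, not text from the original page or anything generated by the plugin. It assumes Apache 2.4 with .htaccess overrides enabled (AllowOverride All, or at least Options and AuthConfig); on nginx the equivalents are `autoindex off;` and a `location` block that returns 403 for PHP requests under the uploads path.

```apache
# Site root .htaccess (assumes Apache 2.4 and that .htaccess overrides are allowed)
# Stop Apache from generating a file listing when a directory has no index file.
Options -Indexes

# wp-content/uploads/.htaccess
# The uploads tree must stay writable for the Media Library, so make it
# non-executable instead: any PHP file that lands here is refused rather than
# run. Images, PDFs and other media in the same tree still serve normally.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
```

After adding the uploads rule, request a known media file and a deliberately placed test .php file from the uploads directory: the first should still load and the second should return 403. Remove the test file afterwards.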
There are a number of services that will scan your website for malware; it’s worth using them as another layer of protection.
These services, such as Sucuri SiteCheck, crawl your site on a schedule as an anonymous visitor and compare what they find against known malware signatures and blocklists. Because they only see what a visitor sees, they can’t detect a backdoor hidden in a plugin file or a rogue administrator account, and they won’t catch everything that happens inside your WordPress dashboard. Treat them as another tool in your arsenal rather than as proof that you’re clean.
Have a question about your website security?
Contact us and we’ll happily do a Website Audit and see how we can make your website more secure.