A-Z Website Security for WordPress Business Owners
Thank goodness that only mega-huge corporations have to worry about cybersecurity, right? All you small business owners out there with WordPress sites can heave a sigh of relief that hackers aren’t interested in you.
The reality is that hackers are extremely interested in small to medium-sized businesses (SMB). A small business tends to have a smaller cybersecurity budget and fewer qualified staff to properly secure a network. In the Internet Age, all data is valuable, and perhaps more valuable than money in a cash register.
The Nature of the Threat Environment
For this article, we’re going to focus on threats particular to the WordPress content management system (CMS), since it is approximately more popular than sliced bread. How popular? Try on these numbers.
- 35% of all websites use WordPress
- WordPress owns 62% of the CMS market
- WordPress powers almost 15% of the Top 100 websites (including Disney and Microsoft)
- Market share is still growing
Obviously, with that kind of popularity, hackers aren’t going to decide en masse to just leave the platform alone. There are particular security issues that go hand-in-hand with running a WordPress site.
Here are the most common:
- Brute force attacks
- File inclusion exploits
- SQL injections
- Cross-site scripting
The reality of the online world today is that a certain level of security is already built into the most recommended web hosts. If it weren’t, they wouldn’t be in business long. They take care of the majority of security behind the scenes at the server level and won’t let you back there to futz around even if you ask.
But let’s get down to the nitty-gritty on what actions a small business owner should take today to make sure the bad guys stay on the outside. Here is our A-Z Website Security Guide for WordPress Business Owners.
Update Software Regularly
You’re lucky because this one doesn’t require intelligence, planning, or effort. Have you ever noticed messages in the WP dashboard area urging you to update themes, plugins, and the actual core platform? Have you proceeded to blithely ignore the request? Here’s a bit of advice. Stop doing that and update instead. Updating is often also the quickest way to troubleshoot a misbehaving theme or plugin.
To understand why you should update every time you are asked to, consider the fact that new security patches and code updates are issued daily, sometimes hourly. Hackers don’t take a break and neither do the automated algorithms they deploy to attack sites around the clock.
A regular update schedule on these three critical software areas is surprisingly effective for the amount of effort required (not much). So right now, before you spend an hour changing fonts on your blog, please update your software.
This is the single best way to immediately reduce your vulnerability and prevent an unexpected cash flow interruption, which is the reason 82% of SMBs go out of business. When you also take into consideration that the average cost of recovery from a breach is more than $2 million, we’re talking about a serious interruption indeed.
Make Malware Detection a Priority
Is your site protected against viruses and malware? In case you’re a little fuzzy on the differences, a virus is a specific type of malware. The word antivirus arose in the 1990s more as a marketing tool than anything and referred to unwanted malicious programs that were designed to replicate and spread.
On the other hand, a partial list of currently popular malware includes viruses, spyware, worms, trojans, nagware, adware, rootkits, keyloggers — and the list goes on.
Complicating the matter is that security product manufacturers market their products under both labels, anti-virus and anti-malware. Which do you need? Without getting into a soliloquy on the nuances of this topic, for self-hosted or VPS WP installations, we suggest that you install one antivirus security suite and one good malware scanner.
You can define “good” however you like, but suffice to say that the usual suspects have good products: Avast!, McAfee, Norton, and the relative newcomer Malwarebytes. Having said that, if you have a WP site on a shared hosting platform, it’s unlikely they’re going to let you into the server management side of things to start installing whatever security software your little heart desires.
With shared hosting, you are stuck with whatever measures your host chooses to take. The good news is that legitimate hosts take client security seriously—they wouldn’t be in business long if large swaths of their network were going down every day. What you can do in this situation is either review the security FAQs on the hosting site or get in touch with tech support and ask questions.
Here’s a list of typical protections offered by a shared host, in this case, Namecheap, which also offers upgrade options like SSL certificates and VPN services for additional fees.
SSL certificates, in particular, are a must-have, and the best WordPress hosts come with them by default. This is because an SSL certificate is critical for establishing trust between a browser and the web server, and for encrypting the traffic between them. As an added bonus, it’s also good for SEO.
Is Your DNS Secure?
Unless you’re really into the technical side of things, the security of a DNS (domain name server) request is probably not high on your list of topics to ponder today. To simplify, a DNS request is the process that matches the familiar www.Google.com you see in the URL at the top of your screen with the set of behind-the-scenes numbers that actually identify the website (for example, Google is 220.127.116.11).
Essentially, the DNS process is like a huge phone book for the internet, for those who remember what a phone book is. The unfortunate part of this hallowed process is that, since it was developed in the early days of the internet, it was not designed with security in mind. Since then, hackers have developed a variety of ways to meddle, most of which are delivered by malware: DNS spoofing, tunneling, and hijacking.
For shared hosts, securing your DNS means you need to have access to the server, which your host will almost certainly not allow. The best action you can take in this area is to check with your host to find out what measures they are taking to secure DNS requests. If you have a bit of technical acumen, this discussion of the problem and some solutions is a good primer on the subject.
A Universe of Secure Software at Your Fingertips
In recent years, an entire industry has arisen offering secured versions of common software. Whether for business or personal use, anyone who goes online should give a hard think to moving away from software like the incredibly intrusive and unsafe Gmail and towards secure email, browsers, and virtual private networks.
- Virtual Private Network (VPN): A VPN can be easily installed as software or an app on any computer or mobile device. Your first action when you’re done reading this article should be to swear a sacred oath never to go online again unless you’re navigating through a VPN-protected connection. The simple version of what it does is create a private encrypted tunnel that not only obscures your physical location but also shields all the data that passes back and forth between your computer and the internet, rendering it unusable to prying eyes. Just be very careful about using free VPNs, as they can often have the opposite effect and put your data at risk.
- Secure Email: If you’re using any of the free name-brand email services (Google, Outlook, Yahoo!, AOL, etc. — all of which flow through unencrypted channels) then you must secretly want to be hacked and spied upon. The good news is that there is a better way. Even with a VPN in place, your web host can still see all your data. For supreme protection, check out secure services like ProtonMail, Mailfence, or Hushmail. These email providers charge a few bucks a month but offer end-to-end encryption, which is the only way to ensure absolute privacy and safety.
- Secure Browser: In case you aren’t aware, your typical free name-brand browser — you know who we’re talking about — will betray you in a heartbeat. The bottom line is they really don’t care about privacy. Here’s what they do:
  - Anyone who gains unauthorized access to your computer can review all kinds of personal information at their leisure. Think bank login details, social security information, or credit card numbers. The list goes on.
  - Even worse, your typical browser is the worst blabbermouth you can imagine. As a matter of daily business, it gladly shares this same information with websites you visit. Social media sites, in particular, drop cookies on your oblivious browser left and right, a sneaky marketing tactic that explains why the internet seems to be reading your mind.
Does this sound like a good strategy? If it doesn’t to you, be aware that there are browsers on the market right now that are built for security. Avoid Chrome, Opera, Microsoft Edge, and Internet Explorer. Instead, check out this list of secure alternatives.
While, obviously, these choices have no direct effect on the security of your website, it behooves you to encourage the use of secure software when possible, especially to customers who visit your site frequently. The more junk they carry on their systems when interacting with yours, the better the chance of cross-contamination.
Improve Your Password Security Game
If you’re still using any of these common passwords in 2020, with full knowledge of the staggering number of cybersecurity threats that exist, you really should be banned from the internet completely.
Not so many years ago, recycling passwords and opting for easy-to-remember combinations could almost be forgiven, but the recent rise of sophisticated multi-factor authentication methods and easy-to-use password manager software has rendered the “There are too many to remember!” excuse irrelevant.
We’ll grant you the reality that you’re drowning in passwords (the average user has almost 200). Every person who spends any appreciable amount of time online probably has to enter dozens of them daily to access the various services and sites they use. But that’s no excuse for ignoring password best practices and choosing something simple that could put you at risk.
A good password manager not only generates impossibly complex passwords, the kind that would take the world’s most powerful computer eons to break, but it also stores them all for you and enters them in the right place when you go to venture into a password-protected page. The best password managers should come with security features such as the latest encryption, data breach alerts, and unlimited installation on multiple devices.
There are such full-featured managers ranging from free to a few dollars per month. Your next step, after software updating, should be to download, install, and USE a password manager.
- Multi-Factor Authentication (MFA, commonly called 2FA): Deploying an additional passcode on top of your typical user and password combination (often sent to your cell phone) has become a common way to greatly enhance WP site security, especially when logging into the backend. We offer several options to start using 2FA, all of them free, so there’s no good reason not to add this tech to your security toolbox.
- Brute Force Attacks: If you recall, we mentioned that brute force attacks are perhaps the most common WordPress vulnerability. This refers to when a hacker sends a malicious bit of software that enters different user/password combinations automatically until it hits on the correct one — hundreds, thousands, or even millions of attempts later.
There are a couple of ways to short-circuit a brute force attack. First of all, don’t leave the username set to the default “admin.” Change it to something harder to guess. Secondly, check out any of these free plugins that detect when a certain number of unsuccessful login attempts have been made and reject any further attempts from that IP address for a period of time.
Do You Look at Your File Logs?
Maybe a better question is: do you even know what a log is in the WP vernacular? File logs are simply where the WP software tracks and records things like who is presently on your site, recent code errors, and any changes made to your site. The process of regularly reviewing this information is called a security file audit, and it’s a REALLY good idea. It is also a critical tactic for troubleshooting problems that arise.
This in-depth discussion of the types of logs you can access and how to read them should be mandatory for any site owner.
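As an added example that is not part of the original article or any Namecheap product, here is a small Python log review that ties the brute force lockout idea from the password section to the log audit habit just described: it walks Apache-style access log lines, counts failed wp-login.php POSTs per IP address, and reports which addresses crossed a lockout threshold within a time window. The log lines are constructed sample data using reserved documentation IP ranges, and the threshold and window values are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log line: client IP, timestamp, request line, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def failed_logins(lines):
    """Yield (ip, timestamp) for every failed wp-login.php attempt.
    WordPress re-renders the login form with HTTP 200 on a bad password and
    answers a successful login with a 302 redirect, so POST + 200 means failure.
    A plain GET of the form is someone viewing the page and is not counted."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        if (m["method"] == "POST" and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def lockouts(lines, limit=5, window=timedelta(minutes=10)):
    """Return {ip: time_of_lockout} for IPs with >= limit failures inside window.
    Mirrors what a login-limiting plugin does; limit and window are assumptions."""
    recent = defaultdict(deque)   # per-IP sliding window of failure timestamps
    locked = {}
    for ip, ts in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= limit and ip not in locked:
            locked[ip] = ts
    return locked

# Constructed sample log (not real traffic). 203.0.113.7 hammers the login form,
# 192.0.2.55 fails twice, 198.51.100.4 logs in successfully (302).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2020:14:01:58 +0000] "GET /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2020:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2020:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [10/May/2020:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2020:14:02:04 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/May/2020:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2020:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [10/May/2020:14:02:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2020:14:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when in lockouts(SAMPLE_LOG).items():
        print(f"{ip} exceeded the failure limit at {when:%H:%M:%S}; block it for a while")
```

Point the script at your real access log instead of SAMPLE_LOG (for example by reading the file line by line) and it doubles as a quick check that any login-limiting plugin you installed is actually catching the same addresses.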
The bottom line is that from the moment your site goes live it will be under attack from hackers and their automated malicious programs on a larger scale than you can imagine. The latest statistics show that there is an attack about every 39 seconds. More than 30,000 sites, most of them small businesses, suffer a breach daily. Some of them survive and some don’t.
You don’t want to roll those dice.
You also don’t have to be a security expert in order to take an interest in the ways and means security is executed for your site or online business. Stay up-to-date with cybersecurity news. Subscribe to a few industry blogs. That way when your host or security guy or gal starts talking to you about the latest threat and how to remedy it you won’t turn deaf, dumb, and mute.
If you’re after new security products or need to refresh expiring ones, you can make big savings in our #CreateFromHome sale, designed to keep you creative during lockdown.
If you’re looking for hosting for your next WordPress site, you can’t go wrong with Namecheap—check out EasyWP for managed WordPress hosting or one of several other great hosting options for websites of all sizes.