Web security is arguably the least fun aspect of managing your own online business. Like all safety measures, web security is easy to overlook until something disastrous happens to your site, such as a customer data breach or other hack.
But, fear not– we’ve rounded up some best practices that all bosses should implement to protect their website, customer data and your company’s reputation.
FOLLOW THESE BEST PRACTICES TO KEEP YOUR WEBSITE SAFE
Use complicated username and password combinations .
It’s such a pain to use complicated username and password combinations, but you must! Avoid using “admin” as the main username that you use to access your WordPress dashboard. Follow the password guidelines in this article for even more instructions.
Having a hard time getting creative? Websites like Strong Password Generator can help you come up with long, complicated combinations for your passwords. Just make sure to keep your passwords somewhere accessible and secure (we like using Last Pass).
Keep WordPress and plugins updated at all times .
WordPress is constantly updating its platform to improve performance, use and security. It’s crucial that you always keep your WordPress updated to keep your site secure and stable. Follow the instructions in this article to automate updates for major WordPress releases.
Before adding a theme or plugin, know what to look for.
WordPress is an open-source technology, which allows for incredible innovation and options from developers all over the world! With that, it’s important that you look for reputable, trusted products when installing themes or plugins. A few things to check for before you install:
- Number of installs vs. number of reviews – this will give you an idea of how many people have not only installed the plugin, but how many approve of its performance.
- Last updated date – an engaged and reliable plugin developer will likely update its plugin once a week. If its been months or years since the last update, don’t install.
- Support center – look through the plugin developer’s Support/Help section (be sure that there is a Support/Help section) to see how robust and responsive their customer service is.
Most plugins and themes will be updated by its developer once a week. To update, you’ll follow the instructions from your WordPress dashboard when you login. You can also follow these instructions to allow certain plugins to automatically update.
Minimize the number of plugins installed on your website.
It’s arguable whether or not adding too plugins can harm your website, but we recommend keeping plugins to a minimum. Adding too many plugins or insecure plugins can lead to slow website speed, crashes or hacks.
We know it can be tempting to add new plugins to your website for added functionality, but choose wisely before installing. Be sure to remove any unused plugins from your site, and before adding new plugins, be sure that one of your existing plugins doesn’t already offer the functionality you’re looking for. We recommend this article which provides a ton of detail regarding plugin best practices.
Change your WordPress login URL (don’t use /wp-admin).
One of the first things that you do when setting up your self-hosted WordPress site is to define the URL that you’ll use to login to your WordPress dashboard. By default the login page will look like www.example.com/wp-admin. We know this, and so do hackers. There are a number of ways to change the “wp-admin” URL string. The plugin WPS Hide Login is a lite plugin that offers this option.
Implement an SSL certificate.
A few definitions: HTTP (HyperText Transfer Protocol) and HTTPS (HyperText Transfer Protocol Secure) are both protocols, or languages, for passing information between web servers and clients. HTTPS is a secure connection, whereas HTTP is unsecure. To migrate your site from HTTP to HTTPS, you’ll need an SSL (Secure Sockets Layer) certificate.
Implementing an SSL certificate on your website is not only good for security, it’s good for your search rankings. A few things to consider:
- HTTPS sites can load significantly faster
- Google flat-out said they would start giving preference to sites with an SSL in 2014.
- In January, Google Chrome began displaying security warnings for web visitors on sites without HTTPS.
- As of September, 2017, Google started implementing even more security warnings for sites without SSL certificates.
Implementing an SSL certificate can be laborious so it’s best to do so right from the launch of your website, if possible. Click here for more detailed instructions on how to enable HTTPS on your website.
Update the .htaccess file to block IPs from all except your site’s administrators.
This gets slightly technical, but a great way to block your WordPress dashboard from unwanted hackers-to-be is to update your .htaccess file to block IPs, groups of IPs or better yet, only grant access to specific IPs, which is what we recommend– no plugin needed! This editing is done through your main File Manager files found in your web host. Here’s a step-by-step instruction guide:
1) Login to your website’s cpanel
Typically accessible via www.example.com/cpanel
2) Click on File Manager
3) Be sure to display Hidden Files (this might be accessed under “Settings”)
Find the Settings dialogue box to display hidden files.
4) Click on the .htaccess file and click Edit
5) Add the following code at the top
Deny from all
# whitelist Jane’s IP address
allow from 99.999.99.99
Add CAPTCHA for Contact Forms and WordPress Login Forms .Have you ever had to tap that “I’m not a robot” box when completing a Contact Form on a website? This is a great way to block insecure bots and other malicious hackers from accessing your forms. Use the Google Captcha WordPress plugin or Better WordPress Recaptcha plugin on your site.
Add a double-login .
Another way to protect your WordPress dashboard is to implement a double login, also known as two-factor authentication. Yes, it’s another username/password for you to remember, but one more layer of security from bots designed to hack into your site. Wordfence is a WordPress security plugin that allows you to setup a secondary WordPress login page, and also automatically blocks IPs with too many failed attempt to login to your website. Other recommended security plugins include Ithemes and Login Lockdown.
This post is part of our series 11 Essential Steps to Launching Your Online Business. We invite you to join the Digital Dame Collective by signing up for our emails to be the first to know when our new posts go live.