Top tips to protect your website from hackers

Many website owners don’t even think about website security until it is too late.  Only when the hackers come knocking do website owners feel the true pain of it all.

Security packages are a bit like an insurance policy: you hope you never need one, and many try (and succeed) to get away without one. But when the worst happens and you have no backups, your possibly expensive website goes down the toilet, leaving you with a massive bill to start again or, if it can be rescued, a fairly large bill to have it rectified.

Why do so many businesses ignore website security recommendations?

Small businesses often stretch their budgets to the max for website development, and security packages aren’t typically included; they’re an extra. What do we all do when faced with an upsell? We tell them to go away. But wait, this upsell is genuinely important.

Whose responsibility is your website security?

Unless you are explicitly paying someone to take care of your website security, the responsibility is yours. Not your hosting company, your web developer or your marketing person. You may be able to find support from these people, but without an explicit website security contract in place you’ll need to pay them to fix it should the worst happen.

So how do I protect my website from hackers?

1) Take regular manual back ups

It’s worth taking a manual backup of your website every so often, even if you have a backup and security plugin. I recently experienced a hacked website where the hacker had gone into the security backup log and deleted them all, so have a manual backup saved on your drive or somewhere external. I always recommend taking a backup before you do any updates too, as sometimes updates can cause unexpected problems.

How do I backup my website?

  1. Install the All-in-one WP Migration Plugin
  2. Activate the plugin and click on it after it displays in the left side bar
  3. Click export
  4. Then click “Export To” and choose where you’d like to store it. Choosing “File” is a good option if you just want a copy on your computer.
  5. Wait for it to finish compiling
  6. Click download
  7. It’s a good idea to rename the backup to include the date and which website it is for e.g. “Speccymedia.com backup May 2019”

2) Keep your version of WordPress up to date

WordPress regularly patch up bugs, update things and stay on top of the fast moving world wide web. With that in mind you should regularly update your version of WordPress.

How do I update my version of WordPress?

  1. Log in to your WordPress site.
  2. Under the dashboard tab, click on updates
  3. You’ll either get a note that says “Your website is up to date” or “An update is available”
  4. If an update is available, take a manual back up first, then press update now.
  5. After it’s done, check nothing looks broken when you view your site.

3) Update your plugins regularly

We all love plugins. They give us helpful code snippets and software without needing a developer to add that functionality for you, but they MUST be kept up to date to avoid security vulnerabilities.

How do I update my plugins?

  1. Login to your WordPress Site
  2. Scroll down to where it says plugins in the left hand sidebar
  3. Click on “Installed Plugins”
  4. The plugins which need updating will have a highlighted orange strip with a prompt.
  5. Take a manual backup if you haven’t already
  6. Click on “update now” within the orange bar
  7. After it’s done, check nothing looks broken and the plugins are still working
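
If you have command-line access to your site, the backup-then-update order from tips 2 and 3 can be scripted. This is an added example, not part of the original post; it assumes WP-CLI is installed as wp and GNU sha256sum is available, and the function names, site name and paths are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: never update without a fresh backup stored outside the site.
# Assumes WP-CLI ("wp") and GNU sha256sum; all names and paths are placeholders.

# Build a dated name such as "example.com-backup-2019-05-14".
backup_name() {
  local site="$1" day="${2:-$(date +%F)}"
  printf '%s-backup-%s' "$site" "$day"
}

# Dump the database and archive the site files into $dest (keep $dest outside
# the web root, so a compromised site cannot delete its own backups).
take_backup() {
  local wp_path="$1" site="$2" dest="$3"
  local name
  name="$(backup_name "$site")"
  mkdir -p "$dest" || return 1
  wp --path="$wp_path" db export "$dest/$name.sql" || return 1
  tar -czf "$dest/$name-files.tar.gz" -C "$wp_path" . || return 1
  # Record checksums so a truncated or altered copy can be detected later
  # with: sha256sum -c "$name.sha256"
  ( cd "$dest" && sha256sum "$name.sql" "$name-files.tar.gz" > "$name.sha256" ) || return 1
  printf '%s\n' "$dest/$name"
}

# Refuse to update if the backup failed; otherwise update core and plugins,
# then compare core files against the official WordPress checksums.
backup_then_update() {
  local wp_path="$1" site="$2" dest="$3"
  take_backup "$wp_path" "$site" "$dest" >/dev/null || {
    echo "backup failed, not updating" >&2
    return 1
  }
  wp --path="$wp_path" core update || return 1
  wp --path="$wp_path" plugin update --all || return 1
  wp --path="$wp_path" core verify-checksums
}

# Usage (placeholders): backup_then_update /var/www/html example.com /mnt/external/backups
```

The checksum comparison only covers WordPress core files, so you still need to view the site afterwards and check nothing looks broken.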

4) Make sure that you buy licensed themes and plugins

Hacks often happen because of unlicensed or out of date software, themes or plugins. If you build your website yourself, this is an important one to remember. So if your friend bought a theme or plugin and you thought it was a good idea for them to send you it to save money, resist the temptation. Themes and plugins have their own verification key which is unique to the purchase, and whilst their version might work on your site, it won’t get the security updates it needs.

Many plugins require annual fees, so don’t be alarmed if your web developer asks you if you’d like to renew later down the line, and make sure you say yes!

Another note on plugins: do your research before you download one. If it sounds too good to be true, it usually is. Plugins can come shrouded in malware or break your website, so make sure that whatever you download has good reviews and is suitable for your setup.

5) Use good hosting

There are so many hosts out there that appear to be offering amazing deals…but if it’s super cheap, there’s usually a catch. Maybe the customer support is rubbish, maybe it’s a slow shared server or maybe the security is rubbish. For good hosting, one of the best out there is probably WP Engine, but it comes at $35 per month which might be too much for some. A cheaper and still good option is Siteground.

6) Install an SSL

An SSL certificate ensures that all data passed between the web server and browsers remains private and intact. The behind the scenes of it are complicated, but either way, you need one. Google likes SSLs and having one boosts your SEO. Without one, your users will be confronted with a big error which will scare them away. Having an SSL gives the browser a padlock in the top left corner and results in your website having an HTTPS prefix. You can get a free SSL from Let’s Encrypt but some hosts don’t accept these and force you to purchase one – another reason to get a good host in the first place! You may also need to pay a developer to install it properly for you.

7) Don’t use simple passwords or the same password for everything

Most clients have insecure passwords because they are easy to remember. If they’re easy to remember, hacker software will find them easier to target, and no, it’s not about someone physically guessing it. Nobody expects you to remember a password which is full of complex letters, numbers and characters but that is what you need. Let me introduce you to an extension that will change your life….password managers!

I use LastPass but there are others like 1Password which work all the same. They work off a master password. It can be your beloved dog’s name (with some extra caps, special characters and numbers please!) or whatever you like, but it’s one password that manages them all. Once sat in your browser, it even puts usernames and passwords into the password fields for you on mobile and on desktop. Give it a try, it’s free, lifechangingly simple and AWESOME.

8) Get someone else to look after your website security

You knew this one was coming…you can always ask a professional to look after your website security. Passing the responsibility of website security to somebody else…weight off your shoulders much? Most web developers and creative agencies offer some kind of security package and you don’t have to get your security from the same place that built your website. Shop around for the best deal. Of course I’m happy to quote you if you’d like!

Can my website get hacked even with these recommendations in place?

Yup. That’s hacking for you, and the busier your website, the higher the risk of being targeted. Hackers are smart and mean. They adapt, get better, find backdoors and beat the security, but with these in place at least you’re at reduced risk.