Just yesterday I received five phone calls from five different people who had been notified by their hosting provider or customers that their websites had malware.
Some complained that their hosting provider was hacked and now they’re left holding the bag and have to spend the money to fix it. Others had no idea that website malware was a thing and just wanted their sites back online.
Who’s responsibility is website security?
The short answer, yours and the hosting provider.
The hosting provider has a responsibility to secure the servers they are providing.
And it is your responsibility to secure your individual website.
Let me help clarify the situation. If you’re on a shared hosting plan, it is very likely that your website is one of a hundred thousand plus on a single server.
It would be impossible for your hosting provider to provide the necessary security required by an individual website when there are that many sites. Every account, FTP user, and application install (i.e WordPress) creates a new vulnerability.
Which is why you should take the necessary steps to secure your site(s).
Why would someone want to hack me?
I get this question all the time. People think that they have a simple blog that nobody is going to care enough about to hack.
Which, is understandable. The hacks that most people hear about are the ones that make it in the news (i.e Target in 2016).
These hackers typically want three things from you:
- High-jack your SMTP server. They upload a script that uses your relay server to send spam email to hundreds of emails every day. Until your hosting provider shuts down the relay server.
- High-jack your website traffic. They will redirect traffic coming from search engines to their money maker websites. These sites will be branded with your colors and logo, so that visitors think they in the right place.
- Distribute Malware. Have you ever visited a website to have a message pop up that says you need to update your Flash player and when you click on it you end up with a virus on your computer? That is one way that virus gets delivered, from hacked websites.
If you have a website that is hosted on a hosting account, you should have Website Security!
How to secure your website
- Use strong usernames and passwords
- Change your passwords often
- Install an SSL certificate
- Limit login attempts
- Monitor the site for malware daily
- Use a firewall to block the malicious traffic
Use strong usernames and passwords
Look, I know you want to use the same password you use for everything else because you don’t want to have one more password to remember. But do yourself a favor and use a app that tracks logins for you.
I use 1Password (available for Mac and Windows) and KeyChain (Mac built in app).
Let’s talk usernames for a minute. Never user admin, administrator, webmaster, your name, your website url, or anything that can easily be figured out by visiting your site.
There is a thing called brute force attacks that are common on WordPress websites, don’t make it easy for them to hack your WP Admin!
Change your passwords often
Often? I always recommend quarterly.
Most large corporations have this protocol built into their network systems that require their employees to generate a new password every three months in order to have continued access to the system.
This isn’t a big deal if you use a spread sheet or a user management system like I mentioned above.
You’ll want to change your WordPress user password, cPanel passwords, FTP passwords, and any other passwords you have that are connected to your website.
Install an SSL certificate
An SSL will not keep hackers out of your site. However, it will keep them from being able to see personal information that is transferred from your website to another.
For example, if there is a form on your site that once filled out and submitted sends that info to another site, that info is transferred over the web for anyone who knows how to grab it.
Let’s get specific, if you have a cart or checkout on your site that collects customer info, name, address, phone, email, and then transfer to say, PayPal for processing the payment, that customers info is being passed to PayPal, and without the SSL is NOT encrypted.
An SSL protects you and your customers from unnecessary risk. You could be held liable if the customer info was stolen while using your website.
Limit login attempts
As mentioned, hackers will run a brute force attack against your WP Admin login page, so having a solution to limit the logins will automatically block IP address and lock down the login page making people wait 30 minutes or however you configure to try again.
Some limit login plugins will also add some form of human verification to the login page, asking to complete a math problem, which the hacker scripts can not do.
Some of the security plugins listed below have these features built-in.
Monitor the site for malware daily
You will want this to be automated, otherwise you have to manually run a scan on the site, which will get old real quick.
The key to this is knowing when you have issues so that you can stay on top of things and make sure they get handled quickly.
You can use a free and/or paid plugin that will allow you to do these scans. These are a couple of the plugins I recommend:
These plugins will also monitor other important things too.
Use a firewall to block the malicious traffic
A WAF, or Web Application Firewall, will intercept and inspect all incoming requests to your website and strip them of any malicious requests before they arrive safely at your website.
Simply put, it stops the hackers, hacker bots, and malware from getting to your website in the first place.
The best firewall available is from Sucuri, they’ve been providing website security for 8 years and are the leaders in the industry!
So. Do you really need it?
The short answer, Yes!
It’s not a question of if, but when will your WordPress website be hacked.
I guess it really depends on if you want to be proactive or reactive.
Would you rather have piece of mind and know you won’t have to deal with a hacked website and the associated risk?
Would you rather just wait for it to happen and pay someone to clean up your site and deal with it then?
The best course of action
Don’t get yourself overwhelmed thinking about the additional work and all the pieces you’ll have to figure out.
You just need to make one decision.
Do you sign up for my service to maintain your site for you, or do you just sign up for Sucuri’s Website Security.
If you want to manage and monitor this yourself, you’ll want to signup for Sucuri. If you want to set-it-and-forget-it, then you’ll want to signup for my maintenance service!
Either way, it only takes a couple clicks and your’re good to go.