Website security has never been more critical. Hackers, ransomware, and denial of service attacks are all concerns for modern business websites.
Nothing will erode your audience’s trust in you faster than visiting your website and getting a security warning, or having Google flash a “You can’t trust this site” message in your search results.
Even worse, have you ever navigated to a site, started reading, and then been suddenly redirected to some spammy, shady-looking sweepstakes page? Or worse … you try to press the back button, and you can’t?
I have. It’s a pretty good sign that something got hacked on the original site, whether it was the site itself or a piece of code, like an ad script. It definitely makes me think twice about visiting again.
Don’t make your website visitors think twice!
With WordPress, the power of the platform is also the reason that security holes can develop and be exploited. While the ability to mix various themes and plugins with the content management system provides that flexible power, it also increases the potential for malicious access.
So, how can you protect your website from the evildoers who will stop at nothing to harm it for their own nefarious purposes?
The first step below is the most important.
Step #1: Choose a security-focused hosting provider
The most important security-related decision you will make is where you host your website. As you peruse different hosting options, or step back and review your current host from this perspective, ask this simple question:
What does my host bring to the table in terms of security?
You need a host that is specifically designed to provide an integrated environment that keeps your website safe from the bad guys.
What does that look like?
Well, a strong host should essentially take care of the rest of these steps for you. Sounds like a pretty sweet deal, right? Absolutely.
You don’t want to stress about security; you want to work on your content to build relationships with your audience members who will hopefully become future customers.
So, let’s look at these other steps and see what your hosting provider should deliver to you.
Step #2: Have automatic WordPress updates in place
The beauty of open source software like WordPress is that there are thousands of people constantly making it better, as well as thousands of eyes looking for security issues.
But it’s generally up to you to make sure you update your version of WordPress when there are problems with a previous release.
This means you have to keep track of when WordPress updates are available, back up your site, and then cross your fingers that the update doesn’t bork something. And then do it again a few weeks later when a new update is out.
That’s cumbersome. And it can be stressful. But it’s necessary.
The best solution is hosting your site with a provider that has an automatic update feature — and to turn it on, if it’s not on by default.
Then, your host essentially takes this responsibility and pressure off your plate. That’s good. That’s the value you pay for.
Step #3: Respect the risk presented by themes and plugins
The next question is: will the themes or plugins you want to install add security holes?
If your host comes bundled with themes and recommended plugins, then you can feel confident that everything will play nicely together and be as secure as it can be.
Shoddy theme and plugin code leads to easy access for hackers. Plus, it can kill your site speed and performance. A double whammy. This is why using themes and plugins that have been fully vetted by a security-conscious host is a smart idea.
Take the Genesis Framework, for example. This is the framework on which all themes are built at StudioPress.
Not only does the well-coded Genesis provide a strong line of defense, it also auto-updates when a new version is released and adds a layer of protection on top of the newest version of WordPress.
Plugin security is important too. First you must carefully select which plugins you allow into your site’s environment, and then monitor those plugins to make sure they are always updated to the latest version.
Plugins can be the blessing and the curse of WordPress, and you want to stay vigilant about keeping them updated at all times.
Helpful hint: If you’re running a plugin that does not update quickly after new versions of WordPress come out, start looking for a new plugin. It might mean that the plugin developer has abandoned the plugin, which doesn’t bode well for future improvements. At best, you’ll be using an outdated plugin, which is a recipe for security disaster.
Now let’s discuss two more areas where you and your hosting provider need to be really serious about security.
Step #4: Protect your site from DDoS attacks
Have you ever heard of a DDoS attack?
You’ve probably heard the term, even if you didn’t know what it means.
A distributed denial of service (DDoS) attack is a brute force attack in which multiple compromised systems (for example, bots) flood your site with traffic.
You need to make sure that your site’s host has proactive technology that allows it to detect and mitigate attacks quickly, while repeat offenders are detected and banned accordingly.
Good WordPress hosting will probably have some kind of proprietary technology in place for this — something like an “always on” intrusion prevention technology that works continuously to keep your WordPress install safe from vulnerabilities, intrusions, and exploits.
You would be wise to ask your host how they handle DDoS attacks, and you should hope they have a detailed explanation.
DDoS attacks are a serious problem, and they need to be treated with serious solutions.
Step #5: Deploy continuous malware monitoring
Finally, you need continuous malware monitoring. This really isn’t negotiable.
Unless you constantly monitor all of the folders and files that make up your website, how will you know if a hacker has broken in and left something?
Not all hacks and malicious code reveal themselves immediately in a public, obvious way.
And if your site has a ticking time bomb buried within it — really, if it has anything in it that you didn’t put there yourself — you need to know about it so you can take action.
Many WordPress hosting providers partner with Sucuri for continuous malware monitoring, scanning, and remediation. If malware is found, the host (via Sucuri) takes the responsibility of removing it so you don’t have to worry about it.
Additionally, most hosts (any one worth using, that is) also scan for advanced threats, including conditional malware and the latest cyber intrusions. This should all be included as part of your hosting plan.
Adequate website security shouldn’t be an add-on that you pay more for, or something you have to completely rely on third parties for. Strong security should be a standard part of any web hosting package, so make sure you have it.
What should you do next?
I’d like you to pick one of the following actions. You can either …
Option #1: Create a recurring calendar or to-do list item that reminds you to check every other week for WordPress, plugin, or theme updates.
This way, you’ll never go more than two weeks without checking, if for some reason you don’t happen to log in to your WordPress dashboard and/or miss the alerts in there.
Now, if your hosting provider has automatic updates for WordPress and even your theme and certain plugins, you may not need to do this. Just make sure the automatic updates are turned on. Then you can choose option #2 …
Option #2: If you don’t already know, ask your hosting provider how they are protecting you from DDoS attacks and malware injections. You may need to put in a support request, or find the answers in your host’s knowledge base or documentation.
You need to know this, even if it’s just for your own peace of mind.
I hope those options help direct your next step for today. Let’s keep building powerful, successful, and secure WordPress websites together.
Need recommendations for hosting and security providers?
Then you need to check out The Copyblogger Guide to the Best WordPress Tools: Hosting, SEO, Security, Plugins, and More.
Over the years, our team has researched, tested, and used thousands of essential WordPress tools, and we’ve shared useful advice on all the most important WordPress topics:
- What WordPress hosting is the best choice for your site?
- What kind of security precautions do you need to take?
- What SEO plugins and services should you purchase?
- What other tools and plugins do you need to spread your words, build an audience, and drive business results?
On this page, we’ve distilled our best, most current WordPress recommendations, to answer all these questions and more.
If you’re going to use WordPress to build an audience or support a business, this is your one-stop-shop for all the basic tools and services you absolutely must have.
Reader Comments (4)
Candid Writer says
I think it’s fair to say that we all think about website security to “some” extent and the reality is that it’s getting more and more cumbersome for all of us with blogs and businesses that we’re trying to operate online.
We must provide our visitors with a pleasant experience and not one whereby they are being bombarded with things that aren’t related to your blog.
As you mentioned in your post, I completely agree. Don’t make the visitor think twice about your website because of what’s transpiring while they are there on the page they’ve navigated to. When you instill a sense of fear in the visitor about something unusual going on, trust me ... they aren’t coming back.
Additionally, being mindful about your hosting provider is a great piece of advice and connecting that to a mindset of the strength of website security is extremely important and not something to dismiss. It can be the difference between protecting all of your hard work or losing it all due to poor security or attention to it in the first place.
With that said, to basically piggyback off of what you’ve mentioned regarding protecting your website against DDoS attacks and your mentions regarding plugins and themes, looking at WordPress plugins that focus on beefing up your basic WordPress security like adding a firewall and brute-force protection will be extremely valuable assets to your overall blog security.
Kenny says
Thank you for this article. One area I would mention is to update to a different theme if the one being used has not been updated in a while. WordPress sites, while an extremely great CMS, are a playground for malicious activity. People will find holes.
Having experienced a hack myself, I think that these recommendations cannot be stressed enough. Every site owner, WordPress or not, needs to take advantage of security tools that are available either through the hosting provider or plugins. You don’t want to find yourself blacklisted from Gmail because someone hacked a vulnerable theme to spam email through your account.
Neil says
Hi,
I think the advice given in #3 is really good advice. A lot of WordPress website owners out there are totally unaware of the risk posed by using different plugins that have been knocked together without considering security issues. Not only are they unaware of the risk but they are totally unaware that they need to keep these plugins updated regularly.
In relation to #1, something else to add here is to find a hosting company that can provide seamless backups and restores. When all else fails and your site has been hacked then you need an easy way to get the latest clean version back up there.
Noelle Addison says
Thanks for these website security tips. Many security problems are often due to a lack of attentiveness. If you don’t take your security seriously, you are vulnerable to an attack, and it doesn’t matter if you’re a large ecommerce store with thousands of customers, or if you’re a small-time blog with only a few hundred readers.