Why You Need a New Website Part 2: Security
By: Luther Andal | January 06, 2017
Having a secure website is harder than ever, but it is vital, not only to keep your data safe but also to keep the trust of your customers. Unfortunately, security has become a major issue for websites over the last few years. Hackers are targeting vulnerabilities more than ever before.
Hackers almost always target the most popular software used by websites, such as WordPress, a content management system (CMS). They don’t do this because WordPress is less secure than other content management systems, but because the hackers are lazy. In order to attack tens of thousands or millions of sites, they have to write programs that do the work for them, and this takes effort and time. It makes sense, then, to go after the most popular content management systems such as WordPress, so that they have a much higher chance of success through the sheer volume of sites to attack. Unfortunately, they are very successful because many WordPress sites are not kept current with the latest updates and security patches and are thus left vulnerable to attack by the hackers’ programs.
WordPress is the most popular content management system in the world with more than 25% of websites using the platform. So many are vulnerable, and it is estimated that nearly 4 out of 5 hacked websites are running WordPress. Again, we reiterate that does not make WordPress a bad choice or content management system. The truth is quite the contrary, but it does highlight how often it is targeted and how important it is to keep it up to date and secure.
The question is -- what can you do to keep your site secure?
- Keep any software you use on your website current with the latest updates and security patches. This includes plugins, modules, themes, 3rd party add-ons, integrated software, etc.
- Add an SSL certificate to your site and require SSL on your site. This will add an extra layer of protection for your site visitors ensuring their connections are encrypted to your site. It will also have the added bonus of improving your site’s Google search engine ranking.
- Use strong passwords for your content management system and any other passwords you use for your site. Do not use the same password anywhere else and change it regularly.
- Consider using a CMS feature or a plugin or module to implement a lockdown feature for failed login attempts. This allows you to specify a certain number of failed login attempts before the IP address is banned from logging into the website.
- If possible, consider implementing 2-factor authentication which means site managers use two different login methods each time they log in. For instance, in addition to a username and password combination, site managers can have a security code sent to their phones via text that they then type in to an additional login field. This makes it virtually impossible to circumvent the login on the CMS.
- Change the login URL from the default one. As an example, on WordPress change it from the default yourdomain.com/wp-admin to something unique for your site. This makes it very difficult for hackers’ programs to find the login.
- Secure important directories such as wp-admin on WordPress so that they require a password. This makes it much harder for hackers’ programs to circumvent.
- Be deliberate and careful when adding user accounts to your website, especially administrator accounts. Be sure to require the use of strong passwords, and set up the CMS with a plugin or module to require changing of passwords often.
- Use a file monitor plugin or module that checks your CMS core files regularly and notifies you if they have been changed.
- Make sure you have a scheduled daily, weekly and monthly backup of your site that is not stored on the same server as your website. This will allow you to recover your website quickly if a hacker gained access. Plus it is a great practice to have in place in general. Backups are lifesavers!
That secures your CMS, but what about the server? We highly recommend having your website scanned for vulnerabilities, not just in your CMS but at the server level as well. We will be glad to perform a scan of your site for free. Just click this link and fill out the form and click submit.