Nobody would ever want to hack your website, right? You own a small business. You do GREAT things online and in the world. Your mission is to serve others.
So, why would someone ever want to get into your site? It’s actually an easy answer…for the money. If this makes no sense to you, read this article for more info on why your small site is a target.
Unfortunately, every website out there is vulnerable, and it’s up to you, the site owner, to make sure that your site doesn’t become an easy target and that you’ve protected your site from hackers.
You must find the answer to the question, “How do I secure my website so it’s safe?”
There are lots of complicated tactics out there, and there are some much simpler, code-free strategies that will work effectively to protect you and your website.
#1) Use complicated passwords and DON’T share them
Create crazy long passwords. I use LastPass to create, share, and store passwords and the passwords it generates are long and complicated.
Don’t use passwords like 123456 or abcdefg. And make every password that you use different, especially when it comes to your website.
Also, don’t share your passwords.
This seems like the most obvious one, but really, the most common way people get passwords is by asking for them! You can set up all the security in the world, but if you get fooled into sharing a password with an untrustworthy soul, all of your security precautions don’t matter at all.
Be careful about who you share passwords with and HOW you share them.
Don’t ever email them, text them, or post them in your project management tools where other people might be able to have access to them.
Instead, use a tool like LastPass, which is what I also use to share passwords with clients, team members, and even family. Someday, I hope my young adult children will get their own Netflix accounts, but for now, we use LastPass to share and store vital entertainment passwords.
If you don’t use a password tool but need to give your TRUSTED web designer or developer or even a friend your password, do it over the phone and make sure they’re storing it securely.
#2) Use a reputable hosting company
I strongly recommend SiteGround as a host. It’s where I host all of my own sites as well as the host I recommend for my clients. They do regular security checks and daily backups of websites.
I have never had a problem with any sites hosted on SiteGround. Unfortunately, I can’t say that for some other big, but not so great, web hosts.
#3) Keep your plugins and themes updated regularly.
Outdated plugins can provide “back doors” for hackers to get into your site. Be sure to monitor your site on a weekly basis to keep it updated. This post walks you through several different options for easily and safely backing up and updating your plugins and themes.
#4) Delete any themes or plugins that you don’t use
Do you have any themes or plugins on your site that you don’t even use? That aren’t even activated? If so, delete them. Keep your site as lean as possible.
However, if you’ve used a designer/developer to build your site, PLEASE don’t start randomly deleting plugins that you think you don’t use but that might be crucial to your site. Only delete those plugins that have been deactivated and aren’t used at all. Or, check with your developer before you go on a deleting spree. Thanks!
#5) Keep WordPress updated
WordPress comes out with occasional updates, many of which contain security fixes. For example, as of this writing, the most recent WordPress update, released on July 5, 2018, included a security fix.
It’s super important to keep WordPress updated so hackers can’t take advantage of your site. WordPress is great about alerting you if your site needs updating, and you’ll also see a notice when you log in. Just be sure to run a backup of your site prior to updating.
#6) Use SSL encryption
This sounds techie, but it’s not. Remember, this is a “no code” post. SSL stands for Secure Sockets Layer, and all it means is that any communication between your website and another site is encrypted. For example, when somebody makes a purchase on your website, you want their credit card information to be encrypted before it travels to your credit card company processor.
To see if your site is using an SSL certificate, look in the URL bar at the top. If you see a little green lock and the word Secure, you’ve got an SSL certificate. Congrats!
Some hosts (like SiteGround) provide free SSL certificates. If you don’t have one installed, log in to your host and go to your cPanel.
Scroll down to the Security section of your cPanel and click on “Let’s Encrypt.” That’s a free SSL option. Not all hosts provide this option for free, however. You might have to pay for it.
On the next page, choose the domain you’d like to install the SSL certificate on. Then, select the Let’s Encrypt SSL button and click Install.
Next, go back to your website’s dashboard. Under Settings, click on General.
Under the General Settings, make sure that you change the URL for your site to https, rather than http. Then, be sure to Save your changes.
And that’s it! Now your site will be secure, which is important both for your SEO and for your visitors who might want to pay you.
#7) Change the standard login page
If somebody types in your URL followed by wp-admin, and you’ve got a WordPress site, they’ll go to the standard login page where they can try to log in. They also know that you’ve got a WordPress site!
The easiest way to avoid this is with a plugin called WPS Hide Login.
Go to your Plugins page and click Add New. Search for WPS Hide Login. When it comes up, click Install and then “Activate.”
Once it’s on your site, you’ll see this box. If you don’t automatically see this box, hover over Settings in the left dashboard menu, and click on WPS Hide Login. Scroll down and you’ll see it.
You can name your new login page whatever you want. Just be sure to bookmark it, so the next time you go to log in, you can.
#8) Use a Security Plugin
There are a handful of highly recommended security plugins. The most popular are Wordfence, Sucuri, and iThemes. I use Wordfence, and it’s what I install on all of my clients’ sites.
The default settings are great, but if you want to tighten up security a bit, you can by using the Brute Force Protection settings. This means that if a malicious bot is trying and failing to access your site, they’ll get locked out.
First, install the Wordfence plugin (if you don’t have it installed already). They have both free and premium versions.
Next, click on Tools under Wordfence in the left-hand dashboard. Scroll down to Firewall Options.
Click on the arrow next to Brute Force Protection. Make sure it’s turned on and revise your settings to the ones below.
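For readers who want to see what a brute-force lockout rule does behind the scenes, here is an added Python example (written for this post, not Wordfence’s code). The thresholds and the log lines are constructed for illustration and are not Wordfence’s defaults.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy for illustration only; not Wordfence's defaults.
MAX_FAILURES = 5                  # failed logins allowed per client...
WINDOW = timedelta(minutes=10)    # ...within this sliding window
LOCKOUT = timedelta(hours=1)      # how long the client is then blocked

# Constructed sample log: timestamp, client IP, username tried, result.
SAMPLE_LOG = """\
2018-07-10T09:00:01 203.0.113.7 admin FAIL
2018-07-10T09:00:03 203.0.113.7 admin FAIL
2018-07-10T09:00:05 198.51.100.20 jane FAIL
2018-07-10T09:00:06 203.0.113.7 administrator FAIL
2018-07-10T09:00:09 203.0.113.7 test FAIL
2018-07-10T09:00:12 203.0.113.7 admin FAIL
2018-07-10T09:00:15 203.0.113.7 admin FAIL
2018-07-10T09:00:40 198.51.100.20 jane OK
2018-07-10T09:30:00 203.0.113.7 admin OK
"""

def apply_lockout(log_text, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
    """Replay a login log; return ({ip: locked_until}, {ip: rejected_count})."""
    failures = defaultdict(deque)   # ip -> times of recent failed logins
    locked_until = {}               # ip -> when its lockout ends
    rejected = defaultdict(int)     # ip -> attempts refused while locked out
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                # ignore blank or malformed lines
        when, ip, result = datetime.fromisoformat(fields[0]), fields[1], fields[3]
        if ip in locked_until and when < locked_until[ip]:
            rejected[ip] += 1       # refused before the password is even checked
            continue
        if result != "FAIL":
            continue                # a successful login is not counted
        recent = failures[ip]
        recent.append(when)
        while when - recent[0] > window:
            recent.popleft()        # forget failures older than the window
        if len(recent) >= max_failures:
            locked_until[ip] = when + lockout
            recent.clear()
    return locked_until, dict(rejected)

if __name__ == "__main__":
    locked, rejected = apply_lockout(SAMPLE_LOG)
    for ip, until in locked.items():
        print(f"{ip} locked out until {until}, {rejected.get(ip, 0)} later attempts refused")
```

In the sample, the visitor who mistypes once and then logs in is never blocked, while the client guessing usernames is refused even when it finally submits a working password.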
#9) Set up 2-Factor Authentication for Logging in
Two Factor Authentication means that after you log in, you’ll have to enter a code from the Google Authenticator App on your phone. This can be a bit of a pain as it adds one more step to logging into your site, BUT it is highly doubtful that a hacker will have your passwords AND your phone.
Happily, Wordfence has Two Factor capabilities. To set it up, first install the Google Authenticator App on your phone.
Next, go to Wordfence -> Tools. The first tab is the Two Factor Authentication tab. Click on that.
Enter your username for your website.
Click the button next to “authenticator app” and click “enable user.”
A bar code box will pop up for you to scan with your phone which will link the two. Next, type in the authenticator code from your phone and it’s all set up!
These steps are not a 100% guarantee that your site won’t get hijacked and filled with malware and sketchy advertisements, but they will definitely help!
You don’t want your site to be an easy target, and if you secure and maintain it, you won’t be. Take these steps and you can say with confidence that “I know how to secure my website!” Now, pat yourself on the back and rest easy.
Let me know in the comments if you’ve got any questions.