How do WordPress websites get hacked?

If you think that your business is too small for your website to be hacked, then you’re wrong! Cyber security is a growing industry and the number of small business sites that are hacked continues to increase every year. Just as you take precautions to secure your home against thieves, you need to take similar precautions to secure your website against hackers.

If you’re running a WordPress website (the world’s leading CMS, i.e. content management system for websites), there are already some security features in place. However, on the flip side, web publishing software is targeted by hackers because sensitive data may be stored there. When you compare CMS software across the globe, there are no platforms that are impervious to attack; even the best content management system, therefore, needs some additional security measures in place.

Three ways hackers can access a WordPress website

1. Unsecured hosting servers

Hosting is where your website’s files, databases, and settings are stored. Sometimes email accounts are set up there too. You could be in big trouble if it’s not set up correctly.

Think of the hosting server as a block of units and your website as one of the units within this block. If the main door to the block is left open, thieves can quickly gain access to the whole block. Once inside the building, thieves can take their time to break into any number of units. Your hosting server is like this block of units, and if hackers can gain entry through an open door, they are one step closer to hacking into your website’s CMS.

This means that you need a hosting server that is buttoned up tight. Consider the following:

  • Avoid shared servers and look for a managed hosting package that includes regular maintenance, upgrades, and backups.
  • Limit which files and folders can be modified, which makes it much more difficult for hackers to gain access via insecure code within website themes and plugins.
  • Log all actions on the server, so that any hacking attempts are logged, making it easier to trace the culprits and block them.
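The second point above, limiting which files and folders can be modified, is easy to check for yourself. The script below is an added example (not GO Creative's code, and not a WordPress tool) that builds a small, constructed WordPress-like directory with two common mistakes (a world-writable uploads folder and a world-writable plugin file), reports them, checks whether wp-config.php defines the real WordPress constants DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS, and then applies the usual baseline of 755 for directories, 644 for files and 600 for wp-config.php. Directory names, file contents and the permission baseline are assumptions for the demonstration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Real WordPress settings read from wp-config.php:
# DISALLOW_FILE_EDIT removes the theme/plugin code editor from wp-admin;
# DISALLOW_FILE_MODS additionally blocks installing and updating plugins and
# themes from the dashboard, so code only changes through your deployment process.
HARDENING_CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")

_DEFINE_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*(true|false)\s*\)", re.I)


def build_sample_site() -> Path:
    """Constructed sample tree (assumption for the demo) with typical mistakes."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "plugins" / "demo").mkdir(parents=True)
    (root / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'wp');\nrequire_once ABSPATH . 'wp-settings.php';\n"
    )
    (root / "wp-content" / "plugins" / "demo" / "demo.php").write_text("<?php // demo plugin\n")
    # "Make it work" mistakes: uploads chmod 777, plugin file chmod 666
    os.chmod(root / "wp-content" / "uploads", 0o777)
    os.chmod(root / "wp-content" / "plugins" / "demo" / "demo.php", 0o666)
    os.chmod(root / "wp-config.php", 0o644)
    return root


def find_world_writable(root: Path) -> list[str]:
    """Paths (relative to root) that any local user on the server could modify."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            if p.stat().st_mode & stat.S_IWOTH:
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


def config_hardening(wp_config: Path) -> dict[str, bool]:
    """Which hardening constants are defined as true in wp-config.php."""
    defined = {m.group(1).upper(): m.group(2).lower() == "true"
               for m in _DEFINE_RE.finditer(wp_config.read_text())}
    return {c: defined.get(c, False) for c in HARDENING_CONSTANTS}


def harden(root: Path) -> None:
    """Apply the baseline: 755 directories, 644 files, 600 wp-config.php, and
    define any missing constant before wp-settings.php is loaded (defines placed
    after that require_once would come too late to take effect)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(Path(dirpath) / d, 0o755)
        for f in filenames:
            os.chmod(Path(dirpath) / f, 0o644)
    cfg = root / "wp-config.php"
    missing = [c for c, ok in config_hardening(cfg).items() if not ok]
    if missing:
        lines = cfg.read_text().splitlines(keepends=True)
        idx = next((i for i, l in enumerate(lines) if "wp-settings.php" in l), len(lines))
        lines[idx:idx] = [f"define('{c}', true);\n" for c in missing]
        cfg.write_text("".join(lines))
    os.chmod(cfg, 0o600)


def audit(root: Path) -> dict:
    return {
        "world_writable": find_world_writable(root),
        "config": config_hardening(root / "wp-config.php"),
    }


if __name__ == "__main__":
    site = build_sample_site()
    print("before:", audit(site))
    harden(site)
    print("after: ", audit(site))
```

Run it against a copy of a real site root rather than the live one first, and remember that a managed host may own the web root under a different user than PHP runs as; the world-writable check is the one that matters regardless of that layout.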

2. Unmanaged software

Using the same analogy as above, you can think of plugins as tradies who come into your home. You hope they’re trustworthy and you do your due diligence, but it always comes down to crossing your fingers. Plugins are like these tradies, because you hope that they’re secure and you cross your fingers that the developer keeps them updated with patches to prevent a security breach. The problem is that plugins often aren’t updated, so hackers can quickly gain access to your website’s content management system through flaws that are already known.

The solution is to remove any plugins that are no longer updated by their developers, as these are an open invitation to hackers. Abandoned plugins will eventually be removed from the WordPress plugin directory, but can you wait that long? Your best strategy is to engage a website developer to review any plugins you want to install on your site to ensure that they’re not a security threat. Then get them to update all your plugins every month, so they can identify any security issues immediately. It’s also a good idea to keep WordPress itself updated, as these updates include new security patches. Your developer can test these updates in a staging area to ensure that they don’t crash your site due to incompatibilities.

3. Insecure logins

If a thief has the key to your home, they can walk right in! This is why hackers use brute force tactics to get your username and password details. These hacking bots can run through hundreds of commonly used passwords and logins (admin is a very common username!) and quickly gain access to your website. This is one of the most successful ways that hackers break into WordPress sites.

The solution is to use strong passwords and delete all user accounts that are no longer used. You can also install a security plugin, but hackers can hack the security plugin! So, the best option is a server-based security software solution.
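Whatever server-side protection you choose, the brute-force attempts described above leave a very recognisable trace in the web server's access log: many POST requests to /wp-login.php from one address in a short time. The detector below is an added example (not GO Creative's tooling and not part of WordPress) that parses Apache/nginx combined-format lines and flags any address whose login POSTs exceed a threshold inside a sliding time window. The log lines are constructed for the demonstration, using the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24, and the threshold and window values are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return the fields we need, or None for lines that are not access-log records."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map ip -> peak number of POST /wp-login.php requests seen inside any
    `window`, for addresses that reached `threshold`. Assumes the log is in
    chronological order per address, as a normal access log is."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# --- constructed sample log (assumption for the demo) --------------------------
def _entry(ip, when, method="POST", path="/wp-login.php", status=200):
    return (f'{ip} - - [{when:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" '
            f'{status} 2400 "-" "Mozilla/5.0"')


_T0 = datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # bot: eight login POSTs in about 20 seconds
    [_entry("203.0.113.5", _T0 + timedelta(seconds=3 * i)) for i in range(8)]
    # a person: one page load, one failed try (302 back to the form), one success
    + [_entry("198.51.100.7", _T0 + timedelta(seconds=10), "GET"),
       _entry("198.51.100.7", _T0 + timedelta(seconds=12), status=302),
       _entry("198.51.100.7", _T0 + timedelta(seconds=40), status=302)]
    # slow guesser: six POSTs, one every 100 seconds, stays under a 60 s window
    + [_entry("203.0.113.9", _T0 + timedelta(seconds=100 * i)) for i in range(6)]
    + ["this line is not an access-log record"]
)

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))          # {'203.0.113.5': 8}
    print(detect_bruteforce(SAMPLE_LOG, threshold=2, window=timedelta(seconds=120)))
```

Note that the slow guesser is only caught when the window is widened; real tooling keeps a longer window and a lower rate for exactly that reason, and combines the count with the response status (a 302 back to the login form is a failed attempt in WordPress, while a successful login also redirects but to wp-admin).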

Our top website security tips:

  • Update your password to something secure. This can be completely random, or, if you want something you can easily type, use a simple pattern such as a symbol, then 3 numbers, then two words with a capital letter each, e.g. %947StolenBooks.
  • Enforce 2FA (two-factor authentication) for all WordPress admin logins (and offer the option to customers that log into an account on your website too). We use and recommend Keeper for shared 2FA codes and password management, with Daito being another great option for accessing 2FA codes within your organisation (without requiring a mobile device).
  • Use separate logins for all website users so that no one is sharing passwords.
  • Set up email forwarding when staff leave your organisation. Set their old email to forward to an email address that can still be accessed by someone else (e.g. admin@…). This way, if the staff member had a login for any important apps or websites that no one else has access to, they can still be accessed by performing a password reset then updating the email address within that app/website.
  • Enable maximum security features in your website and other software. Yes, some security steps such as 2FA can be annoying, but is it worth the risk of your website being hacked, no matter how small that risk may seem?

No matter what website content management system you’re using, whether it’s free CMS software like WordPress or an enterprise solution, ensuring your data is secure is absolutely paramount. Sitting well within the top 10 content management systems globally, WordPress can be a big target for hackers, so make sure you’re always one step ahead.

GO Creative has decades of experience developing and supporting WordPress websites. Contact us now if you’re ready to take your website security seriously.
