The internet, just like the real world, can be a wonderful, but also a scary place. There are many risks that come with having a website, but today I want to focus on hacking – an ever-present threat for every business, large and small.
There seems to be a belief, especially among small business owners, that they’re too small to be noticed by hackers. They’re not aware that most hackers use automated tools to find vulnerable sites.
Hacking is not just about stealing data.
Hackers also want to enlist compromised small business sites in attacks on other sites, and any site can serve that function.
Even if you’re not collecting sensitive data on your website, you’re still at risk. According to this article by Security Week, 18,500,000 websites are infected with malware at a given time each week, and an average website is attacked 44 times EVERY DAY!
All it takes is one piece of malicious code dropped into your site, where it can lie dormant for months before being activated.
The fact is, new vulnerabilities are found every day and one line of code in a theme, plugin or WordPress core can open you up to thousands of breaches.
The good news?
It’s really quite simple and inexpensive to protect yourself from that happening, but you have to follow some best practices.
But before we get to those best practices, let’s take a step back and ask a very important question.
Why should you be concerned about being hacked?
Time is money.
Cleanup can take anywhere from hours to days, all of which means lost traffic to your website… and, consequently, fewer leads and less potential revenue for your business.
You could disappear from search engines like Google.
Most search engines, including Google, take prudent measures to protect users from hackers, including removing your website from search results if they think it could be harmful to visitors.
Once Google determines your website has been compromised, it will blacklist your website, and modern web browsers will display a warning that your website contains harmful programs and prevent users from accessing it.
No one visiting your website! Yikes!
Damage to your business reputation.
Clients don’t want to visit a site that could infect their computers, and it only takes one upset person to spread the word. Your website is supposed to help bring you business… the last thing you want it doing is LOSING potential leads!
So how do you protect yourself?
Now it’s time to get into those best practices I mentioned.
Use strong passwords.
I know that every website you register with these days tells you you need a 73-word password that includes numbers and letters and symbols and hieroglyphics. The fact is, your password should not be easy to guess.
I realize this sounds obvious, but I wouldn’t be mentioning it if weak passwords weren’t an epidemic, and a very common way people get hacked.
Truly strong passwords will be a minimum of 12 characters in length. Some resources say 12 or more, others say 15 is the minimum for truly strong passwords. Basically, the longer and more random it is, the better.
Of course, I realize that makes it a bit difficult for our overburdened brains to remember.
So, with that in mind, you may want to look into a solution like LastPass. LastPass is a password management service that gives you the ability to record all your passwords in a single, strongly encrypted location.
You still need a password to unlock the encrypted file, so you only have to remember one password, but that one password has to be a strong one!
If you’re going to lock up the keys to all of your online accounts with just one password, don’t be using your mother’s maiden name as the master key!
Keep your WordPress up-to-date.
This includes WordPress theme updates, version updates, and plugin updates.
You may need web development support here, as updates don’t always go 100% smoothly (so give us a shout if you would like some help on this front). But if you have a proper backup system in place, you should feel confident running those updates from your WordPress dashboard, knowing that if an update doesn’t go smoothly, you have a backup you can rely on to put things back in order.
Choose a unique username.
While WordPress no longer sets “admin” as the default username when you install the WordPress.org software, many people still seem to choose to set that up as their login username, so I would caution you against doing this.
Since so many people still choose this username, brute force hackers often go after WordPress sites that use it. In simple terms, a hacker goes to the login page on your website and tries every password they can to see if they can get in.
These are automated attacks, and they go after thousands of websites, all targeting the ‘admin’ username.
So using ‘admin’ puts you at a higher risk, especially if you have a weak password.
Use professionally trusted security solutions to protect your site.
I like to recommend Sucuri, a web monitoring and malware cleanup service that frequently scans your website and alerts you if you’ve been hacked or infected.
As part of its services, it also provides advanced protection services, and I can tell you that every client we have on Sucuri has been spared entirely from security threats.
While Sucuri comes at an elevated cost (and so it should, for the services it provides), there are more cost-effective solutions that can protect your website if you are on a stricter budget.
Here are two available options:
iThemes Security Pro
iThemes Security Pro is easy to set up, so if you’re DIYing your site, this is the route I’d probably recommend to easily add a layer of protection to your website.
It should be noted that iThemes Security Pro is a plugin for preventative measures but does not fully protect your website. It only has partial spam protection and malware cleaning.
Also, it’s important to note that this particular plugin can take up a lot of your website server’s resources, so you may see your website’s speed and performance take a bit of a hit as a result.
Wordfence
If you are a bit more confident with your website tech knowledge, or if you have a developer supporting you, I’d recommend Wordfence over iThemes Security Pro, as Wordfence offers more security than iThemes. It also provides login security, security scanning and other solutions that are beneficial to your website’s security.
However, to set it up properly, it does require some intermediate tech knowledge so you may want or need to have a developer assist you with configuring the plugin properly.
Due to the nature of the plugin, it uses a lot of resources on your website’s server when executing certain tasks which could affect your page load speed.
For example, if you use the iThemes scanner tool, it’s going to hog resources from your website host’s server and, as a result, your website may be slower during this time, and potentially for a few hours (or longer) after. It won’t *always* be slow, but at times it can be, so it’s worth noting.
Make sure you have regular backups using an automated backup solution.
Do not rely on your hosting provider to do your backups!
I highly recommend VaultPress for WordPress users. We like it not just because of its reliability, but also because it’s super affordable – perfect for small business owners like you.
There’s an idiom that says “Hope for the best and prepare for the worst,” and that pretty much sums up how I feel about backups.
It’s very possible that at one point or another, you will find yourself in a situation where your website content can’t be fully recovered. The last thing you want is to have your primary lead-generating marketing tool suddenly out of commission.
This is why solid backups are so important!
Your website is one of your biggest business assets
Don’t leave it vulnerable.
Just as you would do for a home in a busy city, protect your property, and the contents inside of it.
Don’t be a site owner who regrets leaving the door wide open.