If your website gets hacked, it’s a big black mark on the reputation of your business. I was reminded of this recently when someone shared an article with me, and my attempt to view it was blocked due to malware present on the website. One of the most important and overlooked security tasks for businesses is protecting their website. I see so many neglected small business websites in my MSP practice that I know this has become a sure-fire threat to many businesses. Many of these small businesses use WordPress as their website platform, and we will look at some ways it can help you and some ways you can secure it to make sure malware and spam do not end up on your site.
Most small businesses contract out their web design and then pay those same people to post the website for them. Then they don’t pay them anything further, which means that the website falls into disrepair. Instead, they really ought to be paying for the maintenance of that site. At the very least, every website requires regular maintenance to stay functional and safe. A website maintenance plan should include the following items:
- Regular backup
- Regular security patching
- Regular plugin and theme upgrading
- Verify contact email
- Security configuration and alerting
Why? Because your website is both the front door and the brochure for your company, at the very least. For some, it’s also a sales and ordering tool. This shortlist of maintenance tasks shouldn’t be expensive. My firm performs these tasks for our clients as part of our regular network maintenance services.
Some suggestions to secure your WordPress website
WordPress has the largest ecosystem of plugins written by third-party developers of any website platform. This means that you’ll find hundreds or thousands of available plugins. Most are inexpensive and help you achieve the basic list that I outlined above. I’m going to show you a couple of my favorites as an illustration, but feel free to use any that appeal to your specific situation. There are many good ones.
Akismet: This anti-spam plugin reviews comments and automatically cleans up the obviously spammy ones. Below you can see that in the past six months Akismet removed 2,001 spam comments from one of my websites, with a 99.95 percent accuracy rate. Akismet comes with my Jetpack subscription. No one wants to see a long list of spammy pharmaceutical (or worse) ads on your website.
Jetpack: This plugin tool has several levels of subscriptions that offer backup and spam protection. Similar to the Akismet anti-spam service, the Jetpack backup solution is very simple to use and captures the changes to your website as they happen. Changes include updates to the plugins that make your site function.
Jetpack will also offer to install all plugin and theme updates for you automatically, but in my experience, updates need to be done carefully because once in a while, you get a bad one.
Wordfence: This plugin is a firewall of sorts to secure your WordPress website. Wordfence looks for and blocks brute-force password guessing and other types of security attacks on your website. You might think, who would bother to attack my website? Well, every spammer and every malware bad guy. They are always looking for neglected websites on which to host their malware files or send out those volumes of spam email we all get.
As you can see, my site gets hit regularly, and this isn’t unusual. Small websites are big targets. In addition to blocking hackers, Wordfence will also alert you if the site is unavailable or needs updates.
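A simple version of the check that Wordfence automates, added here as an example that is not part of the article and not Wordfence’s code: a shell function that counts failed POSTs to wp-login.php per source address in a web server access log (combined log format, the Apache and nginx default) and reports any address at or above a threshold. The log lines are constructed for the example, and the 200-versus-302 rule assumes the default WordPress behaviour of re-rendering the login form with a 200 on a failed login and redirecting with a 302 on success.

```shell
#!/bin/sh
# Added example, not from the article or Wordfence: spot brute-force login
# attempts by counting failed POSTs to wp-login.php per source address in a
# combined-format access log (Apache/nginx default).
# Assumption: on a failed login WordPress re-renders the form (HTTP 200); a
# successful login redirects to the dashboard (HTTP 302). So "POST + 200"
# approximates a failed attempt.

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /about/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'

# Read log lines on stdin; print "IP count" for every address whose failed
# login POSTs reach the threshold given as $1 (default 5), sorted by address.
failed_logins_by_ip() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        # field 6 is the quoted method, 7 the request path, 9 the status code
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END {
            for (ip in fails)
                if (fails[ip] >= t) printf "%s %d\n", ip, fails[ip]
        }
    ' | sort
}

# Dry run on the constructed sample; for a live server feed the real log in:
#   failed_logins_by_ip 10 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip 5
```

On the sample, only 203.0.113.5 is reported (six failed attempts in a few seconds); the address that logged in successfully is not, because its POST produced a redirect. A plugin such as Wordfence does the same counting in real time and adds the blocking, which a log review after the fact cannot.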
reCAPTCHA: This tool adds a challenge to the login pages of your website that must be passed in addition to the password, a form of multifactor authentication. You are probably familiar with it as the “I’m not a robot” checkbox, or the step where you pick objects from the photos provided or do some simple math, all to prove that you aren’t a robot. To further secure your WordPress website, you can also require it for comments.
Don’t forget the built-in tools
WordPress has a number of built-in tools that will help secure your website:
Complex password generation: While it is tempting to use a password for your website that you can remember, you should instead let WordPress generate one for you. It will present you with a long, complex password.
Update theme: The theme is the basis of the design of your website. The theme is the framework upon which your website designer created the site. Updates to the theme make sure that that framework stays functional and that security flaws are patched.
Update plugins: Plugins provide functionality to your website. It could be a picture gallery, a contact form, mailing functionality, or a hundred other things depending on how your website is organized. And while WordPress can be a great tool to both secure your website and make it look professional, it also has a flip side you need to be alert to. Vulnerabilities in WordPress can arise, typically through plugins that are not patched. The plugins need to be updated to fix security flaws and to maintain functionality as the theme and WordPress itself are updated.
Update WordPress: WordPress now updates automatically. This is both a good thing and a bad thing. It’s good because it means that the platform remains secure and grows in features. It’s bad because if any of your plugins or your theme fall out of compatibility with the new version of WordPress, then parts of your website can stop working.
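The maintenance items from the plan earlier in the article (backup, security patching, plugin and theme updates) and the three update steps just described can be scripted with WP-CLI. The following is an added example, not the article’s own procedure or code: it assumes WP-CLI is installed, that WP_PATH points at the WordPress root, and that the CSV at the bottom (constructed, not from a real site) stands in for the output of `wp plugin list`. The real backup and updates only run when WP-CLI is found and RUN_MAINTENANCE=1 is set; otherwise the script just exercises the report helper on the sample.

```shell
#!/bin/sh
# Added example (not from the article): a minimal WordPress maintenance run
# with WP-CLI. Assumes WP-CLI is installed and WP_PATH points at the
# WordPress root. Order matters: back up first, then update, then verify
# core files and report what still needs attention.
set -eu

WP_PATH="${WP_PATH:-.}"               # assumption: path to the WordPress install
BACKUP_DIR="${BACKUP_DIR:-./backups}" # assumption: keep this outside the web root
STAMP=$(date +%Y%m%d-%H%M%S)

# Step 1: backup (database dump plus a tarball of wp-content, where uploads,
# themes and plugins live). A backup taken before updating is what lets you
# roll back the occasional bad update.
backup_site() {
    mkdir -p "$BACKUP_DIR"
    wp --path="$WP_PATH" db export "$BACKUP_DIR/db-$STAMP.sql"
    tar -czf "$BACKUP_DIR/wp-content-$STAMP.tgz" -C "$WP_PATH" wp-content
}

# Step 2: updates for plugins, theme and core, then the database schema.
update_components() {
    wp --path="$WP_PATH" plugin update --all
    wp --path="$WP_PATH" theme update --all
    wp --path="$WP_PATH" core update
    wp --path="$WP_PATH" core update-db
}

# Step 3: integrity check. verify-checksums compares core files against the
# checksums published by WordPress.org; a modified or unexpected core file is
# a common sign of a compromised install and should be investigated.
verify_core() {
    wp --path="$WP_PATH" core verify-checksums
}

# Helper: turn WP-CLI's CSV plugin list into one line per plugin that is
# still outdated, or installed but inactive (unused plugins are still
# attack surface and should be removed). Expected input is the output of
#   wp plugin list --format=csv --fields=name,status,version,update_version
report_plugins() {
    # $1: CSV text with a header row
    printf '%s\n' "$1" | awk -F, 'NR > 1 {
        if ($4 != "" && $4 != $3) printf "OUTDATED %s %s -> %s\n", $1, $3, $4;
        if ($2 == "inactive") printf "INACTIVE %s (remove if unused)\n", $1;
    }'
}

# Constructed sample of `wp plugin list` output for an offline dry run.
SAMPLE_CSV='name,status,version,update_version
akismet,active,5.3,5.3.1
jetpack,active,12.8,
hello,inactive,1.7.2,
wordfence,active,7.11.0,7.11.1'

if command -v wp >/dev/null 2>&1 && [ "${RUN_MAINTENANCE:-0}" = "1" ]; then
    backup_site
    update_components
    verify_core
    report_plugins "$(wp --path="$WP_PATH" plugin list --format=csv --fields=name,status,version,update_version)"
else
    report_plugins "$SAMPLE_CSV"
fi
```

Run it on the web server as the user that owns the WordPress files, and keep the step 1 backup until you have clicked through the site after the updates, since, as noted above, an update occasionally breaks something and the backup is your way back. The report at the end is the list to hand to whoever maintains the site: anything marked OUTDATED after the run failed to update and needs a look, and anything INACTIVE is a plugin that can probably be deleted.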
Your website is a living object. Even if you aren’t filling it with new content, it still isn’t static because all of the underlying pieces that make it function aren’t static. The bad guys are always looking for a way to take advantage of a piece of code.
Avoid becoming a black hole: The final piece that is part of the minimum set of maintenance tasks is to test your website’s ability to send email. Some web developers write their own code to create forms and mail the completed form to you. Some use plugins to perform the task. In either case, nearly every website has the ability for a potential or current customer to contact you. Too many times, I’ve attempted to contact a company by emailing the address on the website or by completing their contact us form only to have my request fall into some black hole. The company never gets the message, and I never end up hearing from them.
It’s sad, really, because this is one of the most basic features of websites. They are to provide information and allow people to contact you. Most businesses don’t expect a lot from their website, but if someone does want to contact you, they should be able to.
Testing the email feature is simply a matter of visiting your website and sending an email to the address shown there or filling out the “contact us” form if you have one on your website. Then see if the email arrives. If not, you have a problem to fix. You’ll want to contact the person in charge of creating your website or maintaining it and alert them to the problem.
Basic maintenance: A good start to secure your WordPress website
I haven’t suggested anything earth-shattering here. It’s just good basic website maintenance that, if acted upon, will put your website far ahead of the masses when it comes to security. There’s a concept in security that says, “Don’t be the low-hanging fruit,” which means: don’t be easy to pick. Will these items make your website completely secure? Perhaps not. But they will make it pretty well secured and more secure than most others. Being more secure than others means that most of the bad guys will go away to greener pastures because the simple techniques aren’t working on your website. There are so many poorly secured websites out there that there’s simply no reason to bother trying to hack sites that are decently secured.
Now that’s a blanket statement, obviously. If you are a large corporation with a strong e-commerce presence, then you have important data that makes you a larger target for theft of credit cards and personal information on your customers. But for most businesses, the brochure website can be easily and simply secured with minimal effort and adherence to basic maintenance schedules.
Featured image: Pixabay