But running your business website on WordPress has many benefits – it’s easy to customize, cheap to maintain and easy to use.
So, how do you keep your company website safe?
Before we dig into ways to keep your website secure, it’s important to note that signs of a hacked website are not always obvious.
You might be wondering what would anyone have to gain by hacking your business WordPress website, especially if you don’t deal with any sensitive information like credit cards or personal information.
With most WordPress takeovers, the hackers are not really interested in bringing your website down or holding it for ransom, as in the high-profile hacking cases you hear about in the news. In fact, they are much happier to go undetected for long periods of time and use your hacked website to:
- Send spam through your email server. This can affect your website domain credibility and can get your email addresses added to spam filters or blocked altogether.
- Serve malware to visitors to compromise their computers. After this threat is detected by Google, it will trigger a pretty scary red overlay to appear on your website announcing to the world that your website is trying to hack them. Needless to say, this is bad for business.
- Add hidden pages that link to external shopping sites. This tactic is called Search Engine Poisoning (SEP) and has been on the rise in the past few years. While you might never notice the pages on your website, they are visible to search engine bots and Google will scan them.
- Use your server as a bot for various bad things like targeted Denial of Service (DoS) attacks used to bring down other websites, bitcoin mining and other resource-heavy black-hat activities.
Left unattended for long enough, a compromised website will be delisted from Google search results (it is possible to relist it after it’s been cleaned up, but it does take some time).
Here’s how to keep your business website safe.
1. Back up your website regularly
The truth is that no matter what steps you take to secure your WordPress website, no website will ever be 100% protected from security threats.
Whether the threats are coming from your hosting provider, plugins you installed or WordPress itself, the best practice is to regularly back up your website. Automated backups can be easily enabled from your hosting provider's administration area or by using a WordPress plugin – one of my favorite plugins is UpdraftPlus.
Two important things to keep in mind:
- Keep several backups, don’t just overwrite the last one. Your site might have already been breached when the backup was running and you risk uploading a compromised backup over and over again.
- Also save your backups externally on cloud services like Dropbox or Google Drive, and not just on the hosting server itself. It can happen that the whole hosting server goes down for unrelated reasons, making backup retrieval impossible.
2. Install a security plugin
A good WordPress security plugin is your biggest ally in keeping your website secure. It keeps bad login attempts out, blocks brute-force attacks, informs you of suspicious activity and of new updates available, scans your files for signs of compromise and, if a breach does happen, it can help you contain the damage.
There are several good options out there; I personally enjoy the simplicity and efficiency of the Wordfence plugin.
3. Install updates as soon as possible
Outdated plugins are the leading cause of hacked WordPress websites. So even if you don't add new content often and have no reason to regularly log in to your WordPress website, it's good practice to check in at least once a week and install any updates that are available. If your website breaks when you update your plugins or the WordPress core, you should get a new website designed, period.
You should never have to hold off security updates for fear of breaking the website and risk compromising your reputation.
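The two habits above (keep several backups, stored off the server, and apply updates promptly) fit together as one routine: take a fresh, dated backup, then update. The script below is an added example, not code from the original post or from UpdraftPlus; it assumes WP-CLI is installed as `wp` (its `db export`, `core update`, `plugin update --all`, `theme update --all` and `core verify-checksums` subcommands are real), and the paths `WP_ROOT` and `BACKUP_DIR` are placeholders you would set for your own host. Every run creates a new snapshot directory instead of overwriting the last one, and only the newest `KEEP` snapshots are retained, so a backup taken after a breach never clobbers the clean one.

```shell
#!/bin/sh
# Added example (not from the original post): rotating WordPress backups,
# taken before each update run.
# Assumptions: WP-CLI is available as `wp`; WP_ROOT and BACKUP_DIR are
# placeholders. BACKUP_DIR should live on storage that is synced off the
# server (for example a Dropbox or Google Drive folder), per the post.
set -eu

# backup_site SRC DEST KEEP
# Archives the SRC directory into DEST/backup-<timestamp>-<seq>/files.tar.gz
# and then deletes all but the KEEP newest snapshots. The sequence number
# comes from a counter file, so two runs inside the same second still get
# distinct, correctly ordered names. Prints the snapshot directory.
backup_site() {
    src=$1; dest=$2; keep=$3
    mkdir -p "$dest"
    seq_file="$dest/.seq"
    seq=$(( $(cat "$seq_file" 2>/dev/null || echo 0) + 1 ))
    echo "$seq" > "$seq_file"
    snap="$dest/backup-$(date +%Y%m%d-%H%M%S)-$(printf '%06d' "$seq")"
    mkdir "$snap"
    # -C parent + basename keeps the archive paths relative to the site root
    tar -czf "$snap/files.tar.gz" -C "$(dirname "$src")" "$(basename "$src")"
    # Prune: list snapshots newest-first by name, drop everything past KEEP.
    ls -1 "$dest" | grep '^backup-' | sort -r | tail -n +$((keep + 1)) \
        | while read -r old; do rm -rf "$dest/$old"; done
    echo "$snap"
}

# count_backups DEST: number of snapshot directories currently retained.
count_backups() {
    ls -1 "$1" | grep -c '^backup-' || true
}

# update_with_safety_net ROOT DEST
# Snapshot files and database first, then apply core, plugin and theme
# updates, and finally verify core files against WordPress.org checksums.
# If the site breaks, the files.tar.gz and db.sql in the snapshot restore it.
update_with_safety_net() {
    root=$1; dest=$2
    snap=$(backup_site "$root" "$dest" 5)
    wp --path="$root" db export "$snap/db.sql"
    wp --path="$root" core update
    wp --path="$root" plugin update --all
    wp --path="$root" theme update --all
    wp --path="$root" core verify-checksums
    echo "updated; rollback snapshot at $snap"
}

# Usage: WP_ROOT=/var/www/html BACKUP_DIR=/mnt/offsite/wp sh backup-update.sh update
case "${1:-}" in
    update) update_with_safety_net "${WP_ROOT:-/var/www/html}" "${BACKUP_DIR:-/var/backups/wordpress}" ;;
esac
```

Run it from cron once a week (the post's suggested cadence) and you get both a dated, off-site backup history and timely updates without choosing between them.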
4. Choose a good hosting company
When selecting a hosting package for your WordPress website, you usually need to select between shared hosting or dedicated hosting.
To understand the difference, besides the price – dedicated servers are usually several times more expensive – picture a hosting server like a folder on your computer. If you get the dedicated hosting, there is only one folder inside with your website files in it. If you get shared hosting, there are several folders in there, each containing a different website.
For a simple business WordPress website, shared hosting does the job nicely, with resources to spare.
The problem with shared hosting, though, is that, as the name implies, you share the same server with other websites. If one of those other websites gets compromised, your files can get compromised as well, through no fault of your own. This happens often on huge, cheap hosting providers, so try to go for a host that meets these criteria:
- Don't go for the absolute cheapest offer you find; it's safer to pick something more mid-range, around $10-$20/month.
- If the hosting company's website has an outdated design, chances are the servers and the scripts running on them are outdated as well, exposing you to security risks.
- Avoid huge hosting providers (think of the ones that advertise on TV); go instead for something more personalized.
- Check their reputation: look for good and bad reviews and try to find out how responsive their support team is.
5. Use a secure HTTPS connection
Using HTTPS instead of HTTP means that your website URL will look like https://www.yourwebsite.com instead of http://www.yourwebsite.com. In some browsers, you’ll see a green lock next to the URL indicating the website is secure.
It's highly recommended to use an HTTPS connection throughout your website, even if you're not gathering sensitive information from your visitors, like credit card info or personal information.
An HTTPS connection ensures that all traffic between your site and your users is encrypted, so no third party can hijack the traffic and insert malicious scripts into it. This threat can come not just from your server being compromised, but also from your user's computer or the Wi-Fi network they're using to access your website. For example, some hotels use their guests' connection to add third-party ads on top of your website, without informing their users. And this is just a relatively innocuous example.
Another reason to switch to HTTPS is that Google will soon start to display a warning to your users that your website is not secure.
You can easily enable HTTPS on your WordPress website by buying and installing an SSL certificate on your host and redirecting all HTTP traffic to HTTPS – for example, if someone types http://www.company.com, they'll be automatically redirected to https://www.company.com.
Besides the security benefits, switching to HTTPS will also boost your presence in search results.
6. Keep your plugin footprint to a minimum
Plugins get hacked all the time. Not just the small, shady ones, big ones as well. In fact, they’re the most common way a WordPress website gets compromised. So, to keep safe:
- Delete any unused plugins – don’t just deactivate them, delete them. You can always install the plugin later if really needed.
- If you have several plugins that overlap in functionality, keep only one.
- Don’t install unnecessary plugins, especially if you’re not sure what they actually do, except offering a vague promise to make your website “better”.
Aside from the increased security risk, having lots of plugins activated will also slow your website down, degrading the experience of your users and hurting your SEO efforts.
So, to sum it all up – back up often, install updates as soon as they're available, don't install plugins you don't really need, use HTTPS, don't go for the cheapest hosting company you can find and use a good security plugin. Stay safe!
I hope this article sheds some light on how to keep your WordPress website secure. For more articles like this, please subscribe below, and if you’d like to take your business website to the next level, let’s talk!