Hi All, Robert Cairns here. I am the CEO/Chief Creator of Amazing Ideas at StunningDigitalMarketing.com. I hope you all are having an amazing day.
Today I wanted to dive back into the topic of WordPress security and share with you some of the things we do to secure websites. I want to help you secure your websites even more. A website being down due to a hack can hurt your Business, Brand and reputation.
This might surprise you, but one of the biggest causes of website hacks is web hosting. Many hosts really do not care about the security of their servers. Two of those are the EIG hosting group and GoDaddy.
Frankly, these two companies and many others do not want to be a partner in helping you, the client hosting a website. All they care about is cheap hosting, and if you go to them for security help they say they can help you for a fee. These charges usually get very expensive. Not only are they poor hosts for security, but for many other things as well. There are many better hosting choices.
Our favourite hosting choice for our agency is SiteGround. SiteGround is an amazing choice and wants to help protect you, the client. Let me give an example.
Late in 2018, a major security vulnerability was discovered in the number one GDPR plugin being used on WordPress sites. The hacker had come up with a redirection to a porn site. Not nice at all!
SiteGround blocked the attack at their firewall level. This helped save many sites from the infection. Unfortunately, the only time I have ever been hit was this one: our agency site was hit in the meantime. We had a backup, which I will talk about later. We were able to recover in 15 minutes!
Good hosting does matter, and the SiteGround team will always be amazing in their partnerships with customers. They rock!
The second thing you need to get is an SSL certificate. This encrypts all traffic between the website user and the server. This is a really good idea and can help minimize man-in-the-middle attacks.
The third strong bit of advice I have: if you are going to work on your WordPress site on free public Wi-Fi, such as at a library, coffee shop, hotel or even a co-working space, get a VPN. A Virtual Private Network encrypts your traffic and stops man-in-the-middle attacks. These attacks can include things like stealing your login passwords.
The next step is to make sure you have current backups. We use the UpdraftPlus backup plugin in our agency on hundreds of websites. We set our backups to run on a daily basis. Once a backup is completed, it is automatically uploaded to Amazon S3 cloud storage. This puts the backups off-site, away from the server.
We keep 6 months of weekly backups on our NAS server – a Synology as well. In some cases, we have had to go back several weeks to do a restore.
Now you might say, why do I need to run my own backups? Does my web host not do that for me? Yes and no – let me explain.
Many shared hosting services only do backups once a week, if that often. Some do them once every two weeks or even once a month. This is not good.
Several big hosts outside of North America have had their backup servers hacked as well. So why not put it in your control? Remember, backups are an insurance policy against something going wrong.
Also, make sure you test that your backups can be restored. Restore them to a test site on a subdomain to make sure they are working properly. Remember, your backups are only as good as your ability to restore them. Test and test again.
Now that we have talked about backups, let us look at WordPress core and theme updates. Do them at least once a week. The one exception we make is that if a WordPress core update comes out, we always do it the same day. This minimizes possible security issues; out-of-date software is a big cause of them.
One suggestion: always do a backup before doing any software updates. This way you can roll back/restore easily.
Now let us talk about the WordPress admin account. Do not use the default admin name – change it and change it now.
Also, do not give admin rights to users who do not need them. If you are just writing blog posts, then that is all the access you need, not admin rights.
Passwords – use strong passwords and, frankly, change them every 30 or so days. Also, use a different password for each website. Check out LastPass to manage your passwords. That is all I am going to say about passwords, as our next podcast will be devoted to passwords and only passwords.
Install a security plugin. We personally like Wordfence and the iThemes Security plugin (both the free versions). If configured right, you can run them both at the same time.
Change the WordPress login (back-end) URL. This makes it a little more difficult for script kiddies to hack in. Also, turn on brute force protection. iThemes Security will do both of these.
Also, change the WordPress salts – leaving the defaults is a bad idea.
You might also want to turn on two-step authentication to protect logins further. The nice thing is that Wordfence handles that, and not just with SMS. I am actually making a move to key fobs (if you go this way, get at least two tied to your authentication account in case you lose one).
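A quick way to check the salts tip above on your own sites, as an added example that is not from the podcast or from any plugin mentioned here: the script below parses the eight key/salt constants out of a wp-config.php, flags any that are missing, still the sample placeholder, too short (the 32-character floor is my assumption) or duplicated, and can print a fresh block of define() lines to paste in. The sample config fragment is constructed for the demo.

```python
import re
import secrets
import string

# The eight key/salt constants WordPress reads from wp-config.php.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Placeholder shipped in wp-config-sample.php; it must never stay on a live site.
DEFAULT_PHRASE = "put your unique phrase here"
MIN_LENGTH = 32  # assumption: anything shorter is reported as weak
# Matches define( 'NAME', 'value' ); tolerating the spacing WordPress uses.
_DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)\s*;")

def parse_salts(config_text):
    """Return {constant: value} for every salt constant found in wp-config text."""
    return {n: v for n, v in _DEFINE_RE.findall(config_text) if n in SALT_KEYS}

def audit_salts(config_text):
    """Return a list of findings; an empty list means every salt looks healthy."""
    salts = parse_salts(config_text)
    findings = []
    for key in SALT_KEYS:
        if key not in salts:
            findings.append(f"{key}: not defined in wp-config.php")
        elif salts[key] == DEFAULT_PHRASE:
            findings.append(f"{key}: still the sample placeholder")
        elif len(salts[key]) < MIN_LENGTH:
            findings.append(f"{key}: too short ({len(salts[key])} chars)")
    if len(set(salts.values())) != len(salts):
        findings.append("duplicate values: every constant must be unique")
    return findings

def generate_salt(length=64):
    """Random salt safe inside a PHP single-quoted string (no quote or backslash)."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def render_salt_block():
    """Fresh define() lines for all eight constants, ready to replace the old ones."""
    return "\n".join(f"define( '{k}', '{generate_salt()}' );" for k in SALT_KEYS)

# Constructed sample wp-config.php fragment showing each kind of problem.
SAMPLE_CONFIG = """
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'short' );
define( 'LOGGED_IN_KEY',    'aB3dE6gH9jK2mN5pQ8sT1vW4xZ7yC0fI3lO6rU9' );
define( 'NONCE_KEY',        'aB3dE6gH9jK2mN5pQ8sT1vW4xZ7yC0fI3lO6rU9' );
"""
```

Run `audit_salts(open("wp-config.php").read())` on a copy of the real file; note that changing the salts logs every user out, so do it at a quiet time and after the backup mentioned above.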
The last tip goes without saying. If someone leaves your organization terminate their access right away. There is no question about this one. Past employees who are not happy can cause lots of issues if they still have access to your website.
A few resources to help you:
- Think Like a Hacker Podcast
- WordPress Weekly Podcast
- Sucuri Blog
- Wordfence Blog
- Security Now Podcast.
- This podcast!
- My Business, Marketing and WordPress Newsletter.
Now I know there is a lot here. If you want some help with all this, my team does offer WordPress Care Plans. If you email email@example.com, we will do our $980 Care Plan for $780. I will put a link in the show notes.
Link to care plans: https://stunningdigitalmarketing.com/wordpress-security-services/
I should also tell you the care plans are changing and so is the price structure – it is going up as of August 1 when I launch the care plans on a separate website.
If I can help you in any way, please send me a note and I will be more than happy to get back to you.
Have a great day!
Thank you for listening to the SDM Business, Marketing and WordPress Podcast. This show is hosted by Robert Cairns, the CEO and Chief Creator of Amazing Ideas at StunningDigitalMarketing.com
This podcast comes out every week. It is available on all podcast platforms.
If you would like to be a guest on this podcast, please email us at firstname.lastname@example.org
If you would like to find out more about the Digital Marketing Services we provide, please go to StunningDigitalMarketing.com
If you are interested in all the projects our CEO/Chief Creator of Amazing Ideas Robert Cairns is involved with, please go to RobertBCairns.com
This podcast is dedicated to Robert’s late father, Bruce Cairns.
Have an amazing week. Keep your feet on the ground and keep reaching for the stars. Make your business succeed.