Protecting Your WordPress Website

So you’ve taken all this time to set up a website for your business. You’ve added pages of content and your customers are starting to find you. Then, out of the blue, your website gets hacked. Your customers lose faith in your services, and Google blacklists your website, which makes it harder for new customers to find you. This is definitely not the ideal situation. The reality you need to be aware of is that WordPress sites get hacked. There are usually two reasons why sites get hacked. First, the WordPress site, themes, and plugins aren’t properly updated, and second, the username and password aren’t secure and the admin account is hacked. Luckily, there are things you can do to protect your site.

Keeping your WordPress install updated

The most important thing you can do is to keep your website up to date. Whenever you log in, it would be a good idea to make sure there isn’t a yellow bar across the top of your site that says there is a new version of WordPress. If there is, you need to back up your website and then update it. You also need to periodically check if you have any plugins that need updating and that your theme is up to date.

Checking if a plugin needs to be updated
That little number means that there are 8 plugins that need updating on this website.


Most plugins have “auto update” available, which means you can just click the link and it will download the new version and install the update without you having to do anything. Way nicer than the old days when you’d have to download the new version, log in using your FTP client, and copy files over (although you can still do this and might have to if you have a premium plugin that needs updating).

You need to back up your website regularly. This means the files and the database. (See this post for more information on backup plugins.)

One thing that sometimes gets overlooked is when a theme needs an update. Some themes, like the Genesis Framework, can notify you when there are theme updates that need to be processed.

If you are really concerned about keeping your website updated and clean and you also want a fast and secure website, pay for “Fully Managed” WordPress hosting through WP Engine. They will keep your website updated for you, back it up daily, scan for malware, fix it if it gets hacked, and even speed up your website. If you pay for the Professional or higher tiers you also get a CDN (Content Delivery Network), which speeds up your visitors’ experience even more. It is more expensive per month than, say, Bluehost, but you get a lot of value in removing your headaches.

Protect Your Site From Malware and Hackers

Use Website Defender to protect your website. There are two versions of the product, FREE and PRO. You can view all of the differences here: [LINK] but in my opinion the important differences are that the PRO does:

  • Daily security scans instead of only monthly
  • Checks for Malware and viruses (Free does not)
  • Backup and Restore
  • WordPress Hacker Activity Checks (monitors admin users, themes and plugins for changes)

The FREE version does offer monthly scans, general security checks (SSL expired, broken links, DNS hacks, etc.) and checks if your website is blacklisted by Google. In full disclosure, as I have other backup solutions in place, I am only using the free version right now, but I think at some point I will enable the Professional version for my website.

Once you sign up [LINK] they will walk you through installing the program. (This isn’t a WordPress plugin, so it’s a bit different.) The process was fairly simple so I won’t detail it here. After you set it up and install it, it will run for the first time. When it finishes, you will receive an email with probably at least 3 alerts (here are mine):

The two green alerts are more informational. The first says the scan was complete (and only shows the first time) and the second is alerting you that you have WordPress installed (which we already knew). If a new alert like the second one shows up after this first run, saying that you have a new WordPress installed, and you didn’t install it, that is when you should start to get worried.

The blue alert in this case is telling me that I used the default wp_ prefix (my tables all start with wp_). I will write a step-by-step guide here shortly on how to change your table prefixes and update this post to link to it. The reality is that, as this is a low alert and I don’t believe it gives that much of a benefit for the amount of effort it takes to fix, you might just ignore it (check the box and click the ignore button).

In my opinion, if you have a good backup (either one of the free versions above or the paid Website Defender Pro version that offers daily backups) then even if something happens it is easy to roll back to the previous version without much loss. If anything, running through the 10-minute exercise of installing this application has given me the peace of mind that right now my site has no malware and is mostly protected, and that in the future I have to worry less about my website, especially if I keep my plugins, themes, and especially WordPress up to date.




