Website security is a boring subject. I know. However, unless you’ve been living in an underground cold war bomb shelter for the last few years, you’ve undoubtedly seen, read or heard a few stories about one business or another getting hacked.

If those stories don’t make you a little concerned about your own website security, then you’ve probably fooled yourself into believing that this is something that only happens to other people. That “you don’t have anything a hacker would want, so you’re good”. Well, you’re wrong. You’ve just been lucky.

I know what you’re thinking: that your website has no physical connection to internal company files or information. That you use great passwords and have an anti-virus program, so your website security is fine. And that for the $3.95 a month you pay for the cheapest possible hosting there is, you have it all taken care of.

Sorry to start bursting balloons at your confidence party, but a motivated criminal hacker doesn’t care about your passwords or your anti-virus, and doesn’t operate based on what you think. They’re criminals. They mainly operate anonymously, from anywhere in the world. They don’t follow your rules or the convenient logic you’ve created to make yourself feel better, and they don’t wait to attack you or your website until you get time to “deal with this” at some arbitrary future date.

The FBI reports at least 4,000 cyber attacks on U.S. businesses EVERY DAY, the bulk of them ransomware: malware that encrypts the files on your computer, network or devices and holds them hostage until you pay for the decryption key.

  • Do you really think we have enough law enforcement and cyber security professionals to stop or investigate 4,000 attacks a day?
  • Even if you could pay the ransom, are you really going to trust that the criminal on the other end of that transaction will be honorable and hand over a working key?

If you’re starting to get the picture that we’re going to be on our own for a while, you’d be correct.

Small businesses are easy targets

Once you understand that in most cases hacking isn’t personal, it’s a crime of opportunity, you’ll approach your own website security just as seriously as the lock you put on your front door. You know that lock won’t stop a determined criminal, but it will slow down or stop the dirt bags who are just looking for an easy opportunity to score some dope money.

According to IBM, small and mid-sized businesses are the target of 62% of all network and website cyber-attacks, and 60% of small businesses that suffer an attack are out of business within 6 months. Yep, that’s a real thing that is happening.

Recently a small clinic in Cincinnati was hacked, & the personal information of 500 employees was taken. They found out about it when the employees started filing their tax returns, & to their surprise the IRS rejected them saying they’d already been filed & paid out. Oh my!

Yes, you do have something hackers want

The idea that hackers are only after company secrets and bank account information is Hollywood fiction. Maybe you personally aren’t worth targeting, but how many contacts do you have direct access to on your computer and devices? How many clients, customers or business associates? How many friends and family members?

So yes, you do have something that criminal hackers want. Easy, bulk access to other people’s information.

Website security vs. home security

Your website is open and publicly accessible 24/7. It’s a central place that reaches a variety of clients and customers, employees and co-workers who visit it regularly. To a hacker that makes it a great place to lie in wait: steal user and client information, hijack eCommerce orders (and the customer information that comes with them), and distribute malware that can infiltrate or take over office computers and phones, steal your contacts (and infect them too), and so on and so on.

Thor forbid, if something happens to your home, as long as everyone is safe you will eventually recover. You can rebuild a structure. You can get new stuff.

But what if something happens to your business, & all of your co-workers, employees & clients are also breached?  Will you still recover? How long does it take to repair credit? Fix all the things that happen because of identity theft? Recover stolen money? Re-establish trust & credibility?  I don’t want to find out.  Do you?

I’m going to explore a few ways that you can harden your website security, & how to protect yourself, & your company from being an easy target.

1. Stay on top of software updates

Everything runs on software, and criminal (black hat) hackers are constantly finding new exploits for it. Reputable, experienced developers track those exploits and ship patches and updates regularly, but once an exploit is public the attackers know it too. The lazy ones simply scan for sites still running the vulnerable version; an outdated version number on a plugin or theme is all the invitation they need to get into your systems.

If you don’t know how to keep up with updates, find out. Ask people. Ask your webmaster. Ask your host. It’s imperative that you know when updates are released so that you can apply them promptly.

WordPress applies minor core (security) releases automatically, but major core releases, themes and plugins are not updated unless you opt in, since themes and plugins generally come from third parties. It’s important to know exactly which themes and plugins you’re running and to watch for their updates; newer WordPress versions let you switch on automatic updates per plugin and per theme from the admin screens, which is worth doing for anything you trust. As a rule of thumb, when WordPress updates, expect corresponding theme and plugin updates as well.

2. Stop using cheap hosting

Cheap hosting is great for struggling start-ups, or anyone just messing around as a hobby. It is NOT for business websites, I don’t care what they tell you on TV. Once you’ve passed the amateur stage of business, it’s time to stop using amateur tools. While most (not all) hosting companies do the best they can to keep their servers safe, anyone who tells you the level of security and service is the same no matter what you pay isn’t being truthful.

Cheap hosting is shared hosting. Shared hosting is bare bones. It also means that your site sits on a server with hundreds of other websites run by amateurs. I say run by amateurs because experienced website owners don’t use shared hosting. Besides the limited resources, the other amateur website owners on YOUR server are an additional threat to your security because they are, unwittingly, a threat to their own: a compromised neighbour spewing spam can get your shared IP address blacklisted, and if the host’s isolation between accounts is weak, their breach can become yours.

If you’re serious about business and website security, then it’s time to get a grown-up hosting plan that puts your site on its own server, with its own mail server, that doesn’t share resources or IP addresses with anyone else, and gives you unrestricted access to all of the tools and options your host or your webmaster can implement.

I recommend & have used for years a Managed Dedicated Server. It gives me the benefits of my own server, but “managed” means that I don’t have to know how to run every detail of a server, I have support that does it for me.  Yes, it costs more. Yes, being in business is expensive. Whoever told you that the safety & security of your website, your most important marketing & sales tool, was supposed to only cost you $3 mo.,  lied to you. You wouldn’t put a $3 lock on the front door of your home, so why would you put one on your business?

3. Get a TLS/SSL certificate

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as “SSL”, are cryptographic protocols that provide communications security over a computer network. Every version of SSL proper is deprecated and broken; what you actually want today is TLS 1.2 or 1.3, and “SSL certificate” is just the name that stuck.

TLS is an integral tool in stopping man-in-the-middle attacks that can read or alter what your users type in transit, which is exactly what makes a login page or contact form on a plain HTTP site unsafe to use.

As more people become web savvy and security conscious, many will no longer frequent or engage with insecure websites, and major browsers now flag plain HTTP pages to the user as not secure.

If that wasn’t enough to motivate you, Google is now giving secure websites preferential treatment in the search results to better protect its users. If you depend on search engine optimization as part of your marketing strategy, you need to get right with Google, and with the other search engines and browsers your visitors use, Bing, Chrome and Firefox included.

Your existing hosting company likely offers a variety of SSL/TLS options, and many, Bluehost among them, now offer free certificates for WordPress sites through Let’s Encrypt. Note that Let’s Encrypt certificates expire every 90 days, so make sure renewal is automated (most hosts handle it) or you will wake up one morning to a browser warning on your own site. If you’re not sure whether your host offers a free certificate, it can’t hurt to simply call and ask them. If they don’t, a paid one generally costs around $49-$79 a year. Big whoop.
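Once the certificate is installed, check it the way a visitor’s browser will rather than trusting the host’s dashboard. The script below is an added example, not code from the original post or from any host: it uses Python’s standard ssl module to verify the chain and hostname, refuses anything below TLS 1.2, and reports how many days the certificate has left. The 30-day warning threshold and the example.com placeholder are assumptions, and the expiry arithmetic is exercised with constructed dates so the functions can be checked offline.

```python
"""Check what a visitor's browser actually gets from your site: a trusted certificate,
a hostname that matches, a sane expiry date and a modern protocol.
Added example, not code from the original post. The live check assumes a host
reachable on port 443; the expiry arithmetic is exercised offline with constructed dates."""
import socket
import ssl
import sys
import time

WARN_DAYS = 30  # assumption: renew at least this far ahead of expiry
# Deprecated protocols. With the floor set in hardened_context() these never negotiate;
# the set is kept so assess() can also grade results from other scanners.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def hardened_context():
    """Client context that verifies the CA chain and hostname and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # system CAs, check_hostname=True, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given the notAfter string from getpeercert(),
    e.g. 'Jun  1 12:00:00 2030 GMT' (the double space before a one-digit day is the real format)."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def assess(protocol, days_left):
    """Turn the raw facts about a connection into findings; an empty list means all good."""
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"negotiated {protocol}; disable everything below TLS 1.2 on the server")
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < WARN_DAYS:
        findings.append(f"certificate expires in {days_left} days; renew now")
    return findings


def check_site(host, port=443, timeout=5.0):
    """Handshake with the hardened context and report what a careful browser would see.
    An untrusted chain, a name mismatch or a server that only offers old TLS makes
    wrap_socket() raise ssl.SSLError, which is the point: that site fails for visitors too."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()  # already verified against the CA store and hostname
            protocol = tls.version()
    days_left = days_until_expiry(cert["notAfter"])
    return protocol, days_left, assess(protocol, days_left)


if __name__ == "__main__":
    # usage: python tls_check.py example.com   (example.com is a placeholder for your host)
    protocol, days_left, findings = check_site(sys.argv[1])
    print(f"{sys.argv[1]}: {protocol}, certificate valid for {days_left} more days")
    for finding in findings:
        print("  !", finding)
    sys.exit(1 if findings else 0)
```

A handshake error from check_site() is not a bug in the script; it means the site would fail in a modern browser too (wrong name on the certificate, expired, untrusted issuer, or only an ancient protocol on offer). Run it from cron against your own hostname and fail the job well before the day count reaches zero, so a stalled Let’s Encrypt renewal gets caught while there is still time.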

4. Stop installing random plugins for everything

One of the great things about WordPress is its plugin architecture: installed scripts and programs that add functionality to your website. As convenient as that is, it can also be a website security nightmare. Inexperienced webmasters typically become dependent on installing a plugin for everything, which over time creates some major security issues on their site, because every plugin is third-party code running with the full privileges of your site.

  • Vet the plugins that you install: check when they were last updated, whether they are tested against your WordPress version, and whether others have reported issues.
  • Remove older plugins that you no longer need or use. Deactivating is not enough; the files stay on the server and stay reachable.
  • Knowing some basic HTML and CSS can help cut down on the number of plugins that you install.
  • Check your WordPress plugins against a vulnerability database such as WPScan’s. If they are on it, see whether an update provides a fix; if the plugin has been abandoned, replace it.
  • Reduce the number of users who have admin privileges on your site and can decide to install or change anything on it.
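Putting sections 1 and 4 together into something you can actually run: the script below is an added example, not code from the original post and not a WordPress or WPScan tool. It reads the standard header block at the top of each plugin’s main file to build an inventory, then flags plugins that are behind the latest version, plugins that are installed but not active, and plugins whose installed version a vulnerability list says is broken. The latest-version map, the active-plugin set and the vulnerability list are constructed sample data standing in for what you would pull from wordpress.org and a vulnerability database, the version comparison is a simplified one, and the sample install is built in a temporary directory.

```python
"""Inventory the plugins on a WordPress install and flag the ones that need attention:
updates pending, inactive leftovers, and versions a vulnerability list says are broken.
Added example, not code from the original post. Assumptions (not from the page): plugin main
files carry the standard WordPress header block ("Plugin Name:", "Version:"); the latest
upstream versions, the active-plugin set and the vulnerability list are supplied by the
caller (in real use from wordpress.org and a database such as WPScan's; here constructed)."""
import re
import tempfile
from pathlib import Path

HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)


def parse_plugin_header(text):
    """Pull Plugin Name and Version out of the comment header at the top of a plugin file.
    WordPress itself only reads the first 8 KiB for headers, so do the same."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        fields.setdefault(key, value)  # first occurrence wins, like WordPress
    return fields


def version_key(version):
    """Sort key so that '1.10.2' > '1.9'. Assumption: plain dotted numbers, not the full
    PHP version_compare() grammar ('1.0-beta' and friends) that WordPress uses."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def inventory(plugins_dir):
    """Map plugin slug -> {name, version} for every plugin under wp-content/plugins."""
    found = {}
    for entry in sorted(Path(plugins_dir).iterdir()):
        # a plugin is either a lone foo.php or a foo/ directory whose main file has the header
        candidates = [entry] if entry.is_file() else sorted(entry.glob("*.php"))
        for php in candidates:
            if php.suffix != ".php":
                continue
            header = parse_plugin_header(php.read_text(errors="replace"))
            if "Plugin Name" in header:
                slug = entry.stem if entry.is_file() else entry.name
                found[slug] = {"name": header["Plugin Name"], "version": header.get("Version", "0")}
                break
    return found


def audit(installed, latest, active, vulns):
    """Return (slug, finding) pairs.
    latest: slug -> newest upstream version      active: set of activated slugs
    vulns:  (slug, fixed_in) pairs; installed versions below fixed_in are vulnerable"""
    findings = []
    for slug, info in installed.items():
        installed_version = info["version"]
        if slug in latest and version_key(installed_version) < version_key(latest[slug]):
            findings.append((slug, f"outdated: {installed_version} installed, {latest[slug]} available"))
        if slug not in active:
            findings.append((slug, "inactive: delete it; its files are still reachable over the web"))
        for vuln_slug, fixed_in in vulns:
            if vuln_slug == slug and version_key(installed_version) < version_key(fixed_in):
                findings.append((slug, f"known vulnerability: fixed in {fixed_in}, update or remove"))
    return findings


SAMPLE_PLUGINS = [  # constructed sample install, not real plugins
    ("contact-form-x", "Contact Form X", "1.4.0"),
    ("gallery-lite", "Gallery Lite", "2.0.1"),
    ("old-slider", "Old Slider", "0.9"),
]


def demo():
    """Build the sample install in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        for slug, name, version in SAMPLE_PLUGINS:
            (plugins / slug).mkdir(parents=True)
            (plugins / slug / f"{slug}.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        installed = inventory(plugins)
    # constructed: what wordpress.org and the vulnerability database would say today
    latest = {"contact-form-x": "1.5.2", "gallery-lite": "2.0.1"}
    active = {"contact-form-x", "gallery-lite"}
    vulns = [("contact-form-x", "1.5.0")]
    return audit(installed, latest, active, vulns)


if __name__ == "__main__":
    for slug, finding in demo():
        print(f"{slug}: {finding}")
```

On a real site point inventory() at wp-content/plugins, feed audit() the versions your host or wordpress.org reports and the entries from your vulnerability database, and treat every “known vulnerability” line as today’s job, not next quarter’s. The “inactive” findings are the ones people argue about; the files of a deactivated plugin are still on the server and, for plugins with directly callable PHP files, still exploitable, which is why the list above says remove rather than deactivate.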

5. Don’t use your web root for storage

Your root, the document root, is the folder your web server serves files from (often named public_html or www), and it holds the files that make your website work. With a little knowledge and an FTP program (or the file manager in your hosting dashboard), you can access this area and manage the folders and files in it.

A telltale sign that someone knows just enough to tinker, but not enough to understand what they’re doing, is a root full of garbage: old files, backups, old website versions, staging copies, zipped folders of stuff and just all-around chaos. DO NOT USE THIS AREA FOR STORAGE. Everything under the document root is reachable by URL, so every folder, every file, every document you store there is something an attacker can fetch (a database dump or a wp-config.php.bak hands over your credentials in plain text) or, in the case of an old copy of the site, execute, complete with all of its old holes. Not only that, but clutter in the root slows down backups and malware scans, and no amount of TLS helps when the secrets are sitting in a downloadable file.

If you need storage, get some. There are plenty of options for a certain amount of free storage through Google Drive, OneDrive and Dropbox. Additionally, you probably should have some kind of network attached storage (NAS) for your business as well, as part of your 3-2-1 backup plan.
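To see how much of that clutter is sitting in a root right now, and where it would be served from, here is an added example (not code from the original post) that walks a document root and flags the usual offenders: archives, database dumps, .bak/.old copies of source files, editor backups and whole leftover directories. The suffix and directory lists are heuristics I chose, the sample tree is constructed in a temporary directory, and example.com stands in for your own hostname.

```python
"""Walk a web root and list the files that should not be there, with the URL each one
would be served at. Added example, not code from the original post. The suffix and
directory heuristics, the sample tree and the example.com hostname are all assumptions."""
import tempfile
from pathlib import Path

# Files the web server will happily hand to anyone who guesses the name.
RISKY_SUFFIXES = {
    ".zip": "archive, usually a whole site copy including wp-config.php",
    ".tar": "archive, usually a whole site copy including wp-config.php",
    ".gz": "archive, usually a whole site copy including wp-config.php",
    ".sql": "database dump: password hashes, e-mail addresses, customer data",
    ".bak": "backup of a source file; served as plain text, not executed",
    ".old": "backup of a source file; served as plain text, not executed",
    ".orig": "backup of a source file; served as plain text, not executed",
    ".log": "log file: internal paths, error messages, sometimes credentials",
}
# Directories that usually mean an old or duplicate copy of the site (old code with old
# holes that still executes) or version-control metadata that leaks the source.
RISKY_DIRS = {"backup", "backups", "old", "staging", "dev", "test", ".git", ".svn"}


def find_exposed(docroot, base_url="https://example.com"):
    """Return (url, reason) pairs for everything under docroot that matches a heuristic."""
    docroot = Path(docroot)
    findings = []

    def walk(directory):
        for path in sorted(directory.iterdir()):
            rel = path.relative_to(docroot).as_posix()
            if path.is_dir():
                if path.name.lower() in RISKY_DIRS:
                    findings.append((f"{base_url}/{rel}/", "leftover copy or VCS metadata; the whole tree is reachable"))
                else:
                    walk(path)  # only descend into trees that look legitimate
                continue
            reason = RISKY_SUFFIXES.get(path.suffix.lower())
            if reason is None and path.name.endswith("~"):
                reason = "editor backup of a source file; served as plain text, not executed"
            if reason:
                findings.append((f"{base_url}/{rel}", reason))

    walk(docroot)
    return findings


def demo():
    """Constructed sample docroot: a normal WordPress layout plus the usual clutter."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ["index.php", "wp-config.php", "wp-config.php.bak", "site-backup-2019.zip",
                    "dump.sql", "old/index.php", "wp-content/uploads/2020/photo.jpg",
                    "wp-content/themes/mytheme/style.css"]:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text("x")
        return find_exposed(root)


if __name__ == "__main__":
    for url, reason in demo():
        print(f"{url}\n    {reason}")
```

Anything it prints is reachable by anyone who guesses or enumerates the name, and wordlists of exactly these names are the first thing automated scanners try. Move the real backups off the server, as the paragraph above says, and delete the rest; if a directory genuinely has to stay, it belongs outside the document root, not behind a name you hope nobody finds.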


 

Conclusion

One of the easiest ways to infiltrate your organization and client base is by lying in wait on an unsecured website and infecting all who engage with it. If the thought of your website going down doesn’t scare you, then the thought of it causing a chain reaction that costs you your entire business should.

You see, it’s not just about you. It’s about how many other people or systems a hacker can breach or exploit THROUGH you. You have a responsibility to your business associates, family, friends and, dare I say, society in general not to be the patient zero that infects other people.

Yes, I know that this sucks. Website security is just another thing to worry about that you just don’t have time for right now.

Well, make time.

No one said running a business was easy. No one said things would never change. No one told you the internet was “set it & forget it”.  You weren’t promised any of that.

Look. You’re not alone. We all ran into this internet thing head first, excited at the prospects of what we may accomplish. Well, now it’s time to slow our roll & realize that we made a big mistake in ONLY locking the front door in a house full of windows & it’s time to start correcting it.

If you pride yourself on being a leader, knowing how to adjust with the market trends, anticipate the needs of your clients, & knowing how to stay ahead of the game, then you need to get ahead of this the same way you do everything else, & knock it out of the park because there are no “do overs”.

 

Want to test the security of your WordPress Website? Then hire one of the good guys.
It takes a good guy with a laptop to stop a bad guy with a laptop. Check out some options at:
WordPress Website Security – WordPress Penetration Testing

 
