WordPress is the most popular website creation platform in the world. It’s open-source software, meaning anyone can study and work with the basic design language or code. It’s also a huge target for hackers searching for vulnerable business website. 86% of sites run out of date WordPress software that hackers mastered years ago.
That’s not good news for the security of your website.
February saw the largest brute force attack against WordPress sites that most experts had ever witnessed. Distributed brute force attacks use an automated network of computers to bust their way in to your website, trying every possible password in seconds. Every day I see small business owners using passwords children could guess.
WordPress is a fast car that too many business owners are unwilling to maintain, which is a shame. The question is: How do we fix security issues for small business websites?
Use Managed WordPress Hosting
Cheap shared hosting plans (those $3/mo. deals) just don’t cut it if you’re serious about your website investment. Would you put used tires on a Ferrari? No way.
The goal of managed hosting is to treat your website like a celebrity. Invest in A-level everything. Managed WordPress hosting with WP Engine goes for about $30 a month and lands you daily site backups, malware protection and built-in site speed optimization features tweaked by experts. They go to great lengths to prevent hacks and other nightmares. If something bad happens they offer to fix it for free, which is super cool and well worth your money.
Other managed WordPress hosting options to compare:
- Synthesis, from the people who publish Copyblogger.
- Pagely, one of the first managed WordPress services.
- GoDaddy just announced their own managed WordPress hosting at “a fraction of the cost of competitors”. Dreamhost has its own managed WordPress product too. Expect other traditional website hosts to follow suit.
Employ A Caretaker
Once you know your web host has your back on the big stuff, commit someone in your organization to take care of the little stuff. Ok, it’s all big stuff. A caretaker’s job is to do all the routine tasks specific to your site and your people. They are the people who call your hosting company when things go south.
Your caretaker needs to be trained on WordPress. They need to be very tech savvy. Ideally, these duties should belong to one of your full-time office staff. With a little staff training and support from a solid web host, your site can be secure from the inside out. However, if there’s no-one in your office to do this- or you just want to hand it all off- you totally can. There are WordPress experts online and in your local community who’d love to be paid to help out.
Checklist For Caretakers:
- Keep WordPress and all of your plugins completely up to date. Some managed hosts do this for you.
- Remove unused themes and plugins, these are sitting ducks for hackers.
- Use secure, frustratingly difficult to remember passwords for everything. Seriously. And change them often.
- Use the Limit Login Attempts plugin. This simple, but powerful tool blocks the repeated login attempts typical of brute force attacks.
- Make sure you have website backups. Ask your hosting provider how they backup your site and use a plugin like BackupBuddy to keep your own.
- Be vigilant. Know when shady things are happening around your site with the Wordfence security plugin. Get notifications if your site goes down with the Monitor feature in Jetapack.
- Create a maintenance schedule with all of your regular upkeep tasks so nothing falls through the cracks.
Still a little iffy on this website security stuff? iThemes lays out the risks and the best practices to avoid them in an easy-reading guide to website security. If you’d rather watch a video, WPMU DEV just released a YouTube series that talks you through WordPress security basics.
Managed WordPress hosting will block most hackers. But maybe you’d prefer to take a hands-on approach and code your own layers of protection. Here’s a few links for the vigilante in you:
- Get example code for defeating script-kiddies in keyboard-to-keyboard combat: The Definitive Guide to WordPress Security by Moz.
- Lock down your site by hand: 10 Useful WordPress Security Tweaks by Smashing Magazine.
There’s so much more you can do than just keep WordPress up-to-date. So. Much. More.
Managed WordPress hosting should be part of your security strategy; so should personal attention from a caretaker. Both can be costly, but these investments are absolutely required if you’re serious about doing business online.