How to keep your website from getting hacked

Probably the most common issue that small and even many mid-sized businesses face with their website is the lack of a dedicated employee to make sure the website is updated and secure. The latest estimates from the National Small Business Association put the cost of a hacked website at over $8,500, and they report that over 44% of small businesses have been cyber attacked. So what can you do to ensure that your business doesn’t become part of these statistics?

Keeping your site updated

Since most small to mid-sized businesses rely on content management systems like WordPress, Drupal, and Joomla, keeping the CMS updated is incredibly important. In the days of static HTML coding, the only way for a hacker to gain access to a website was by gaining access to the server itself. But today, with almost every website running some variant of CMS, hackers have multiple potential holes to exploit, via themes/templates, plugins, and the CMS itself, to gain control of a website and turn your business’s website into a spam-ware host or link farm. So what can you do to combat this threat? The first step you can take is to always keep your website updated to the latest version of your CMS. Since WordPress is by far the most popular CMS available today, most of our recommendations and terminology will focus on WordPress installs, although the advice is relevant to any CMS.

Only use trustworthy plugins

Since themes and plugins present another potential hole for a hacker to exploit to gain access to your website, it is incredibly important that you choose plugins that are trustworthy.  By trustworthy, I mean only buying premium plugins from trusted companies and only using free plugins that have been updated within the past 6 months or less.  If it has been longer than that since a plugin has been updated, chances are the developer isn’t actively maintaining the plugin and any potential security flaw can be exploited.
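
As an added example (not from the original article or from any plugin vendor), this Python script applies the six-month rule above to a plugin inventory. The inventory records, slugs and date strings are constructed for illustration, and "6 months" is approximated as 183 days.

```python
import json
from datetime import date, datetime, timedelta

MAX_AGE = timedelta(days=183)  # the article's "6 months", approximated in days

# Constructed sample inventory (not real plugins). Each record holds the slug,
# where the plugin came from, and the last release date you recorded for it.
SAMPLE_INVENTORY = json.loads("""
[
  {"slug": "example-forms",   "source": "directory", "last_updated": "2024-05-20 3:12pm GMT"},
  {"slug": "example-slider",  "source": "directory", "last_updated": "2022-11-02 9:40am GMT"},
  {"slug": "example-seo-pro", "source": "premium",   "last_updated": "2024-01-15"},
  {"slug": "example-gallery", "source": "directory", "last_updated": null}
]
""")

def parse_release_date(value):
    """Return a date from text starting 'YYYY-MM-DD', or None if missing or unparseable."""
    if not value:
        return None
    try:
        return datetime.strptime(value.split()[0], "%Y-%m-%d").date()
    except ValueError:
        return None

def audit_plugins(inventory, today):
    """Classify each plugin as 'ok', 'stale' or 'unknown' against MAX_AGE."""
    report = {}
    for plugin in inventory:
        released = parse_release_date(plugin.get("last_updated"))
        if released is None:
            # No usable date: nothing shows the plugin is maintained, so review it by hand.
            status = "unknown"
        elif today - released > MAX_AGE:
            status = "stale"
        else:
            status = "ok"
        report[plugin["slug"]] = status
    return report

if __name__ == "__main__":
    # Fixed "today" so the sample output is reproducible.
    for slug, status in audit_plugins(SAMPLE_INVENTORY, date(2024, 7, 1)).items():
        print(f"{slug:18} {status}")
```

Plugins reported as stale or unknown are the ones to replace or review first.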

Enforce good login policies

If you are running WordPress, by default your primary user is named “Admin.” Since this user has complete access to your website, leaving the username as “Admin” presents a very tempting target to anyone wanting to gain access to your WordPress site via a brute force attack. So if your username is “Admin,” do yourself a favor: log in to your website and create a new username for yourself. Name yourself anything you want except Admin. Now you can delete your “Admin” user and migrate those posts to your new account. This, along with a strong password that makes use of upper-case and lower-case letters, numbers, and special characters, makes your website much more secure. If you have multiple users, encourage them all to check their passwords. If they don’t measure up to “Strong” on the WordPress password strength meter, then they definitely aren’t strong enough, and depending on the individual’s access level, they could be opening the backdoor to your website.

Make sure your server is secure

Most of today’s website hosting happens on shared hosting environments. While this is a great way to keep website hosting costs low, it can open your website up to additional security loopholes. Not all hosting environments are created equal: some have laxer security policies to enable them to lower their operating costs. So the $1/month unlimited hosting plan that you found when you Googled “Cheap hosting plans” might end up not being so cheap after all. But that’s not to say that all inexpensive hosting providers are bad or are going to open your site up to cyber attack. So before you sign up for the all-you-can-consume storage, bandwidth, and bacon plan, check around for happy and unhappy customers. Trust me, every web host is going to have unhappy customers no matter how great they are; it’s just part of doing business, but they can help you decide if that host is right for you. If you would like to talk about hosting options, drop us a line and we can look at your website and help you get set up on the best option for you.

What else can you do?

If you would rather not deal with the security requirements of running a website, you can contract with a company like Oso Studio that offers a WordPress maintenance service. We call our service WPFueled. Depending on your level of service, we will scan your site on a monthly basis and ensure that you don’t have any strange code lingering, waiting to open your site to attack. We will take care of all of your backend updates so you never have to worry about an out-of-date plugin or theme allowing your site to be hacked. And regardless of which level of service you choose, you will receive unlimited WordPress fixes, tweaks, and support available 24/7. It’s like an insurance policy to keep your website running.

If you are worried about your website’s security, give us a call today for a security consultation or sign up for WPFueled and never have to think about the IT side of your WordPress website again.