Nothing could be worse for your tourism business – a potential guest goes to your website and, instead of seeing exciting images and details of your safari tours, finds a big, red screen with the warning message:
Warning: Visiting this site may harm your computer!
Their business is gone forever. Worse, every client or agent who goes to your website will be driven away by the same warning.
A hacked website could cause you to lose thousands of dollars' worth of business.
Your website is at risk of being hacked.
Hackers are always looking for new ways to break into websites. Sometimes that involves a new technique and sometimes they discover a new vulnerability to exploit.
No website is 100% secure but there is a lot you can do to minimise your risk.
WordPress is an excellent content management system, which is why 25% of all websites in the world use it. However, poor security practices and lack of maintenance can make it vulnerable.
The most common causes for a hacked website are:
WordPress website security best practice involves a 3 step strategy.
To start securing your website you must implement basic security practices to lock out hackers and keep your website safe and secure.
Only give a select group of users access to the dashboard of your website. Only give each user the access level required to do their job.
A former client’s website suffered the Red Screen of Death recently. When they asked me to rescue them I logged in to the dashboard and found multiple users who had complete control of the website.
A series of contractors had worked on the site. All had free run of the website and had not been removed after the work was finished.
Tip: Never hire a contractor who is using a Gmail or Yahoo email address. If there is a problem, they are gone.
The security of your website is only as good as your password. Simple passwords are simple to discover and give easy access to your website.
The simplest way to hack a website is by a brute force attack: the attack tries usernames and passwords, over and over again until it gets in. Using a default username like ‘admin’ and a simple password is like leaving the keys in the door when you go out.
Look at a section of my own website security report and you’ll see multiple attempts to hack in using the ‘admin’ username. My security plugin identified these attempts and blocked them.
I know a strong password is hard to remember but it’s far better than having a hacked site.
Old software is one of the biggest security threats to a WordPress website.
WordPress is updated semi-regularly and these updates often address security vulnerabilities as well as enhancing performance. When a security issue is identified a security update is released immediately.
Similarly, themes and plugins are updated over time to address bugs and compatibility issues, add features and, importantly, remove security vulnerabilities.
It’s very common for website owners who manage their own websites not to bother updating the website components, but that leaves you open to a hack.
Security plugins are an important defence for your website. These plugins protect your website in a number of ways, including:
I use Wordfence, but there is an array of good security plugins to choose from. BulletProof Security, Sucuri Scanner and iThemes Security Pro are popular choices. Most security plugins have a free version as well as a premium version so there is something for everyone.
Not every hack is obvious. Some hacks are quite subtle and can add hidden code to your website.
For example, when reviewing Thousand Hills Expeditions’ website for the 2014 Indaba I noticed strange code hidden on many of their web pages.
A hacker has inserted links to dubious websites throughout the Thousand Hills Expeditions website. This hack will have very likely damaged Thousand Hills Expeditions’ search engine rankings.
Whilst the web page itself is hard to read you can’t see the changes the hackers have made. The code is still there more than a year later.
Some hacks can make changes to other core files which are very hard to identify. These hacks can wreak all sorts of damage and try and corrupt visitors to your website.
Running a regular scan of your website with a security plugin can quickly identify that a hack has occurred and help you to fix it.
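To make the hidden-link hack described above concrete, here is an added sketch in Python (not part of the original article, and not how Wordfence or any other plugin is implemented) of one check a scan can perform: flagging links to other domains that sit inside elements hidden with inline CSS. The function name, the list of hiding patterns and the sample page with its domains are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline-CSS patterns that hide content from visitors (assumed list, not exhaustive).
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "embed", "source", "wbr"}

class HiddenLinkFinder(HTMLParser):
    """Collects external links that sit inside an element hidden by inline CSS."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []      # one bool per open element: is it, or an ancestor, hidden?
        self.findings = []   # (href, line number in the page source)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        inherited = bool(self.stack and self.stack[-1])
        hidden = inherited or bool(HIDING.search(attrs.get("style") or ""))
        if tag == "a" and hidden:
            host = (urlparse(attrs.get("href") or "").hostname or "").lower()
            # Relative links and links to the site's own (sub)domains are ignored.
            if host and host != self.site_host and not host.endswith("." + self.site_host):
                self.findings.append((attrs["href"], self.getpos()[0]))
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

def find_hidden_links(html, site_host):
    """Hypothetical helper: return [(href, line)] for hidden links leaving site_host."""
    finder = HiddenLinkFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page: one visible partner link and one injected hidden block.
SAMPLE = """<html><body>
<p>Book your <a href="https://partner.example/lodges">lodge</a> today.</p>
<div style="position:absolute; left:-9999px">
  <a href="http://pills.example.net/cheap">cheap pills</a>
  <a href="/tours">our tours</a>
</div>
</body></html>"""
```

Running `find_hidden_links(SAMPLE, "safari.example")` reports only the link inside the off-screen block; links hidden through external stylesheets or injected by scripts need a fuller scan than this sketch.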
If the worst occurs you need to be ready to get your website up and running again as fast as possible. The best protection can still be circumvented so it’s essential to be prepared.
Imagine if you lost your website. How many thousands of dollars of business would you lose whilst it’s down? How much would a new website cost you if it can’t be recovered?
Whatever you do, make sure you take a regular backup of your website.
Once is not enough as you’ll make changes to it over time and that will all be lost if you don’t back up regularly.
There are plugins that enable you to schedule automatic backups so you’ll never forget to do it. BackupBuddy is highly popular and the plugin that I use. Other popular plugins are VaultPress and UpdraftPlus.
How often you should back up your website depends on how you use your website but at a minimum do a complete backup monthly and a database backup weekly.
Store your backups off-site so they aren’t affected by a hack as well.
This gives you an overview of the essentials of WordPress website security. Please talk to us if you’d like to know more.
We have several website support packages which include regular security scans and complete off-site backups for your peace of mind.