Let’s set the stage: your brand new website is up and running, you’ve chosen a great web host (based on our last article), and you’re ready to make that ever-important first post on Facebook. Just as you’re about to click ‘Post’, you check your website one more time just to make sure everything is perfect – and to your surprise and dismay, it’s been replaced by a spammy redirect to some less-than-savory site.
This exact scenario (give or take a social media post) happens to about 30,000 websites a day, and an estimated 80% of businesses have to deal with some of their systems being hacked over the course of a business year. With stats like that, it’s more important than ever to harden website security against malicious attacks.
In our last Digital Best Practices post – “What’s a Website Host and Why Should I Care?” – we discussed the importance of website security hardening, and how good security practices begin with your hosting environment. For this second part of our three-step security approach, we’re going to discuss how to up your security game for your WordPress website. We’re going to focus specifically on WordPress, as it currently makes up about 52% of websites on the internet and the number one criticism of the WordPress platform is often its security concerns. If you have questions about other content management systems or other security questions, don’t hesitate to reach out and ask us!
Our number one recommendation for increasing the built-in security measures on your WordPress installation is to use an add-on website security platform. There are plenty to choose from, and most of them will charge a monthly subscription fee for the premium levels of protection. If you’re concerned about data loss or house business systems on your website, don’t be afraid to splurge a bit for the higher levels of protection. While you’re evaluating these platforms for your site, these are the features you should look for:
- Website Integrity Monitoring – Integrity monitoring is like a constant health check on your website. A good scanner will sweep your site every 3-12 hours to ensure that your site is clean of malware, malicious scripts, malicious iframes, suspicious redirections, spammy link injections and more. Some platforms also offer blacklist monitoring to make sure that your site hasn’t been blacklisted by search engines.
- Server Side Scanning – This scanner often uses FTP/SFTP to directly connect to your website host and regularly scan and track all of your site files for malicious changes. This is often the first place we find warnings for hacked websites.
- WordPress Audit Log Plugin – One of the main security concerns on WordPress sites is third-party plugins that have some sort of security compromise. First things first – choose only highly rated, well-supported plugins. If a plugin feels spammy or strange, it probably is. But in the event that you accidentally install a compromised plugin, a security platform should offer an audit log of all plugins to detect any changes that the plugin’s installation has caused.
- Alerts – Because what good is a security platform if you don’t know when something is happening? Most platforms offer a robust selection of alerts that can be set up to notify you of recent account activity. Choose carefully when setting these up, as setting them too strictly can cause you to get an overwhelming flood of alerts that would dull the senses of even the most tech-savvy web gurus.
- Malware Detection and Cleanup Service – In the event that your website is compromised with malware (and hey, it happens), some platforms will offer a cleanup service that will either restore a previous version of your website, or isolate and remove any infected areas so that it won’t happen again.
- WP-Admin Protection – The portal to the administrative area of your WordPress site usually lives at the same address on every installation, meaning malicious web bots can simply crawl the internet looking for unsecured portals to target with brute-force attacks. There are a number of plugins and platforms that protect this area by limiting login attempts and restricting access to it.
- DDoS Mitigation – DDoS attacks are becoming more and more prevalent, as they’re a relatively simple attack to orchestrate and often work with overwhelming effect. A good website security platform will be able to alert you when these types of attacks are happening and mitigate most or all of the incoming traffic.
- Uptime Scanner – An uptime scanner will alert you anytime your website is down for any reason and provide overall statistics for how often your website is up and running.
- DNS/SSL Monitoring – As an added layer of support, some platforms offer monitoring solutions for your DNS settings and SSL validity. With these, you can be sure that there are no malicious redirects set up on your domain name, and that your security certificates are functioning as intended.
- Active Website Application Firewall (WAF) – As a final security measure, one of the most robust steps you can implement on your website is a Web Application Firewall. This works by filtering all traffic that is attempting to access your website through a firewall and blocking any suspicious or blacklisted traffic from ever reaching your website. Geographic-based blocks can also be set up to restrict access to only those who need to see your content.
If you’ve never considered website security, there’s a good chance you’re worried by now. Internet security is evolving as the technology does, and it’s moving quickly.
The good news is that you don’t have to worry about it alone. If you don’t have nerdy friends or an IT department you can ask more about this, we have a couple on staff and a team of digital professionals who are passionate about digital security. To learn about step 3 of our recommended security approach, check back soon for more in our Digital Best Practices blog series.
Looking to develop a new website? Contact us to get a more individualized assessment, or call us at 972.488.1660.
We are a Dallas advertising agency with extensive expertise in website development.