Securing Your Website From Hackers
It’s 3 a.m. You are in bed sleeping, but someone out there is hard at work destroying your website. Are you protected against their attempts?
Unfortunately, most webmasters are not protected.
After this website went live, within the first 10 days there were 14 different attempts to hack the site. No one is exempt from the hackers, so the best way to protect yourself is by putting some preventative measures in place from the start.
Your objective in this chapter is to better understand the malicious attempts of hackers and discover a few basic tactics to increase the security of your site.
Why Do Hackers Exist?
Here are a few common motives of hackers:
- They don’t like you or your content and want to destroy your website.
- They want to create a reputation as the best hacker (typically these people are hacking government or large corporation sites).
- They are curious about what is within their abilities.
- They are using “Black Hat” SEO techniques.
- They aim to steal information.
Other motives for hackers exist, but these are the most common. Everyone is subject to them, even people who simply use social media.
How to Know if Your Site Has Been Hacked
A hacker’s intentions will typically determine whether or not you know you’ve been hacked.
If a hacker’s intention is to steal information, they will probably cover their tracks on purpose so you don’t find out. “Black Hat” SEOs simply add a link somewhere on your site directing traffic back to them, but otherwise leave your site as it is so you never notice or fix it.
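One way to look for the injected link described above, as an added example that is not part of the original article: parse a saved copy of a page, list every link that leaves the site, and mark links placed inside elements styled to be invisible. The sample page, the host names and the `trusted_hosts` parameter are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, hidden) for each <a>; assumes reasonably well-formed HTML."""
    HIDING = ("display:none", "visibility:hidden")
    VOID = {"br", "img", "hr", "input", "meta", "link"}

    def __init__(self):
        super().__init__()
        self.stack = []  # one flag per open element: does its style hide content?
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hides = any(rule in style for rule in self.HIDING)
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"], hides or any(self.stack)))
        if tag not in self.VOID:
            self.stack.append(hides)

    def handle_endtag(self, tag):
        if tag not in self.VOID and self.stack:
            self.stack.pop()

def audit_links(html, trusted_hosts):
    """Return every link that points off-site, noting whether it is hidden."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, hidden in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host and host not in trusted_hosts:  # skip relative and trusted links
            findings.append({"host": host, "href": href, "hidden": hidden})
    return findings

# Constructed sample page: two normal links, one known partner, one injected link.
SAMPLE_HOME_PAGE = """<html><body>
<a href="/about">About</a>
<a href="https://www.example.com/contact">Contact</a>
<a href="https://partner.example.org/">Our partner</a>
<div style="display: none"><p><a href="http://cheap-pills.example.net/">deals</a></p></div>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HOME_PAGE, {"www.example.com"}):
        print(finding)
```

A visible off-site link may be legitimate, so review the list by hand; a hidden one that you did not add yourself deserves a closer look.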
If a hacker’s intention is to deface your website, they may add a graphic or music to your home page with a message similar to “Hacked By…” so that they can be “credited” with the damage. If you’ve been hacked this way, the hacker has probably already hidden code all over source files and the database, making it virtually impossible to discover everything they altered.
For victims of this hacking, there are only two methods of recourse: a) restore a backup from prior to the hack (hopefully you have a reliable one) or b) delete everything and restart your website. Unfortunately, both will probably result in some amount of lost data.
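Before restoring, a known-good backup can also show which files on the live site were touched. The following is an added example, not part of the original article: it hashes every file in two directory trees and reports what was added, removed or modified. It covers files only, not the database, and the directory layout and file contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_to_backup(backup_dir, live_dir):
    """Report how the live site differs from the known-good backup."""
    backup, live = snapshot(backup_dir), snapshot(live_dir)
    shared = set(backup) & set(live)
    return {
        "added": sorted(set(live) - set(backup)),
        "removed": sorted(set(backup) - set(live)),
        "modified": sorted(f for f in shared if backup[f] != live[f]),
    }

def demo():
    """Build a constructed backup and a tampered live copy, then compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        theme = "wp-content/themes/mytheme"  # hypothetical theme name
        for root in (backup, live):
            (root / theme).mkdir(parents=True)
            (root / "index.php").write_text("<?php // front controller\n")
            (root / theme / "footer.php").write_text("<footer></footer>\n")
        # Constructed tampering: one altered template and one unexpected file.
        (live / theme / "footer.php").write_text(
            "<footer></footer><a href='http://spam.example.net/'>x</a>\n")
        (live / "wp-content/uploads").mkdir(parents=True)
        (live / "wp-content/uploads/cache.php").write_text("<?php // unexpected\n")
        return compare_to_backup(backup, live)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Files you uploaded or updated yourself after the backup was taken will also appear as added or modified, so read the report against what you know you changed.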
What to Do About Hackers
Restoring a website can be a huge hassle (in addition to restoring the possible damage it has done to your brand)! Therefore, we advocate that the best action is to be proactive and protect yourself from an attack.
Protecting yourself from being hacked
Step 1: Make sure that your website is automatically backing up content whenever it is added. This is very important with or without hackers.
Step 2: Make sure your website is difficult to target.
Imagine two cars in a parking lot. One is locked with the windows up and the second is unlocked with the windows down and cash on the front seat. Which one do you think a thief will target first?
Is your WordPress login the default “admin” and your password “password”? If so, you’ve got your windows rolled down.
While having the most extensive security possible for a small business website does not always make sense financially, it is important to make it more difficult to hack than the average website. If it looks like a pain to hack, most hackers will just move along to the next website.
Unfortunately, there is no perfect, 100% guarantee that your website will not be hacked. However, you’re already doing better than most if you follow the steps below.
Note: If you are collecting personal data such as credit cards or social security numbers, etc., we recommend that you visit with a security expert in lieu of this post.
Simple Fixes to Boost Security
Fix 1: Create a custom, secure username and password.
The easiest fix is to have a custom username and a secure password. This can be done when the site is being installed. If you already have a site set up that is using a username other than “Admin,” you can choose to just change your password to be more secure (the minimum we recommend).
Update your password
- On the left-hand side of your WordPress dashboard, highlight “Users” and click “Your Profile”.
- Scroll down to “New Password” and enter a new password there. Hints: ideally the password will be over 12 characters long and contain at least one each of an upper-case letter, a lower-case letter, a number, and a special character (don’t start the password with a special character). Click save and you’re done with this step.
Update your username
- If your username is “Admin,” we recommend updating it.
- With WordPress you cannot change your username. Instead, create a new user and then delete the old “Admin” user. To do that, highlight “Users” on the left-hand side and click “Add New.” On this page, simply enter the new user data. Make sure to set the role to “Administrator” and use a complex password.
Fix 2: Install plugins to increase security
You want to have a plugin or combination of plugins to manage security from other angles.
Wordfence Security and BulletProof Security are two popular choices that cover a variety of security issues. (With both of these plugins you want to make sure they are fully set up, not just installed.) Simply follow the tutorials offered by the plugins.
Remember, none of these updates or fixes are 100% guaranteed to protect your site. These are simply basic setting alterations to put in place. However, by utilizing these tips, you will significantly reduce your risk of being hacked, at least more so than the average WordPress site.
Huzzah! You’ve met your objective of better understanding the malicious attempts of hackers and discovering a few basic tactics to increase the security of your site.
There’s only one more chapter left in this series. You’re almost there. Keep up the good work!