Someone will try to hack your website. That is just a fact.
Your website traffic is valuable and anything of value will be stolen if it is not protected.
Hackers will even use your website’s resources to attack other websites. It’s a crap sandwich that you don’t want to be a part of.
But there are a few simple things you can do to deter ne'er-do-wells from poking around your stuff online. Just like locking your back door or keeping the front porch light on, these tips will prevent the low-life turds from breaking in.
Use Strong Passwords.
If you ignore all of these tips, please remember this one. Strong passwords will prevent the majority of WordPress break-ins.
One of the most common “hacks” is to run a program or script that tries to log in to your website using a list of common passwords over and over until it gets in. It’s super easy to do this and only takes a few minutes. If you have a strong password, the wannabe hackers will move on.
So what does a strong password look like? Well, first check out this list of passwords you shouldn't be using. Single words or names with a number on the end are a bad, bad idea. A strong password is a random collection of letters, numbers and symbols. The longer and more random, the better.
But do you want the hassle of an un-memorizable password? How about tracking down that little notebook where you wrote it down?
Use a password manager and it will make your life much easier and more secure. I like LastPass. It saves all of my passwords securely and autofills when I need them. Plus when I am setting up a new password it will create one for me that is long and complicated.
LastPass does require a password to access your vault, so you will need to know that one and it needs to be good. Also use the two-factor authentication option…more on that in a minute.
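Here is an added example (mine, not code from the post) that turns the advice above into a check you can run: it flags the word-plus-number pattern, measures how random a password really is, and generates one the way a password manager would. The common-password and dictionary lists are short constructed stand-ins for the real lists.

```python
import math
import re
import secrets
import string

# Constructed stand-in for the "passwords you shouldn't be using" list the post points to.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}
# Constructed stand-in for the word list a password-guessing script works through.
DICTIONARY_WORDS = {"password", "summer", "dragon", "monkey", "football", "welcome", "sunshine"}

def looks_like_word_plus_digits(pw: str) -> bool:
    """A single dictionary word or name with a number (and maybe one symbol) stuck on the end."""
    m = re.fullmatch(r"([A-Za-z]+)\d{1,4}[!@#$%^&*.]?", pw)
    return bool(m) and m.group(1).lower() in DICTIONARY_WORDS

def charset_size(pw: str) -> int:
    """How many different characters a guessing script has to consider per position."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size

def password_report(pw: str) -> dict:
    """Say whether a password would survive a list-based guessing script, and if not, why."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list; guessed in seconds")
    if looks_like_word_plus_digits(pw):
        reasons.append("dictionary word with a number on the end")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    # Bits of a truly random string over this character set: an upper bound, since
    # human-chosen passwords are far less random than that.
    cs = charset_size(pw)
    bits = len(pw) * math.log2(cs) if cs else 0.0
    if bits < 60:
        reasons.append("under 60 bits even if it were random")
    return {"strong": not reasons, "bits": round(bits, 1), "reasons": reasons}

def generate_password(length: int = 20) -> str:
    """What a password manager does for you: random letters, numbers and symbols."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```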
Keep your tools secure.
The tools you use to manage your online presence and create content should be locked down every bit as much as your website.
Every account you have online should have its own unique password. Again, a service like LastPass makes this easy.
If you need to write down your passwords, put them in a safe with your guns and your gold.
Your computer should be password protected. It’s annoying, I know, but if someone robs your house and takes off with your laptop you want that info inaccessible.
Another tip that most people don't think of is to not use the administrator account for everyday use. If you pick up some malware or a virus while using the admin account on your computer, that virus has free rein. If you use a limited account, that virus will have limited access.
Also, keep your computer clean. Get a good antivirus and firewall program. Your internet service provider should provide that to you for free.
Secure your email account. If someone can get into your email, it’s game over. They can find every password for every account tied to that email. Use two-factor authentication if it is offered.
With Gmail, for example, when two-factor authentication is required you have to enter your password AND a verification code that is either sent to you via text message or generated by their Google Authenticator smartphone app.
Use a good host.
Hosting your website is relatively cheap and eventually you will want to jump up from the shared hosting plans, but to start out I recommend Hostgator. You can get reliable hosting for a few bucks a month that lets you do just about anything you need to do and it’s still easy to use. Their support is great too.
There are tons of managed hosting options out there but if you’re running WordPress you will want to choose a plan from Page.ly, WPEngine, Synthesis, or Lightningbase.
Managed WordPress hosting is more expensive ($30-$90/month) but once you start getting more traffic, you’ll want to keep your pages loading fast and a managed host is the best option.
Get plugins directly from WordPress.
One of the great things about a WordPress website is the sheer number of plugins available that will let you do just about anything with your site.
Plugins are basically little apps that you install on your site to expand its functionality. You need to be careful where you get your plugins. Most come through the WordPress plugin repository, where they are screened and checked for malware. You can also access the repository from the plugins panel in your WordPress dashboard.
You can find plugins outside the repository, but be aware that they might not be the safest thing to install on your site, just as you shouldn't install random programs you download onto your computer.
Don’t use free themes.
Free WordPress themes are a waste of time. They might look nice but the code behind them is usually sub-par and will cause you problems later on.
Themes are relatively easy to put together and if a baddie can convince you to install their theme, they can do whatever they want with your site.
You want your site to run perfectly and the best way to make that happen is to buy a professionally coded theme. I have always been a fan of StudioPress.com because of its simplicity. The code is clean, fast and SEO friendly. Plus they look great.
WooThemes and Themeforest are also good options.
Keep a Backup.
It’s important to understand that your site can never be completely secure. If someone wants in bad enough, they will find a way in. Because of that fact, you should prepare for the day when you completely lose everything.
If you are running your site on a managed host, this will most likely be taken care of for you but it’s good practice to have your own backup as well.
Manually backing up your site can be a complicated process so plugins like Backup Buddy or Vaultpress are a must.
It's also a good idea to keep copies of your text and images handy in case your backups fail.
Know when you have been hacked.
The first step to fixing a problem is knowing that you have one. You should know when anyone logs in to your website, including yourself. You should know if you have been infected with malware and Google has blacklisted your site.
Sucuri’s plugin will help you monitor these things and I highly recommend installing it. It scans your site for malware, monitors your site’s files, and lets you know if you’ve been blacklisted.
It also offers some post-hack hardening features to limit whatever damage has already taken place.
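As an added example (mine, not code from the post or from Sucuri), this script does the "know when anyone logs in" check against the web-server access log your host gives you, and at the same time spots the password-guessing scripts described under Use Strong Passwords. The log lines are constructed; the 200-versus-302 rule assumes stock WordPress, which re-renders the login form on a failed login and redirects into the dashboard on success.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-server log lines (combined log format); not taken from any real site.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:02:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.2"
203.0.113.7 - - [10/Mar/2014:02:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.2"
203.0.113.7 - - [10/Mar/2014:02:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.2"
203.0.113.7 - - [10/Mar/2014:02:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.2"
203.0.113.7 - - [10/Mar/2014:02:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.2"
203.0.113.7 - - [10/Mar/2014:02:15:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.2"
198.51.100.20 - - [10/Mar/2014:09:30:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def login_events(log_text):
    """Every POST to wp-login.php. Stock WordPress re-renders the form on a failed login (200)
    and redirects into the dashboard on success (302), so the status is a usable success hint."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "POST" and m.group(4).startswith("/wp-login.php"):
            events.append({"ip": m.group(1),
                           "time": datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"),
                           "success": m.group(5) == "302"})
    return events

def find_bruteforce(events, max_failures=5, window=timedelta(minutes=5)):
    """Addresses with at least max_failures failed logins inside a sliding time window."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["success"]:
            by_ip[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= max_failures:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def successful_logins(events):
    """The 'know when anyone logs in' list, marking logins that followed a guessing burst."""
    guessing = find_bruteforce(events)
    return [(e["ip"], e["time"].isoformat(), e["ip"] in guessing) for e in events if e["success"]]
```

Run it over a day of real logs and the third field of each tuple tells you which successful logins were preceded by a flood of bad guesses from the same address, which is the one you want to hear about first.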
When you have a problem, get help.
If you get hacked and your site goes down or is blacklisted for malware, don’t panic. Get all of your information together and go to Sucuri.net. They are the best WordPress security service out there. Get their $99/year plan and you should be back up and running in no time.
Essential Security Plugins I use: