Most site security discussions revolve around hardening your login or adding plugins. Those things alone will not fully protect your site: much of the low-hanging fruit for attackers actually lies outside the site itself. Here are easy steps you can take that will make your site, and every other online account you have, more secure.
Backups
The single best security blanket you can have for your site is several months’ worth of full backups stored off your site (not in the same hosting account, where an attacker who gets in can delete them along with the site). You usually don’t know how long a site has been infected, so keeping more than a couple of recent backups lets you go further back in time to find a clean restore point. Yes, you may lose some posts and comments in the restoration. So? That’s nothing compared to losing your whole site.
How to Backup Your WordPress Site – get this free report with multiple backup plugins and storage options, all rated, plus tips on setting intervals and other important info to ensure you have an effective backup strategy.
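As an added example (not from the original post or the report linked above), here is a backup script in the spirit of that advice: it archives the whole site tree together with a fresh database dump, names each archive by timestamp, and prunes archives older than about six months while always keeping the newest one. It assumes a conventional single-site install where the directory given holds wp-config.php, that mysqldump is on PATH, and that the destination directory is outside the web root; the retention window and all paths are assumptions.

```python
"""Full WordPress backup with age-based retention (added example, not the post's own code)."""
import os
import re
import subprocess
import tarfile
from datetime import datetime, timedelta
from pathlib import Path

KEEP_DAYS = 180  # about six months of restore points (assumption, tune to taste)


def read_db_config(wp_config_text):
    """Pull the database settings out of the text of wp-config.php."""
    cfg = {}
    for key in ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"):
        m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*['\"]([^'\"]*)['\"]" % key,
                      wp_config_text)
        cfg[key] = m.group(1) if m else None
    return cfg


def backup_name(site, when):
    """The archive name carries the timestamp, so retention needs no bookkeeping file."""
    return f"{site}-{when:%Y%m%d-%H%M%S}.tar.gz"


def parse_backup_date(name):
    m = re.search(r"-(\d{8}-\d{6})\.tar\.gz$", name)
    return datetime.strptime(m.group(1), "%Y%m%d-%H%M%S") if m else None


def select_expired(names, now, keep_days=KEEP_DAYS):
    """Archives older than keep_days. The newest archive is always kept, so a
    cron job that stalls for months can never leave you with zero backups."""
    dated = [(parse_backup_date(n), n) for n in names]
    dated = [(d, n) for d, n in dated if d is not None]
    if not dated:
        return []
    newest = max(dated)[1]
    cutoff = now - timedelta(days=keep_days)
    return sorted(n for d, n in dated if d < cutoff and n != newest)


def dump_database(cfg, out_path):
    """Run mysqldump; the password goes in via MYSQL_PWD so it never shows up in `ps`."""
    env = dict(os.environ, MYSQL_PWD=cfg["DB_PASSWORD"] or "")
    with open(out_path, "wb") as fh:
        subprocess.run(["mysqldump", "--single-transaction", "-h", cfg["DB_HOST"],
                        "-u", cfg["DB_USER"], cfg["DB_NAME"]],
                       stdout=fh, env=env, check=True)


def make_backup(site_root, dest_dir, site, now=None):
    """Archive the whole site tree plus a fresh DB dump, then prune expired archives.
    dest_dir must be outside site_root, or the archive would try to include itself."""
    now = now or datetime.now()
    site_root, dest_dir = Path(site_root), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    cfg = read_db_config((site_root / "wp-config.php").read_text())
    sql_path = dest_dir / f"{site}-db.sql"
    dump_database(cfg, sql_path)
    archive = dest_dir / backup_name(site, now)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname="site")  # themes, plugins, uploads, wp-config.php
        tar.add(sql_path, arcname="db.sql")
    sql_path.unlink()
    for old in select_expired(os.listdir(dest_dir), now):
        (dest_dir / old).unlink()
    return archive


if __name__ == "__main__":
    # Hypothetical paths. Copy the returned archive off the host (rsync, rclone, S3, ...).
    print(make_backup("/var/www/example", "/var/backups/example", "example"))
```

This only produces the local archive; the step that makes it a real safety net is copying each archive to storage the hosting account cannot reach, so that a compromised host cannot destroy the backups too.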
Passwords
Your login password needs to be super strong. But that’s not the only password you need to be concerned with.
Here’s the real deal with passwords: most folks use the same email/password combo for multiple accounts, so if any one of those accounts is hacked, all of the other accounts are at risk. Credentials leaked from one breach get tried against every other popular service, which is why reuse is the problem and not just a weak password.
Following are the steps that you can take to protect yourself with regards to passwords:
- Use strong passwords – long and random, not a dictionary word with a number on the end – see how
- Use a different password for every account – that includes all online accounts you have including:
- your site
- domain registrar
- social media
- premium plugin/theme purchases that required an account to download
- 3rd party services
- and go beyond your site to all other online accounts, such as your bank and even Craigslist, every single one
- Get a password manager (generator/vault) – LastPass and RoboForm are good choices. There are others, and many have mobile apps too. Protect the vault itself with a unique master password and 2-step authentication, since it now holds the keys to everything.
2-Step Authentication
More sites and services are offering 2-step authentication now. Use it on every one that offers it. Yes, it’s an extra step to log in. So? If you add up all of that extra time, in a year it will still be only a minute fraction of the time it takes to recover your site or a hacked account. Get your priorities straight on this. Where the service gives you a choice, an authenticator app on your phone is stronger than codes sent by SMS, which can be intercepted or redirected by a SIM swap.
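To see what that second step actually buys you, here is an added example (not from the original post) of how the six-digit code from an authenticator app is produced and checked: the RFC 6238 TOTP algorithm built on RFC 4226 HOTP, which is what Google Authenticator and compatible apps implement. The phone and the server share one secret; the code is an HMAC of the current 30-second time step, so a stolen password alone is useless without the device. The secret below is the published RFC 6238 test-vector key, not a real one, and the one-step tolerance in `verify_totp` is a common server-side choice, stated here as an assumption.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226): added example, not the post's own code."""
import base64
import hashlib
import hmac
import struct
import time

RFC6238_TEST_SECRET = b"12345678901234567890"  # the RFC's test-vector key, never use it


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte counter, dynamically truncate, reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits, algorithm)


def verify_totp(secret, code, at=None, window=1, **kw):
    """Server side: accept the code for the current step or up to `window` steps
    either side (clock drift), comparing in constant time so timing leaks nothing."""
    at = time.time() if at is None else at
    step = kw.get("step", 30)
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, **kw)
        if hmac.compare_digest(expected, code):
            return True
    return False


def secret_from_base32(encoded):
    """Apps are provisioned with a base32 secret (the payload of the QR code)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    print("current code for the test secret:", totp(RFC6238_TEST_SECRET))
```

The server-side check is the part people get wrong: the code must be compared with `hmac.compare_digest`, and the accepted window kept small, because a wide window hands an attacker more valid codes per guess.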
Mobile Device
Secure your mobile devices. You log in to a lot of apps on them, and you rely on them for 2-Step Authentication.
- Ensure that your device login (PIN, passcode or biometrics) is secure.
- Ensure that your logins to all apps you use on it are secure.
- Ensure that you know how to wipe your device remotely, should it ever be lost or stolen.
- Keep the backup/recovery codes for your 2-step accounts somewhere other than the phone, so losing the phone does not lock you out of your own site.
And another thing about mobile. Consider shutting down the ability to post to your site from your device. Posting from the mobile app goes through XML-RPC, and leaving XML-RPC enabled keeps an attack vector open: it is used for brute-force login attempts and for pingback-based DDoS. Read more about XML-RPC and shutting it off completely.
Hosting Account
During full Site Audits I find an average of 26 security holes, and most are not on the site. They are in the hosting account itself. Things like:
- no protection of the core files in the .htaccess file (for example wp-config.php left directly requestable)
- multiple live sites that have been abandoned, still installed and reachable but no longer updated
- orphaned folders, files and database tables left behind by plugins that were tried and then removed
- Base64-encoded malicious code that most site scanners miss
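As an added example (not the author's audit tooling and not a substitute for a real scanner), here is a heuristic scan for the last item on that list: it walks a whole hosting account, not just one site, and flags PHP files with the tell-tale shapes of droppers, such as `eval()` wrapped around `base64_decode()` or a long, high-entropy base64 blob. The sample it ships with is constructed from hashed junk bytes, not malware; the entropy threshold and the list of functions are assumptions to tune for your own code base.

```python
"""Heuristic scan for obfuscated/base64 PHP: added example, not the post's own code."""
import base64
import hashlib
import math
import re
from pathlib import Path

# Functions that rarely belong in a theme or plugin file, least of all together.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I)
EVAL_OF_DECODE = re.compile(
    r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
ENTROPY_THRESHOLD = 4.5  # bits per char (assumption); encoded code sits well above it


def shannon_entropy(s):
    """Bits per character: repeated filler ('AAAA...') scores near 0, encoded code high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text):
    """Return (reason, snippet) findings for one PHP source; empty for clean code."""
    findings = []
    for m in EVAL_OF_DECODE.finditer(text):
        findings.append(("eval of decoded payload", text[m.start():m.start() + 40]))
    for m in SUSPICIOUS_CALLS.finditer(text):
        findings.append((f"call to {m.group(1).lower()}()", text[m.start():m.start() + 40]))
    for m in LONG_BASE64.finditer(text):
        blob = m.group(0)
        # Entropy filter keeps padding-like runs out of the report.
        if shannon_entropy(blob) >= ENTROPY_THRESHOLD:
            findings.append(("long high-entropy base64-like string", blob[:40] + "..."))
    return findings


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a directory tree and report findings per file, keyed by path."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            found = scan_text(path.read_text(errors="replace"))
            if found:
                report[str(path)] = found
    return report


# Constructed sample in the shape of a typical dropper; the blob is hashed junk, not malware.
_JUNK = hashlib.sha256(b"sample-a").digest() + hashlib.sha256(b"sample-b").digest()
SAMPLE_DROPPER = "<?php eval(base64_decode('" + base64.b64encode(_JUNK).decode() + "')); ?>"
SAMPLE_CLEAN = "<?php\nfunction my_theme_setup() { add_theme_support('title-tag'); }\n"


if __name__ == "__main__":
    # Hypothetical path; point it at the top of the hosting account, abandoned sites included.
    for path, found in scan_tree("/var/www").items():
        print(path)
        for reason, snippet in found:
            print("   ", reason, "|", snippet)
```

Expect some noise from legitimate code (embedded images and minified libraries also produce long base64 runs), which is exactly why a finding is a starting point for a manual look rather than a verdict, and why orphaned plugin folders from the list above deserve the same scan as the live site.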
Bot Attacks
The best way to prevent a bot attack is to never let the bots get near your site. Plugins can only detect hits that have already reached the site and hopefully reject them, and that eats up precious hosting resources, because PHP and the database still run for every request they reject. Attack vectors also change all the time, sometimes daily. So the best defense against all bot attacks is to keep them from ever reaching your site in the first place.
There are two good methods to accomplish this:
- CloudFlare – a CDN that also offers some manner of bot protection in its free plan, which few CDNs do. Read How Site Performance and Security Work Together.
- Firewall on your host or other outside service – there are plugins that can do this, but again the bots have to hit your site first for them to work. Better to have this service a level above, or outside, your site.
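The difference between "detect the hit on the site" and "stop it a level above" is easiest to see on the server's own access log. As an added example (not from the original post), the script below reads combined-format log lines, counts POSTs to wp-login.php and any hits on xmlrpc.php per client IP inside a sliding five-minute window, and emits an Apache 2.4 deny block for the offenders. It covers both the XML-RPC point made under Mobile Device above and the bot attacks discussed here. The log lines are constructed, using the reserved documentation IP ranges; the threshold, the window and the Apache 2.4 `Require` syntax are assumptions to adapt to your own host.

```python
"""Brute-force / XML-RPC abuse detection over an access log: added example, not the post's own code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Paths bots hammer, and the method that matters (None = any method).
TARGETS = {"/wp-login.php": "POST", "/xmlrpc.php": None}


def parse_line(line):
    """Combined log format -> dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def target_hits(lines):
    """Timestamps of hits on the watched paths, grouped by client IP."""
    hits = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e is None or e["path"] not in TARGETS:
            continue
        want = TARGETS[e["path"]]
        if want is None or e["method"] == want:
            hits[e["ip"]].append(e["ts"])
    return hits


def offenders(hits, threshold=20, window_seconds=300):
    """IPs with at least `threshold` hits inside any `window_seconds` span.
    Sliding window, so a slow trickle of one attempt a minute is not flagged."""
    bad = {}
    for ip, times in hits.items():
        times = sorted(times)
        lo, best = 0, 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bad[ip] = best
    return bad


def htaccess_deny(ips):
    """Apache 2.4 block for the offenders (assumed syntax), for an .htaccess above the site."""
    rules = "\n".join(f"    Require not ip {ip}" for ip in sorted(ips))
    return f"<RequireAll>\n    Require all granted\n{rules}\n</RequireAll>"


def make_sample_log():
    """Constructed log: a fast wp-login brute force, an xmlrpc flood, a slow trickle
    and one legitimate user. Timestamps start at 10/Oct/2014 10:00:00 UTC."""
    t0 = datetime(2014, 10, 10, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, method, path, offset, status=200):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = [line("203.0.113.5", "POST", "/wp-login.php", i * 2) for i in range(25)]
    lines += [line("198.51.100.7", "POST", "/xmlrpc.php", i * 3) for i in range(30)]
    lines += [line("198.51.100.9", "POST", "/wp-login.php", i * 60) for i in range(25)]
    lines += [line("192.0.2.10", "GET", "/", 5),
              line("192.0.2.10", "POST", "/wp-login.php", 7, 302)]
    return lines


if __name__ == "__main__":
    found = offenders(target_hits(make_sample_log()))
    print(found)
    print(htaccess_deny(found))
```

Run against a real log this is reactive, the same as a plugin but without the PHP cost per request. Feed the resulting list to a firewall in front of the host, or let a CDN do this counting for you, and the requests never touch the site at all.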
The Internet of Things
Yes, there really is such a thing, abbreviated IoT.
You need to secure everything you own that is attached to the Internet. Those include:
- Cell phone
- Xbox
- Wi-fi router
- Smart TV
- Home security system
- Baby monitor
- Any smart device that connects to the Internet
Hackers want access to these devices for three reasons:
- Money – especially if Bitcoin wallets or payment apps are on the device
- Login credentials (username, password, email) stored or typed on the device
- Fodder – the device gets recruited into a botnet and used to flood targets during a DDoS attack
Stay Informed
Follow my Tips Tuesday Podcast on iTunes and/or the blog post.
Hang out with me on G+. That’s where I cover news as it breaks and give you links and info for what you need to know and how to protect yourself.
Further Reading
Get to know more about different bot attacks, cyber security, and site performance, so you can properly vet the info you read online.
The Great Bot Attack of 2014 and What to Do About it
Disable XML-RPC in WordPress to Prevent DDoS Attack
DDoS Attacks, Brute Force Attacks, and Site Security
How Site Performance and Security Work Together
Get Your Whole Account Checked
Full Site Audits are the only way to get everything checked on your whole hosting account and site.
A deep dig through your database, core files, and plugins will make a world of difference to securing your site, and give you peace of mind.