Nothing will erode your audience’s trust in you faster than visiting your website and getting a security warning, or having Google flash a “You can’t trust this site” message in your search results.
Even worse, have you ever navigated to a site, started reading, and then been suddenly redirected to some spammy, shady-looking sweepstakes page? Or worse … you try to press the back button, and you can’t?
I have. It’s a pretty good sign that something got hacked on the original site, whether it was the site itself or a piece of code, like an ad script. It definitely makes me think twice about visiting again.
Don’t make your website visitors think twice!
With WordPress, the power of the platform is also the reason that security holes can develop and be exploited. While the ability to mix various themes and plugins with the content management system provides that flexible power, it also increases the potential for malicious access.
So, how can you protect your website from the evildoers who will stop at nothing to harm it for their own nefarious purposes?
The first step below is the most important.
Step #1: Choose a security-focused hosting provider
The most important security-related decision you will make is where you host your website. As you peruse different hosting options, or step back and review your current host from this perspective, ask this simple question:
What does my host bring to the table in terms of security?
You need a host that is specifically designed to provide an integrated environment that keeps your website safe from the bad guys.
What does that look like?
Well, a strong host should essentially take care of the rest of these steps for you. Sounds like a pretty sweet deal, right? Absolutely.
You don’t want to stress about security; you want to work on your content to build relationships with your audience members who will hopefully become future customers.
So, let’s look at these other steps and see what your hosting provider should deliver to you.
To see which hosting providers we recommend, check out our comprehensive guide to WordPress tools and plugins.
Step #2: Have automatic WordPress updates in place
The beauty of open source software like WordPress is that there are thousands of people constantly making it better, as well as thousands of eyes looking for security issues.
But it’s generally up to you to make sure you update your version of WordPress when there are problems with a previous release.
This means you have to keep track of when WordPress updates are available, back up your site, and then cross your fingers that the update doesn’t bork something. And then do it again a few weeks later when a new update is out.
That’s cumbersome. And it can be stressful. But it’s necessary.
The best solution is hosting your site with a provider that has an automatic update feature — and to turn it on, if it’s not on by default.
Then, your host essentially takes this responsibility and pressure off your plate. That’s good. That’s the value you pay for.
Step #3: Respect the risk presented by themes and plugins
The next question is: will the themes or plugins you want to install add security holes?
If your host comes bundled with themes and recommended plugins, then you can feel confident that everything will play nicely together and be as secure as it can be.
Shoddy theme and plugin code leads to easy access for hackers. Plus, it can kill your site speed and performance. A double whammy. This is why using themes and plugins that have been fully vetted by a security-conscious host is a smart idea.
Take the Genesis Framework, for example. This is the framework on which all themes are built at StudioPress.
Not only does the well-coded Genesis provide a strong line of defense, it also auto-updates when a new version is released and adds a layer of protection on top of the newest version of WordPress.
Plugin security is important too. First you must carefully select which plugins you allow into your site’s environment, and then monitor those plugins to make sure they are always updated to the latest version.
Plugins can be the blessing and the curse of WordPress, and you want to stay vigilant about keeping them updated at all times.
Helpful hint: If you’re running a plugin that does not update quickly after new versions of WordPress come out, start looking for a new plugin. It might mean that the plugin developer has abandoned the plugin, which doesn’t bode well for future improvements. At best, you’ll be using an outdated plugin, which is a recipe for security disaster.
Now let’s discuss two more areas where you and your hosting provider need to be really serious about security.
Step #4: Protect your site from DDoS attacks
Have you ever heard of a DDoS attack?
You’ve probably heard the term, even if you didn’t know what it means.
A distributed denial of service — DDoS — is a brute-force flooding attack in which multiple compromised systems (for example, bots) overwhelm your site with traffic until legitimate visitors can’t get through.
You need to make sure that your site’s host has proactive technology that allows it to detect and mitigate attacks quickly, while repeat offenders are detected and banned accordingly.
Good WordPress hosting will probably have some kind of proprietary technology in place for this — something like an “always on” intrusion prevention technology that works continuously to keep your WordPress install safe from vulnerabilities, intrusions, and exploits.
You would be wise to ask your host how they handle DDoS attacks, and you should hope they have a detailed explanation.
DDoS attacks are a serious problem, and they need to be treated with serious solutions.
Step #5: Deploy continuous malware monitoring
Finally, you need continuous malware monitoring. This really isn’t negotiable.
Unless you constantly monitor all of the folders and files that make up your website, how will you know if a hacker has broken in and left something?
Not all hacks and malicious code reveal themselves immediately in a public, obvious way.
And if your site has a ticking time bomb buried within it — really, if it has anything in it that you didn’t put there yourself — you need to know about it so you can take action.
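One way to implement the folder-and-file monitoring this step calls for, as an added example that is not from the original post or any host’s product: a small Python baseline-and-diff check. It assumes a standard WordPress layout (the wp-content/cache and wp-content/uploads paths are assumptions) and builds a constructed sample site in a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed layout: wp-content/cache is rewritten by WordPress itself, so it is
# ignored; uploads should hold only media, so only .php files are tracked there.
SKIP_PREFIXES = ("wp-content/cache/",)
UPLOADS_PREFIX = "wp-content/uploads/"

def snapshot(root: str) -> dict:
    """Map every watched file (path relative to root) to its SHA-256."""
    base, hashes = Path(root), {}
    for p in base.rglob("*"):
        rel = p.relative_to(base).as_posix()
        if not p.is_file() or rel.startswith(SKIP_PREFIXES):
            continue
        if rel.startswith(UPLOADS_PREFIX) and not rel.endswith(".php"):
            continue
        # Whole file in memory is fine for site files; stream for large media.
        hashes[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return hashes

def compare(baseline: dict, current: dict) -> dict:
    """Files added, removed or modified since the baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
    }

# Constructed sample site (not a real install) used by run_demo().
SAMPLE_SITE = {
    "wp-config.php": "<?php define('DB_NAME', 'constructed');",
    "wp-content/plugins/demo/demo.php": "<?php // constructed plugin",
    "wp-content/uploads/2024/photo.jpg": "not really a jpeg",
    "wp-content/cache/page.html": "cached",
}

def run_demo() -> dict:
    """Baseline the sample site, simulate a break-in plus benign churn, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_SITE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline = snapshot(tmp)
        (root / "wp-config.php").write_text("<?php // tampered")  # modified
        (root / "wp-content/uploads/2024/unexpected.php").write_text("<?php")  # added
        (root / "wp-content/plugins/demo/demo.php").unlink()  # removed
        (root / "wp-content/uploads/2024/new.jpg").write_text("media")  # ignored
        return compare(baseline, snapshot(tmp))
```

Keep the baseline file outside the web root (or on the host’s side), otherwise whoever can tamper with your site files can tamper with the baseline too.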
Many WordPress hosting providers partner with Sucuri for continuous malware monitoring, scanning, and remediation. If malware is found, the host (via Sucuri) takes the responsibility of removing it so you don’t have to worry about it.
Additionally, most hosts (any one worth using, that is) also scan for advanced threats, including conditional malware and the latest cyber intrusions. This should all be included as part of your hosting plan.
Adequate website security shouldn’t be an add-on that you pay more for, or something you have to completely rely on third parties for. Strong security should be a standard part of any web hosting package, so make sure you have it.
What should you do next?
I’d like you to pick one of the following actions. You can either …
Option #1: Create a recurring calendar or to-do list item that reminds you to check every other week for WordPress, plugin, or theme updates.
This way, even if you don’t happen to log in to your WordPress dashboard or you miss the alerts there, you’ll never go more than two weeks without checking.
Now, if your hosting provider has automatic updates for WordPress and even your theme and certain plugins, you may not need to do this. Just make sure the automatic updates are turned on. Then you can choose option #2 …
Option #2: If you don’t already know, ask your hosting provider how they are protecting you from DDoS attacks and malware injections. You may need to put in a support request, or find the answers in your host’s knowledge base or documentation.
You need to know this, even if it’s just for your own peace of mind.
I hope those options help direct your next step for today. Let’s keep building powerful, successful, and secure WordPress websites together.