WordPress now powers over 30% of the websites in the world. This means that around 1 in 3 websites are powered by WordPress. It has grown a lot since the initial fork away from the b2 platform in mid-2003, now offering a fantastic platform with a lot of flexibility for many different types of business purposes.
As with any software, it’s important to keep your WordPress website secure. WordPress is a great tool, but like any software if you don’t keep it up to date, you can leave yourself vulnerable to problems.
Leaving your website out of date and ignoring basic security protocols would be similar to leaving the front door of your home open and setting up a neon sign outside saying “Please take anything you want”. This might sound silly, but that’s exactly how a vulnerable website will look to malicious attackers – pink neon and all.
WordPress website security is critical to your business if you own or manage a WordPress website.
Protect your investment
As a business owner, you’ve invested time and money into your website. For the vast majority of business owners, your website will have been built by a third party – typically a design agency or solo web designer. The smaller minority, who have commendably built your own websites, you’ve imparted your own knowledge into creating your website as well as likely scouring the Internet, looking for solutions to make the website function exactly how you want it to.
That’s not to mention that you have likely also invested money in branding, content creation, marketing, social media promotion and more. If you don’t have a plan in place to take care of your website, you put all of that investment at risk. Is that an acceptable risk for your business?
Recovering from a malicious attack or hack on your website can get quite expensive very quickly, even more so if you do not have a clean backup of your website available.
Having a clear plan in place to take care of your website, manage updates and to keep it secure will not only protect the investment that you have made, it will also bring you peace of mind.
What happens if it all goes wrong?
Let’s put ourselves in the position of having a vulnerable website for a moment and consider the problems that we could have when something goes wrong. Here are a few examples and their potential repercussions:
When a website is hacked, your hosting company may detect this (particularly if it has malware on it) and shut the website down to protect website users and other customers on their platform. With a website that is no longer on the Internet, you have instantly lost the major part of your web presence.
Should your website be taken down by a malicious user or your hosting company, your users are going to be affected. If you have an informational website, users can no longer interact with your content. Perhaps you sell online courses… guess who can no longer access the courses that they’ve purchased? Maybe you showcase your work and potential customers view these works in detail before ordering from you – how are they going to view your work now?
When a business website is maliciously attacked, one of the biggest issues will be lost income. Perhaps you sell products or services directly through your website – well, you won’t be getting any sales whilst your website is affected. This can be life or death for some companies, especially if their major income channel is their website alone.
For business professionals, the credibility of your business means everything. You always want to be seen as the best version of both your business and also yourself. If your website is offline, defaced or maliciously attacked in many other ways – this can mean an instant loss of credibility for your business. Imagine yourself as a 24-hour locksmith, for example, whose website has been hacked. Does that fill customers with confidence if the business owner couldn’t even keep their website secure?
This can be a huge issue, especially for companies in Europe or who work with European customers, since the GDPR changes that came into effect earlier this year. We see on an almost daily basis now that companies are admitting data loss, including personal details of their customers. Data loss has to be reported and this can present many more legal and financial issues, including fines from relevant bodies such as the ICO (Information Commissioner’s Office – relevant for UK readers).
Hard Work Destroyed
In the worst cases, your website may be attacked to the point where it could be considered ‘destroyed’. In these situations, a backup would need to be restored. You do have backups for your website, right? I’m talking about backups that are separate from your hosting company – backups that you are taking and storing off-site. You should never ever rely on your hosting company to take backups for you. It’s not uncommon for backups to fail at hosting companies or, in the worst situations, for the hosting company to stop existing – particularly if they were at the lower end of the cost spectrum.
Do any of these options seem like an acceptable risk to take with your business website? Please do let me know if you genuinely answer yes to this question in the comments as I’d love to discuss that with you.
How does it go wrong?
You may be surprised to learn that most of the issues that affect vulnerable WordPress websites arise from an error of judgement by the website owner or a member of their team. That seems harsh and to some extent it is – however, as the custodian of your company’s website, the buck really does stop with you.
Typical issues caused by the website owner or team member include:
- Not running updates regularly (core updates, plugin updates, theme updates)
- No backup plan or solution in place
- No security implementation on the website (firewall, security plugin, etc)
- Insecure password strategy
- Storing passwords in browser
- Poor choice of hosting company
- Giving freelancers they work with the ‘keys to the kingdom’
I want to touch on that last one for a moment. Many of you as website owners will work with freelance designers, developers, marketers etc. When they need access to your website in order to perform tasks related to the work that you’ve contracted with them, don’t give them the keys to your kingdom. What I mean by this is that it’s alarming how many business owners will not create a temporary login (username / password) for the contracted worker to use for the duration of the work agreed. Instead, they give them the main login to the website or the main login to the hosting company. What you’ve just done here is created an unnecessary point of failure.
Now, before we get any further into this, I do want to say that freelance workers are not bad people at all. What I am saying, is that by giving someone your main login details you are not protecting your business. Business owners have come to me on far too many occasions over the last decade or more, telling me that they’ve fallen out with the person they were working with and can no longer access their website – or worse, their website has been deleted / broken deliberately. I’ve also seen occasions where the login details have been improperly stored by the freelance worker, whose machine was compromised. This then led to a further attack on the business owner’s website, which was easy to execute as working login data was available.
Preserve the security of your business by always creating secondary logins for people that work with you. These are used by those workers and when they’ve finished working with you, these logins can be deleted. See how there’s no unnecessary point of failure now?
How do I protect my WordPress website?
Now we come onto the actionable content. These are steps that you can action in your business today and keep your valuable business investment safe. I’ve broken these up into 7 key steps, with details for how to manage each in turn:
WordPress Updates (Core Updates, Plugin Updates and Theme Updates)
The WordPress core files are updated periodically to introduce new features, fix bugs and to patch potential security vulnerabilities. The same occurs with plugins that you use on your website and the theme that you are using to display your content to the world. It’s important that you perform these updates in the back-end of your website on an on-going basis.
Some people might tell you to carry out updates every day, but that’s not necessary. A good rule of thumb would be to carry out the updates once per week. This allows you to get all of the updates performed at once and also to avoid any potential issues that could’ve arisen from a bad update being released, which can sometimes happen. A good example of this would be an issue with the Yoast SEO plugin, where an option was accidentally set to “No” for re-directing image attachment URLs to the attachments themselves. This caused some users of the plugin to receive significant drops in their SEO rankings. So, it pays to be smarter with your update schedule and run through things once a week.
It’s also important to note that before you perform ANY update on your website, you should confirm that you have a backup schedule in place and a recent backup has been taken of your website.
Backup – Have a plan!
As mentioned earlier in this post, it’s critically important for you to have a backup plan in place for your website. If you take nothing else away from this post, just remember that an effective backup plan will save your website and be worth its weight in gold to you (or printer ink – as that’s pretty much liquid gold too).
To give you a recent example, we work with a number of other agencies and provide WordPress support for their clients. One of the agencies had a client whose website went down, unfortunately due to actions the client had taken on the website. We were able to restore the backup and have the client live again, before the client was even off the phone with the agency. Around 15 minutes in total. That’s the power of backups ladies and gentlemen. The situation for this agency was resolved in a matter of minutes, and they were left looking like heroes to their client.
For backups there are various plugins and options available. We highly recommend UpdraftPlus. There is a paid version of this plugin available for £45 (ex VAT), which provides a 2 website license. You can also use their free version on your website, used by over 1,000,000 WordPress website owners – which we’d recommend starting with, as there’s no cost for you to consider.
Setting up the plugin is easy, and there’s information on the UpdraftPlus website as well as walkthroughs on YouTube. If you get stuck with this, please do feel free to let me know in the comments and I’d be happy to walk you through this.
The two most important settings to remember are that you want your backups to run automatically on a regular schedule and you want to store the backups off-site. UpdraftPlus will connect to Google Drive, Dropbox and Amazon’s S3 service. We use Amazon’s S3 storage here, but you can utilise a free Google Drive or Dropbox account for your backups too.
Once installed, run a test backup and verify in your external storage that you can see the backup in place.
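As an added check that is not from the post or from UpdraftPlus, the script below applies the rule from the update and backup sections (no update until a recent, complete off-site backup exists) to a constructed storage listing; it assumes the default UpdraftPlus file-naming pattern and a seven-day freshness limit, both of which you should confirm against your own Drive, Dropbox or S3 folder.

```python
"""Check an off-site backup listing before running WordPress updates.

Added example, not code from the post or from UpdraftPlus. Assumes the
default UpdraftPlus naming: backup_<date>-<time>_<site>_<nonce>-<part>.<ext>
"""
import re
from datetime import datetime, timedelta

# Every file from one backup run shares the same timestamp and nonce.
# Large parts may be split into -uploads.zip, -uploads2.zip, ... hence \d*.
NAME_RE = re.compile(
    r"^backup_(?P<stamp>\d{4}-\d{2}-\d{2}-\d{4})_(?P<site>.+?)_"
    r"(?P<nonce>[0-9a-f]{12})-(?P<part>db|plugins|themes|uploads|others)\d*\.(gz|zip)$"
)
REQUIRED_PARTS = {"db", "plugins", "themes", "uploads", "others"}

def parse_backup_name(name):
    """Return (stamp, nonce, part) for a recognised backup file, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return (datetime.strptime(m["stamp"], "%Y-%m-%d-%H%M"), m["nonce"], m["part"])

def complete_sets(names):
    """Group files by backup run; return the timestamps of runs with every part."""
    runs = {}
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is None:
            continue  # unrelated file in the folder; ignore it
        stamp, nonce, part = parsed
        runs.setdefault((stamp, nonce), set()).add(part)
    return sorted(stamp for (stamp, _), parts in runs.items() if REQUIRED_PARTS <= parts)

def safe_to_update(names, now, max_age_days=7):
    """Return (ok, reason): ok only if a complete set exists and is recent enough."""
    sets = complete_sets(names)
    if not sets:
        return False, "no complete backup set found in off-site storage"
    newest = sets[-1]
    age = now - newest
    if age > timedelta(days=max_age_days):
        return False, f"newest complete backup is {age.days} days old (limit {max_age_days})"
    return True, f"complete backup from {newest:%Y-%m-%d %H:%M} is {age.days} days old"

# Constructed listing of an off-site folder: one complete run 10 days old,
# one newer run that is missing its uploads archive, and an unrelated file.
SAMPLE_LISTING = [
    "backup_2018-10-01-0200_Example_Site_1a2b3c4d5e6f-db.gz",
    "backup_2018-10-01-0200_Example_Site_1a2b3c4d5e6f-plugins.zip",
    "backup_2018-10-01-0200_Example_Site_1a2b3c4d5e6f-themes.zip",
    "backup_2018-10-01-0200_Example_Site_1a2b3c4d5e6f-uploads.zip",
    "backup_2018-10-01-0200_Example_Site_1a2b3c4d5e6f-uploads2.zip",
    "backup_2018-10-01-0200_Example_Site_1a2b3c4d5e6f-others.zip",
    "backup_2018-10-08-0200_Example_Site_9f8e7d6c5b4a-db.gz",
    "backup_2018-10-08-0200_Example_Site_9f8e7d6c5b4a-plugins.zip",
    "backup_2018-10-08-0200_Example_Site_9f8e7d6c5b4a-themes.zip",
    "backup_2018-10-08-0200_Example_Site_9f8e7d6c5b4a-others.zip",
    "README.txt",
]
NOW = datetime(2018, 10, 11, 9, 0)  # constructed "today" for the check

if __name__ == "__main__":
    ok, reason = safe_to_update(SAMPLE_LISTING, NOW)
    print("safe to update" if ok else "STOP - take a backup first", "-", reason)
```

The newer run in the sample is incomplete, so the check correctly refuses to rely on it and falls back to the older complete set, which is past the limit.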
Firewall / Security
Your next step is to ensure that you have an appropriate WordPress firewall / security strategy in place. Your hosting company will have security at their end that will protect you from a lot of malicious actions on a daily basis, but you still need to add some additional security to your website.
What we’re looking to do here is to make your website 99.9% more secure than the next website that someone may maliciously target. We can never be 100% secure with websites due to 0-day exploits (brand new attack strategies that aren’t yet patched), but from the point of view of a malicious attacker – if we can make our website 99.9% more secure than the next – we can quickly frustrate them and they’ll move on to someone who is happy to leave their website vulnerable.
There are a number of plugin options here, so please find a link below to each:
- Wordfence – One of the most popular security plugins and one that we use for many of our clients.
- iThemes Security – Again, a very popular security plugin. This was formerly known as Better WP Security and has many great options for business owners.
- Sucuri Security – Sucuri are a powerhouse in the world of website security, so much so that they were acquired by GoDaddy in 2017.
- Malcare – Malcare are a newer player on the scene and their free version is quite lightweight, which can help users on slow servers.
- All in One WP Security & Firewall – A long time in the market and a very capable plugin, however it has been overtaken in popularity by some of the other plugins.
I would recommend using Wordfence or iThemes Security to get started here. Most of the options above will have an additional premium version which will give access to further functionality and features. From the perspective of this blog post, I won’t go into the value that each offers – the most important thing for you to know right now, is that you should get something in place on your website.
Another item for you to consider would be to implement Cloudflare on your website. Their free plan allows you to filter all website traffic through their systems before it comes to your website. This will help protect your website against what is known as a DDoS (Distributed Denial of Service) attack, which is where your website is flooded with traffic, which will slow it down and eventually take it offline. Another benefit here is that using Cloudflare can boost performance, particularly if you have visitors to your website from around the world.
Hosting – Good hosting is important
The majority of business owners that I speak to on a day-to-day basis started hosting their website with a fairly average provider. Not to disparage or bad-mouth any of these companies, as I believe they offer an important service in helping people to get online – however, if you want good security and performance for your website, the low-cost providers that you see advertising on TV or in magazines are typically not where you want to aim.
Your hosting provider should have a proven track record when it comes to website security. You’ll want to be able to access support for any questions or queries that you have and to be able to receive a response at a reasonable time. Most importantly, the hardware and software architecture that they use on their hosting platform should be up-to-date and well put together.
We use hosting companies for our clients that provide fast, reliable hosting, with great support and performance. I would happily recommend the following managed WordPress hosting companies to you:
- Kinsta – One of the best managed WordPress hosting companies around. They host websites exclusively on Google’s Cloud platform, which is extremely fast. They have an excellent support team and are highly recommended. Hosting starts from $30/month.
- Flywheel – Another great managed WordPress host who are currently in the process of moving clients over to Google’s Cloud platform. They offer a great platform and have good support options. Starts from $15/month.
- WPEngine – A major player in the managed WordPress world who have recently updated their services and are targeting slightly larger clients. As such their prices start at $35/month.
As managed WordPress providers, these three companies are some of the best places to host your WordPress website. Their platforms include many great features, but one that I’d like to pick out for you that is particularly relevant to this post is the ability to create a Staging version of your website. This is basically a clone of your website where you can test updates / new features etc, before implementing them directly onto the live website.
These platforms might seem a little more expensive than the usual host that you are likely to use right now – typically the price of a coffee or two per month, but you do get what you pay for. In my professional opinion, hosting is not something that you want to scrimp and save on.
It would be remiss of me not to recommend an alternative for those who do not want to spend a little extra on hosting, so for the UK and European readers, I can also highly recommend Krystal. They’re a UK-based company, provide excellent hosting services and they have a great support team. If you can’t afford to consider a managed WordPress hosting provider, Krystal would be a great option to look at – starting from as little as £3.99 per month.
It’s important to monitor if your website is online or not on a regular basis. Thankfully this task doesn’t mean constantly refreshing the homepage of your website repeatedly throughout the day. Not only would this be a massive waste of time, but you’re also going to wear out the F5 key on your keyboard.
I recommend that you sign up with a service such as Uptime Robot. It’s free to create an account, and your free account is actually pretty powerful. It will allow you to create up to 50 monitors that will check your website at 5-minute intervals. If your website is ever offline, you can set the system to send you an email immediately. This allows you to act on the email straight away and to speak with your web developer or hosting company to verify whether there is an issue with the website. You’ll receive a second email when the website is back online again.
It’s worth noting that with the cheaper hosting companies, you can expect some downtime on your website from time-to-time. Usually this will be because the load on the server is too great, another user has taken an action on the server that has caused a service to need to be re-started or a number of other reasons. Utilising a tool like Uptime Robot will allow you to monitor the uptime of your website and if you find that you’re having continued issues with your website being offline, you can use this data to rethink your hosting strategy and decide if the current provider that you’re using really is the best fit for your business.
In today’s modern world, strong passwords are absolutely critical for business. A strong password consists of letters (uppercase and lowercase), numbers and special characters. These can be created very easily using a website such as Strong Password Generator. It’s as simple as pressing the “Generate” button and you’re all set. If you’re like me and you want to have a system, you’ll click the button a bunch of times – because you feel it’s more random. It’s not – but we feel better about it, right?
How do you currently manage your passwords? If you write them down, it’s time to stop.
It’s important to securely manage your passwords and to have unique passwords for every single login that you use on a day-to-day basis. Unless you have an eidetic (photographic) memory, you’re going to struggle a little with remembering all of these passwords. Thankfully there are some great applications that can help you manage your passwords. Here are a couple of recommendations:
These password management tools will store your passwords securely, requiring you to use your master password to access them. So, the only password that you need to remember is that master password. Much easier huh?
We find that one of the best benefits with these tools is that we can share passwords between users. As a design and marketing agency, we share passwords between team members using password management tools. This is a secure process and no password is ever used or sent in plain text.
But, I don’t have time for this!
I get it, I really do. You are a busy professional, working hard to grow your business and to service your customers. It’s hard for you to find extra time in your schedule to carry out this extra work and you’re left wondering if it’s really worth it. I understand any scepticism you might have – here’s a “website guy” telling you how important that it is you look after your website. Honestly though, you’ll only be able to answer the “is it worth my time, effort and money” question when your website has been attacked and you’re left picking up the pieces.
It’s easy for us as business owners to take our eyes off of the ball when we’re busy. We’re out meeting clients, delivering work, creating items, dealing with suppliers – you name it, it’s a task that we’re doing and something that takes up time. And that’s the funny thing with time – it’s something so precious, we can never have enough of it, nor can we bring it back when it has gone.
The good news for you as a business owner, is that there are companies that can help you with looking after your WordPress website, by offering WordPress Care Plans or WordPress Maintenance Services. In fact, we offer these ourselves and you can view our WordPress Care Plans here. They start at £49/month and include all of the items that we’ve discussed in this post, including high-performance hosting.
So, you have the opportunity to decide if the additional time and effort on your part is worth more or less than having a team of WordPress experts working with you on a proactive basis. For some of you, you’ll be able to easily handle this extra time – it’s what you live and breathe for. Other business owners – well, you’ll value your free time spent with your family, loved ones, dog or even your pet spider “Leggy” (you know who you are).
As one of the most critical foundations of your business, your website is a prized possession. You need to look after and protect your website, just like you would maintain and protect your house or car.
Having a clear backup, maintenance and security plan in place will help you to keep your website secure and online. Should the worst ever happen and your website go offline, for any reason, you can utilise your plan to quickly get the website back up and running – minimising any financial or credibility loss to your business.
If you don’t have time to manage your business website, you do not want to leave it to chance. You should make sure that you have someone that you trust who can carry out regular updates, maintenance and security tasks on your website as you move forwards.
Don’t be the business owner who is able to answer the “is it worth it?” question, whilst surrounded by the pieces of your website and panicking about the cost and time that it’s going to take to get everything fixed and back online.