A hacked website can be devastating for a company, no matter its size. In fact, 58% of malware attacks are directed at small businesses! And the last thing you need as a busy entrepreneur is to worry about losing customer trust, search engine rankings, or website files.
While WordPress is inherently very secure, there are several ways a site can be hacked, including theme and plugin vulnerabilities and outdated server software. Most hacks are implemented by automated bots that scour the web looking for vulnerable sites without considering business size or popularity. So don’t think that you’re immune to a hack — a bot can attack any website at any time.
In this post, you’ll learn the website security essentials that every site owner should have and find out if you need to implement any advanced measures to protect your site in 2020.
Start with the basics
If you’re a Jetpack user, then you already have access to a variety of security features. Make sure you take care of the following before considering a security upgrade:
Choose strong passwords and usernames
The easier your password is to guess, the easier it is for hackers to get in. Here are a few components of a strong password:
- Contains at least ten characters.
- Uses both uppercase and lowercase letters.
- Includes symbols — like asterisks and parentheses — and numbers.
- Doesn’t use common words like “password.”
- Isn’t tied to known information about you, like your last name or date of birth.
Avoid common usernames like “Admin,” “Administrator,” or your business name. Instead, choose something meaningful to you but not obvious to a stranger.
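The rules above turned into a check you can run on a candidate password and username before creating an account. This is an added example, not code from the original post or from Jetpack; the word lists and the `personal_info` argument are constructed placeholders.

```python
import re

# Words that should never appear in a password (constructed sample list; extend it).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin"}
# Usernames that bots try first (constructed sample list; extend it).
COMMON_USERNAMES = {"admin", "administrator", "root", "user", "test"}


def password_problems(password, personal_info=()):
    """Return the rules from the post that the password violates.

    personal_info holds strings a stranger could learn about you (last name,
    birth year, ...). An empty list means the password passes every check.
    """
    problems = []
    if len(password) < 10:
        problems.append("fewer than ten characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both uppercase and lowercase letters")
    if not re.search(r"\d", password):
        problems.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a symbol")
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    for fact in personal_info:
        if fact and fact.lower() in lowered:
            problems.append(f"contains personal information '{fact}'")
    return problems


def username_problems(username, business_name=""):
    """Flag well-known default usernames and names derived from the business."""
    lowered = username.lower().replace(" ", "")
    problems = []
    if lowered in COMMON_USERNAMES:
        problems.append("well-known default username")
    if business_name and business_name.lower().replace(" ", "") in lowered:
        problems.append("derived from the business name")
    return problems
```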
Prevent brute force attacks
Creating strong passwords can be difficult, which is why brute force protection is so important. Brute force attacks occur when a hacker or bot tries to guess the correct username/password combination for your site’s admin dashboard. They often use automated software that speeds up the process tremendously — some can guess thousands of passwords a second!
Jetpack blocks these login attempts, and protection begins automatically when you connect Jetpack to WordPress.com. Navigate to the Jetpack dashboard to ensure Protect is turned on and see the number of blocked attacks.
Keep plugins up to date
There are huge benefits to using an open source platform like WordPress, but there are also some security risks. The source code of every plugin is publicly available, so attackers can study it for vulnerabilities. In fact, plugin vulnerabilities are responsible for 55.9% of known entry points for hackers.
Typically, developers find vulnerabilities quickly and fix them in a plugin update. Installing those updates as soon as possible protects your website and often gives you valuable improvements and new features as well.
If keeping all your plugins up to date seems too time-consuming, try Jetpack’s auto-update feature: choose to turn auto-updates on per-plugin or manually bulk-update all your plugins at once.
Add an SSL certificate
An SSL certificate (Secure Sockets Layer certificate; the protocol in use today is its successor, TLS) lets your site serve pages over HTTPS, an encrypted connection between your server and your visitors’ browsers. It encrypts any data exchanged with your site in transit — like addresses, emails, phone numbers, and credit card information — so that it cannot be read or altered by anyone eavesdropping on the connection.
If you don’t have an SSL certificate, your site will show a “not secure” warning on users’ browsers, which can reduce your legitimacy in their eyes. SSL certificates also have a positive impact on search engine rankings.
The process of setting up an SSL certificate will depend on your hosting provider. Some hosts include free certificates, while others charge annually.
Set up proper user roles
User roles define the capabilities and permissions of people who have access to your WordPress site. The “Administrator” role has the most permissions — administrators can perform absolutely any action on your site.
Carefully consider each of your users’ job functions and only provide them with the level of access they absolutely need. If you’ve hired an intern to write content on your blog, assign them the role of author or editor; they don’t need full admin access. Learn more about user roles and security.
Monitor your site for downtime
If your site is hacked and goes down, it’s important to know as soon as possible. Jetpack’s downtime monitoring feature checks your website every five minutes from locations around the world and sends you an email if your site is down. You’ll also receive a notification when it’s back up.
To enable Downtime Monitoring:
- Go to Jetpack → Settings in your WordPress dashboard.
- Toggle the button next to the text, “Get alerts if your site goes offline.” It will turn blue when enabled.
Does your site need more advanced security features?
Security is critical for any website and we always recommend the most advanced level of protection possible. We harden security measures in our homes when we feel vulnerable or think we’re likely to sustain a break-in. The same is true for websites. Here are a few reasons you might want to increase protection for your site:
- Your site is growing quickly and your visitor numbers or sales have increased.
- You handle important or valuable information, including personal data and credit card numbers.
- You’ve recently seen an increase in attempted malicious attacks.
If any of these describe your situation or if you simply want to be as secure as possible, consider adding these more advanced features:
Implement malware scanning
If your site is attacked, it’s important that you’re notified right away. The sooner you remove any malware and restore your site, the less damage is caused. After all, the longer your site contains malware, the more likely it is that Google will blacklist it, which can lead to a 95% loss of website traffic.
Jetpack Scan performs automatic, daily scans of your website, looking for malicious code and activity. You can also choose to manually run a scan at any time. If anything is found, you’ll receive an email with details about the threat and affected files.
To activate Security Scanning, install Jetpack and choose a plan that includes Jetpack Scan — the necessary settings will be automatically configured for your website.
Filter spam comments
If you have comments enabled on your posts, pages, or products, then spam is inevitable. Too many spam comments negatively affect your user experience, search engine rankings, and security. They’re also a way for hackers to add malicious links, which steal your users’ personal information or inject malware on their computers. This, of course, can damage your hard-earned reputation.
Jetpack Anti-spam automatically filters comments, pingbacks, and contact form submissions for known spam, which saves you tons of time each week. You can choose to automatically delete the worst spam comments or review each one first. Plus, it’s powered by Akismet, an industry-leading solution that prevents an average of 7.5 million spam comments per hour.
To turn on Jetpack Anti-spam, install Jetpack, select a plan that includes the Anti-spam feature, and watch as it begins automatically protecting your site.
Use the latest version of PHP
PHP is the programming language that WordPress is built on. Just as plugins are updated for security and functionality, there are PHP updates for the same reasons. The latest version of PHP makes your website run faster, which provides a better user experience, and WordPress requires a minimum version to work successfully. But 38.7% of WordPress sites are still running on old, unsupported PHP!
The version of PHP used by your site is determined by your hosting provider, so you’ll either need to find instructions for changing the PHP version yourself (usually in your hosting control panel) or ask your provider to update it for you. Here’s a comprehensive list of providers with instructions for updating your PHP version.
We recommend that you perform a complete backup of your site and update all themes and plugins before updating PHP, to prevent any code conflicts and issues. You can also use the PHP Compatibility Checker plugin to make sure everything’s compatible on your site.
Perform regular backups
Backups are like safety nets for your site. If something goes wrong — deleted files, code errors, or injected malware — backups allow you to restore your website to a successful, fully-functioning version.
Jetpack Backup automatically creates daily or real-time backups of your full site (depending on your plan) that can be restored in a few simple steps. While daily backups are a must, real-time backups make a copy of your site every time a specific action happens: published, edited, and deleted pages and posts; installed, activated, or deactivated plugins and themes; user logins; spam comments; and more. You can pair Jetpack Backup with Jetpack Activity, which provides a log of every action taken on your site. With both in place, if you know that a hacker accessed your site with a specific user account, you can restore your site to a point before they caused any damage.
Backups are critical for any security plan and it’s important that you store them in multiple locations, separately from your server. After all, if your server is hacked, your backup files could be too! Jetpack stores your backups offsite, so you can restore a clean version of your website even if you can’t log into your dashboard.
Set up two-step authentication
Two-step authentication adds an extra layer of security to your WordPress login. After you enter your website username and password, it sends a code to your phone, and you’ll have to input that code in order to access the dashboard.
Instead of just requiring you to know the password, it requires you to have a phone in your possession. Even if a hacker or bot is able to identify your username and password, they won’t be able to access your website without also having your phone.
This is incredibly effective: Google found that sending a code to a phone number blocks 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.
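The server side of the “code sent to your phone” step described above, as an added example that is not part of the original post or of Jetpack’s implementation: the code comes from a CSPRNG, only a keyed hash of it is stored, it expires, it is single-use, and guesses are capped so the second factor cannot itself be brute forced. The five-minute lifetime and three-attempt cap are assumed policy values.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # code expires five minutes after it is issued (assumed policy)
MAX_ATTEMPTS = 3         # lock the challenge after three wrong guesses (assumed policy)
_SERVER_KEY = secrets.token_bytes(32)   # server-side key for hashing stored codes (constructed)


class SecondFactorChallenge:
    """One 'enter the code we sent to your phone' challenge, created after a correct password."""

    def __init__(self, username, now=None):
        self.username = username
        self.created = now if now is not None else time.time()
        self.attempts = 0
        self.used = False
        # Six-digit code from a CSPRNG. It is kept on the object only so the
        # delivery step (SMS, app) can read it; verification uses the hash.
        self.code = f"{secrets.randbelow(1_000_000):06d}"
        self.code_hash = self._hash(self.code)

    def _hash(self, code):
        # Bind the hash to the username so a code cannot be replayed across accounts.
        return hmac.new(_SERVER_KEY, f"{self.username}:{code}".encode(), hashlib.sha256).digest()

    def verify(self, submitted, now=None):
        """Return True only for the correct, unexpired, unused code within the attempt cap."""
        now = now if now is not None else time.time()
        if self.used or self.attempts >= MAX_ATTEMPTS:
            return False
        if now - self.created > CODE_TTL_SECONDS:
            return False
        self.attempts += 1
        # compare_digest avoids leaking the code through timing differences.
        if hmac.compare_digest(self.code_hash, self._hash(str(submitted).strip())):
            self.used = True
            return True
        return False
```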
Be proactive about website security
The time to protect your WordPress site, one of your most valuable assets, is now, before something goes wrong. You’ll have peace of mind knowing that your site is protected so you can focus on running your blog or business.
Explore the benefits of Jetpack
Learn how Jetpack can help you protect, speed up, and grow your WordPress site.