Let me guess. You’re one of the many website owners who hasn’t bothered to put any security measures on your website. And you hope you’ll be safe from hackers just by luck.
You know it’s a good idea. You know you really SHOULD at least have backups. But who has the time?
So how about I paint a picture for you. It’s some morning in the future – it could be in a year, three months from now, or even tomorrow morning…
You wake up to an email from a grumpy customer saying that your website looks funny, and why isn’t the shopping cart working? So you go look at your website yourself, and what you see horrifies you.
Words like Viagra and Cialis are everywhere. Your stomach turns as you realise the disastrous truth: your website has been hacked.
You start by logging into your website and quickly realise that you have no idea what you’re doing.
So you hop on Facebook to ask your biz buddies if they know anyone who can fix a hacked website.
Good news: you get a few recommendations. Bad news: it’s going to cost you hundreds of dollars, no matter who you get to help you. Hundreds of dollars that you don’t have, because sales aren’t coming in, because your website isn’t working.
You beat your forehead against your desk repeatedly, asking yourself ‘why didn’t I bother to protect my website before this happened?’
Three security features every website needs to be safe from hackers
I’ve had to repair hacked websites before. It’s not fun, I can assure you of that. And I’d hate for you to have to go through that kind of ordeal.
So that’s why this post exists: to show you that you too can keep your WordPress website safe from hackers – in under an hour, and without having to give up your coolness.
Seriously, this is so quick and easy, even my 6 year old can do it.
Step 1: Back up your website
If you don’t do anything else from this post, start doing regular backups of your website. What this means is that when (not if!) your website gets hacked, you’ll be able to restore it to what it was before the attack, and pick up where you left off.
After lots of trial and error (and tearing my hair out using overcomplicated systems), I found the best and easiest backup plugin for WordPress – UpdraftPlus.
UpdraftPlus will seriously get your site backed up with only a few mouse clicks. There’s hardly any setup required, unless you want to store your backups somewhere other than your web hosting account (which I strongly suggest you do). But even that comes with easy-to-follow instructions (I mean, how much simpler can you get than ‘click here’ and it just works?).
Even better – there’s a free version, and it works just fine.
You’ll want to log in to your WordPress dashboard and navigate to the Plugins → Add New item on the menu.
Type in ‘Updraft Plus’ and wait for it to come up with results. When you see it come up, click on Install Now and then Activate.
When it’s finished, go over to Settings → UpdraftPlus Backups, and click on it. You can add external storage (such as Google Drive, Dropbox, Amazon S3, etc.) from the Settings tab (again, very good idea to store the backups elsewhere). When you’re ready, click on the big blue Backup Now button.
You’ll get a pop-up menu with a few tick boxes. Leave them how they are, unless you know what you’re doing.
Then click on ‘Backup Now’ and go grab yourself a cuppa. This is gonna take a while.
This is the most time-consuming part of the process – waiting for the backup to happen. Don’t move on to step 2 until the backup finishes.
Step 2: Run your updates
WordPress and its themes and plugins need updating regularly to fix bugs and add new features. If you skip doing updates, you’ll miss out on the latest and greatest features.
Not only that, but hackers like to target outdated software. You’ll be leaving yourself wide open to attacks. You don’t want that.
So about once a week – or whenever you’re in your WordPress dashboard – take a few minutes to check what updates are available.
The easiest place to see all your updates is on the Updates screen. To get there, you can click the two arrows in a circle in the top bar (it’ll have a number next to it telling you how many updates are available), or hover over Dashboard and click on Updates.
Before you update anything, always run a full backup! It’s not uncommon to have one of the updates break your site. If that happens, you’ll want to go back to the previous version, and the easiest way to do that is with a recent backup.
The top section is for your base WordPress version. This usually updates itself, but occasionally (as happened with version 4.9.3) the automatic update mechanism breaks and WordPress has to be updated manually. If this is the case for you, click on the button to update it and wait.
Then, go back to the updates screen and update your plugins and themes. You can do each one on its own, or tick all the boxes at once and let it go.
The benefit of doing them all at once is that it’s quicker. The one big drawback, however, is that if something breaks the site, you’ll have to go through a lot of trial and error to find out which plugin or theme is the problem. It’s up to you which approach you take.
Step 3: Monitor for potential attacks
So you’ve got backups going. All your website software is up to date. You’re doing GREAT!
Now, how do we keep your site safe from hackers?
You’ll want to install a security plugin that monitors your site for hacking attempts, such as brute force attacks. A brute force attack is where the hacker keeps guessing at something like a PIN or a password until they get the right one.
A good security plugin will let you limit how many login attempts a user gets before being locked out of their account. It’ll also email you when that happens, with all the information about who was trying to log in and from where. If enough of these attacks come from the same place, that IP address can get blacklisted. (Don’t worry – if someone legit can’t remember their password and gets locked out, you can always override any blacklisting.)
The two best security plugins I’ve found are Sucuri (the most popular WordPress security plugin) and Wordfence (which has built-in tutorials). I use both of these on different sites.
Both run daily security scans and email you the results. They’ll also lock out users who have attempted too many logins. And, both have free versions!
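To make the lockout rule concrete, here is an added Python example (not code from this post, UpdraftPlus, Sucuri or Wordfence) that applies the same idea to a few constructed failed-login log lines: lock an IP address after five failures within ten minutes, keep the who-and-where details the alert email would contain, and honour a manual override list for a legit user who just forgot their password. The log format, the threshold and the time window are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: time, username, source IP, result).
# 203.0.113.5 hammers the admin account; 198.51.100.7 is a real user who
# mistypes once and then gets in.
SAMPLE_LOG = """\
2024-05-01T09:00:01 admin 203.0.113.5 FAIL
2024-05-01T09:00:03 admin 203.0.113.5 FAIL
2024-05-01T09:00:04 admin 203.0.113.5 FAIL
2024-05-01T09:00:06 admin 203.0.113.5 FAIL
2024-05-01T09:00:07 admin 203.0.113.5 FAIL
2024-05-01T09:05:00 jane 198.51.100.7 FAIL
2024-05-01T09:05:30 jane 198.51.100.7 OK
"""

MAX_ATTEMPTS = 5               # assumed policy: failures allowed before lockout
WINDOW = timedelta(minutes=10)  # assumed policy: failures must fall inside this window


def parse_line(line):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def evaluate_log(text, max_attempts=MAX_ATTEMPTS, window=WINDOW, override=()):
    """Return (locked, alerts): locked maps IP -> details for the alert email,
    alerts is the list of human-readable messages that would be sent."""
    failures = defaultdict(deque)  # per-IP timestamps of recent failures
    locked, alerts = {}, []
    for line in text.splitlines():
        ts, user, ip, result = parse_line(line)
        if ip in override:        # admin has cleared this address: never lock it
            continue
        if result == "OK":        # a successful login resets the counter
            failures[ip].clear()
            continue
        recent = failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= max_attempts and ip not in locked:
            locked[ip] = {"user": user, "locked_at": ts, "attempts": len(recent)}
            alerts.append(f"lockout: {user} from {ip} after {len(recent)} "
                          f"failed logins within {window}")
    return locked, alerts


if __name__ == "__main__":
    for message in evaluate_log(SAMPLE_LOG)[1]:
        print(message)
```

Running it locks only 203.0.113.5 and produces one alert; passing `override={"203.0.113.5"}` is the manual unblock the post mentions.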
Go back to the Add Plugin menu and type either Sucuri or Wordfence into the search box. Install, then activate, and go through the settings for whichever one you’ve chosen.
Your plugin will want to do an initial scan, which will take some time. Go pick up the kids or get yourself a latte or something. 🙂
When you get back and see the results of the scan, you’ll probably see a few suggestions of how to improve your website security (such as removing the ‘admin’ user or changing permissions on some folders). Some of these you’ll even be able to do from the dashboard.
That’s all it takes!
Want all this – and more – done for you? I’m opening the new WordPress Security Checkup in a few days. Pop your details in the form below to be the first to know when it’s ready!