How to keep your website safe from hackers & bots.
The way I see it, there's no point in buying a brand new, flashy car if you don't lock it at night. Equally, why pay for a beautiful, modern website design if you don't take the proper steps to keep it secure?
When I hand over a website to my clients, I always provide them with a maintenance and security guide and a tutorial video or two on how to keep their site safe and up to date. I've written about some of the things I usually include in that guide below...
1) Avoid an 'admin' user login
When you install WordPress with your hosting provider, it will ask you to create a user and password so that you're able to log in to your new website from the word go, and the install will usually automatically generate a user called 'admin'.
It's very common that people will leave it as 'admin' and create their own password, but think about it - you've just made it one step easier for a hacker or bot to guess your entire login credentials. Try a username that will be hard to guess (i.e. not the website name, and not your first name only).
If you've already created an admin username, don't panic! There's a fairly simple fix.
2) Keep your Passwords Unpredictable
I probably don't need to tell you this, but really try to make your password as random and unpredictable as possible. If you're adding numbers, don't just use '123'; think of something obscure. Adding the occasional exclamation mark or @ sign can be good too!
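To show what "random and unpredictable" means in practice, here is an added example (not code from the original post) that generates a password from a cryptographically secure random source and flags the predictable patterns the post warns about, such as '123'. The character classes, the minimum length and the short list of common words are assumptions chosen for the illustration.

```python
import secrets
import string

# Constructed list of obviously guessable fragments; a real checker would use
# a much larger breached-password list.
COMMON_FRAGMENTS = ("password", "qwerty", "letmein", "admin", "welcome")
SYMBOLS = "!@#$%^&*?"


def generate_password(length: int = 16) -> str:
    """Build a password from a CSPRNG, guaranteeing at least one lower-case
    letter, one upper-case letter, one digit and one symbol."""
    if length < 8:
        raise ValueError("use at least 8 characters")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


def is_predictable(password: str) -> bool:
    """Return True if the password contains a pattern a guessing tool would
    try early: a common word, a run of 3+ sequential characters (123, abc,
    cba) or a character repeated 3+ times in a row."""
    lowered = password.lower()
    if any(fragment in lowered for fragment in COMMON_FRAGMENTS):
        return True
    for i in range(len(password) - 2):
        a, b, c = (ord(ch) for ch in password[i:i + 3])
        if b - a == c - b and abs(b - a) in (0, 1):   # 0 = repeat, 1 = sequence
            return True
    return False


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "predictable:", is_predictable(pw))
```

The `is_predictable` check is deliberately simple; its point is that a human-chosen "random" number like 123 is the first thing a guessing tool tries, whereas `secrets.choice` draws every character independently from the operating system's random source.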
3) Never write your password Down
Don't write down your full password anywhere, online or on paper. If you're like me and have loads of different passwords and places to log in, I suggest keeping a password tracker app like '1Password', but again, don't write down the full password; write a password hint or clue to help you remember instead!
4) Update your Plugins & Themes
Updating your plugins, themes, and WordPress itself is probably more important than you think. Without going into too much detail, out-of-date plugins can actually be a way into your website for hackers and bots, so regularly checking your WordPress back-end and performing updates is a MUST! I personally log into my websites once a week to perform updates.
5) Regularly Backup Your Website
I install the UpdraftPlus Backups plugin on all my own and my clients' websites. It's simple and quick to set up and provides a good range of backup storage options in the free version too! I have mine set up to download backups to my Dropbox, and I usually perform these (manually with the free version) a couple of times per month.
If you're posting content regularly, like I do on my blogs, then more than once per month is recommended, but if your website is updated less frequently then once per month should be fine.
Just so you are aware, there are two main types of backup: content backups and database backups. You can actually perform content backups (backups of your blog posts, page content and media) just by going to Tools > Export. But for more thorough backups of your entire site database and files I recommend a plugin like UpdraftPlus.
6) Install a good Security Plugin
There are plenty of security plugins available, free and paid. My personal favourite is the free Wordfence plugin. Here's what this plugin can do for your website:
- Show you live traffic so you can see hacking attempts in front of your eyes
- Block dodgy IP addresses that are linked to hackers & bots
- Audit how effective your passwords are
- Send you alerts when your website is under attack
- Scan your website for vulnerabilities
Wordfence can also improve the performance of your website with caching. I've written a post full of tips on how to improve the speed & performance of your site.
7) Limit any Login attempts
This is a must-have feature on your website! There is a plugin called Limit Login Attempts that will do this, or Wordfence (mentioned above) has the ability to do this in its options.
Basically it's a good idea to make sure that anyone (or any bot!) trying to log in to your WordPress back-end is shut out after a couple of attempts. Obviously this relies on you remembering your password so you can get in, but you can set it to unlock after a set period of time (from 5 minutes to 24 hours). Any type of lockout is usually enough to dissuade attackers anyway.
BONUS: Enable Two-step verification
Two-step verification means that to log in to your website, you not only need to have the correct username and password, you also need to be in possession of a set phone number that will be sent a verification code for you to type in before you can access the site.
You may have already seen this feature on sites like Google and Facebook, and it's actually a very good idea to set this up! It adds an extra, fairly bulletproof layer of security! There are a few plugins that can set this up for you.
* The tips above are mostly for WordPress websites. If your website is on Squarespace, you can still follow tips 2, 3 and 5 rigorously!