Can My Website Get Hacked?

Wordpress is the most popular website development tools and it is because of this that it is often targeted by hackers.  Generally hackers get in through vulnerabilities in the Wordpress files, theme files and plugin files.

How do you minimize your chances of getting hacked?

There are a number of things you can … and should do to ensure your website stays safe.

1. Upgrade Wordpress, theme and plugins regularly

Wordpress releases new versions every few weeks, so it is a good idea to upgrade when the new releases come out.  For most of my clients we do the upgrades every 3 months or so.

Your theme should also be upgraded, not only to prevent you getting hacked, but to ensure your website continues to work correctly.  I strongly recommend that you (or your developer) build your website using a paid theme such as Enfold or Divi.  That way you can be sure the developers will continue to upgrade the files, whenever Wordpress releases a new version.

If you use a free theme, you may find it becomes outdated (and hence vulnerable) very quickly since the developers don’t get paid.

Upgrade all your plugins whenever they release a new version.

2. Delete any plugins and themes that you are not using

Deactivating your plugins is not enough – you should also delete them if you are not using them and the same goes for your theme.  You should only ever have the theme that you are using installed on your website.

Be aware that whenever you upgrade Wordpress, it often installs its default theme, so you may need to go and delete it.

3. Only download plugins from reputable websites

There are thousands of different plugins available for just about any task or function.  It is a good idea to only use plugins that are compatible with the most recent version of Wordpress and ones that also get upgraded regularly.

When you search for a plugin, Wordpress will provide a list of the most popular plugins.  If you click on “More Info”, you can find details such as:

• Version No
• Who the author is
• When it was last updated
• What version Wordpress it requires to function correction
• How many active installations there are (ie. how many people are using the plugin)
• Reviews

Other things many developers provide include

• Installation instructions
• Frequently asked questions
• Changelog
• Screenshots

Look for plugins that have:

• Thousands or millions active users
• Great reviews and five star rating
• Get upgraded regularly

4. Never ever use “admin” as your username

Ensure your username uses a combination of upper and lower case letters, numbers and special characters.  Never ever use “admin” as your username.

One of the things hackers often do is send automated bots that try many combinations of usernames and passwords and since “admin” is the default username, they only have to guess the password to get in.

5. Make passwords secure

Just as with usernames, ensure your passwords are secure:

• Use upper & lower case letters, numbers and special characters.
• Your password should be 16 characters or more
• Each account should have its own password – ie. you should not use the same password for your bank account, email account, website
• Do not use any personal information such as address, phone number or date of birth
• Password should not contain any consecutive letters or numbers

People often use common words so they can remember their passwords, but this is never a good idea as they can get easily hacked.

If you want to see how quickly a hacker can figure out your password, go to

https://www.security.org/how-secure-is-my-password/

Here are some examples of passwords and how long it would take someone to break them

123456 – instantly
Happy – 9 milliseconds
happy2021 – 42 minutes
Happy2021 – 3 days
australia – instantly
Australia – 19 hours

Remembering and storing password securely can be a challenge, especially if you are used to writing them down in a notebook or keeping them in a spreadsheet.  But luckily there is an easy solution – Password manager such as LastPass, Dashlane or 1Password.  Then all you have to do is remember one master password and the rest of your usernames and passwords are kept securely  in your admin area.

6. Set up additional users & give them minimal access

If you have other people managing your website, such as an assistant or search engine optimization company, make sure you give each their own username and password and the minimal access they require.  Do not give anyone full administrator access unless it’s absolutely essential.

There are several different roles you can assign to users

Subscriber

Subscribers can generally only read posts, however if you offer members only content, users can create profiles on your website and login to specific areas of your site.

Contributor

Contributors can add and edit their posts, but they cannot delete or publish posts.  They generally can’t add images or media files

Author

Authors can write, edit, publish and delete their own posts and also upload files, but they are not able to edit other users’ pages

Editor

Editors can edit, publish and delete posts and pages.  They can also manage links and comments

Administrator

Administrators have access to all parts of a website – they can publish and delete posts, upload images, videos and audio files, change themes and add plugins.  They can also manage users and delete a website.

7. Install security plugin & limit logins

Whilst it is a good idea to minimize the number of plugins that you install on your Wordpress website, a security plugin such as iTheme Security or Wordfrence Security is a must to protect your website from the bad guys.

Website security is a complex process and both these plugins allow you to easily secure your website, even with their free versions. However, you may wish to consider upgrading for more advanced features.

8. Back up your website regularly – every time you do changes

Having a back up is like having an insurance policy for your website.  Webhosting companies do back ups, but those are generally only suitable for restoration of a complete server.  The back ups are usually not for individual website restoration.

Even if you are able to restore a backup from your webhosting company it may already be infected.  So it is better to keep your own back ups as well.

I offer my clients a manual back up service, so they know even if something happens to their website or with their webhosting account, they have a 3rd party back up.  For some clients I do it monthly, for others quarterly or annually.  And it costs less than a cup of coffee a day.

The backup frequency depends on how often you update and upgrade your website – you always want to have a copy of the latest version of your site.

I cannot stress highly enough how important it is to keep your own website back ups  in case your website suddenly stops working or gets hacked (unfortunately this happens more often than most small business owners are aware of).

There are many things that can go wrong with technology – both with the hardware (computers and servers) as well as the software.

And if your website gets hacked, you may not be aware of it for several weeks or even several months as hackers can install code within your website without you seeing any difference to the functionality.

It is not until Google displays a warning message instead of your website which says “This site may harm your computer” or drops you from their listing that you may become aware of it.  And by then your backups may be infected as well.  So it is vital you keep several copies of your backups.

If you need help backing up your website, we can do it for you.  Choose one of the packages below, depending on how often you update your website – if you update it once every few weeks or months, then choose either the monthly or quarterly backup.

When each backup is done, we will share it with you via Dropbox so you always have access to it.

Prices:

52 Weekly Backups – $1144 ($22 per back up)
12 Monthly Backups – $396 ($33 per back up)
4 Quarterly Backups – $176 ($44 per back up)
1 Annual Backup – $55