It’s hard to imagine a small business owner who would feel okay leaving shop doors and windows unlocked after business hours, even in a sleepy small town where everyone knows one another. I’m certain that many employees are terminated when they repeatedly fail to secure equipment, gates, and doors at the end of their shift.
So it’s always a head-shaking moment when one of the things we discover when first engaging with a company or organization is the online equivalent of unlocked doors and broken windows. Websites are vital business locations and the same concerns and cautions must apply as with brick and mortar.
Most websites aren’t simply billboards — a company’s website is equivalent to a branch or sales office. The power of an online presence derives from interactivity, the ability to both send and receive information to and from prospects and customers. But beneath every two-way communication point in a website lies a potential weakness.
Just as with physical locations, thieves rarely blast through walls to get in. They pick locks, break windows, or find your key hidden under the doormat.
Here are a few of the equivalent website weak spots:
- Easy-to-guess passwords equal easy-to-find “keys.”
- Unpatched or unvalidated database connections behind forms like logins and information requests equal easy-to-pick “locks.” It takes only a bit of technical knowledge (a SQL injection attempt against an unchecked form field, for example) to break in.
- Unguarded comment systems are like a mail slot in your front door. You can be left with the digital equivalent of a mysterious white-powder-filled envelope stored inside your website.
Okay, I’ve likely taken this analogy about as far as it needs to go. In summary:
The security issues to which websites are vulnerable are as extensive and expensive as those of a brick-and-mortar business. And when you consider that the “neighborhood” of your website is global, accessible 24/7 from an apartment in the most crime-ridden neighborhood on the planet, failing to take steps to protect your website is a very risky proposition.
Five Actions to Secure Your WordPress Website
Here’s a condensed list of our recommendations to secure your website. Since many companies practicing content marketing, and most of our customers, use WordPress-based sites, I’m going to focus on that great platform. If you’re not using WordPress, many of the concerns I’ll discuss may apply, but the solutions may differ.
1. Keep WordPress, WP Themes, and Plugins Up to Date
You can’t simply check on your site every few months and expect it to be secure.
Website software is constantly being tested by forces for good and for evil. It’s a constant evolutionary struggle — very Darwinian. Every day, we install updates for WordPress, WordPress themes, and the plugins that enable the various functions on WordPress sites.
You must commit to logging in to your site every week — at a minimum — to identify and update everything that needs updating. WordPress applies minor core releases (which are usually security fixes) automatically by default, and you can turn on auto-updates for individual plugins and themes from the Plugins and Themes screens; that closes the window between a patch being published and your next login.
This is what you want to see on your WordPress Updates – screen shot
If your website isn’t being managed actively by a WordPress specialist, a word of caution: sometimes a software update will be poorly coded, or will interact badly with other existing code, causing your site to break in some way, sometimes completely, often unexpectedly, always inconveniently.
The simplest precaution is to back up your website each week (both the database and the wp-content directory, which holds themes, plugins, and uploads) and to do your updates right after the backup has been made. Then test your site to make sure it’s working as expected, and make sure you know how to restore it if a bad update takes it offline. A backup you have never tried to restore is only a hope.
Unfortunately, all this can get pretty technical. So unless you’re handy in this area, you really should consider having someone do this kind of active maintenance for you. Or, if you get stuck, be prepared to call your web hosting company’s technical support.
2. Disable Comments on Your WordPress Blog
Back when the Web was young and we were all naive, incorporating reader comments was a good idea. Today — except in very rare circumstances such as dedicated online communities — comment systems on private websites are almost always, at best, a waste of time and resources. At worst, they’re magnets for spammers, spambots, and hackers, and one of the most common pathways for abuse of your site.
If yours is like most businesses, your website’s comment system isn’t creating much that’s profitable, so shutting it down is the best option. In WordPress, uncheck “Allow people to submit comments on new posts” under Settings → Discussion; that setting affects only new posts, so also close comments on existing posts (select them on the Posts screen and use Bulk Edit to set Comments to “Do not allow”). Two related caveats: a comment form by itself cannot upload files, so the sham accounts and malicious uploads described later in this post usually come from open user registration. Make sure “Anyone can register” (Settings → General, Membership) is unchecked, and delete any accounts you don’t recognize. Where comment systems have had exploitable weaknesses, attackers have used them to hijack sites and do real damage, like redirecting visitors to another website, shutting the site down completely, or infecting visitors’ computers with malware — to name just a few examples.
Additionally, turning off comments on your website means you save valuable time you’d waste moderating even a tiny audience of commenters.
But note: not inviting comments on your website doesn’t mean you can’t converse with your customers. If you want to interact with your website’s visitors, the best option is to hold those conversations on social media platforms like Facebook, Twitter, and LinkedIn. Because those sites are less anonymous, you can be a bit more certain who is commenting. Determine the social networks through which you’re most likely to connect with your customers, and direct your readers there to post comments.
This is an example of using social media for comments − Copyblogger using LinkedIn
If you’re following best practices for your content marketing efforts, you’re already in the habit of promoting your blog posts and other content through social media. Social media sites provide built-in opportunities for sharing, liking, and subscribing. These valuable interactions aren’t features of your blog’s comment system, so there’s a clear upside to engaging visitors through social media.
And if you actively contribute to the comments on social media, your words will be seen by more people, and will demonstrate that you’re engaged and that you care about your audience.
If you don’t want to give up on comments on your WordPress site, install Akismet. It’s free for personal sites (commercial sites need a paid plan) and eliminates a great deal of comment spam and other problems. You’ll still need to hold all comments for moderation (Settings → Discussion, “Comment must be manually approved”) and spend time reviewing them — even those Akismet passes or isn’t certain about — to decide whether or not they’re spam.
How do you know if a comment is spam? If the comment includes a URL anywhere, it’s best to mark it as spam. Comment spammers have created lists of seemingly benign, neutral comments — like “Great blog!” or “Love your writing, keep it up!” — which are intended to appeal to your vanity in the hope you’ll overlook the link to a Mich*el K@rs Handbag or whatever malicious links they’re trying to place on your site.
Check for URLs not only in the comment text, but also in the commenter’s profile information. Don’t allow any URLs — not even for the commenter’s website — in commenter profiles. Often that “innocent” link is the whole motive for the comment. Someone is trying to build links at your expense.
The other check for spam commenters is to look for email addresses that look odd, such as long strings of numbers or letters in the part before the @ sign. Those are signs of computer-generated, fake addresses used by spammers.
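The three checks above (a URL anywhere in the comment, a URL in the commenter’s profile, an odd-looking email address) can be automated so that matching comments go straight to the Spam tab instead of your moderation queue. The following is an added example, not code from this post or from Akismet; it assumes you save it as a must-use plugin under wp-content/mu-plugins/, and the `clh_` names, the list of top-level domains, and the length thresholds are my own choices for illustration.

```php
<?php
/**
 * Plugin Name: Comment Link Heuristics (added example)
 * Save as wp-content/mu-plugins/comment-link-heuristics.php; mu-plugins load without activation.
 */

// Apply the checks from the text to one comment: a URL anywhere in the body,
// a URL in the commenter's website field, or a machine-looking e-mail address.
// Returns the reason the comment was flagged, or an empty string if it passes.
function clh_spam_reason( array $comment ) : string {
    $content    = (string) ( $comment['comment_content'] ?? '' );
    $author_url = trim( (string) ( $comment['comment_author_url'] ?? '' ) );
    $email      = strtolower( (string) ( $comment['comment_author_email'] ?? '' ) );

    // 1. A link in the text: a scheme, "www.", or a bare domain such as example.com.
    //    The TLD list is illustrative; extend it for your audience.
    if ( preg_match( '~https?://|\bwww\.|\b[a-z0-9-]+\.(?:com|net|org|info|biz|ru|cn|xyz)\b~i', $content ) ) {
        return 'url in comment text';
    }
    // 2. Anything at all in the Website field.
    if ( '' !== $author_url ) {
        return 'url in author profile';
    }
    // 3. Local part that is one long run of letters and digits (threshold 14, an assumption),
    //    or that contains a run of six or more digits.
    $local = strstr( $email, '@', true );
    if ( false !== $local && ( preg_match( '/^[a-z0-9]{14,}$/', $local ) || preg_match( '/\d{6,}/', $local ) ) ) {
        return 'generated-looking e-mail address';
    }
    return '';
}

// Route flagged comments to the Spam tab. Priority 20 runs after filters registered at the
// default priority (such as Akismet's), and an existing 'spam' verdict is left alone.
// The reason is stored as comment meta once the comment exists, so a moderator can see
// why it landed in Spam.
add_filter( 'pre_comment_approved', function ( $approved, array $commentdata ) {
    if ( 'spam' === $approved ) {
        return $approved;
    }
    $reason = clh_spam_reason( $commentdata );
    if ( '' === $reason ) {
        return $approved;
    }
    add_action( 'comment_post', function ( $comment_id ) use ( $reason ) {
        add_comment_meta( $comment_id, 'clh_reason', $reason, true );
    } );
    return 'spam';
}, 20, 2 );

// Remove the Website field from the comment form so there is no profile URL to build links with,
// and stop WordPress from linking author names on comments that already carry one.
add_filter( 'comment_form_default_fields', function ( array $fields ) {
    unset( $fields['url'] );
    return $fields;
} );
add_filter( 'get_comment_author_url', '__return_empty_string' );
```

These are heuristics, not a verdict: a genuine reader who mentions a domain name will land in Spam too, which is why the post’s advice to hold and review every comment still stands. The Spam tab keeps the comment with its stored reason, so nothing is lost if you decide to approve it by hand.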
Here’s an example of damage from open comments.
One website we recently worked on wasn’t being managed actively and had open comments spanning the past two years. The site had accumulated over thirty thousand — yes, 30,000! — user accounts. Dozens of those users had managed to upload malicious files onto the site, intended — among other purposes — to infect visitors and commenters or even to take control of the site.
In addition, those bogus commenters had added comments containing links to spammy sites. Those links harmed the host site’s search rankings, because Google could detect those low value, spammy, and often-broken links. That and other problems with this website led Google to reject it as a Google AdSense participant. In this case, open comments caused financial harm — by eliminating a valuable source of revenue for the site owner.
3. Require Strong Passwords
Newer versions of WordPress generate strong passwords by default and warn when a chosen password is weak, but they don’t enforce strength: a user can still tick the box to confirm a weak password. So weak or easy-to-guess passwords remain a serious problem.
Weak passwords may be simply too short, or may consist of uncapitalized, simple English words. Today, a password should be at least eight characters long — and longer is better, since length does more for strength than any other rule — and include mixed capitalization, numbers, and special characters. A passphrase of several unrelated words meets the length test and is easier to remember.
A good practice for your website is to use a plugin that enforces a password policy, including minimum length and strength, and an expiration time. Password Policy Manager is a good place to start. Login LockDown is another good tool; it limits the number of password guesses from one address, which helps against brute-force attacks. Bear in mind that attackers spread their guesses across many addresses, so treat an attempt limit as a speed bump rather than a wall; the strong-password rule is what actually stops them.
WP Password Policy Manager – WordPress plugin screen shot
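For a site that would rather not add another plugin, the two controls just described (a minimum password policy and a cap on failed login attempts) can be written as a small must-use plugin against WordPress’s own hooks. This is an added example, not the post’s code and not the code of the plugins it names. It assumes the file lives in wp-content/mu-plugins/, that the server sees the real client address in REMOTE_ADDR (no CDN or reverse proxy in front), and the `ppl_` names, the 12-character minimum, and the 5-attempts-per-15-minutes limit are my own choices.

```php
<?php
/**
 * Plugin Name: Password Policy and Login Throttle (added example)
 * Save as wp-content/mu-plugins/password-policy.php; mu-plugins load without activation.
 */

const PPL_MIN_LENGTH   = 12;      // stricter than the eight-character floor in the text (assumption)
const PPL_MAX_ATTEMPTS = 5;       // failed logins allowed per client address before a lockout
const PPL_LOCKOUT_SECS = 15 * 60; // lockout window, also the lifetime of the failure counter

// Return a list of policy violations for a candidate password; an empty list means it passes.
function ppl_password_problems( string $password ) : array {
    $problems = [];
    if ( strlen( $password ) < PPL_MIN_LENGTH ) {
        $problems[] = sprintf( 'at least %d characters', PPL_MIN_LENGTH );
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'both upper- and lower-case letters';
    }
    if ( ! preg_match( '/\d/', $password ) ) {
        $problems[] = 'at least one digit';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'at least one punctuation or symbol character';
    }
    return $problems;
}

// The profile/new-user screens and the "lost password" reset form all post the new
// password as pass1. An empty pass1 on a profile save means "leave the password alone".
function ppl_validate_posted_password( WP_Error $errors ) : void {
    $password = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $password ) {
        return;
    }
    $problems = ppl_password_problems( $password );
    if ( $problems ) {
        $errors->add(
            'ppl_weak_password',
            '<strong>Error:</strong> the password needs ' . esc_html( implode( '; ', $problems ) ) . '.'
        );
    }
}
add_action( 'user_profile_update_errors', 'ppl_validate_posted_password' ); // new users and profile edits
add_action( 'validate_password_reset',   'ppl_validate_posted_password' ); // password-reset form

// Throttle: count failures per client address in a transient and refuse logins past the limit.
function ppl_fail_key() : string {
    return 'ppl_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}
add_action( 'wp_login_failed', function () {
    $key = ppl_fail_key();
    set_transient( $key, (int) get_transient( $key ) + 1, PPL_LOCKOUT_SECS );
} );
// Priority 30 runs after core's username/password check (priority 20), so during the
// lockout window the error below overrides even a correct password.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( ppl_fail_key() ) >= PPL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'ppl_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.', PPL_LOCKOUT_SECS / 60 )
        );
    }
    return $user;
}, 30, 1 );
add_action( 'wp_login', function () {
    delete_transient( ppl_fail_key() ); // a successful login clears the counter
} );
```

Each attempt made while locked out also fires wp_login_failed, so it re-arms the 15-minute window; that is intended. Behind a proxy or CDN, REMOTE_ADDR is the proxy’s address and this throttle would lock out everyone at once, so in that setup take the client address from the header your proxy sets and trust that header only from the proxy.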
I must mention the standard precautions:
- Don’t use the same password or phrase on multiple sites.
- Never, EVER reuse any passwords for financial sites, like online banking or investment accounts.
- Change your passwords regularly, and immediately after any breach notice from a site where you used them.
And remember: just like a notebook lying around your home or sticky notes stuck to your computer monitor, a plain document stored on your computer is a valuable and vulnerable target for thieves. Use a reputable password manager to keep track of your login information.
4. Install a Security System Plugin
The WordPress development community has created many dependable, easy-to-use, and well-maintained security plugins. Some are free, and some offer paid premium services. Many web hosting companies strongly recommend Wordfence Security. This popular security plugin offers many features, including automated alerts whenever anything needs to be updated or patched. It will help you scan your site for suspicious or malicious files. It also blocks IP ranges used by known intruders. Another viable option is Sucuri; it protects your site from malware and other intrusions that can harm you or your visitors.
This is not, however, a blanket endorsement of all security systems. Some hosting companies offer premium (i.e., paid) services that promise added security for your web hosting account, but may not be all that useful. Research before you buy. If you’re tempted to sign up for your provider’s latest service or add-on, look for independent information and reviews. Some may offer value, but keep in mind that there are many options.
Wordfence Security – WordPress plugin screen shot
5. Don’t Automatically Trust Emails About Your Website
Phishing is the technique of impersonating a communication from a trusted source, in order to obtain login or other personal information. It’s very common in the financial sector. Fake emails or even phone calls may claim to be from your financial institution, and provide a phony link or ask for account information.
Recently one of my clients and I received an email claiming to be from a web hosting company we both use. To the unsuspecting, the email appeared legitimate. On closer examination, the link in the email pointed to a different website, one with a similar URL, but which could have led to disaster had we tried to login.
If your hosting company, or any other company you do business with, sends you an email regarding your website, be careful: tempting as it may be, don’t click on a “Login Now” button or link. Hovering over a link (or long-pressing it on a phone) shows its real destination, and it will often differ from the text. Instead, log in using your usual pathway, like a bookmark or a memorized URL. If the message contains truly important information, you should be able to find it there. If not, it can be ignored or dismissed.
Example of phishing email from a hosting provider – DON’T CLICK ANY LINK IN AN EMAIL LIKE THIS – it actually goes to a different (bad) link than the one indicated by the email.
One piece of related advice:
When you register or renew your website domain name or names, it’s a good idea to consider paying for a service called “Domain Privacy.” That’s because domain ownership information is public; it’s shared through a system called WHOIS. This system shares contact information — including the owner’s name and physical mailing address, email addresses for the owner and other contacts related to each domain, and where DNS information is controlled.
The combination of those pieces (DNS server, registrar name, and contact email addresses) is more than enough for a cyber criminal to generate emails like the one I received. In my case, domain privacy on my business site had eliminated those phishing emails, by showing only the name and address of an intermediary company rather than my personal details. But because I own a personal domain, one that I hadn’t wanted to spend the extra cash to protect with domain privacy, I was targeted.
The good news is, this doesn’t happen often. The bad news is, it’s only going to get worse.
Especially this past year, all of the attacks and exploits described above have escalated rapidly in number, frequency, and sophistication. You’ll save yourself a lot of potential pain and suffering by following these tips:
- Keep your website software and plugins up to date.
- Disable comments.
- Require strong passwords.
- Install a security system plugin.
- Beware of phishing emails.
These steps won’t eliminate the threat — or the need for vigilance — but they’re a great first line of defense.