
2023 WordPress Website Security Guide for Small Business Websites

There has been a lot of news recently about data breaches and hacked customer information. Each week, a new corporate is hacked and its customer data compromised. Small business owners must be feeling a degree of trepidation if large corporates like Optus and Medibank are experiencing data breaches. We want to support you with a WordPress website security guide for small business websites. This is how you can safeguard your small business website, and the steps that can help to prevent these kinds of attacks.

Confetti Design have put together recommendations you can action to better safeguard your website.

WordPress Website Passwords – the stronger the better

It may surprise you to know that some of the most common passwords, and the most vulnerable to attack, include the numbers 12345, the word password and qwerty. Common words and numbers might be easy to remember, but they significantly expose your website to hacking! You can always check the strength of your password, and the longer, the better. A good rule of thumb is to include letters, numbers, capitals and symbols in your website password to strengthen it.

Small business owners should change their passwords regularly, at least monthly. This does sound like hard work, but many computer operating systems, whether from Microsoft or Apple, can generate and manage passwords on your PC or laptop.

Action: Diarise regular password changes. Do not hesitate to use the passwords your PC or laptop recommends, as they tend to be difficult to replicate. Don’t wait to be prompted to change your password.

SSL Certificates

SSL stands for Secure Sockets Layer, a security protocol that creates an encrypted link. An SSL certificate is a digital certificate that authenticates a website’s identity and enables an encrypted connection between a web server and a web browser. The best way for a small business owner to identify an SSL certificate is by the website address (URL). When a website URL has https:// before the website address, such as https://confettidesign.com.au, this is evidence that an SSL certificate is being used.

The great news is that many hosting providers offer an SSL certificate for free, as part of your hosting plan. It is in the interest of hosting providers to do this as it helps to minimise customer websites being compromised. Alternatively, SSL certificates can cost around $100 for an annual subscription.

You can also go back and read a previous blog post we wrote about digital certificates here.

Action: If you do not have an SSL certificate on your website, see if your hosting provider offers a free SSL certificate. If not, it is worth the investment.

Your Website has the latest WordPress version.

WordPress is an open source website content management system and is regularly maintained and updated. As such, you need to regularly log in to the backend of your WordPress website and update to the latest version. This also includes updating the theme that might be used to build your website and the plugins that are installed. Typically, WordPress themes and plugins are created and maintained by third-party developers, who are responsible for releasing updates to them. You need to update your version of the theme and the plugins regularly. You will know if they need updating because a red dot will appear next to the Plugins navigation item on your dashboard. A number in the red dot indicates how many need to be updated.

Action: Log in to WordPress and on the left-hand side there is an “Updates” field in the menu. You can select the themes and plugins you want to update.

WordPress comments

One way that hackers can cause damage to your website is by leaving comments in your contact form. These comments typically have a link that appears harmless, but when opened, enables a virus on your website. You will need to regularly go into your WordPress backend and review the comments, deleting those that are spam or could potentially have a harmful intent. A word of caution: these hackers are trying to disguise viruses as legitimate comments and enquiries, so be careful when reviewing comments and, in particular, when clicking on any links (that’s how they get you).

Backup your WordPress website regularly

You can protect your website by taking a regular backup of your site. No website security can ever be 100% guaranteed and those hackers are devious players. If you are hacked, having a backup will enable you to quickly restore your website on new hosting in case you cannot remove the offending viruses or infected files.

The first step is to check your hosting provider and find out if they have a process to backup your website. Many hosting providers do have an automated backup so check the frequency, preferably real-time or daily. If it is weekly or monthly, you’ll need to make a call if this is often enough.

You should also ensure that you save your backed-up website to a remote location, such as a shared drive like OneDrive, Google Drive or Dropbox.

WordPress also has a vast choice of plugins specifically created to backup your website. BlogVault, UpdraftPlus, BackupBuddy and BackWPup are a few plugins that enable you to backup your website. Some of these plugins are free as well!

Action: Check if your hosting provider does this for you and if not, look at plugins that will enable you to take a full backup of your website. Keep the backup in a secure and separate file.

Install WordPress Website Security Plugins

You can enable a security plugin to protect your website against hacking. Security plugins monitor your website and keep track of what is going on including failed login attempts. Security plugins also provide a malware scanning feature that scans your website for malware and removes infected files regularly. There are free security plugins, but we think it best to invest in these tools to safeguard your website from hacking.

The team at Confetti Design have been using Sucuri for many years and recommend their security service and plugins.

The above recommendations are options we think most small business owners can do. There are more complex ways to protect your website from hacking and they include:

· Enable a firewall: firewalls block malicious traffic before it even reaches your website

· Disable PHP file execution: particularly in directories where it’s not required

· Disable file editing: this stops your WordPress theme and plugins from being edited

· Disable directory indexing and browsing: directory browsing can be used to look into your files and find vulnerable ones
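
As an added example (not from the original post), the shell script below audits a WordPress directory for three of the settings listed above: the WordPress constant `DISALLOW_FILE_EDIT` in `wp-config.php`, the Apache directive `Options -Indexes`, and a rule denying `.php` requests in the uploads folder. It assumes an Apache server that honours `.htaccess` files; the function names and the sample site are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): checks a WordPress directory for
# three hardening settings from the list above. Assumes Apache with .htaccess.

# wp-config.php must contain an uncommented: define( 'DISALLOW_FILE_EDIT', true );
check_file_edit() {
    grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php" 2>/dev/null
}

# The site's root .htaccess must contain: Options -Indexes
check_no_indexes() {
    grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null
}

# wp-content/uploads/.htaccess must deny requests for .php files (heuristic:
# a <Files>/<FilesMatch> block naming php plus a deny rule, 2.4 or 2.2 syntax).
check_uploads_php() {
    f="$1/wp-content/uploads/.htaccess"
    grep -Eiq '^[[:space:]]*<Files(Match)?[[:space:]].*php' "$f" 2>/dev/null &&
        grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+denied|deny[[:space:]]+from[[:space:]]+all)' "$f" 2>/dev/null
}

# Print PASS/FAIL per check; return 0 only when every check passes.
audit_wordpress() {
    status=0
    for check in check_file_edit check_no_indexes check_uploads_php; do
        if "$check" "$1"; then echo "PASS $check"; else echo "FAIL $check"; status=1; fi
    done
    return "$status"
}

# Constructed sample site with the hardened settings in place.
make_hardened_site() {
    mkdir -p "$1/wp-content/uploads"
    printf '%s\n' '<?php' "define( 'DISALLOW_FILE_EDIT', true );" > "$1/wp-config.php"
    printf '%s\n' 'Options -Indexes' > "$1/.htaccess"
    printf '%s\n' '<FilesMatch "\.php$">' '    Require all denied' '</FilesMatch>' \
        > "$1/wp-content/uploads/.htaccess"
}

demo=$(mktemp -d)
make_hardened_site "$demo"
audit_wordpress "$demo"
rm -rf "$demo"
```

To audit a real site, call `audit_wordpress` with the path to the folder that holds `wp-config.php`; any FAIL line names the setting that is missing.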

If you want to know more, there is additional reading available here and here.

All a bit too much, too many things to think about!

Don’t hesitate to reach out, the team at Confetti Design are here to help!

WordPress security seems a bit hard to implement?

Do you have an existing WordPress website and find it daunting to update the security on your small business website or don’t have the time?

You’re in the right place. Confetti Design are experts in WordPress and are passionate about helping business owners with their small business websites. Confetti Design will work with you to update and maintain your WordPress website.

Our team has extensive WordPress experience. Give us a call to discuss your WordPress development and updates.

Author - Johannah Barton

Johannah is founder and owner of Confetti Design, a leading Melbourne Shopify Agency. Her extensive background in fashion, interior design, sales and marketing contributes to the agency’s great ability and reputation. She creates content that helps small businesses navigate the online space, helping them to consider their website as a sales tool.
