Cyber attacks follow one of two main approaches. Either the attacker deliberately picks a specific website he wants to hack, or he targets the widest possible number of websites that happen to share a certain flaw or weak spot, aiming to abuse that spot.
The number of those websites is always huge. Some estimates say that as many as 95% of all the websites in the world are targeted for one kind of attack or another.
By the time you notice that something’s gone wrong, it’s often too late. If Google has rung the bell and marked your website as unsafe or hacked in search results, or the warning comes from your browser or even the hosting provider (who most often just take the infected websites down, to prevent the plague from spreading across the server), or you can’t even access your website, the evil deed has already been done.
This is why you should approach your website’s security carefully and act proactively.
Here are a few things you should do to avoid this terrible inconvenience and spare yourself some energy and resources.
1) Back up on a regular basis
Performing a backup has saved many skins since it was invented. Remember those ancient times of floppy disks that we kept our tiny little files on, just in case something went wrong with our computers?
Basically, every backup means having a floppy disk, only bigger. Actually, the bigger the better. You could have it at your workplace, or on a remote server on a different continent (you may not even know which continent exactly), or on a cloud server. Some hosting providers offer backup as a part of their service. Whichever option you choose, don’t forget to always keep your data in a safe place. The cause may not always be an evil hacker. Even a simple update can mess things up.
2) Update every time a new release is available
This is pure logic. WordPress core developers and collaborators are already doing a great job for all of us, working day and night to patch any security hole that might emerge. It would be a pity to waste their effort. It would be expensive to pay the price for it (and there are always additional fees when a website is breached). Furthermore, it would be a catastrophe to have your IP address blacklisted because your website became a phishing lair and sent spam to zillions of people.
3) Monitor your website for changes
Any change that was not made by you or a member of your team should be treated as suspicious. So, you should check in as frequently as possible and try to always have a clue about what’s happening. Content injection or defacement is a sure indicator that the website has been breached. The most recent example was the defacement of a stunning 1.5 million WordPress websites by hackers who abused the REST API vulnerability.
Monitoring just about every page on your website, as well as its infrastructure, can be a tedious job. The traffic also needs to be observed, as a sudden rise in traffic can be a sign that your website is being used for malvertising. There are so many areas that can get abused, and one needs to sleep every now and then. That’s why it might be good for you to choose a service that could automate this process. Plugins such as Sucuri, WordFence and VaultPress can also be an option, but even the best plugins are not 100% reliable.
4) Secure the login page
First of all, forget about using “admin” for login.
Brute force attacks rely precisely on that, because the attackers know that there will probably always be enough people who aren’t very careful about their usernames and passwords. As they fire an immense number of attempts to guess your login, with all possible combinations, be sure to give them hell. It’s highly recommended to use an utterly nonsensical password, or to generate one by pressing random keys, including numbers, upper and lower case letters, and special characters.
There’s another easy guess for any dishonest visitor to a website. The login URL can often be accessed by merely typing /wp-admin at the end of the regular website URL. This is another customizable thing you don’t want to leave by default.
5) Get an SSL (Secure Sockets Layer) certificate
The SSL certificate is a feature every website owner should have in 2017.
Getting it will secure your browser’s communication with servers by encryption, so no third party can understand it, even if they are intercepting the conversation. Basically, it’s like inventing a secret language that will never again be used after this conversation is over. It’s a mighty measure of precaution.
It is also becoming mandatory, for Google has set out on a mission to flag every website without the HTTPS protocol. So, watch it.
6) Have us do all of these things for you – and more
Having prevented more than 5 thousand threats and monitored over 1.5 thousand websites to date, we’ve fought against pretty much every possible kind of attack, and have never lost a battle.
Now a moment of honesty.
We won’t lie to you that there will be no attacks if your website is under our supervision and protection. We are not Supermen. However, we have the means to bring back order and restore everything, without your website experiencing downtime.
First of all, we’ll put your website under a magnifying glass to ensure that it hasn’t already been compromised. If it has, we’ll clean it up. Backup and updating are our topmost priority, as data is the core of your Internet presence, and must never be lost. Even when we’ve covered everything, secured all the aspects, fixed whatever was wrong or weak or malfunctioning, we will monitor your website, so that you never have to worry about the terrifying news you hear about all the cyber criminals out there.