Website Security Checklist: 36 Tips to Complete Your Website Security Check
It pays to be paranoid in today’s online world with all the potential website security threats because the bad guys REALLY are out to get you…Check your website security often!
We were hacked not long ago. And let me just confirm, it’s no fun.
But this time, it wasn’t so bad because we had systems and tools in place to shut down the hacker fast.
First, evverything is ok. No data was destroyed nor was any customer information revealed. But it was a close call. This is what we call a teaching moment. And since that is what we do best, I wanted to help as many of you as possible make sure that you have the right website security in place.
Stay tuned and we’ll give you a simple, but thorough website security checklist to help protect you from the bad guys.
Here's what happened to us.
Last week, during the Insiders Club call, Jen (my daughter and company manager) tried to login to the Learning Center to show people how to find a specific product.
She couldn't. She was locked out.
I couldn't log in. I was locked out.
None of the rest of our team could login. We were all locked out.
And we began getting support tickets - customers were locked out too. And that’s a really bad thing.
Website hacking is rampant. We all have to be incredibly vigilant because there’s a group of ne’er-do-wellers out there (and they seem to be growing) who would much rather do damage than do good.
This was the second time we’ve been hacked. The first was many years ago.
During our semi-annual workshop in February, a threatening message on the site homepage read:
“David Perdew, you owe me money and I will expose your database to the world if you don’t pay $15000.”
Of course, we had no idea the identity of this mysterious - and extraordinarily dumb hacker - since there was no contact information or payment instruction.
We called the FBI (zero help by the way) and hired a team of cyber sleuths to rectify the hack.
The damage was done though because it forced us to shut down the site for six weeks to clean up and harden the site. Basically, it was a complete rebuild costing us about $75,000 in lost revenue and expenses to get back up and running.
Ten hours after we discovered the attack, we figured out that a person in Jordan, who had signed up for one of our products, used his login and technical know-how to invade the system and plant a malicious file.
Even though our system is much more secure, no computer is foolproof.
So, when we were hacked again recently, I flashed back to that costly previous experience praying that we’d done a better job this time of backing up our systems, putting our WordPress security plugin software in place, configuring it properly, and working with our hosting company to be ever vigilant.
But our system, like yours, gets hit thousands of times a day by hackers and bots trying to find a simple and easy vulnerability to exploit.
If you think about this too long, you could think that doing business online just may not be worth the trouble. Luckily, there are simple ways to ward against 99.9% of the threats.
This time, when we saw the issue, Jen jumped on with LiquidWeb, our host, and they confirmed that they could see a rogue account with an IP from Tunisia that accessed our server and was in the account. They could see where he was and what he was doing.
And because of the unusual server activity, our WordPress security plugin, iThemes Security Pro, did it's job and shut down the entire site until we could stop the strange behavior in the server.
We'd caught a hacker in the act.
My first thought in a situation like this is about the backups. “Where's our backups?"
Website backups are not something we think about often, but when we do, it’s usually as the result of some tragedy. And while we never want to use the backups, we must have them in case we do.
One of the reasons our first hacking experience shut us down for 6 weeks many years ago was because our backups had consistently been overwritten with new backups that had become infected with the malicious sleeper file. That allowed the hacker to trigger his activity at a later date.
Rebuilding the site was our only option.
One backup isn’t enough. We like to have a couple of months of backups just in case. Yes, that’s probably overkill, but when you have unlimited cloud storage from a reputable company like Google, data space is not an issue.
Unlimited backup space seems like it would be really expensive, but it isn’t at all. About 18 months ago, I made a very small one time investment in a product called Unlimited Cloud Storage.
All of our backups are loaded on that Google drive account with multi layered 2 factor authentication security. We used those to restore our sites by suppertime and get everything back to normal with very little downtime.
After this episode, I begged the developer to give our community a special promotion code to get $10 off. If you’re interested in Unlimited Cloud Storage, be sure to use the promo code NAMS10.
Tools, tips and tricks to enhance your security with a site security checklist
But unlimited cloud storage is not the only website security best practice we use.
We’ll go through a few of the best practices we use and a few of the tools we like to implement those below.
Domain Registration/ Hosting
Even though this is so important, too many people overlook this simple step. For example, someone may register their domain Godaddy and decide to get hosting there as well. Their entire business can then be shut down by Godaddy if they don’t like your business for any reason.
If you register your domain in one location like Simple Niche Domains (our Godaddy reseller account), and host your domain with a separate company like A2 Hosting (we recommend highly with very reasonable rates for medium to smaller sites), you’ll be in control.
WordPress Admin Structure/Plugins/Themes
- Never use admin as your username
- Delete any account using admin as the username
- Always use a strong password - we recommend 20 characters with AT LEAST 1 Symbol, 1 Number and Upper and Lower Case
- Periodically remove admin accounts set up for support of your plugins or products
- Alway check for abandoned plugins. These are plugins that have had no updates recently (within the last year)
- Don't be a plugin hoarder. Make sure you delete plugins that are no longer being used or that are duplicates of another product.
- Never allow additional plugins to be added to your site without permission
- Avoid free plugins unless the company has an upgrade path.
- Always make sure you're updating your WordPress theme. If your theme has not had updates recently, change themes! (child themes can be hacked too so if your child theme is outdated, it may be time for a newer one)
- Keep your WordPress core software updated. Be sure you backup first before updating and if possible run the updates on a test site or server
- Do NOT use free themes
- You can schedule backups to run directly with your hosting company. These are not always the easiest to access but are good to have running as a backup of your backup system - or a redundancy.
- Make sure backups are running on all of your sites frequently. At least daily. If you add a lot of content to your site, we recommend backing up multiple times per day. We back up every 12 hours and load to our Unlimited Cloud Storage.
- Make sure your hosting company is running a Cpanel Backup as well. This does not have to happen as frequently as cpanel changes should be minimal.
- Make sure you have a cloud storage account for your backups
- Make sure you are deleting old backups, especially if you are paying for storage space.
- Use a WordPress Backup Plugin - These are super easy to configure and use. We use Updraft and recommend BackupBuddy as well.
Connect your backup plug in to your cloud storage and make sure to add extra security on your backup folder. Password protect the folder OR put 2 factor authentication on the folder
- Use a WordPress security plugin. A paid version with good support is best. That’s why we use and recommend iThemes Security Pro.
- Configure your security plugin correctly
- Remember your security plugin will protect your site from bad players but sometimes can flag innocent customers and users. You can automatically whitelist or remove a blacklist on a customer IP address in your security settings.
- Use recaptcha or two step optins to ensure you're not getting hammered by bots and bad sign ups
Use A WordPress and Security Company
- Amy Bair - eHemisphere
- Paul Taubman - Digital Maestro
- Debra Lloyd - WP WebWorks
We'll send it right over to your inbox!
David Perdew is the CEO and founder of NAMS - the Novice to Advanced Marketing System. He’s a journalist, consultant, and serial entrepreneur who has built one of the most successful and fastest-growing business training systems online today called the MyNAMS Insiders Club.
The Novice to Advanced Marketing System is a step-by-step system focusing on Team, Training and Tools to help novice to advanced business people build a Simple, Scalable and Sustainable business.
He took a year off in 2003 to personally build a 2200 square foot log cabin in north Alabama where he and his wife and two dogs and a cat live on 95 acres of forest with four streams and 60-foot waterfall.
The NAMS team includes his daughter, Jen, who is an email marketing and automation specialist. Jen runs the day to day business and is one of the primary trainers in our MyNAMS Insiders Club.