Amateur Crash course in Website Security:
Over the last several months I have been helping a client with a hacked website. This is not an area that I work in or that I know much about, however, I can jump on the phone with GoDaddy and connect clients with consultants that can help.
It’s interesting to me that small business owners spend thousands of dollars on their website and then try to cut corners on paying a consultant to keep it up to date. This is like buying a house and not taking care of it. You wouldn’t do that, right?
A website isn’t something you set and forget. The site needs to be maintained. WordPress, plugins, and themes need to be updated each time a new security patch is released. Truthfully, they should be tested locally and not uploaded directly to the production site, as an update could potentially cause live issues resulting in days or even weeks without your website and inevitably, lost revenue.
I wanted to share with you what we learned. As a small business owner I know we are all very busy, but please take the time to understand the basics and check back with your website consultant. If your website consultant doesn’t have the heart of a teacher, get rid of them. You want someone who will explain what they are doing and, most importantly, will call you back in a timely fashion. We had an experience of just trusting our guy, but came to find out that the backups of the site hadn’t been set up. It may have been a misunderstanding, or maybe he forgot, but in the end it was our responsibility to follow up with him and double check. Our lack of understanding didn’t help us here. The client learned this lesson the hard way. After several months of trying to clean and debug the site, we had to completely destroy a 9-year-old site and start over from scratch. That’s a bummer. A clean backup could have fixed our issues in just a few hours. Instead, we struggled for months trying to fix the site, and who knows how much business we lost.
Before this issue happened we had one login to GoDaddy and two to our WordPress site. Our new guy has set up separate accounts for each person with access, so that we can monitor who has access and know who has done what to the site. Access needs to be limited. A website is a big asset for your business; don’t just let anyone muck around in it.
We also learned that we need a separate site to test all plugins and updates. WordPress updates its software all the time because security holes are found in it. With a separate site to test everything on, we will be able to install each update and make sure it does not break the site before installing it on our live site.
Daily backups are a MUST and should be kept for several months or even years! If you are a small business, some of the hosting companies offer services that perform backups automatically. With clean backups, you can restore your site in hours instead of days.
Install a firewall: a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Depending on your hosting company, they may offer this service for a monthly fee.
Lastly, check in with your website consultant quarterly. Here are a few of the questions I think are important to ask:
How often are backups happening? Ask them to double check.
How far back do you keep backups?
Confirm that these intervals have been set up.
If you are on WordPress: how are you handling the security updates for WordPress and the WordPress theme? Once a month, automatically?
Plugin management: How many plugins are we using? How are you keeping them up to date? Will you remove inactive or out-of-date plugins?
No one who doesn’t need it should have access to your website! Your webmaster can do most of your updates; don’t cheap out on this. You can pay now or pay MORE later. Your choice.
Ask about installing a firewall: a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Set up Google Search Console (it’s pretty easy to do). The console reports issues with the site back to you, and you can also use it to request a reindexing of the site. This is how I found out our site was still infected.
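As an added example (not code from the original post), here is a small Python script that turns the backup and plugin questions in the checklist above into checks your consultant can run. It assumes backups are files named wp-backup-YYYY-MM-DD.tar.gz in one folder (a hypothetical naming scheme) and that the plugin list comes from WP-CLI’s wp plugin list --format=csv command; the sample inputs below are constructed so the script runs offline.

```python
"""Quarterly WordPress maintenance check (added example, not the post's own code)."""
import csv
import io
import re
from datetime import date, timedelta

# Hypothetical backup file naming; adjust the pattern to match your host's files.
BACKUP_RE = re.compile(r"wp-backup-(\d{4}-\d{2}-\d{2})\.tar\.gz$")


def backup_dates(filenames):
    """Return the sorted dates of every file that looks like a backup."""
    found = []
    for name in filenames:
        m = BACKUP_RE.search(name)
        if m:
            found.append(date.fromisoformat(m.group(1)))
    return sorted(found)


def check_backups(filenames, today, max_gap_days=1, min_retention_days=90):
    """Answer 'how often?' and 'how far back?' from what is actually on disk."""
    dates = backup_dates(filenames)
    if not dates:
        return ["no backups found at all"]
    problems = []
    if (today - dates[-1]).days > max_gap_days:
        problems.append(f"newest backup is {(today - dates[-1]).days} days old")
    if (today - dates[0]).days < min_retention_days:
        problems.append(f"oldest backup is only {(today - dates[0]).days} days old")
    # A gap longer than the schedule means the backup job silently stopped for a while.
    for earlier, later in zip(dates, dates[1:]):
        if (later - earlier).days > max_gap_days:
            problems.append(f"gap of {(later - earlier).days} days between {earlier} and {later}")
    return problems


def audit_plugins(csv_text):
    """Flag plugins with a pending update and inactive plugins that should be removed."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return {
        "update": [r["name"] for r in rows if r["update"] == "available"],
        "remove": [r["name"] for r in rows if r["status"] == "inactive"],
    }


# Constructed sample inputs: a folder with 8 daily backups that stopped 3 days ago,
# plus WP-CLI style plugin output (columns: name,status,update,version).
TODAY = date(2024, 3, 31)
STALE_BACKUPS = ["readme.txt"] + [f"wp-backup-{TODAY - timedelta(days=i)}.tar.gz" for i in range(3, 11)]
GOOD_BACKUPS = [f"wp-backup-{TODAY - timedelta(days=i)}.tar.gz" for i in range(122)]
SAMPLE_PLUGINS = "name,status,update,version\nakismet,active,none,5.3\nhello,inactive,none,1.7.2\ncontact-form-7,active,available,5.8\n"

if __name__ == "__main__":
    print(check_backups(STALE_BACKUPS, TODAY))
    print(audit_plugins(SAMPLE_PLUGINS))
```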
This is not a complete list, clearly; it is just based on my experience over the last several months dealing with this. I know you think it’s not going to happen to you, but when it does, if you have followed a few simple steps, hopefully you’ll be protected. Losing the content of your website is a big deal. The website is the center of most of our traffic, where clients check to see if we are legitimate, find out how to contact us, review our services, request quotes, etc. This area isn’t that complicated. You don’t need to understand HTML; just asking a few questions will help you keep all of this together.