A noticeable increase in website attacks has been happening lately; some attempts even exploit the global pandemic in malware, phishing attacks and spam. Many of these attacks use fear tactics, and with more companies shifting to working remotely, inadequate security protocols may leave company data or information exposed.

Although at Enspire Creative we apply best practices for our clients with our security and hosting plans, the number of cyber-attacks continues to increase, as do the ways vulnerabilities are exposed.

We highly recommend that businesses be aware of the risks associated with website attacks, the need for websites to have proper security, and the need to keep their site and plugins updated. This is especially important for e-commerce sites that conduct transactions or store sensitive customer information through their website.

The last thing anyone wants to deal with is a cyber attack on their website where valuable information has been compromised, or to lose endless hours trying to repair a site that has been injected with malware.

We highly recommend implementing these best practices for your website:

  1. Back up your website regularly*
  2. Update your WordPress website, theme, and plugins*
  3. Ensure your website is hosted securely (uses HTTPS protocol)**
  4. Install a security plugin (we recommend iThemes Security or Wordfence)*
  5. Change the login URL*
  6. Enable 2-factor authentication for login
  7. Use strong passwords (not used elsewhere)
  8. Remove unused plugins
  9. Tighten admin user settings

We dive a little deeper into each of the recommendations above…

1. Back up your website regularly*

A backup is essentially a copy of your website, stored elsewhere, that can be used to restore your website in the case of an attack.

Having reliable backups run automatically on a regular schedule, such as once a day or week, is helpful: it is one less thing to think about and provides peace of mind in case the site is hacked.

Most website hosting providers offer this as an option and may allow you to set your own backup schedule.

It’s helpful to check the backups every so often and to have multiple backup versions available so that you can recover website files from a point prior to an attack.

2. Update your WordPress website, theme, and plugins*

Every day, websites are compromised due to outdated software or plugins, so it is important to keep your website updated regularly, as well as any plugins or themes.

This is especially common for WordPress websites, as WordPress releases core updates and sites use plugins and themes that need to be manually updated within the backend of the website.

Staying updated keeps the automated bots away, as they are constantly scanning to find vulnerabilities or holes to exploit and cause damage.

3. Ensure your website has an SSL certificate**

An SSL certificate shows visitors to your website that it is using a secure encrypted connection between the server and the browser.

An SSL certificate will not protect the website from an attack or hack, but it does signal to the visitor of your website that your website is legit and secure for transactions and submitting information through the site.

4. Install a security plugin*

We recommend installing a security plugin that can help in keeping out bad login attempts from spammers, securing data from a database, or adding a firewall.

We recommend considering plugins such as iThemes Security or Wordfence.

5. Change the login URL*

The default login page for all WordPress sites is /wp-admin, which is well known to many spammers and hackers. Changing the link of the login page to a custom URL makes it harder for attackers to find and try to enter your website.

6. Enable 2-factor authentication for login

Enabling 2-factor authentication for logging into your website adds a layer of security other than just a password.

Passwords can be hacked, especially if they are not strong, but if 2-factor authentication is enabled it means the hacker would need a code sent to your phone or email in order to continue in the login process.

7. Use strong passwords

Keep your passwords strong and don’t reuse them. We recommend using a password manager that helps generate strong random passwords and stores them securely.

Use long random passwords that don’t contain any real words; even replacing the letter O with 0 is not enough.
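The following Python sketch is an added example, not code from Enspire Creative or from any plugin named here. It shows why look-alike substitutions do not help: undoing them is trivial, so a password built on a real word is still found by a dictionary check. The word list, substitution table and function names are constructed for illustration.

```python
import math
import secrets
import string

# Look-alike substitutions mapped back to the letters they stand in for
# (assumed table for this example; real cracking rules are broader).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample list; a real check would load a large dictionary
# plus a list of breached passwords.
SAMPLE_WORDS = {"password", "welcome", "admin", "wordpress",
                "monkey", "dragon", "letmein"}

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def contains_dictionary_word(password, words=SAMPLE_WORDS, min_len=4):
    """Return the first word found after undoing substitutions, else None."""
    normalized = password.lower().translate(LEET)
    for word in sorted(words):
        if len(word) >= min_len and word in normalized:
            return word
    return None


def generate_password(length=20):
    """Draw a password from the OS CSPRNG, as a password manager does."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Reject the rare random string that happens to spell a listed word.
        if contains_dictionary_word(candidate) is None:
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for sample in ("P@ssw0rd2024!", "W3lc0me!", generate_password()):
        print(sample, "->", contains_dictionary_word(sample) or "no word found")
    print(f"20 random characters: about {entropy_bits(20):.0f} bits")
```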

8. Remove unused plugins

Keeping unused or deactivated plugins on your website can create clutter and may even slow down your site. They can also be a threat, leaving your site open to vulnerabilities, as the plugin may not be updated as time passes.

If you won’t be needing the plugin anymore, we recommend uninstalling or deleting it. Sometimes those plugins may leave unwanted data behind, so you may need to check for this depending on the plugin that was installed.

9. Tighten admin user settings

If you have multiple users who need access to your website to manage or update it, we recommend only giving them access to the settings they really need and then removing the user once they no longer need access to the website.

This minimizes the risk of user accounts being hacked to gain access and flood your site with spammy content.

Keeping an audit log will also help in identifying who has made changes to the website and what has been done, and in identifying whether any user accounts were hacked.

Serving Our Clients in Keeping their Websites Secure

Keeping websites safe and secure is a high priority at Enspire Creative, as we want to save our clients precious time and energy in mitigating risk.

We have support plans available that provide many of the best practices we mentioned above, from running backups to updating plugins regularly. Save yourself time and headaches by discussing the best options for your website with our team.

 

*We do this with the following services: Support Package, Security Package, & Fully Equipped Package

**We do this with the following services: All Hosting Levels