Before we jump into the question of how to secure and maintain your website, let's first talk about the basics of website security.
Why Is Website Security Important?
Website security and maintenance is pivotal for any legitimate website owner collecting data or selling products online.
If you are running an e-commerce store or collecting users' personal information on site through webforms and not following proper maintenance and security protocols, you could be
- Opening yourself up for a website security hack which could both flatline your site and get you blocked by Google search engines
- Putting your customers and their personal information at risk for personal data breaches and identity theft
- In violation of PCI DDS (Payment Card Industry Data Security Standard), your states’ data privacy laws, or the FTC (Federal Trade Commission) Act, which means to a certain extent you could be held liable for any security breeches that happen on your site.
If you are going to own and run a website that collects personal information or is selling goods online, you need to be a responsible website owner and maintain the proper security systems to ensure both your site, your reputation and your web visitors stay safe and secure.
OK, so how do I secure my website?
The first step in ensuring proper infrastructure for your website is to sign up with a secure and reputable host, (not just the cheapest one you can find).
Whichever host you chose, it is important that they include their own WAF (Web Application Firewall) to help mitigate attacks. The hosting company should prioritize security and have a dedicated team constantly monitoring for vulnerabilities in server software, applications, modules and PHP versions.
Both these hosts offer a top of the line WAF, Free wildcard SSL certification (another very important element in your website security plan which MUST be applied), free Daily automatic backups and much more.
Both hosts beginner level plans (which are typically appropriate for any single site with low - medium traffic) start at $180/year.
2. wordpress security software
Next, you're going to need to purchase and install a dedicated Wordpress security software. You will want one that will perform scheduled malware security scans of all your site's files to look for file changes, vulnerabilities and injected code.
There is a lot of debate as to which security software is the best, but the software that continually rises to the top and seems to be the gold standard for website security is Sucuri.
You'll need to educate yourself on how to setup, implement and monitor Sucuri's systems on your site and spend time each month monitoring and making the appropriate patches and upgrades when applicable.
Sucuri's Basic Platform plan which is said to be "Perfect for bloggers and small site owners" will run you $199.99 / year.
3. Own your plugin licenses & Keep up to date
Next, you need to make sure you own the licenses for any and all plugins and themes your site is currently running. One of the most common source of attack on Wordpress sites is through plug-in vulnerabilities. Plug-in creators will routinely put out updates to help patch these security vulnerabilities along with updates to fix bug and compatibility issues.
Most premium plug-ins come with a yearly licensing fee. If you are not working with a developer, you need to make sure you own all your licenses and are keeping all these plug-ins up to date.
The licensing costs for the plugins running on your site is completely dependent on your site's individual structure. The average cost for your site's licenses could be anywhere from $0 - $500/year.
4. keep offsite backups
Speaking of plugin updates, it's also important for you to keep regular offsite backups.
In addition to the possibility of your host's backups being corrupted after a security failure, you will also want offsite backups to be able to quickly roll your site back to its previous state in the event of a misconfiguration following a plugin or theme update.
Before you go to update your plug-ins or themes, you should always run a secure off site backup first. Sometimes a new plugin update can cause conflicts with other code running on the site leading you to experience either the "white screen of death" or other frustrating conflicts throughout the site. In this event, you will want to be able to quickly roll back your website to the state it was in prior to the version update so you don't experience any prolonged downtime.
UpdraftPlus is a great plugin to help with making offsite backups. If you already have a subscription to a remote cloud storage such as DropBox, Google Drive or AWS, the free version of the plugin will suite you just fine.
5. Use difficult passwords and limit access
The final thing we'll cover is the importance of using difficult passwords and limiting administrative access to your site.
At a rate of 15 million key attempts per second, the average 7-character password takes about 9 minutes to crack. Hopefully you are properly maintaining your firewall and have blocking protocols in place to permanently ban any IPs who incorrectly guess your password after 5 or more attempts, but regardless of your firewall, you need to make sure you are using difficult and convoluted passwords.
The basic rule of thumb is - if you can pronounce your password, it's not secure. In order to keep track of all our passwords we use a great password manager called LastPass.
Though there is more that could be talked about regarding the process of Wordpress Security, if you follow the basic protocols listed above, you will be well on your way to securely maintaining your website and gaining overall peace of mind.