How safe is your blog? Have you taken steps to ensure your website is protected in case the worst happens? Here are 15 easy ways to protect your blog from hackers and other threats…
Blog security. Sounds a bit dull doesn’t it? It’s something a lot of bloggers don’t think about, forget to do or leave at the bottom of the do list, to be done ‘one day’.
But protecting your blog is super important and can save a lot of headaches later down the line. It’s not a pleasant thought, but your site is at risk from bots and hackers, technology fails and human error (your own and other people’s!) You have to put measures in place to safeguard your site from all these risks.
Protecting your blog, means you are protecting your all your hard work, time and effort; your blogging income AND means you are going to blog more productively too. (It takes hours, sometimes days, of your precious blogging time to sort out a hack, for example.)
So, do your future self a massive favour and put blog security as your number 1 priority this week.
Here are 15 easy ways to protect your blog from hackers and other threats…
1. Back up your website
OK, so this won’t actually prevent your website from getting hacked, but it will ensure that, if you do get hacked or something else goes wrong, you can simply revert to the backup.
In fact, you should be doing daily backups of your website (do you really want to lose more than a day’s work?).
I do two backups of my website: my host SiteGround* does one every day for me for FREE! But I also have a second offsite backup ‘just in case’.
I use VaultPress* for my second backup. Whilst it’s not free, it’s less than £3** a month. That’s less than a cup of coffee shop coffee a month, for peace of mind that even if my host blows up, I’ll still have a blog!
As well as the regular backups, SiteGround also offer you the option of ‘on-demand’ backups. You run these any time you want. It’s a good idea to back up your site before you make any major changes.
2. Make sure you have a good host
I have heard some rather scary host related horror stories: from hosts accidentally deleting blogs to hosts shutting down blogs which have been hacked but not actually telling the blog owner! Whatever you do, make sure you hand over your ‘baby’ to a host you can trust and a host that takes security seriously.
This is especially important if you are on a shared server (as the majority of bloggers are – you will know if you are not because having your own dedicated server is BIG MONEY!) You can do everything right, but if someone else on your shared server is lax when it comes to security, hackers could get into your server via that blogger’s website: scary stuff!
One thing I love about my host is that SiteGround really do take security seriously* and put measures in place to protect websites against this kind of threat. Do check what security measures your host takes to protect your site, and if you are not happy with your current host’s security, maybe it’s time to think about a change!
3. Make sure you have a security plugin
Whilst there is a lot a good web host can do to protect your site, you do also need a security plugin. This is not an optional extra, this is essential! There are a number of security plugins on the market: WordFence, Sucuri, Security Ninja etc. but the one I use is All In One WP Security & Firewall. It is free and it does a lot. It is also pretty simple to set up.
All you need to do is download the plugin from the plugin repository and then go through each page adjusting the settings. It explains each setting in simple terms and also tells you which settings you shouldn’t touch unless you know what you are doing!!
My favourite setting on this plugin, is the ability to ‘hide’ your login URL so hackers can find your login page to be able to hack it…
4. Make sure the hackers can’t find your login page
A common type of hack is what is known as a ‘brute force attack’. This is where hackers run a programme which tries to guess your username and password by repeatedly trying thousands of possible combinations.
A good first line of defence for these types of threat is not to use the default login URL. Choose a security plugin, such as All In One WP Security & Firewall to change the login page from the default www.yourdomain.com/wp-login.php to a URL of your choice.
5. Limit the number of times a person can try to login
As well as ‘hiding’ your login page, another good defence is to limit the number of times a person can try to log in. This means a brute force attack is impossible as the hacking programme will be locked out after a set number of attempts. Again, you should be able to adjust this using a setting on your security plugin.
6. Have a strong username and password
And whilst you are at it, double check you have a strong username and password. Your username should not be ‘admin’ and your password should not be ‘password123’!
To change your password on a WordPress blog, go to USERS => ALL USERS, select your profile and go to GENERATE PASSWORD.
To change your username, you need to create a new user with the role of admin, then log in with the new admin account and delete the old one.
7. Be careful who you share your login details with
Try not to share your login details with anyone unless absolutely necessary. But if you do need to (e.g. with your VA or website designer), make sure it’s someone you trust. Don’t go giving your admin login to some random person off Fiverr!!
If at all possible, try to give them their own login with limited access to your site.
There are a number of different roles you can assign users. For example, if you assign someone the role of author, they can publish and manage their own posts, but can’t edit anyone else’s posts or access the admin features. You can find these different roles under the USERS => ADD NEW USER.
8. Regularly change your passwords and login page (especially after you have shared it)
It’s a good habit to make sure you regularly change your passwords and login page URL, but this is especially important if you’ve had to share your details with someone else.
Once that person has done the job you need them to do, change all the passwords you shared with them as well as your login page URL. Who knows what that person might have done with your details or where they might have written them!
9. Make sure your own computer is safe
And whilst we are on the subject of passwords, make sure your own computer is password protected too. And if you use a shared computer, make sure you always log off from your blog’s back end after you have finished.
10. Be careful about which plugins you use
Another potential security weakness on your blog is your plugins. Be careful to only use well known reputable ones, which are well supported and regularly updated.
11. Regularly update your plugins
As well as making sure your plugins are not dodgy, make sure you keep those plugins you do use updated. Occasionally a plugin may develop a large gaping hole which hackers can take advantage of. As soon as a plugin developer realises they will (should!) release a security update. But if you don’t actually do the update, that gaping hole is still there!
12. Make sure you have a good theme
There are all sorts of ways that your website can be breached, through your plugins, through your host, through your own computer, but one that bloggers often don’t think about is their theme.
Old/free/unsupported themes can have security issues too. Make sure you invest in a good quality theme where the theme developer has taken security seriously.
13. Clean out old plugins and themes
And make sure you regularly make a habit of deleting old plugins and themes. You should only have the plugins and themes you actually USE installed on your blog. Old plugins not only pose a security risk but can also slow your site down. Get rid of them NOW!!
14. Make sure your site is https
By installing an SSL security certificate on your site, you are protecting the private details of your readers and customers, such as email addresses, credit card numbers and addresses. An SSL certificate encrypts that data and keeps the information private as it travels across the public internet
A good host should offer a security certificate for free. One thing I love about SiteGround* is, not only do they offer an SSL certificate for free, but it’s also super easy to activate and to ensure your site only works on https. Just a few clicks and it’s all set up!
They have a great support document on how to do this* or you can just go on to chat and ask them to help you do it!
15. Have your site regularly scanned
My last tip is to get your blog regularly scanned for security threats. I pay a very small amount of money to have SiteGround scan both my websites each week, using their Site Scanner*.
Sometimes a hack might not be immediately obvious – perhaps the hacker’s intent is not to bring down your site but to obtain sensitive information, add links or redirect your page views to their site.
By having your site regularly scanned for malware you can ensure you know about any breach as soon as possible and can take steps to stop it becoming a problem.
Over to you…
How seriously do you take your website’s security? How many of the above tips do you do? Would you add anything else to my list?
Don’t miss a thing!
Pin this post to read later
*This blog post contains affiliate links, this means if you click on a link and go on to buy the product I recommend, I will get a small commission, but you will not be charged a penny more – thanks in advance!
** prices correct as at 25/09/18