1. Firewall and General Website Security — Wordfence
One of the ways that hackers gain access to your website is by exploiting weaknesses in the software that runs the site. This risk is even higher if you have a smaller site that shares a server with others. Even when you keep your content management system (such as WordPress), themes and plugins up to date, attackers can discover exploits that have not yet been addressed. So, it is important to have website security software with a firewall to protect your site. A firewall can secure your site against suspicious types of access. With a security scanner, it can also catch improper changes to key files that would allow a hacker to take control of your site or insert malicious code. The firewall that GeekCoaches uses comes as part of a general website security package called Wordfence. If you have a site without sensitive information, the free version may meet your needs. However, if you handle client information or other important data, the premium version provides the most up-to-date protection.
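The "improper changes to key files" part of a scanner is a file-integrity check: record a hash of every file that matters, then compare against it later. The following is an added example of that idea in Python; it is not Wordfence's code or GeekCoaches' code, and the file names, the watched suffixes and the small tampering scenario in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Files a WordPress-style scanner would always watch, whatever their suffix
# (illustrative list, not Wordfence's actual rule set).
ALWAYS_WATCH = ("wp-config.php", "index.php", ".htaccess")
WATCH_SUFFIXES = (".php", ".js")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(site_root: str) -> dict:
    """Walk the site tree and record a hash for every watched file, keyed by relative path."""
    root = Path(site_root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and (p.suffix in WATCH_SUFFIXES or p.name in ALWAYS_WATCH):
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences. An added PHP file under uploads/ is the classic red flag."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: baseline a tiny site, then tamper with it and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        baseline = build_baseline(tmp)
        # Simulated tampering: the config is edited and a PHP file appears in uploads/.
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); // edited\n")
        (root / "wp-content" / "uploads" / "dropped.php").write_text("<?php echo 'x';\n")
        return compare(baseline, build_baseline(tmp))
```

The baseline itself must be stored somewhere an intruder who can write to the web root cannot also edit (off-server, or at least outside the document root), otherwise the attacker simply rehashes after the change. Real scanners also compare core files against the vendor's known-good hashes rather than only against a local snapshot.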
2. Login Security — Limit Login Attempts, Wordfence
A common way of hacking a WordPress website is through the login page. Hackers will use bots to conduct multiple logins and try to guess your login credentials. There are four easy steps you can take to make your login process more secure. First, you can limit login attempts. This security measure allows visitors a set number of attempts to log in to the site and then locks them out of further attempts for a set period of time if they are unsuccessful. Next, you can prevent bots from attempting logins by using reCAPTCHA, which is the tool that sometimes asks you to type words or select items from a photo grid. If you prefer an even more secure login, you can use Two-Factor Authentication (2FA). 2FA requires a second verification method in addition to a password. You can use an app that generates a time-specific code or have a code sent to your phone. Finally, you can use geo-blocking, which prevents people from specific countries from being able to log in at all. For login security, we use Loginizer or Wordfence. When our client prefers to limit login attempts, we use Loginizer and when they prefer just 2FA, we use Wordfence.
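Two of the four steps above, limiting login attempts and a time-based 2FA code, are simple enough to show end to end. The following Python is an added example, not code from Loginizer or Wordfence: a lockout counter with a sliding window, an RFC 6238 TOTP check of the kind authenticator apps produce, and a login routine that applies both. The user record layout, the `demo()` scenario, the IP address and the RFC test secret are all constructed.

```python
import hashlib
import hmac
import os
import struct


class LoginLimiter:
    """Lock a key (client IP or username) out after too many failures.

    Failures are counted over a sliding window the length of the lockout; once the
    limit is reached the key is locked until now + lockout_seconds.
    """

    def __init__(self, max_attempts: int = 5, lockout_seconds: int = 900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._failures: dict = {}      # key -> recent failure timestamps
        self._locked_until: dict = {}  # key -> unix time the lock expires

    def is_locked(self, key: str, now: float) -> bool:
        return self._locked_until.get(key, 0) > now

    def record_failure(self, key: str, now: float) -> None:
        recent = [t for t in self._failures.get(key, []) if now - t < self.lockout_seconds]
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout_seconds
            recent = []
        self._failures[key] = recent

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, as most authenticator apps use)."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, drift: int = 1) -> bool:
    """Accept the current code plus `drift` steps either side to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step), code)
        for k in range(-drift, drift + 1)
    )


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the shared TOTP secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "password_hash": digest, "totp_secret": totp_secret}


def check_password(user: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(digest, user["password_hash"])


def attempt_login(limiter, users, ip, username, password, code, now) -> str:
    """One login attempt: lockout check first, then password, then the second factor."""
    if limiter.is_locked(ip, now):
        return "locked"
    user = users.get(username)
    if user is None or not check_password(user, password):
        limiter.record_failure(ip, now)
        return "bad_credentials"
    if not verify_totp(user["totp_secret"], code, now):
        limiter.record_failure(ip, now)
        return "bad_code"
    limiter.record_success(ip)
    return "ok"


def demo() -> list:
    """Constructed scenario: five failures lock the IP; after the lockout the real user gets in."""
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, not a real one
    users = {"alice": make_user("correct horse battery staple", secret)}
    limiter = LoginLimiter(max_attempts=5, lockout_seconds=900)
    ip, t0 = "203.0.113.7", 1_111_111_109
    results = [attempt_login(limiter, users, ip, "alice", "wrong%d" % i, "000000", t0 + i)
               for i in range(6)]
    later = t0 + 1000  # lock was set at t0 + 4 and lasts 900 s, so it has expired
    results.append(attempt_login(limiter, users, ip, "alice", "correct horse battery staple",
                                 totp(secret, later), later))
    return results
```

Note that a wrong password and a wrong 2FA code both count toward the lockout, and the responses do not reveal whether the username exists. Limiting by IP alone is easy to sidestep from a botnet, which is why plugins usually also count per username.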
3. Email Address Protection — Email Encoder
On your website, you want to give people as many ways as possible to get in touch with you. This allows people to pick the communication method that works best for them. This ease of access means including one or more email addresses on your site. Unfortunately, email spammers know this too and they use bots to crawl your site and capture any listed email addresses. This leads to your email address getting added to spam lists and your inbox taking abuse. Even if you have spam protection with your email service/client, spam can clog your email server. So, preventing spammers from capturing your email address in the first place can save you a lot of hassle over time. To help with this, there are plugins that encode (obfuscate) your email addresses. People can still read them normally, but bots can’t find them. To perform this task, we use Email Encoder. We have found it to be the best for this website security step.
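The simplest form of this encoding writes every character of the address as an HTML entity: the browser renders it as normal text, but a harvester that greps the raw page for an `@` sees nothing. The Python below is an added example of that technique and of its limit, not the Email Encoder plugin's code; the address, the page fragment and the crude harvester pattern are constructed for the demo.

```python
import html
import re

# Constructed stand-in for a naive address harvester that scans raw page source.
NAIVE_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def encode_email(address: str) -> str:
    """Replace every character with its hexadecimal HTML entity."""
    return "".join(f"&#x{ord(ch):x};" for ch in address)


def encode_mailto(address: str, label: str = None) -> str:
    """Build a mailto link whose href and visible text are both entity-encoded."""
    return f'<a href="mailto:{encode_email(address)}">{encode_email(label or address)}</a>'


def harvest(page_source: str) -> list:
    """What the naive harvester would find in a given page."""
    return NAIVE_EMAIL_RE.findall(page_source)


def demo() -> dict:
    page = f"<p>Contact us: {encode_mailto('info@example.com')}</p>"
    return {
        "raw_finds": harvest(page),                    # scanning the source as served
        "decoded_finds": harvest(html.unescape(page)), # scanning after entity decoding
    }
```

The second result in `demo()` is the caveat: a bot that decodes entities (as `html.unescape` does) or that runs the page in a headless browser recovers the address immediately. Entity encoding is a speed bump against the cheapest harvesters, not encryption, which is why plugins in this category also offer JavaScript-assembled links or image rendering.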
4. Webform Protection — Contact Form Honeypot, Google reCAPTCHA, Akismet
A common source of spam comes from bots using your website’s contact form to send you promotional messages or worse. This can seem difficult to deal with because you can’t mark your own site as a spammer without ending up blocking messages from your site visitors. Fortunately, two website security tools can help you reduce webform spam. The first is a honeypot, which adds a field to your contact form that is invisible to your users but is filled in by bots. The other tool is Google’s reCAPTCHA, which examines each visitor for bot-like behaviour. Both tools block messages from bots. WPForms-Lite and Contact Form 7 include built-in connections to the reCAPTCHA service. WPForms-Lite also has a built-in honeypot while Contact Form 7 uses the add-on Honeypot for Contact Form 7. Neither of these tools examines the text of the messages for spammy content. If you need extra contact form spam protection, the premium tool (for companies) Akismet provides this extra filtering.
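A honeypot has two halves: the decoy field in the form markup and the server-side check that drops any submission where it is filled. The Python below is an added example of both halves, not the code of WPForms-Lite or the Honeypot for Contact Form 7 add-on; the field name `website_url`, the form layout and the sample submissions are constructed.

```python
# Constructed decoy name. It should look like a real field to a form-filling bot;
# "website" or "url" style names get filled far more often than "honeypot".
HONEYPOT_FIELD = "website_url"


def render_form() -> str:
    """Real fields plus a decoy hidden by CSS and aria-hidden, not by type=hidden.

    Many bots skip type=hidden inputs but happily fill a visually hidden text field.
    tabindex=-1 and autocomplete=off keep keyboard users and browser autofill out of it.
    """
    return (
        '<form method="post" action="/contact">\n'
        '  <label>Name <input name="name"></label>\n'
        '  <label>Email <input name="email" type="email"></label>\n'
        '  <label>Message <textarea name="message"></textarea></label>\n'
        '  <div style="position:absolute;left:-9999px" aria-hidden="true">\n'
        f'    <label>Website <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></label>\n'
        '  </div>\n'
        '  <button>Send</button>\n'
        '</form>'
    )


def classify_submission(fields: dict) -> str:
    """Server-side decision for one posted form. Spam is dropped silently, not reported."""
    if fields.get(HONEYPOT_FIELD, "").strip():
        return "spam:honeypot"
    if not fields.get("message", "").strip():
        return "invalid:empty_message"
    return "ok"


# Constructed sample submissions: a human, a bot that filled everything, an empty post.
SAMPLES = {
    "human": {"name": "Ada", "email": "ada@example.com", "message": "Hello!"},
    "bot": {"name": "x", "email": "x@x.x", "message": "Buy now", HONEYPOT_FIELD: "http://x.x"},
    "empty": {"name": "", "email": "", "message": ""},
}


def demo() -> dict:
    return {label: classify_submission(fields) for label, fields in SAMPLES.items()}
```

Respond to a honeypot hit exactly as you would to a valid submission (same status page, same timing) so the bot operator gets no signal that the field is a trap. This check costs nothing per request, which is why it pairs well with reCAPTCHA rather than replacing it: reCAPTCHA catches the bots that know to leave decoys blank.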
5. Comment Spam Protection — AntiSpam Bee, Akismet
If you have a blog on your site (and you should have one), you likely have blog comments. Blog comments lead to blog comment spam. WordPress might catch these for you, but you are still left going through them, approving legit messages and trashing the rest. That’s where an antispam plugin comes in. The most popular comment spam tool is Akismet because it is made by Automattic, the company that makes WordPress, and is included with WordPress. Akismet costs commercial sites $5 a month though. So, we recommend Antispam Bee unless your spam problem becomes severe enough to require the more robust options in Akismet.
6. Backup — Updraft Plus, Archiver, Server Tools
Imagine if the company that hosts your website suddenly went out of business. Do you have a copy of your site and data to get back online? Your website sits on a computer, and like any computer it can crash or be taken down. That’s why you need to have your own backups of your site as the ultimate website security precaution. At GeekCoaches, we maintain both on-server backups for quick and convenient site restoration and off-server backups in case the worst happens. To do this, we use Updraft Plus. Sometimes, you might want to reach even further back to get your content. We once had a client come to us three years after he abandoned his site and domain to ask if we could get his data back — we couldn’t. However, a snapshot of his site had been saved to the Internet Archive Wayback Machine. We built him a new site, but he was able to repost all his old material. The Wayback Machine will eventually crawl your site, but to make sure particular content is added, we use a plugin called Archiver. With the push of a button you can permanently save the text of any webpage. Finally, your webhost likely provides automatic backups of everything that comprises your site. For example, GeekCoaches provides daily backups for 30 days. Just remember to check your webhost’s policies — there may be settings to configure in advance.
7. Broken Link Monitoring — Broken Link Checker
You’ve hit a broken link before. It happens when you click on a link and instead of getting the content you want, you see an error message. This is usually a ‘404 Not Found’ error. Broken links occur when you get the link wrong on your website or the content you were linking to disappears. Broken link monitoring sends you a notification when this happens. We use Broken Link Checker for this. This plugin is not the kind of tool we normally think of as a security tool. However, website security is about keeping your site working and Broken Link Checker helps do that. So, we decided to include it. You can call it a bonus tip.
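Under the hood a link checker does two things: pull every `href` out of a page and ask each target for its HTTP status, flagging 4xx/5xx responses and hosts that do not answer at all. The Python below is an added example of that loop, not Broken Link Checker's code. The live check uses only the standard library; `SAMPLE_HTML`, the base URL and the canned statuses in `FAKE_STATUSES` are constructed so that `demo()` runs offline.

```python
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urljoin
import urllib.error
import urllib.request


class LinkExtractor(HTMLParser):
    """Collect absolute URLs from <a href> tags, skipping anchors, mailto and tel links."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if href and not href.startswith(("#", "mailto:", "tel:", "javascript:")):
            self.links.append(urljoin(self.base_url, href))


def extract_links(page_html: str, base_url: str) -> list:
    parser = LinkExtractor(base_url)
    parser.feed(page_html)
    return list(dict.fromkeys(parser.links))  # de-duplicate while keeping page order


def http_status(url: str, timeout: float = 10) -> Optional[int]:
    """Live check: HEAD first, GET if the server refuses HEAD; None when unreachable."""
    for method in ("HEAD", "GET"):
        req = urllib.request.Request(url, method=method,
                                     headers={"User-Agent": "link-check-example/0.1"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            if method == "HEAD" and err.code in (403, 405):
                continue  # some servers reject HEAD; retry with GET before judging
            return err.code
        except (urllib.error.URLError, OSError):
            return None
    return None


def find_broken(page_html: str, base_url: str, status_fn=http_status) -> dict:
    """Map each broken link (status >= 400, or None for unreachable) to its status."""
    report = {}
    for url in extract_links(page_html, base_url):
        status = status_fn(url)
        if status is None or status >= 400:
            report[url] = status
    return report


# Constructed sample page and canned responses so the demo needs no network.
SAMPLE_HTML = """
<p>See <a href="/ok">this page</a>, <a href="../gone">an old post</a>,
<a href="https://external.invalid/">a dead site</a>, <a href="#top">top</a>
and <a href="/ok">this page again</a>.</p>
"""
FAKE_STATUSES = {"https://example.com/ok": 200, "https://example.com/gone": 404}


def demo() -> dict:
    """Run the checker against SAMPLE_HTML with canned statuses instead of real requests."""
    return find_broken(SAMPLE_HTML, "https://example.com/blog/", lambda u: FAKE_STATUSES.get(u))
```

When pointing this at real sites, rate-limit the requests and honour robots.txt; a checker that hammers other people's servers looks exactly like the bots the earlier sections are trying to keep out. Note also that an unreachable host (`None`) may just be a transient outage, so a plugin typically rechecks before reporting it as broken.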