Preventing Intrusions, Spam, Data Loss & More

Website security is no different than other aspects of creating a site from a task perspective. No one step of building a website is that complicated. The challenge is that there are scores of steps, and smart website security has its own set of them. It is because of these numerous tasks that many of the existing sites GeekCoaches gets asked to fix are not properly secured like those built as part of our Web Design services. Unfortunately, not investing the money to have your website secured, or the time to learn and do it yourself, often ends up costing people far more in the long run. Usually, when we get contacted by a prospective new client about their site being hacked or otherwise not working, it’s because they haven’t taken the most basic steps to keep their site safe. We often spend significant time fixing the problem and then putting in place all of the measures that should have been present from the start.

Sometimes sites are unprotected because they were built by someone doing the work for the cheapest price who wanted to save time. Other times it’s because the person or agency being paid to build a site didn’t know any better. Of course, sometimes sites have been built by our clients themselves and they either didn’t make the time or didn’t have the knowledge to secure their work. It’s one thing if a compromised site is for a hobby. It’s quite another if it is for your business. You wouldn’t leave the front door of your business unlocked when nobody was around. You shouldn’t leave your website open for crooks either.

On WordPress sites, which make up seventy percent of the web, a key set of safeguarding steps involves installing security plugins. We use seven different types of tools depending on the site. In addition to plugins, there are up to ten other tasks we perform for each of our clients depending on their needs. We take the ‘coaches’ part of our name seriously. So, we are happy to share all 17 steps here.

Website Security Plugins We Use

1. Firewall and General Website Security — Wordfence

One of the ways that hackers gain access to your website is by exploiting weaknesses in the software that runs the site. The risk is even greater if you have a smaller site that shares a server with others. Even when you keep your content management system (such as WordPress), themes and plugins up to date, attackers can discover exploits that have not yet been addressed. So, it is important to have website security software with a firewall to protect your site. A firewall can secure your site against suspicious types of access. With a security scanner, it can also prevent improper changes to key files that would allow a hacker to take control of your site or insert malicious code. The firewall that GeekCoaches uses comes as part of a general website security package called Wordfence. If you have a site without sensitive information, the free version may meet your needs. However, if you handle client information or other important data, the premium version provides the most up-to-date protection.

2. Login Security — Limit Login Attempts, Wordfence

A common way of hacking a WordPress website is through the login page. Hackers will use bots to conduct multiple logins and try to guess your login credentials. There are four easy steps you can take to make your login process more secure. First, you can limit login attempts. This security measure allows visitors a set number of attempts to log in to the site and then locks them out of further attempts for a set period of time if they are unsuccessful. Next, you can prevent bots from attempting logins by using reCAPTCHA, the tool that sometimes asks you to type words or select items from a photo grid. If you prefer an even more secure login, you can use Two-Factor Authentication (2FA). 2FA requires a second verification method in addition to a password. You can use an app that generates a time-specific code or have a code sent to your phone. Finally, you can use geo-blocking, which prevents people from specific countries from being able to log in at all. For login security, we use Loginizer or Wordfence. When our client prefers to limit login attempts, we use Loginizer, and when they prefer just 2FA, we use Wordfence.
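To make the ‘limit login attempts’ step concrete, here is an added example of the lockout logic such a plugin implements. It is not GeekCoaches’ code and not taken from Loginizer or Wordfence; the field names, the five-attempt limit and the constructed address 203.0.113.10 are all assumptions for illustration. Failed attempts are counted per client key, the key is locked for a fixed window once the limit is reached, and a correct password during the lockout is still refused, which is what stops a guessing bot from simply continuing.

```javascript
// Added example (not GeekCoaches', Loginizer's or Wordfence's code): a minimal
// login-attempt limiter. Failures are tracked per client key (here an IP
// address); once maxAttempts is reached the key is locked for lockoutSeconds.
// The clock is injected so expiry can be tested without waiting.
class LoginLimiter {
  constructor({ maxAttempts = 5, lockoutSeconds = 900, now = () => Date.now() } = {}) {
    this.maxAttempts = maxAttempts;
    this.lockoutMs = lockoutSeconds * 1000;
    this.now = now;
    this.records = new Map(); // key -> { failures, lockedUntil }
  }

  // Seconds the key remains locked out, or 0 if it may try again.
  lockedFor(key) {
    const rec = this.records.get(key);
    if (!rec || !rec.lockedUntil) return 0;
    const remaining = rec.lockedUntil - this.now();
    if (remaining <= 0) {
      this.records.delete(key); // lockout expired: start with a clean count
      return 0;
    }
    return Math.ceil(remaining / 1000);
  }

  // One login attempt. checkCredentials() is whatever verifies the password
  // and returns true or false; the returned object says what happened.
  attempt(key, checkCredentials) {
    const remaining = this.lockedFor(key);
    if (remaining > 0) {
      return { ok: false, status: 'locked', retryAfterSeconds: remaining };
    }
    if (checkCredentials()) {
      this.records.delete(key); // a success clears the failure count
      return { ok: true, status: 'success' };
    }
    const rec = this.records.get(key) || { failures: 0, lockedUntil: 0 };
    rec.failures += 1;
    if (rec.failures >= this.maxAttempts) {
      rec.lockedUntil = this.now() + this.lockoutMs;
      this.records.set(key, rec);
      return { ok: false, status: 'locked', retryAfterSeconds: Math.ceil(this.lockoutMs / 1000) };
    }
    this.records.set(key, rec);
    return { ok: false, status: 'failed', attemptsLeft: this.maxAttempts - rec.failures };
  }
}

// Constructed scenario: a fake clock and one client guessing wrong three
// times, then trying the right password inside and after the lockout window.
function demoLoginLimiter() {
  let fakeNow = 0;
  const limiter = new LoginLimiter({ maxAttempts: 3, lockoutSeconds: 600, now: () => fakeNow });
  const wrong = () => false;
  const right = () => true;
  const ip = '203.0.113.10'; // documentation-range address, constructed for the demo
  const log = [];
  log.push(limiter.attempt(ip, wrong).status); // 'failed'
  log.push(limiter.attempt(ip, wrong).status); // 'failed'
  log.push(limiter.attempt(ip, wrong).status); // 'locked' on the third failure
  log.push(limiter.attempt(ip, right).status); // 'locked' even with the right password
  fakeNow += 600 * 1000;                       // the lockout window passes
  log.push(limiter.attempt(ip, right).status); // 'success'
  return log;
}

console.log(demoLoginLimiter().join(' -> '));
```

In a real deployment the counter lives in shared storage (a database table or cache) rather than in memory, and keying on the username as well as the address catches bots that rotate addresses while guessing one account.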

3. Email Address Protection — Email Encoder

On your website, you want to give people as many ways as possible to get in touch with you. This allows people to pick the communication method that works best for them. This ease of access means including one or more email addresses on your site. Unfortunately, email spammers know this too, and they use bots to crawl your site and capture any listed email addresses. This leads to your email address getting added to spam lists and your inbox taking abuse. Even if you have spam protection with your email service/client, spam can clog your email server. So, preventing spammers from capturing your email address in the first place can save you a lot of hassle over time. To help with this, there are plugins that encode (encrypt) your email addresses. People can still read them normally, but bots can’t find them. To perform this task, we use Email Encoder. We have found it to be the best for this website security step.
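The following added example shows the idea behind an email encoder plugin; it is not the Email Encoder plugin’s own code, and the sample address hello@example.com is constructed. Each character of the address is written as an HTML character entity, so the browser renders it as a normal, clickable address while the raw page source no longer contains anything that a plain address pattern matches.

```javascript
// Added example (not the Email Encoder plugin's code): encode an address as
// HTML character entities and show why a simple address pattern run over the
// raw page source no longer finds it, while the browser still renders it.

// Encode every character as a decimal HTML entity, e.g. 'a' -> '&#97;'.
function encodeEmail(address) {
  return Array.from(address, (ch) => `&#${ch.codePointAt(0)};`).join('');
}

// Build a mailto link whose href and visible text are both encoded.
function encodedMailtoLink(address) {
  const enc = encodeEmail(address);
  return `<a href="${encodeEmail('mailto:')}${enc}">${enc}</a>`;
}

// What the browser does when it renders the markup: decimal entities back to text.
function decodeEntities(html) {
  return html.replace(/&#(\d+);/g, (_, code) => String.fromCodePoint(Number(code)));
}

// A plain address pattern of the kind a harvesting bot runs over raw HTML.
const ADDRESS_PATTERN = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

// True if the raw page source still exposes a readable address.
function sourceExposesAddress(html) {
  return ADDRESS_PATTERN.test(html);
}

function demoEmailEncoding() {
  const address = 'hello@example.com'; // constructed sample address
  const plainMarkup = `<a href="mailto:${address}">${address}</a>`;
  const encodedMarkup = encodedMailtoLink(address);
  return {
    plainExposed: sourceExposesAddress(plainMarkup),                  // true
    encodedExposed: sourceExposesAddress(encodedMarkup),              // false
    rendersCorrectly: decodeEntities(encodedMarkup) === plainMarkup,  // true
  };
}

console.log(demoEmailEncoding());
```

One caveat worth knowing: entity encoding defeats harvesters that scan raw HTML, but a crawler that decodes entities or renders the page sees the address as a person does, which is why the page pairs this step with form protection and spam filtering rather than relying on it alone.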

4. Webform Protection — Contact Form Honeypot, Google reCAPTCHA, Akismet

A common source of spam comes from bots using your website’s contact form to send you promotional messages or worse. This can seem difficult to deal with because you can’t mark your own site as a spammer without blocking messages from your site visitors. Fortunately, two website security tools can help you reduce webform spam. The first is a honeypot, which adds a field to your contact form that is invisible to your users but is filled in by bots. The other tool is Google’s reCAPTCHA, which examines each visitor for bot-like behaviour. Both tools block messages from bots. WPForms-Lite and Contact Form 7 include built-in connections to the reCAPTCHA service. WPForms-Lite also has a built-in honeypot, while Contact Form 7 uses the add-on Honeypot for Contact Form 7. Neither of these tools examines the text of the messages for spammy content. If you need extra contact form spam protection, the premium tool (for companies) Akismet provides this extra filtering.
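As an added example of the honeypot technique (not code from WPForms, Contact Form 7 or the Honeypot add-on), here is the trap field’s markup and the server-side check that decides whether a submission is accepted. The field name website_url and the three constructed submissions are assumptions for the demo. The trap is an ordinary text input moved off-screen with CSS rather than a type="hidden" input, so a form-filling bot treats it like any other field; a human never sees it and leaves it empty.

```javascript
// Added example (not WPForms', Contact Form 7's or the Honeypot add-on's code):
// a honeypot field for a contact form and the server-side check behind it.

const HONEYPOT_FIELD = 'website_url'; // assumed name; something a bot is tempted to fill

// Markup for the trap field. The wrapper is moved off-screen with CSS;
// aria-hidden and tabindex=-1 keep it away from screen readers and keyboard users.
function honeypotMarkup() {
  return `<div class="hp-wrap" aria-hidden="true" style="position:absolute;left:-10000px;">` +
    `<label for="${HONEYPOT_FIELD}">Leave this field empty</label>` +
    `<input type="text" id="${HONEYPOT_FIELD}" name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">` +
    `</div>`;
}

// Classify one submission, given as an object of field name -> value as parsed
// from the POST body. A missing trap field means the form was not the one we
// served (or was tampered with); a filled trap field means automation.
function classifySubmission(fields) {
  if (!Object.prototype.hasOwnProperty.call(fields, HONEYPOT_FIELD)) {
    return { accept: false, reason: 'honeypot field missing' };
  }
  if (String(fields[HONEYPOT_FIELD]).trim() !== '') {
    return { accept: false, reason: 'honeypot filled' };
  }
  // The real fields (name, email, message) are validated after this point.
  return { accept: true, reason: 'ok' };
}

// Constructed submissions: a visitor, a form-filling bot, and a POST that
// skipped the served form entirely.
function demoHoneypot() {
  const human = { name: 'Ana', email: 'ana@example.com', message: 'Hello', [HONEYPOT_FIELD]: '' };
  const bot = { name: 'Ana', email: 'ana@example.com', message: 'Buy now', [HONEYPOT_FIELD]: 'http://spam.example' };
  const forged = { name: 'x', message: 'y' };
  return [human, bot, forged].map((f) => classifySubmission(f).accept); // [true, false, false]
}

console.log(honeypotMarkup());
console.log(demoHoneypot());
```

Rejected submissions are best answered with the same success page the visitor would see, so that a bot operator gets no signal that the trap exists; log the rejection reason on the server instead.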

5. Comment Spam Protection — AntiSpam Bee, Akismet

If you have a blog on your site (and you should have), you likely have blog comments. Blog comments lead to blog comment spam. WordPress might catch these for you, but you are still left going through them, approving legitimate messages and trashing the rest. That’s where an antispam plugin comes in. The most popular comment spam tool is Akismet because it is made by Automattic, the company that makes WordPress, and is included. Akismet costs commercial sites $5 a month though. So, we recommend Antispam Bee unless your spam problem becomes severe enough to require the more robust options in Akismet.

6. Backup — Updraft Plus, Archiver, Server Tools

Imagine if the company that hosts your website suddenly went out of business. Do you have a copy of your site and data to get back online? Your website sits on a computer, and like any computer it can crash or be taken down. That’s why you need to have your own backups of your site as the ultimate website security precaution. At GeekCoaches, we maintain both on-server backups for quick and convenient site restoration and off-server backups in case the worst happens. To do this, we use Updraft Plus. Sometimes, you might want to reach even further back to get your content. We once had a client come to us three years after he abandoned his site and domain to ask if we could get his data back — we couldn’t. However, a snapshot of his site had been saved to the Internet Archive Wayback Machine. We built him a new site, but he was able to repost all his old material. The Wayback Machine will eventually crawl your site, but to make sure particular content is added, we use a plugin called Archiver. With the push of a button you can permanently save the text of any webpage. Finally, your webhost likely provides automatic backups of everything that comprises your site. For example, GeekCoaches provides daily backups for 30 days. Just remember to check your webhost’s policies — there may be settings to configure in advance.

7. Broken Link Monitoring — Broken Link Checker

You’ve hit a broken link before. It happens when you click on a link and instead of getting the content you want, you see an error message. This is usually a ‘404 Not Found’ error. Broken links occur when you get the link wrong on your website or the content you were linking to disappears. Broken link monitoring sends you a notification when this happens. We use Broken Link Checker for this. This plugin is not the kind of tool we normally think of as a security tool. However, website security is about keeping your site working, and Broken Link Checker helps do that. So, we decided to include it. You can call it a bonus tip.

Additional Security Steps We Take

8. Implementing SSL Encryption — Let’s Encrypt, Really Simple SSL

SSL Encryption is the website security feature that puts the little lock symbol next to the URL for your website at the top of a visitor’s browser. It means that data sent between your webhost and their browser is encrypted. This encryption prevents someone (called a man in the middle) from passing false content to your visitor or from collecting private information from either end as it’s sent. SSL Encryption is important to have even if you are not sharing or receiving private information, because without it the web browser displays a ‘Not Secure’ notification. Visitors to your site can be concerned about risk even if there is none, and they can question whether they should trust your company in general. If you have an e-commerce site where customers can make purchases, we recommend a premium SSL certificate. However, for sites providing information only, we use Let’s Encrypt.

We are going to slip in one more plugin here as well. If we are converting an existing site from unsecured to SSL encrypted, it can require an involved process to get every bit of the site secure. To make this quicker, and therefore less expensive for our clients, we use a plugin called Really Simple SSL. It handles most of the conversion process for you (or us) automatically.

9. Employing Staging Sites

Despite all the precautions we recommend at GeekCoaches, every now and then, we get the call — ‘When I visit my site, all I get is an error message.’ Often, this is preceded by, ‘I was just updating something and I don’t know what happened’. That’s why some of our clients have us do the updates for them. To help prevent the ‘updating crash’, we recommend using a staging site. A staging site is an offline duplicate of your main site where you make all your changes first. When you are satisfied that the changes haven’t caused any unexpected errors, you push a button and the staging site updates your main site. To create new sites, our web hosting system uses Softaculous which comes with staging site capability built-in.

10. Ensuring Secure Passwords

Four percent of all people use the password 123456, and it has been the most popular password for years. It’s important that you and others using your site employ passwords that bots can’t easily guess. WordPress warns you when you are using a weak password, but does not enforce strong passwords. There are strong password enforcers available if you want to go that extra step, but GeekCoaches prefers to use other measures such as two-factor authentication.

11. Limiting Users and User Roles

If you have a team, it’s generally advisable to have them involved in maintaining your online presence. However, you want to be careful to limit site access to those who actively update your site. Furthermore, you need to manage your user list, removing accounts such as those of former employees.

In addition to appropriately limiting the number of users on your site, you want to carefully manage the roles each user is assigned and limit those with higher-level access. For example, WordPress offers a number of default user roles including Administrator, Editor and Author. An Administrator has complete access to your site, including plugins and settings. An Editor can change any content on the site, including that of other users. An Author can only make changes to their own content. If you have users who will never need to change settings or the like on your site, they should only have Editor or Author access.

12. Updating WordPress, Themes and Plugins

One of the top points of entry hackers use to gain control of your site is via security flaws in tools on your website that have not been updated to the most recent version. We have certainly gotten that call here at GeekCoaches. On WordPress sites, required updates include WordPress itself, themes and plugins. (There are server tools that also need to be kept updated, but that is generally best left to your webhost.) A website security tool such as Wordfence helps protect your site, but keeping themes and plugins updated also helps close flaws that a security tool has not yet caught.

13. Using Trusted Themes and Plugins

In addition to using current tools, it is important to use trusted themes and plugins. At GeekCoaches, we always try to use themes and plugins that have thousands of users, good reviews and frequent updates.

14. Applying Domain Privacy

In addition to your website itself, another place that spammers harvest email addresses is from the contact information that you are required to provide when you register a domain name. That information is passed on to the Internet Corporation for Assigned Names and Numbers (ICANN) and is public information unless you request that the information be kept private. Domain registrars offer this privacy