If you use WordPress for your website but don't take security measures to keep it safe and up and running, potential clients may leave your site because of a warning, or, one day, they may not see your site at all. Find out how your unsecure website is costing you business and what to do about it.
- Installing SSL
- Let’s Encrypt
- Really Simple SSL
- WP Force SSL
- 301 redirects
- Google Analytics and Search Console
- WP Engine
- Managed WordPress hosting
- Uptime Robot
A lot of designers use WordPress for their website but don’t necessarily take certain security measures to keep their site safe and up and running. This can result in potential clients leaving your site because of a warning, or they may not see your site at all.
Scaring Away Potential Clients
First off, if you don’t have SSL on your site, you’re very likely scaring away potential clients. You’re losing their trust right off the bat. They may be hesitant to fill out a form to contact you or, worse, they may leave your site because the browser is giving them a warning that your site or parts of it aren’t secure.
But when your website uses SSL, visitors see a padlock icon next to the URL. Your domain reads as “HTTPS” instead of “HTTP.” This ensures that communication between the browser and the website is encrypted—secure.
SSL not only builds trust but it can help your site’s performance, the time it takes to load a page. That means it can also boost your site’s rank in Google. That might be only a slight boost, but if it comes down to your site versus other designers’ sites in search engine results, your website could rank higher.
If you don’t have SSL, you can usually get it from your web host for free or at a low cost. Most offer Let’s Encrypt certificates that are free and valid for 90 days. Cloudflare offers them free and paid.
Most web hosts will install one for you free or for a small fee. Once you have the SSL certificate, you need to force SSL on your site. Your web host can usually advise you how to do this or do it for you, or you could use a plugin such as Really Simple SSL or WP Force SSL. Be sure to back up your site first.
You also need to redirect users and search engines to the HTTPS pages via 301 redirects in the .htaccess file in the root folder on the server and change the preferred URL in your Google Analytics account to show the HTTPS version of your domain. Google Search Console treats HTTP and HTTPS as separate domains, so add the HTTPS domain in that account. That’s important to do so your traffic stats won’t be inaccurate, because the HTTP and HTTPS versions are seen as completely different websites.
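One way to add the 301 redirect described above, as an added example that is not from the original article. It assumes an Apache host with mod_rewrite; the `Force HTTPS` marker names and the `.bak` suffix are this example's own choices. The second condition keeps a TLS-terminating proxy such as Cloudflare from causing a redirect loop.

```shell
#!/bin/sh
# Added example: insert a force-HTTPS 301 rule into a WordPress .htaccess.
# Assumes Apache + mod_rewrite. Marker names are this example's own.

HTTPS_RULES='# BEGIN Force HTTPS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END Force HTTPS'

# add_https_redirect FILE
# Prints "added" or "unchanged"; returns non-zero only on error.
add_https_redirect() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Idempotent: never insert the block twice.
    if grep -q '^# BEGIN Force HTTPS$' "$file"; then
        echo "unchanged"
        return 0
    fi
    # Keep a copy of the original before editing it.
    cp -p "$file" "$file.bak" || return 2
    tmp=$(mktemp) || return 2
    # The redirect goes first, outside the "# BEGIN WordPress" block:
    # WordPress regenerates only what sits between its own markers, and
    # the redirect must run before requests are handed to index.php.
    { printf '%s\n\n' "$HTTPS_RULES"; cat "$file"; } > "$tmp" || return 2
    # Write through the existing file so its owner and mode are kept.
    cat "$tmp" > "$file" || return 2
    rm -f "$tmp"
    echo "added"
}

# Stand-alone use: sh force-https.sh /path/to/.htaccess
if [ "$#" -eq 1 ]; then add_https_redirect "$1"; fi
```

Afterwards, `curl -sI http://your-domain/` should answer with status 301 and a `Location:` header that starts with `https://`.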
Although nothing’s 100%, you can prevent potential security issues by taking several steps.
The first is getting good hosting. Having a reputable web host goes a long way toward protecting your website. I really like Pair and WP Engine. I have colleagues who like A2, Siteground, Flywheel and InMotion.
Server-side security is also important. It is less of an issue for managed WordPress hosting than with shared hosting. Managed hosting plans cost more but they take care of a lot of security measures for you. They continuously check for malware and monitor for hacking attempts.
If you’re on shared hosting, you can install a security plugin such as Wordfence. Wordfence is available free and with additional paid options. You can configure it in different ways. For example, one of the options includes being notified when anyone with an administrator account logs into your site. Another option is blocking the ability to log in from other countries.
The third step is making sure you update on a continuing basis.
It’s essential to keep WordPress, the theme and plugins updated, especially if there are known security vulnerabilities in any of them. Managed WordPress hosting often automatically updates WordPress for you and will notify you if certain plugins have any security vulnerabilities, in which case they should be updated immediately.
Themes and plugins are created by all different developers and updated at different points in time. Some developers continue to develop their plugins; others may stop, which may leave your site open to issues—security related or a technical conflict.
Ongoing backups are vital. If you don’t update your site very often, you could set up weekly backups. But I highly recommend daily backups.
You or the host could update WordPress or the PHP on the server, and there could be a conflict somewhere that causes your site to go down. You might update something incorrectly in one of your template files, or you might update or add a plugin which causes a conflict or has a security issue.
You can set up backups to run automatically or you can perform them manually. Either way, you want to be sure to download them and keep them on hand—and not on your web server, where they take up storage space and potentially slow down your site, and could become inaccessible to you or compromised in case of a security breach.
I copy mine over to an external hard drive.
Now, your host may keep backups for you, if they do that at all. But note that they only store them for a certain period of time, usually 30 days. If a hack or malware is discovered on day 31, you won’t have any clean backups to restore.
You can easily set up backups with a Cron job on your server or by using a plugin such as UpdraftPlus, BackWPup or Duplicator. They have free and paid options and allow you to schedule backups on an ongoing basis and upload them to Dropbox, Google Drive or a slew of other places.
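A backup script of the kind a cron job could run, as an added example that is not from the original article. The paths, the 90-day default, and the `WP_DB_NAME` / `WP_DB_CNF` variables are assumptions of this example. The database dump is written to a temporary directory, never into the web root, and the resulting archive still needs to be copied off the server.

```shell
#!/bin/sh
# Added example: nightly WordPress backup for cron. Paths and names are
# placeholders. Example crontab entry (02:30 every day):
#   30 2 * * * /home/user/bin/wp-backup.sh /var/www/site /home/user/backups

# backup_wp SITE_DIR DEST_DIR [KEEP_DAYS]
# Prints the archive path on success. Set WP_DB_NAME and WP_DB_CNF (a
# my.cnf-style file with the DB user and password) to include a SQL dump.
backup_wp() {
    site=$1 dest=$2 keep=${3:-90}
    [ -f "$site/wp-config.php" ] || {
        echo "not a WordPress directory: $site" >&2; return 1; }
    mkdir -p "$dest" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    work=$(mktemp -d) || return 1
    if [ -n "${WP_DB_NAME:-}" ]; then
        # Dump outside the web root so the SQL file is never downloadable.
        mysqldump --defaults-extra-file="$WP_DB_CNF" --single-transaction \
            "$WP_DB_NAME" > "$work/database.sql" || { rm -rf "$work"; return 1; }
    fi
    out="$dest/wp-$stamp.tar.gz"
    # Owner-only permissions: the archive contains wp-config.php secrets.
    ( umask 077
      tar -czf "$out" -C "$site" . -C "$work" . ) || { rm -rf "$work"; return 1; }
    rm -rf "$work"
    # Confirm the archive can be read back before relying on it.
    tar -tzf "$out" > /dev/null || return 1
    # Prune copies older than KEEP_DAYS (default is longer than a host's 30 days).
    find "$dest" -name 'wp-*.tar.gz' -mtime +"$keep" -exec rm -f {} +
    printf '%s\n' "$out"
}

# Stand-alone use: sh wp-backup.sh SITE_DIR DEST_DIR [KEEP_DAYS]
if [ "$#" -ge 2 ]; then backup_wp "$@"; fi
```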
WordPress User Access
Another step you can take is to only use your administrator account for performing technical updates to your website and to use an editor-level account for adding and updating content to your site and blogging. That’s so the admin username doesn’t get exposed in the code of the site, which would make it easier for someone to get into the site. There is another way to address that, but it’s more technical.
Another security measure you can take is using a strong password. That means something hard to guess but also something that includes letters, numbers and special characters. The longer the better.
You can save the login credentials in a password manager such as LastPass or 1Password. Just make sure you have strong credentials for logging into the password manager as well.
Security isn’t a set-it-and-forget-it deal. Your site should be continuously monitored for potential security issues because, again, WordPress, themes and plugins get updated by their developers continually and at different times.
Wordfence and MalCare are great for monitoring your site. I like both and use both. There’s also a service called Sucuri.
And don’t worry. I have links to all of these in the show notes on the website.
I also added my websites to ManageWP, where I also used to monitor client sites on a monthly basis. It allows for security scans as well. I like to use multiple services for this, such as ManageWP and MalCare, because sometimes one catches something the other one doesn’t.
MainWP is another service you could use.
It’s also good to monitor your site’s uptime. In the event something were to happen and your site went down, you’d want to know right away. Now, that’s not always caused by a security issue.
But keep in mind that on a shared hosting plan, your site shares the server space with other customers’ sites. If someone hacks into their site, yours may become vulnerable or compromised, or it could go the other way around. Your site might get malware or get hacked and then infect others.
And if the server or your site gets hacked or faces repeat attacks, the host will take it down.
You can monitor your site’s uptime free with Uptime Robot. You will then get notified if your site goes down. MalCare also monitors uptime and notifies you if your site goes down.
Taking Action in Case of a Hack
If you discover your website has malware or has been hacked, you need to take action, so that your site remains online or gets back online quickly, if it’s been taken offline.
Restoring From a Backup
If you know when the issue occurred and you have a clean backup, you can restore that backup. Some hosts make that easy to do, in one click. Backup plugins can help you do that as well.
Cleaning the Site
If you discover an issue and you haven’t backed up your site in a while, you may want to clean the site. Your host or another company could do that, but you might find success using MalCare first.
I just helped a friend of mine clean up his site, which had malware on it. The host had taken the site down and told him it would be $400 to install SSL and to clean up the site to get it back online.
Be proactive about your website security, so that doesn’t happen to you too. It may not only cost you money to fix the issue, but can cost you in terms of lost sales or looking unprofessional.
Once you’ve got someone’s attention and they’re on your site, you don’t want to lose it. So make sure your website is continuing to work for you.