#1 – SECURE QUALITY WEBSITE HOSTING
One major factor behind these security vulnerabilities is low-quality hosting.
Invest in a host that places high value on security. You aren’t doing yourself any favors if you feel that cheaper hosting costs outweigh security. Part of your market research must include looking into the hosting company’s security record. Are they security-conscious? Do they rely on the latest technology and standards?
This is also true for shared hosting. While it is a cheaper option, it also means that you’re sharing server space with other customers. Unfortunately, all it takes is for one website to get infected, and the malware to spread across every site on the network.
This is why we should consider upgrading to the cloud, VPS, or dedicated hosting when we can afford it.
In addition, we should be looking for a host that offers the following services:
Up to date server software – Too many hosts still run on PHP 5, which has long lost support. At this point in time, servers should at least use PHP 7.0+. The same goes for other software like cPanel, MySQL or other database programs, and the operating system.
Malware monitoring and removal – Pick a host that actively makes an effort to detect and prevent malware infections, and possibly offers malware scanning and removal for when you do get breached. Not all web hosts have a policy for removing malware from an infected site, and among those that do, some will charge extra for this service.
Firewalls and other security measures – There are many ways that hosting providers can increase their server security. Possibly, the most effective among them is to rely on a firewall as it prevents unauthorized outside access to the server. It might be a good idea to check whether a provider has this and other means of prevention in place before making a choice.
Why we use and highly recommend SiteGround for our Web Hosting Services
SiteGround is one of the most popular and highest rated hosting provider in the Website community. They provide unique in-house WordPress speed and security solutions to make your site as fast and secure as possible. They are known for the best 24/7 support in the industry which is why they’re an official ‘WordPress’ recommended hosting provider. This is also why we use SiteGround for hosting all our client’s websites. SiteGround features include automatic upgrades, daily backups built-in WP caching, free CDN, free SSL, one-click staging and GIT version control. They are also one of the few companies offering location specific hosting with 6 data centers in USA, Europe, Asia, and Australia.
“DUE TO RECENT CHANGES IN NZ OVERSEAS SERVICES LAW, WE ARE NOW ONE OF THE ONLY AUTHORIZED PROVIDERS OF SITEGROUND HOSTING IN NEW ZEALAND”
#2 – STRONG PASSWORDS AND IMPROVE LOGIN SECURITY
When someone figures out your password without resorting to exploiting the site’s code, it’s most likely a result of brute force attacks. This involves forcibly trying various combinations of letters and numbers until they get the password right.
Sometimes a potential attacker will try common combinations, before moving on to using programs run an automated process that tries several random password combinations per second.
If you’re beginning to feel as though you might as well give up all hope of keeping your sites secure, don’t. There are tons of ways to slow down hackers, deter, and even prevent attackers from doing things like brute force attacks.
Website’ default installations generally rely on a similar login path each time. Making this a prime and easy target for hackers trying common or easily guessable passwords.
The reason that so many people continue to use WordPress is that many of these issues are easily fixed.
Create a Strong Login Combination
The first and most important step is to choose a proper username and password. We could hide the login page under a different URL, but if your login is something as mundane as admin/password, it wouldn’t make any difference once hackers find it.
Here’s a list of usernames you should definitely avoid.
Admin – This used to be the default username for WordPress and is, therefore, one that will definitely be tried in a brute force attack.
Your real name or nickname – This is both public information and as easy to guess as “admin”. In addition, it can make sense to create a separate profile without the administrator’s right to publish content. That way, the username of the main login does not appear on the website.
Any personal information – Including birthday, etc. Only use a personal detail if it’s something no one could ever know.
The title of your site, or something obviously related to it – “Kittens” for a cat adoption agency, etc.
You also need to choose a secure password. The general gist of this is the same: avoid personal info, obvious choices like “password”, or anything clearly related to your website.
A good password is 10+ characters, uses a variety of characters, and avoids common words and phrases. The best passwords are a long series of completely random letters, numbers, and symbols that no one could ever possibly guess. Services like Secure Password Generator can help you create them.
If you have a hard time remembering your login information, consider using a service like LastPass.
Lock Down Your Login Page
By default, anyone can log into your website by going to yoursite.com/wp-admin. You can stop them in their tracks by changing the URL entirely. WPS Hide Login allows you to switch it to whatever you want. Just install it and go to the plugin settings to change it.
You should use a login path that isn’t obvious. It might deter them a little if you change it to something like /login or /new-login, but if they’re determined, they’ll figure that out pretty quickly. Therefore, it’s better to choose something very hard to guess like /jacksparrowshideout.
Next, install a plugin to limit login attempts. Any person can spam your server with hundreds of requests until they guess it right. A plugin that limits login attempts will give them only a few chances before they’re locked out. It can also detect and redirect bots away from your login page.
Alternatively, you could activate a CAPTCHA to slow them down even further.
At this point, most hackers will search for easier targets. They can keep trying once their time is up, but in that time we could check our audit logs, notice their attempts to get in and issue an IP ban.
You could also try Cloudflare Rate Limiting. This automatically detects brute force as well as DDoS attacks and blocks the offending IP address.
The last step is to set up two-step authentication using a plugin. Besides requiring a username and password to get in, it asks the visitor for a third authenticator. The most common is a text verification of a message sent to your phone. A hacker might be able to gain access to your email, but it’s very unlikely they could steal your phone.
#3 – INSTALL A SSL CERTIFICATE
The first thing you should do is get a Secure Sockets Layer (SSL) certificate for your site.
SSL is the standard technology to transmit data safely between the web server and the browser. This ensures that information passed between the users and your site is encrypted (private) and safe.
For example, your site users may enter information like emails, credit card details, etc. This information will be transferred to the webserver after they submit it. SSL protects that process by encrypting.
You can get an SSL certificate from your domain registrar or from other SSL provider companies. Some companies like Let’s Encrypt provide SSL for free.
To know whether your site already has an SSL, you can simply check its URL. If it starts with ‘https://’, then it’s SSL certified. If it has only ‘http://’ without ‘s’, then you should quickly get it.
Using SSL is even more important nowadays because the latest browsers like Google Chrome show ‘not secure’ for non-SSL sites.
#4 – REGULAR UPDATES OF WEBSITE SOFTWARE AND PLUGINS
Most website platforms like WordPress, Joomla, etc. provide frequent updates with security fixes. They release new software versions to fix and stop the security issues found in their earlier versions.
So, you must always keep an eye on the new updates offered by the website platform you’re using and implement the updates immediately on your site.
Some software companies even hire people to attack their own software to find vulnerabilities. They try to track the loopholes and fix them all before any bad person takes advantage of them.
The bottom line, you should always use the latest version of any website software.
#5 – Frequent Scanning and Monitoring of Vulnerabilities
Attackers can leave malicious code to your site via comment or mail. There is a high chance that it can open vulnerability in your website. You have to be cautious of suspicious activities to protect your site from security threats.
It is important to frequently look for vulnerabilities in your website to strengthen your site’s security. Frequent scanning and monitoring of your site for any vulnerability, malware, and suspicious activity can help you take preventive measures against common attacks.
This can be achieved by using different security check tools and also extensions provided for different CMS life security check plugins for WordPress.
Using these check tools is the best method to constantly check the status of your site and its security. They will highlight your website’s weak points and enable you to solve them accordingly.
With our website, maintenance plans offer full website scanning and security check alongside free malware removal if any dreaded malicious code is found on your site