A course creator on social media asks:
Tricia, I’m concerned about the scope of my security measures for my membership site. I’m a new business owner, and cash flow is still an issue. Could you please advise as to the minimum measures I should take to keep my site safe and secure?
Wow. This is a great question. When new entrepreneurs first start thinking about securing their membership site, quite often their focus is on protecting their content. Securing the site itself is often overlooked. Unfortunately, many of us wait until it’s too late to begin implementing solutions. Rest assured, if you have not had a problem yet, you will at some point in the future.
There are two types of threats you must guard against. The first category has to do with internal business operations. These have more to do with your host and include server disasters, data loss, and hard drive failures. It’s not uncommon to see frantic posts on social media about the many hours lost because business owners weren’t prepared for the possibility of something like this happening.
The second level of website vulnerability comes from outside of your business. Many small business owners mistakenly believe that only larger companies need to take precautions against threats like hackers and malware attacks. This couldn’t be more wrong. Hackers often target smaller sites because they’re easier to break into, and with the growth of sophisticated hacking software, it’s easier than ever to compromise hundreds of small and vulnerable websites at once. Combined, these provide the same amount of information a larger site would provide.
Therefore, while entire books could be written on the subject of website security, here are eight strategies you can easily implement today. Best of all, they won’t break the bank.
1. Regularly Back Up ALL of Your Site Data
Chances are, you are already using applications like Dropbox, Google Drive, or OneDrive to back up documents and photos on your hard drive. Nonetheless, are you backing up all the important elements of your WordPress site? If you’re not, start doing so immediately!
Let me repeat that…start doing so immediately.
There are several great (and free) WordPress plug-ins that will automatically back up all of your posts, site pages, user information and database files. Personally, I recommend spending a few bucks for the Backup Buddy plugin. It is simple and easy to use and works behind the scenes to routinely back up your entire WordPress site. You even have the option to back up to multiple locations like your computer, your cloud storage account, or an FTP server. If for some reason a scheduled backup fails, it can even send you an alert so you can correct the issue before it’s too late. It will save you lots of time and is well worth the money.
2. Keep All Applications Up-To-Date
It is imperative that you keep all your plugins, themes, and the WordPress system itself updated to their current versions. This is as much for security as it is for usability. If you don’t log in to your WordPress admin dashboard often, it can be difficult to keep up.
It should go without saying, but before applying any update, make sure you have a complete backup of all your site data (see #1). Some of your plugins and themes may not work well with one another (especially if you have made any modifications). However, with a backup, you need not be concerned. Furthermore, consider setting up a copy of your site where you can apply upgrades first. A backup tool (see #1) can help you with that as well.
To make life easier, I recommend WP Update Notifier. It will send you an email every time an update is available and ensure that your website is protected against any newly discovered security vulnerabilities.
3. Uninstall Unused Themes and Plugins
If you’re like me, you like to play with new themes and plugins…a lot. I’m always on the lookout for new toys. Nevertheless, once you use WordPress for a while, you may start to notice things have slowed down quite a bit, and the size of your backup files is much larger than it needs to be.
Log in to your WordPress admin dashboard, choose Plugins > Installed Plugins. How many plugins are there that you don’t use anymore? Don’t just deactivate them, delete them. Also, when was the last time the ones you do use were updated? Many plugins and themes are almost never updated, and they become easy targets for hackers. If you find that a developer does not keep their products up-to-date, it’s time to get rid of them for the sake of security.
4. Use Strong and Random Passwords
This one should not have to be mentioned, but you might be surprised at how many people do not take this one seriously. Quite a few people still use kids’ names, birth dates, and combinations like ABCD1234 as their passwords. Listen carefully; it doesn’t matter how much time and money you throw at online security. Your weakest point is always your password. Modern password cracking techniques can make more than 300 billion guesses per second.
I highly recommend you begin using a password manager. They are quite secure and free you up from having to remember complex combinations of characters. They allow you to access your password database with a single master password and even make it easy to regularly change passwords. For more information, check out this list of PC Magazine’s best password managers.
5. Do NOT Share Login Credentials
I am always amazed when a new client gives me their personal login information to access their WordPress site. Of course, I have built a reputation as someone who can be trusted, but this is a terrible thing to do! Yes, it is quick and easy to do, but if you’re using a decent password manager (see #4), you can just as easily set up separate login credentials for each user. This is not only wise for security reasons; it gives you better control of your data. You can take this a step further by limiting privileges for specific individuals (see #6).
6. Install ‘User Role Editor’ to Customize Site Access
User Role Editor is a fantastic WordPress plugin that makes it easy to add, edit, and delete user privileges. Very few people, if any, should have top-level administrator access to your website. It uses simple checkboxes to create roles that are easy to update and change. It even grants you the ability to assign multiple roles to individual users. Believe me. User Role Editor will make your life much easier, and more secure.
7. Limit Login Attempts
As previously mentioned (see #4), today it is easier than ever for hackers to figure out your passwords by guessing them over and over. This tactic is known as a brute force attack, and such attacks are very common. Unfortunately, WordPress by default allows an unlimited number of login attempts. Install the Login LockDown plugin and change the number of attempts you will allow. I recommend that you limit it to fewer than five. If a user goes over this amount, the IP address they are using will be blocked for a pre-determined amount of time. You can make it 15 minutes or 24 hours. This simple measure might be enough for hackers to go elsewhere to find an easier target. If you find the limit you put in place becomes a challenge for your members, you can always adjust it.
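To show what a login limiter like the one described above actually does, here is an added example (my own illustration, not code from the article or from the Login LockDown plugin): a small per-IP tracker that allows four failures, then blocks that IP for 15 minutes, resets the counter on a successful login, and lifts the block once the time has passed. The sample attempt list is constructed for the demonstration.

```python
# Added example: per-IP failed-login limiter modelled on the behaviour in tip #7.
# Not the Login LockDown plugin's code; thresholds below are assumptions.
from collections import defaultdict
from dataclasses import dataclass, field

MAX_ATTEMPTS = 4            # "fewer than five": four failures allowed per IP
LOCKOUT_SECONDS = 15 * 60   # block for 15 minutes (24 hours is the other option)


@dataclass
class LoginLimiter:
    max_attempts: int = MAX_ATTEMPTS
    lockout_seconds: int = LOCKOUT_SECONDS
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, ip, now):
        """True while the IP's block is still in force; clears an expired block."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]      # block expired: fresh budget
            self.failures.pop(ip, None)
            return False
        return True

    def record(self, ip, success, now):
        """Process one login attempt; returns 'locked', 'ok' or 'fail'."""
        if self.is_locked(ip, now):
            return "locked"                # even a correct password is refused
        if success:
            self.failures.pop(ip, None)    # good login wipes the failure count
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout_seconds
        return "fail"


# Constructed sample of wp-login attempts: (unix time, client IP, password correct?)
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.5", False), (10, "203.0.113.5", False),
    (20, "203.0.113.5", False), (30, "203.0.113.5", False),   # 4th failure -> blocked
    (40, "203.0.113.5", True),                                 # correct, but still blocked
    (50, "198.51.100.7", False), (60, "198.51.100.7", True),   # one miss, then success
    (1000, "203.0.113.5", True),                               # 15 min passed -> allowed
]


def replay(attempts, limiter=None):
    """Feed attempts through a limiter and return the decision for each one."""
    limiter = limiter or LoginLimiter()
    return [limiter.record(ip, ok, t) for t, ip, ok in attempts]
```

Running `replay(SAMPLE_ATTEMPTS)` yields the per-attempt decisions; the fifth attempt is refused even though the password is right, which is exactly the trade-off the article mentions for legitimate members who mistype.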
8. Install Security Plugins to Further Lock Down Your Site
Since WordPress is a popular platform, it is a favorite target of hackers. WordPress is aware of this and has diligently worked to keep its core secure. However, most vulnerabilities come from the plugins and themes you add (see #2 and #3) and from weak passwords (see #4). This is why my final tip is to implement a powerful security plug-in. Three of my favorites are Wordfence, Sucuri, and iThemes Security (formerly Better WP Security). Each provides a strong extra layer of security for your site. They will all help you defend against hackers, brute force attacks, malware, and threats like fake bots that search your site for weaknesses. Some even provide you with an audit of your site’s logins. I highly recommend you check each of them out to determine which one is best for you.
In closing, I can’t emphasize enough how important these security measures are for your membership site. Please don’t wait until your host has an issue, or you discover you’ve been hacked. I promise that the time and money you spend on recovery will be much more than the cost of prevention. Also, as the old saying goes, “don’t be penny wise and pound foolish.” Attempting to save a couple of dollars today may cost hundreds in the future. You’ve made a big investment by building a membership site. Spend a few more dollars to protect your membership.