8. Implementing SSL Encryption — Let’s Encrypt, Really Simple SSL
SSL Encryption is the website security feature that puts the little lock symbol next to the URL for your website at the top of a visitor’s browser. It means that data sent between your webhost and their browser is encrypted. This encryption prevents someone (called a man in the middle) from passing false content to your visitor or from collecting private information from either end as it is sent. SSL Encryption is important to have even if you are not sharing or receiving private information, because without it the web browser displays a ‘Not Secure’ notification. Visitors to your site can be concerned about risk even if there is none, and they can question whether they should trust your company in general. If you have an e-commerce site where customers can make purchases, we recommend a premium SSL certificate. However, for sites providing information only, we use Let’s Encrypt.
We are going to slip in one more plugin here as well. If we are converting an existing site from unsecured to SSL encrypted, it can require an involved process to get every bit of the site secure. To make this quicker, and therefore less expensive for our clients, we use a plugin called Really Simple SSL. It handles most of the conversion process for you (or us) automatically.
9. Employing Staging Sites
Despite all the precautions we recommend at GeekCoaches, every now and then, we get the call — ‘When I visit my site, all I get is an error message.’ Often, this is preceded by, ‘I was just updating something and I don’t know what happened’. That’s why some of our clients have us do the updates for them. To help prevent the ‘updating crash’, we recommend using a staging site. A staging site is an offline duplicate of your main site where you make all your changes first. When you are satisfied that the changes haven’t caused any unexpected errors, you push a button and the staging site updates your main site. To create new sites, our web hosting system uses Softaculous which comes with staging site capability built-in.
10. Ensuring Secure Passwords
Four percent of all people use the password 123456, and it has been the most popular password for years. It’s important that you and others using your site employ passwords that bots can’t easily guess. WordPress warns you when you are using a weak password, but does not enforce strong passwords. There are strong password enforcers available if you want to go that extra step, but GeekCoaches prefers to use other measures such as two-factor authentication.
11. Limiting Users and User Roles
If you have a team, it’s generally advisable to have them engaged in maintaining your online presence. However, you want to be careful to limit site access to those who actively update your site. Furthermore, you need to manage your user list, removing users such as former employees.
In addition to appropriately limiting the number of users on your site, you want to carefully manage the roles each user is assigned and limit those with higher level access. For example, WordPress offers a number of default user roles including Administrator, Editor and Author. An Administrator has complete access to your site including plugins and settings. An Editor can change any content on the site including that by other users. An Author can only make changes to their own content. If you have users that will never need to change settings or the like on your site, they should only have Editor or Author access.
12. Updating WordPress, Themes and Plugins
One of the top points of entry hackers use to gain control of your site is security flaws in tools on your website that have not been updated to the most recent version. We have certainly gotten that call here at GeekCoaches. On WordPress sites, required updates include WordPress itself, themes and plugins. (There are server tools that also need to be kept updated, but that is generally best left to your webhost.) A website security tool such as Wordfence helps protect your site, but keeping themes and plugins updated helps avoid exploits that have not yet been discovered.
13. Using Trusted Themes and Plugins
In addition to using current tools, it is important to use trusted themes and plugins. At GeekCoaches, we always try to use themes and plugins that have thousands of users, good reviews and frequent updates.
14. Applying Domain Privacy
In addition to your website itself, another place that spammers harvest email addresses is the contact information that you are required to provide when you register a domain name. That information is passed on to the Internet Corporation for Assigned Names and Numbers (ICANN) and is public information unless you request that it be kept private. Domain registrars offer this privacy service, but you have to request it as a premium option. If you do not wish people to have your name and contact information, you should request domain privacy.
15. Maintaining Website Monitoring
To maintain the security of your site, you need to know when there is a problem. Website Monitoring attempts to connect to your site on a regular basis to ensure your site is up. A monitoring service lets you know when your site went down and when it came back. GeekCoaches uses UptimeRobot. They have both free and premium plans. If you have an ecommerce site, you should consider the paid package.
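As an added example (not GeekCoaches’ code and not how UptimeRobot is implemented), the following Python script does what the paragraph describes: it probes a site on a schedule and reports only the moment the site went down and the moment it came back, with the outage length. The URL, the check interval and the sample probe history are constructed placeholders.

```python
import time
import urllib.error
import urllib.request
from datetime import datetime, timedelta

SITE_URL = "https://example.com/"  # placeholder, not a real client site
CHECK_INTERVAL = 300               # seconds between probes

def probe(url, timeout=10):
    """One check: True if the server answers with a non-5xx status."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "uptime-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status < 500
    except urllib.error.HTTPError as err:   # 4xx still means the site is up
        return err.code < 500
    except (urllib.error.URLError, OSError):  # timeout, DNS failure, refused
        return False

def state_changes(samples):
    """Reduce a chronological list of (timestamp, is_up) results to
    (timestamp, "DOWN"|"UP", outage_seconds) transition events."""
    events, was_up, down_since = [], True, None
    for ts, up in samples:
        if was_up and not up:
            down_since = ts
            events.append((ts, "DOWN", None))
        elif not was_up and up:
            events.append((ts, "UP", (ts - down_since).total_seconds()))
        was_up = up
    return events

def availability(samples):
    """Fraction of probes that found the site up (the uptime percentage)."""
    return sum(1 for _, up in samples if up) / len(samples)

# Constructed probe history: five-minute checks, two of which failed.
_t0 = datetime(2024, 1, 1, 0, 0)
SAMPLE_PROBES = [(_t0 + timedelta(minutes=5 * i), up)
                 for i, up in enumerate([True, True, False, False, True, True])]

if __name__ == "__main__":
    history, reported = [], 0
    while True:                          # live loop against SITE_URL
        history.append((datetime.now(), probe(SITE_URL)))
        events = state_changes(history)
        for ts, kind, outage in events[reported:]:   # only new transitions
            print(f"{ts:%H:%M} site {kind}", f"after {outage:.0f}s" if outage else "")
        reported = len(events)
        time.sleep(CHECK_INTERVAL)
```

Run it as a script to watch a live site, or call `state_changes` on a stored probe history to turn raw checks into the down/up notifications a monitoring service would send.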
16. Choosing Reliable Hosting
Your site is only as good as your webhosting service. If they have performance or reliability problems, it can create a poor experience for your prospects and customers. A failure to maintain servers or update software could completely crash your site or leave it open to hacking. Also, when you have an issue, you want timely support. Beware of cheap hosting packages that make your site unusable when you have multiple visitors. One tactic we often see is offers of unlimited bandwidth and storage. However, what they don’t tell you is that they restrict other resources important to your site’s performance, such as memory and CPU (processor) allocations. GeekCoaches uses a hosting wholesaler, as we are marketing and website geeks rather than hardware specialists. We did extensive research in selecting our provider and have been more than satisfied in the years we have been partnered. GeekCoaches offers managed webhosting — taking care of everything including signing you up.
17. Using Content Delivery Networks as Appropriate
Your website lives on a computer server somewhere, and pages are sent to people from that server when they click on links. A Content Delivery Network (CDN) sits between your server and your site visitors. A CDN creates cached, snapshot versions of your webpages that can be quickly delivered to site visitors. It can also duplicate those cached pages on CDN servers across the country or around the world to make delivering your pages faster for distant visitors. To increase the reliability of your website, a CDN can also serve cached copies of your web pages even if your site’s server is down. This extra layer of reliability provides a security function in that it keeps your website working even if something else has compromised it. GeekCoaches uses Cloudflare CDN for those clients that need extra performance and reliability.