[11] 5 Steps to Website Security You Can Trust

The Transcript

Jerod Morris: Welcome to Sites, a podcast by the teams at StudioPress and Copyblogger. In this show, we deliver time-tested insight on the four pillars of a successful WordPress website: content, design, technology, and strategy. We want to help you get a little bit closer to reaching your online goals, one episode at a time.

I’m your host Jerod Morris.

Sites is brought to you by StudioPress Sites — the complete hosted solution that makes WordPress fast, secure, and easy … without sacrificing power or flexibility. For example, you can upload your own WordPress theme, or, you can use one of the 20 beautiful StudioPress themes that are included and just one click away. Explore all the amazing things you can do with a StudioPress Site, and you’ll understand why this is way more than traditional WordPress hosting. No matter how you’ll be using your site, we have a plan to fit your needs — and your budget. To learn more, visit studiopress.com/sites. That’s studiopress.com/sites.

Welcome to Episode 11 of Sites.

Last week, in episode 10, we discussed user experience design, and how it benefits website users and can deliver bottom line business benefits as well.

But there is one sure-fire way to sink even the most immaculate user experience design … and that is with poor security.

Nothing will erode your audience’s trust in you faster than visiting your website and getting a security warning, or having Google flash a “You can’t trust this site” message in your search results.

Even worse, have you ever navigated to a site, started reading, and then been suddenly redirected to some spammy, shady looking sweepstakes page … or worse? You try to press the back button, and you can’t? I have.

It’s a pretty good sign that something got hacked on the original site, whether it was the site itself or a piece of code, like an ad script. It definitely makes me think twice about visiting again.

Don’t make your website visitors think twice!

The simple reality is that website security has never been more critical. Hackers, ransomware, and denial of service attacks are all concerns for the modern business.

With WordPress, the power of the platform is also the reason that security holes can develop and be exploited. While the ability to mix various themes and plugins with the content management system provides that flexible power, it also increases the potential for malicious access.

So what can you do, as a site owner, to protect your website from the evildoers who will stop at nothing to harm your site for their own nefarious purposes?

The first step is the most important.

1. Choose a security-focused hosting provider

The most important security-related decision you will make is where you host your website. As you peruse different hosting options, or step back and review your current host from this perspective, ask this simple question: what is my host bringing to the table in terms of security?

You need a host that is specifically designed to provide an integrated environment that keeps your website safe from the bad guys.

What does that look like? Well, a strong host should essentially take care of the rest of these steps for you. Sounds like a pretty sweet deal, right? Absolutely. You don’t want to stress about security, you want to work on your content and build relationships with your audience members and, hopefully, future customers.

So let’s look at these other steps and see what your hosting provider should be delivering to you.

2. Have automatic WordPress updates in place

The beauty of open source software like WordPress is that there are thousands of people constantly making it better, as well as thousands of eyes looking for security issues.

But it’s generally up to you to make sure you update your version of WordPress when there are problems with a previous release. This means you have to keep track of when WordPress updates are available, backup your site, and then cross your fingers that the update doesn’t bork something. And then do it again a few weeks later when a new update is out.

That’s cumbersome. And it can be stressful.

But it’s necessary.

The best solution is hosting your site with a provider that has an automatic update feature — and to turn it on, if it’s not on by default. Then, basically, your host is taking this responsibility and pressure off your plate. That’s good. That’s the value you’re paying for.

3. Respect the risk presented by themes and plugins

The next question is will your theme or plugins you want to install add security holes?

If your host comes bundled with themes and recommended plugins, like StudioPress Sites does, for example, then you can feel comfortable that everything will play nicely together and be as secure as it can be.

Shoddy theme and plugin code leads to easy access for hackers. Plus, it can kill your site speed and performance. A double whammy. This is why using themes and plugins that have been fully vetted by a security-conscious host is a smart idea.

Take the Genesis Framework as an example. This is the framework on which our themes are built at StudioPress, and every StudioPress Sites website comes loaded with Genesis and 20-plus child themes.

Not only does the well-coded Genesis provide a strong line of defense, it also auto-updates when a new version is released and adds a layer of protection on top of the newest version of WordPress.

Make sure you watch your plugins too, both in what you allow into your site’s environment, and in ensuring that those plugins are always updated to the latest version. Plugins can be the blessing and the curse of WordPress, and you want to stay vigilant in keeping them updated at all times.

Helpful hint: if you’re running a plugin that does not update quickly after new versions of WordPress come out, start looking for a new plugin. It might mean that the plugin developer has abandoned the plugin, which doesn’t bode well for future improvements. At best, you’ll be using an outdated plugin, which is a recipe for security disaster.

Finally, let’s discuss two more areas where you and your hosting provider need to be really serious about security:

4. Protect yourself from DDoS attacks

Have you ever heard of a DDoS attack?

You’ve probably heard the term even if you didn’t know what it means.

A distributed denial of service — DDoS — is a brute force attack that is the result of multiple compromised systems (for example, bots) flooding your site with traffic. You need to make sure that your site’s host has proactive technology that allows it to detect and mitigate attacks quickly, while repeat offenders are detected and banned accordingly.

For example, we have a proprietary technology in place for this at StudioPress Sites. It’s an “always on” intrusion prevention technology that works continuously to keep your WordPress install safe from vulnerabilities, intrusions, and exploits. Our team has years of experience, plus we’ve sought audit input from multiple third parties, all of which allows us to create configurations and settings that keep the bad guys away without handcuffing your working style.

You would be wise to ask your host how they handle DDoS attacks, and you should hope they have a detailed explanation like what I just provided about StudioPress Sites. DDoS attacks are a serious problem, and they need to be treated with serious solutions.

5. Deploy continuous malware monitoring

Finally, you need continuous malware monitoring. This really isn’t negotiable.

Unless you yourself are constantly monitoring all of the folders and files that make up your website, how will you know if a hacker has broken in and left something? Not all hacks and malicious code reveal themselves in a public, obvious way right away. And if your site has a ticking time bomb buried within it — really, if it has anything in it that you didn’t put there yourself — then you need to know about it so you can take action.

To give you another example, the way StudioPress Sites handles this is to partner with Sucuri for continuous malware monitoring, scanning, and remediation. So if malware is found, we take the responsibility of removing it so you don’t have to worry about it.

Additionally, we also scan for advanced threats, including conditional malware and the latest cyber intrusions. This is all included as part of your plan. And that’s how it should be.

Adequate website security shouldn’t be an add-on that you pay more for, or something you have to rely totally on third parties for. Strong security should be a standard part of any web hosting package, so make sure you have it.

To review, here are the five steps you can take to have a more secure website are:

1. Choose a security-focused hosting provider
2. Have automatic WordPress updates in place
3. Respect the risk presented by themes and plugins
4. Protect yourself from DDoS attacks
5. Deploy continuous malware monitoring

Now stick around … this week’s hyper-specific call to action is coming up.

Call to action

For this week’s call to action, I want you to pick one of the following:

You can either …

One: Create a recurring calendar or to-do list item that reminds you to check every other week for WordPress, plugin, or theme updates.

This way, you’ll never go more than two weeks without checking, if for some reason you don’t happen to log in to your WordPress dashboard and/or miss the alerts in there.

Now, if your hosting provider has automatic updates for WordPress and even your theme and certain plugins, you may not need to do this. Just make sure the automatic updates are turned on. Then you can choose CTA #2 …

Two: If you don’t already know, ask your hosting provider how they are protecting you from DDoS attacks and malware injections. You may need to put in a support request, or find the answers in your host’s knowledge base or documentation.

You need to know this, even if it’s just for your own peace of mind.

Okay — coming next week, we’re back to strategy, and we’re back to SEO. We’re going to ask — and answer — the question What if You Could Simply Eliminate SEO from Your Life? Come back next week to find out.

Finally, before I go, here are two more quick calls to action for you to consider:

Subscribe to Sites Weekly

If you haven’t yet, please take this opportunity to activate your free subscription to our curated weekly email newsletter, Sites Weekly.

Each week, I find four links about content, design, technology, and strategy that you don’t want to miss, and then I send them out via email on Wednesday afternoon.

Reading this newsletter will help you make your website more powerful and successful. Go to studiopress.com/news and sign up in one step right there at the top of the page. That’s studiopress.com/news.

Oh, and I should mention, we occasionally include special offers in these emails too — stuff that isn’t otherwise marketed publicly. So if you like StudioPress products, keep your eye out for special deals in your Sites Weekly email. Again, it’s studiopress.com/news.

Rate and Review Sites on Apple Podcasts

And finally, if you enjoy the Sites podcast, please subscribe to the show on Apple Podcasts (formerly known as iTunes), and consider giving us a rating or a review over there as well.

One quick tip on that: to make the best use of your review, let me know something in particular you like about the show. That feedback is really important.

To find us in Apple Podcasts, search for StudioPress Sites and look for the striking purple logo that was designed by Rafal Tomal. Or you can also go to the URL sites.fm/apple and it will redirect you to our Apple Podcasts page.

And with that, we come to the close of another episode. Thank you for listening to this episode of Sites. I appreciate you being here.

Join me next time, and let’s keep building powerful, successful WordPress websites together.

This episode of sites was brought to you by StudioPress Sites, which was awarded “Fastest WordPress Hosting” of 2017 in an independent speed test‏. If you want to make WordPress fast, secure, and easy — and, I mean, why wouldn’t you — visit studiopress.com/sites today and see which plan fits your needs. That’s studiopress.com/sites.