Build in Security from Day 1 to Prevent Website Hacks

Website security should be on the mind of every site owner. It doesn’t matter if your site is large or small – if it is important to your business, you need to keep it safe and secure. As a site owner myself – and primarily a WordPress site owner – I’ve come up with a checklist I go through every time I spin up a new website for myself or a client. Let me share it with you in hopes that you will pick up a few new ideas. Let’s look at what it takes to secure a website.

Choosing A Secure Web Host

It should go without saying, but security starts with your web hosting company. I’ve used everything from ‘do it yourself web hosting’ to ‘concierge level hosting’. The trick is to find the level you need and the support you are comfortable with.

Check their support

The first thing I do when considering a new web host is to check their support and response time. I’ll sign up for a free trial, put up a site, and then ping support to ask a question. How quickly they respond and how well they understand the question gives me clues as to what I can expect from them if I host with them.

Check their security features

I’ll then check their website and hosting plans to see what security tools and features they provide. I’ll look for essential things like an SSL certificate to encrypt and protect my website data, domain privacy to hide my personal information from public Whois databases, 2-factor authentication to protect my website from unauthorized access, geographically distributed backups to have a safe copy of my website in case something goes wrong.

Other key security measures I’d like my website hosting provider to have in place is a Web Application Firewall – software that sits in front of my website and protects it from known bad traffic – to keep my host server safe from software exploits, DDOS and brute-force attacks protection, and the option for automatic updates to the latest PHP and WordPress versions to keep your site secure from malware.

If the host provides yet more security tools, that would be even better. For example, on top of all these features, available on the SiteGround platform, they also offer an in-house developed Site Scanner service and a free in-house built SiteGround WordPress Security plugin to make sure that your website would be as secure as possible.

Check their blog

Step 3 when selecting a web host is always to read the last 5 entries in their blog. 

• Are they recent?
• Do they talk about security?
• Do the blog posts seem helpful?

No, not all blog posts are going to be about security, but I’d better be able to find a recent one. The Security landscape changes quickly so they need to be posting regularly.

Check their price

Finally, I check their pricing tiers and figure out where my site will fall. Price is the last thing I check because if the first two boxes aren’t checked then the price doesn’t matter. They could be giving it away for free and I wouldn’t use them.

Build Your Site Securely From The Beginning

Once you’ve laid a secure foundation for your website, it’s time to start framing it and building it out. At every step, you need to make sure that security is “baked in” not “bolted on”.

Security is baked in when you think about it before you start building your website. 

Security is bolted on when you build out your entire website and then decide to just add a security focused plugin to cover your bases.

Baked in is always better.

What does it mean to bake in security?

Install an SSL certificate as soon as you get the website set up

Don’t wait until you are ready to deploy your website before you remember to install your SSL certificate. These days a secure website is just a few clicks away. Take the time to do it now and then make sure you force all traffic to be https after it is installed. For those users hosting with SiteGround, your Site Tools makes setting up and enforcing SSL easy. Just a few clicks and you are in business.

Set a strong password policy before you start adding users

Passwords are the lock on the front door to your site. When building out your site, put a strong lock on the front door by requiring all users to use strong passwords. Doing this before you let users start coming into your site will make sure that no users set up weak passwords.

Require Two-Factor Authentication (2FA) for any user that will have admin level rights in the system.

Two Factor Authentication is the deadbolt on the inner office in your site. Yes, a strong password is important for anyone to get into the site, but to get to things like financial information or user management, you want a strong deadbolt as well. Keep your system secure by implementing 2FA for all your admins. The SiteGround Security plugin makes setting up 2FA very easy.

Set up a backup system that will regularly backup your entire website and store those backups securely.

You need a 30-day backup system implemented from day 1. Not 1 day, not 7 days, 30 days. The reason is, if your site gets hacked, you may not notice immediately. Once you do notice, you want to clean your site and one of the best ways to do that is restore your site from a clean backup. 

SiteGround’s Site Tools provides an intuitive tool for scheduling nightly backups and restoring from them when needed. 

While we are talking about backups. Don’t forget to force a backup before any upgrade, major site redesign, or installing a new plugin. It never hurts to have a fresh backup in case things go bad.

Adhere To The Principle Of Least Privilege

Before you start letting users into your system, think about the roles that they will play. A role is a set of permissions or privileges and you want to give each user the absolute minimum level of privilege they need to use your site.

There are several good role editors for WordPress and I suggest you install one, learn how to use it, and then audit the roles you have in your site to make sure they have only those privileges they need to use your site. 

On a regular basis – at the very least once a year – review these privileges to make sure they are still valid and to make sure that no role has been granted a privilege it does not need. 

Most users are not trying to do bad things, but we have to assume they would if they could. Adhering to the Principle of Least Privilege will help make sure that bad actors, or curious users, can’t do things to your site they aren’t supposed to.

Only Use Software From A Trusted Source

In software development – as in building a house – your supplier’s reputation is critical to your project’s success. If you use a cut-rate supplier for the framing materials of your house, the entire project will suffer. Worse yet, it will cost you more later on to fix these problems than it would to just buy good materials to begin with.

Building your website with quality materials like plugins and themes from reputable vendors will usually cost you money in the short run. However, knowing that you have companies standing behind their products and updating them when issues arise is worth the money.

Yes, you can choose a free plugin or theme to build a critical feature of your website on. However, what do you do if you discover that there is a security flaw? Worse yet, what do you do when you discover that flaw and then discover that the author has abandoned the project? At that point you have 2 options, neither good.

1. Hire a developer to fix the security flaw
2. Rip out the plugin, find another one that does the same thing, implement it and make any changes to your process that are necessary.

Both of these can be expensive propositions that could be avoided by simply choosing wisely in the beginning.

SiteGround recently looked at the data from a lot of compromised websites. What they found was that the majority of the compromised websites were compromised because they had unpatched plugins that had security flaws in them. Much of the time these were the free versions of paid plugins downloaded from untrustworthy sources. Only download plugins and themes from trusted sites like WordPress.org or vendors you trust.

The WordPress plugin repo is a reputable source. WordPress.org has implemented a review process – both human and scanning software – to help filter out plugins that have potential security issues or otherwise violate WordPress policy.

Scan Your Site Regularly

Just like you build a security system into your house, you want to set up a security scanner for your website as soon as you build it. Security scanners look at your site both internally and externally to make sure that there are no known vulnerabilities. It will check your website for viruses as well. No security scanner is perfect, just like no home security system is perfect. But your website is more secure with one.

A good scanner will look for things like Cross Site Scripting vulnerabilities among other things. These vulnerabilities can allow your site to be used in the attack of other sites or attacks on the end user themselves.

SiteGround has a great scanning system available. I get regular emails from it telling me which sites it has scanned and either that they are all clear or that there is an issue I need to address…immediately.

Beware of Phishing Scams Related To Your Site

Once you’ve built a new house, you don’t hand out keys to anyone who asks, even if they claim to have a good reason for wanting in. Similarly, you want to make sure that if you get an email that says it is from your site, you don’t automatically click on the link.

You should know every email your system is capable of sending. When you get one that you don’t remember setting up, you need to investigate. Don’t click, start looking at it. Check the headers, look at the exact URL any links go to. Most importantly, quarantine the email using your virus detection software. 

Unknown emails purporting to come from your site are just another way that bad actors try to get into your site. These phishing attacks come from servers that are not under your control, so you can’t stop them. You can however, be aware so that when you get them, you delete them. In almost all cases, if you don’t click, the email itself can’t do any damage.

Tools I Regularly Use To Bake Security Into My Sites

Keeping a WordPress website secure doesn’t have to be a full-time job if you bake security into it from the beginning. To do this, there are a couple of tools I use on almost every WordPress website I have.

• SiteGround Security plugin
• SiteGround Optimizer plugin
• SiteGround Site Tools

The SiteGround Security Plugin is the first plugin I install on any new website I spin up. I install it, I install an SSL certificate, and I configure everything to be secure before I do anything else. If I get this part right, everything else is easier. 

The SiteGround Optimizer plugin is a great way to make my site faster, but it is also where I check the “HTTPS Enforce” checkbox. This way all the traffic on my site goes over HTTPS even if it wasn’t originally. Having an SSL certificate is important, enforcing it on all traffic is equally important. 

SiteGround’s Site Tools have a lot of great options to make managing a website easy. The one tool I use in setting things up though is the Backup tool. After I get SiteGround Security and SiteGround Optimizer setup and configured, I have my foundation laid – I force a backup. This is my fallback in case I mess something up while building out my site. 

Then before I install each plugin or theme, I create a new one. I name these backups “BEFORE “ + the plugin or theme name. This way I can roll back to any point in the process.

Wrap Up

If you lay a secure foundation for your website and then think about security at every turn, then you can rest easy at night, knowing that your site is as secure as possible. No website, however, is bullet proof. Therefore, the last step is to build your Disaster Recovery plan. What steps do you take when your site has been hacked?

The SiteGround Security plugin has a series of steps you can take just for that situation. It is not a complete disaster recovery plan but when you combine it with 30 days of backups, you are well on your way to having one.