As a small business website owner, you may be wondering what you can do to improve your online security — within the context of your current setup. Here are ways to keep people out of your accounts in the first place and limit the damage they can do if they gain access.
Your first goal is to keep unwanted people out of your accounts in the first place.
Be difficult. Strong passwords are the key element of limiting access! Lifehacker has a great article on strong but memorable passwords if you need some assistance. A password manager can be a big help here as well, remembering all your strong passwords for you (except for the one you use to get into the password manager). You can compare various password managers at PC Mag and Lifehacker, or search for “password manager reviews.”
Be different. Never use default usernames: they give someone trying to crack into your account one sublimely easy guess. In particular, on WordPress your administrator account username should not be “admin.” If it is, though, you can fix it. Usernames on WordPress accounts cannot be changed, but attribution of blog posts and pages can be transferred. If you have admin as your username, to change it you’ll create a new account with administrator privileges (and a stronger name), log out of your “admin” account and into the new one, and then delete the “admin” account. As part of the deletion process, you will be able to assign authorship of admin’s blog posts and so forth to your new account. For screenshots and more details, check out BobWP’s post How to Delete Your Default Admin Username Safely.
Be current. Keep your software up to date. Even in the most well-tested software there can be security holes (vulnerabilities) that hackers can exploit to damage or access your site. When those are discovered, fixes are implemented and updates released, but those releases also amount to public announcements that the older versions are vulnerable, so a site that stays on an old version is running software whose weaknesses are now known.
Be cryptic. Another sort of access you can limit is access to the communication between your website and its visitors (including you): SSL (the current versions of the protocol are called TLS, but the old name has stuck). SSL secures your website by encrypting all information that passes between the site and the user, such as your password when you log in. Your site will become HTTPS instead of HTTP, and most browsers will show a closed lock image in the address bar to indicate to visitors that the connection is encrypted. Note that going “HTTPS everywhere” can require some changes behind the scenes to maintain full functionality, but the benefit is security, increased visitor trust, and a boost to your Google rankings (see HTTPS as a ranking signal on Google’s Webmaster Central Blog). The easiest way to go HTTPS is to buy an SSL certificate through your web host, but you can also get free certificates through Let’s Encrypt.
Side note: Never enter credit card information or social security numbers on non-HTTPS sites.
The second goal of online security is to limit the damage a hacker can do if one gains access to one of your accounts. There’s only one rule here: least privilege. Everyone and everything should have only as much access as needed to do the required work. This is a process of restriction and separation.
Least-Privilege Passwords: Use different passwords for different sites. If you have the same password for your blog, social media, and email accounts, then obtaining the password to one means gaining access to all. Imagine if losing your car keys meant your house and office were at risk as well! Again, a password manager can be very helpful for this.
Least-Privilege Hosting Accounts: If someone got access to your web hosting account, how many sites could they harm? Having distinct accounts is another separation you can make. There is a convenience cost to having to log into different accounts for different sites, and possibly a monetary cost for not “buying in bulk,” but if you have particularly sensitive websites, consider giving them their own hosting account. Your web hosting company should be willing and able to move the site files for you.
Least-Privilege Site Accounts: WordPress allows user accounts with varying permission levels. The endgame here is to have two accounts on your site, one with full permissions (Administrator) and one with only enough to let you write and edit posts and pages, add media, and manage comments (Editor). Log into the Editor account most of the time, and the Administrator account just at regular intervals – and on trusted internet connections – to apply software updates or edit widgets. Fewer logins means fewer opportunities for someone to grab the account’s credentials, so this way the account from which someone could do more damage is also less at risk. Enacting this change is very similar to changing your admin username: create a new Administrator account and log into it, but instead of deleting your previous account, change its role (permission level) to Editor. You can read more about WordPress user roles and permissions at The Theme Foundry.
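The two account changes described above (retiring a default “admin” login by deleting it with its posts reassigned, and keeping a separate Editor account for everyday work) can also be done from the command line with WP-CLI instead of the WordPress dashboard. The script below is an added example, not code from the original post or from the WordPress project; it assumes WP-CLI is installed and is run from the site’s WordPress root, and the login “siteowner” and the e-mail address are placeholders. It refuses to demote or delete “admin” while that is the only administrator, which is the one way to lock yourself out of your own site.

```shell
#!/bin/sh
# Added example, not code from the original post: replace a default "admin"
# login and run day-to-day work from an Editor account, using WP-CLI
# (https://wp-cli.org/). Assumes WP-CLI is installed and the script is run
# from the WordPress root; "siteowner" and the e-mail address are placeholders.
set -eu

# Number of administrator accounts still using the default login "admin".
count_default_admins() {
  wp user list --role=administrator --field=user_login | grep -cx admin || true
}

# Number of administrator accounts NOT named "admin". Demoting or deleting
# "admin" while this is 0 would lock you out of your own site.
count_other_admins() {
  wp user list --role=administrator --field=user_login | grep -vcx admin || true
}

# Create the replacement administrator. Without --user_pass, WP-CLI generates a
# strong random password and prints it once; store it in the password manager.
create_admin() {
  wp user create "$1" "$2" --role=administrator
}

# Numeric ID of a login, needed to reassign content when deleting a user.
user_id() {
  wp user get "$1" --field=ID
}

# "Be different" variant: delete "admin" and hand its posts and pages to the
# new administrator (ID in $1) instead of deleting them with the account.
delete_default_admin() {
  [ "$(count_other_admins)" -gt 0 ] || { echo "refusing: 'admin' is the only administrator" >&2; return 1; }
  wp user delete admin --reassign="$1" --yes
}

# Least-privilege variant: keep "admin" for daily posting but drop it to
# Editor, a role that cannot install plugins or themes or manage users.
demote_default_admin() {
  [ "$(count_other_admins)" -gt 0 ] || { echo "refusing: 'admin' is the only administrator" >&2; return 1; }
  wp user update admin --role=editor
}

# Usage (run step 1, log out, log in as the new account, then step 2):
#   sh replace-admin.sh create siteowner owner@example.com
#   sh replace-admin.sh demote        # or: sh replace-admin.sh delete siteowner
case "${1:-}" in
  create) create_admin "$2" "$3"; echo "'$2' created with user ID $(user_id "$2")" ;;
  demote) demote_default_admin ;;
  delete) delete_default_admin "$(user_id "$2")" ;;
  *)      echo "usage: $0 create <login> <email> | demote | delete <new-admin-login>" ;;
esac
```

Run the create step first, log out of “admin”, confirm the new account can log in, and only then run demote or delete; the guard in both functions is a safety net, not a substitute for checking that the new login works. The generated password printed by the create step is shown only once, so put it straight into your password manager.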
Bonus Tip: Restore
You will never achieve 100% security, and damage can occur, so here’s your bonus tip: Make regular backups! An exploration of all the options would be a post in itself, but your web host likely offers backup service – in fact, some degree of backups may be included for no extra fee – and there are many WordPress plugins to assist you as well.
Keep it secret. Keep it safe.