Contractor Website Security – How to Avoid Getting Hacked
Learn how to keep your website as secure as possible.
There’s nothing more unsettling than waking up in the morning to find your contracting website has been hacked. It’s alarming to see your website directing readers to inappropriate material, clickbait, or any other link over which you have no control.
Recently I had a contractor come to me asking me about the security measures we perform for our website clients as his website had been hacked more than once. I’ve learned a thing or two in the years I’ve been helping contractors, and today I want to give you a few tips on how to keep your website as secure as possible.
Currently, if you have a website and any online presence, it’s not so much a matter of IF your website will come under attack, but WHEN—so here are five tips to ensure you have a rock solid, protected website!
1. Update Your Passwords
This is a very foundational tip, and one that’s important for you to practice across all your online activities, not just your website. Updating your passwords on a regular basis is vital for your online safety.
Also, it is highly, highly important that you create indecipherable and unique passwords for each of your accounts. Hackers are primarily able to access accounts through insecure passwords, and passwords created with your first name, last name, or date of birth are very insecure. To make sure your password is strong, use a combination of uppercase/lowercase letters and numbers or symbols such as stars, dollar signs, hyphens, etc.
Lastly, I recommend that you change your passwords regularly. Twice a year is sufficient, but if you want to be really proactive, change them once a month.
Store your passwords in a secure space such as LastPass, where you can access them, but no one else can!
2. Use WordPress Security Plugins
The second security tip I have for you today (and this is assuming that your websites are built on WordPress) is to use the security plugins built for WordPress.
Here are a couple of WordPress security plugins I recommend:
Sucuri is a powerful WordPress security plugin. It does auditing, malware scanning, and hardening. The plugin developers are constantly updating Sucuri and building it up so that it works better and better every year. There are a lot of things that I certainly don’t understand about hacking, but having a plugin like this installed on your website will definitely help with checking for malware, spam, blacklisting, and other security issues.
The next plugin I want to recommend is called Wordfence Security. Wordfence Security is pretty simple to understand: it’s an antivirus, firewall, and malware scanner, and it constantly runs in the background of your website, keeping track of what internet users are doing or trying to do with your site. If something goes wrong on your website, it will be recorded by the plugin.
The developers at Wordfence are continuously analyzing the current threats and developing new detection rules and protection to help stop hacks before they happen.
Brute Force Attempts
I want to encourage you to make sure your security plugins are set up to limit brute force logins to your website. A brute force login is when a hacker tries to access your WordPress dashboard by using what are called “brute force robots.”
These robots go out to comb the internet, find a WordPress website, and start hitting the login with combinations of usernames and passwords. I mean, we’re talking thousands and thousands of attempts to log in within minutes, which is possible because it’s all done by robots and not by people. So you can imagine that by just sheer brute force they can eventually figure out what the combination is and get into the website.
It’s very helpful to have a plugin that will limit brute force attempts. In other words, if you try to log in three times and all three times you fail, the plugin will stop the login option, making it impossible to log in. Having that capability built into your website is very important to keeping your website secure from hackers.
3. Use a WordPress Framework With Child Theme
All right, we’re going to move on to our third point: use a child theme framework on WordPress. A WordPress child theme is a website theme that sits on top of a WordPress framework. The child theme takes care of the look and feel of the website, and all the customizations that may have been made. It makes updating your website easier, and there is no risk of losing your customized features.
We use and prefer the Genesis framework from StudioPress. We have used this framework for years, and it’s very, very good, rock solid, and secure. When they were developing Genesis, they brought in one of the core WordPress developers to make sure that the Genesis framework was as secure as possible. With his guidance, they were able to build their framework to follow all of WordPress’s security best practices, and they have continued to do so.
I highly recommend Genesis and a child theme for your WordPress website. Not only is it secure, but it also makes updating your site and your site customization easier.
4. Regularly Update Your Website and Plugins
It’s very important that you update not only your WordPress site, but also your plugins on a regular basis. Hackers often take advantage of vulnerable websites through outdated plugins. The plugin developers will continue to run updates to keep their plugins secure.
Whenever they issue a new update, you should immediately go into your dashboard and update those plugins. This is so important that we’ve included regular updates to all the core code and plugins of the website as one of the main services we offer in our contractor website maintenance package. It helps keep your website very secure.
5. Secure Your Website Domain Name
Our final tip for this article is to make sure that your website domain name is secure. I’m talking about the SSL certificate at the front of your domain name.
If you go to a website on a desktop and you look at the domain name, it should say (https://). It will not be just “http” because the “http” is not secure and Google is now requiring that all websites have the “s” added. This creates a secure socket layer and makes it obviously harder to hack—better for Google and better for everyone.
This is also something we require of all our contractor website clients, and thankfully, secure socket layers are not expensive. They’re also easy to purchase and install. Of course, there are different levels that you can purchase. One level contains a green bar that shows very quickly if a site is secure. It costs a little bit more, but still it’s not too expensive. In my opinion, it’s totally worth it. Securing your domain name is a practical way to protect your website from hackers.
To keep your website as secure as possible, update your passwords regularly with unique and indecipherable passwords. Install WordPress security plugins to protect your website, and update them every time an update is released. Use the Genesis WordPress Child Theme for a secure, easily customizable website, and ensure that your contracting company’s domain name is secured and approved by Google.
These are just a few simple tips to help you zip up your website and make it secure in the present and as you move forward with building your online presence!
Thank you for joining me today. If you have any further questions or comments, please join the conversation in the comments below.