Website security is an extremely important but often overlooked aspect of managing your online presence.
Your website is an indispensable part of your academic entrepreneur strategy. If set up correctly, your site will work around the clock on your behalf, promoting your brand, and generating revenue.
But failure to protect your website can lead to significant extra cost to fix or replace it, not to mention the psychological and emotional stress on top.
Therefore the purpose of this article is to explain in simple terms:
- Ways hackbots attack your site
- How to reduce the risk of getting hacked
- What to do if you get hacked
A cautionary tale on website security
Imagine your site is humming along until, one day, you wake up and find that it’s been converted into an online Viagra pharmacy!
Well, that is exactly what happened to me many years ago.
I was a university academic at the time and I was getting savvy with blogging and strategic search engine optimisation. My articles were ranking well in Google organic search results and garnering a lot of page views.
Then one day I got a terrifying email from Google telling me to check my site because there were signs of malicious code. Sure enough, I had been hacked and it was bad. Further investigation revealed the hackers accessed my site through a vulnerable plugin file.
I had to pay a fair bit to scrub the site clean but, even after that, I decided to do a full rebuild and start fresh. It was a terrible experience, but it was a powerful wake-up call to the importance of website security moving forward.
Who the heck wants to hack my website?
What are the chances of your website getting hacked? Higher than you think.
Truth is, automated hack-bots scan and scour the internet 24/7 probing websites for vulnerable code.
It’s nothing personal and no one in particular is out to get you (unless you have some highly motivated and determined enemies).
We recently launched the Academic Entrepreneur website, but as you can see from our security software logs in the above image, it didn’t take long for hackbots to find us and start poking our site for vulnerabilities.
1. Use good quality hosting
I’m starting off with hosting because it is the bedrock of your website and you need to get it right from day one.
Not all website hosting is created equal. As with virtually any service provider in any profession, there are good guys and also some shady operators.
For example, a colleague of mine hired a “web developer” from a small third-world country because he was offering her a “deal” on the website development and hosting.
Up front, it sounded great... until it wasn’t.
Her organic traffic had dwindled to a standstill and she had no idea why. When I audited her site, I dug deep into the hosting account, examined the files, and found that her site had been seriously compromised.
I found odd named folders with files pointing to Indian Viagra, porn, and illegal drug sites. I don’t know if her site was externally hacked by a bot or if someone from within the dodgy hosting company was running a spam factory from client sites.
I helped her clean her site and migrate it to a trusted Australian hosting provider. Before long, her traffic returned and she was back in action.
The bottom line is that you need to use good quality hosting and be prepared to pay a fair and honest price. If you go to online gun-for-hire markets like WeWork or Fiverr, you must be EXTREMELY careful because you just might get what you pay for.
I discuss hosting in more detail in my setting up your academic website article.
2. Update your website regularly
You MUST update your website regularly. Period. No exceptions.
Every web software update comes with security fixes that patch vulnerabilities in older versions, which may otherwise pose a security risk.
A few years back, a health communications company hired me for a routine site audit and blogging/SEO upskilling session with their team. I flagged numerous issues but the biggest problem related to extremely outdated WordPress core files, themes, and plugins – as in loud red sirens outdated.
I warned them in no uncertain terms that they were at very high risk for getting hacked and that they should either update or redesign their site as soon as possible.
Unfortunately, they didn’t take action and three months later I received frantic text messages, emails, and voice messages informing me they’d been hacked.
In the above screenshot, you can see that it didn’t take long for Google to slap a warning sign on their site – yep, that’s guaranteed to scare off potential visitors!
In the end, the entire episode could have been prevented (or the risk significantly reduced) by simply updating their site on a regular basis.
I helped them move to better quality hosting and we did a site redesign which included multiple layers of security to protect them moving forward. To date, they have not been hacked again.
WordPress core files
WordPress is your website’s content management system, much like the frame to your home – yeah, it’s important!
New WordPress core updates often come with enhanced security features, so it’s imperative you update as soon as possible.
In the image above, you can see that WordPress gives you three different dashboard update indicators so don’t ignore them.
Click here to learn more about setting up your academic website with WordPress.
Themes
Themes are like “skins” that wrap over the top of your WordPress installation and give it its outward appearance to the world.
As with WordPress, you need to update both your active AND inactive themes. Remember that even your inactive themes can have vulnerabilities, so I recommend keeping a single back-up theme and deleting the other ones you’re not using.
Click here to learn more about WordPress themes.
Plugins
Plugins add additional functionality to your website that is not natively available in the WordPress core or theme files.
As with WordPress core files and themes, update your plugins as soon as the notifications appear. Create a habit of checking your site for available updates at least a few times per week.
As a general rule, before you install any plugin for the first time, always check to see when the developer last updated it.
In the image above, you can see that this plugin hasn’t been updated in six months. While that does not automatically mean that it’s a bad or untrustworthy plugin, if the developer has pretty much abandoned it, then it could pose a potential security risk to your site.
Bottom line: always play it safe and choose plugins with a regular update history.
Click here to learn more about WordPress plugins.
3. Use the latest PHP version
PHP is the main language used in WordPress’ core files, so it’s important to ensure you’re running the latest stable version (version 8.0 as of February 2021) for the latest performance and security features.
But don’t take my word for it, hear it direct from WordPress:
PHP, like WordPress, is maintained by its community. Because PHP is so popular, it is a target for hackers – but the latest version will have the latest security features. Older versions of PHP do not have this, so updating is essential to keep your WordPress site secure.
If you’re building your own WordPress site or having one built for you, set it to the latest PHP version from the start.
You can set it within your hosting account, but if you’re not sure, contact your hosting company or tech person and have them update it for you.
Note: Because PHP 8.0 is still a new release, it is possible some WordPress themes and plugins may not yet be fully compatible and could cause glitches. If this is the case, you may need to revert to a previous version like PHP 7.4.
4. Hide the login screen
On any WordPress site, the publicly available default login URL is: your-academic-website.com/wp-login.php.
Hackbots know this and they use sophisticated software to try and force their way into your website.
Fortunately, free plugins like WP Cerber allow you to block the default URL and set your own private login URL.
Not only that, if anyone tries to access the default URL, you can set it to block their IP address so they can’t try again. This makes sense because no one without authorisation should be trying to access your website’s login page.
There are other custom ways to block the login page, but WP Cerber offers a quick and easy solution with a lot of other features and benefits to keep your site hack-free.
5. Change default usernames
When you install WordPress, the username “admin” is automatically assigned as the default administrator unless you manually change it.
If hackbots get access to your login screen, nine times out of ten, they will put “admin” as the username and then use brute force software to guess your password.
Pro tip: Delete “admin” and replace it with anything but “admin” (e.g., your full name, website name, etc.).
6. Use a cryptic password
I know it’s common sense (or should be), but use a strong password!
It’s 2021 and if you’re still using your pet’s name (or grandmother or children’s names) as your password, then it’s only a matter of time until you get hacked.
Use long cryptic passwords that include upper and lower-case letters, numbers, and symbols. You can save them in a password program like Keychain on Mac or other commercial password-saving services like LastPass.
7. Use Google Captcha
Install Google Captcha and stop hackbots in their tracks.
Google is getting more sophisticated with identifying bot behaviour and shutting them down before they can do any harm.
So if for any reason hackbots manage to get to your hidden login screen, there will be yet another virtual moat for them to cross before they can have a crack at breaking into your site.
8. Use 2-factor authentication
Two-factor authentication (2FA) is exactly what the name implies. You need to authenticate your login with your password and another type of information.
You might receive a text message or email with a temporary code you need to enter. It could be a biometric like a fingerprint.
The real value of 2FA is that even if hackers manage to get to your login screen and guess your password, there is no way they’ll be able to access your phone or email for the temp code.
Check out this article for more information on two-factor authentication.
9. Limit login attempts
Limiting login attempts is a great way to shut down hackers in their tracks. In the image above, in my WP Cerber plugin, I only allow three login attempts within 5 minutes.
I set it to three because if for any reason I make a mistake while logging in, I want to have at least a couple more chances.
Hackbots, on the other hand, will easily use all three attempts, after which their IP address is blocked for 60 minutes.
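A small simulation of the two policies described in sections 4 and 9, as an added example that is neither WP Cerber’s code nor the article’s own: any IP that requests the default wp-login.php URL is blocked on the spot, and an IP that fails three logins on the private URL within 5 minutes is blocked for 60 minutes. The private login path and the IP addresses are placeholders.

```python
from collections import defaultdict, deque

# Policy values taken from the article's WP Cerber settings.
MAX_ATTEMPTS = 3            # failed logins tolerated ...
WINDOW_SECONDS = 5 * 60     # ... within this window
LOCKOUT_SECONDS = 60 * 60   # how long an IP stays blocked
DEFAULT_LOGIN_PATH = "/wp-login.php"            # WordPress default login URL
PRIVATE_LOGIN_PATH = "/example-private-login"   # assumed custom login URL (placeholder)


class LoginGuard:
    """Tracks failed logins per client IP and enforces the lockout policy. Timestamps are epoch seconds."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
        self.blocked_until = {}             # ip -> epoch second when the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(ip, None)    # block expired (or never existed)
        return False

    def check_request(self, ip, path, now):
        """Return True if the request may proceed. Touching the default URL blocks the IP immediately."""
        if self.is_blocked(ip, now):
            return False
        if path == DEFAULT_LOGIN_PATH:
            self.blocked_until[ip] = now + LOCKOUT_SECONDS
            return False
        return True

    def record_failure(self, ip, now):
        """Record a failed login on the private URL. Return True if this failure triggered a lockout."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:   # drop failures older than the window
            recent.popleft()
        if len(recent) >= MAX_ATTEMPTS:
            self.blocked_until[ip] = now + LOCKOUT_SECONDS
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure history for that IP."""
        self.failures.pop(ip, None)
```

Note that a legitimate user whose mistakes are spread out over more than 5 minutes never trips the limit, while three rapid failures do.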
10. Use Cloudflare
Cloudflare is a service that, once configured, sits between your host servers and your site visitors. It delivers numerous security features and performance enhancements such as a content delivery network (CDN) that helps your pages load fast for visitors anywhere on Earth.
You can see in the image above that Cloudflare provides you with layers of protection against bots, login attacks, and DDoS attacks to stop the bad guys before they start!
11. Restrict file uploads
As a general rule, only allow file uploads (images, video, audio, documents, etc.) to your website from trusted users (e.g., admins and contributors).
There are plugins and custom coding options available to restrict uploads but, by far, the easiest way to manage this is by simply limiting who has access to your website.
Here’s a short article which provides more detail on file upload restrictions.
12. Set up Google Search Console
Google Search Console (GSC) helps you measure your site’s search traffic and performance, fix issues, and make your site perform well in organic search results.
GSC is not a security feature in and of itself, but think of it as an extra set of eyes and ears that are continually monitoring your website’s health.
Reflecting back, if not for this service, I would never have known my site had been hacked. I took action as soon as I received the alert and was quickly back online without any significant loss of traffic.
13. Backup your website – often
And now the bad news… and what you can do about it.
Even if you have every security feature installed on your site, you are only minimising, not eliminating, the risk of getting hacked.
And this takes us to… BACKUPS!
Run your website like you EXPECT to be hacked and keep multiple levels of backups (which I’ll discuss below).
In our case, if Academic Entrepreneur got hacked today, I could literally wipe out the infected site files and database, reinstall a clean backup, and be up and running within a few minutes. The only tricky part is figuring how the hackers penetrated the site in the first place so I can patch it and prevent a repeat hack (i.e., vulnerable plugin, theme, etc).
Automated cloud storage backups
For the Academic Entrepreneur website, you can see in the image above that I’ve set up automated backups from the hosting account to my Google Drive. We’ve set the site to back up daily, weekly, and monthly.
While automated backups are great, sometimes, for whatever reason, they fail and no longer save to the cloud. You should periodically check to ensure your cloud backups are working.
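One way to do that periodic check, as an added example that is not the article’s own or any hosting provider’s tooling: given the list of backups a hosting account reports, flag any of the daily, weekly or monthly tiers whose newest backup is missing, empty, or older than its schedule allows. The sample backup listing and the six-hour grace margin are constructed assumptions.

```python
from datetime import datetime, timedelta

# Oldest acceptable age per tier: the schedule interval plus a six-hour grace margin (assumed).
MAX_AGE = {
    "daily": timedelta(days=1, hours=6),
    "weekly": timedelta(days=7, hours=6),
    "monthly": timedelta(days=31, hours=6),
}


def check_backups(backups, now):
    """backups: iterable of (tier, finished_at, size_bytes).
    Returns {tier: None} when healthy, or {tier: "reason"} when something needs attention."""
    report = {}
    for tier, max_age in MAX_AGE.items():
        in_tier = [b for b in backups if b[0] == tier]
        if not in_tier:
            report[tier] = "no backup found"
            continue
        _, finished_at, size_bytes = max(in_tier, key=lambda b: b[1])  # newest backup in the tier
        if size_bytes == 0:
            report[tier] = "latest backup is empty"                      # job ran but saved nothing
        elif now - finished_at > max_age:
            report[tier] = f"stale: last backup {finished_at:%Y-%m-%d}"  # job has silently stopped
        else:
            report[tier] = None
    return report


# Constructed sample: what a hosting account's backup listing might look like.
CHECK_TIME = datetime(2021, 2, 20, 12, 0)
SAMPLE_BACKUPS = [
    ("daily", datetime(2021, 2, 20, 3, 0), 512_000),
    ("daily", datetime(2021, 2, 19, 3, 0), 510_000),
    ("weekly", datetime(2021, 2, 11, 3, 0), 2_048_000),  # nine days old: weekly job has stopped
    ("monthly", datetime(2021, 2, 1, 3, 0), 0),           # ran, but produced an empty archive
]


def run_sample():
    return check_backups(SAMPLE_BACKUPS, CHECK_TIME)


if __name__ == "__main__":
    for tier, problem in run_sample().items():
        print(f"{tier:8s} {'OK' if problem is None else 'ATTENTION: ' + problem}")
```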
At least a couple of times per week, I physically go into my hosting account and take manual backups of our website files and database that I store on an offline external hard drive.
It might seem like overkill, but until you know the terror of getting hacked, it’s always a good idea to keep two or three steps ahead and plan for website Armageddon!
Lastly, with good quality hosting, you should have something like Acronis Backup which takes an image of your entire hosting account. The cool thing about this is that you can restore your entire hosting account, website, or specific files to a previous time point.
In the image below, you can see that Acronis captures hourly images of everything. On a related side note, aside from getting hacked by the bad guys, it’s not entirely uncommon to make mistakes on your own site that may require restoration to a previous time stamp.
I tend not to rely on this but, as with manual backups, it’s just another handy feature for buffering against those unforeseen Armageddon scenarios.
Take-home message
Your academic website is an important tool in your academic entrepreneur online strategy and it is imperative that you implement strong security features to protect it.
Hackbots are ever-present and continually finding new ways to breach sites and install malware that could allow access to your or your web visitors’ sensitive details (e.g., credit card numbers, etc.).
While there is no way to completely eliminate the risk of getting hacked, you can take steps to significantly reduce the risk.
If you are prepared with multiple layers of backups, then a website hack can be reduced to a minor headache rather than a cataclysmic meltdown.
Feel free to reach out to us if you have any questions.