Content security – 8 Steps to Securing your Content
Over the last few years you've created a website full of content that promotes your products or services. You've either spent hours of your time crafting it yourself, or you've invested your hard-earned money in hiring someone to write it for you. But have you thought about your content security?
If you get hacked, you have no content marketing strategy.
And this is something I found out the hard way over the last week.
Content Security – My Story
I had always thought that my website was secure. I used strong passwords, and kept my plugins and themes up-to-date.
Sure, I had a couple of other websites that I was planning to use in the future, but I thought nothing of this.
A hacker managed to find a vulnerability in one of these sites, and was able to upload a script to my server to infect my websites – all seven of them.
The first sign I had been hacked was when I saw my Google search rankings disappear overnight. But I thought nothing of it.
A couple of days later I was rooting around in the Google Search Console and saw that my sitemaps had errors. Thinking this was strange, I looked further and found that my xml sitemaps had been replaced with static HTML pages – pages left by the hacker.
This was scary.
I got straight in touch with the team at WP Saracen, who started locking my site down.
I felt relief, but it wasn't to last.
The next morning I woke up and my homepage had been taken down.
Back to panic stations!
Over the next week the fantastic team at WP Saracen restored my website backups and set up a suite of new security tools:
- Bulletproof Security Pro
- UpDraft Plus, and
We've also enabled 2-step authentication with Google Authenticator.
Now I'm starting to see my Google Search Rankings return, another worrying factor
What does this mean?
Well, I've in a good place with my content security. As long as I maintain my site – keep it updated, use strong passwords – then my content security should stay in place.
But what have I learned from this terrifying experience?
8 Steps to Content Security
1. Don't have more websites than you can manage
My first mistake was to have websites on my server that I couldn't maintain. This meant they were vulnerable to hackers. I thought that if my active sites were up-to-date, they would be fine. I had no idea that a hacker could take down everything from that point. I have now deleted and merged 7 sites down to 2. This will mean that I can keep them all updated and secure.
2. Keep your website up-to-date
I thought I was doing well here. On my active sites I always update my WordPress core, plugins and themes. Last time I saw a friend's backend (oi, naughty!) she had more that ten updates outstanding. This lulled me into thinking that I was more secure than I actually was. The sites that I wasn't actively using were out-of-date, and this was the exploit.
3. Don't use the default username
Wordpress websites set the default username as ‘admin'. Guess what hackers try first when they try a brute force attack? I've now taken to using a password generator to choose my username, because no one will be able to guess bjKjb4jJKb52£n (note: not my actual username or password). I also wouldn't recommend using an email address associated with your website domain (e.g. firstname.lastname@example.org)
4. Use a secure password
The easiest step to content security you can have is to use a secure password. I recommend using 1Password or LastPass. Don't use ‘password', ‘abc123' or any of these commonly used passwords. Again, hackers know these passwords are common, so they will be the first ones that are tried.
5. Install security plugins on your website
As I've mentioned, WP Saracen installed Bulletproof Security Pro, Sucuri, Updraft Plus and Wordfence. I'll admit, I don't know what these do, but I do trust the experts that installed these for me.
6. Be careful what plugins you use
Wordpress is great because there is a plugin (or several) to do whatever you need. And many are available for free. Here lies a problem, as free plugins are more likely to contain malicious code than paid premium plugins. This is not to say that all free plugins are harmful, but developers of paid plugins can afford to keep them updated. Here are a few clues to guide you:
- How many installs has it had? 100,000 and you're probably okay. 30 and you should probably avoid.
- What are the user ratings? 5 stars (from a large number of people) and you should be fine. 1 star or no reviews and you should avoid.
- When was it last updated? Last week, great! More than six months ago, I'll give it a miss.
7. Use 2-factor authentication
The final step I've taken is to use Google Authenticator to confirm my login. This gives me a 6-digit code on an Android app that I enter to prove that it's me that's logging in. It means that no one can log into my website without having access to my phone.
8. Make regular backups
I cannot guess how long I've spent working on this website. If I didn't have a backup, all of that work would have been lost. And it would have taken me even longer to get back online. Updraft Plus is a useful plugin for backing up your site.
Being hacked is a very scary experience, and one that I wish I hadn't experienced. It has taken me about 30 hours to get my online properties back online, and I was lucky to have backups – without these it would have been even longer. I've shared some ways you can increase your content security for free, by keeping your site updated or using stronger passwords, but some security measures will come at a cost.
But the 30 hours I spent getting back online was 30 hours that I couldn't take on any clients, which cost me more than implementing the new security methods.
It's easy to think that it won't happen to you – that's what I did. But now it's happened to me I won't be so complacent again.
It may have cost me money, but what price can you put on piece of mind?
This article is not a guarantee that your site will not be hacked, but these steps may reduce the chances that you are.