Privacy Checklist: 10 Tips for Protecting Visitors to Your WordPress Site

Businesses of all sizes—bloggers, SMBs, eCommerce companies, large enterprises, and more—understand the importance of having a website. Without it, a business is relegated to the more time – and labor – intensive (and not to mention outdated) method of increasing brand recognition and converting leads through cold calling and word-of-mouth.

Plus, if your brand doesn’t have a website, you’re relying on customer reviews on sites like Yelp, Glassdoor, social media, and others to dictate how consumers should feel about you.

You don’t want to do that.

A website is an essential part of every business’s identity. And like any part of your business that speaks directly to your audience, you want to make sure it offers a safe, reliable, and professional experience. Your site is an extension of who you are as a brand, a company, and a service provider, so it’s important to have full control over your online identity.

Website design, functionality, and mobile responsiveness are all important in helping brands establish credibility with their audience. However, without the proper security measures in place to begin with, all that effort you spend in setting up a great looking website may be for naught. If your site gets taken down, if a lapse in security leads to stolen customer information, or if your site becomes an attack vehicle for hackers, the effort you put into design and development won’t matter anymore—especially to visitors who had grown to trust you.

For the Web Is Dark and Full of Terrors…

The WordPress security team goes to great lengths to ensure they’re providing a safe and secure CMS for customers to build and manage websites from. The team includes security experts who are quick to act when there are potential security risks in the WordPress core software or third-party tools like plugins and themes. You also may have noticed they will occasionally release updates to patch up system fragilities. However, that doesn’t mean the platform is 100% free of risk.

Due to the popularity of third-party tools used in tandem with WordPress, the CMS is not always as secure as they’d like it to be. That’s no reason to start distrusting third-party plugins, themes, or software providers, however. It simply means you should be taking measures to ensure that if WordPress’s team misses a potential security risk, that you’ve got tools in place to monitor and protect your website and its visitors.

So Who Is at Risk?

Some of you may be thinking, “Well, I’m a [small business owner/independent blogger/freelancer/etc.] with a relatively small audience. I’m not going to get hacked.”

The truth is, hackers don’t care who you are. If they spot a weakness in your website’s setup, they will attack and put your business at risk. Even if your website doesn’t collect (or store) payment, login, or other personal information, hackers will find a way to make your website work for their own purposes.

So who really is at risk here? The answer: Everyone.

To clarify, “everyone” not only refers to your brand or business; “everyone” refers to any person who has visited your website. As you’ll see soon enough, attacks on websites aren’t always done for the purpose of destroying a business’s reputation (though that is pretty much a guaranteed end result regardless). Hackers often take advantage of site vulnerabilities in order to gain access to customer data they wouldn’t otherwise be able to retrieve on their own.

It’s important to remember the following:

• Don’t think you’re immune to an attack because of your business’s size or level of visibility.
• Make sure you’re aware of the potential risks.
• With the right monitoring and management tools and process in place, you can recover your website from a hacking attempt. Your customers’ information may not be so lucky, so guard it well (i.e. not on your site).

WordPress Website Risks

In a recent Wordfence survey, WordPress users were polled to find out what sort of attacks they’ve experienced on their website. Here is a summary of those results, ranked by the most common attack type:

Site Defacement (~25%)

What happens? Attackers either replace your website with their own content or they take down your website completely. Hackers don’t need a reason to do this other than to make a statement.

Email Hacking (~20%)

What happens? Attackers take control of your email and use it to send out spam. There may be a number of reasons why a hacker would do this; among them: to use your email server for free, to destroy your business’s reputation, or to send out malicious links and content on behalf of a source people trust (that being yours).

SEO Improvement (~18%)

What happens? Hackers will plant their own links and content within your site in order to improve their own website’s SEO. While search ranking criteria can change based on trends in how people use the web (eg. mobile device adoption, social media for search, etc.), one thing will stay the same: when a reputable source links to a website or content, that website will then be seen as a trusted source too.

Redirects (~15%)

What happens? Hackers will use your trusted source as a way to automatically funnel new, unsuspecting traffic to their site. So when someone tries to visit your website, they are instead taken to the attackers’ website containing malicious content.

Page Impersonators (~5%)

What happens? Attackers create what are known as phishing pages that look like valid forms. They’ll create these impersonator pages to lure site visitors into giving them personal information.

Malware Distribution (~3%)

What happens? Attackers gain access to your website and then distribute malware to all of your visitors’ computers in order to retrieve their personal information.

Information Jacking (~20%)

What happens? If you store sensitive customer information on your website (payment information, logins, personal information, and more), attackers only need to gain access to your site in order to steal it.

Attack Launchpad (~2%)

What happens? Again, by leveraging your website as a trusted source, attackers can use your server to gain access to and attack other websites.

Ransomware (~2%)

What happens? Just as the name implies, ransomware is a form of software attackers will implant on your website so you can no longer gain access. Their hope is that you won’t have a backup or another way to get back in, and will in turn be willing to pay a “ransom” for it.

Content Host (~1%)

What happens? Attackers gain access to your server in order to host their own malicious files there.

Referral Spam (~1%)

What happens? If you’ve ever reviewed your website’s referring sources list from Google Analytics, you may have noticed some odd-looking websites on there. These are due to bots that were set up on your website. So when traffic is referred from your website to another source, instead of seeing your url in their analytics, they’ll instead see the fake referral website.

As you can see, attacks can come in all shapes and sizes. Some hackers want to use your website’s good reputation for their own devious purposes while others just want a way to gain access to all of your visitors’ personal information. Regardless of the type of attack, it’s clear that hackers won’t discriminate on what type of business they hit if they see a weakness they can take advantage of.

Ensuring Privacy for Your Site Visitors

Regardless of your business type or size, it’s important to be aware of the risks your website visitors take when they go to your site. They trust that a visit to your site and the handing over of their private information will be handled securely. So if you want to maintain your customers’ trust and keep their confidence in your brand intact, you need to take the appropriate steps in securing your website.

1. Invest in Good Hosting

By hosting your WordPress website on a trusted provider’s server, you’re taking the first step in securing your website and protecting your visitors’ privacy. Quality hosting services will provide you with a number of site security assurances, including 24-hour monitoring, regular website backups, and individual hosting space (since sharing with another account could bring any corruptions from that site over to yours).

If you’re unsure of whether your current host provider or others you’re looking into provide a safe environment, check their reviews. If they have ongoing issues with security or have a track record of poorly managing issues customers have brought to them, you’ll want to find someone else.

2. Use a CDN

At this point you might be wondering why we would suggest that you invest in additional “hosting” services if you’re already paying for a reputable hosting provider. Well, a CDN (content delivery network) isn’t really a hosting service. A CDN sits on top of your hosting and aids in the delivery of your website’s non-static content to visitors, no matter where they’re located around the world.

CDNs are most commonly associated with faster site load speeds, but many of them—like CloudFlare—provide additional security checks for your website.

3. Set Up SSL

For any website dealing in sensitive information, SSL (Secure Sockets Layer) is an absolute must. Once you’ve lined up a hosting provider you trust, look to see if they offer SSL certificates as well (which many of them do). If they don’t, there are others who can issue a valid certificate for free, like Let’s Encrypt.

The main purpose of SSL is to create an extra layer of protection (via encryption) for your visitor’s information so third parties can’t gain access to it. In addition, SSL encryption comes along with the added benefit of improved SEO. As Google and the other search engines seek to refer traffic to valid and trusted sources, your SSL certificate stands as proof of this.

4. Consider DDoS Protection

In the Attack Launchpad security threat mentioned above, we discussed how hackers might be invading your site for the purposes of attacking another one. That’s essentially what DDoS (distributed denial of service) is. Hackers will use a number of methods to direct an overwhelming amount of traffic to a website in the hopes of forcing the site to crash and consequently denying site visitors any access.

If your company is a larger enterprise and/or you process a lot of transactions, making an investment in a DDoS mitigation service is not a bad idea. The cost of your site going down and all business coming to a halt can be disastrous for a company, so consider this extra layer of protection a necessity. A number of companies with CDN services—like Incapsula—offer DDoS protection as well, so take time to research and see whether it’s possible to bundle your security services under one umbrella (and save some money).

5. Install a Firewall

Your host provider should have already installed a firewall for your server. While firewalls are a great way to keep out unwanted visitors, many hackers these days have found creative ways to get around them. To be on the safe side, add a firewall to your website for an extra level of protection.

ConfigServer Services offers a free one you can use. If you’re unsure of how to install it yourself, check with your host provider and see if they can help. If you’re on a shared server, they should be able to do this for you without a problem.

6. Keep Plugins in Check

Most WordPress website vulnerabilities come from plugins. WordPress’s security team reviews all third-party tool submissions, but it’s inevitable that some insecurity will make it through—and plugins happen to be the most common place where it does.

There are three things you can do to make sure your plugins are kept in check:

1. Read through the information WordPress collects on all plugins. Check for WordPress version compatibility (which indicates they’re keeping plugins up-to-date alongside WP security updates), last update (which indicates a developer who stays on top of the plugin’s maintenance), active installs (which indicates how many other users trust the plugin), and ratings. Take it one step further and read through the negative ratings to see if anyone has reported security issues in the past.
2. Review the plugin’s scripts to verify there isn’t any malicious coding in it. Note: this will require that you know PHP. If you need assistance reviewing any scripts or coding, Defender can scan your site for vulnerabilities. Anything deemed unnecessary or potentially harmful should be stripped out.
3. Use a security plugin to monitor and report on any potential issues with other plugins as well as to use brute force protection. While there are a number of well-rated security plugins available, Wordfence is a popular option with over a million downloads and a rating of 4.9 out of 5 stars.

7. Disable Error Reporting

Did you know that when your site throws an error that your server path will be displayed for all to see? Hackers know this and they will keep an eye out for that information if you haven’t disabled front-end error reporting. Rather than give that valuable information away for free, disable those notifications.

For more on error reporting, check out our post Debugging WordPress: How to Use WP_DEBUG?.

8. Clean Up Your Spam

The amount of spam hitting a website can be a problem. Spam isn’t just an annoyance, but it also can pose some serious security risks. That’s why plugins like Akismet were created—so you can easily block comments from known spammer IP addresses.

In collecting IP address information on your website though, you’re putting visitors’ privacy at risk. The only way to keep that information safe is by not storing the IP address information from commenters in the first place. So if you get rid of IP address information on your site, how do you prevent spam comments as well as trackbacks and pingbacks from coming through?

• For splogs (fake spammer accounts), you can use our Anti-Splog plugin.
• For trackbacks and pingbacks, you merely need to update your WordPress settings to not “allow link notifications from other blogs.” You can read more about it in our post How to Stop WordPress Trackback and Pingback Spam.

9. Enforce Stronger Login Settings

There are two types of logins you need to be concerned with on your website: your own as well as those of your visitors. Any time someone is given access to your website (on either the front or the backend), there is an increased risk of someone else maliciously entering or gaining access to private information.

With that being said, there are a number of ways you can ensure certain login guidelines are enforced (just make sure you’re abiding by them as well):

• Encrypt users’ passwords with bcrypt hashing
• Secure the wp-admin directory (which contains access info for everyone) by requiring an additional username and password in order to access the folder.
• Add the Google Authenticator plugin for two-factor authentication.
• Require users to choose a strong password containing letters, numbers, and symbols.
• Limit login attempts and lockout anyone who exceeds a certain number of those attempts.

10. Restrict Access

Restricting access to your website isn’t just about keeping hackers out, it’s also about making sure that any user given access for specific purposes sticks to those purposes. Here are some restrictions you should plan on setting:

• Your wp-config.php file contains a lot of valuable information. In order to secure that file, move it up one level above your WordPress installation. This will ensure that whoever tries to access it receives an error message instead.
• Update your security keys regularly. Our Defender plugin will handle this for you with one click.
• You’ll also want to disable edit capabilities for admin users. This will force anyone trying to access your PHP files (like themes, plugins, etc.) to log in through FTP.
• Carefully manage your users’ roles and access within WordPress so they only have access to the areas of your site they need to get into.
• On a related note, make sure to remove FTP access immediately after a user has completed the necessary work within it.
• Disable directory browsing so hackers and unauthorized users can’t see any of the files on your website.
• The .htaccess file is going to be your best friend when it comes to controlling site access. Set up rules to restrict access and site visits automatically.

It should also be noted that all of these suggested tips for ensuring privacy are especially important for eCommerce websites that deal with the exchange of financial data. In order to achieve PCI compliance, you need to have certain systems in place to ensure you’re securing customer info.

Remember: your main goal in using more reliable security services and having stricter standards for your website is so you can protect visitors’ information. If they start to feel in any way that your website is compromising their safety, they’re going to abandon it in search of someone else’s who can give them that sense of security.

If you have any further questions on what you can do to secure your website, check out the Ultimate Guide to WordPress Security.

In Case Your Site Does Get Hacked

There are a number of ways you can find out if your website has been the victim of hacking:

• Google search warnings
• Google Webmaster tools detect malware
• Hosting provider takes your website offline
• Google Analytics shows a severe and permanent drop-off in traffic
• A customer tells you (which you want to prevent at all costs)

WordPress website security is not always a sure thing, but there are steps you can take to ensure the effects of an attack are not long-lasting or inflict irreparable damage to your brand.

1. Review WordPress’s guide on how to deal with being hacked.
2. Reset your WordPress, cPanel, FTP, and other database logins and secret keys immediately.
3. Check the list of website users. Anyone you don’t recognize should have their access privileges revoked.
4. Check in with your hosting provider, especially if you use shared hosting and your site’s attack has put others at risk.
5. Run a Sucuri or Wordfence scan (or use whichever security plugin provider you have) on your website.
6. Run a scan on your computer. Have all other website admins do the same.
7. Review your .htaccess and wp-config.php files for any errant coding or scripts. Remove any corruptions.
8. For any files, plugins, or themes found to contain potential security risks, remove and reinstall secure versions (if you still need them).
9. If your website has gone down or the rework needed to remove the malicious content is excessive, replace your website with a backed-up version.
10. Once the threat has been identified and removed, notify any parties potentially affected so they can take security precautions on their end.

In case you missed it last year, check out what happened to Jenni McKinnon when she skimped on securing her WordPress website and what she ultimately did to recover from it. There are some good lessons to be learned from her experiences.

Wrapping Up

A breach in your site’s security can mean huge losses for your business in revenue, time, SEO, brand reputation, and your audience’s trust

You can’t afford to hold off on securing your website until something happens. Do your due diligence and ensure that you’ve got the right security tools in place; that you’re working with trusted third parties; and that you’re not storing sensitive company, user, or visitor information on your website.

Your website is the face of your company and the only true touchpoint on the web where visitors can learn more about you. Don’t let their experience suffer or let them put their personal privacy at risk because you failed to take the appropriate preventative measures.