Step 1: Backup your entire website
Make sure you have a worst case scenario backup plan. Sure any web hosting service worth it’s salt will keep backups of your website but don’t just rely on that. What if they went out of business and shut down operations suddenly, would you be able to get your website back online with another hosting provider? What if your website was hacked but you didn’t notice it for several weeks, would your hosting provider have a clean backup to restore? Take these matters into your own hands and have a backup plan in place. Make sure you have your own backup of your website. Make sure your backup includes everything needed to get your website back online. If you update your website regularly you should save a new backup at regular intervals.
Step 2: Keep your website software up-to-date
Cyber-criminals and hackers are constantly scanning the web for websites with security vulnerabilities. Popular CMS software such as WordPress is scrutinised for any security weaknesses that can be exploited. If any security holes are exposed the WordPress team responds quickly with a security update. But you must update your website software to the latest version of WordPress to make sure you have all the security updates. If you are running an old version of WordPress, it may have known security holes which leaves your website vulnerable to attack. So make sure you regularly update to the latest version of WordPress (or whatever CMS software you are running). Beware that updating the software can have it’s risks – the upgrade could fail leaving your website inaccessible or there could be incompatibility issues, so it is important to backup your site prior to upgrading. WordPress plugins should also be kept up to date for the same reason. You can read the release notes for WordPress and plugins to determine if the latest release includes any security updates.
Step 3: Use strong passwords and keep the safe
A weak administration password could be the biggest security hole in your website. It is best to use passwords of at least 10 characters. They should contain a combination of upper case, lower case, numbers and symbols. It is safer not to use the same password for multiple different purposes (read about risks of reusing passwords). It is also recommended to change your passwords from time to time. That can mean a lot of passwords to remember so a secure password storage utility such as KeePass (Win), KeePassX (Mac, Linux) or Password Safe (Win) comes in handy for keeping track of all those passwords in a secure manner.
Step 4: Ensure your website is configured as securely as possible
Certain measures can be taken to add an extra layer of protection from hackers scanning your website beyond what is provided by the out-of-the-box content management system. e.g. Certain information that does not need to be displayed but could be of help to hackers can be hidden. For WordPress websites there are security add-ons that assist you with making your website more secure. One that we use and recommend is Better WordPress Security.