Much like securing your home, securing websites for your clients is a never-ending process that evolves as hackers change their methods to try to breach your walls. Website security isn’t the most glamorous part of building an amazing website, but a compromised site will cost your clients much more than putting precautions in place — such as running website safety checks — ahead of time.
Because almost every site on the internet is under constant threat of attack, developers and browsers have created website safety checks that help site owners clearly see the origin of site traffic and alert hosts when a hack is in progress.
Companies like Google are transparently placing a greater emphasis than ever on security, which is affecting everything from algorithms to the way URLs are displayed in the address bar.
When a hack happens, you’ll know it and your clients will know it.
Thankfully, there are a few basic ways to run a website safety check to see whether or not a website is safe.
Customers can easily verify the security of any website by checking the address bar for https:// (instead of the unsecure http://). In Chrome, a green padlock icon also appears next to the URL to indicate the site is being served securely over SSL.
An SSL certificate is a small data file that must be installed on a server to make secure connections between server and browser. Essentially, this guarantees visitors that the site they’re accessing is what it purports to be (non-secure sites can be duplicated and turned into “imposters” by hackers) and that any sensitive data they enter will be encrypted by the secure server.
If you’ve installed an SSL certificate, you can use a tool like whynopadlock to get a detailed report on each element of the site and confirm that all content is being served securely. This includes images, videos, ads and other elements that might require additional clean-up. Sites that are served over the https:// protocol may still display a yellow “!” in the address bar, which means that at least one element still needs securing.
Because WordPress sites account for almost a third of all domains, they are especially targeted by hackers. Luckily, developers have an array of safety check plugins they can install and frequently run to test the safety of their sites.
Some plugins are free, some are paid, and most offer a combination of free services and premium options.
As an expert developer, you should determine which plugin best fits the safety needs of your clients’ websites on a case-by-case basis.
The checklist of potential threats these plugins work to thwart might be longer than you anticipated. Here are just a few of the common security threats all site owners face:
File integrity monitoring
Just because a file is live on a site in good condition doesn’t mean it’s not susceptible to security breaches. The only way to know if a file has been corrupted is to run frequent (and random) verifications comparing the current state of files with a solid baseline. Check out iThemes.
Brute force attack prevention
If it sounds aggressive, that’s because it is: hackers trying username after username, password after password, until they break into your site. WordPress defaults to allowing unlimited login attempts, but plugins that offer brute force prevention set a cap on how many attempts are allowed before an admin is notified.
Even if you think your password is hard to guess, if you’re not protected you’re underestimating hackers’ skill and patience.
Check out Jetpack, which offers brute-force protection and a number of other security features.
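A minimal sketch of an attempt cap with an admin alert, added here as an example and not taken from Jetpack or from the original article. Counting failures per source address, the sliding window, and the limits used are all assumptions; the events are constructed and use documentation-range addresses.

```python
from collections import defaultdict, deque

class LoginLimiter:
    """Cap failed logins per source address inside a sliding time window."""

    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)  # source -> timestamps of recent failures
        self.alerts = []                    # messages an admin would receive

    def _recent(self, source, now):
        q = self.failures[source]
        while q and now - q[0] >= self.window:
            q.popleft()                     # forget failures older than the window
        return q

    def is_blocked(self, source, now):
        return len(self._recent(source, now)) >= self.max_failures

    def record(self, source, success, now):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.is_blocked(source, now):
            return "blocked"                # refuse before checking the password
        if success:
            self.failures.pop(source, None)
            return "ok"
        q = self._recent(source, now)
        q.append(now)
        if len(q) == self.max_failures:     # alert once, when the cap is reached
            self.alerts.append(f"{source}: {len(q)} failed logins in {self.window}s")
        return "failed"

def replay(events, **limits):
    """Run (source, success, timestamp) events through a fresh limiter."""
    limiter = LoginLimiter(**limits)
    return [limiter.record(*e) for e in events], limiter.alerts

# Constructed events: (source address, password correct?, seconds since start).
EVENTS = [
    ("203.0.113.7", False, 0), ("203.0.113.7", False, 10), ("203.0.113.7", False, 20),
    ("203.0.113.7", False, 30),  # over the cap: refused
    ("203.0.113.7", True, 40),   # still refused, even with the right password
    ("198.51.100.4", True, 45),  # other sources are unaffected
    ("203.0.113.7", True, 400),  # window has expired, login allowed again
]

if __name__ == "__main__":
    print(replay(EVENTS, max_failures=3, window_seconds=300))
```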
DNS and WHOIS scans
Even though you’ve registered your own domain, it can still be stolen. You’ll want to make sure the state of both your DNS and your WHOIS is secure. Only a select few plugins offer this important monitoring feature. One of the best is Sucuri.
Spam comment protection
Comments from spammers might not pose the greatest threat to your overall website security, but getting inundated with bogus links and inappropriate content can quickly sink your site. Plugins like Wordfence monitor the source of each of your comments, filtering them to ensure they come from a friendly IP.
You can’t keep an eye on all of your sites at once. That’s why you need some form of site monitoring to alert you of any problems. Tools that track uptime will notify you the second a site is down or whenever a connection timeout occurs, and you can check for interruptions as frequently as every minute. ManageWP has the most comprehensive uptime monitoring tool.
Editor’s note: ManageWP recently joined the GoDaddy family.
Make website safety checks a priority
Keep in mind that you might be using a host that has all WordPress security already baked in. But if you’re not, find the plugin that will protect your site the best and consult with your client to sell them on why such a security measure is so vital.
The good news is that most security checks are automatic and will alert you in real time if an attack is in progress. As long as you don’t discount the importance of shoring up your site’s protection, you’ll be able to focus on running your business while hackers get shut out time after time.