Keeping your Financial Planner website safe and secure
A few weeks before Christmas, I woke up to a flurry of emails from our website hosts; one of the websites we manage on behalf of a Financial Planner client was under attack!
Thankfully, the hackers didn’t get very far. By following the steps I describe in this video, we ensured the website was as safe as can be. Of course no website is completely secure; last year saw some high-profile website hacks and data breaches, including eBay, the European Central Bank, Equifax, and many others.
Coming up in this video, the steps you need to take to keep your Financial Planner website safe and secure in 2020.
Website security is one of those things you probably don’t think about too much, until of course someone has a crack at your site and causes serious problems. The tips I’ll share in this video are broadly applicable to all websites, but specifically for sites built using the WordPress content management system. WordPress is the CMS we use to build websites and it’s the most popular in the world.
Starting point then is choosing a good hosting company. I regularly come across Financial Planners who have picked the cheapest possible provider to host their site. Cheap hosting is a false economy. It’s likely to result in slower loading speeds, dire customer service, and pretty lousy security standards.
The best website hosts provide multiple layers of security. Our preferred host, Flywheel, includes security at a server level. They limit login attempts; brute force attacks are one of the most common ways hackers exploit websites, and a good hosting company will stop this from happening at site and server level.
And if your website does get hacked, which can still happen with even the most diligent security steps, a good host like Flywheel will remove malicious code from the website, quickly and for free.
The second thing to avoid is using cheap website themes. Premium themes are coded by professionals; free WordPress themes are put together by anyone with a working knowledge of website design, and can often be full of holes, ready for hackers to exploit. Free themes are another false economy; you get what you pay for. Make sure you pick a premium theme that’s still being actively updated by its developers.
You can customise a premium theme to match your colours, fonts and preferred layouts, but using a theme from a small-scale developer is asking for trouble. Watch out where you’re buying from too. Sometimes, websites will offer premium themes at a lower price, or even for free, but the theme will already be infected with malicious code. Always buy directly from the developer, or from a reputable themes website.
With your premium theme installed with a great hosting company, the next step you can take is to install a security plugin. Our favourite for WordPress is called WordFence, and it’s packed with features designed to keep your website safe. I should mention at this stage that our preferred website hosts, Flywheel, say a separate security plugin isn’t needed, because of their own security measures. But installing the WordFence plugin is a bit like having a locked door and a burglar alarm. We’re running it across every website we manage and it’s proven itself on several occasions.
Make sure you use a strong password for your website. Use a strong password generator to come up with a password that’s got lots of characters and a mix of letters, numbers and special characters. Don’t use the same password that you use elsewhere, in case that gets hacked. And make sure you keep your password somewhere safe.
Look, I know it’s a pain in the backside having to use a different, complicated password for every website you use or visit. But from a security perspective, it’s an essential step. There are some great utilities out there, including LastPass, which look after all of your passwords and make it easy to enter them across multiple sites and multiple devices. But please don’t use simple passwords to access your website.
Does your website address start with https? You absolutely need to have a Secure Sockets Layer, or SSL, certificate installed and working properly on your website. As well as boosting your search results, having SSL enabled means information is encrypted before it is transferred between the browser your website visitor is using and your server. This makes it harder for hackers to read the information passing between your server and visitors, and makes your website more secure. Quite frankly, it’s irresponsible to have a website without an SSL certificate these days, and the certificate comes free with our preferred hosting.
You need to keep your WordPress version, plugins, and themes up to date. When you stay updated with the latest versions of these, it makes it harder for hackers to exploit loopholes in code which were found in older versions. If you install the WordFence plugin, it will email you when updates are available, which is a handy reminder. I also recommend deleting themes and plugins from your WordPress installation that you’re no longer using. Deleting old themes and plugins from your website means you don’t need to worry about keeping them updated.
There are other steps you can take to keep your website secure, like disabling file editing, changing the address of where you log in, and hiding configuration files, but following the steps I’ve described in this video is generally enough to deter most hackers.
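As an added example (not part of the original video or tip sheet), this Python sketch audits the text of a `wp-config.php` file for three settings tied to the steps above: file editing disabled, the login and admin area forced onto https, and automatic updates left enabled. The choice of these three WordPress constants as the checks, the function names and both sample files are assumptions made for illustration.

```python
import re

# define('NAME', value); with NAME in single or double quotes
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""", re.MULTILINE)

# Constants that should be set to true, with the risk when they are not.
MUST_BE_TRUE = {
    "DISALLOW_FILE_EDIT": "dashboard theme/plugin file editor is enabled",
    "FORCE_SSL_ADMIN": "login and admin pages are not forced onto https",
}
# Constants that should not be set to true.
MUST_NOT_BE_TRUE = {
    "AUTOMATIC_UPDATER_DISABLED": "automatic updates are switched off",
}

def parse_defines(text):
    """Return {constant: lower-cased value} for every active define()."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)  # drop block comments
    return {name: value.strip("'\"").lower()
            for name, value in DEFINE_RE.findall(text)}

def audit(text):
    """Return a list of (constant, problem) pairs; empty means all checks pass."""
    defines = parse_defines(text)
    findings = [(n, why) for n, why in MUST_BE_TRUE.items()
                if defines.get(n) != "true"]
    findings += [(n, why) for n, why in MUST_NOT_BE_TRUE.items()
                 if defines.get(n) == "true"]
    return findings

# Constructed sample: file editing left on (line commented out), updates disabled.
WEAK = """<?php
define( 'DB_NAME', 'example_db' );
// define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
define( 'AUTOMATIC_UPDATER_DISABLED', true );
"""
# Constructed sample with the hardening settings in place.
HARDENED = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
"""

if __name__ == "__main__":
    for label, config in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(config) or "no findings")
```

A commented-out `define()` counts as missing, which is the common way these settings end up silently disabled.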
I’ve put together a free tip sheet to accompany this video, which you can download at bamfordmedia.co.uk/hackproof, as a handy reminder for the steps you should take to keep your website safe and secure.