It is every single website owner’s worst nightmare to realize that their website has been hacked. Infected sites can wreak havoc for everyone and cause a lot of damage in their wake. It is a very serious matter that should be tackled as soon as the infiltration has been discovered. However, the first thing to do at this moment is to take a slow, deep breath, and know that your website will be up and running clean once again. Listed below is my step-by-step guide for anyone with an infected WordPress website who is wondering what to do next.
I get asked all the time “what is the big issue with maintenance? My site is online. Why should updating or backing up the site matter?”
First, websites are not “build it and forget it” projects, as many people think they are. Too often when a site is built by someone else, they forget to tell the site owner that there are certain things that need to happen once they turn the site over to the owner. This can end in bad news for the site owner later down the road. Maintenance can take just a few minutes each month and can save you a lifetime of headache in the long run.
Backups are essential!
I tell clients and new users all the time “nothing is ever permanent if you have a backup.” This should be learned back in the high school paper writing days and then carried with you for the rest of your life. Remember staying up late writing a paper and then shutting down your machine without saving, only to find out the next morning that the paper was gone? Imagine that happening when you are working on your website. Any time you are adding a new plugin, editing any of the files, or changing any functionality of the site, it is crucial to make a backup first. That way, when things break, you always have a backup to revert to. Plugins like BackWPup, BlogVault, Jetpack, and BackupBuddy can help you set up automatic backups of your site. Just remember to have them sent to a place other than your server for safe keeping. Most plugins have a cloud option, or you can have them sent to a Dropbox account or an AWS S3 bucket.
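As an added illustration of the “files plus database, checksummed, then shipped off-server” backup the paragraph above describes, here is a small Python routine. It is example code written for this page, not the code of any of the plugins named; the site path, the `mysqldump` invocation and the database credentials are assumptions, and the constructed sample site in `demo()` stands in for a real install. Shipping the archive off-server (to S3, Dropbox or similar) is left as a separate step.

```python
"""Minimal WordPress backup routine (added example, not from any plugin).

Assumptions (hypothetical): the site lives in a directory such as
/var/www/example, the database dump comes from mysqldump when credentials are
supplied, and copying the finished archive off-server is a separate step.
"""
import hashlib
import os
import subprocess
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Optional


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def dump_database(out_dir: Path, db_name: str, db_user: str, db_pass: str) -> Path:
    """Dump a MySQL/MariaDB database with mysqldump (needs the tool on PATH).

    The password is passed through the MYSQL_PWD environment variable rather
    than on the command line, so it does not show up in the process list.
    """
    dump_path = Path(out_dir) / f"{db_name}.sql"
    env = dict(os.environ, MYSQL_PWD=db_pass)
    with dump_path.open("wb") as fh:
        subprocess.run(
            ["mysqldump", "--single-transaction", "-u", db_user, db_name],
            stdout=fh, env=env, check=True,
        )
    return dump_path


def backup_site(site_dir: Path, out_dir: Path, db_dump: Optional[Path] = None) -> Dict:
    """Archive the site files (and an optional DB dump) and write a checksum file.

    Returns the archive path, its digest and the stored member names so the
    caller can verify the archive before copying it off-server.
    """
    site_dir, out_dir = Path(site_dir), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = out_dir / f"{site_dir.name}-{stamp}.tar.gz"

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name)          # wp-config.php, wp-content, ...
        if db_dump is not None:
            tar.add(db_dump, arcname=f"db/{Path(db_dump).name}")

    digest = sha256_of(archive)
    Path(str(archive) + ".sha256").write_text(f"{digest}  {archive.name}\n")
    with tarfile.open(archive, "r:gz") as tar:           # re-open to prove it is readable
        members = tar.getnames()
    return {"archive": archive, "sha256": digest, "members": members}


def verify_backup(archive: Path) -> bool:
    """Recompute the digest and compare it with the stored checksum file."""
    archive = Path(archive)
    expected = Path(str(archive) + ".sha256").read_text().split()[0]
    return sha256_of(archive) == expected


def demo() -> Dict:
    """Back up a constructed sample site in a temp dir; returns the report plus a 'verified' flag."""
    root = Path(tempfile.mkdtemp(prefix="wp-backup-demo-"))
    site = root / "example-site"                          # constructed stand-in for a real install
    (site / "wp-content").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php // constructed sample config\n")
    (site / "wp-content" / "index.php").write_text("<?php // silence is golden\n")
    dump = root / "example.sql"                           # constructed stand-in for a mysqldump file
    dump.write_text("-- constructed sample dump\n")
    report = backup_site(site, root / "backups", dump)
    report["verified"] = verify_backup(report["archive"])
    return report


if __name__ == "__main__":
    print(demo())
```

In real use, call `dump_database(...)` first, pass its path to `backup_site(...)`, run `verify_backup(...)`, and only then copy the archive and its `.sha256` file somewhere other than the web server, which is the point the paragraph makes.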
Updates are crucial!
A major line of defense from hackers is updates. Security experts preach often about the necessity of updating a site. They are not wrong.
Updates are made for three reasons.
- The Release of New Features
- To Fix A Bug/Outdated code
- To Fix A Security Vulnerability.
Updating the core, plugin, and theme files when updates come through will keep known vulnerabilities at bay. It is always best to update your site on a staging environment to test before making the live changes. If you do not have the option of a staging site, always run a backup before updating in case you need to revert the site due to conflicts.
Remove any unused plugins and themes
It goes along with the old saying, “if you are not going to use it, get rid of it.” If there are plugins that are sitting in “deactivated” mode, it is best to delete them and then re-add them when you need to use them again. The WordPress Plugin Repository has a fantastic feature where you can save your most liked plugins as “favorites” in your profile. That way you never have to search for the ones you like to use.
As for themes, it is best practice to keep only the theme in use and the most recent WordPress default theme, which you can use for conflict checks if needed. All the other themes should be removed from your site.
Inspect your site regularly
You know your site better than anyone else. Take the time to look at the front end of your site to ensure that everything is working properly. Definitely do this after running updates on your site. Look for any console and visual errors on your site. Doing this regularly reduces the chance that your visitors notice an issue on your site before you know it is there.
Change Your Password
With all passwords, you should be changing them every 6 months to a year. Your password is your first defense at keeping unwanted people out of your site. You can see more of what Can’t Speak Geek thinks about passwords by reading Preaching About Passwords. Also, make sure your passwords are unique and not easily remembered. The harder to remember, the harder it is for password crackers to guess.
Keep up with the commenting
Spam comments can fill up a database very quickly these days. Using something like Akismet can keep unwanted comments off your site and out of your database. It is still good measure to check on your comments often and approve them to share the conversation on your blog posts.
Check your forms
Your forms are what can connect a first time visitor of your site into becoming a customer. If your forms are not working, then your leads from your forms will stop as well. We recommend making a test submission to your forms monthly to ensure they are working properly.
Test your e-Commerce portals
Every so often, we recommend monthly, run a test purchase through your site. The last thing you want is to find out you have lost sales due to your checkout not working. If you are testing your checkout on a regular basis, you will know before your customers do if something is wrong and can fix it before you lose any sales.
How is your site holding up? Make sure that it is not suddenly slowing down or performing horribly due to changes on your site. Google still looks at site speed as a very important factor in where you will rank in its results. I suggest using Pingdom and GTmetrix for performance testing.
Put 404’s to rest along with Broken Links
If a user tries to go to a place on your site that does not exist, it will cause a 404 error. Now, 404 errors that happen because a reader accidentally mistyped an address are normal and nothing to be worried about, but 404 errors that happen because a page is no longer available cause a bad user experience and make people leave your site.
Broken links happen when you have links to outside sites that no longer work. We see this often when linking to other blog posts and/or YouTube videos.
It is a good measure to check on 404’s and broken links to ensure that all links on your site work. The plugin Broken Link Checker does a great job of taking care of both issues. If you need to make redirects for your site, I would recommend the plugin Redirection.
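For readers who want to see what a link check like the one described above actually does, here is an added Python example; it is not the Broken Link Checker plugin’s code. It pulls the `href`/`src` targets out of a page, resolves them against the page URL, skips non-HTTP links such as `mailto:`, and sorts each target into “ok”, “internal 404” (a candidate for a redirect) or “broken”. The status lookup is injected as a function so the example runs offline against constructed responses; `urllib_status` is the real fetcher you would pass in production. The sample HTML, the `example.com` / `partner.example.net` hosts and the status table are all constructed for the demo.

```python
"""Broken link / 404 finder (added example, not the plugin's own code)."""
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin, urlparse


class _LinkExtractor(HTMLParser):
    """Collect href/src targets from anchors and iframes (e.g. YouTube embeds)."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "iframe"):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.targets.append(value)


def extract_links(page_url: str, html: str) -> List[str]:
    """Absolute http(s) URLs linked from the page, fragment stripped, de-duplicated in order."""
    parser = _LinkExtractor()
    parser.feed(html)
    seen, links = set(), []
    for target in parser.targets:
        absolute = urljoin(page_url, target)
        if urlparse(absolute).scheme not in ("http", "https"):
            continue                      # mailto:, tel:, javascript: are not checkable links
        absolute = absolute.split("#", 1)[0]
        if absolute not in seen:
            seen.add(absolute)
            links.append(absolute)
    return links


def check_links(page_url: str, html: str,
                fetch_status: Callable[[str], Optional[int]]) -> Dict[str, List[str]]:
    """Classify every link: ok (<400), internal_404 (redirect candidate) or broken."""
    report: Dict[str, List[str]] = {"ok": [], "internal_404": [], "broken": []}
    site_host = urlparse(page_url).netloc
    for url in extract_links(page_url, html):
        try:
            status = fetch_status(url)
        except OSError:                   # DNS failure, refused connection, timeout
            status = None
        if status is not None and status < 400:
            report["ok"].append(url)
        elif status == 404 and urlparse(url).netloc == site_host:
            report["internal_404"].append(url)
        else:
            report["broken"].append(url)
    return report


def urllib_status(url: str, timeout: float = 10) -> int:
    """Real fetcher for production use: HEAD request, returns the HTTP status code."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "link-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code                   # 404, 410, 500 ... are answers, not exceptions here


# ---- constructed sample data for an offline run -------------------------------------
SAMPLE_PAGE_URL = "https://example.com/blog/post/"
SAMPLE_HTML = """<html><body>
<a href="/about/">About</a>
<a href="/old-post/">An old post that was deleted</a>
<a href="https://www.youtube.com/watch?v=constructed">Video</a>
<iframe src="https://www.youtube.com/embed/constructed"></iframe>
<a href="mailto:hello@example.com">Mail me</a>
<a href="https://partner.example.net/page#section">Partner site</a>
</body></html>"""
SAMPLE_STATUSES = {                       # constructed responses; partner host is "unreachable"
    "https://example.com/about/": 200,
    "https://example.com/old-post/": 404,
    "https://www.youtube.com/watch?v=constructed": 404,
    "https://www.youtube.com/embed/constructed": 200,
}


def fake_status(url: str) -> int:
    """Offline stand-in for urllib_status, driven by SAMPLE_STATUSES."""
    if url not in SAMPLE_STATUSES:
        raise OSError("connection refused (constructed)")
    return SAMPLE_STATUSES[url]


def demo() -> Dict[str, List[str]]:
    return check_links(SAMPLE_PAGE_URL, SAMPLE_HTML, fake_status)


if __name__ == "__main__":
    for bucket, urls in demo().items():
        print(bucket, urls)
```

Run it monthly over each page you care about with `check_links(url, html, urllib_status)`; entries under `internal_404` are the ones to fix with a redirect, and entries under `broken` are outside links to replace or remove.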
These basic maintenance steps are essential to keeping your site online and running properly. Site maintenance is key. In the event you would rather have someone else to take care of the maintenance of your site, there are companies that can help. Companies like WP Site Care, 13Core, and WP Buffs can help you with updates and backups so you don’t have to.
The EU’s GDPR (General Data Protection Regulation) is coming up pretty quick. May 25, 2018 will be here before you know it. This law was actually approved back in April 2016 however had a grace period of two years before it went into full effect. Trying to understand all of the information out there is about like trying to understand tax laws with its 11 chapters and 99 articles. Most of the time it leaves you cranky and your head throbbing.
The quick rundown of GDPR
- Identifiable data is protected. Any data that can be used as identifiable for a visitor falls under the GDPR. This includes and not limited to name, email address, sex, race, age, address, phone number, and birth date.
- It requires that consent is given. If you have the opt-in box checked by default, you need to change it so it is unmarked by default.
- Parental consent will be required to process any and all personal data of children under the age of 16; this can vary per EU member state (country) but it will not be below the age of 13.
- It gives the visitor the right to know what information is being stored about them and why it is being stored.
- It gives visitors the right to have their information to be removed at their request.
- If any data is ever lost, stolen, accessed without permission, the authorities must be notified within 73 hours of the breach becoming known along with every single person whose data was accessed.
- Any new site must be made with privacy in mind. Data requests should be strictly controlled and only given when required.
- Data can only be used for the reason it was given at the time it was given. Then it must be securely deleted when the data is no longer needed.
- A visitor can request their information at any time, transfer that data, or have it removed.
- It also allows national authorities to impose fines on companies breaching the regulation.
While this is an EU law, it affects every single person on the web in one way or another. For all of us in the United States who feel that the GDPR does not apply to them, the first thing you need to know is that if your site has a form, e-commerce, blog subscription, comments, or even a contact page, you will need to have your site GDPR compliant. If your site is reachable by someone in the EU and it is collecting any type of information, that means you! Also, please do not consider just blocking EU IP addresses, as that does not really work either. With the help of VPNs, your site can still be accessed from the EU and still falls in the realm of the GDPR regulations. If you fail to comply, the EU can still fine you up to €20 million per infringement or up to 4% of annual worldwide turnover. That can put a small site or business out of commission.
What you can do to become GDPR Compliant
If you have any opt-in boxes or forms with boxes, you must ensure that they are UNCHECKED by default.
Another item that all sites will need is a Data Viewing and Removal option for visitors. You can find mine on the GDPR Personal Data page. A visitor to your site will now be able to remove their data from your site at any given time.
If you have questions, talk to a lawyer. Find one that is well versed in GDPR. In the long run, it is always better to pay a lawyer a few hundred dollars than possibly millions in fines.
Tools to make compliance easier
In my research of how to handle the GDPR changes for my clients, I have found two options to assist in being GDPR compliant.
Both plugins are free in the WordPress plugin repository and easy to configure. Please do your due diligence before choosing any option to become GDPR Compliant.
TL;DR: Get your website ready for GDPR. If you have questions, ask someone. Don’t just sit back and do nothing. It could become a very costly issue.
DISCLAIMER: Using my guide does not guarantee compliance to GDPR. This post gives you general information and ideas, but is NOT meant to serve as complete compliance package. Compliance to GDPR is a risk-based ongoing process that involves your whole business. Can’t Speak Geek is not eligible for any claim or action based on any information or functionality provided by this post or this website.
Michele got the chance to talk Beginner’s WordPress Security at WordCamp Montreal this weekend. WordCamp Montreal is always a great camp to go to and always has a great lineup of speakers.
Here are the slides from Michele’s talk.
Can’t Speak Geek decided to make a donations page and at first thought it would be best just to use a PayPal button and call it a day. Then Devin Walker from WordImpress said I should try Give. Since I will give almost any plugin at least one shot, I decided to give Give a try.