Website Security – Really Needed?

Home Forums WordPress Website Security – Really Needed?

This topic contains 40 replies, has 1 voice, and was last updated by   Peter Wootton .

  • Author
    Posts
  • #4045

    Simon Chapman
    Member

    I get the SSL certificate needs, but what about website security. Is it a MUST on all sites? I am debating which sites really call for it.

  • #4046

    Peter Wootton
    Keymaster

    There are literally bots roaming the internet 24/7 trying to break into WP using known security holes, brute force methods, etc. So yes, all sites call for it.

  • #4047

    Peter Wootton
    Keymaster

    It’s free with LetsEncrypt, so there’s really no excuse for not having it other than laziness.

    • #4049

      Peter Wootton
      Keymaster

      Can I use this on both GoDaddy and Bluehost hosting sites? I have a few clients on Go Daddy and a few on Bluehost.

    • #4050

      Peter Wootton
      Keymaster

      Unfortunately you have to buy SSL certs for GoDaddy.

      Not sure about Blue Host.

      I’d not use either of them as hosting if possible.

  • #4048

    Peter Wootton
    Keymaster

    Don’t think he is talking about SSL. He he.

  • #4051

    Peter Wootton
    Keymaster

    Go for SiteGround, they provide a free SSL certificate

  • #4052

    Peter Wootton
    Keymaster

    so does A2 Hosting

  • #4053

    Peter Wootton
    Keymaster

    You can get a free SSL on GoDaddy. It’s hard work but I have managed to do it before.

  • #4054

    Peter Wootton
    Keymaster

    I have the SSL. Was wondering about the web security. I clearly need to rest as my words are getting all jumbled. Lol but thank you.

  • #4055

    Peter Wootton
    Keymaster

    It’s hard to believe how active the bots are until you see the reports from a security plugin. I have several sites I use for fooling around & figuring out how things work. In other words, no real traffic whatsoever. It is common to see 20-30 blocked attempts per DAY.

  • #4056

    Peter Wootton
    Keymaster

    Website Security should be from day 1. Not an afterthought.

    Think of the money you lose when there is a downtime.

    Calculate the manpower hours, the sales, time to get a professional trying to get the problem fixed.

    Time = money.

    • #4057

      Peter Wootton
      Keymaster

      Think of the lawsuits, if you lose personal information!

    • #4058

      Peter Wootton
      Keymaster

      That alone will be enough to terminate a SMB.

  • #4059

    Peter Wootton
    Keymaster

    Thanks. Which providers do you suggest?

  • #4060

    Peter Wootton
    Keymaster

    Hi, the SSL is not the same as website security. It encrypts the data when doing transactions and a few other pieces. Google is preferring these secure sites. It does not protect you from hackers. You also need security from those, and no matter how small your site is you will have attempts to intrude. If you have WordPress there are a few good plugins for that.

    • #4061

      Peter Wootton
      Keymaster

      Thank you. I knew the SSL was a bit different than web security. Now I’m on the hunt for the great plugins. Thank you so much.

    • #4062

      Peter Wootton
      Keymaster

      WordFence is one popular one.

    • #4063

      Peter Wootton
      Keymaster

      Is a site with forced SSL not more secure, than one without? You can pretty much eliminate Man-In-The-Middle attacks, as well as other cybersecurity problems. Saying it offers no protection against hackers is not exactly correct.

      It should be the first step in securing any website.

  • #4064

    Peter Wootton
    Keymaster

    I like WebARX & Malcare. I used iThemes security Pro in the past but left it behind for these two. I got both on AppSumo lifetime deals & don’t know how affordable they are at regular rates.

    • #4065

      Peter Wootton
      Keymaster

      Ditto, they rule the roost over all my sites now. Thanx AppSumo! Beforehand, I used Wordfence and iThemes – so much work though.

  • #4066

    Peter Wootton
    Keymaster

    I think the most important thing is to just get a security plugin loaded up. WordFence or iThemes are two of the most talked about, so I’d go with one of those just to get your site protected. You can worry about the (endless) debates later on which is better, etc. But both products will protect you at the free level. There are many others in the WordPress Repo for free, of course — choose any of them for now and readjust later

    • #4067

      Peter Wootton
      Keymaster

      ^^ I agree. WordFence or iThemes Security are the best known and do a great job. I also agree to pick one, get it set up. After that you can spend time researching if you want to upgrade or change to another. Great job getting on the right track! My own choice is iThemes Security Pro. I’ve used it for years.

    • #4068

      Peter Wootton
      Keymaster

      Yes, the great security debate reminds me of the great speed debate — of which plugin will shave off a second here and there in your GTmextrix score, and so on. The reality is most small site developers have clients with far more pressing basic marketing needs and the clients don’t even know their web person is stressing about so much of these things in the background (and likely not being charged either), but it’s easy to get caught up in the hype that other pros tell you what is best. I am a longtime WordFence fan, but recently have stopped paying for the pro subscription for my client sites, and am now experimenting with lighter weight alternatives in the WP Repo. use iThemes for everything but security currently, and am trying them out as well. But in general, just getting back to the basics and trying to stop chasing idealism in security & speed.

  • #4069

    Peter Wootton
    Keymaster

    BlueHost and GoDaddy. Wow. Terrible reputations for secure systems.

  • #4070

    Peter Wootton
    Keymaster

    Google has publicly stated that SSL is now a ranking signal in Google’s search algorithm. This means that a website with SSL enabled may outrank another site without SSL.

    That’s exactly why anyone who owns or operates a website should start taking the steps to secure their website with an SSL certificate, in addition to a few other security measures. Businesses that don’t take care to protect visitors’ information might see significant issues, garner unwanted attention, and dilute customer trust.

  • #4071

    Peter Wootton
    Keymaster

    Ok, my website opened last week. I have already had TWO attempts to hack it. I have the free version of I themes security and it not only stopped them but added the users up addresses to a block list. So yes, you need security.

  • #4073

    Peter Wootton
    Keymaster

    Without a security plugin, you are much more vulnerable to malware. Then Google plasters a huge red square in place of your home page warning site visitors that you’re site is infected. Then you have to either pay someone to remove the junk (which might affect some functionality) or completely delete your site and database and re-install a backup that, hopefully, is free of the malware or you’ll need to to that all over again with a still older backup. Once handled, you will need to alert Google to re-crawl your site and verify that the malware is gone so they will remove the giant red square warning.

    Or, you can make a decent attempt at preventing all the above, saving yourself tons of wasted time and stress that you certainly don’t need and Murphy’s Law dictates will happen at the absolute worst time, by installing the iThemes Security or WebARX plugin.

    The malware bots are indiscriminate and will attack the little, obscure sites just as aggressively as they would a well-known site. Nothing is 100%, but why roll the dice completely when you can take very good free/low cost defensive steps? Good luck and don’t delay!

    • #4074

      Peter Wootton
      Keymaster

      This is spot on advice

  • #4075

    Peter Wootton
    Keymaster

    I did a talk last weekend at a conference here in Australia about the mistakes beginners make when setting up their website and one of them was not having security in place from the start.

    There is no excuse not to have a plugin like WordFence installed on your website.

    Just remember that it’s only a preventive solution, you also need to make sure you keep All your plugins up to date, core files, use robust passwords, get better hosting, etc. etc.

  • #4076

    Peter Wootton
    Keymaster

    For WP sites there are 3 security plugins you can find in the WP repository I use on my personal sites as well as client sites: Rename wp-login.php; WordFence; & mini-orange 2 factor. For backup/recovery consider UpdraftPlus… regardless of the security/defensive route you take.

  • #4077

    Peter Wootton
    Keymaster

    Short answer – yes, both SSL and a good security plugin set up correctly are a must on all websites. Make sure you also have super secure passwords and are not using ‘admin’ as a user login.

  • #4078

    Peter Wootton
    Keymaster

    WordFence seems to cause certain performance issues, Sucuri is very solid.

    • #4079

      Peter Wootton
      Keymaster

      Can you elaborate on these performance issues?

    • #4080

      Peter Wootton
      Keymaster

      High memory usage, can slow your site.

    • #4081

      Peter Wootton
      Keymaster

      Are you using free Sucuri or paid?

    • #4082

      Peter Wootton
      Keymaster

      I’ve had the opposite experience, maybe how the servers are setup, hosting firewalls, etc..

    • #4083

      Peter Wootton
      Keymaster

      Just turn off real-time scanning for Wordfence and the high CPU usage will go away.

    • #4084

      Peter Wootton
      Keymaster

      I know that WF has a setting if using on shared hosting.

  • #4085

    Peter Wootton
    Keymaster

    From WordCamps I learned you need a security plugin, WAF and malware scanner for best security measures. Good password and login and update plugins as mentioned above too.

  • #4086

    Peter Wootton
    Keymaster

    Ecom site & google ads word must have ssl cert

You must be logged in to reply to this topic.