September 18, 2019
by Lori Shecter

Secure your website and payments from hackers


Over 72 million websites run on the WordPress CMS and its plugins.  There are countless ways the “bad guys” can break into your website, your web server, or even your payment gateway.  Here are ways to help keep them out. It is a lot to do, but preventing a compromise saves you time and money in the end. Nothing is foolproof.  Even the largest companies have security incidents, but these steps will make your digital presence a much harder target whether you are a non-profit or a business.

5 Ways you can be hacked

1:  Your domain:  

Your domain name is registered, and its DNS records hosted, by a registrar or hosting company such as GoDaddy, HostGator or Network Solutions.  Whoever controls that account controls where your domain points, so secure the login first.  Avoid predictable user names such as “admin” or your own name; something like L0r1Sh3c!3r (Lori Shecter) is harder to guess, but remember that the user name is not a secret and the real protection comes from the password and a second factor. Every password should be long, randomly generated (a password manager will do this for you) and never reused from another site. If the registrar offers two-factor authentication, turn it on: you will then have to enter a code (by text message or, better, from an authenticator app) each time someone logs in to the account. If attackers get in, they can change your DNS records or set up redirects so that your domain sends visitors to sites you want nothing to do with. 

If it happens, call your registrar or DNS hosting company as soon as possible and have them lock the account, remove the redirects and restore your DNS records.  They may have to re-enter the A record with the IP address of your real web server.  

2:  Your WordPress Website

Unfortunately, the good news about WordPress is also the bad news.  The good news: the huge plugin ecosystem gives WordPress very robust functionality.  The bad news: those plugins run with the full privileges of your site and are a frequent target of attackers, so plugin developers constantly have to patch their code.  There are SO MANY ways to protect a WordPress site that it is impossible to list them all here, but these are the minimums you should consider:

  1. Install a TLS (“SSL”) certificate and redirect all HTTP traffic to HTTPS, so logins and donor details are never sent in the clear.
  2. Update WordPress core, themes and plugins promptly, at least twice per month, and enable automatic updates where you can.  The WordPress dashboard shows you which updates are security fixes.  Delete plugins you no longer use; an inactive plugin is still attackable code sitting on your server.
  3. Install the Wordfence security plugin (web application firewall, malware scanning and login rate-limiting).
  4. Put the site behind a security service such as Cloudflare.  Cloudflare has free and paid options; the free option includes a TLS certificate at Cloudflare’s edge.  Set its SSL mode to “Full (strict)” so the connection between Cloudflare and your own server is encrypted as well.
  5. Username and password:  DO NOT use “admin” as your user name.  Use a randomly generated password kept in a password manager.  Add a captcha and/or two-factor authentication (a code by text or authenticator app on every login) to the login form.  Moving the login away from the default www.website.com/wp-admin and wp-login.php paths cuts down automated attacks, but treat it as a nuisance for bots, not as real protection.
  6. Back up regularly and keep the copies somewhere other than the web server, so you can redeploy if the site is wiped.  The database (which holds all your content) should be backed up daily; the website files (code, theme, uploads) weekly, or whenever you change them.  Test a restore now and then so you know the backups actually work.
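To turn the checklist above into something you can verify rather than just remember, here is an added example (written for this post, not code from WordPress or from the original author) that lints a wp-config.php offline: it flags authentication keys and salts left at the sample placeholder, a dashboard reachable over plain HTTP (FORCE_SSL_ADMIN), the built-in file editor (DISALLOW_FILE_EDIT), debug output left on, an empty database password and the default table prefix. The constants it inspects are real wp-config.php settings; the two sample configs are constructed, and the DISALLOW_FILE_EDIT, WP_DEBUG and table-prefix checks go beyond the items in the list above.

```python
"""Offline lint for a WordPress wp-config.php against the login, TLS and
hardening points above.  Added example for this post, not WordPress code;
the constants inspected are real wp-config.php settings, the sample configs
below are constructed."""
import re
import secrets

# Placeholder shipped in wp-config-sample.php; keys left like this are predictable.
PLACEHOLDER = "put your unique phrase here"
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def parse_defines(php: str) -> dict:
    """Map NAME -> raw PHP value text for every define('NAME', value); statement."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(php)}


def _is_true(raw: str) -> bool:
    return raw.strip().lower() == "true"


def audit_wp_config(php: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    defines = parse_defines(php)

    # Keys and salts sign WordPress login cookies; a guessable value lets an
    # attacker forge a logged-in session for any user, including admins.
    for key in SALT_KEYS:
        raw = defines.get(key)
        if raw is None or PLACEHOLDER in raw or len(raw.strip("'\"")) < 32:
            findings.append(f"{key}: missing, still the sample placeholder, or too short")

    # Login form and dashboard should never be usable over plain HTTP.
    if not _is_true(defines.get("FORCE_SSL_ADMIN", "false")):
        findings.append("FORCE_SSL_ADMIN is not true: wp-login and wp-admin work over HTTP")

    # The theme/plugin editor lets anyone holding a stolen admin session write PHP.
    if not _is_true(defines.get("DISALLOW_FILE_EDIT", "false")):
        findings.append("DISALLOW_FILE_EDIT is not true: dashboard file editor is enabled")

    # Debug mode prints PHP notices, file paths and database errors to visitors.
    if _is_true(defines.get("WP_DEBUG", "false")):
        findings.append("WP_DEBUG is true on what should be a production site")

    # Empty database password: anyone who reaches MySQL owns the content.
    if defines.get("DB_PASSWORD", "''").strip("'\"") == "":
        findings.append("DB_PASSWORD is empty")

    # Changing the prefix is a small obstacle to canned injection payloads that assume wp_.
    m = PREFIX_RE.search(php)
    if m is None or m.group(1) == "wp_":
        findings.append("$table_prefix is the default wp_")

    return findings


def fresh_salt() -> str:
    """64-character random value, the way you regenerate all eight keys after a compromise."""
    return secrets.token_urlsafe(48)


# Constructed: what a site looks like when wp-config-sample.php was copied and barely edited.
WEAK_CONFIG = "<?php\n" + "".join(
    f"define( '{key}', '{PLACEHOLDER}' );\n" for key in SALT_KEYS
) + """define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', '' );
define( 'WP_DEBUG', true );
$table_prefix = 'wp_';
"""

# Constructed: the same file after hardening.
HARDENED_CONFIG = "<?php\n" + "".join(
    f"define( '{key}', '{fresh_salt()}' );\n" for key in SALT_KEYS
) + """define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp_app' );
define( 'DB_PASSWORD', 'c0nstructed-Str0ng-DB-passphrase' );
define( 'FORCE_SSL_ADMIN', true );
define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_DEBUG', false );
$table_prefix = 'q7k_';
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_wp_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against your own file with `audit_wp_config(open("wp-config.php").read())`; the regex only understands the plain `define( 'NAME', value );` form that wp-config.php uses, so settings built from PHP expressions will not be parsed.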

3:  Your Hosting Company

If you host on a shared server, you share its resources and its fate with every other site on that machine: a denial-of-service flood aimed at any one of them, or a compromise of a badly maintained neighbour, can affect your site too.  A DDoS (distributed denial-of-service) attack throws so much traffic at a server that it becomes unreachable or crashes.  Hosting options:

  1. Use a VPS (virtual private server): it gives you more control and isolation from other customers, at a higher cost.
  2. Make sure the server has a host firewall that exposes only the ports you actually need (normally 80 and 443 for the website plus your management port), and a web application firewall if your host offers one.
  3. Have the whole server backed up daily, to a location other than the server itself.
  4. Restrict administrative access (SSH and the control panel) to the IP ranges of your web development team and your own country.  Blocking other countries from the public site as well is an option, but check first that you have no visitors or donors there.
  5. Do not leave SSH on its default port 22 open to the world.  Port 22 is the remote-login (SSH) port and the first thing every automated scanner probes; your hosting company can move it, and should also disable password logins in favour of SSH keys.
  6. Have two-factor authentication set up for your hosting control panel.

4:  Payment Gateway  

Yup, those bad guys can also break into your payment gateway admin panel.  Payment gateways include Stripe, PayPal and Authorize.net, among others.  So you need to secure that account too:

  1. Make your user name and password very secure (as noted above).  Don’t use your name or “admin”, and use a randomly generated password.
  2. Turn on two-factor authentication so a code is required every time you log in.
  3. Ask your gateway whether it offers alerts or automatic blocking for bursts of small charges; that pattern is the signature of card testing.
  4. Enable the gateway’s fraud checks (which may cost more), in particular address verification (AVS) so the billing address entered is checked against the card issuer’s records.

5:  E-commerce or Donation Pages

Hackers will also use your page to test stolen or generated credit card numbers: they run many small charges through your form to find out which cards still work, leaving you with declined transactions, chargebacks and gateway fees.  Take these steps:

  1. Don’t have an OPEN donation amount.  Set a minimum donation of $10; a $1.00 charge is the typical card-testing transaction.  If people want to donate less, have them contact you.
  2. Install a captcha on the form.
  3. Review all donations daily and report suspicious bursts to your gateway.
  4. Make sure users have to enter their billing (snail mail) address as well as the card details, so the gateway’s address verification can reject mismatches.
  5. Always use a payment gateway. NEVER have your website collect and store credit card numbers; use the gateway’s hosted form or tokenization so card data never touches your server.
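Card testing is what section 4’s “multiple low $$ amount charges” and this section are both about, so here is one added example (this post’s illustration, not code from any gateway or from the original author) that puts the two defences into working form: a policy check that enforces the $10 minimum and a required billing address before the form hands anything to the gateway, and a detector that reads a gateway attempt log and flags any IP address that runs a burst of mostly declined charges across several different cards. The log format, field names and thresholds are this example’s own assumptions, and the sample log is constructed.

```python
"""Two server-side defences against card testing on a donation or checkout
page: a policy check run before anything goes to the gateway, and a detector
over the gateway's attempt log for the bursts of small charges described
above.  Added example for this post; the log format, field names and
thresholds are assumptions, and the sample log is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_DONATION = 10.00          # the post's floor; smaller gifts go through a human
WINDOW = timedelta(minutes=10)
MIN_ATTEMPTS = 5              # attempts from one IP inside WINDOW before we look closer
MIN_DECLINE_RATIO = 0.5       # genuine donors rarely fail this often
MIN_DISTINCT_CARDS = 3        # one donor retrying one card is not card testing


def check_donation(amount: float, billing_address: str) -> tuple:
    """Policy gate for the form handler: returns (accepted, reason)."""
    if amount < MIN_DONATION:
        return False, f"amount {amount:.2f} is below the {MIN_DONATION:.2f} minimum"
    if not billing_address or not billing_address.strip():
        return False, "billing address is required so the gateway can run AVS"
    return True, "ok"


def parse_log(lines) -> list:
    """Constructed format: ISO timestamp, client IP, amount, card last4, gateway result."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, amount, last4, result = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, float(amount), last4, result))
    return sorted(events)  # chronological; tuples sort on the timestamp first


def detect_card_testing(lines) -> list:
    """Flag each IP that, inside WINDOW, made MIN_ATTEMPTS or more attempts,
    mostly declined, across MIN_DISTINCT_CARDS or more different cards."""
    by_ip = defaultdict(list)
    for ev in parse_log(lines):
        by_ip[ev[1]].append(ev)

    alerts = []
    for ip, events in by_ip.items():
        for i, first in enumerate(events):
            # Sliding window anchored on each attempt, looking forward in time.
            window = [e for e in events[i:] if e[0] - first[0] <= WINDOW]
            if len(window) < MIN_ATTEMPTS:
                continue
            declines = sum(1 for e in window if e[4] != "approved")
            cards = {e[3] for e in window}
            if declines / len(window) >= MIN_DECLINE_RATIO and len(cards) >= MIN_DISTINCT_CARDS:
                alerts.append({
                    "ip": ip,
                    "attempts": len(window),
                    "declines": declines,
                    "distinct_cards": len(cards),
                    "largest_amount": max(e[2] for e in window),
                    "from": first[0].isoformat(),
                    "to": window[-1][0].isoformat(),
                })
                break  # one alert per IP is enough: block it or hand it to the gateway
    return alerts


# Constructed gateway log: three honest donors (one retried a declined card)
# and one address pushing six different cards through $1.00 charges.
SAMPLE_LOG = """\
# timestamp,ip,amount,card_last4,result
2019-09-18T02:10:05,198.51.100.4,25.00,4242,approved
2019-09-18T02:11:40,198.51.100.9,50.00,1881,declined
2019-09-18T02:12:02,198.51.100.9,50.00,1881,approved
2019-09-18T02:14:01,203.0.113.7,1.00,0005,declined
2019-09-18T02:14:09,203.0.113.7,1.00,0019,declined
2019-09-18T02:14:16,203.0.113.7,1.00,0027,declined
2019-09-18T02:14:23,203.0.113.7,1.00,0035,approved
2019-09-18T02:14:31,203.0.113.7,1.00,0043,declined
2019-09-18T02:14:38,203.0.113.7,1.00,0051,declined
2019-09-18T02:30:00,198.51.100.22,100.00,9999,approved
""".splitlines()

if __name__ == "__main__":
    print(check_donation(1.00, "1 Main St"))   # rejected by the $10 minimum
    for alert in detect_card_testing(SAMPLE_LOG):
        print(alert)
```

The detector deliberately needs all three signals together (volume, decline ratio, card diversity): a donor whose card is declined once and then succeeds trips none of them, while a tester working through a stolen list trips all three within seconds. Feed it the attempt export your gateway provides, adjusted to its column names, and run it as part of the daily review.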

Taking these steps will help keep your website and payment options safe.  Remember, nothing is perfect, but you can certainly improve on where you are now.  Don’t hesitate to contact us if you need assistance!