SEOs wear many hats, from general webmaster and site manager to website security expert. Unfortunately, many SEOs forget that a security incident is one of the fastest ways to get a site penalized, which makes security an absolute necessity for organic SEO. If you're not aware of the basics of website security (and it's okay if you aren't), then I recommend you read up on it ASAP. We're going to cover WordPress security and some ways you can fortify your website's walls.
Why is it important?
Above all else, your client’s website is your responsibility. Sure, it’s also the client’s, but how often do they actually understand the ins and outs of WordPress? That leaves the security part partially up to you. The last thing you want is for someone to hack into the website, deface it, and steal information. If it isn’t already, this should be your worst nightmare! Besides keeping your client’s business strong, which is essentially your job, the security aspect is absolutely essential for search engine rankings.
The minute your website has malware on it, or is even suspected of hosting malware, Google penalizes the site. In the past, this has happened to us first-hand, and it's not easy to recover from.
Would you click on a result labelled "This site may be hacked" or "This site may harm your computer"? Doubt it! Google agrees: the moment malware is detected, the warning goes up, click-through collapses, and the site can drop a few pages instantly, seemingly disappearing from search results. Even a site holding a strong #1 position may drop 3-4 spots, and basic SEO tells you none of this is good news.
Securing Your WordPress Website: Step 1 (Logins)
The first step in any security venture is to secure the login. I know, you've heard this a million times in your life, but do you always actually do it? Think of it this way: would you lock your deadbolt if your neighbors' homes were being broken into on a regular basis? That deadbolt is your login. You can hide your valuables wherever you want, but once an intruder is in, they're in for good. Your neighbors are the other sites on the Web, and according to a WhiteHat Security infographic, 86% of all websites left their deadbolt unlocked by leaving serious vulnerabilities open for an average of 193 days.
Your login consists of 2 parts:
- Your username
- Your password
Both require secure values. Your username should not be any of the following:
- Your name
- Your company name
- Your initials
All of this information is publicly available online the moment you register your domain. Don't believe me? Go to CentralOps, run a WHOIS lookup on your own domain, and see what you can find. Hackers use this information to "guess" usernames and passwords. You can reduce the exposure by paying your registrar for WHOIS privacy, which hides the registrant details. Two more caveats: never keep the default username "admin", and remember that WordPress itself leaks usernames through author archives (a request for ?author=1 redirects to /author/username/), so a hard-to-guess username buys you less than a strong password does.
Your password, similarly, should follow these requirements:
- Do not use “password”, “password1”, or any variation of “password”.
- Do not use “abc123”, “12345678”, “qwerty”, or any of these common passwords.
- Do not use your company name in any way, shape, or form.
- Use a password that consists of at least 1 uppercase letter, 1 number, AND 1 symbol, and make it long: every extra character does more for you than swapping a letter for a symbol.
- Do not use names – you, your family, friends, or pets.
Although not strictly required, it's recommended that you avoid any word that can be found in a dictionary. Hackers use what's known as a "dictionary attack": a script that tests every word in a wordlist (plus common variations such as a capital letter, a trailing "1" or "!", or a year) against your password or its hash. Think that takes long? Most passwords, especially dictionary words, can be broken within a day or less, and with rented computing power from Amazon's cloud, in an hour or less. Against the login form itself the attack is slower, but WordPress does not limit login attempts out of the box, so don't count on the form to save a weak password.
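To make the username and password rules above concrete, here is an added example (not code from the original post) that checks a candidate password against those rules and then runs a tiny dictionary attack against its hash. The wordlist, the company name "acme" and the personal names are constructed for the example; WordPress really stores a salted, iterated phpass hash, and plain SHA-256 stands in for it only to keep the code short. The 12-character minimum is this example's own addition.

```python
import hashlib
import re

# Constructed wordlist standing in for a real dictionary; a real attack runs millions of entries.
WORDLIST = ["password", "password1", "abc123", "12345678", "qwerty", "letmein",
            "sunshine", "welcome", "acme", "acme2015", "fluffy"]

# Hypothetical client details; in practice these are exactly what a WHOIS lookup hands an attacker.
COMPANY = "acme"
PERSONAL_NAMES = ["john", "fluffy"]


def mangle(word):
    """Cheap mangling rules a cracker applies to every dictionary word."""
    cap = word.capitalize()
    return [word, cap, word + "1", cap + "1", word + "!", cap + "1!", cap + "2015!"]


def policy_violations(password):
    """Rules from the post that `password` breaks; an empty list means it passes.
    The 12-character minimum is this example's own addition, not a rule from the post."""
    low = password.lower()
    problems = []
    if "password" in low:
        problems.append("variation of 'password'")
    if any(password == candidate for word in WORDLIST for candidate in mangle(word)):
        problems.append("dictionary word or common password (with or without mangling)")
    if COMPANY in low:
        problems.append("contains the company name")
    if any(name in low for name in PERSONAL_NAMES):
        problems.append("contains a personal name")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    return problems


def stored_hash(password):
    """Stand-in for the hash an attacker pulls from a dumped wp_users table.
    WordPress uses salted, iterated phpass hashing; unsalted SHA-256 is used here only for brevity."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Hash every word and mangled variant; return the match, or None when the list is exhausted."""
    for word in wordlist:
        for candidate in mangle(word):
            if stored_hash(candidate) == target_hash:
                return candidate
    return None


if __name__ == "__main__":
    for pw in ["Acme2015!", "Sunshine1", "correct-horse-Battery-9"]:
        print(pw, "violations:", policy_violations(pw))
        print("  cracked as:", dictionary_attack(stored_hash(pw)))
```

"Acme2015!" satisfies the uppercase/number/symbol rule and still falls to the wordlist in microseconds, because it is the company name plus a year; the long passphrase passes every rule and survives the attack.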
Securing Your WordPress Website: Step 2 (Backdoors)
Your login is now secured. If they can't log in, they can't do damage, right? Well, sometimes an attacker doesn't need a login at all.
If you have pending updates, it's a good idea to at least check the details. An outdated plugin with a publicly disclosed vulnerability is a way into your site that you didn't even know existed. (Now we're locking the deadbolt on the store's back door.) Example: Yoast's WordPress SEO plugin is, in my opinion, a necessary plugin for any SEO campaign. However, they recently patched a vulnerability they describe as "possible CSRF and blind SQL injection vulnerabilities in bulk editor." If you are running anything below version 1.7.4, you're open to these attacks.
Sometimes, updates are just that: an update to the plugin. Colors may have been added, bugs fixed, and features shipped that you may feel you don't need. Because updates can occasionally break a site, you may be tempted to skip them. How do you tell the difference? Click "View version x.x.x details" and read what's changed; if the changelog mentions a security fix, the update is not optional.
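The triage described in the last two paragraphs is easy to script. The following is an added example, not code from the post or from Yoast, that reads the JSON `wp plugin list` (WP-CLI) emits, flags any plugin sitting below a version known to close a security hole, and lists the remaining updates for a changelog read. The sample plugin list is constructed; the only real entry in the fix table is wordpress-seo at 1.7.4, taken from the post.

```python
import json

# Constructed stand-in for the output of
#   wp plugin list --format=json --fields=name,status,version,update,update_version
# The wordpress-seo row reflects the fix version cited in the post; the other rows are made up.
SAMPLE_PLUGIN_LIST = """[
 {"name": "wordpress-seo", "status": "active",   "version": "1.7.3", "update": "available", "update_version": "1.7.4"},
 {"name": "akismet",       "status": "active",   "version": "3.1",   "update": "none",      "update_version": ""},
 {"name": "old-gallery",   "status": "inactive", "version": "2.0.1", "update": "available", "update_version": "2.1"}
]"""

# Minimum versions known to close a disclosed security issue. Only the wordpress-seo entry is real
# (from the post); extend this map from plugin changelogs or an advisory feed.
SECURITY_FIXES = {
    "wordpress-seo": ("1.7.4", "CSRF and blind SQL injection in bulk editor"),
}


def parse_version(version):
    """'1.7.3' -> (1, 7, 3); non-numeric parts such as 'beta' count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def version_lt(a, b):
    """True if version string a is older than b, padding so that '3.1' equals '3.1.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def triage(plugin_list_json):
    """Return (name, severity, note) for every plugin that needs attention.
    SECURITY: installed version is below a known fix; update now regardless of feature changes.
    UPDATE:   an update exists; read 'View version details' before applying.
    Inactive plugins are still reported: their files stay on disk and reachable."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        name, installed = plugin["name"], plugin["version"]
        if name in SECURITY_FIXES:
            fixed, issue = SECURITY_FIXES[name]
            if version_lt(installed, fixed):
                findings.append((name, "SECURITY", f"{installed} < {fixed}: {issue}"))
                continue
        if plugin["update"] == "available":
            state = " (inactive, remove if unused)" if plugin["status"] == "inactive" else ""
            findings.append((name, "UPDATE", f"{installed} -> {plugin['update_version']}{state}"))
    return findings


if __name__ == "__main__":
    for name, severity, note in triage(SAMPLE_PLUGIN_LIST):
        print(f"{severity:8} {name}: {note}")
```

On a live site you would feed the script real `wp plugin list --format=json` output and follow a SECURITY finding with `wp plugin update <name>`. Note that the deactivated plugin is still reported: deactivating leaves its PHP files in place, so an unused plugin should be deleted, not just switched off.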
Securing Your WordPress Website: Step 3 (Scans)
Google will tell you when your site has malware, but you don’t want it to get to that point. You want to catch these potential problems before they become a serious issue and stop them in their tracks. We recommend downloading one of these plugins (or both):
If you're looking for a paid option and have been targeted in the past, then I recommend Sucuri. Their SiteCheck scanner is free, and you should certainly take advantage of it regardless: it will also tell you whether the site is on any blacklists. Check this if you notice you are penalized for unknown reasons!
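External scanners look at the rendered site; a quick check of the files on disk catches what they miss. The following is an added example, not code from the post or from Sucuri: it walks a set of PHP files looking for indicators common in injected code (eval of a decoded payload, a request parameter called as a function, the old preg_replace /e trick, very long base64 strings, and any PHP file under wp-content/uploads). The file tree is constructed for the example, and every hit is a prompt to open the file, not proof of infection.

```python
import re

# Indicators commonly found in injected PHP. Each is a prompt to review the file, not proof of compromise.
INDICATORS = {
    "eval of decoded payload": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request parameter called as a function": re.compile(
        r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    "preg_replace with /e modifier": re.compile(
        r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    "very long base64 string": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

# Constructed sample tree: path -> file contents. The second and third files imitate injected code;
# the theme file is clean even though it calls base64_decode.
SAMPLE_FILES = {
    "wp-content/themes/twentyfifteen/functions.php":
        "<?php\nadd_action('after_setup_theme', 'twentyfifteen_setup');\n"
        "$logo = base64_decode(get_option('site_logo_b64'));\n",
    "wp-content/uploads/2015/03/cache.php":
        "<?php\n@eval(base64_decode($_POST['q']));\n",
    "wp-content/plugins/some-plugin/tools.php":
        "<?php\n$_REQUEST['f']($_REQUEST['a']);\n",
}


def scan_file(path, contents):
    """Return (path, line_number, indicator) for every hit in one file.
    Line 0 marks a finding about the file's location rather than its content."""
    hits = []
    # Uploads should hold media only; PHP there is almost always a dropped shell.
    if path.startswith("wp-content/uploads/") and path.endswith(".php"):
        hits.append((path, 0, "PHP file inside uploads directory"))
    for lineno, line in enumerate(contents.splitlines(), start=1):
        for label, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((path, lineno, label))
    return hits


def scan_tree(files):
    """Scan every file in a {path: contents} mapping; hits come back sorted by path, then line."""
    hits = []
    for path, contents in files.items():
        hits.extend(scan_file(path, contents))
    return sorted(hits)


if __name__ == "__main__":
    for path, lineno, label in scan_tree(SAMPLE_FILES):
        print(f"{path}:{lineno}: {label}")
```

To run this against a real install, build the mapping from a walk of the WordPress directory and scan only .php files. Legitimate plugins do occasionally use base64_decode or eval, so treat the output as a review list, and follow up any confirmed infection with the Webmaster Tools review request described below.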
Your clients' security is crucial to the SEO campaign because it directly affects their rankings. It's one factor that will never go away, so you can always count on the necessity of keeping the website secure. If you detect malware, clean it as soon as possible, close the hole it came through, and then use Google Webmaster Tools (now Search Console) to request a security review of your website. You'll see a message stating that the site may be infected with malware under the list of sites you manage. Once you believe you have sufficiently cleaned and secured the website, resubmit it for checking.
Lastly, be sure to:
- Create a secure username and password
- Keep your site up to date, especially if a plugin released a security update
- Scan your site to keep it clean