Hey TPT sellers ready to seek growth in your business, you’re in the right place. Welcome to The Savvy Teacher Seller. I’m Kristen Doyle, and I’m here to give you no-fluff tools and strategies that will really make an impact on your sales. Let’s get started, y’all.
As a TPT seller, your website is one of the few pieces of your business that you really own. But have you ever stopped to think about what would happen if it got hacked? Now I know you are probably thinking, who on earth would hack my little website? But I’m here to tell you that it is happening more and more lately, especially in the teacher seller community. In fact, I have cleaned up more hacks in the last two months than I have in three years of maintaining websites for teacher sellers like you.
Typically, these hacks are done by bots. So they really do not care who you are or how big your site is; they are just out there to cause destruction and havoc in your life, so anyone can be a target. Fortunately, there are a lot of things that you can do to try and prevent these hacks. And it is important not only for protecting your valuable asset, but also for protecting your customers and their personal data if you have a shop on your website.
In today’s episode, I’ll share seven easy steps you can take to secure your site. Now this might not sound fun or exciting, but I promise you it is way more fun than waking up to a hacked website and having to figure out where to go from there.
We’ll start with step number one, which is building a strong foundation when it comes to your user accounts. You’ll want to make sure that you are reviewing who has admin access to your website. The only people who should currently have admin level access to your website are people who are currently working in your website on a regular basis, and truly need admin level access.
So if you have any old admin level users, maybe a previous web designer or a support person from your hosting account, or from a plugin or someone has logged in as an administrator to provide some support, you’ll want to make sure to delete those old user accounts so that those do not serve as kind of a backdoor for hackers to be able to get into the site.
The other thing you should do is evaluate if everyone who is currently on your team and accessing your site really needs admin level access, or if they would be able to do their jobs with editor level access or something lower. And we’ll drop a link in the show notes to the descriptions of each level of access on WordPress so that you can determine the right level for each person who is on your team.
You’ll also want to make sure that everyone on your team who has a user account, whether it’s admin level, editor level or something else, is using a strong username and password for their account. Avoid using any common usernames like admin, your first and last name, or the name of your website, because those are commonly used by bots to try and hack into your site by guessing your password and using those common usernames.
In addition to avoiding common usernames, you’ll want to create a complex password. This is one that includes a mix of letters, numbers and symbols, and that doesn’t include any common words, things like, again, your name, or parts of your name, or your website name. And it should be a password that you’re not using anywhere else. Treat your username and password on your website just like a bank account login: give it that same level of security and take it that seriously.
Now, the last part of securing your user accounts applies if you have a WooCommerce store. There is an option in the WooCommerce settings that allows users to create a customer account on the My Account page. And I highly recommend that you turn that off so that customer accounts can only be created by those people who are actually making a purchase.
The reason for that is a lot of times hackers or bots will try and flood your website with fake customer accounts in an attempt to hide the actual malicious things that they are doing in the slew of notifications, so that you don’t notice what’s going on on your site. So definitely go into the customer accounts section of the WooCommerce settings and uncheck the box that allows buyers to create an account on the My Account page.
Step number two is to make sure that you are choosing a reliable host. See, believe it or not, your host has a whole lot to do with your website’s security. You’ll want to make sure you’re choosing a reputable hosting provider, and one that offers regular backups and prioritizes server-level security measures. We’ll talk about security measures to take on your site in this episode, but those server-level security measures are all about choosing a high-quality host.
My recommendations for quality hosts do change from time to time. So instead of sharing them in this episode, I will link in the show notes below the episode to my current recommendations.
Step number three is to make sure that you are keeping everything on your site up to date. This means you need to be updating the WordPress core, your themes and plugins on a regular basis. See many of those updates are providing security patches and bug fixes that address vulnerabilities in your plugins. And most of the time, hackers get into your site via one of those plugin vulnerabilities.
So you’ll want to keep an eye on the number of updates you have in the very top of your admin bar and make sure that you are updating WordPress, all of your themes and your plugins on a regular basis. I would recommend updating them at least once a week in order to make sure that your site is protected.
When it comes to paid plugins, I’ve heard the advice floating around the TPT community that if you want to use a paid plugin, you can purchase it one time, install the plugin and then cancel your subscription and leave the plugin installed. And while technically, you can do that, I would highly recommend that you not because when you are no longer paying for that plugin, you will no longer get the necessary updates to fix these security issues and vulnerabilities.
And that can open your site up to security vulnerabilities for bots and hackers to get in. So make sure that you either continue paying for those plugins so that you’re getting those updates, or you delete those plugins from your site and find an alternate plug in for that functionality.
Speaking of deleting plugins, that is step number four in our process today. You’ll want to run a little bit of an audit to clean up your site and remove any unused plugins or themes. One of the ways that hackers love to sneak into your website is by injecting some malicious code into a plugin or a theme that you’re not actually using.
So it is really important that if you decide to switch from one plugin to another for a certain feature, or you’re just not using a feature anymore, then instead of deactivating the plugin and leaving it on your website, you go ahead and deactivate and delete that plugin so that you are not running into any security risks there.
Now, it is fine to deactivate a plug in for a short time knowing that you’re going to reactivate it later. What I am referring to is leaving plugins on your site for an extended period of time that you aren’t using and don’t plan to use again in the future.
Likewise, you’ll want to make sure that you are also deleting any plugins that are not being actively maintained by their developer. If you have a plugin that hasn’t been updated in more than a year or two, if it says it is untested with your current version of WordPress, if you have plugins that are just out of date like that and the developer seems to have abandoned them, or even worse, if you have a plugin that is no longer available to download in the WordPress plugin repository, you need to delete those plugins and find an alternate solution for whatever functionality they were providing on your website.
It simply is not safe to have those plugins installed on your site when they’re not being actively maintained by the plugin developer, because it can create some serious security risks. You should also delete any extra themes that you have installed on your site that you’re no longer using. Ideally, the only things you should have on your site are your active WordPress theme; if it is a child of another theme, then you may need that parent theme installed as well, and it will tell you that when you click on your active theme. And you should have one default WordPress theme (the current one is just called Twenty Twenty-Three) installed just in case you need to use it for testing purposes. But there should be no other themes installed on your website that you are not using.
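As an added illustration of the audits in steps one, three and four (this is example code, not something from the episode or from any plugin), the script below checks constructed sample data shaped like the output of WP-CLI’s `wp user list --format=json` and `wp plugin list --format=json` for admin accounts that aren’t on an approved list, guessable usernames, plugins with pending updates, and inactive plugins that should be deleted. The field names are assumed from WP-CLI; the usernames, plugin names and allowed-admin list are invented.

```python
"""Audit constructed WP-CLI output against the episode's user and plugin checks."""
import json

# Constructed sample data (values invented) shaped like
# `wp user list --format=json` and `wp plugin list --format=json`.
USERS_JSON = json.dumps([
    {"user_login": "kristen_d", "roles": "administrator"},
    {"user_login": "admin", "roles": "administrator"},
    {"user_login": "olddesigner", "roles": "administrator"},
    {"user_login": "va_helper", "roles": "editor"},
])
PLUGINS_JSON = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "available", "version": "8.0.0"},
    {"name": "wordfence", "status": "active", "update": "none", "version": "7.10.0"},
    {"name": "old-slider", "status": "inactive", "update": "none", "version": "1.2"},
])

# Usernames that password-guessing bots try first (step 1).
COMMON_USERNAMES = {"admin", "administrator", "root", "test", "user", "wordpress"}


def audit_users(users_json, allowed_admins, site_words):
    """Step 1: flag admins not on the approved list and easy-to-guess usernames.

    site_words are pieces of your name or site name that should not appear in a login.
    """
    findings = []
    for u in json.loads(users_json):
        login = u["user_login"]
        roles = u["roles"] if isinstance(u["roles"], list) else u["roles"].split(",")
        if "administrator" in roles and login not in allowed_admins:
            findings.append(f"remove or downgrade admin account '{login}'")
        if login.lower() in COMMON_USERNAMES or any(w.lower() in login.lower() for w in site_words):
            findings.append(f"username '{login}' is easy to guess; rename it")
    return findings


def audit_plugins(plugins_json):
    """Steps 3 and 4: flag pending updates and inactive plugins left installed."""
    findings = []
    for p in json.loads(plugins_json):
        if p["status"] == "inactive":
            findings.append(f"delete unused plugin '{p['name']}'")
        if p["update"] == "available":
            findings.append(f"update plugin '{p['name']}' (installed {p['version']})")
    return findings


if __name__ == "__main__":
    for line in audit_users(USERS_JSON, {"kristen_d"}, ["doyle"]) + audit_plugins(PLUGINS_JSON):
        print("-", line)
```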
Step number five is to protect your website with a security plugin. You’ll want to have a high-quality plugin; I recommend one like Wordfence or iThemes that offers features like scheduled malware scanning, firewall protection and login security. These plugins will help to monitor your site for anything that is going wrong, but those firewalls will also help to block any kind of attacks before they even start. These plugins will send you notifications, so you can usually go in and set those notification settings up so that you’re not getting overwhelmed; you can set them up to only notify you every so often.
My recommendation is that you leave those notifications on though, and that you take your security plugin notifications seriously. I know if you have gotten tons of notifications from your security plugin that seemed to be totally benign, things like oh, your plugin needs an update or something like that, it can be really easy to tune out and not pay any attention to them when those come in.
Or maybe you’ve even created a filter in Gmail that sends those right to the trash or to your archive. If you have, take that off and make sure you’re opening every one of those emails, because sometimes one of those emails will be alerting you that your malware scan has discovered some malicious code on your website. And that is the first way that we typically are able to find out that a website has been hacked. And it is so important in these cases to take immediate action to restore the site and fix the problem, because a lot of times, the faster you take action, the more damage you can prevent.
Step number six is to strengthen your login process. And the first way that you can do that is to implement two-factor authentication on your WordPress security plugin. I know two-factor authentication is not fun; no one likes to have to go through the extra step of grabbing your phone and entering a code in order to log into your website. But this does add an important extra layer of security so that someone who is not you isn’t able to hack into your website.
You can also use a plugin like Limit Login Attempts. This is a plugin that essentially just restricts the number of failed login attempts that someone can have before they are blocked. This can help you to stop what’s called brute force attacks. And these are the ones that I was talking about earlier, where a bot either knows your admin username, or they are guessing at your admin username, and then they are using some technology to try and guess your password by just trying multiple passwords over and over on your site.
So if you’re getting a lot of emails from your security plugin that say that you have had these brute force attacks, then you may want to install a plugin like Limit Login Attempts to add an extra layer of security there.
Last but certainly not least, number seven is to make sure you are taking regular backups of your website. This is more about being able to recover your site in the event that it is hacked than it is about protecting your site from getting hacked. But let me tell you, having those backups is such a lifesaver in the event that something happens. It also can help you if you update a plugin and it causes some sort of conflict that breaks something on your website, because it’s very easy then to roll back to the previous version of the site before that plugin.
You want to make sure that you are taking regular backups of your website files (I recommend doing that daily), and that you are taking backups that are stored somewhere off-site in a secure location. So your website host may provide daily backups or monthly backups of your website. But they are storing those on your website files, which means if your site gets hacked, there is a high likelihood that those backups won’t be useful anymore.
So you’ll want to make sure that you are storing them somewhere else. You can use any number of plugins for this. One that a lot of WordPress users recommend is called UpdraftPlus; it integrates with Dropbox or Google Drive to store your backups. So you’ll want to make sure that you’re doing something like that to have those backups in the event that you have had a problem, because there is no way to 100% prevent hacks from happening, unfortunately.
But these steps can go a long way toward preventing them and helping you recover in the event that your site does get hacked. So I would encourage you this week to take some immediate action to prioritize your website’s security. Specifically, go through and do a little audit of your admin users, and your plugins and themes. Make sure you don’t have anything on there that could leave your site open to hackers, and vulnerable in that way.
Make sure you share this episode with your teacher seller friends who have WordPress sites so they can protect their websites too. By the way, if all of this has you feeling overwhelmed or you just want some extra peace of mind, check out our WordPress care plans, where we’ll handle the day-to-day website security and maintenance and give you a trusted expert that you can rely on if anything does go wrong. I’ll put the link for all of the details in the show notes. Thanks for tuning in, and I’ll talk to you soon.
I hope you enjoyed today’s episode. If you did, please share it with another teacher seller who would also find it helpful. For more resources on growing your TPT business, head to Kristendoyle.co/TPT. Talk to you soon.