How to protect your small business website in 2017

I have been a small business owner since 2003. My wife and I own several small businesses and are always busy. WordPress website security was never an issue we thought about until our landscape design website was hacked in 2008. In the years that followed I had to learn WordPress and WordPress security from the ground up; that led us to create Capital District Local Search to help other local business owners. Let me tell you briefly what happened and what I learned from that experience and how to protect your small business website in 2017.

Most small business websites are now using WordPress, the most popular content management system. It is excellent at providing SEO (search engine optimization) results so people can find your business online without you spending enormous sums of money on advertising. However, WordPress is a double-edged sword. A typical WordPress installation is a complicated jigsaw puzzle of plugins (think of them as add-on programs, as you would add Word and Photoshop to a Windows installation) written by many different people. Any of these can be a security risk, and WordPress, since it has become so popular, is now a huge target for hackers.

My site that was hacked was done by a professional WordPress developer. I learned enough to edit the site but did not know enough to update what I needed to update and to do backups and add a security system. I always thought “Who would bother hacking my site?” Well, the truth is hackers do it to steal your server space for spamming and probably just for fun. Being a typical small business owner, I was always busy and if it wasn’t broke, I didn’t fix it. Then one day it happened; my website had a hacked message by Algerian hackers and, I learned later, was being used by dozens of scammers to send spam. I contacted my developer, who also provided hosting (I think the budget host he used contributed to the hack), and he eventually recovered the site, but it was limping along and needed to be redone.

The first thing I did was to find a secure WordPress host. Money was an issue so I had to choose a shared hosting provider. This means you “rent” space on a server with other customers and have a set amount of storage, visits to your site per month, etc.

I ended up at Siteground Hosting and have not had any complaints, ever. Their support has been phenomenal and I really needed it; I learned WordPress and cPanel and still learn new things every time I work on a project. I would heartily recommend choosing their Go Geek plan that offers integrated backups of your entire account from which you, your developer, or the Siteground support staff can restore exactly what’s needed in a few clicks. If something goes wrong, contact support, and the site is restored. It’s that easy. If you account for the yearly cost of a premium WordPress backup plugin, that money would be better spent with the Go Geek plan. They update the WordPress core automatically (all plans), which resolves many of the issues that hackers exploit. Siteground also has a Site Scanner service available to check for malware on your site. However, I would not bother with the Site Scanner if you follow my next recommendation below.




OK, you’ve got a safe place to get your website going. After setting up my new site on Siteground I tried various security plugins: Bulletproof Security, iThemes Security Pro, and Wordfence. I am not showing links for these since I don’t believe in a real review article posting links for multiple products. Many bloggers do this to gain additional affiliate clicks. All of these plugins are of good quality but are extremely hard to set up and monitor. I remember getting dozens of email notifications of hackers testing my new WordPress admin username and password, trying to get in. It was very distracting to my conducting business and they did not offer a solution in the event someone got through.

Sucuri is a specialized web security company which is in the front line against hacking of all types of sites, not just WordPress. Their product names have changed since I installed their firewall and scanning solution; back then it was called CloudProxy. Now it is called:

Website AntiVirus + WAF

I am not going to drone on about the technical aspects of the service; let’s go over the key points for busy business owners:

  • Their firewall prevents all manner of attacks and exploits.
  • They monitor your site for evidence of malware, ransomware, or a complete hack.
  • The firewall actually caches your website content and speeds loading times, potentially increasing organic search results.
  • If something gets through, they clean it up, no extra costs involved.

I have not had a breach since the firewall went up 3 years ago. The current pricing for the basic plan is $199.99 a year, which I think is perfect for the majority of local small businesses. Right now I have 2 sites protected and the price dropped to $149.99 a year per site. Their support will set up the firewall for you and get you going. The dashboard is definitely intimidating at first glance and should be left to your developer (if you have one) or the Sucuri team. Remember if you are in Albany’s Capital District we’d be happy to set up a new site with security for you.

As small business owners we don’t have the time to deal with unnecessary fires to put out. The money spent on a secure WordPress host with backups and a security solution is money well spent, don’t you agree?