SwitcHHat’s Bulletproof WordPress Website Security

For any website that is more than a simple blog or thought catcher, I would recommend finding the best and most secure "shared hosting" plan that you can find. You can find these everywhere for around $6-8 per month, and there are beginner/novice web builder platforms you can even use for free (Wix, Squarespace, Weebly, Blogger, etc.). For anyone looking to build an actual business and take it all to a whole new level…you're going to need a VPS (Virtual Private Server) or a Dedicated Server. Period.

Both VPS and Dedicated will give you root access, which is critical for playing in the big game, but I have found that for most of my clients, building their site on our VPS is more than adequate. A Dedicated Server, on the other hand, if you need this level of construction, is the ultimate in website security and flexibility. But it'll cost you!

Regardless of which platform you decide to pay for, VPS or Dedicated, you'll be miles further down the security path than your competition, which is likely hosting its site on a Swiss-cheese security nightmare of a shared hosting plan for $6 a month.

My quick recommendation: Don’t be THAT GUY! Cleaning things up once you’re hacked and compromised is expensive business.

With all this behind us, let’s turn our attention to the most ubiquitous open CMS platform in use today, WordPress.

Far and away the most used website development platform in action today is the WordPress CMS framework. It's a free downloadable bundle, which includes all the necessary PHP files, graphics, HTML and CSS that you'll need to set up a basic website. Most of the FREE WORDPRESS THEMES offered today are even responsive/mobile optimized (which means they automatically adjust the CSS to fit the device you're on) for the myriad of devices in use: desktop, laptop, smartphone, tablet, etc., so that will save you from needing to hire someone to set things up right for the nearly 80%+ of traffic/visitors that will reach your site from a mobile device.

Now this all sounds pretty good, and it is to some degree…save one major thing: security!

WordPress CMS sites get hacked all the time, because malcontents with less than noble intentions have found easy entry points to get in, steal, and completely booger up your site from far away places. Once that happens, it can be extremely difficult to get things back into working order, especially given that most people have no idea how to lock down their site for the future…and even many of the I.T. people they've hired don't know how to really do it.

I’ve identified __ major focus areas in the WordPress framework, as well as your hosting environment setup, that need DEFCON 2 priority status RIGHT NOW (or preferably, before you launch your site)! Knowing most sites are hosted on shared servers (sigh..), I’ll start with those in mind, and what you can do now. By the way, make sure all site files and database are backed up FIRST, before you move any further!

  1. Ask your developer to change the WordPress Database name in MySQL Databases, inside your hosting cPanel, and have them establish an iron-clad naming convention from this point on. If they don’t know what you’re talking about, email me! If they’ve already done this, thank them.
  2. Change your database password and username, to the new naming convention rules setup earlier. If your dev doesn’t know how to do this, email me. If they already did this, hug & thank them this time!
  3. Now you’re ready for the wp-config.php file changes. Have your dev change the database name, username and password to the new naming convention.
  4. In this same wp-config file, change the line that reads $table_prefix = '????_'; to a more robust and secure set of characters. WordPress by default is set to wp_, and hackers know this all too well.
  5. One last change in this wp-config file while we're here. Have you or your developer copy and paste this URL into your browser: https://api.wordpress.org/secret-key/1.1/salt/ and hit the browser refresh a couple of times to stir up the salt. Copy ALL THE RESULTS YOU SEE…and place that new salt on lines 45-52 in the wp-config file, and hit save.
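As an added example (my own, not code from the original post), here is a Python script that ties steps 2 through 5 together. It audits a wp-config.php for the defaults those steps remove (the wp_ prefix, a root database user with an empty password, the "put your unique phrase here" placeholder salts a fresh download ships with), generates replacement salts locally from the same character set WordPress itself uses, so there is nothing to fetch, and emits the MySQL statements the prefix change needs, because changing $table_prefix in wp-config.php alone does not rename the tables already in the database or the prefixed option and usermeta keys WordPress looks up by prefix. The SAMPLE_WP_CONFIG text and the db_/u_ naming convention are assumptions made for the example.

```python
"""Audit a WordPress wp-config.php for the defaults steps 2-5 target and
generate hardened replacements locally.

Added example, not code from the original post. SAMPLE_WP_CONFIG is a
constructed wp-config.php; the db_/u_ naming convention is hypothetical.
"""
import re
import secrets
import string

# Same character set WordPress's own salt generator uses (64 chars per key).
# It contains neither ' nor \ so a value is safe inside a single-quoted PHP string.
SALT_CHARS = string.ascii_letters + string.digits + "!@#$%^&*()" + "-_ []{}<>~`+=,.;:/?|"
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # what a fresh download ships with
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\);")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)';")

# Constructed wp-config.php with every weak default the steps talk about.
SAMPLE_WP_CONFIG = "<?php\n" + "\n".join(
    ["define( 'DB_NAME', 'wordpress' );",
     "define( 'DB_USER', 'root' );",
     "define( 'DB_PASSWORD', '' );",
     "define( 'DB_HOST', 'localhost' );"]
    + [f"define( '{k}', '{PLACEHOLDER}' );" for k in SALT_KEYS]
    + ["$table_prefix = 'wp_';"]) + "\n"

def parse_wp_config(text):
    """Pull the define()d constants and $table_prefix out of wp-config.php."""
    cfg = dict(DEFINE_RE.findall(text))
    m = PREFIX_RE.search(text)
    cfg["table_prefix"] = m.group(1) if m else "wp_"
    return cfg

def audit(cfg):
    """Return one finding per weak default still present (empty list = clean)."""
    findings = []
    if cfg["table_prefix"] == "wp_":
        findings.append("table_prefix is the default 'wp_'")
    if cfg.get("DB_NAME", "") in ("", "wp", "wordpress"):
        findings.append("DB_NAME is a guessable default")
    if cfg.get("DB_USER", "") in ("", "root", "admin", "wordpress"):
        findings.append("DB_USER is a guessable default")
    if len(cfg.get("DB_PASSWORD", "")) < 16:
        findings.append("DB_PASSWORD is empty or shorter than 16 characters")
    for key in SALT_KEYS:
        val = cfg.get(key, "")
        if val == PLACEHOLDER or len(val) < 64:
            findings.append(f"{key} is the placeholder or shorter than 64 characters")
    return findings

def generate_salts():
    """Eight 64-character keys from a CSPRNG, the same shape api.wordpress.org returns."""
    return {k: "".join(secrets.choice(SALT_CHARS) for _ in range(64)) for k in SALT_KEYS}

def new_table_prefix(length=6):
    """WordPress only accepts letters, digits and underscores in the prefix."""
    alphabet = string.ascii_lowercase + string.digits
    body = secrets.choice(string.ascii_lowercase) + "".join(secrets.choice(alphabet) for _ in range(length - 1))
    return body + "_"

def rewrite_wp_config(text, new_defines, new_prefix):
    """Replace the listed define() values and $table_prefix in place."""
    def repl(m):
        key = m.group(1)
        return f"define( '{key}', '{new_defines[key]}' );" if key in new_defines else m.group(0)
    text = DEFINE_RE.sub(repl, text)
    return PREFIX_RE.sub(lambda m: f"$table_prefix = '{new_prefix}';", text)

def rename_table_sql(tables, old_prefix, new_prefix):
    """Changing $table_prefix alone does not rename existing tables; these statements
    move the tables and the prefixed option/usermeta keys (wp_user_roles,
    wp_capabilities, ...) that WordPress looks up by prefix."""
    stmts = [f"RENAME TABLE `{t}` TO `{new_prefix}{t[len(old_prefix):]}`;"
             for t in tables if t.startswith(old_prefix)]
    like = old_prefix.replace("_", r"\_") + "%"   # '_' is a LIKE wildcard; escape it
    cut = len(old_prefix) + 1                      # SUBSTRING positions are 1-based
    stmts.append(f"UPDATE `{new_prefix}options` SET option_name = "
                 f"CONCAT('{new_prefix}', SUBSTRING(option_name, {cut})) WHERE option_name LIKE '{like}';")
    stmts.append(f"UPDATE `{new_prefix}usermeta` SET meta_key = "
                 f"CONCAT('{new_prefix}', SUBSTRING(meta_key, {cut})) WHERE meta_key LIKE '{like}';")
    return stmts

def harden(text, existing_tables):
    """Steps 2-5 in one pass: new credentials, new prefix, fresh salts, plus the SQL for the prefix."""
    old_prefix = parse_wp_config(text)["table_prefix"]
    new_prefix = new_table_prefix()
    new_defines = {"DB_NAME": "db_" + secrets.token_hex(4),   # hypothetical naming convention
                   "DB_USER": "u_" + secrets.token_hex(4),
                   "DB_PASSWORD": secrets.token_urlsafe(24),   # 32 chars, no quotes or backslashes
                   **generate_salts()}
    return rewrite_wp_config(text, new_defines, new_prefix), rename_table_sql(existing_tables, old_prefix, new_prefix)

if __name__ == "__main__":
    print("Before:", audit(parse_wp_config(SAMPLE_WP_CONFIG)))
    new_text, sql = harden(SAMPLE_WP_CONFIG, ["wp_options", "wp_users", "wp_usermeta", "wp_posts"])
    print("After:", audit(parse_wp_config(new_text)))
    print("\n".join(sql))
```

Run it against a copy of your real wp-config.php rather than the constructed sample: back up the file and the database first (as the post says), create the new database user with the generated credentials in cPanel, apply the printed SQL with your MySQL client before switching in the rewritten file, and confirm the audit comes back empty afterwards.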

If you/your developer have established a strong and secure naming convention, followed all the steps, and performed everything correctly in all the locations and files, then you have just taken your shared hosting website to a significantly more robust level of security. Provided you/your developer keep the new password, username and database info safe, it will be very unlikely you'll ever get hacked again. In fact, there's only one way to virtually guarantee you'll never get hacked: implement my "hacker/reverse engineer" strategies on a VPS or Dedicated server environment, and become BULLETPROOF!

Yeah right, like I was going to give you the scripts and code to make that happen…for free. Besides, what I just gave you for free is enough to secure most websites you’ll ever build, and keep you happy for a long long time.

It's only when you plan on moving thousands of dollars, or even millions of dollars, through your e-commerce website…that you'll want to implement my VPS/Dedicated server-side code. For that, you'll have to reach out to me…and we'll discuss the heavy stuff over a dram or two of a heavily peated Scotch. (nudge, nudge…I prefer Laphroaig 10 Year Cask Strength, if you'd like a discount on services…
