Having your private practice website hacked can be an extremely frustrating and violating experience. But there are many – often simple – ways you can secure your therapy website from various types of hacking attempts.
In this blog post we’ll discuss six simple steps you can take to keep your private practice website secure when using WordPress.
1. Limit how many times someone can try and log in
One way that hackers try and get access to your website is by doing what’s called “brute force attacks”.
This is where a hacker will use some code to repeatedly try combinations of usernames and passwords in hopes to finally land on the correct one.
One way you can stop this is by limiting the amount of times anyone can try logging in with the incorrect credentials.
I like to use a plugin called Limit Login Attempts.
This plugin lets you set the amount of times someone can try to log in. I keep mine set to five times.
If someone tries using the wrong username and password 5 times in a row, they’re locked out from trying again:
Be warned though, make sure YOU have the right login info so you don’t lock yourself out!
2. Your WordPress username should never be “admin”
Don’t make it easy for the bad guys to guess your username.
Often when setting up WordPress, it will set the default username to “admin”.
Pretty easy to guess, right? And hackers know this.
If you’re doing the WordPress installation yourself, make sure to change that to something much harder to guess.
I like to use iPage’s WordPress hosting services (affiliate link).
During their super-simple WordPress set up, they automatically set your username to your email address, which is a much better option.
Whatever you use for your username, just make sure it’s not “admin”.
3. Use a strong password
This one is pretty straight-forward.
Just like not using “admin” as a username, you don’t want to make it easy for hackers to guess your password.
It’s often tempting to use a password you can easily remember, such as a birthday, but it’s best to use something even YOU can’t remember.
You can use a website like Secure Password Generator to create a very strong password for yourself.
Use it when you set up WordPress, or log in and change your old, simple password in the User settings.
Then write it down, or save it in Evernote or someplace safe.
4. Back up your website regularly
This one is kinda like having insurance for your website.
Having a backup of your WordPress files, content and database information is good practice.
You’ll be extremely thankful for this if your private practice website ever does get overtaken and you can’t access it.
I like to use a plugin called UpdraftPlus.
What I like the most about this plugin is that I can sync it with my Dropbox account and set it to automatically backup my website files.
Every two weeks the plugin does it’s job and I have a new set of WordPress and database files in my Dropbox folder, which I can easily access.
5. Update WordPress regularly
Keeping your WordPress updated to the latest version ensures that you’ve got the latest security patches that their developers have released.
WordPress is updated regularly to fix bugs and to patch known holes in their code that hackers have tried to exploit.
Now, this can be scary, because sometimes plugins don’t play nice with new versions of WordPress. Nine out of ten times it’s usually fine, but sometimes it can cause conflicts and crash your website.
It happens.
This is where having a backup is important.
If this happens, don’t panic. Get your hosting provider on the phone and they should be able to reset your website to a prior date and time where it was working.
6. Use 2-factor authentication to log in
Want to add some extra protection to your WordPress login page?
You can use Google’s Authenticator to create a 2-step process for logging in.
Not only would the user need the correct username and password, but they’ll also need an extra set of randomly generated numbers to log in.
Check out the plugin Google Authenticator – Two Factor Authentication to set up this extra piece of protection.
Once installed, WordPress will ask for the Google Authentication code along with the username and password.
Then you’ll have to hop over to the Google Authentication app and grab your random code in order to enter the website.
The app will generate a new code every 15 seconds or so, which really limits the amount of time someone has to guess at it.
Having the extra step can be a little annoying if you’re in a hurry, but it’s worth having the peace of mind knowing that unauthorized users will be stopped for gaining control of your website.
Conclusion
I’ve had my own WordPress websites hacked before, so I can tell you, it stinks.
One time, the website I had built for my church got hacked and the deviants posted links to adult material. NOT COOL!
So, take the necessary precautions.
In the excitement of creating your private practice website, it’s easy to overlook the boring things like setting up backups and 2-step authentication.
But just by taking a few extra moments to get these plugins installed or take these extra measures can provide protection against many of the typical attacks.
Many of the suggestions outlined here you only have to set up once, and then you don’t have to do anything else.
Then you can rest-assured you’ve done what you can to keep your therapy website safe.
