Whether you use WordPress, ExpressionEngine, or something else to power your website, you need to keep it updated. As a business owner, you may not have the time or ability to deal with it yourself. If that’s the case, hire somebody to do the job for you. It’s another expense, but it’s better than getting hacked.
I recently cleaned up an ExpressionEngine installation that was hacked. The software version was older, which was likely the source of the hack. Interestingly, the hack was aimed at WordPress. The damage was minimal, and perhaps due to the unfamiliar application structure, the hackers moved on. Here are a few basic steps to keep your website secure.
Keep the software up to date. Apply any theme, plugin, or WordPress updates as soon as you see them. If you hired a developer who is keeping track of your site with version control, you may want to check with the developer for the best workflow.
If your website is built with ExpressionEngine, hire your developer to keep the software up to date. Also have your developer update any add-ons as necessary.
Use secure passwords. Avoid dictionary words, use numbers, special characters, upper and lower case characters. Create a password with a decent length. I recommend using a password manager so you don’t have to worry about remembering passwords or coming up with secure ones. I use 1Password, and it works very well.
With ExpressionEngine, move the system folder above the web root. This moves application files out of the area used for your public website. Remove any unneeded add-ons. Disable member registration if you do not need it.
For WordPress, don’t install themes or plugins unnecessarily. If you don’t need a plugin, remove it. I also recommend avoiding themes that do it all (layout builders, multiple image sliders, etc.). Code used within these themes may have vulnerabilities that become a security hole if not patched quickly.
Review your website user accounts and remove any that are no longer active. Make sure permission levels are appropriate.