WEBSITE SECURITY

WEBSITE SECURITY SERVICE
◼︎WEBSITE SECURITY SERVICE

WEBSITE SECURITY

Website Security is a set of methods designed to protect your computer or web server from being controlled by others that you have not given permission.

WordPress is what is called a Content Management System – or CMS for short. Its job is to help you manage all of the content you want to share with your website visitors. WordPress is so good at what it does that it is #1 in the world.

However, many bad people – referred to as hackers or black hats – want to steal your data or take over your website for nefarious purposes. That’s where the Website Security part of what we do comes into play.

Website Security Details for the “Techies”

For the “techy” folks out there or the non-techy who want to become just a bit more techie, please keep reading. I have more details on some of the critical things we do to secure and protect your business website from the “big bad wolf” who wants to destroy or hold your business for ransom.

Website Security Step One: 

On our web servers, we do a process referred to as “hardening.” Hardening is a documented process we go through each time we set up a new webserver to run our client’s website.

Hardening involves changing permissions on files to prevent hackers from gaining control of our web servers.

When we harden a website, it also requires renaming and moving files from their “normal” names and locations on the servers. These are just a few of the website server hardening steps we take to protect our web servers from evil hackers.

Website Security Step Two:

We run professional-grade security software on our web servers. Security software adds a layer of protection to our web server hardening process.

The security software we use does way too many things to list here. However, it helps make our web servers, and therefore your website, safer from hackers.

Website Security Step Three:

We use a Content Delivery Network – or CDN for short – as both a layer of protection and as a way to speed up the delivery of your content to your website visitors no matter where in the world they reside.

A Content Delivery Network is a geographically distributed network of proxy web servers and their data centers.

The goal is to distribute copies of your website geographically worldwide as close as possible to your website end-users to provide high availability and high performance.

FAQ

FAQ

“Website Security” is the work related to keeping your website and its data safe and hidden from those who should not be able to see it.

Every day that goes by, evil people and governments around the world (referred to as “Black Hats”) spend endless hours trying to break into (referred to as “Hacking”) websites, including yours, around the world.

We’ve all heard about the very public breaking of Target, Facebook, and too many others to list here. To protect your website, you need a small army of highly skilled professionals (referred to as “White Hats”) to protect your website. 

Now to get you your “army” of “White Hats” to protect your website at a cost you can afford, we’ve combined the skills of our team’s knowledge of knowing how to lock down and protect the web servers that store your website files, with a set of best-in-class WordPress Plugins to create the most impregnable security wall we know how to build. 

Our Skills

Our skills and these Security Plugins combine putting the right access permissions on all the files on your website, creating layers of firewalls directly on the hardware servers, and a software firewall on the multiple instances of your website that we put servers around the world to provide super-fast page loads for your website visitors.

All of these things fall under what we call “Website Security.”

What happens if you don’t have best-in-class security on your website? Nothing good. Your website “gets hacked,” and now both your confidential information and your clients are in the hands of criminals. 

Guess what? 

You may not even know for weeks or months that your website has been hacked! Do you know how most websites find out they have been hacked? They start getting emails and calls from their customers telling you that they’re suddenly getting a bunch of email spam – or worse – if you have an eCommerce Website, they’re asking you if you shared their credit card with anyone because of a bunch of unauthorized charges showed up. They had to have a new card issued and the old one canceled. 

You suddenly have to hire a very experienced “White Hat” developer to check out your website, verify if you’ve been hacked, then fix it. It can cost thousands of dollars, and the entire time you’re not selling online! On top of that, you could face lawsuits from credit card companies or your clients. Now you have legal costs too. Yikes!

Our Promise

Now no one can promise you that a website can’t be hacked. We can’t and are not promising that either. But most websites that are hacked were gotten into for very simple to close open holes in the security of their website. 

We do our best to ensure that none of the open holes that most Black Hat Hackers use to break into websites are open to them. Most Black Hat Hackers look for the “Easy Break-ins.” 

Every minute of every day, we can see the Black Hat Hackers probing our client’s website. They find all the doors securely locked. They move on, looking for another website that is not as secure to break into. That how criminals work.

The strength of your password directly affects how easy it is to guess that password or how long it takes a hacker to crack it. In many cases, hackers gain access to an account because their owner sets a weak password.

To set a strong password, follow University password guidelines:

  • Create a longer password. The more characters you use, the harder the password will be to guess and the longer it would take to crack. UDelNet passwords must be between 12 and 30 characters long.
  • Never use a single dictionary word or name as your password.
  • Use various characters, including uppercase letters, lowercase letters, numerals, and special characters like punctuation marks.
  • Never choose an obvious password like “password,” “password1,” “12345,” or “00000.”
Remember:

If you have a hard time remembering passwords containing random characters, try using a passphrase, a string of words used as a single password. For example, “ClevelandChapelLovettAcademy,” or “CorrectHorseBatteryStaple” are both passphrases with 25 or more characters, but they can be easier to remember than randomly generated passwords even 15 characters long!

Two-factor authentication (2FA) is a method of protecting your digital accounts from unauthorized access and use.

You usually log in to any digital account by providing your username and password

However, the downside is hackers can easily access your account if they steal or crack your password. But, if 2FA protects your account, then you will need to provide the standard username and password combination and then a second authentication factor (such as a temporary security code or the answer to a security question) to log in.

Even if hackers steal or crack the password to a 2FA-protected account, they still can’t log in to it without the second factor. 

You’re urged to enable 2FA protection for your sensitive accounts, such as your banking, credit card, tax filing, and investment accounts.

Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent.

It is also known as malicious software. To learn more about malware, check out this resource.

Very serious:

  • Nine out of 10 PCs connected to the Internet are infected with spyware. (1)
  • 88% of Spy Audit scans found some form of the unwanted program (Trojan, system monitor, cookie, or adware) on consumer computers. (1)
  • “About 10 million Americans have their personal information pilfered and misused in some way or another every year, costing consumers $5 billion and businesses $48 billion annually.” – Federal Trade Commission, June 21, 2005
  • Some form of spyware can be found on 87% of corporate PCs.(1)
  • “A hacker was able to access potentially 40 million credit card numbers by infiltrating the network of a company that processed payment data for MasterCard International and other companies.” – InfoWorld, July 17, 2005
  • 86% of U.S. adult Internet users believe that spyware on their computers has caused them to suffer a monetary loss. (2)

(1)State of Spyware Report
(2)eMarketer, 2005

Even if you’re very careful, your web server or computer can pick up malware through normal Internet activities.

  • Visiting any media-supported Web site and you’re bound to get a tracking cookie
  • By sharing music, files, or photos with other users
  • Through the installation of software applications without thoroughly reading license agreements

Your computer may be infected if you recognize any of these symptoms:

  • Sluggish PC performance.
  • An increase in pop-up ads.
  • Mysterious new toolbars you can’t delete
  • Unexplained changes to homepage settings.
  • Puzzling search results.
  • Unidentified toll charges on your phone bill
  • Frequent computer crashes

Yes!

Malware is code that has found its way onto your computer or web server. 

Although we have many processes in place to prevent this, no method is 100% perfect.

To uncover any malware that found its way into your website, we run a number of both real-time and monthly malware scans.

Any malware found is immediately removed.

  • Just say “No!” to free software.
  • Increase your browser security settings.
  • Update your security patches regularly.
  • Avoid questionable Web sites.
  • Be suspicious of email and IM.
  • Use public or multiple-user computers with extreme caution.
  • Beware of peer-to-peer file-sharing services.
  • Install a firewall.
  • Use anti-virus protection.
  • Use the Mozilla Firefox browser.
  • Install a good anti-spyware product, not a free one.

Adware is any software application that can display advertisements on your computer.

Some adware can track your surfing habits to display targeted promotions on your Web browser in the form of a pop-up, pop-under, and banner ads.

Adware watches as you surf the Internet to collect information about your behavior.

Next, adware disrupts your browsing by popping up context-related promotions right on top of your screen, causing you to second guess your next online move. 

Also, Adware runs quietly in the background of your computer, observing your every move. Adware logs your online activities and personal information to create a user profile and sends it to a data collection site. Your data is used from the data collection site to evaluate your surfing habits and send you targeted advertising.

The first step is to start using a spy scan program designed for spyware detection to see if you’re infected.

Next, after you know your infection level, you will be able to take back control of your computer.

The second step is to remove the spyware manually, but removal is a complicated and challenging process for even the most experienced computer user.

Without recognized, top-quality anti-spyware software, spyware removal will be incomplete at best.

The third step is to choose a spyware protection solution.

A complete anti-spyware software package includes anti-spyware software, anti-virus protection, and a firewall.

Look for these qualities when selecting an anti-spyware software solution:

  • Provides frequent version and definition updates to combat the latest threats
  • Consistently wins awards from industry-leading publications.
  • Has a dedicated, round-the-clock research team devoted to tracking spyware evolution
  • Is backed by an innovative company with a solid business reputation

“Being hacked” means that someone has gained access to your website files without your permission.

A hacker wants to perform a malicious activity like injecting spam, stealing data, or enabling a more comprehensive hacking attack. 

Yes!

Every single website is at risk of hacking. No website can be 100% safe.

Any hosting provider should (hopefully) have at least a basic level of security on their server.

However, most hosting providers do not maintain your WordPress website on your behalf (unless you have a Managed WordPress Hosting LINK:https://www.elegantthemes.com/blog/resources/all-the-top-managed-wordpress-hosts-compared). So it is up to you to keep your website safe and secure.

Of course, we do that for you with our WebCare Plan.

Browser hijacker spyware resets your homepage, so each time you launch your browser, you land on the hacker’s website.

Homepage hijackers use this method to force hits to their websites since most sites have ads. More hits mean higher costs for advertising and ultimately more money for the spyware-toting villain.

Browser hijackers are more than just annoying:  The spyware they carry can cause irreparable damage to your files and programs as well as jeopardize your personal information and identity.

There are a few easy things you can do right away to help prevent further spyware infection and reclaim your homepage:

  • Update your operating system regularly.
  • Avoid questionable Web sites.
  • Practice safe email protocol:
  • Don’t open messages from unknown senders.
  • Immediately delete messages you suspect to be spam.
  • Avoid free software and file-sharing applications.
  • Use anti-virus protection and a firewall.
  • Get anti-spyware software protection.

Yes!

Malware is code that has found its way onto your computer or web server. 

One method we use to identify if malware has gotten onto your website is to monitor all of the files that make up your website.

If our file change monitoring software detects a file change, we investigate. If we determine that the file change was malware-related, we can revert the file to its original code with one click.

Even with all of the precautions we take to protect your website, some hackers might find a way to put malicious code on your website.

For this reason, we run a weekly scan looking for any code that should not be there. If we find any malicious code, we remove it.

It’s usually quite an intensive job to fix a hacked website.

The skill to fix a hacked website is why we recommend hiring a professional.

  • Always keep WordPress and your plugins and theme updated to the most recent versions
  • Have a security plugin such as Wordfence installed
  • Backup your website frequently

You should keep your website backed up. If anything wrong was to happen, a saved version could be restored.

Our standard backup procedure is now daily backups for eCommerce sites with 31 days of backups stored off-site.

Business websites are backed up weekly with 4+ weeks of backups stored off-site.

Personal-Branding websites are backed up weekly with 4+ weeks of backups stored off-site.

If the update is for a security issue, you should update immediately.

Indeed, plugins and themes need to be checked weekly.

We use Wordfence as one of our security firewalls. You can configure Wordfence to notify you via email when a plugin or theme needs updating.

We update plugins and themes for security issues as soon as we become aware. Non-security updates are updated weekly.

Spam is an unsolicited email. It’s sent, usually in high volume, through “open-relays” to millions of people.

Spam is cost-shifted advertising. Spam takes a toll on Internet users’ time, resources, and Internet Service Providers’ resources (ISP).

Recently, spammers have begun to send advertisements via text message to cell phones.

To minimize or stop spam, use a spam filter or gateway to scan inbound messages. A simple way you can prevent spam damage is to practice safe email protocol:

  • Don’t open email or text messages from unknown senders.
  • Immediately delete messages you suspect are spam.
  • Avoid get-rich-quick offers, porn, or too-good-to-be-true messages.

Think of a biological virus – the kind that makes you ill. Human viruses are nasty, keeping you from functioning normally, and often requires something powerful to get rid of them.

A computer virus delivered over the Internet is very similar. Viruses infect your computer programs and files, alter the way your computer operates or stop it from working altogether.

Take the steps below to fortify your computer against viruses:

  • Use anti-virus protection and a firewall.
  • Update your operating system regularly.
  • Increase your browser security settings.
  • Avoid questionable Web sites.
  • Only download software from sites you trust.
  • Practice safe email protocol:
  • Don’t open messages from unknown senders.
  • Immediately delete messages you suspect to be spam.
  • Avoid free software and file-sharing applications.
  • Get anti-spyware software protection.

Phishing is an online con artist game played by tech-savvy identity thieves.

These con artists use spam, malicious Websites, email, and instant messages to trick you into divulging sensitive information, like bank account passwords and credit card numbers.

Take the steps below to minimize phishing scams:

  • Do not provide personal information to any unsolicited requests for information.
  • Only provide personal information on sites with “HTTPS” in the web address or have a lock icon at the browser’s bottom.
  • If you suspect you’ve received phishing bait, contact the company that is the email subject by phone to check that the message is legitimate.
  • Type in a trusted URL for a company’s site into your browser’s address bar to bypass the link in a suspected phishing message.
  • Use varied and complex passwords for all your accounts.
  • Continually check the accuracy of personal documents and deal with any discrepancies right away.
  • Avoid questionable Web sites.
  • Practice safe email protocol:
  • Don’t open messages from unknown senders.
  • Immediately delete messages you suspect to be spam.
  • Use anti-virus protection and a firewall.
  • Get anti-spyware software protection.

There are three overlapping types of risk:

  1. Bugs or misconfiguration problems in your Web server that allow unauthorized remote users to:
    • Steal confidential documents not intended for their eyes.
    • Execute commands on the server host machine, allowing them to modify the system.
    • Gain information about the Web server’s host machine that will allow them to break into the system.
    • Launch denial-of-service attacks, rendering the machine temporarily unusable.
  2. Browser-side risks, including:
    • Dynamic content that crashes the browser damages the user’s system, breaches the user’s privacy, or merely creates an annoyance.
    • The misuse of personal information knowingly or unknowingly provided by the end-user.
  3. Interception of network data sent from browser to server or vice versa via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server, including:
    • The network on the browser’s side of the connection
    • The network on the server’s side of the connection (including intranets)
    • The end-users Internet service provider (ISP)
    • The server’s ISP
    • Either ISPs’ regional access provider

“Secure” browsers and servers protect confidential information against network eavesdropping. Without system security on both browser and server sides, personal documents are vulnerable to interception.

As a Webmaster, system administrator, or are otherwise involved with the administration of a network, the single most important step you can take to increase your site’s security is to create a written security policy.

Your security policy should succinctly lay out your organization’s policies concerning:

  • who is allowed to use the system
  • when they are allowed to use it
  • what they are allowed to do (different groups may be allowed different levels of access)
  • procedures for giving access to the system
  • procedures for revoking access (e.g., when an employee leaves)
  • what constitutes acceptable use of the system
  • remote and local login methods
  • system monitoring procedures
  • protocols for responding to suspected security breaches
Your Policy

This policy need only be a concise summary of how the information system work, reflecting your organization’s technological and political realities. There are several benefits to having a written security policy:

  • You will understand what is and is not allowed on the system. If you don’t have a clear picture of what is allowed, you can never be sure when a violation has occurred.
  • Others in your organization will understand what the security policy is. The written policy raises the level of security consciousness and provides a focal point for discussion.
  • The security policy serves as a requirements document against which technical solutions can be judged. The security policy helps guard against the “buy first, ask questions later” syndrome.
  • The policy may help bolster your legal case should you ever need to prosecute for a security violation.

Some good books to get are:

A source of up-to-date information, including the discovery of new security holes, are the CERT Coordination Center advisories, posted to the newsgroup comp.security.announce, and archived at:

ftp://ftp.cert.org/pub/cert_advisories/

SSL CERTIFICATE

We provide every one of our websites with an SSL Certificate as part of their Webcare Plan.

An SSL certificate is issued by the well-known Let’s Encrypt  Certificate Authority.

Let’s Encrypt is a nonprofit Certificate Authority providing TLS certificates to 240 million websites.

An SSL certificate is a digital certificate that provides authentication for a website and enables an encrypted connection.

SSL certificates provide a layer of security to your website.

These certificates communicate to the client that the web service host demonstrated ownership of the domain to the certificate issuance certificate authority.

An SSL certificate is a significant part of website security as it encrypts the data communication between the website and the website visitor.

If you take online payments or have an online form, or if your website has a password-protected area (i.e., EVERY SINGLE WORDPRESS WEBSITE!), you must have an SSL certificate.

Web browsers are now marking websites without an SSL certificate (addresses that start HTTP instead of HTTPS) as NOT SECURE.

Google search results are starting to do the same.

Will visitors think twice about clicking on your website if it says NOT SECURE on Google?

Yep!

Yes!

We use Let’s Encrypt SSL Certificates. Per their policy, we have to renew the certificate every 90 days.

To ensure that the SSL renewal process runs correctly, we check the timestamps on each website’s SSL Certificate regularly and update each website’s SSL Certificate before it expires.

A DoS is when many requests are made on a particular website to overload the server and therefore take it offline.

A DDoS is when these requests come from various sources (making it more difficult to block).

A Firewall can either be in the form of hardware or software.

Firewalls block dangerous and suspicious activity.

A Firewall also blocks access from countries, regions, or individual domains not in a targeted sales market. 

A fundamental layer of protection for every website is to have a firewall. We run on Linux web servers and have a hardware firewall.

Additionally, we use a software firewall service named Wordfence. 

Wordfence includes an endpoint firewall and malware scanner built from the ground up to protect WordPress websites.

The Wordfence Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures, and malicious IP addresses need to keep your website safe.

Rounded out by a suite of additional features, Wordfence is the most comprehensive security option available.

At some point, every website has some event that takes it down (off-line).

For those who back up our devices to another computer, preferably not one in our home or business, this is not a total nightmare, only an inconvenience.

Offsite Backup is a service that we include in every Website Webcare Plan. 

E-Commerce Websites are “backed up” every hour to minimize the risk of losing any financial transactions.

Business Website we back up weekly as changes to the website is less frequent.

Personal Branding Websites we backup at least once a month and usually weekly if the client is creating blog posts more frequently.

No.

Digital attackers are attacking Macs as well as Windows and Linux computers now. 

Your website can only bring you customers if it is up and running correctly.

We check our client’s website every 5-minutes to ensure that it is up and running. 

We accomplish this using what is known as a “ping” service. This ping is an electronic “knock on your front door” to see if you are home.

If you respond with a “Yes,” then we know you are responsive and available.

If you don’t respond, our service sends us a text and email to let us know something is amiss.

Our team jumps in and manually checks on your website for issues and resolves any that are found.

SERVICE CRASH ALERT

If your website goes offline (down) for more than a few minutes, some clients want to know. 

Our Service Crash Alert Service informs you of any extended downtime so that you are aware and don’t get surprised by an email, text, or phone call from one of your customers. 

Yes!

We use several tools to monitor the security of our client’s websites every minute.

For example, we use the well-known software security platform Wordfence

Wordfence includes an endpoint firewall and malware scanner built from the ground up to protect WordPress. Their Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures, and malicious IP addresses need to keep your website safe. Rounded out by a suite of additional features, Wordfence is the most comprehensive security option available.

We don’t divulge all of the tools and methods we deploy to protect our client’s websites’ security for security reasons.

It’s Easy!

Go to the navigation bar at the top, and under “Website Services,” select “Website Care Plan & Pricing.”

HAVE SOME QUESTIONS?
READY TO ORDER?