Website Security

Web Security

Question: What is WordPress Website Security, and Why Do I Need It?

Website Security is a set of methods designed to protect your computer or web server from being controlled by others that you have not given permission.

WordPress is what is called a Content Management System – or CMS for short. Its job is to help you manage all of the content you want to share with your website visitors. WordPress is so good at what it does that it is #1 in the world.

However, many bad people – referred to as hackers or black hats – want to steal your data or take over your website for nefarious purposes. That’s where the Website Security part of what we do comes into play.

For the “techy” folks out there or the non-techy who want to become just a little more techie, please keep reading. I have more details on some of the key things we do to secure and protect your business website from the “big bad wolf” who wants to destroy or hold your business for ransom.

  • One, on our web servers, we do a process referred to as “hardening.” This is a documented process we go through each time we set up a new webserver to run our client’s website. It involves changing permissions on files to prevent hackers from gaining control of our web servers. It also involves renaming and moving files from their “normal” names and locations on the servers. These are just a few of the webserver hardening steps we take to protect our web servers from bad hackers.
  • Two, we run professional-grade security software on our web servers. This adds a layer of protection to our web server hardening process. The security software we use does way too many things to list here. However, it helps make our web servers, and therefore your website, safer from hackers.
  • Third, we use a Content Delivery Network – or CDN for short – as both a layer of protection and as a way to speed up the delivery of your content to your website visitors no matter where in the world they reside. A Content Delivery Network is a geographically distributed network of proxy web servers and their data centers. The goal is to distribute copies of your website geographically worldwide as close as possible to your website end-users to provide high availability and high performance.

 

This is why your website needs our Website Security Service.

Please keep reading to learn more about our Website Security Service features.

Website Security Features

SSL CERTIFICATE

We provide every one of our websites with an SSL Certificate as part of their Webcare Plan.

This certificate is issued by the well-known Let’s Encrypt  Certificate Authority.

Let’s Encrypt is a nonprofit Certificate Authority providing TLS certificates to 240 million websites.

An SSL certificate is a digital certificate that provides authentication for a website and enables an encrypted connection. SSL certificates provide a layer of security to your website. These certificates communicate to the client that the web service host demonstrated ownership of the domain to the certificate authority at certificate issuance.

24×7 SECURITY MONITORING

We use several tools to monitor the security of our client’s websites every minute.

For example, we use the well-known software security platform Wordfence

Wordfence includes an endpoint firewall and malware scanner that was built from the ground up to protect WordPress. Their Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures, and malicious IP addresses need to keep your website safe. Rounded out by a suite of additional features, Wordfence is the most comprehensive security option available.

For security reasons, we don’t divulge all of the tools and methods we deploy to protect our client’s websites’ security.

24×7 UPTIME MONITORING

Your website can only bring you customers if it is up and running properly.

We check our client’s website every 5-minutes to ensure that it is up and running. 

We accomplish this using what is known as a “ping” service. This ping is an electronic “knock on your front door” to see if you are home. If you respond with a “Yes,” then we know you are responsive and available. If you don’t respond, our service sends us a text and email to let us know something is amiss. Our team jumps in and manually checks on your website for issues and resolves any that are found.

SERVICE CRASH ALERT

If your website goes offline (down) for more than a few minutes, some clients want to know. 

Our Service Crash Alert Service informs you of any extended downtime so that you are aware and don’t get surprised by an email, text, or phone call from one of your customers. 

OFFSITE BACKUP

At some point, every website has some event that takes it down (off-line).

This is true of your personal and business computer, your iPad, and your Cell Phone.

For those of us who backup our devices to another computer, preferably not one in our home or business, this is not a total nightmare, only an inconvenience.

Offsite Backup is a service that we include in every Website Webcare Plan. 

ECommerce Websites we back up every hour to minimize the risk of any financial transactions being lost.

Business Website we back up weekly as changes to the website is less frequent.

Personal Branding Websites we backup at least once a month and usually weekly if the client is creating blog posts more frequently.

SECURITY SCAN

Even with all of the precautions, we take to protect your website, some hackers might find a way to put malicious code on your website.

For this reason, we run a weekly scan looking for any code that should not be there. If we find any malicious code, we remove it.

SSL CERTIFICATE CHECK

We use Let’s Encrypt SSL Certificates. Per their policy, we have to renew the certificate every 90 days.

To ensure that the SSL renewal process runs correctly, we check the timestamps on each website’s SSL Certificate regularly and update each website’s SSL Certificate before it expires.

MALWARE SCAN

Malware is code that has found its way onto your computer or web server. 

Although we have many processes in place to prevent this, no process is 100% perfect.

To uncover any malware that found its way into your website, we run a number of both real-time and monthly malware scans. If any malware is found, it is immediately removed.

FILE CHANGE ALERT

Malware is code that has found its way onto your computer or web server. 

One method we use to identify if malware has gotten onto your website is to monitor all of the files that make up your website.

If our file change monitoring software detects a file change, we investigate. If we determine that the file change was malware-related, we can revert the file to its original code with one click.

CLOUD PROXY FIREWALL PROTECTION

A key layer of protection for every website is to have a firewall. We run on Linux web servers and have a hardware firewall.

Additionally, we use a software firewall service named Wordfence. 

Wordfence includes an endpoint firewall and malware scanner that was built from the ground up to protect WordPress websites. The Wordfence Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures, and malicious IP addresses it needs to keep your website safe. Rounded out by a suite of additional features, Wordfence is the most comprehensive security option available.

Contact

Contact Us

FAQ

FAQ

“Website Security” is the work related to keeping your website and its data safe and hidden from those who should not be able to see it.

Every day that goes by, evil people and governments around the world (referred to as “Black Hats”) spend endless hours trying to break into (referred to as “Hacking”) websites, including yours, around the world. We’ve all heard about the very public breaking of Target, Facebook and too many others to list here. To protect your website you need a small army of highly skilled professionals (referred to as “White Hats”) to protect your website. Now to get you your “army” of “White Hats” to protect your website at a cost you can afford, we’ve combined the skills of our teams knowledge of knowing how to lock down and protect the web servers that store your website files, with a set of best-in-class WordPress Plugins to create the most impregnable security wall we know how to build. Our skills and these Security Plugins combine putting the right access permissions on all the files on your website, creating layers of firewalls directly on the hardware servers and a software firewall on the multiple instances of your website that we put o servers around the world to provide super fast page loads for your website visitors.

All of these things fall under what we call “Website Security”.

What happens if you don’t have best-in-class security on your website? Nothing good. Your website “gets hacked” and now both your confidential information and your clients are in the hands of criminals. Guess what? You may not even know for weeks or months that your website has been hacked! Do you know how most websites find out they have been hacked? They start getting emails and calls from their customers telling you that they’re suddenly getting a bunch of email spam – or worse – if you have an eCommerce Website, they’re asking you if you shared their credit card with anyone because a bunch of unauthorized charges showed up and they had to have a new card issued and the old one canceled. You suddenly have to hire a very experienced “White Hat” developer to check out your website, verify if you’ve been hacked, then fix it. It can cost thousands of dollars and the entire time you’re not selling online! On top of that, you could face lawsuits from the credit card companies or your clients. Now you have legal costs too. Yikes!

Now no one can promise you that a website can’t be hacked. We can’t and are not promising that either. But most websites that are hacked were gotten into for very simple to close open holes in the security of their website. We do our best to make sure that none of the open holes that most Black Hat Hackers use to break into websites are open to them. Most Black Hat Hackers looks for the “Easy Break-ins”. Every minute of every day we can see the Black Hat Hackers probing our client’s website. They find all the doors securely locked. They move on looking for another website that is not as secure to break into. That how criminals work.

The strength of your password directly affects how easy it is to guess that password or how long it takes a hacker to crack it. In many cases, hackers gain access to an account because the account’s owner set a weak password. To set a strong password, follow University password guidelines:
  • Create a longer password. The more characters you use, the harder the password will be to guess and the longer it would take to crack. UDelNet passwords must be between 12 and 30 characters long.
  • Never use a single dictionary word or name as your password.
  • Use a variety of characters, including uppercase letters, lowercase letters, numerals, and special characters like punctuation marks.
  • Never choose an obvious password like “password,” “password1,” “12345,” or “00000.”
If you have a hard time remembering passwords containing random characters, try using a passphrase, which is a string of words used as a single password. For example, “ClevelandChapelLovettAcademy,” or “CorrectHorseBatteryStaple” are both passphrases with 25 or more characters, but they can be easier to remember than randomly generated passwords even 15 characters long!

Two-factor authentication (2FA) is a method of protecting your digital accounts from unauthorized access and use.

Normally you log in to any digital account by providing your username and password. This is a quick way to log in.

However, the downside is hackers can easily access your account if they steal or crack your password. But, if your account is protected by 2FA, then you will need to provide the standard username and password combination and then a second authentication factor (such as a temporary security code or the answer to a security question) to log in.

Even if hackers steal or crack the password to a 2FA-protected account, they still can’t log in to it without the second factor. 

You’re urged to enable 2FA protection for your sensitive accounts, such as your banking, credit card, tax filing, and investment accounts.

Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent. It is also known as malicious software. To learn more about malware, check out this resource.

Very serious:

  • Nine out of 10 PCs connected to the Internet are infected with spyware.(1)
  • 88% of Spy Audit scans found some form of unwanted program (Trojan, system monitor, cookie or adware) on consumer computers.(1)
  • “About 10 million Americans have their personal information pilfered and misused in some way or another every year, costing consumers $5 billion and businesses $48 billion annually.” – Federal Trade Commission, June 21, 2005
  • Some form of spyware can be found on 87% of corporate PCs.(1)
  • “A hacker was able to access potentially 40 million credit card numbers by infiltrating the network of a company that processed payment data for MasterCard International and other companies.” – InfoWorld, July 17, 2005
  • 86% U.S. adult Internet users believe that spyware on their computers has caused them to suffer a monetary loss.(2)

(1)State of Spyware Report
(2)eMarketer, 2005

Even if you’re very careful, your web server or computer can pick up malware through normal Internet activities.

  • Visiting any media-supported Web site and you’re bound to get a tracking cookie.
  • Sharing music, files or photos with other users.
  • Installing software applications without fully reading license agreements.

Your computer may be infected if you recognize any of these symptoms:

  • Sluggish PC performance.
  • An increase in pop-up ads.
  • Mysterious new toolbars you can’t delete.
  • Unexplained changes to homepage settings.
  • Puzzling search results.
  • Unidentified toll charges on your phone bill.
  • Frequent computer crashes.
  • Just say “No!” to free software.
  • Increase your browser security settings.
  • Update your security patches regularly.
  • Avoid questionable Web sites.
  • Be suspicious of email and IM.
  • Use public or multiple-user computers with extreme caution.
  • Beware of peer-to-peer file-sharing services.
  • Use a firewall.
  • Use anti-virus protection.
  • Use the Mozilla Firefox browser.
  • Use a good anti-spyware product, not a free one.

Adware is any software application that has the ability to display advertisements on your computer. Some adware can track your surfing habits to display targeted promotions on your Web browser in the form of pop-up, pop-under and banner ads.

Adware watches as you surf the Internet to collect information about your behavior. Next, adware disrupts your browsing by popping up context-related promotions right on top of your screen, causing you to second guess your next online move.  Also, Adware runs quietly in the background of your computer, observing your every move. Adware logs your online activities and personal information to create a user profile and sends it to a data collection site. From the data collection site, your data is used to evaluate your surfing habits and send you targeted advertising.

The first step is to start with the use a spy scan program designed for spyware detection to see if you’re infected. Next, after you know your infection level, you will be able to take back control of your computer.

The second step is you can try to remove the spyware manually, but removal is a difficult and complicated process for even the most experienced computer user. Without recognized, top-quality anti-spyware software, spyware removal will be incomplete at best.

The third step is to choose a spyware protection solution. A complete anti-spyware software package includes anti-spyware software, anti-virus protection, and a firewall. Look for these qualities when selecting an anti-spyware software solution:

  • Provides frequent version and definition updates to combat the latest threats. 
  • Consistently wins awards from industry-leading publications.
  • Has a dedicated, round-the-clock research team devoted to tracking spyware evolution.
  • Is backed by an innovative company with a solid business reputation.

Being hacked means that someone has gained access to your website files without your permission. This is because they want to perform a malicious activity like injecting spam, stealing data or to enable a wider hacking attack. 

Yes!

Every single website is at risk of hacking. No website can be 100% safe.

Any hosting provider should (hopefully) have at least a basic level of security on their server.

However, most hosting providers do not maintain your WordPress website on your behalf (unless you have a Managed WordPress Hosting LINK:https://www.elegantthemes.com/blog/resources/all-the-top-managed-wordpress-hosts-compared). So it is up to you to keep your website safe and secure.

Of course, we do that for you with our Website 100% Care Plan.

Browser hijacker spyware resets your homepage so each time you launch your browser you land on the site it wants you to.

Homepage hijackers use this method to force hits to their websites since most sites have ads. More hits mean higher costs for advertising and ultimately more money for the spyware-toting villain.

Browser hijackers are more than just annoying:  The spyware they carry can cause irreparable damage to your files and programs as well as jeopardize your personal information and identity.

There are a few easy things you can do right away to help prevent further spyware infection and reclaim your homepage:

  • Update your operating system regularly.
  • Avoid questionable Web sites.
  • Practice safe email protocol:
  • Don’t open messages from unknown senders.
  • Immediately delete messages you suspect to be spam.
  • Avoid free software and file-sharing applications.
  • Use anti-virus protection and a firewall.
  • Get anti-spyware software protection.
It’s usually quite an intensive job to fix a hacked website. So this is why we recommend hiring a professional to make sure that it is completely cleaned and any underlying issues are dealt with.
  • Always keep WordPress and your plugins and theme updated to the most recent versions
  • Have a security plugin such as Wordfence installed.
  • Backup your website frequently

You should keep your website backed up so that if anything bad was to happen to it then an earlier version can be restored and any vulnerabilities dealt with.

Our standard backup procedure is now daily backups for eCommerce sites with 31 days of backups stored off-site.

Business websites are backed up weekly with 4+ weeks of backups stored off-site.

Personal-Branding websites are backed up weekly with 4+ weeks of backups stored off-site.

If the update is for a security issue, ideally as soon as an update is released for a plugin or theme.

Certainly one needs to check for updates on a weekly basis at least.

We use Wordfence as one of our security firewall. You can configure Wordfence to notify you via email when a plugin or theme needs updating.

We update plugins and themes for security issues as soon as we become aware. Non-security updates are done at least once a week.

Spam is unsolicited email. It’s sent, usually in high volume, through “open-relays” to millions of people.

Spam is cost-shifted advertising. Spam takes a toll on Internet users’ time, their resources, and the resources of Internet Service Providers (ISP).

Recently, spammers have begun to send advertisements via text message to cell phones.

To minimize or stop spam, use a spam filter or gateway to scan inbound messages. A simple way you can prevent spam damage is to practice safe email protocol:

  • Don’t open email or text messages from unknown senders.
  • Immediately delete messages you suspect are spam.
  • Avoid get-rich-quick offers, porn or too-good-to-be-true messages.

Think of a biological virus – the kind that makes you ill. Human viruses are nasty, keeping you from functioning normally and often requires something powerful to get rid of it.

A computer virus delivered over the Internet is very similar. Designed to relentlessly replicate, viruses infect your computer programs and files, alter the way your computer operates or stop it from working altogether.

Take the steps below to fortify your computer against viruses:

  • Use anti-virus protection and a firewall.
  • Update your operating system regularly.
  • Increase your browser security settings.
  • Avoid questionable Web sites.
  • Only download software from sites you trust.
  • Practice safe email protocol:
  • Don’t open messages from unknown senders.
  • Immediately delete messages you suspect to be spam.
  • Avoid free software and file-sharing applications.
  • Get anti-spyware software protection.

Phishing is an online con artist game played by tech-savvy  identity thieves. These con artists use spam, malicious Web sites, email and instant messages to trick you into divulging sensitive information, like bank account passwords and credit card numbers.

Take the steps below to minimize phishing scams:

  • Do not provide personal information to any unsolicited requests for information.
  • Only provide personal information on sites that have “https” in the web address or have a lock icon at bottom of the browser.
  • If you suspect you’ve received phishing bait, contact the company that is the subject of the email by phone to check that the message is legitimate.
  • Type in a trusted URL for a company’s site into the address bar of your browser to bypass the link in a suspected phishing message.
  • Use varied and complex passwords for all your accounts.
  • Continually check the accuracy of personal documents and deal with any discrepancies right away.
  • Avoid questionable Web sites.
  • Practice safe email protocol:
  • Don’t open messages from unknown senders.
  • Immediately delete messages you suspect to be spam.
  • Use anti-virus protection and a firewall.
  • Get anti-spyware software protection.
There are three overlapping types of risk:
  1. Bugs or misconfiguration problems in your Web server that allow unauthorized remote users to:
    • Steal confidential documents not intended for their eyes.
    • Execute commands on the server host machine, allowing them to modify the system.
    • Gain information about the Web server’s host machine that will allow them to break into the system.
    • Launch denial-of-service attacks, rendering the machine temporarily unusable.
  2. Browser-side risks, including:
    • Active content that crashes the browser, damages the user’s system, breaches the user’s privacy, or merely creates an annoyance.
    • The misuse of personal information knowingly or unkowingly provided by the end-user.
  3. Interception of network data sent from browser to server or vice versa via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server including:
    • The network on the browser’s side of the connection.
    • The network on the server’s side of the connection (including intranets).
    • The end-user’s Internet service provider (ISP).
    • The server’s ISP.
    • Either ISPs’ regional access provider.
Even “Secure” browsers and servers are only designed to protect confidential information against network eavesdropping. Without system security on both browser and server sides, confidential documents are vulnerable to interception.
As a Webmaster, system administrator, or are otherwise involved with the administration of a network, the single most important step you can take to increase your site’s security is to create a written security policy. Your security policy should succinctly lay out your organization’s policies with regard to:
  • who is allowed to use the system
  • when they are allowed to use it
  • what they are allowed to do (different groups may be granted different levels of access)
  • procedures for granting access to the system
  • procedures for revoking access (e.g. when an employee leaves)
  • what constitutes acceptable use of the system
  • remote and local login methods
  • system monitoring procedures
  • protocols for responding to suspected security breaches
This policy need only be a succinct summary of how the information system work, reflecting your organization’s technological and political realities. There are several benefits to having a written security policy:
  • You yourself will understand what is and is not permitted on the system. If you don’t have a clear picture of what is permitted, you can never be sure when a violation has occurred.
  • Others in your organization will understand what the security policy is. The written policy raises the level of security consciousness, and provides a focal point for discussion.
  • The security policy serves as a requirements document against which technical solutions can be judged. This helps guard against the “buy first, ask questions later” syndrome.
  • The policy may help bolster your legal case should you ever need to prosecute for a security violation.

Some good books to get are:

A source of upd-to-date information, including the discovery of new security holes, are the CERT Coordination Center advisories, posted to the newsgroup comp.security.announce, and archived at:

ftp://ftp.cert.org/pub/cert_advisories/

An SSL certificate is a major part of website security as it encrypts the data communication between the website and the website visitor.

If you take online payments, or have an online form, or if your website has a password protected area (i.e. EVERY SINGLE WORDPRESS WEBSITE!) then you must have an SSL certificate.

Web browsers are now marking websites without an SSL certificate (addresses that start http instead of https) as NOT SECURE.

Google search results are starting to do the same.

Will visitors think twice about clicking on your website if it says NOT SECURE on Google?

Yep!

A DoS is when a large number of requests are made on a particular website to overload the server and therefore take it offline.

A DDoS is when these requests are coming from a variety of sources (making it more difficult to block).

Firewalls can either be in the form of hardware or software.

Firewalls are used to block dangerous and suspicious activity. They can also be used to block access from countries, regions or individual domains that are not in a targeted sales market. 

No. Digital attackers are attacking Macs as well as Windows and Linux computers now. 

It’s Easy!

Look for the Button “Choose Your Hosting – Maintenance – Security – Support Plan”

OTHER SERVICES