First off, in an effort to avoid this post morphing into a long list of boring stats, let me just say this: website security is more crucial now than ever. If, however, like me you enjoy the stats, I recommend some of the data provided by Wordfence, which makes for very sobering reading. It is enough to say that if you own or manage a WordPress website you are likely in the crosshairs of individuals with malicious intent. Hacking is a business, and a profitable one at that.
Secondly, this is not a tutorial but more a guide to the measures you can take to deter or slow down hackers. I will outline the methods we use at Je Suis Design, methods which are available to all WordPress users and, for the most part, easy to implement.
Prevention is better than cure
In the past decade hosting prices have fallen dramatically and today you can host a WordPress website for less than €4 per month, but what do you get for your money? Shared hosting is exactly what it says on the tin: you are sharing server space with thousands of other websites, websites that may not have security-conscious owners, and if their sites are compromised the attackers have the potential to reach other sites on the same server, making all of your efforts null and void. Yes, the hosting company has a vested interest in protecting the server, but they cannot defend against the individual who leaves their password at the default “pass”.
At JSD we host our sites on a Virtual Private Server (VPS) from a reputable provider. This is the middle ground between cheap shared hosting and a dedicated physical server (very expensive), and means we can offer our clients a cost-effective hosting solution whilst remaining in control of the sites that are hosted on the server. We do not resell hosting; we only host sites that we build and manage. While this is a little more expensive (approx. €150-200/yr per client) it is a much more secure option than shared hosting.
For people seeking to build and host their own site, I think you need to look within this middle ground. Providers such as WP Engine can offer you a managed hosting option which includes security and back-ups for a reasonable price.
SSL – Get Encrypted
Did you ever notice that some sites have a little green padlock in the address bar of your browser, or sometimes it is a long bar with the company name? That’s SSL and it is important!
SSL (Secure Sockets Layer, today implemented by its successor TLS, though the old name has stuck) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and unaltered in transit. Back in the day an SSL cert was expensive and only big businesses could really justify the expense, but that is no longer the case and today anybody can avail of a free SSL cert.
At JSD all of our hosted sites are certified via Comodo; however, a rapidly growing list of hosting providers will now allow you to add a cert via Let's Encrypt for free. If you are going solo with your build, ask your hosting provider for a free SSL cert. If they tell you they do not provide free certs or support Let's Encrypt, I would suggest that you look elsewhere, as there are many providers who do.
As an added incentive, Google now ranks sites with a cert higher in search than those without. Win win!
Don’t be the weakest link
We are the weakest link. By we I am referring to the human element. The vast majority of the time a security breach can be traced back to human error; what's more, when you look at brute force stats it is clear that the combination of a predictable login page URL and weak passwords is responsible for millions of penetrations each month.
In the heat of the moment we can all fall prey to poor password selection. You are being asked to come up with a password and your brain plucks out your default password “catsname1234”, and before you know it you are tapping it in! Now you are vulnerable.
In the past the only viable option to combat this was to have a spreadsheet or text doc filled with passwords. This worked fine for a while, but nowadays we need access to our sites on the fly and trying to make sense of a spreadsheet on your phone is no joke. Enter the online password vault.
While there are a number of options available in terms of password storage, at JSD we are big fans of LastPass. This simple application allows you to store all of your passwords in an online encrypted vault, is accessible from any device, will generate secure passwords for you, and it is free!
With the added functionality of two-step authentication and the ability to share passwords securely, we advise all of our clients to avail of this fantastic service; and not just for their websites but also for email, social media and so on. For the developers out there, the paid version of LastPass allows you to add team members to the account who can then access the sites without ever seeing the password, meaning that if that person leaves your employ you do not need to go through the process of changing all of the passwords they had access to. Pretty awesome.
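To make the “catsname1234” point concrete, here is a small added example (my own illustration, not LastPass code or anything from the original post) showing the two things a password vault does for you: it rejects the kind of password a tired brain reaches for, and it generates one from a cryptographic random source instead. The minimum length, the 60-bit entropy threshold and the tiny list of common defaults are assumptions chosen for the demo.

```python
import math
import re
import secrets
import string

# Policy values are assumptions for this example, not a published standard.
MIN_LENGTH = 14
MIN_ENTROPY_BITS = 60
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample of the defaults people fall back on (a real list would be far longer).
COMMON_PASSWORDS = {"password", "pass", "admin", "123456", "qwerty", "letmein"}


def entropy_bits(password):
    """Rough strength estimate: length * log2(size of the character classes actually used).
    This flatters structured passwords, which is why check_password() also looks at patterns."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def check_password(password):
    """Return the list of reasons a password is weak; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("common default password")
    # "catsname1234": a dictionary word with a few digits bolted on is the first
    # shape a brute-force wordlist tries, whatever the entropy estimate says.
    if re.fullmatch(r"[a-z]+[0-9]{1,4}", lowered):
        problems.append("dictionary word followed by digits")
    if entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


def generate_password(length=20):
    """Generate a password with the secrets module (a CSPRNG, unlike random.choice),
    retrying in the unlikely case the output trips the same checks we apply to humans."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    print("catsname1234 ->", check_password("catsname1234"))
    print("generated    ->", generate_password())
```

The vault's generator wins not because the characters are exotic but because nothing about the result is guessable from knowing the owner; the check function is there to show why the human-chosen fallback fails even when it is the same length.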
Toughen up with iThemes
So your site is on a solid hosting platform, you have an SSL cert and your passwords are strong; good start. Now we need to ‘harden’ the site. This is where the iThemes Security plugin comes in. iThemes Security is an all-in-one security plugin and does a fantastic job of hardening and securing your site. However, at JSD we use this plugin for its hardening properties only, for example changing the login URL, 404 detection, database backups and two-factor authentication.
iThemes provide detailed documentation on their recommended settings and there is also a plethora of tutorials out there on how to use specific functions; for example, here is a guide on changing the URL slug for the login page.
“Time spent securing is better than time spent recovering”
Secure with Wordfence
While many of the features that Wordfence provides can also be found in iThemes, in our experience Wordfence is superior in terms of firewall, brute force blocking and threat identification.
Spend some time over on the Wordfence blog and after a while you will begin to realise just how passionate these guys are about WordPress security. The stats and figures they provide are outstanding, as is their community engagement. On the free version of this plugin alone you have in place a firewall which filters out known threats and is updated regularly as new threats are identified, and rate limiting to defend against DDoS. You also have what we consider to be the best brute force protection safeguarding your site.
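Both plugins' headline features, iThemes' 404 detection and Wordfence's brute force blocking, boil down to the same idea: count suspicious requests per IP inside a sliding time window and act when a threshold is crossed. The added example below (my own illustration, not code from either plugin or from this post) runs that logic over constructed web-server access log lines in the common Apache/nginx “combined” format. It relies on one fact about WordPress: a failed login POST to wp-login.php comes back as a 200 (the form again) while a successful one is a 302 redirect, so 200s on that path are the failures. The window size and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format; only the fields we need are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

BASE = datetime(2024, 3, 10, 10, 0, 0, tzinfo=timezone.utc)


def make_line(ip, offset_s, method, path, status):
    """Build one constructed log line (sample data, not real traffic)."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "constructed-agent/1.0"'


# Constructed traffic: one IP hammering the login form, one probing for plugin
# readme files (a classic 404 storm), and one ordinary user who logs in fine.
SAMPLE_LOG = (
    [make_line("203.0.113.5", i * 3, "POST", "/wp-login.php", 200) for i in range(6)]
    + [make_line("198.51.100.7", 30 + i * 2, "GET", f"/wp-content/plugins/probe{i}/readme.txt", 404)
       for i in range(12)]
    + [make_line("192.0.2.9", 60, "POST", "/wp-login.php", 302)]
    + [make_line("192.0.2.9", 65, "GET", "/old-page", 404)]
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def _bump(window_q, ts, window):
    """Record an event and drop events older than the window; return the live count."""
    window_q.append(ts)
    while window_q and ts - window_q[0] > window:
        window_q.popleft()
    return len(window_q)


def find_offenders(lines, window=timedelta(minutes=5), login_limit=5, notfound_limit=10):
    """Return {ip: [reasons]} for IPs that cross either threshold within the window."""
    login_hits = defaultdict(deque)
    notfound_hits = defaultdict(deque)
    offenders = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        failed_login = (ev["method"] == "POST"
                        and ev["path"].startswith("/wp-login.php")
                        and ev["status"] == 200)
        if failed_login:
            if _bump(login_hits[ev["ip"]], ev["ts"], window) >= login_limit:
                offenders[ev["ip"]].add("login brute force")
        elif ev["status"] == 404:
            if _bump(notfound_hits[ev["ip"]], ev["ts"], window) >= notfound_limit:
                offenders[ev["ip"]].add("404 scanning")
    return {ip: sorted(reasons) for ip, reasons in offenders.items()}


if __name__ == "__main__":
    for ip, reasons in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

The sliding window is what keeps this from punishing a legitimate user who mistypes a password once a day: six failures spread over ten minutes never hold five entries in a five-minute window, while six in fifteen seconds trip it immediately. The real plugins add the blocking step and a much richer rule set on top of exactly this counting.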
The paid version goes further still with country blocking, spamvertising and blacklist checks.
This combination of iThemes hardening and Wordfence protection is, for us, the perfect marriage of WordPress security.
Plugins – Choose wisely & Update often
OK, so having snow fall down the screen of your website at Christmas time looks great (if you're into that type of thing), but when was that plugin last updated? How clean is the code? Ultimately, what are the security implications of this wintery spectacle?
These are the questions to ask of every plugin. The individual who created the plugin may have done so with good intentions; however, to a hacker every plugin is a potential way into your site, and if the plugin is not regularly updated in line with WordPress it may become a back door.
We employ a very strict plugin policy at JSD: we research every plugin we use, from speaking directly with the developer to reading other trusted user reviews. But you can garner a lot from a few simple checks, such as when a plugin was last updated. If it has been 2 years since it saw an update, maybe give it a miss! Check ratings on the plugin directory and read the reviews; they can offer some keen insights, and if in doubt, leave it out!
Free does not mean that there is no cost. There are some free plugins out there that are fantastic and well managed (Contact Form 7 is a good example of this); however, there are a lot of free plugins out there that have the potential to let hackers in and therefore carry a huge cost.
PAY FOR PREMIUM – if you find a plugin that offers you the functionality you require, is well managed and has good reviews, put your hand in your pocket and pay up. If you find a plugin that has the functionality you require but is not well managed and is known to cause issues, don't risk it; get a good developer involved to build the functionality into the site for you.
Finally in this section: keep everything up to date, and that goes for the WordPress install itself, themes and plugins. Don't leave your site idle for 6 months at a time; updates are often in response to identified security threats and by ignoring them you are again putting your site at risk. Set regular reminders to log in and check everything is running smoothly.
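The “few simple checks” above (last updated, ratings, tested-up-to) can be scripted, which is handy once you look after more than a couple of sites. Here is an added example of my own, not code from the post or from any plugin: it scores plugins from data shaped like the wordpress.org plugin info API (the field names follow that API as I understand it, but every value, including the two plugin records, is constructed for the demo). The thresholds, the assumed current WordPress branch and the fixed check date are assumptions too.

```python
import json
from datetime import datetime, timezone

# Assumed current WordPress branch at the time of the check (an assumption for the demo).
CURRENT_WP = "6.4"
# Fixed "today" so the example is reproducible; use datetime.now(timezone.utc) in practice.
CHECK_DATE = datetime(2024, 3, 10, tzinfo=timezone.utc)

# Constructed responses in the shape of api.wordpress.org/plugins/info/1.0/<slug>.json.
# The numbers are invented; they are not the real figures for either plugin.
SAMPLE_RESPONSES = {
    "contact-form-7": json.dumps({
        "slug": "contact-form-7", "version": "5.9", "last_updated": "2024-02-20 9:10am GMT",
        "tested": "6.4.3", "rating": 80, "num_ratings": 2000, "active_installs": 5000000,
    }),
    "snowfall-effect": json.dumps({
        "slug": "snowfall-effect", "version": "1.2", "last_updated": "2021-12-01 4:00pm GMT",
        "tested": "5.8", "rating": 60, "num_ratings": 4, "active_installs": 300,
    }),
}


def _version_tuple(version):
    """'6.4.3' -> (6, 4, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess_plugin(info, today, current_wp=CURRENT_WP, max_age_days=365):
    """Return a list of red flags for one plugin record; empty means nothing stood out."""
    flags = []
    # Only the date part of "YYYY-MM-DD H:MMam GMT" is needed for an age check.
    updated = datetime.strptime(info["last_updated"].split(" ")[0], "%Y-%m-%d")
    age = (today - updated.replace(tzinfo=timezone.utc)).days
    if age > max_age_days:
        flags.append(f"last updated {age} days ago")
    try:
        if _version_tuple(info["tested"]) < _version_tuple(current_wp):
            flags.append(f"only tested up to WordPress {info['tested']}")
    except ValueError:
        flags.append("unparseable 'tested up to' version")
    if info["num_ratings"] < 10:
        flags.append("too few ratings to judge")
    if info["rating"] < 70:  # the API reports rating as a 0-100 percentage
        flags.append(f"low rating ({info['rating']}/100)")
    if info["active_installs"] < 1000:
        flags.append(f"small install base ({info['active_installs']})")
    return flags


def vet_plugins(responses, today):
    """Map slug -> flags for a dict of slug -> raw JSON response text."""
    return {slug: assess_plugin(json.loads(raw), today) for slug, raw in responses.items()}


if __name__ == "__main__":
    for slug, flags in vet_plugins(SAMPLE_RESPONSES, CHECK_DATE).items():
        print(f"{slug}: {'OK' if not flags else '; '.join(flags)}")
```

None of these signals proves a plugin is unsafe, and a clean score does not prove it is safe; what the script gives you is a consistent first pass so the “if in doubt, leave it out” decision is made on the same facts every time, and it is trivial to re-run on your update-reminder day.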
Finally – Back it all up
The best advice I can offer is to always assume someone is trying to hack your site, and accept that at some point you are going to be hacked! You may think that sounds defeatist, but organisations much larger than yours and with massive security budgets get hacked every day, so in my eyes it is inevitable.
In that vein it is important to prepare for the worst, and that involves backing everything up. At JSD we back up at server level, and back up to another server as an extra precaution; however, there are a number of plugins that will back up your entire site. On the rare occasion that we build a site on a client server, we install UpdraftPlus.
UpdraftPlus backs up your entire site and related files to Amazon S3 on a schedule: every 4 or 12 hours, daily, weekly or monthly.
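A backup you have never verified is a hope, not a backup. The added example below is my own illustration of the minimum a scheduled backup should do, and is not UpdraftPlus code or anything from the original post: archive the site directory, write a SHA-256 sidecar so the archive can be checked before anyone relies on it, and prune old copies to a retention count. It works on a local directory; shipping the archive off-box (to S3, as UpdraftPlus does, or to a second server, as we do) is the step this leaves out. The directory layout and file names are assumptions, and demo() builds a throwaway site in a temporary directory so the whole cycle runs offline.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def make_backup(site_dir, backup_dir, when=None):
    """Archive site_dir to backup_dir/site-<UTC stamp>.tar.gz and write a .sha256 sidecar."""
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    when = when or datetime.now(timezone.utc)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"site-{when:%Y%m%dT%H%M%SZ}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name)
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    Path(f"{archive}.sha256").write_text(f"{digest}  {archive.name}\n")
    return archive


def verify_backup(archive):
    """True only if the sidecar digest matches and the archive opens and is non-empty."""
    archive = Path(archive)
    sidecar = Path(f"{archive}.sha256")
    if not sidecar.exists():
        return False
    expected = sidecar.read_text().split()[0]
    if hashlib.sha256(archive.read_bytes()).hexdigest() != expected:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            return len(tar.getmembers()) > 0
    except tarfile.TarError:
        return False


def prune_backups(backup_dir, keep=7):
    """Delete the oldest archives (and sidecars) beyond `keep`; names sort by timestamp."""
    archives = sorted(Path(backup_dir).glob("site-*.tar.gz"))
    removed = []
    for old in archives[:max(len(archives) - keep, 0)]:
        old.unlink()
        Path(f"{old}.sha256").unlink(missing_ok=True)
        removed.append(old.name)
    return removed


def demo():
    """Run the full cycle on a constructed site in a temp dir and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-content").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed placeholder, not a real config\n")
        (site / "wp-content" / "uploads.txt").write_text("constructed upload\n")
        backups = Path(tmp) / "backups"
        start = datetime(2024, 3, 10, 2, 0, tzinfo=timezone.utc)
        # Three "nightly" runs, then verify each one.
        archives = [make_backup(site, backups, start + timedelta(days=i)) for i in range(3)]
        verified_before = all(verify_backup(a) for a in archives)
        with tarfile.open(archives[-1], "r:gz") as tar:
            members = tar.getnames()
        # Corrupt the oldest archive and confirm verification catches it.
        with open(archives[0], "ab") as f:
            f.write(b"\x00")
        tampered_detected = not verify_backup(archives[0])
        removed = prune_backups(backups, keep=2)
        remaining = sorted(p.name for p in backups.glob("site-*.tar.gz"))
        return {
            "verified_before": verified_before,
            "members": members,
            "tampered_detected": tampered_detected,
            "removed": removed,
            "remaining": remaining,
        }


if __name__ == "__main__":
    print(demo())
```

Two things this keeps honest. Verification happens on every run, not just when you need the restore, so a silently truncated archive is noticed the night it happens. And retention is counted rather than aged, so a site that has been idle for months (the very case warned about above) still has its last good copies instead of having pruned them all away.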
Summing it all up
Security is the most crucial aspect of your website. You can have the most beautiful, functional, interactive and responsive site possible, but it is not worth a damn if it is vulnerable to hackers. We live in a space now where anybody can build a website from scratch and host it on a cheap server; however, it is not without its responsibilities, and it is up to you or your developer to ensure that things are kept up to date and secure.
Time spent securing your site is better than time spent recovering a hacked site, not to mention more cost effective. If you are hacked you will likely be forced to pay a service like Wordfence to clean your install and ensure that nothing is left behind, such as back doors to your server allowing the hacker access at any time in the future.
Furthermore if you have clients accessing you site to purchase goods or services, you run the risk of losing credibility and income if they rock up to your site only to be greeted by a spam webpage playing earpiercing music and inviting them to buy the latest in erectile dysfunction medication.
What I have laid out above is how we do it, but there are a multitude of other plugins and measures to take. If you use this post only as a kicking-off point then this was time well spent. Thanks for reading.