We may be wading into technical waters here, but we want to give you a brief overview of the things we do to protect your website if you use our managed WordPress hosting service. We protect each WordPress website with various security plugins and we have implemented multiple security precautions on the server to prevent access to hackers.
WordPress Security Plugins
The first plugin we always use on WordPress sites is by Sucuri. You’ll hear a lot about Sucuri from us when we talk about security because they truly do an amazing job at protecting websites, not just WordPress sites. We use them for our website firewall service, which we’ll discuss in more depth in another post. Sucuri offers a free plugin that protects a website on multiple fronts. First, it logs all changes made to files and notifies us if anything is amiss. It also shows us a history of everyone who has logged in and where they were connecting from. It will stop an intruder from reaching the login screen for the WordPress administration panel after too many incorrect passwords. The plugin also scans website files for any that have been compromised. It performs many more services than these, but suffice it to say, it is a great plugin for protecting a WordPress website both proactively and after the fact.
We also implement a plugin that works together with the server firewall. A server firewall is like a really tall brick wall that keeps people out, but with a gate that lets welcome visitors through. Accepting and denying visitors is done using IP addresses. An IP address is like someone’s home address: if you give someone your home address, they can plug it into their map app and find where you live. An IP address is similar in that you can determine roughly where someone is located from the address transmitted to the server. However, IP addresses can be faked or hidden, so they aren’t a perfect indicator of where someone is located, and they can change from time to time. Sometimes a server can tell from the IP address alone whether a visitor is welcome or not. Other times, the firewall needs to learn who is welcome and who is not. We use a plugin that counts how many times someone has tried to log in to WordPress with an incorrect username or password. Once a threshold is hit, the plugin notifies the server firewall to block all access from that IP address. This may mean that legitimate traffic gets blocked, such as a client who has forgotten their password. When this happens, our clients simply email or call us and we get the block cleared within a few minutes. When a new client starts to host with us, we get their IP address so we can add them to the safe list in the website firewall and prevent such blocks from happening.
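To make the threshold-and-block mechanism concrete, here is an added illustrative example written for this article; it is not the plugin or firewall software the hosting company uses. It reads constructed login records (format, threshold, time window, the safe-listed client range and the iptables command are all assumptions), counts failures per source IP in a sliding window, and emits a firewall deny entry once the threshold is reached, except for safe-listed addresses, which are reported for staff follow-up instead of blocked. The same counting works for any login service, so the sample includes a webmail record alongside WordPress ones.

```python
"""Added example: failed-login threshold -> firewall block, with a safe list.

Illustrative code written for this article, not the hosting company's plugin
or firewall. Log format, threshold, window, safe-listed range and the iptables
command are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (not real traffic): "<timestamp> <service> <result> <ip>"
SAMPLE_LOG = """\
2016-10-05T10:00:01 wp-login FAIL 203.0.113.7
2016-10-05T10:00:03 wp-login FAIL 203.0.113.7
2016-10-05T10:00:04 wp-login FAIL 203.0.113.7
2016-10-05T10:00:06 wp-login FAIL 203.0.113.7
2016-10-05T10:00:07 wp-login FAIL 203.0.113.7
2016-10-05T10:00:09 webmail FAIL 198.51.100.20
2016-10-05T10:00:10 webmail FAIL 198.51.100.20
2016-10-05T10:00:11 webmail FAIL 198.51.100.20
2016-10-05T10:00:12 webmail FAIL 198.51.100.20
2016-10-05T10:00:13 webmail FAIL 198.51.100.20
2016-10-05T10:00:20 wp-login FAIL 192.0.2.50
2016-10-05T10:00:21 wp-login FAIL 192.0.2.50
2016-10-05T10:00:22 wp-login FAIL 192.0.2.50
2016-10-05T10:00:23 wp-login FAIL 192.0.2.50
2016-10-05T10:00:24 wp-login FAIL 192.0.2.50
2016-10-05T10:00:25 wp-login OK 192.0.2.50
2016-10-05T11:30:00 wp-login FAIL 203.0.113.9
2016-10-05T11:30:01 wp-login FAIL 203.0.113.9
2016-10-05T12:30:00 wp-login FAIL 203.0.113.9
2016-10-05T12:30:01 wp-login FAIL 203.0.113.9
2016-10-05T12:30:02 wp-login FAIL 203.0.113.9
"""

THRESHOLD = 5                    # failures that trigger a block (assumed)
WINDOW = timedelta(minutes=10)   # sliding window for counting (assumed)
# Known client address range (constructed); hits from here are reported, not blocked
SAFE_LIST = [ipaddress.ip_network("192.0.2.0/24")]


def is_safe(ip):
    """True if the IP falls inside any safe-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SAFE_LIST)


def parse_line(line):
    """Split one constructed log line into (timestamp, service, result, ip)."""
    ts, service, result, ip = line.split()
    return datetime.fromisoformat(ts), service, result, ip


def decide_blocks(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return (blocked, safe_hits).

    blocked:   {ip: (time, service)} for IPs that reached the threshold
    safe_hits: [(ip, time, service)] for safe-listed IPs that reached it,
               e.g. a client who forgot their password, so staff can follow up
    """
    failures = defaultdict(deque)   # ip -> timestamps of failures in the window
    blocked = {}
    safe_hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, service, result, ip = parse_line(line)
        if result != "FAIL" or ip in blocked:
            continue
        recent = failures[ip]
        recent.append(ts)
        # Drop failures that have fallen out of the sliding window
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            if is_safe(ip):
                safe_hits.append((ip, ts, service))
            else:
                blocked[ip] = (ts, service)
            recent.clear()   # start counting afresh after reporting
    return blocked, safe_hits


def firewall_commands(blocked):
    """Illustrative deny-list entries in iptables syntax (assumed integration)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocked)]


if __name__ == "__main__":
    blocked, safe_hits = decide_blocks(SAMPLE_LOG)
    for cmd in firewall_commands(blocked):
        print(cmd)
    for ip, ts, service in safe_hits:
        print(f"safe-listed {ip} hit the threshold on {service} at {ts}; notify staff")
```

In the sample, the two addresses that fail five times within seconds are blocked, the safe-listed client address is only reported, and the address whose failures are spread over an hour never reaches five within the ten-minute window, which is the reason the window matters as much as the threshold.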
Basically, with any WordPress security measure we implement, we are trying to ensure people who want to hack the site are locked out before they get the chance to succeed.
We’ve already talked about the server firewall, but it’s important to note that while we use a WordPress plugin that communicates with it, the firewall also operates on its own. For example, logging into webmail is separate from a WordPress website login, so the firewall will also block an address after too many incorrect webmail login attempts. Currently we have 3000 IP addresses in our deny list for the server firewall! We also lock down who can use FTP (file transfer protocol) to upload and download files to the server. We run three different security solutions on the server to scan files for compromise, block IP addresses and look for strange behavior patterns. We don’t allow certain actions, such as uploading PHP scripts via forms, which hackers can use to exploit websites. In short, we have applied multiple best practices on our server to protect our clients’ websites from attackers.
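The rule against uploading PHP scripts through forms deserves a closer look, since a filename alone is a weak signal. The following added example, written for this article and not the hosting company's own server rule (which the post does not describe), shows an application-level check that rejects anything the web server might execute as PHP: it inspects every dotted component of the name, requires the file to begin with the bytes its extension implies, and refuses content containing a PHP open tag regardless of name. The extension lists, magic bytes and sample uploads are assumptions and constructed values.

```python
"""Added example: rejecting PHP script uploads at the application layer.

Illustrative code written for this article; the hosting company's server rule
is not published, so the extension lists and content check are assumptions
about what such a rule typically enforces.
"""
import os

# Extensions a web server may hand to the PHP interpreter; rejected anywhere in the name
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# Only these types are accepted by the form (assumed policy)
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
# Leading bytes each accepted type must start with; a mismatch means the
# content is not what the name claims
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def check_upload(filename, content):
    """Return (accepted, reason); reject anything that could run as PHP."""
    base = os.path.basename(filename)          # ignore any directory part
    parts = base.lower().split(".")            # case-insensitive comparison
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    exts = parts[1:]
    # Every component after the first counts, so name.php.jpg is caught too
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension"
    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if not content.startswith(MAGIC[final]):
        return False, "content does not match extension"
    if any(tag in content for tag in PHP_OPEN_TAGS):
        return False, "contains PHP code"
    return True, "ok"


# Constructed sample uploads (a few fabricated bytes each, not real files)
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("report.pdf", b"%PDF-1.4\n%constructed"),
    ("script.php", b"<?php echo 1; ?>"),
    ("script.php.jpg", b"\xff\xd8\xff\xe0"),
    ("avatar.PHTML", b"<?php"),
    ("image.jpg", b"\xff\xd8\xff" + b"<?php echo 1;"),
    ("notes.txt", b"hello"),
    ("picture.png", b"not really a png"),
]


def audit(samples=SAMPLES):
    """Run every sample through the check; returns {name: (accepted, reason)}."""
    return {name: check_upload(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, (accepted, reason) in audit().items():
        print(f"{name:16} {'ACCEPT' if accepted else 'REJECT':6} {reason}")
```

The decisive control is still configuring the web server so that nothing in the upload directory is ever executed; a check like this is the form-level layer in front of that, and the order of its tests matters: the name is examined before any bytes are read, so an executable extension is refused before the content is trusted for anything.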
We hope you found that information useful and not too boring. We do believe it’s important that every website owner understands the security risks of having a website. Our goal is to take this responsibility off your shoulders and protect your website as best we can. That leads us to the final post, coming next week, on using a website firewall by Sucuri as our first layer of security, since it is the first point of entry for all traffic coming to the website.
Want to learn more about our managed WordPress hosting services? Read more on our managed WordPress hosting services page.