Thursday this week was Computer Security Day. For me this past week has been Website Disaster Recovery Week. Last month I participated in WordCamp Baltimore, an event for the WordPress and blogging community. There I attended a talk on web security by Eve Land, support engineer at Sucuri. She said that every website should have a disaster recovery plan. The question is not what happens IF my website gets hacked, but what to do WHEN it gets hacked.
Many websites are built using website builders on hosted platforms like Weebly, Wix and Hibu. You may think that since you are using such a platform, your site is secure. Keep in mind that large organizations have been hacked: Yahoo email accounts, the US Democratic party's email, PayPal and Disney's movies. Website builders could just as easily be hacked. What if you were contacted by a company like Weebly saying, “We are so sorry. Our servers were hacked and all data was lost. Please rebuild your site from scratch”? Would you know what colors you used, which fonts, which images were on each page or what you wrote?
If you are using WordPress, recovery is fairly simple if you know what to do. The files and the database for the website are available to the site owner through the hosting platform, and from those two pieces any site can be replicated on a subdomain or even on a desktop.
Why my little site?
I am often asked why hackers go after small websites. The reason is that they are an easy target: security measures have frequently not been implemented on small sites. Most of these attacks are not aimed at you personally; automated scanners look for any site running an outdated plugin, theme or WordPress version, and a small site that nobody is watching is the easiest to take over and keep. It is like buying a house and leaving the front door open when you go out.
The longer you ignore website security, the more exposed your site is to attack.
Some recent examples of hacking that I encountered include the injection of content relating to a popular recreational drug into a site, known as search engine poisoning (SEP), and malware injected into two sites so that all that was visible was the site name. In the first case, the site owner contacted the hosting company, which sanitized the site. In the second instance, the site was suspended by the hosting company. In the last case, a disaster recovery plan was in place and the site was functional within an hour. A brute-force attack was also launched on the same site until I implemented further measures.
If you see that your site is down, contact your site administrator immediately, because they may not know. Then check in with your hosting provider.
If your site is on WordPress and you are managing it yourself, observing some web security basics can deter hackers. There is no guarantee against hacking, so make sure there is a disaster recovery plan.
Run the website scanners listed at the end of this post to check the status of your site. This applies to all sites, not only WordPress.
Site security audit checklist (for WordPress)
- Have a local copy of the site files and database. Practice creating a new site (on a subdomain or a local PC) from this data on a fresh install of WordPress.
- Delete all themes and plugins that are not being used. A deactivated plugin still sits on disk, and a vulnerability in it can still be exploited.
- Delete migration plugins once the migration is done.
- Have cloud backup storage (I use UpdraftPlus; alternatives are VaultPress, BlogVault, BackupBuddy and CodeGuard). Back up automatically and frequently, to a location outside your web host, so a compromise of the host does not take the backups with it.
- Back up the site before you perform updates, and update frequently.
- Install a security plugin. I like Sucuri, but some people like Wordfence or iThemes Security.
- Two-factor login (for example miniOrange 2FA).
- Limit login attempts. Popular plugins that provide this feature include Limit Login Attempts, WP Limit Login Attempts and Loginizer.
- Use strong, unique passwords and change them regularly, and immediately after any suspected compromise. Users who are no longer active should be removed, and new users should be given only the minimum privileges they need.
- Pre-login CAPTCHAs: a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is extremely useful for stopping automated bots from reaching your WordPress dashboard and from submitting spam through forms. Popular plugins that add a CAPTCHA to the WordPress login page include Captcha and Really Simple Captcha.
- Secure Sockets Layer (SSL, today really TLS) lets a website be served over HTTPS, which encrypts the traffic between the visitor's browser and your server. That protects logins, form submissions and cookies in transit from being read or altered by someone on the network. It does nothing against a vulnerable plugin on the server itself, so it complements rather than replaces the other items on this list.
HTTPS has become increasingly important in the past couple of years, not only for securely transmitting information to and from your website, but also for visibility: Google uses HTTPS as a ranking signal, and Chrome marks HTTP pages that collect passwords or credit card numbers as “Not secure”.
Getting a certificate for your WordPress website is not an issue. You can purchase one through your hosting company, and many hosts now issue free Let's Encrypt certificates. I get mine for free from SiteGround.
- Subscribe to the Sucuri blog for updates on vulnerabilities and discontinued plugins that you might have on your site.
If you know how to manipulate your files via FTP or your host's File Manager and are comfortable making changes, you can edit the .htaccess and wp-config.php files to harden the site. Use SFTP rather than plain FTP where your host offers it, since FTP sends your password in the clear. Keep a copy of both files before you touch them: a typo in .htaccess takes the whole site down with a 500 error until you revert it.
Advanced website security check:
- Restrict login to an IP address or range. If the attacks are all coming from certain places, limit access to wp-login.php to the addresses that should be able to reach it. This only works when the people who log in have fixed addresses; on a dynamic connection you will lock yourself out.
- Protect wp-config.php. It holds the database credentials and the secret keys, the heart and brains of your site, so deny all web access to it.
- Prevent directory browsing. Without this, any directory that has no index file lists its contents: if you create a directory called “wordpress”, anyone can see everything in it simply by typing http://www.mysite.com/wordpress/ into a browser. No password necessary.
- Prevent image hotlinking, so that other sites cannot embed images hosted on your server and consume your bandwidth.
- Block includes. This rule blocks direct requests to the include-only PHP files in the four folders WordPress uses for includes; they are meant to be loaded by other PHP code, never called from a browser. This is where one of my hacks occurred, in the tinymce include.
- Add headers against cross-site scripting, clickjacking and MIME sniffing (via the .htaccess file).
- I like to change the login URL from wp-admin. The security plugin experts say there are ways around that, but it really helped one of my sites that had a password-guessing attack.
- Regenerate the salts in wp-config.php. This invalidates every existing login cookie, so anyone still logged in with a stolen session is kicked out.
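The .htaccess items above and the salt regeneration, gathered into one script. This is an added example, not code from the original post, from Sucuri or from WordPress; the include-blocking rewrite rules are the ones published in the WordPress Codex hardening guide. It assumes Apache 2.4 with mod_rewrite and mod_headers enabled and a host that honors .htaccess. The allowed network 203.0.113.0/24 and the hostname example.com are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post: prints the .htaccess rules for
# the hardening steps above and regenerates the wp-config.php salts.
# 203.0.113.0/24 (your office or home network) and example.com (your site)
# are placeholders; replace them before use.
set -eu

# Print Apache 2.4 .htaccess rules to stdout.
#   $1 = CIDR range allowed to reach wp-login.php
#   $2 = your site's hostname, used for the hotlink check
render_htaccess() {
  allow_cidr="$1"
  site_host_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # example.com -> example\.com
  cat <<EOF
# Login page reachable only from a known network (Apache 2.4 syntax; on 2.2
# use "Order deny,allow / Deny from all / Allow from ${allow_cidr}").
<Files "wp-login.php">
    Require ip ${allow_cidr}
</Files>

# wp-config.php (database credentials and salts) is never served over HTTP.
<Files "wp-config.php">
    Require all denied
</Files>

# No directory listings for folders without an index file.
Options -Indexes

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Block direct requests to include-only PHP files (the WordPress Codex rule).
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Uploaded files must never execute as PHP.
RewriteRule ^wp-content/uploads/.*\.php$ - [F,L]

# Hotlink protection: images only for your own pages or direct visits.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?${site_host_re}/ [NC]
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC,L]
</IfModule>

# Headers against clickjacking and MIME sniffing. A full Content-Security-Policy
# is the real XSS defence, but it has to be tuned to your theme and plugins, so
# only the frame-ancestors directive is set here.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
EOF
}

# Print eight fresh define() lines for wp-config.php. Replace the existing
# AUTH_KEY ... NONCE_SALT block with them; every login cookie becomes invalid.
generate_salts() {
  for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
              AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    # 64 characters from the kernel CSPRNG, excluding ' and \ so the PHP
    # string literal needs no escaping.
    salt=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' </dev/urandom | head -c 64)
    printf "define('%s', '%s');\n" "$name" "$salt"
  done
}

# Usage: sh harden_wp.sh 203.0.113.0/24 example.com > .htaccess.new
# Review the output, then merge it into the .htaccess in your WordPress root
# (keep the existing "# BEGIN WordPress" block). Run generate_salts separately.
if [ $# -ge 2 ]; then
  render_htaccess "$1" "$2"
fi
```

Test the generated file on a staging copy before putting it on the live site: a syntax error gives every visitor a 500 page, and the wp-login.php restriction will lock you out the first time your own address changes, so keep FTP or File Manager access handy to revert it.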
If your site has been hacked:
- Contact the site admin.
- Call the hosting company.
- Delete the compromised files and replace them from a clean backup. The vulnerability that let the attacker in is still there, though, so get a professional to find and fix it; otherwise the site will simply be reinfected.
- Change all passwords.
- Regenerate the salts.
- Scan the site frequently for malware and vulnerabilities, and check the log files.
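Checking the log files for the kind of password-guessing attack mentioned earlier, as an added example that is not from the original post. It reads a combined-format access log (Apache or nginx) and lists the clients with the most failed logins. The log lines are constructed for the example and use RFC 5737 documentation addresses; the threshold of five is only for the sample and needs tuning on a real log.

```shell
#!/bin/sh
# Added example, not from the original post: pick out a password-guessing
# attack on wp-login.php from a combined-format access log.
# The log lines are constructed for this example; a real log has thousands
# more and the threshold must be tuned to your own traffic.
set -eu

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [30/Nov/2017:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3865 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Nov/2017:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3865 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Nov/2017:02:14:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.7 - - [30/Nov/2017:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3865 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Nov/2017:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0 (X11; Linux)"
203.0.113.7 - - [30/Nov/2017:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3865 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Nov/2017:02:15:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3865 "-" "python-requests/2.18"
203.0.113.7 - - [30/Nov/2017:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3865 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Nov/2017:02:15:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3865 "-" "python-requests/2.18"
203.0.113.7 - - [30/Nov/2017:02:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3865 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Nov/2017:02:14:20 +0000] "GET /?p=1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
EOF
)

# Read a log on stdin; print "ip failed_attempts" for every client with at
# least $1 failed logins, busiest first.
# A failed wp-login.php POST re-renders the form with status 200, while a
# successful one answers 302 to wp-admin, so counting 200s counts failures.
flag_login_bruteforce() {
  limit="$1"
  awk -v limit="$limit" '
    # combined format: $1 client IP, $6 "METHOD, $7 path, $9 status
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { failed[$1]++ }
    END {
      for (ip in failed)
        if (failed[ip] >= limit) printf "%s %d\n", ip, failed[ip]
    }' | sort -k2,2nr
}

# Usage on a real server: flag_login_bruteforce 20 < /var/log/apache2/access.log
# The addresses it prints are candidates for the wp-login.php IP restriction
# or for a Limit Login Attempts style ban.
printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 5
```

In the sample only 203.0.113.7 crosses the threshold; 198.51.100.4 is a real user who logged in (the 302), and 192.0.2.9 has two failures, which on a real log you would watch rather than block. Remember that xmlrpc.php is a second way to try passwords against WordPress, so a quiet wp-login.php does not by itself mean nobody is guessing.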
Website vulnerability scanners
If someone else manages your site, verify what security measures are in place and whether your plan includes disaster recovery. How often is your site backed up? Is that sufficient for the activity on the site? Have you practiced your disaster recovery plan by recreating your website from your backup files? It may be worthwhile to consider the paid version of Sucuri, Wordfence or another security company's service.
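Rehearsing the restore, as the checklist item on keeping a local copy and the paragraph above both ask for, as an added example that is not from the original post or from any of the backup plugins named. It archives the files half of a WordPress site with a checksum manifest, checks that the archive actually contains wp-config.php and wp-content, then unpacks it into a scratch directory and verifies every file. The database half is a mysqldump, run only if the tool is installed, that you would load into the test install with mysql. All paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: back up a WordPress site's files
# with a sha256 manifest, then rehearse the restore and verify it. Paths are
# placeholders. The database is dumped with mysqldump when available; restore
# it on the practice install with:  mysql wp_example < site.sql
set -eu

# Archive a WordPress root ($1) into $2 and write a sha256 manifest beside it.
make_backup() {
  site_root="$1"; archive="$2"
  (cd "$site_root" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) \
      > "${archive}.sha256"
  tar -czf "$archive" -C "$site_root" .
}

# Dump the database ($1) to $2; credentials come from ~/.my.cnf so they never
# appear in the shell history or the process list.
dump_database() {
  command -v mysqldump >/dev/null 2>&1 || { echo "mysqldump not found" >&2; return 1; }
  mysqldump --single-transaction "$1" > "$2"
}

# A backup that skipped wp-config.php or wp-content cannot rebuild the site.
check_backup_contents() {
  listing=$(tar -tzf "$1")
  printf '%s\n' "$listing" | grep -qxF './wp-config.php' &&
  printf '%s\n' "$listing" | grep -q '^\./wp-content/'
}

# Unpack $1 into the scratch directory $2 and check every file against the
# manifest. This is the "practice creating a new site" step: a backup you have
# never restored is a hope, not a plan.
rehearse_restore() {
  archive="$1"; scratch="$2"
  manifest=$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256
  mkdir -p "$scratch"
  tar -xzf "$archive" -C "$scratch"
  (cd "$scratch" && sha256sum --quiet -c "$manifest")
}

# Usage: sh wp_backup_rehearsal.sh /var/www/example.com /backups/example.tar.gz
if [ $# -ge 2 ]; then
  make_backup "$1" "$2"
  check_backup_contents "$2"
  rehearse_restore "$2" "$(mktemp -d)"
  echo "backup of $1 written to $2 and restored successfully"
fi
```

Point the archive at storage that is not the web server itself, and run the rehearsal on the subdomain or local install you keep for that purpose, not on the live site; the checksum step is what tells you the copy you are counting on is actually complete.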
What do you do to keep your website secure?
Drop me a line in the comments or send me a tweet @shelleymagnezi
I recently learned that the WordPress PHP Code for posts plugin has been discontinued.