Why is Website Security Essential?


Thursday this week was Computer Security Day. For me this past week has been Website Disaster Recovery Week. Last month I participated in WordCamp Baltimore, an event for the WordPress and blogging community. There I attended a talk on web security by Eve Land, a support engineer for the Sucuri company. She said that every website should have a disaster recovery plan. The question is not what happens IF my website gets hacked, but what to do WHEN it gets hacked.

Many websites are built using website builders on hosted platforms like Weebly, Wix and Hibu. You may think that because you are using such a platform, your site is secure. Keep in mind that large organizations have been hacked: Yahoo email accounts, the USA Democratic Party's email, PayPal and Disney movies. Website builders could just as easily be hacked. What if you were contacted by a company like Weebly saying "We are so sorry. Our servers were hacked and all data was lost. Please rebuild your site from scratch." Would you know what colors you used, which fonts, which images were on each page, or what you wrote?

If you are using WordPress, recovery is fairly simple if you know what to do. The files and database for the website are available to the owner of the site through the hosting platform. Any site can be replicated on a subdomain or even on a desktop.

Why my little site?

I am often asked why hackers go for small websites. The reason is that they are an easy target: frequently, security measures have not been implemented on small sites. It is like buying a house and leaving the front door open when you go out.

The longer you continue to ignore website security, the more prone your site will be to attacks by hackers.

Some recent examples of hacking that I encountered include injection of content relating to a popular recreational drug into a site (known as Search Engine Poisoning, SEP), and malware injected into two sites so that all that was visible was the site name. In the first case, the site owner contacted the hosting company, who sanitized the site. In the second instance, the site was suspended by the hosting company. In the last case, a disaster recovery plan was in place and the site was functional within an hour. A brute-force attack was also launched on the same site until I implemented further measures.

Bruteforce

If you see that your site is down, contact your site administrator immediately, because they may not know. Also contact your hosting provider to check in with them.

If your site is on WordPress and you are managing it yourself, observing some web security basics can deter hackers. There is no guarantee against hacking, so make sure there is a disaster recovery plan.

Run the website scanners listed at the end of this post to check the status of your site. This applies to all sites, not only WordPress.

Site security audit checklist (for WordPress)

  1. Have a local copy of the site files and database. Practice creating a new site (on a subdomain or local PC) from this data on a fresh install of WordPress.
  2. Delete all themes and plugins that are not being used.
  3. Delete migration plugins.
  4. Have cloud backup storage (I use UpdraftPlus; additional options are VaultPress, BlogVault, BackupBuddy or CodeGuard). Back up automatically and frequently.
  5. Back up the site and perform updates frequently.
  6. Install a security plugin. I like Sucuri, but some people like Wordfence or iThemes.
  7. Use two-factor login (miniOrange 2FA).
  8. Limit login attempts. Some popular plugins that provide this feature include Limit Login Attempts, WP Limit Login Attempts and Loginizer.
  9. Change passwords frequently. Users not currently active should be removed. New users should have the minimal privileges necessary.
  10. Pre-login CAPTCHAs: the Completely Automated Public Turing Test To Tell Computers and Humans Apart (CAPTCHA) feature is extremely useful at stopping automated bots from accessing your WordPress dashboard, as well as from submitting unwanted spam through forms. (Popular plugins that add a CAPTCHA to your WordPress login page include Captcha and Really Simple Captcha.)
  11. Secure Socket Layer (SSL) allows a website to be accessed over HTTPS, which encrypts data. Encryption ensures secure data transfer between user browsers and the server, making it difficult for hackers to read the connection or spoof your information.
    SSL has become increasingly important in the past couple of years, not only for securely transmitting information to and from your website, but also to increase visibility and decrease the chances of being penalized. SSL encryption is a ranking signal for SEO with Google, and they are flagging non-SSL sites that transmit credit card data.
    Getting an SSL certificate for your WordPress website is not an issue. You can purchase one through your hosting company. I get it for free from SiteGround.
  12. Subscribe to the Sucuri blog for updates regarding vulnerabilities and discontinued plugins that you might have on your site.

If you know how to manipulate your files via FTP or File Manager and are comfortable making changes, then you can configure the .htaccess file and the wp-config.php file to harden the site.

Advanced website security check:

  1. Restrict login to an IP address or IP address range. If your attacks are all coming from certain places, limit access to the IP addresses that should be logging in to the site.
  2. Protect wp-config.php: prevents visitors from accessing the wp-config.php file, which contains the heart and brains of your site (database credentials and keys).
  3. Prevent directory browsing: prevent people from seeing the contents of your directories. For example, if you create a directory called "wordpress", any user can see everything in that directory simply by typing http://www.mysite.com/wordpress/ in the browser. No password necessary.
  4. Prevent image hotlinking: prevent other websites from embedding images hosted on your site.
  5. Block includes: this rule blocks hackers from inserting malicious files into any of the four primary folders used for includes. This is where one of my hacks occurred, in the tinymce include.
  6. Add rules against cross-site scripting, clickjacking and MIME sniffing (via the .htaccess file).
  7. I like to change the login URL from wp-admin. The security plugin experts say there are ways around that, but it really helped one of my sites that had a password-guessing attack.
  8. Regenerate the salts in wp-config.php.
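The following .htaccess fragment is an added example, not code from the original post and not Sucuri's or WordPress's own, showing how items 1 to 6 of the list above are usually expressed. It assumes Apache 2.4 with mod_rewrite and mod_headers enabled, which is the common shared-hosting setup; `example.com` and the `203.0.113.0/24` range are placeholders to replace with your own domain and the addresses that should be allowed to log in.

```apache
# Added example: WordPress .htaccess hardening fragment for items 1-6 above.
# Assumes Apache 2.4 with mod_rewrite and mod_headers. example.com and
# 203.0.113.0/24 are placeholders; replace them with your own values.
# Put these rules ABOVE the "# BEGIN WordPress" block, because WordPress
# rewrites its own block and would discard anything placed inside it.

# 1. Restrict the login page to an allow-listed IP range. Only wp-login.php
#    is restricted, so wp-admin/admin-ajax.php (used by front-end plugins)
#    stays reachable.
<Files wp-login.php>
    Require ip 203.0.113.0/24
</Files>

# 2. Protect wp-config.php from direct web requests.
<Files wp-config.php>
    Require all denied
</Files>

# 3. Prevent directory browsing (no listing of /wp-content/uploads/ etc.).
Options -Indexes

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# 4. Prevent image hotlinking: allow an empty referer (direct requests and
#    privacy-oriented browsers) and your own domain, forbid everything else.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpe?g|png|webp)$ - [NC,F,L]

# 5. Block includes: deny direct execution of PHP inside the include
#    folders (wp-admin/includes, wp-includes, the tinymce language files,
#    theme-compat). The S=3 rule skips the next three rules for any path
#    that is not under wp-includes/. Caveat: the wp-includes/*.php rule
#    blocks ms-files.php on multisite installs, so adjust it there.
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# 6. Response headers against clickjacking and MIME sniffing. The old
#    X-XSS-Protection header is ignored by current browsers, so a minimal
#    Content-Security-Policy (frame-ancestors) is used as the starting point
#    for limiting script injection; extend it once you know which external
#    scripts and frames the site legitimately needs.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
```

Items 7 and 8 are not .htaccess settings: the login URL is changed by a plugin, and the salts live in wp-config.php. Keep a copy of the existing file before editing, since a syntax error in .htaccess takes the whole site down with a 500 error until it is fixed, and test the IP restriction from the allowed range first so you do not lock yourself out of the dashboard.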

Disaster Plan

  1. Contact the site admin.
  2. Call the hosting company.
  3. Delete the compromised files and replace them from the backup. However, the security vulnerability that caused the hack is still there, so get a professional to take care of that.
  4. Change all passwords.
  5. Regenerate salts.
  6. Perform a web scan frequently for malware and vulnerabilities. Check log files.

Website vulnerability scanners

  • Gravity Scan
  • Sucuri

If you have someone managing your site, verify what security measures are in place and whether your plan includes disaster recovery. How often is your site being backed up? Is that sufficient for the activity on the site? Have you practiced your disaster recovery plan? (Recreate your website from your backup files.) It may be worthwhile to consider the paid version of Sucuri, Wordfence or another security company.

What do you do to keep your website secure?

Drop me a line in the comments or send me a tweet @shelleymagnezi

Reference:
https://sucuri.net/guides/wordpress-security

NOTE:
I recently learned that the WordPress PHP Code for posts plugin has been discontinued.
https://wordpress.org/plugins/php-code-for-posts/

Zen Rabbit – Networking Strategies for The Quiet People



Ignore mom’s advice. Talk to strangers!

     –Lori Saitz

Lori Saitz of Zen Rabbit is an unusual person. When I interviewed her, she told me that she used the failure of her gratitude cookie business, Zen Rabbit Baking Company, to jump-start her current business of helping quiet people build networking connections.


Lydia Elle – Mindset and Business consultant



To catch a thought before it becomes a feeling that determines an action is the skill of a lifetime.

My mission is to teach women these skills.


Lydia Elle

Lydia Elle is a mindset and business consultant and multipreneur. Her best-selling product is her book, “And So I Prayed…: The First 40 Days: Special Edition” available from Amazon in print and on Kindle.

Mari Geasair – More Clients, Less Stress


To business that we love we rise betime,
And go to’t with delight.


Antony and Cleopatra, IV.iv

Meet Mari Geasair of More Clients, Less Stress and AuthenticTherapyMarketing.com. Mari serves clients who are service-preneurs such as therapists, healers, creatives, and other service providers who seek to make the world a better place through their unique talents.

Nannette Minley – Marketing Strategist


This week I attended a Meetup where a person spoke about SEO (Search Engine Optimization). The talk had some interesting tips and insights; however, the speaker did not fail to mention that his authority was based upon the fact that he has 10,000 followers and had written a book on the psychology of marketing. He invited us three times during the talk to email him and get his white paper without an opt-in.

According to my understanding, this is the opposite of what Nannette Minley does. She coaches entrepreneurs trying to make an impact with customized marketing strategies for their business. The focus is on their vision and clarity rather than measuring success in terms of 10,000 followers or the six-figure slogan.

Kathy Miller Wilson – WELA Workshops


Whilst talking to Kathy Wilson of WELA (Workplace Etiquette Leadership Academy) Workshops, I felt the deep commitment that she has to bringing leadership experience gained in the workforce to young adults entering the workforce, to teams and to individuals: "building people to become the best versions of themselves".

What impressed me about Kathy that is not included in her list of services is how she as an individual felt motivated to expand her job description from Budget Director into something that inspired and fulfilled her. Coworkers who understood her talents would approach her for help and advice. She loved grooming staff for greatness, revealing their strengths and weaknesses, passions, unique talents and gifts. She loved seeing that light bulb come on when they "got it", moved from awareness to growing with intention into their purpose, and eventually soared into their destiny.

Sharon Khen – Life Coach


I immediately fell in love with Sharon Khen, a warm, empathetic and skillful Life Coach who has a universal love of all people.

Sharon specializes in:

  • Family Coaching, such as parenting, empowering parental authority, and building healthy family relationships.
  • Working through life transitions for situations like divorce, marriage, becoming parents and relocation; turning overwhelming feelings of chaos into an opportunity for empowerment and a new sense of control over one's life.
  • Confidence Coaching, using proven strategies to create a healthy self-image and help build self-confidence.
  • Stress Management Coaching, using practical strategies to take control of stress and cope with it.

Patricia Eubanks – M.O.T.H.E.R.


Meet Patricia Eubanks from M.O.T.H.E.R. (My Opportunity To Help Everyone Resource).

Johann Sebastian Bach is now generally regarded as one of the greatest composers of all time. The turning point in his life was a tragedy: his first wife died unexpectedly. Suddenly the gates of inspiration opened, and his greatest and most productive musical creations followed her death. Pat Eubanks may be compared to Bach, since her greatest creativity and ingenuity came as a result of her misfortune.

Jennifer Moore – The Sage Assistant


Jennifer Moore offers professional Virtual Assisting Services both remotely and on site in the District of Columbia, Maryland, Virginia, and Eastern Panhandle of West Virginia. As a creative person, Jennifer can easily handle assignments such as:

  • Writing,
  • Editing,
  • Writing and posting blog entries,
  • Web copy,
  • Web data entry,
  • Business profiles,
  • Short form articles,
  • Copy editing,
  • Proof reading,
  • Ecommerce support,
  • Line editing, and
  • Traditional administrative tasks.

The aim is to free up her clients' time for more important tasks. She is always willing to expand her skill set and take on new challenges.