Tag Archives: Security
Why Your Website Security Matters Now More Than Ever
Cybersecurity, hacking, data breaches: these are the words that every business dreads. A report earlier in the year by cybersecurity firm Shape Security revealed that 80%–90% of the login attempts made on retailers’ websites are hackers using stolen data. No wonder business owners like you are warier and more aware of website security than ever before.
According to a study by KPMG, 19% of consumers would stop shopping at a retailer altogether following a breach; 33% would take a break from shopping there for an extended period. With these stats, online retailers can’t afford to take a relaxed view towards website security, especially with Black Friday and Cyber Monday coming up.
Your customers value security: to trust your brand, they need to feel safe when browsing your products online. Just as they need reassurance, we want to reassure you that you can easily achieve website security and safety.
5 Ways We Ensure Our Clients’ Website Security
1) iThemes Security Pro
The security of the websites we manage on behalf of clients is underpinned by the reliable WordPress Security Plugin, iThemes Security Pro, designed by WordPress security experts.
This powerful tool boasts features such as detection of malware and harmful files, lockouts of malicious IP addresses (for example, those generating a lot of 404 errors by using a bot to scan your website for vulnerabilities), and limits on the number of failed login attempts permitted per user, with WordPress brute force protection.
2) Nightly Website Backups
It would be a nightmare if you were to suddenly lose all your valuable website content. That’s why we make backups every night. In the highly unlikely event that anything should go wrong, we can restore clients’ websites with the previous night’s backups.
We provide further peace of mind with our state-of-the-art cloud hosting platform. It is incredibly resilient and therefore very rarely takes client websites offline.
3) SSL Certificates
Now an industry standard, the reassuring padlock next to the ‘https://’ bit of your website URL (a.k.a. an SSL certificate) is something businesses shouldn’t underestimate. Without an SSL certificate, your website is likely to be labelled ‘Not Secure’. I don’t know about you, but that would deter me from browsing a website any further!
We can set up SSL certificates, enabling customers and website visitors to trust our clients’ brands online. You can read more about the benefits of SSL certificates, which include warranty protection for online transactions, increased online safety and higher conversion rates here.
4) Strong Random Passwords
Gone are the days when you could use the same password again and again, however much easier it is to remember! We take the time and make the effort to use randomly generated passwords that are impossible to guess. Such passwords include a random combination of upper- and lower-case letters, numbers and symbols.
The password manager and digital wallet LastPass has a great password generator, which you can find here.
5) Two Factor Authentication and Strong Logins
For an added layer of security, we don’t just have unique usernames and randomly generated strong passwords. We also either have codes emailed to us or temporary access codes generated in real-time by the Google Authenticator app on our phones. We need these codes, as well as usernames and passwords, each time we log in to work in the ‘back-end’ of a client’s website or add a blog post.
What’s more, the ‘nicknames’ we use, which appear as the ‘authors’ of blog posts, differ from our login usernames. This makes it harder for hackers to guess them and gain access to client websites.
Secure Your Customers’ Trust by Protecting Them on Your Website
If you would like to enhance your website security, or you have any concerns, contact us on 01484 290 100 and we’ll be happy to help!
As hacking becomes more commonplace, it is becoming more and more important to increase security on your own website to protect your own personal details and your website.
Security is not just about strong passwords. There are lots of things you can do to help keep your WordPress website secure.
Here are some tips on how to increase your WordPress website security (and some cheesy stock photos to go with it!).
Choose a good host.
Some hosting companies are more secure than others. Your host should maintain and manage a lot of things you don’t want to do, or don’t know how to do, yourself. For example, keeping your website’s PHP version up to date will help with reliability and reduce the vulnerability of your site. To run WordPress, it is recommended (at the time of writing) that your PHP version is 5.6 or greater and your MySQL version is 5.5. If that means nothing to you, ask your host!
Choose quality software.
If you install your own plugins, are you picking ones developed by a security-conscious developer? Always check a plugin’s star rating and the number of reviews it has received. Checking the support section is also a good indicator, as you can see whether the plugin developer regularly answers questions, acknowledges bugs and is working to fix them.
Free computer software can also affect your website by adding hidden software to your computer. This hidden software can slow your computer down, modify your security settings and occasionally steal passwords saved on your computer, including your website login, to sell on to third-party companies. Always check your software is coming from a reliable source; avoid installing ‘bundled’ software, where the install screen asks you to install other programmes as well as the one you want; and don’t click on popups about your computer’s performance!
Use a password manager.
A good password manager, like KeePass, makes it far easier to have long, random passwords. You should have different passwords for all your applications and any websites you sign up to, including your website. Many password managers include a random password generator (although WordPress has its own) so you don’t have to think of a new one each time.
Use two-factor authentication.
More and more websites are using two-factor authentication to increase security. Two-factor authentication is a process that requires two pieces of information before allowing you to log in to your website. Some sites need you to enter your username and password and then complete an extra step on your phone or tablet before you can log in. Others require you to enter a personal PIN in addition to your username and password.
It does make the login process slightly longer but it makes a big difference to security. Unless you have a high-profile site with millions of visitors a day, hackers and bots trying to access your site will likely give up if they can’t break in right away.
Two-factor authentication is fairly easy to add to WordPress. Many plugins are available, each offering different two-factor authentication options. Google Authenticator is popular, as are Clef and Duo WordPress.
Back up your website!
By far the most important thing to do! WordPress is the most popular platform for websites and so it is very attractive to hackers. Despite putting all these security measures in place, it is still possible to be hacked so make sure that your website is backed up on a regular basis, either through a plugin or by asking your host to do it for you.
In June, I attended WordCamp Vienna, a huge conference that focuses on everything WordPress – not just an excuse for a holiday! It’s a fantastic conference for everyone from the casual WordPress user to core developers. I learnt lots of new things, some of which I hope to share through our blog and on LinkedIn.
One of the first talks I went to was by the wonderful Maurizio Pelizzone, an Italian WordPress Developer who whizzed through ten tips in ten minutes for hardening WordPress. After working through what Maurizio said and tweaking some of the code so it works better for us, below is what we found.
Disclaimer! Some bits require adding code to the .htaccess, wp-config.php and functions.php files of WordPress. If you don’t know how to do this, ask your web developer (or, shameless plug, call me at Pivotal Web Solutions).
Why harden WordPress?
All systems are vulnerable, no matter what. And because WordPress is used by over 25% of all websites on the web (July 2016), it is by far the biggest platform to attack. There are five main dangers to your website:
- Human errors. These are things we forget to do (because we’re human, after all!). Forgetting to remove the default admin username, to set a strong password, or to update to the latest version of WordPress are some of the most common.
- Exploitation. Attackers find an unpatched vulnerability in a plugin or theme and access your site this way.
- Social engineering. This is when hackers collect personal information from your website and use it against you.
- Brute force attack. A trial and error method used by bots that attempt to decode passwords and usernames to access your website.
- Write and execute permissions. When permissions are left open, they leave a backdoor for attackers.
Before you even launch a WordPress site make sure you have a good host that will protect your server from attacks. Once you have done that, harden your WordPress website using the ten tips below.
Ten Tips for hardening WordPress against attacks
Before we even start the technical bits, ALWAYS keep your site updated. WordPress is constantly releasing security patches, so having the latest version is a necessity.
1. Test your backup
You should be taking regular backups of your website. Make sure you test these occasionally before disaster strikes. This means you will be able to recover quickly if anyone does access your website. There are many plugins available to help you with your backup (for example, UpdraftPlus and VaultPress) or you can do this manually.
2. Prevent user enumeration
Deter hackers by removing username information. User enumeration exploits the way WordPress creates author pages (visit http://mysite.co.uk/?author=1 on your WordPress site and see where it redirects you). Even if you are using a nickname, it doesn’t take long to find the actual username in the page source.
3. User permissions
Limit the number of users and the permissions they have to an absolute minimum. This means if hackers do manage to get into your Dashboard, they will not have full access to your site.
4. Hide your login
Move your login to a custom login page so the /wp-login and /wp-admin pages are unavailable. The Custom Login URL plugin works well for redirecting these pages.
5. Don’t show errors & unnecessary info
Remove login errors, WordPress version and readme files to limit the amount of information provided to hackers.
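As an added example (my own code, not Maurizio’s slides or the tweaked code the post refers to), here is a functions.php snippet that implements tips 2 and 5 together; it assumes it runs inside WordPress, where the hooks it registers exist.

```php
<?php
/**
 * Added hardening snippet for a WordPress functions.php (or a small mu-plugin).
 * Assumption: it runs inside WordPress, so the hooks and helpers below exist.
 */

// Tip 2: stop user enumeration via ?author=N. By default WordPress redirects
// /?author=1 to /author/<login>/, which reveals the real login name.
add_action('init', function () {
    if (!is_admin() && isset($_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// Tip 2 (cont.): the REST API also lists users at /wp-json/wp/v2/users,
// so remove those endpoints for everyone.
add_filter('rest_endpoints', function (array $endpoints) {
    unset($endpoints['/wp/v2/users']);
    unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});

// Tip 5: replace the detailed login error ("invalid username" versus
// "incorrect password") with one message, so a failed attempt does not
// confirm which usernames exist.
add_filter('login_errors', function () {
    return 'Login failed. Please check your details and try again.';
});

// Tip 5 (cont.): drop the <meta name="generator" content="WordPress x.y"> tag
// and strip the ?ver= query string that leaks the version on scripts and styles.
remove_action('wp_head', 'wp_generator');
$strip_version = function ($src) {
    return (is_string($src) && $src !== '') ? remove_query_arg('ver', $src) : $src;
};
add_filter('style_loader_src', $strip_version);
add_filter('script_loader_src', $strip_version);
```

Tip 7’s lockdown of front-end plugin and theme installs is a wp-config.php constant, `define('DISALLOW_FILE_MODS', true);`, not a functions.php hook, so it does not belong in this file.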
6. Deny PHP execution
If hackers get access to your website, they can hide PHP files in folders where they should not be able to. For example, most of these hidden files are placed in the /wp-content/uploads/ folder. By disabling PHP execution in this folder you will improve your security. To do this, you need to create a brand new .htaccess file and put it in the uploads folder.
7. Remove inactive plugins
Remove any unused or inactive plugins. If you have the knowledge, you could integrate plugin functionality inside your child theme. In terms of plugins, less is more: the more plugins you have, the more you are relying on a third party to remove any vulnerabilities or problems that would give hackers a backdoor into your website.
If you work on a website that has a few users, you can easily disallow front-end plugin and theme updates and installations to limit any problems.
8. Use a secure password
Everyone says this, but there really isn’t any excuse! Don’t be lazy: use a very strong password. You could use a password manager such as KeePass to keep them safe, or use a method that is logical to you to remember them. For example:
Phrase + numbers + symbol e.g.:
- My son likes playing with his red ball = mSlPwHrB
- Addicted to WordPress = @ddic3d.2.WordPr3ss
9. Custom directory structure
WordPress comes in a standard structure (obviously) which you rarely see on the front-end of your website. The standard file structure is:
However, by applying your own custom structure, you not only make it look nicer but also make brute force attacks fail. For example:
10. Set a black hole trap
A WordPress black hole adds a hidden link to your website and a rule in your robots.txt file that forbids bots from following it. Bad bots that ignore the robots.txt rules will fall into the trap and be denied access to the rest of your website. You can also choose to receive information about the blocked bots via email. I’d recommend using the Blackhole for Bad Bots plugin for this, but if you fancy a challenge, or don’t want to add an extra plugin, you can follow these instructions on Perishable Press.
So there you have it. By using these methods, you can harden your WordPress site against attacks. If you don’t know how to edit the .htaccess, wp-config.php or functions.php files mentioned above, ask a web developer: changes to these files can bring your website down if not implemented correctly. If you have any questions, or you know of other ways to harden WordPress, please share in the comments.
For more chatter about WordPress, follow me on Twitter @KarysPivotal. Thanks!