December 7, 2018
Not a week goes by that we don’t read another news story about a company database or website that has been hacked. Regardless of the size of your organization, having your site hacked is not just inconvenient; it can be expensive. Nationwide, malicious cyber activity costs businesses billions each year. While the immediate financial impact for a smaller organization may be modest, a data breach or website hack can also wreak havoc on operations, require time-consuming and expensive efforts to rectify, and divert attention from more important work—not to mention the potential negative effect it could have on an organization’s reputation.
Practically speaking, it’s impossible for an organization to exist on the web and be 100% secure from hacking, but with a few relatively simple steps it’s possible to significantly reduce the likelihood of becoming a victim, as well as ease the process of recovery should an incident occur.
In this, our inaugural Perspective article, we’ll share a number of web security approaches we like to employ at Metric Media. These are practices we’ve employed and refined over many years and strive to implement for all our clients, but whether you’re a Metric Media client or not we’re happy to share this knowledge in hopes of making the web safer for all.
A number of the approaches discussed here apply specifically to WordPress, but many of them are relevant to any site, regardless of the platform it’s built on. And this article is by no means exhaustive. If you have a favorite security practice you’d like to share we invite you to let us know. We can include it in a future article.
Keep it up to date
According to W3Techs, WordPress now powers more than 30% of all websites. But being popular means WordPress is also a popular target for hackers, who work hard to find weak spots in core WordPress code and popular plugins. Fortunately the WordPress developer team is usually quick to come up with a security fix when a vulnerability is identified, and WordPress sites typically update themselves automatically to incorporate new security and bug fixes (although this automatic updating can be turned off, so it’s worth confirming that it is enabled on your site).
For WordPress plugins the process is a little bit different. Plugin developers typically respond quickly to security issues as well, but occasionally plugin updates won’t get along with each other or with the newest version of WordPress. We’ve found it safest to update plugins first in a test or “staging” copy of the website, and review to confirm nothing is negatively affected, before moving those updates to the live site. This is part of the regular WordPress + plugins update service we provide for many of our clients.
For those sites not built on WordPress, the need to stay up-to-date is no less important, though the frequency of required updates is often less. We work on many custom PHP/MySQL-based websites and we see that core libraries like PHP or jQuery often require updating to address bugs or security issues. The need for such updates may not be apparent unless a site is receiving security scans, which may be the case if the client is seeking to keep the site PCI-DSS compliant (more on that in a future article). We often work with a client’s IT provider or web host to bring these core technologies up to date.
One potential entry point for hackers is the network connection between a user’s web browser and your website. If a hacker is able to observe users connecting to your site, say via a poorly-secured public wifi network, they may be able to capture login credentials or other sensitive information in transit. Adding an SSL certificate to your site and enabling site-wide encryption secures the connection between browser and website, so personal information can’t be intercepted. A properly implemented SSL certificate results in the “https” you see in secure URLs, and the padlock icon that appears next to your browser’s URL bar.
Purchasing and installing an SSL certificate was once a complicated and expensive process but as the popularity of SSL has spread, cost and complexity has fallen. There are even free SSL certificates available on many hosting platforms thanks to Let’s Encrypt, a free service provided by the nonprofit Internet Security Research Group.
You’ve heard it before but we’ll say it again: use a strong password. This means one that can’t be easily guessed or is a simple word that might be found in a dictionary. The best passwords include a combination of upper and lowercase letters, numbers and symbols (like $, ?, # and so on). Luckily WordPress can (and does) generate particularly messy strong passwords for you if you ask it to. All you have to do is click “Generate Password” in your Profile and you’ll get something neither you nor anyone else could possibly remember.
Great – now your password is secure but how do you remember it? There are a number of possible approaches, including letting your browser remember the password (if you’re not on a public or shared computer) or using a password management tool such as LastPass or 1Password.
It’s also important not to reuse the same password (strong or otherwise) on different websites. If a hacker is able to obtain your password for one site they will often try the same password on other popular sites like Facebook, Google/Gmail, banking and financial sites and more.
Finally, it’s a good idea not to share WordPress administrator accounts. Give each user who needs to access WordPress their own account, with their own unique strong password and an appropriate administrator level (i.e. don’t make someone an “Administrator” if they will only be modifying content, and don’t need to manage other users’ accounts.) If each user has their own account it’s much easier to deactivate access for someone who leaves the company, or reset a password, without affecting other users.
Use a security plugin
At Metric Media we are fans of a security plugin called iThemes Security, which can monitor for modified files, block blacklisted IP addresses, enforce strong passwords, limit login attempts, enforce SSL connections and provide other important safeguards. WordFence is another popular security plugin that a number of our clients use.
A security plugin alone won’t keep a website safe, but it’s an inexpensive, powerful and easy-to-implement part of a broader security strategy.
Back it up
If a site does get hacked, having ready access to a recent backup of the affected files can help get the site back up and running quickly. Hosting providers usually offer a backup option for a small fee, but since it requires someone knowledgeable to enable it via the hosting account control panel, often this option is not set up by default. We highly recommend confirming that your site’s hosting account is being backed up. It’s also important to make sure that you can actually restore files from a backup should you need to. This means downloading a backup, unzipping it and looking at what’s there. Does the backup contain everything you need to restore your site’s file structure?
Backing up the files that make up a site does not mean the site’s database is also backed up. The database typically includes all the site’s content (except images and video), as well as many aspects of a site’s configuration like navigation. A variety of WordPress plugins are available that can handle database backup. Our preferred security plugin, iThemes Security, includes database backup in its standard suite of tools, or you can install a plugin like Updraft, Duplicator or BackupBuddy. Whichever approach you choose, we recommend both saving backups on the server (which will then be backed up by your hosting account backup) and emailing the backup to a trusted recipient.
The combination of site backup and database backup allows full recovery of your site in the event of a catastrophic hack or server failure.
Install a web application firewall.
A particularly effective tool in the battle against hackers is the web application firewall, or WAF. A WAF provides a layer between the internet and your website. Every connection to your site passes through the firewall, is logged, and is checked against a knowledge base of known suspicious entities and activities. If a user matches these criteria, their connection to the site will be blocked. If they attempt to upload a malicious file, the upload will be blocked.
A WAF is not necessary for many sites, but we feel it’s a must for any site engaging in e-commerce. The cost is modest and the extra peace of mind it provides is invaluable when the potential cost of a data breach is considered.
The WAF we most frequently recommend is Sucuri. In addition to the firewall, Sucuri also scans the site for malware and other security issues, and provides some performance boosts as a bonus.
There are additional steps that can be taken to make any site even more secure — for instance, if you are seeking PCI-DSS Compliance (as noted above) — but the steps presented here are relatively simple, inexpensive, easy to manage and provide a good level of protection for all but the most critical security situations.
If you have concerns about how well your site is being protected we’re always happy to chat and offer suggestions, or perform an audit of your current configuration and help implement any necessary changes. And if you have security-related thoughts of your own to share, please pass them along. We would love to include them in a future article.
(Note: Although we have provided links to various tools above, and regularly use many of them, we have no relationship to any of the associated companies or developers and are not specifically recommending any particular solution for a given site.)View All
…we’ll take a look at various security approaches we like to employ at Metric Media…practices we’ve refined over many years and try to implement for all our clients