It’s a post-summer-holiday Sunday morning and instead of planning a leisurely, family day out, we are woken to the sound of security alerts pinging in.
The messages inform us of unauthorised users logging into a client's website and then we get…
Web integrity monitor alert.
Warning for site: *******.com
*Domain blacklisted by Bitdefender.
Luckily for the client, they are covered by our maintenance plan which includes malware detection AND removal, as well as blacklist monitoring and tidy up. Over the next 16 hours our external security specialist removes the malware, we tidy up some other areas that were affected and work out what/who was the cause.
Cutting a long story short, the shared hosting server the client had their website on was compromised by another account/user on the same server. This account contained a website that was hacked (through a vulnerability in an out-of-date plugin) by a religiously-motivated hacking group – which then gave them the scope to hack over 40 other websites on the same server.
Unfortunately many people and businesses on that shared hosting server weren’t taking their own backups and didn’t have malware/blacklist monitoring, so they weren’t automatically covered to get ‘cleaned up’. Indeed a few days later some websites were just removed by the hosting provider, so they wouldn’t represent a further threat to other sites on the hosting server.
Over the past 12 months we’ve observed a growing trend: the cyber threat landscape of websites continues to get more complex and more intense, with attacks happening against websites on a daily, if not hourly, basis.
So we thought it might be useful to cover what we are doing for you in terms of security and what you can do!
Protecting You – what we are doing
We often use the car analogy in describing the steps of looking after your website: you take your car to a mechanic for regular services, it has a car alarm, you take out insurance to protect against theft and accident and you need to lock the doors when you are not in it.
Likewise, the website for your business requires a similar approach. Your site should have a regular service, security needs to be comprehensive and you need to have arrangements in place should you need to restore your website if anything goes wrong.
In addition to taking a daily backup and storing it on a secure cloud server, there are 5 specific steps we are taking to protect you.
1. Keeping your WordPress website up-to-date
Keeping your website as up-to-date as possible is a key way of making sure that there aren’t any ‘security holes’ in your website structure, as these can be an easy way for hackers to gain access to your website and the details contained therein. The updates we do for you include upgrading the core WordPress files and WordPress themes.
2. Plugin Updates
Plugins are probably our primary security concern – making sure they are up-to-date with any security patches and that plugins that are installed come from a trusted and secure plugin developer.
3. Malware and blacklist scanning
Using an external security specialist, Sucuri Inc., we scan your website every few hours for malware and check blacklists for any potential problems.
4. Brute force attacks
Over the past month we have been working our way through client sites and deploying anti-brute-force attack technology. Essentially this technology uses a network strategy to protect against orchestrated and systematic attempts by hackers to gain access to your WordPress website by guessing usernames and passwords.
5. Keeping track of key website changes and activities
We’re also installing technology by a leading security firm that monitors for suspicious behaviour and alerts us to activities that might indicate a possible intrusion, or an attempt to hack your site.
What you can do.
It’s over to you – this is a two-way thing! Here are 5 steps you can take:
1. Have a strong password
Make sure your password for your WordPress site is strong (in fact you should keep all passwords strong). If you want to create a strong random password you could use http://www.random.org/passwords/
2. Keep login details safe
– Keep passwords and credentials safe
– Don’t give usernames and passwords to others
3. Plugin Installation
Talk to us about plugin installation. If you want to install new plugins, that’s fine, and depending on your maintenance plan we can do this for you, free of charge. But even if you want to install a plugin yourself, please, please talk to us before you do so to check that the plugin a) comes from a trusted source and b) isn’t considered to be a security problem.
4. Get some antivirus
If you use an operating system that is prone to virus or malware infection then make sure you have suitable anti-virus software installed.
5. Review your hosting
This single event highlighted the downside of certain types of shared hosting. As a business we have our portfolio of websites spread across different hosting providers to reduce the risk.
As a business you may want to look into the details of your own hosting service, in particular how shared hosting works on your hosting provider’s servers, their security setup and their history of ‘being hacked’.
If you’d like some recommendations or have questions, get in touch and we’ll send you some details.
I’m pleased to say it’s not all doom and gloom!
We wanted to share this with you because it’s important for you to understand what’s happening ‘out there’, but rest assured, working with good hosting providers we are doing all we can to keep you as safe as possible, mitigate risk and be able to recover as quickly as possible should there be a problem.
We’ll continue to keep you informed with the latest updates, as they happen, but if you do have any questions in the meantime please do get in touch with us.