
An ounce of prevention is worth a pound of cure

– Benjamin Franklin.

At the end of the day every business takes on some degree of liability and all you can really do is mitigate the bad things as best you can and accept that it is a part of doing business. We certainly don’t claim to be security experts (in fact we rely on other partners that specialize specifically in just that), but there definitely are some basics you should think about if you are the proprietor of an online enterprise, whatever it may be. So here, in a nutshell, are just a few basic security considerations you might take into account. Note: We cannot stress enough the fact that we are not security experts and strongly advise you to consult qualified security personnel before making any changes to your configurations.

1) Use a trusted security plugin to secure WordPress.

Depending on your platform of choice it is good to become familiar with the configuration of a tried and trusted security plugin. There are many out there that work well, with the likes of iThemes for WordPress floating to the top. Such security plugins are relatively easy to use, inexpensive to purchase and come with an ever increasing body of security knowledge. For example, with a few simple (but careful) configurations you can obfuscate (fancy word for “hide”) your admin login, thus making unauthorized access more difficult. If you can’t find it, you can’t hack it (although there are probably many skilled hackers out there that still can!).

2) Don’t overuse plugins.

Without question, plugins are becoming more secure and better maintained as platforms like WordPress become mainstream. However, with any publicly available plugin whose code is accessible to everyone, there is greater opportunity for hackers to study the structure, find vulnerabilities, and determine ways of using the plugin as a means of penetrating your site. If you write your own code, hackers don’t have the same level of visibility into it as they do with a plugin available cheaply or for free in the WordPress plugin repository.

The rule of thumb for plugins is …

1) Check reviews online for plugins you use.

2) Where possible only use plugins that have been verified by your platform of choice, e.g. WordPress has its own vetting system for plugins submitted to its repository.

3) When possible, custom code the functionality you are looking for. Custom built code, although not foolproof either, is less likely to have a structure familiar to hackers.

3) Beware of generic templates.

One of the methodologies hackers use is to rely on previously existing patterns. For example, if a hacker knows a certain platform keeps folders in certain places, he/she may be able to blindly “fish” for that folder by manipulating the browser URL. This is why purchasing generic templates online (in an attempt to make things less expensive) can end up costing you more – publicly available templates are available for everyone to see and access … including hackers.

4) Lock your server down like someone just told you: “You are being hacked.” Do it yesterday.

It is important to have a discussion with your hosting provider and whoever is responsible for server maintenance, and examine ways of securing the server (to secure WordPress) on which your site is hosted. There are several quick fixes that can shut down a large proportion of security holes. For example, FTP is a fairly common point of access for many compromised servers, and you would be surprised how many shared hosting providers make it difficult for you to turn FTP off. Simply turning FTP off when it is not in use is an easy way to prevent hackers from accessing your site.

Are you able to lock down cPanel access in some way? Is it feasible for your company to only use Secure Shell (SSH) access? Check your live server permissions: folders should be set to 755 and files to 644 (of course every server is different, and again you should consult with a qualified security expert before making any such changes). The reality is that every setup is different and it might not be feasible for everyone to be super security conscious or paranoid about hack prevention. Nonetheless, server security is something to keep in mind.
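As an added example (not code from the original post), a small POSIX shell audit that lists everything under a WordPress document root deviating from the 755/644 baseline described above, plus anything world-writable; the document root path is an assumption you supply.

```shell
#!/bin/sh
# Added example, not code from the original post: report every directory that
# is not 755 and every regular file that is not 644 under a WordPress document
# root, plus anything world-writable. The path given on the command line is the
# only assumption. The script only reports; it changes no permissions.

# Print one line per deviating entry. wp-config.php is commonly kept tighter
# (600/640) on purpose, so it is excluded from the 644 check rather than
# reported as a problem.
wp_perm_audit() {
    root="$1"
    find "$root" -type d ! -perm 755 -print | sed 's/^/DIR  not 755:  /'
    find "$root" -type f ! -perm 644 ! -name wp-config.php -print \
        | sed 's/^/FILE not 644:  /'
    # World-writable entries are what another tenant on a shared host could
    # modify directly; flag them whatever their other bits are.
    find "$root" -perm -002 -print | sed 's/^/WORLD-WRITABLE: /'
}

# Number of findings, so the audit can gate a deploy (0 means clean).
wp_perm_count() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: sh audit.sh /var/www/html   (the path is an example)
if [ -n "$1" ]; then
    wp_perm_audit "$1"
    echo "findings: $(wp_perm_count "$1")"
fi
```

Run it against a copy of the site first if you are unsure what your host expects; a non-zero count is a list to discuss with whoever maintains the server, not an instruction to chmod blindly.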

5) If you can afford it, use virtual private servers or dedicated servers with managed hosting.

There are oodles of very affordable shared site hosting options out there many of which work really well and have really skilled support teams managing them. Unfortunately by the nature of shared hosting you are sharing the same server with many other companies also hosting their sites on that same server. With a greater number of websites comes greater risk that at least one of these other companies has unknowingly left some vulnerability in their site. Shared hosting providers also need to try and offer services at lower costs, so they can’t necessarily afford to apply the highest quality of support 24/7.

A virtual private server (VPS) gives you more control over your server, and thus over its security, and usually comes with more dedicated, skilled managed support people watching over it. A dedicated server, although more expensive, is probably the best choice of them all. Dedicated servers can be expensive, but if you get enough of a critical mass of sites on there, or have an important enough stand-alone site that can pay the bills, then it might be worth it. Dedicated servers don’t share with others and, as the name suggests, are dedicated specifically to you.

6) Don’t be predictable.

An ounce of prevention is worth a pound of cure. It is much easier to live carefree if you put some relatively simple configuration into how your site and server are set up. After building the site, there are several things your server/hosting administrator can do to enhance general security. For example, moving temp folders out of the usual/default locations or keeping log folders outside of public_html can make hacking more difficult. Use your .htaccess file to further batten down the hatches. You could also add the following to your robots.txt to prevent your admin page from being indexed by search engines:

User-agent: *
Disallow: /wp-admin/

Try not to use common login names such as “admin” or common superuser database IDs. Remove any phpinfo.php server config display files when possible. Delete unused templates and files in general, in case old templates have known security vulnerabilities.

7) Scan for vulnerabilities.

For the more hardcore amongst us, there are a few server scanning tools that will allow you to review common security holes and hopefully make fixes and tweaks without too much pain. ScanMyServer.com is an example of a service that seems to be used by a few better known sites out there. They even allow you to add a little secure badge to your site signifying you have passed their test. It is associated with/built by BeyondSecurity, which offers a low priced one-time solution as well as a monthly one.

8) Ongoing security solutions.

Once you have done all you can to secure your website, you can look at ongoing security options too. The following companies offer ongoing solutions that continuously monitor your server for you. They range in price from $200 to $2400 per year.

sitelock.com – complete monitoring, cleanup and patching, per site.

unhack.us – complete monitoring, cleanup and patching (by the iThemes creators), per site.

sucuri.net – complete monitoring (firewall + antivirus), cleanup and patching, per site.

9) Recover well from hacks.

When you host a website, you take on the responsibility of ensuring the site remains hack free. Unfortunately it is next to impossible to prevent all exploits. Not only is it important to have a plan in place should your site be hacked, but also to have a strategy for making sure that, once you have closed the hole, you have also done all you can to clean the site of malware the hacker has already hidden within it. The following companies offer pretty affordable one-time fixes (assuming the issue is not an extremely serious/unusual hack).

sucuri.net

sitelock.com

unhack.us

10) Listen to Google and Bing.

Sign your sites up for Webmaster tools and watch/manage reports. This is a good baseline and simple to do. Among other things, including a host of SEO tools, Webmaster tools can help monitor and resolve malware or spam issues so your site stays clean and healthy.


Additional learning/reading suggestion:

https://safewp.com