Tag - Security

Keeping WordPress Secure

Occasionally I'll get a question from a client asking if WordPress is secure. If properly maintained and monitored, WordPress is one of the most secure CMS (Content Management System) platforms available. With that being said, if not properly maintained and monitored, WordPress is currently the most popular target for hackers. WordPress powers over 30% of the ENTIRE internet and 60% of CMS-powered websites use WordPress. For hackers it's simply a game of numbers.

WordPress MUST be Updated on a Regular Basis

If you don't update your WordPress website on a regular basis, or monitor its security, there's a good chance it will get hacked. I update my clients' WordPress plugins on a daily basis. A little tool called MainWP makes that an easy task for me since I manage a lot of WordPress websites. I'm able to log in to one place, scan my managed websites and update everything with the click of a button. Plugins are a source of many security vulnerabilities within WordPress installations. WordPress plugin updates often contain security-related fixes. When a plugin developer discovers a security flaw and pushes an update to fix it, the hackers take note. Hackers use scripts that are constantly scanning the internet for known vulnerabilities.

WordPress Security Monitoring

My favorite tool for monitoring the security of my WordPress websites is Wordfence. Wordfence is a great firewall with a ton of options and also has a malware scanner. I always like to show my clients their "Live Traffic" feature that shows every single IP address that tries to access your website, what they were trying to access and where their IP address is located. In the past 24 hours, I had IP addresses from the Philippines, Hong Kong, Russia, France, Turkey and India try to probe my website for various vulnerabilities. This happens 24 hours a day, 7 days a week.

The WordPress Login Page is the Most Popular Target

The WordPress login page located at /wp-login.php is the most popular target for hackers. There are numerous ways to combat this. Wordfence allows you to limit the number of login attempts before blocking an IP address. I set that number to 2. They also allow you to immediately block any login attempt with an invalid username. It's important to create a username that can't be easily guessed (and NEVER use admin). Once a hacker has your username they will use a brute force attack that will keep trying to log in to WordPress with different passwords. In addition to using Wordfence, I limit access to the /wp-login.php page by IP address. If your IP address doesn't belong to me or my client, it will get blocked. This can cause some issues when trying to log in from a new place, but I've found that minor inconvenience is overshadowed by the high level of security it provides.
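The two controls described above (an IP allowlist for /wp-login.php and a block after 2 failed attempts) can be checked against the web server's access log. This is an added example, not code from the original post or from Wordfence: the log lines, IP addresses (documentation ranges) and names are constructed, and it assumes the combined log format and WordPress's default behaviour of answering a failed login POST with 200 and a successful one with a 302 redirect.

```python
import ipaddress
import re
from collections import Counter

# Constructed allowlist: the only networks expected to reach the login page.
ALLOWED = [ipaddress.ip_network("198.51.100.0/28")]
MAX_FAILURES = 2  # same limit the post sets in Wordfence

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines, not taken from a real site.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
198.51.100.5 - - [01/Jan/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
198.51.100.5 - - [01/Jan/2024:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
192.0.2.44 - - [01/Jan/2024:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "-"
203.0.113.9 - - [01/Jan/2024:10:07:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2500 "-" "-"
198.51.100.5 - - [01/Jan/2024:10:08:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "-"
"""

def review_login_traffic(log_text):
    """Return (offlist_served, at_limit) for /wp-login.php requests.

    offlist_served: IPs outside ALLOWED that got anything other than 403,
                    meaning the allowlist was not enforced for them.
    at_limit:       IPs that reached MAX_FAILURES failed login POSTs.
    """
    offlist_served, failures = set(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        if path.split("?", 1)[0] != "/wp-login.php":
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field was a hostname or junk, not an address
        if status != "403" and not any(addr in net for net in ALLOWED):
            offlist_served.add(ip)
        if method == "POST" and status == "200":
            failures[ip] += 1  # login form re-rendered: failed attempt
    at_limit = {ip for ip, n in failures.items() if n >= MAX_FAILURES}
    return offlist_served, at_limit
```
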

Is Your WordPress Website Secure?

Is your head spinning yet? I just touched on the basics of WordPress security. If your website is not being properly managed or maintained, contact me today and I can get you back on the right track.

Google reCAPTCHA v3

Google reCAPTCHA v3 – Keeping Forms Safe From Bots

Today I upgraded all forms on my clients' websites with Google reCAPTCHA v3. If you aren't familiar with reCAPTCHA, it's a tool to help prevent form spam by either having users type displayed text into a box (reCAPTCHA v1), check a box (reCAPTCHA v2), or now with reCAPTCHA v3... NOTHING! reCAPTCHA v3 can detect abusive traffic on your website without user interaction by analyzing multiple factors to prevent malicious bots from spamming you with contact form emails.
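Because v3 shows the visitor nothing, the decision is made on the server: the form handler sends the token to Google's siteverify endpoint and acts on the JSON reply. The following is an added example, not code from the original post or from Google; the function name, threshold, hostname, action name and sample replies are constructed, while the field names follow the documented siteverify response.

```python
# Decide whether to accept a form submission from a parsed siteverify reply.
# In production the reply comes from POSTing the secret key and the token to
# https://www.google.com/recaptcha/api/siteverify; the replies below are
# constructed samples so the logic runs offline.

EXPECTED_HOST = "example.com"     # assumption: hostname the form is served from
EXPECTED_ACTION = "contact_form"  # assumption: action name set by the page
MIN_SCORE = 0.5                   # assumption: tune per form from real traffic

def accept_submission(reply):
    """Return (accepted, reason) for one siteverify reply dict."""
    if not reply.get("success"):
        # Expired, replayed or malformed tokens fail here.
        codes = ",".join(reply.get("error-codes", [])) or "unknown"
        return False, "token rejected: " + codes
    if reply.get("hostname") != EXPECTED_HOST:
        return False, "token issued for another site"
    if reply.get("action") != EXPECTED_ACTION:
        return False, "token issued for another action"
    score = reply.get("score")
    if not isinstance(score, (int, float)) or score < MIN_SCORE:
        return False, "score below threshold"
    return True, "ok"

# Constructed sample replies.
HUMAN = {"success": True, "score": 0.9, "action": "contact_form",
         "hostname": "example.com"}
BOT = {"success": True, "score": 0.1, "action": "contact_form",
       "hostname": "example.com"}
REPLAYED = {"success": False, "error-codes": ["timeout-or-duplicate"]}
WRONG_ACTION = {"success": True, "score": 0.9, "action": "login",
                "hostname": "example.com"}
```

A high score alone is not sufficient: a token minted for a different action or site is rejected before the score is considered.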

All of my clients know how big of a fan I am of Google. This is just another example of how Google remains on the forefront of technology and constantly strives to make the web easier to use while maintaining security. If you want to learn more about reCAPTCHA v3 check out the links below.

Website Backups Using Amazon S3 Cloud Storage

Recently I have implemented another layer of protection for my clients' websites, backing up everything with Amazon S3 Cloud storage. My hosting provider Namecheap has a 99.9% guaranteed uptime. The longest any of my websites has been down was roughly one hour over the past 5 years. In addition to this, Namecheap has automated backups for all their customers' data in nearly real-time. Although this is excellent, I have to be prepared for the worst and can't assume someone else will back up my customers' data. In 2012 GoDaddy was attacked by hackers, causing 52 million domains and 5 million websites to go down for over 12 hours. Fortunately GoDaddy was able to stop the attack and preserve their customers' data, but it could have been much worse. To prevent loss of data I've implemented multiple layers of protection for all my clients' websites.

Google Drive - First Layer of Protection

I have a Google Apps for Work account that gives me unlimited storage with Google Drive, which is another cloud backup platform. I use this to back up everything I have related to my clients' websites, graphic design files, old website files, personal data and anything else they have ever sent me for their website. The problem is some websites are updated on a daily basis. Take an eCommerce website for example. They have orders, new products, price changes, and software updates constantly. This creates an issue if a website goes down and I don't have a recent backup.

Server Backups - Second Layer of Protection

For quite a few years now I've been using a plugin for WordPress called UpdraftPlus. The great thing about UpdraftPlus is I can set automatic backups for my websites, as often as daily if needed. I used to store these files on the server I have with Namecheap. This allowed me to have a recent backup without having to lift a finger. For my static websites (not using a CMS platform like WordPress) I would manually back up the files using Google Drive. A potential issue could arise if Namecheap were to come under an attack, or somehow the files were compromised on the server. I could theoretically lose the website AND the backups. Not good. I needed a better solution.

Amazon S3 Cloud Storage - The Ultimate Layer of Protection

This is where Amazon S3 Cloud storage became essential. UpdraftPlus is able to automatically send backup files to my Amazon S3 Cloud server rather than saving them on my server. In a worst case scenario, if all Namecheap servers went down for an extended period of time like GoDaddy did, I have everything ready to be transferred to another server immediately. Using two cloud backup solutions prepares me for that worst case scenario I discussed.

Is Your Website Safe, Secure and Backed Up?

I take pride in every website I develop or manage for my clients. My clients expect that their data is safe, secure and backed up. Some may call me paranoid, but I look at it more as prepared. My experience as a Firefighter and Paramedic has cemented this mentality. You should ask your web developer how often and where your files are backed up. Hopefully they're prepared for the worst. If you need reliable hosting or a new website, make sure to contact me today.