Important WordPress Security Tips – Is Your Website Really Protected?

By November 16, 2016 March 17th, 2017 Security


We here at Web & Moore have been reading up on and learning about several security vulnerabilities happening around the web lately, especially those targeting WordPress. Our Network Security personnel are always preventing attacks on our clients' websites and servers; however, we are now offering an add-on module to help keep your WordPress site even safer! If you are interested in having us install and configure this new security module, please contact me at sam@webnmoore.com. I will briefly go over some of the module's new features, what it does, and why it's important. I will also go over some required changes that we will be making in general, and explain our recommendations and procedures.

Use Strong Passwords for all Entry Points

I want our clients to be assured that when we install and develop our WordPress websites, we use very strong, randomized passwords generated from a source (which I will not mention). We also use the same level of password security for the website databases, FTP, panel, and several other areas (which I also will not mention, for security purposes). Our WordPress admin passwords are strong and secure; however, we have noticed that some of our clients' login passwords are not as secure. We understand that it's easier to log in if you can remember the password or keep it short. HOWEVER, it's important to understand that the vulnerability to hacking is there. If you feel like your password is not secure enough or safe, you can change it via your “USER” preferences within the dashboard, or contact us and we will help.

Access to the Server

For clients that are hosted on our dedicated servers, we want you to know that we go above and beyond for our server security. NO CLIENT has access to any panel on any server for any reason, ever. Any ports that are not necessary are shut off. That includes FTP. FTP ports are highly targeted, so we keep them turned off at all times (we turn them on when we need to use FTP, then turn them back off). This does not affect any clients at all; I just want it to be known so you can see how serious we are about the safety of our servers and client websites.

For clients who choose to host on shared servers such as GoDaddy, BlueHost, etc.: those servers have panels and access points, and if we did not help you set them up, we are not sure how secure you have it. Shared servers are cheaper, yes, but far more vulnerable to attacks and problems. If you would like to up your security, please contact us and we can come up with a custom security package for you.

Why you need the Website Maintenance Package and not just “hosting”…

We Update WordPress to the Latest Release

As new WordPress versions are released, the security bugs in previous releases become public information. WordPress could have vulnerabilities, as a result of how the program is written, that allow an attacker to pass HTTP arguments, bad URI strings, form input, etc., that could cause “Bad Things” to happen. So we always update your WordPress to the latest version to make sure that you are protected against any known security bugs. It is important that WE do this (included in your Website Maintenance Package), as we back up your site before the update just in case. If you do not have our Website Maintenance Package, then contact us for pricing and make sure your website is updated correctly.

We Back Up Your Data

We can’t stress this enough… We always keep backups of all the important files. We constantly back up the WordPress databases and the WordPress files for all of our hosted websites in case of emergency. We back them up in several secure virtual locations, as well as manually, right here on a portable hard drive that is kept in a fireproof safe at all times.

Random Note:

Be careful when you upload something to your site

If/When you upload a script (example: a plugin, a theme or just a normal script) to your site you need to be extra careful as it can harm your site if it was designed to do so. Only upload authentic content to your site. Never download a plugin or a theme from file sharing sites. The content on these sites can be disguised as a plugin or a theme but it will harm your site when uploaded to your server.

So what does this new module do?

It does A LOT! But here are a couple neat features. For more specifics on the module, click here…

It adds a CAPTCHA on your WordPress Login page

Adding a simple captcha to your WordPress login page is another great way to minimize the chance of a bot/script gaining access to your site via a brute force attack (a brute force attack is a method of defeating a cryptographic scheme by systematically trying a large number of possibilities). The captcha in our module sets up a simple math question, to which you need to enter the answer (ex. 2 times 4, or 19 plus 1). It's easy, yes; however, it helps to prevent those brute force attackers who try every combination to get in. After 3 tries (missed attempts), you will be shut out for 1 hour. Brute force attackers that are logged trying more than that are locked out for good and blacklisted from the site (that's a different story). This is a great thing to have whether you manage your site or we do; either way, it keeps the attackers out of that access point.

It Protects the ‘wp-admin’ Directory

We use a .htaccess file in the ‘wp-admin’ directory to limit access to only certain IP addresses.

It denies access to your Plugins and other directories

A lot of website owners don’t protect access to their WordPress plugins directory. Many WordPress plugins can have vulnerabilities which an attacker can use to harm your website. So, it's a good idea to block access to these directories.
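
One way to restrict the plugins directory on Apache, as an added example; the page does not say how the module does it, so the file location and rules below are assumptions.

```apache
# wp-content/plugins/.htaccess (constructed example)
# Needs AllowOverride Options for the Options line, plus
# AuthConfig (Apache 2.4) or Limit (Apache 2.2) for the access rules.

# Stop Apache from listing plugin folders that have no index file.
Options -Indexes

# Refuse direct HTTP requests for plugin PHP files. WordPress loads
# plugins from disk with include/require, which this does not affect.
# Static assets (CSS, JS, images) stay reachable.
<FilesMatch "\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Some plugins expose PHP endpoints that browsers request directly, so test the site's forms and integrations after enabling the PHP rule.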

It Doesn’t Show WordPress Version on Your Blog

You should not make the WordPress version that you are using visible to others for the same reason explained above. The specific WordPress version that you are using can give the attacker an upper hand in finding a way to break in.

For even more module information and specifics, check it out here…

To purchase this module for your WordPress website, click here!