Backup, Security and Performance Services

Description

The need

Fundamentally, security is not about perfectly secure systems. Security…is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture — reducing the odds of making yourself a target and subsequently getting hacked. WordPress Security Codex

WordPress powers more than 37.6% of all websites on the internet. With hundreds of thousands of theme and plugin combinations in the WordPress ecosystem, it’s no surprise that security vulnerabilities exist and hackers seek to exploit them. However, there is also a very strong community that supports the WordPress platform to ensure these vulnerabilities get patched as quickly as possible. As a result, weekly plugin and theme updates — as well as uptime and security monitoring — are vital to keeping your website safe and functioning properly, especially in light of the recent increases in “brute force” and other attacks. To learn more, visit: https://www.wordfence.com/blog/.

No site is completely immune from being hacked (as we have seen from recent news stories and wikileaks revelations), however, our job is to make it difficult for hackers so they move on to someone else’s site. And if your site does get hacked, we’ll know about it instantly and be able to remove the malicious code and restore the site.

Why hackers do what they do:

How hackers exploit WordPress sites:

How do you know you’ve been hacked?

Clear indicators of a hack include:

• Website is blacklisted by Google, Bing, etc.
• Host has disabled your website
• Website has been flagged for distributing malware
• Readers complaining that their desktop AV’s are flagging your site
• Contacted that your website is being used to attack other sites
• Notice behavior that was not authorized (i.e., creation of new users, etc…)
• You can visibly see that your site has been hacked when you open it in the browser: Examples:
  • Defacement – digital graffiti is found on your site
  • Links on your site that take you to another site

 Potential Repercussions

It depends on which of the above has happened, and if your site actively sells goods or services or not. If you make a living from your site, it can be very costly. At minimum, it’s a nuisance. It takes time and therefore money to remove the offending software/hack — sometimes upwards of 5-10 hours to root out all problems.

What we will do

1. Daily and Weekly Backups: Backups are extremely important – not only in case your site is hacked but also to protect against errors caused by updates to the WordPress core software, plugins and themes. If your site was created by BentonWebs, we already do weekly backups to your hosting account but you also need a daily backup. And these backups need to be stored somewhere other than the same server that is hosting your website – in case your host’s server goes down or they inadvertently delete your site (which we have had happen previously). We’ll do that for you using Dropbox and we’ll keep 4 weeks of weekly backups.

2. Weekly WordPress Core, Theme and Plugin updates: All these various forms of software are updated regularly to add additional features/functionality and to patch security holes. Hackers look for and often exploit vulnerabilities in the WordPress core code and within plugin and themes. Fortunately, WordPress developers and external security experts discover these vulnerabilities and notify the appropriate parties so they can release updates. However, your site needs to be updated as soon as possible after the patch/fix is released. These updates are now happening so frequently, that unless your site is being updated weekly, you are at much higher risk of being hacked. We will update your site to the newest versions of these apps on a weekly basis. We perform these updates on your production/live site and test. If there are issues, we roll back to a previous backup. Then we create a staging site where we investigate the issues, so we can then perform the updates on the production/live site.

3. Security Hardening: We’ll install the leading WordPress security plugin – WordFence  – and tune it to make your site less vulnerable to potential hackers. This plugin features a variety of tools to harden your site: brute force attack (robots trying to guess passwords) prevention, firewall, etc. We’ll also set it up to scan for files that are not in the existing repository of WordPress core and plugin files so that if a hacker inserts malicious code (malware, spamvertizing, etc.) we’ll know about it and be able to remove it right away.

4. Support, troubleshooting and removal of problems: This not only includes being hacked, but also unexpected issues that arise as a result of WordPress, Plugin or Theme updates. For example, one of our client’s site pages were turned into random illegible characters by an update to one of the plugins. Whenever this happens, it takes time to figure out what happened and fix it. We’ll do that as part of your monthly fee. We’ll also fix forms not working and other maintenance-related issues.

5. Add SSL/TLS (https://):
   Using a secure connection is an important part of WordPress security. If your site starts with ‘https://’ and is green (in most browsers) or has a lock icon, that indicates it is using SSL/TLS. Signing in via HTTPS and having your visitors complete forms via SSL/TLS insures that your login information is sent encrypted across the network and that someone listening in can’t steal your or your clients’ username and password or data. Google and Firefox started giving a warning if someone fills out a form and the page is not SSL/TLS. If your site isn’t already SSL/TLS, we can install one for free using Let’s Encrypt. This setup is included in the $99 one-time setup fee.

6. Performance and Security Optimization: The performance of your site – how fast your pages load – is very important. If people find your site, but it takes too long to load, your visitors are going to give up and go on to something else. Google knows this and therefore now includes site speed as one of their ranking factors. So, how do you speed up your site? By using a Content Delivery Network (CDN). A CDN speeds up your website by loading static resources (images, javascript files, html, stylesheets, etc.) from a data center nearest to your user, instead of from your web hosting server. Physical proximity has a very real effect on load times, so this can drastically improve your page load times. But it’s not just about speed – using a CDN also frees up your bandwidth by handling the transfer of most of your large files. A CDN also protects itself and all the data it stores as well as a website’s origin from any data breaches or internet hackers. The most common data threat are various forms of distributed denial of service (DDoS) attacks. A CDN has proper techniques for preventing, detecting and correcting different forms of DDoS attacks. Prevention measures such as HTTP load balancing have an always-on approach, making sites less vulnerable to attacks. Detection systems within a CDN look for suspicious behavior and highlight the need for additional investigation and action. An example of a detection might be a traffic surge in which case the CDN provider has systems in place to automatically notify those responsible for the website. Corrective measures such as secured DNS will block out unwanted requests while continuing to allow trustworthy requests to continue being served. Finally, if your server goes down, Cloudflare will serve your website’s static pages from their cache. We will set up the Cloudflare free plan for your website. Cloudflare is one of the top 5 CDN’s and has a free plan that covers many of the basics. We will tune it using the same settings we use for our own site.

7. Uptime monitoring: We’ll add your site to our updown.io account, which provides monitoring of your website’s uptime and it will notify us if your site goes down so we can investigate and get it back up.