There’s good news. There’s plenty you can do.
Last week we talked about why even restaurant and mom-and-pop shops can be attractive to hackers. This week, we’re going to take a deep dive into a comprehensive list of steps that need to be taken to keep your site secure, either by yourself, your staff or your contracted tech partner.
Keep the Site’s Platform Up-To-Date
This is the number one item on the to-do list. At Paragon, we primarily build in WordPress (so you’ll see us reference it throughout this list, but the advice holds for every platform), and the upgrade process for both the platform and plugins is straightforward. Dedicate an hour on a set day, every month, for site updates and put it on your calendar. Treat that monthly slot as the floor, not the ceiling: when WordPress, a plugin or a theme publishes a security release, apply it as soon as it is announced rather than holding it for the next scheduled window, because the flaw it fixes is public from the moment the release is.
Keep Everything Backed Up
Back up your site and database immediately before making updates. Always. No really. I know you know this. You’ve heard about the wonders of backup. It’s all true. Don’t just nod. Back. It. Up.
WordPress is very dependable when it comes to automatic updates. They just work. However, site developers sometimes lean on a bit of WordPress’ internal functionality to build a feature unique to your site. If an update changes or removes that functionality, your site may stop working properly, and that is the moment the backup earns its keep: restore it, get the glitch fixed by your technology partner, then get the site upgraded. Don’t leave the site on the old version while you wait; if the fix is going to take a while, try the update first on a staging copy of the site so the breakage is found without taking the live site down.
Use as Few Plugins as Possible
Plugins add great functionality at a great price. Many are free, some are paid, but every one of them runs with the same privileges as WordPress itself, and each is only as good as the developer who wrote it AND that developer’s ongoing effort to keep it secure. People often forget about this part: a plugin whose author has walked away is a permanently unpatched hole that holds your site’s database credentials. Our advice is to use them sparingly, check when a plugin was last updated before installing it, keep them up-to-date, and remove (not just deactivate) any plugin that is no longer in use.
The Current Theme Should Be The Only Theme
WordPress comes with themes out of the box. If you paid someone to build a WordPress site for you, then your site is a combination of a theme, CMS configuration and possibly plugin functionality. A theme is code, and code can contain security flaws. An inactive theme is not dormant: its PHP files still sit under wp-content/themes, and on a typical server a request that names one of those files directly will run it whether or not the theme is active. Remove all inactive themes to take that unused code off the server. If you want a fallback in case the live theme breaks, keep exactly one current default theme and update it along with everything else.
Do Not Allow Users to Update Code Through the CMS
Don’t. Ever. Allow. This… Ever.
With WordPress this is a one-line change to the wp-config.php file: define the DISALLOW_FILE_EDIT constant as true and the theme and plugin editors disappear from the dashboard. (Its stricter sibling, DISALLOW_FILE_MODS, also blocks installing and updating plugins and themes from the dashboard, including uploading a plugin zip; it closes more doors, but it means updates have to be done on the server, so only turn it on if that is already how you work.) Regardless of the platform, letting the CMS edit its own code is a terrible idea. If an administrator account is ever compromised, a hacker can use the built-in editor to inject anything they want into the theme and beyond, without ever needing access to the server itself.
How? They would edit a theme file (let’s say index.php) to add a bit of code that lets them upload a file to a folder of their choosing. They use that to upload a backdoor (mybadcode.php), then edit index.php again to remove the obvious traces of their presence. They can now talk directly to their own code, which looks like any other PHP file on the site at a casual glance, and you might not know for months. The tell is a theme or plugin file whose contents changed when nobody was running an update, or a .php file that appeared somewhere no update put it, which is why a checksum baseline of the theme directory is worth keeping.
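As an added example (not Paragon’s code, and not something WordPress ships), here is a small POSIX shell script that does both halves of this for a site on a Linux server: it drops the DISALLOW_FILE_EDIT define into wp-config.php at the spot where WordPress expects custom constants, and it keeps a SHA-256 baseline of the theme directory so the index.php edit and the extra .php file described above show up as a diff. The site path and baseline file location are assumptions; it expects awk and GNU coreutils (sha256sum) to be present.

```shell
#!/bin/sh
# Added example, not Paragon's code. Assumes a standard WordPress layout:
# wp-config.php in the site root, themes under wp-content/themes, and
# awk plus GNU coreutils (sha256sum) on the server.

# 0 if wp-config.php already disables the dashboard code editor.
wp_file_edit_disabled() {
    grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Add the define just above the line that loads wp-settings.php (constants
# must be defined before that line or WordPress never sees them). Safe to
# run repeatedly. Returns 1 if the file has no wp-settings.php line.
wp_disable_file_edit() {
    cfg="$1"
    wp_file_edit_disabled "$cfg" && return 0
    tmp="$cfg.tmp.$$"
    awk '
        /require_once.*wp-settings\.php/ && !inserted {
            print "define( '\''DISALLOW_FILE_EDIT'\'', true );"
            inserted = 1
        }
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    wp_file_edit_disabled "$cfg"
}

# Write a sorted "hash  path" baseline of every file under a themes directory.
theme_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# Compare the directory against a saved baseline. Prints diff lines
# ("<" = baseline, ">" = now) and returns 1 if anything changed, was added
# or was removed. A changed index.php or an unexpected new .php file is
# exactly the trace the attack described in the text leaves behind.
theme_changes() {
    now=$(mktemp)
    theme_baseline "$1" "$now"
    if diff "$2" "$now"; then rc=0; else rc=1; fi
    rm -f "$now"
    return $rc
}

# Usage: sh harden.sh /var/www/html /var/lib/site/theme-baseline.txt
# (hypothetical paths; keep the baseline outside the document root).
if [ "$#" -eq 2 ]; then
    wp_disable_file_edit "$1/wp-config.php" || echo "could not edit $1/wp-config.php" >&2
    if [ -f "$2" ]; then
        theme_changes "$1/wp-content/themes" "$2"
    else
        theme_baseline "$1/wp-content/themes" "$2" && echo "baseline written to $2"
    fi
fi
```

Run it once to set the constant and record the baseline, then from cron. A non-zero exit means something under wp-content/themes changed, appeared or disappeared: right after a legitimate update that just means re-recording the baseline; at any other time it means reading the diff before touching anything else. If you use WP-CLI, wp config set DISALLOW_FILE_EDIT true --raw does the config edit in one command.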
Use a Security Monitoring Plugin
If you’re on WordPress, we recommend Wordfence. It is an excellent plugin that scans the WordPress platform, plugins, themes, uploads and more for common signatures of hacks. It can also help stop brute-force attacks against login and password recovery, monitor file system changes, offer two-factor authentication, lock out IP addresses or entire countries, and alert you to admin login attempts… you get the idea. It is great and it is free. Go for the $5/mo plan for all the features. A very small price to pay for what it gets you. One caveat: a security plugin runs inside the site it is protecting, so it only sees what PHP sees. It sits alongside server-level logging and backups; it does not replace them.
Do Not Use Your Web Server For Site Archives
Old sites have old, unpatched code. Moving them into a public directory called “archive” or “backups” is a common pattern, and those URLs are exactly what automated scanners probe for; if directory listing is on, the attacker doesn’t even have to guess file names. An old copy of the site is also still executable, so a vulnerability in its years-old plugin is a way into the current server, and its wp-config.php usually still holds the live database password. Likewise, do not keep zip files of old sites in public folders: if they are found, they can be downloaded. The same is true for .sql database dumps, which hand over every user’s password hash in one request. Keep archives and dumps outside the document root entirely, or better, off the server.
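A quick way to catch this on an existing server, as an added example that is not part of Paragon’s list: a POSIX shell script that lists archive files, database dumps and suspiciously named directories under the document root, and can move the files to a directory the web server does not serve. The file patterns, the directory names and the docroot path are assumptions for the example.

```shell
#!/bin/sh
# Added example, not Paragon's code. Assumes the first argument is the
# directory the web server publishes (e.g. /var/www/html, a hypothetical path).

# Files that should never sit under the document root: site archives,
# database dumps and editor/backup copies.
archive_files() {
    find "$1" -type f \( -iname '*.zip' -o -iname '*.tar' -o -iname '*.tar.gz' \
        -o -iname '*.tgz' -o -iname '*.sql' -o -iname '*.sql.gz' -o -iname '*.bak' \)
}

# Directory names that invite probing, whatever they contain.
archive_dirs() {
    find "$1" -type d \( -iname 'archive' -o -iname 'archives' -o -iname 'backup' \
        -o -iname 'backups' -o -iname 'old' -o -iname '*_old' -o -iname '*.old' \)
}

# Print everything found; return 1 if there was anything, so the check
# can fail a cron job or a deploy step.
find_exposed_archives() {
    found=$( { archive_files "$1"; archive_dirs "$1"; } | LC_ALL=C sort )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Move the offending files to a directory outside the docroot, keeping
# their relative paths so nothing is overwritten. Directories are left for
# a human to review, since a folder called "old" may still be in use.
move_out_of_docroot() {
    docroot=$1; dest=$2
    archive_files "$docroot" | while IFS= read -r f; do
        rel=${f#"$docroot"/}
        mkdir -p "$dest/$(dirname "$rel")"
        mv "$f" "$dest/$rel"
        printf 'moved %s -> %s\n' "$f" "$dest/$rel"
    done
}

# Usage: sh exposed.sh /var/www/html
if [ "$#" -ge 1 ]; then
    find_exposed_archives "$1" || echo "review the list above; move_out_of_docroot DOCROOT DEST relocates the files" >&2
fi
```

Pair the listing with a web server rule that refuses to serve those extensions at all, so a dump that lands in the docroot by accident is still not downloadable; the script is the audit, the rule is the safety net.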
Use Cloud Storage for Site Visitor’s Uploaded Files
If your site revolves around visitors’ files, store them in a cloud service like Amazon S3. They’ll be separate from your server, and an object store will not execute a PHP file that sneaks past you (it still needs sane permissions: no public listing, and access reviewed like anything else). If files must be stored locally, check the file’s type and extension before storing, and do it properly: decide the type from the file’s own bytes, not from the MIME type the browser sends, which the uploader controls; allow a short list of extensions and reject double extensions like photo.php.png; give the stored file a random name; isolate the uploads from all other files, outside the web root if at all possible; and do not allow direct access, serving them instead through a script that sets the content type and a download disposition itself.
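The content check this paragraph calls for, written as an added example (not code from Paragon or WordPress) in POSIX shell so it can be run against files already on disk, say an existing uploads directory, as well as wired into a deployment step. It decides the type from the file’s first bytes, refuses anything whose extension promises a different type or carries a script extension anywhere in the name, and copies accepted files under random names into a directory outside the web root. The list of allowed types and the storage directory are assumptions.

```shell
#!/bin/sh
# Added example, not Paragon's code. Audits files on disk (e.g. a
# wp-content/uploads tree) and can copy accepted ones into a directory the
# web server does not serve. The allowed types and the storage path are
# assumptions for this example.

# Type implied by the file's first bytes, ignoring whatever the browser or
# the extension claimed. Signatures are the standard magic numbers.
content_type_of() {
    sig=$(od -An -N8 -tx1 "$1" | tr -d ' \n')
    case "$sig" in
        89504e470d0a1a0a*)           echo image/png ;;
        ffd8ff*)                     echo image/jpeg ;;
        474946383761*|474946383961*) echo image/gif ;;
        25504446*)                   echo application/pdf ;;
        *)                           echo unknown ;;
    esac
}

# Type the extension promises. Anything not listed is refused outright.
type_for_name() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.png)        echo image/png ;;
        *.jpg|*.jpeg) echo image/jpeg ;;
        *.gif)        echo image/gif ;;
        *.pdf)        echo application/pdf ;;
        *)            echo disallowed ;;
    esac
}

# 0 = accept. Prints the reason on reject. Rejects server-side script
# extensions anywhere in the name (shell.php.gif), unknown extensions, and
# files whose content disagrees with their extension (a PHP file renamed
# to .png is the classic one).
upload_ok() {
    f=$1
    case "$(printf '%s' "$f" | tr 'A-Z' 'a-z')" in
        *.php*|*.phtml*|*.phar*) echo "reject $f: script extension in name"; return 1 ;;
    esac
    want=$(type_for_name "$f")
    if [ "$want" = disallowed ]; then echo "reject $f: extension not allowed"; return 1; fi
    got=$(content_type_of "$f")
    if [ "$got" != "$want" ]; then echo "reject $f: name says $want, content is $got"; return 1; fi
    return 0
}

# Copy an accepted file under a random name (nothing of the original name
# survives except the verified, lower-cased extension) into a directory
# outside the docroot; prints the new path.
store_upload() {
    src=$1; dest=$2
    upload_ok "$src" >/dev/null || return 1
    ext=$(printf '%s' "${src##*.}" | tr 'A-Z' 'a-z')
    name=$(od -An -N12 -tx1 /dev/urandom | tr -d ' \n')
    mkdir -p "$dest" && cp "$src" "$dest/$name.$ext" && printf '%s\n' "$dest/$name.$ext"
}

# Walk a directory, print every file that fails, return 1 if any did.
audit_uploads() {
    report=$(find "$1" -type f | while IFS= read -r f; do upload_ok "$f" || true; done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: sh uploads.sh /var/www/html/wp-content/uploads   (hypothetical path)
if [ "$#" -ge 1 ]; then
    audit_uploads "$1" && echo "all files under $1 match their extensions"
fi
```

The signature list is deliberately short; every type you add is another parser on the server’s attack surface, so add types because the site needs them, not because a user asked once. Note that the check says nothing about what a valid image contains (an image can still carry a malicious EXIF comment or an SVG can carry script), which is one more reason to serve uploads through a script with a fixed content type rather than straight off the disk.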
Collect Your Log Files
It might suck to go through them, but log files can be invaluable when looking for attempts against the server or the code, or when doing forensics after an exploit is uncovered. Two things make them actually useful when that day comes: keep them for a long time (remember, you might not know for months), and ship a copy off the server, because the first thing a careful intruder does once they have the run of the box is tidy up the logs. Patching a hole is how you stop a leak. Understanding how the hole was found and what was done to game the vulnerability is how you prevent leaks.
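An added example of what “going through them” looks like (not Paragon’s code): three awk one-liners wrapped in shell functions that run over a web server access log in the common combined format and pull out the three things this post has been warning about: probes for archive paths and whether any were actually served, password guessing against wp-login.php and xmlrpc.php, and requests for PHP files that are not normal WordPress entry points, which is how a dropped mybadcode.php shows up. The log lines are constructed for the example (documentation IP ranges), and the field positions assume the combined log format.

```shell
#!/bin/sh
# Added example, not Paragon's code. Works on Apache/nginx "combined" format
# access logs: client IP is field 1, method is field 6 (with a leading
# quote), path is field 7, status is field 9. The lines below are
# constructed for the example, using documentation IP ranges.

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Mar/2019:02:14:11 +0000] "GET /backup/ HTTP/1.1" 404 221 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:02:14:12 +0000] "GET /archive/ HTTP/1.1" 404 221 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:02:14:13 +0000] "GET /site.sql HTTP/1.1" 404 221 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:02:14:14 +0000] "GET /wp-content/backups/db.sql HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2019:02:15:02 +0000] "GET /about/ HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2019:02:15:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2019:02:20:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "python-requests/2.21.0"
198.51.100.9 - - [10/Mar/2019:02:20:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "python-requests/2.21.0"
198.51.100.9 - - [10/Mar/2019:02:20:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "python-requests/2.21.0"
198.51.100.9 - - [10/Mar/2019:02:20:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "python-requests/2.21.0"
198.51.100.9 - - [10/Mar/2019:02:20:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "python-requests/2.21.0"
198.51.100.9 - - [10/Mar/2019:02:20:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "python-requests/2.21.0"
198.51.100.9 - - [10/Mar/2019:02:20:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.21.0"
203.0.113.7 - - [10/Mar/2019:02:31:09 +0000] "GET /mybadcode.php?cmd=id HTTP/1.1" 200 61 "-" "Mozilla/5.0"
EOF
)

# Requests for archive-style paths. A 404 is someone guessing; a 200 means
# the guess was right and the file was handed over.
probe_hits() {
    awk '$7 ~ /^\/(backup|backups|archive|archives|old)(\/|$)|\.(sql|sql\.gz|zip|tar\.gz|tgz|bak)($|\?)/ {
        print ($9 == "200" ? "SERVED" : "probe"), $1, $9, $7
    }' "$1"
}

# IPs with at least $2 (default 5) POSTs to the login or XML-RPC endpoints,
# i.e. password guessing. Only POSTs count; a GET of wp-login.php is a human.
login_bruteforce() {
    awk -v min="${2:-5}" '$6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1" | sort
}

# Hits on PHP files that are not normal WordPress entry points. A name you
# do not recognise here (mybadcode.php in the text) is a backdoor in use.
unexpected_php() {
    awk '{ p = $7; sub(/\?.*/, "", p) }
         p ~ /\.php$/ && p !~ /^\/(index|wp-login|wp-cron|xmlrpc|wp-comments-post)\.php$/ && p !~ /^\/wp-admin\// {
             print $1, $9, p
         }' "$1" | sort | uniq -c
}

# Usage: sh logcheck.sh /var/log/apache2/access.log [more logs...]
if [ "$#" -ge 1 ]; then
    for log; do
        echo "== $log: archive probes";                      probe_hits "$log"
        echo "== $log: login guessing (5+ POSTs per IP)";    login_bruteforce "$log" 5
        echo "== $log: php files outside normal entry points"; unexpected_php "$log"
    done
fi
```

On the sample, the first function reports three misses and one SERVED line for db.sql, the second reports one IP with seven POSTs, and the third reports the single hit on mybadcode.php with status 200. That last line is the one that turns a log review into an incident: the file was there and the server ran it.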
Scan Your Backups
If you manually downloaded the files to your computer, scan them for viruses. Firewall/antivirus software is almost commonplace these days on a user’s computer. All users, but especially developers, should have it on their systems. Regardless of what you use, have your software scan the backups and fix anything that pops up. Bear in mind what a scanner can and cannot see: it catches known malware, but a hand-written PHP backdoor usually sails straight through, so also compare the backup against known-good copies. WP-CLI’s wp core verify-checksums command checks every core file against the checksums WordPress publishes for that version, and a file it flags, or a file that exists in your backup but not in the release, is worth reading before you restore from it.
So there’s the breakdown. And I know it looks like a lot. But here’s the reality. Regular maintenance is absolutely critical to keeping your site secure and safe. Waiting until there is a problem before addressing security can cost you time, money and users. All of which are hard to come by.