
Site Security: Making it Happen

It's hard not to feel overwhelmed by the idea of site security. After all, if huge corporations can't keep hackers out, what chance do you stand?


There’s good news. There’s plenty you can do.

Last week we talked about why even restaurants and mom-and-pop shops can be attractive to hackers. This week, we’re going to take a deep dive into a comprehensive list of steps that need to be taken to keep your site secure, whether by yourself, your staff or your contracted tech partner.


Keep the Site’s Platform Up-To-Date

This is the number one thing on the things-to-do list. At Paragon, we primarily build in WordPress (so you’ll see us reference it in this list, but the advice is true for every platform) and the upgrade process for both the platform and plugins is straightforward. Dedicate an hour out of a set day, every month, for site updates and put it on your calendar.

Keep Everything Backed Up

Back up your site and database immediately before making updates. Always. No really. I know you know this. You’ve heard about the wonders of backup. It’s all true. Don’t just nod. Back. It. Up.

WordPress is very dependable when it comes to automatic updates. They just work. However, sometimes site developers use a bit of WordPress’ functionality to create a feature unique to your site. If a WordPress update changes or removes that functionality, your site may not work properly, and that is when the backup becomes necessary: it can be used to restore the site while your technology partner fixes the glitch. Once the glitch is no more, get that site upgraded.

Use as Few Plugins as Possible

Plugins add great functionality at a great price. Many are free, some are paid, but they are all only as good as the developer who wrote them AND that developer’s ongoing effort to keep the plugin secure. People often forget about this part. Our advice is to use them sparingly, keep them up-to-date, and remove any plugins that are no longer in use.

The Current Theme Should Be The Only Theme

WordPress comes with themes out of the box. If you paid someone to build a WordPress site for you, then your site is a combination of a theme, CMS configuration and possibly plugin functionality. Because a theme contains code, it is possible for that code to contain security flaws. Remove all inactive themes to eliminate the possibility of exploitation through this unused code.

Do Not Allow Users to Update Code Through the CMS

Don’t. Ever. Allow. This… Ever.

With WordPress this can be prevented with a bit of code plopped into the wp-config.php file. Regardless of the platform, allowing code edits through the CMS is a terrible idea. If the CMS user account is ever compromised, a hacker can easily use this to inject anything they want into the theme and beyond.

How? They would edit a theme’s file (let’s say index.php) to add a bit of code that would allow them to upload a file to a given folder. They use this to upload an exploit (mybadcode.php), and then edit the theme’s index.php file to remove obvious traces of their presence. They can now interact directly with their code and you might not know for months.

Use a Security Monitoring Plugin

If you’re on WordPress, we recommend Wordfence. It is an excellent plugin that scans the WordPress platform, plugins, themes, uploads and more to look for common signatures of hacks. It can also help stop brute-force attacks against login and password recovery, monitor file system changes, offer two-factor authentication, lock out IP addresses or entire countries, alert you to admin login attempts… you get the idea. It is great and it is free. Go for the $5/mo plan for all the features. A very small price to pay for what it gets you.

Do Not Use Your Web Server For Site Archives

Old sites have old, unpatched code. Moving them into a public directory called “archive” or “backups” is a common pattern, and those URLs can be probed to see if anything is in there. Additionally, do not keep zip files of old sites in public folders. If they are found, they can be downloaded. The same is true for .sql database dumps.

Carolina Prysyazhnyuk

Use Cloud Storage for Site Visitors’ Uploaded Files

If your site revolves around visitors’ files, store them in a cloud service like Amazon S3. They’ll be separate from your server and won’t present a threat if something unruly sneaks by. If files must be stored locally, check the file’s MIME type and file extension before storing, isolate them from all other files, and do not allow direct access.
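As an added example (not code from the article or from Paragon’s own sites), here is a Python validator that applies those local-storage checks in the order the paragraph lists them: it allows only a short list of extensions, confirms the file’s leading bytes actually match that extension, and stores the file under a random name in a directory of your choosing outside the web root. The allowed-type table, the `UploadRejected` error and the `store_dir` argument are assumptions made for this example.

```python
import os
import secrets
from pathlib import Path

# Allowed extension -> magic bytes the content must start with (assumed list).
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

class UploadRejected(ValueError):
    """Raised when an uploaded file fails any of the checks."""

def validate_upload(filename, data):
    """Return the normalised extension if the upload passes, else raise UploadRejected."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop any path the client sent
    parts = name.lower().split(".")
    # Exactly one extension: rejects "shell.php.jpg" style double extensions and dotfiles.
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected(f"unexpected file name: {filename!r}")
    ext = "." + parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext}")
    # The extension alone proves nothing; the bytes must match the claimed type.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not match {ext}")
    return ext

def is_acceptable(filename, data):
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False

def store_upload(filename, data, store_dir):
    """Validate, then save under a random name in store_dir (keep it outside the web root)."""
    ext = validate_upload(filename, data)
    store = Path(store_dir)
    store.mkdir(parents=True, exist_ok=True)
    # Random name: the client never chooses where, or as what, the file is stored.
    dest = store / (secrets.token_hex(16) + ext)
    dest.write_bytes(data)
    dest.chmod(0o640)  # readable by the application user only, never executable
    return dest
```

Serve stored files through an application handler that sets the Content-Type itself, so the web server never executes or directly exposes anything in `store_dir`.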

Collect Your Log Files

It might suck to go through them, but log files can be invaluable when looking for attempts against the server or its code, or when doing forensics after an exploit is uncovered. Patching a hole is how you stop a leak. Understanding how the hole was found and what was done to exploit the vulnerability is how you prevent leaks.
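The following Python scan, added here and not part of the original article, shows the kind of thing to look for in a web server’s access log: the probes for “archive”/“backups” directories and .zip/.sql dumps described under “Do Not Use Your Web Server For Site Archives”, a PHP file being requested from the uploads folder (the mybadcode.php scenario above), and a burst of POSTs to wp-login.php of the kind a plugin like Wordfence blocks. The log lines are constructed samples in Apache combined format, and the watch lists and login threshold are assumptions.

```python
import re
from collections import Counter

# One request per line in Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ARCHIVE_DIRS = ("/archive/", "/archives/", "/backup/", "/backups/", "/old/")  # assumed
DUMP_EXTS = (".zip", ".sql", ".tar.gz", ".tgz")  # assumed

# Constructed sample log lines (not from the article); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Mar/2016:10:01:02 +0000] "GET /backups/site-2014.zip HTTP/1.1" 200 5120 "-" "curl/7.47"',
    '203.0.113.5 - - [01/Mar/2016:10:01:09 +0000] "GET /archive/db.sql HTTP/1.1" 404 210 "-" "curl/7.47"',
    '198.51.100.7 - - [01/Mar/2016:10:02:00 +0000] "POST /wp-content/uploads/2016/03/mybadcode.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Mar/2016:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 3400 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [01/Mar/2016:10:04:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.9"'
    for i in range(6)
]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_log(lines, login_threshold=5):
    """Return (kind, ip, detail) tuples for every suspicious request or pattern."""
    findings = []
    login_posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        # Someone looking for old site copies or database dumps (even a 404 is a probe).
        if path.startswith(ARCHIVE_DIRS) or path.endswith(DUMP_EXTS):
            findings.append(("archive_probe", rec["ip"], path))
        # PHP should never be served from the uploads folder; a hit here means a dropped file.
        if "/wp-content/uploads/" in path and path.endswith(".php"):
            findings.append(("php_in_uploads", rec["ip"], path))
        if rec["method"] == "POST" and path == "/wp-login.php":
            login_posts[rec["ip"]] += 1
    # Repeated login POSTs from one address look like password guessing.
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings.append(("login_brute_force", ip, f"{n} POSTs to /wp-login.php"))
    return findings
```

Run `scan_log` over your real access log (one line per entry) and treat the 200 on the .zip download as the urgent one: the file was actually served.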

Scan Your Backups

If you manually downloaded the backup files to your computer, scan them for viruses. Firewall and antivirus software is commonplace these days on users’ computers, and all users, but especially developers, should have it on their systems. Regardless of what you use, have your software scan the backups and fix anything that pops up.

So there’s the breakdown. I know it looks like a lot, but here’s the reality: regular maintenance is absolutely critical to keeping your site secure and safe. Waiting until there is a problem before addressing security can cost you time, money and users, all of which are hard to come by.

Philip Joyner

Not only can the man stare down CSS code until it writes itself in sheer terror, but he is famous around 220 E. Hall St for what we like to call his “happy dance”. Few have seen it, and those who have can’t get enough.
