Website Security 2019


We implement quite a number of forms of security to protect and optimize the websites we manage. A handful of specific, simple ‘settings’-style security measures mitigate a large share of the issues we see. Below we discuss common security-related issues, many of which users and business owners do not think about or normally associate with security. We also list most of our ‘standard’ security measures. Bear in mind that security is a constantly moving target on the internet, so treat this as a good guideline, not a complete and up-to-date list.

Of course, there is no such thing as 100% protection…

Security can be a pretty big subject.

Background

In the past, we have had a number of clients’ sites come under attack and have had to take drastic measures to help them protect their business. These attacks have ranged from aggressive but untargeted DDoS (30,000 concurrent attacking servers) through to blatant, multi-level, targeted negative SEO. We recommend business owners have at least some insight into common forms of security risk. Below are some of the more recent forms of attack.

  • Disgruntled ex-employee accusations that resulted in a hosting company removing a site without notice.
  • We have even seen key-phrase-orientated trademark infringement intimidation. We recommend our clients protect their brand with a trademark, as in “Holistic Web Presence®.”
  • Another, more recent, form of attack is negative reviews. To reduce their impact, we strongly recommend clients make a sustained effort to earn a stream of positive reviews. We have seen clients’ lead rates double on the strength of a stream of positive reviews, or drop by half after just a handful of negative ones.
  • The most common, and probably the biggest, security hole is clients themselves using easy-to-guess passwords or handling them carelessly: for example, storing passwords in the browser, where malware can harvest them, or emailing login details from an email account that itself has a weak password. To mitigate this, we recommend clients use long, unique passwords and a password manager such as RoboForm or LastPass.
  • Emailed solicitations. How this works is simple: as a client’s website ranks, it becomes more visible and therefore more of a target. The owner receives all kinds of offers; here is an example: “We found your website, and it has an excellent design. However, we notice that it is not ranking for a number of your top key phrases. We specialize in SEO and can help you get ranking on Google page one for just $150.” The owner does not realize that this is an automated email sent to thousands of website owners.
  • Negative SEO. This is a whole subject in and of itself, see Is Negative SEO Real? Does Google Care? for further insight into this fascinating subject.


Our Standard Security Measures Check List

  1. Local Brute Force Protection
    • Counts failed logins per IP address and per user on this site and locks them out once a threshold is reached
  2. Network Brute Force Protection
    • Also blocks IP addresses that have been reported attacking other sites, so a known bot is refused before its first guess here
  3. Hidden Login URL
    • This helps because most automated attacks target the known login URLs
    • If the login URL is changed, those bots cannot find the front door; this cuts the noise rather than stopping a determined attacker, so it complements, but does not replace, the lockout and password rules
  4. Ban list (blacklist feature)
    • An IP address is banned after too many incorrect login attempts
    • Stops a bot from running through password variations at speed
  5. Enforce strong passwords (at least 12 characters, mixing letters and digits)
    • Probably the simplest and most effective security measure
    • It is amazing how many websites still use short, easily guessed passwords
  6. Removed ‘admin’ user
    • The second simplest security measure: using the default “admin” as a login name is asking for trouble, because every brute-force script tries it first
  7. Non-obvious usernames and passwords
    • When replacing a username such as ‘admin’, it is important not to pick something equally obvious, such as the website name or the owner’s name
    • Cliché passwords like “pa$$word123” are also asking for trouble; swapping a few letters for symbols does not make a common password uncommon
  8. Change database table prefix
    • Generic attack scripts assume the default ‘wp_’ prefix; changing it, like changing any other default setting, costs nothing and makes those scripts fail, although it will not stop an attacker who already has a way into the database
  9. WordPress Firewall
  10. WordPress Security Scanner
  11. Weekly Activity Report
  12. Email Alerts
  13. Daily Database Backup
  14. Monthly Full Site Backup
  15. SSL/TLS (HTTPS across the whole site)
  16. Spam Protection
  17. Google Search Console (GSC) monitoring
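
As an added example (not code from this page or from any of the plugins listed below), the following Python shows the logic behind items 1, 2 and 4 and items 5 to 7 of the checklist: it replays constructed login events through a per-IP lockout with a shared network denylist, then applies the password and username rules. The log format, the thresholds (five failures within five minutes earn a fifteen-minute ban), the IP addresses, the tiny common-password list and the names used are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login events in a made-up log format; addresses and accounts are not real.
SAMPLE_LOG = """\
2019-03-04 10:00:01 FAIL ip=203.0.113.7 user=admin
2019-03-04 10:00:03 FAIL ip=203.0.113.7 user=admin
2019-03-04 10:00:05 FAIL ip=203.0.113.7 user=administrator
2019-03-04 10:00:07 FAIL ip=203.0.113.7 user=admin
2019-03-04 10:00:09 FAIL ip=203.0.113.7 user=admin
2019-03-04 10:00:11 OK   ip=203.0.113.7 user=admin
2019-03-04 10:00:45 OK   ip=198.51.100.4 user=editor
2019-03-04 10:01:00 FAIL ip=192.0.2.9 user=admin
2019-03-04 10:15:12 OK   ip=203.0.113.7 user=admin
"""
LINE_RE = re.compile(r"^(\S+ \S+) (FAIL|OK)\s+ip=(\S+) user=(\S+)$")

def parse_line(line):
    """Return (timestamp, ip, username, success) for one sample log line."""
    ts, status, ip, user = LINE_RE.match(line).groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, user, status == "OK"

class LoginLockout:
    """Local lockout (sliding window of failures per IP) plus a shared network denylist."""
    def __init__(self, max_failures=5, window_s=300, ban_s=900, shared_denylist=()):
        self.max_failures = max_failures
        self.window, self.ban = timedelta(seconds=window_s), timedelta(seconds=ban_s)
        self.failures = defaultdict(deque)           # ip -> timestamps of recent failures
        self.banned_until = {}                       # ip -> when its local ban expires
        self.shared_denylist = set(shared_denylist)  # IPs reported attacking other sites

    def decision(self, ip, now):
        """Taken before the password is checked, so a banned IP learns nothing."""
        if ip in self.shared_denylist:
            return "banned-network"
        if ip in self.banned_until and now < self.banned_until[ip]:
            return "banned-local"
        return "allow"

    def record(self, ip, success, now):
        """Feed one attempt; return the verdict applied to it."""
        verdict = self.decision(ip, now)
        if verdict != "allow":
            return verdict
        if success:
            self.failures.pop(ip, None)              # a real login resets the counter
            return "allow"
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                         # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = now + self.ban
            recent.clear()
            return "banned-local"
        return "allow"

def replay(lines, lockout):
    """Run the lockout over log lines and return one verdict per line."""
    return [lockout.record(ip, ok, ts) for ts, ip, _user, ok in map(parse_line, lines)]

# Tiny constructed denylist; a real deployment checks a breached-password list.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "admin", "wordpress"}
RESERVED_USERNAMES = {"admin", "administrator", "root", "test", "user", "wordpress"}
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "4": "a", "!": "i"})

def normalise(text):
    """Lower-case and undo common substitutions: 'Pa$$w0rd' -> 'password'."""
    return text.lower().translate(LEET)

def name_tokens(name):
    """Lower-cased words of four or more letters from a site, owner or user name."""
    return {w.lower() for w in re.findall(r"[A-Za-z]{4,}", name)}

def check_password(pw, username="", site_name="", owner_name=""):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("needs both letters and digits")
    stem = normalise(re.sub(r"[\W\d_]+$", "", pw))    # drop trailing digits/symbols, then de-leet
    if stem in COMMON_PASSWORDS:
        problems.append(f"matches common password '{stem}'")
    full = normalise(pw)
    for label, name in (("username", username), ("site name", site_name), ("owner name", owner_name)):
        if any(tok in full for tok in name_tokens(name)):
            problems.append(f"contains the {label}")
    return problems

def check_username(username, site_name="", owner_name=""):
    """A login name must not be a default, nor be built from the site or owner name."""
    problems = []
    squashed = re.sub(r"[^a-z0-9]", "", username.lower())
    if squashed in RESERVED_USERNAMES:
        problems.append("reserved or default username")
    for label, name in (("site name", site_name), ("owner name", owner_name)):
        if any(tok in squashed for tok in name_tokens(name)):
            problems.append(f"derived from the {label}")
    return problems
```

Replaying the sample with `192.0.2.9` on the shared denylist shows the two properties that matter: the attacker’s sixth attempt from `203.0.113.7` is refused even though it carries the correct password, because the ban is decided before the password is looked at, and the address on the network list is refused on its very first try. The password checks strip trailing digits and undo letter-for-symbol swaps before comparing, which is why “pa$$word123” is rejected as “password” rather than passing as a novel string.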

Our Standard Security Related Plugins

  • iThemes Security
  • Wordfence Security
  • BackupBuddy
  • Akismet Anti-Spam
  • Contact form with Google reCAPTCHA

When Things Get Out Of Hand

  • Sucuri

Useful Basic Insights