Securing WordPress from malicious actors
In 2016 WordPress is undoubtedly the most successful content management system. Right now it claims an incredible 27% market share: roughly a quarter of all internet sites run on WordPress. It has more developers contributing to it than any other technology project, fostering an ecosystem of frameworks, themes and plugins. Its open source nature has propelled it to the top of the internet.
All this success comes at a price, though: when the most sites run on your platform, bad actors target you. The sheer number of websites running WordPress guarantees that a large share of them are not properly set up, configured and maintained. Just as virus writers target Windows PCs, bad actors target WordPress users; it's a numbers game. That's why you need a host and support partner like DistroServer that protects your sites against the various ways black hat hackers target WordPress applications. You invest a lot of time and money in your website; join with a partner that will proactively protect you.
Distributed Denial of Service Attacks
A Denial of Service attack is when a bad actor tries to take your site offline by sending hundreds of thousands of requests to it. The server hosting your WordPress app is overwhelmed with more traffic than it can handle, chokes and crashes. When that happens, your site goes offline.
There are many ways a bad actor can achieve this: by controlling a huge botnet of virus-infected PCs, by using other websites that have already been hacked, or by renting the capability from services sold in online black markets. The first D in DDoS stands for Distributed: many attacking IPs against your one website IP. Under this stress most sites go down.
At DistroServer we employ two layers of DDoS mitigation: one at the domain name (DNS) level and one at the server level. The first tries to deflect attacks on your site before they ever reach your server, and if they do make it through the DNS layer, the second layer at the server level takes over. The end result is that it is very unlikely your website will go down from a DDoS attack.
Encryption For Everyone
Once upon a time, SSL encryption was a racket controlled by entities called Certificate Authorities (CAs), which are in charge of issuing digital certificates. While there is a cost to running a CA, they largely kept prices artificially high, pricing out most regular people trying to protect their websites. Certificates still sell for hundreds of dollars today, in what will be the last days of a dying industry. Why? Because everybody should be able to afford encryption. In computing, encryption is the basis of everything: there would be no Google, no Amazon and no online banking without it.
Thankfully there is a group of cyberpunks, sponsored by companies like Google, Mozilla, Akamai and others, who are pushing for encryption in an open source way, much as WordPress itself started. Thanks to their effort, we at DistroServer provide free encryption to every one of our customers, even those on the free plan.
SSL itself refers to an old encryption protocol that has already been phased out. SSL was a great enabler in the early days of the internet, but now we have a better protocol called TLS, which is an order of magnitude safer and faster than SSL ever was, and every website hosted on DistroServer gets to use it if the client so chooses. According to Google, HTTPS improves a website's SEO ranking.
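The difference between "SSL" and "TLS" is not just a name: SSLv2 and SSLv3 are retired, and TLS 1.0 and 1.1 have since been deprecated as well (RFC 8996), so a modern server or client should refuse anything below TLS 1.2. The following is an added example using Python's standard `ssl` module; it is not code from DistroServer or from this article. It shows a hardened client and server context with a TLS 1.2 floor, a small classifier for protocol names as reported by `SSLSocket.version()`, and a helper that connects to a host and reports what was actually negotiated (the host name is whatever you pass in; no real site is assumed).

```python
import socket
import ssl

# Protocol names as returned by ssl.SSLSocket.version(). SSLv2/SSLv3 are the
# "SSL" that has been phased out; TLS 1.0 and 1.1 were deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def classify_protocol(version_name: str) -> str:
    """Classify a negotiated protocol name as 'ok', 'deprecated' or 'unknown'."""
    if version_name in ACCEPTABLE_PROTOCOLS:
        return "ok"
    if version_name in DEPRECATED_PROTOCOLS:
        return "deprecated"
    return "unknown"


def hardened_client_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 minimum, certificate and host name verified
    against the system trust store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hardened_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server context for a web site: TLS 1.2 minimum, TLS compression off,
    server-preferred cipher order. certfile/keyfile are the paths to the
    site's certificate chain and private key; they are optional here so the
    context can be built (and inspected) without any files on disk."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def negotiated_protocol(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port with the hardened client context and return the
    protocol version the server actually negotiated (e.g. 'TLSv1.3').
    Requires network access; not called at import time."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    version = negotiated_protocol(host)
    print(host, version, classify_protocol(version))
```

Because the client context refuses anything below TLS 1.2, a server that only speaks SSLv3 or TLS 1.0 fails the handshake instead of silently downgrading; that is the behaviour you want from a monitoring check as well as from a browser.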
One of the best reasons to choose WordPress for your projects is its extensibility through the plugin system. With plugins there is no limit to what you can create. Most plugins in the WordPress ecosystem are free of charge, generously developed by volunteers in an open source manner. Volunteers, however, are under no obligation to provide support or to continue developing a plugin.
Over time, for whatever reason, a plugin can become vulnerable: either a vulnerability is discovered in it that makes the whole website hackable, or it becomes incompatible with the latest version of WordPress. When a plugin doesn't get updated, or a person chooses not to update WordPress core to stay compatible with an old plugin, that's where 99% of hacks to WordPress sites happen. That's why at DistroServer we scan your website daily for vulnerable plugins and themes, update them right away when updates are available, and immediately disable a vulnerable plugin that hasn't received a patch for its vulnerability. Every day, multiple times a day.
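The scan-then-update-or-disable policy described above can be expressed as a small program: read each plugin's version from its main PHP file header, compare it with an advisory feed, and decide between "update", "disable" and "ok". The block below is an added example, not DistroServer's scanner; the plugin files and the advisory table are constructed sample data (the plugin slugs and versions are made up and do not refer to real plugins or real advisories). The only WordPress fact it relies on is the plugin header format, where the `Plugin Name:` and `Version:` fields live in a comment block at the top of the plugin's main file.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample plugin main files, in the WordPress plugin header format.
# Slugs, names and versions are invented for this example.
SAMPLE_PLUGIN_FILES = {
    "example-forms/example-forms.php": """<?php
/*
Plugin Name: Example Forms
Version: 1.4.2
*/
""",
    "example-gallery/example-gallery.php": """<?php
/**
 * Plugin Name: Example Gallery
 * Version: 2.0.0
 */
""",
    "example-seo/example-seo.php": """<?php
/*
Plugin Name: Example SEO
Version: 3.1.0
*/
""",
}

# Constructed advisory table (not real advisories): versions below
# 'affected_below' are vulnerable; 'fixed_in' is None when no patch exists.
SAMPLE_ADVISORIES = {
    "example-forms": {"affected_below": "1.5.0", "fixed_in": "1.5.0"},
    "example-gallery": {"affected_below": "2.1.0", "fixed_in": None},
}

# Matches "Plugin Name: X" / "Version: X" lines, with or without a leading " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_plugin_header(text: str) -> Dict[str, str]:
    """Extract the header fields we care about from a plugin's main file."""
    return {key: value for key, value in HEADER_RE.findall(text)}


def parse_version(version: str):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically,
    not lexically ('1.10.0' must sort after '1.9.3')."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass
class Finding:
    slug: str
    installed: str
    action: str   # "ok", "update" or "disable"
    detail: str


def assess(slug: str, installed: str, advisories: dict) -> Finding:
    """Apply the policy: patch available -> update; vulnerable with no patch
    -> disable; otherwise nothing to do."""
    adv = advisories.get(slug)
    if adv is None:
        return Finding(slug, installed, "ok", "no known advisory")
    if parse_version(installed) >= parse_version(adv["affected_below"]):
        return Finding(slug, installed, "ok", "installed version is not affected")
    fixed: Optional[str] = adv["fixed_in"]
    if fixed:
        return Finding(slug, installed, "update", f"update to {fixed}")
    return Finding(slug, installed, "disable", "vulnerable and no patched release exists")


def scan(plugin_files: Dict[str, str], advisories: dict) -> Dict[str, Finding]:
    """Scan every plugin (keyed by 'slug/main-file.php') and return one Finding per slug."""
    findings = {}
    for path, text in plugin_files.items():
        slug = path.split("/")[0]
        version = parse_plugin_header(text).get("Version", "0")
        findings[slug] = assess(slug, version, advisories)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_PLUGIN_FILES, SAMPLE_ADVISORIES).values():
        print(f"{finding.slug:16} {finding.installed:8} {finding.action:8} {finding.detail}")
```

On a real host the `plugin_files` mapping would be built by reading `wp-content/plugins/*/*.php`, and the advisory table would come from a vulnerability feed; the decision logic stays the same.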
Multi Level Backups
A proper backup plan is the most important thing for a website. Computers are computers, and no matter how great and stable a system is, there is always a chance it can crash or corrupt data, or worse, a natural disaster can strike the server location. To minimize the chance of a crash or corruption in the first place, we use the latest Intel E5 CPUs with enterprise-grade memory and drives. Newer hardware makes for a more stable system.
In the rare case that something does happen, we keep multiple full backups of your site files, databases and settings. We do this at multiple levels: system-wide and at the application level. At the application level we use multiple methods, both within and outside WordPress. Backups are stored in multiple locations, online and locally. Additionally, we keep an active copy of your website in a local staging and development environment. You can be sure we have your back.
Second Factor Authentication
Bots and bad actors will try to break into your website through the easiest route there is: the front door. Many WordPress "hacks" are not hacks at all; intrusions happen because of weak user passwords, or because the WordPress admin user reuses a password from other sites.
Simple passwords like 12345abc are very easy to guess, and bad actors will try to guess them in order to break into your site. When you reuse a password across different online services and one of those services gets hacked, the password attached to your email address is exposed, and bad actors will try to log in with the same credentials to other online services, including your WordPress app. This happens all the time to big internet brands; eventually one service you use will get breached and your password will be exposed.
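Password guessing and credential stuffing against the front door leave a very recognisable trace in the web server's access log: a burst of `POST /wp-login.php` requests from one address that all come back with status 200 (WordPress re-renders the login form on failure and answers a successful login with a 302 redirect into `wp-admin`). The block below is an added example of the kind of logging and analysis a host can do at the login entry point; it is not DistroServer's tooling. The log lines are constructed in the Apache/nginx "combined" format with addresses from the RFC 5737 documentation ranges, and the threshold, window and allowlist are illustrative values.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# "combined" access-log format: client IP, identity, user, [timestamp],
# "METHOD path protocol", status, bytes, referrer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 4096 "-" "Mozilla/5.0"')


# Constructed sample log: 203.0.113.7 fails a login POST every 3 seconds,
# while a legitimate admin at 198.51.100.20 mistypes once and then logs in.
_T0 = datetime(2016, 11, 4, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    _line("203.0.113.7", _T0 + timedelta(seconds=3 * i), "POST", "/wp-login.php", 200)
    for i in range(12)
]
SAMPLE_LOG += [
    _line("198.51.100.20", _T0 + timedelta(seconds=5), "GET", "/wp-login.php", 200),
    _line("198.51.100.20", _T0 + timedelta(seconds=9), "POST", "/wp-login.php", 200),
    _line("198.51.100.20", _T0 + timedelta(seconds=20), "POST", "/wp-login.php", 302),
    _line("198.51.100.20", _T0 + timedelta(seconds=21), "GET", "/wp-admin/", 200),
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?")[0],
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    # A failed WordPress login POST re-renders wp-login.php with HTTP 200;
    # a successful one redirects (302) into wp-admin.
    return rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: time_first_flagged} for every IP that produced at least
    `threshold` failed logins inside a sliding `window`. Lines are read in
    file order; each IP's own entries are assumed to be chronological."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def admin_hits_outside_allowlist(lines, allowlist):
    """IPs that touched the login form or wp-admin without being inside the
    admin allowlist (a list of CIDR strings): the candidates for a block rule."""
    nets = [ipaddress.ip_network(cidr) for cidr in allowlist]
    offenders = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not (rec["path"] == "/wp-login.php" or rec["path"].startswith("/wp-admin")):
            continue
        addr = ipaddress.ip_address(rec["ip"])
        if not any(addr in net for net in nets):
            offenders.add(rec["ip"])
    return offenders


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"brute force from {ip} flagged at {when.isoformat()}")
    print("outside allowlist:", admin_hits_outside_allowlist(SAMPLE_LOG, ["198.51.100.0/24"]))
```

The legitimate admin's single mistake never reaches the threshold, so the sliding window is what keeps the false-positive rate down; a fixed count per hour would be both slower to trigger and more prone to flagging real users.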
It's a simple fact that users reuse passwords, or are not technical enough to properly safeguard one. We understand it; it's human nature. To mitigate this, we use various technical behind-the-scenes methods, such as whitelisting admin IPs and logging intrusion attempts at the login entry point, but we also employ a more human approach: 2 Factor Authentication, that is, using a device to verify a PIN code before you are allowed into the site. The device, or second factor, in this case can be your email or your smartphone. 2FA is one of the best security practices currently employed on the internet by security-conscious sites. The fact that you need the second device, which acts as a physical key, to be able to log in protects your website from ever being hacked through the front door.