Basic Security Features of Your New Site You Need to Know

Security on the web has been a huge topic of conversation for the past several months, if not years, though our last election cycle seems to have really spotlighted it for the general population. More people than ever have been exposed to a conversation that business owners and IT professionals have been engaged in for years: how best to protect sensitive data from malicious attackers. The security of your customers and visitors is also of the highest importance. So, what do you need to know to get your new site up to speed on standard security protocols?

 

There are a few settings and features to be aware of as you explore the backend environment of your new VPS in an effort to bolster your security. This is a good point to throw in some caveats that apply when we talk about the security of any website. There are no guarantees. Hacking attempts continually get more sophisticated, and things can happen despite one’s due diligence. The following is meant to inform you of some best practices that will help keep your site more secure, but it is in no way a definitive guarantee that nothing will happen to your site if you do “X” things. Taking preventative steps is better than taking no action, of course, so use this information to your advantage.

 

Once you’ve logged into the hosting environment of your VPS, here are some things to keep an eye out for.

 

CSF/LFD

 

The good news about a lot of the terms and acronyms that are going to be coming your way is that they refer to things that are (or should be) already installed on your server. If they’re not, you can contact customer service to get that remedied. So, you won’t have to worry too much about making sure all of these things are in place yourself. Let’s start with CSF and LFD.

 

ConfigServer Security & Firewall (CSF) with Login Failure Daemon (LFD) is a security application that can be accessed through cPanel, which will already be set up for you when you log in. CSF/LFD does a few things. It is a Stateful Packet Inspection (SPI) firewall and a login and intrusion detector. CSF/LFD sends notifications when something of potential importance is happening. That is to say, getting an alert doesn’t mean you’re in the midst of an attack, but something worth your attention is occurring.

 

LFD has a variety of useful features built into it that we’ll touch on briefly here. You can read more about these features and examples of the kinds of notifications you’ll receive at our wiki.

 

LFD will automatically perform IP blocks based on reasons that can be configured by the user. By default, you receive notifications each time an IP is blocked. Whether or not you want to disable this is up to you. Depending on your traffic and your filters, you might be getting alerted to things constantly, which would be a distraction. Make sure you’re confident in your configurations before doing this.

 

LFD “keeps an eye out” for things like too many failed login attempts within a short period of time, too many connection attempts being made from a single IP address, certain email issues as they pertain to volume, and successful login attempts through a variety of methods including cPanel or SSH.
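The first of those checks, too many failed logins in a short period, can be sketched as follows; this is an added example and not LFD's own code. The log lines are constructed, and the threshold of 5 failures in 5 minutes is an illustrative assumption rather than an LFD default.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log lines (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
Mar  3 10:00:01 vps sshd[811]: Failed password for root from 203.0.113.7 port 4001 ssh2
Mar  3 10:00:04 vps sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 4002 ssh2
Mar  3 10:00:09 vps sshd[813]: Failed password for root from 203.0.113.7 port 4003 ssh2
Mar  3 10:00:15 vps sshd[814]: Failed password for root from 198.51.100.20 port 5100 ssh2
Mar  3 10:00:20 vps sshd[815]: Failed password for root from 203.0.113.7 port 4004 ssh2
Mar  3 10:00:31 vps sshd[816]: Failed password for root from 203.0.113.7 port 4005 ssh2
Mar  3 10:02:00 vps sshd[817]: Accepted password for deploy from 192.0.2.44 port 6000 ssh2
Mar  3 10:45:00 vps sshd[818]: Failed password for root from 198.51.100.20 port 5101 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) ")

def find_offenders(log_text, max_failures=5, window=timedelta(minutes=5), year=2024):
    """Return {ip: time the threshold was reached} for every IP with
    max_failures failed logins inside one sliding window."""
    recent = defaultdict(deque)    # ip -> failure timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue               # successful logins and unrelated lines
        # syslog timestamps carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in offenders:
            offenders[ip] = ts     # the point at which a block would be triggered
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the failure threshold at {when:%H:%M:%S}")
```

The second address in the sample fails twice, 45 minutes apart, and is not flagged, which is the difference between a sliding window and a simple running count.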

 

SSL

 

Secure Sockets Layer (SSL) is maybe a bit more familiar to people because of its general acceptance as a must-have for many sites, especially e-commerce sites where you’re handling sensitive customer information.

 

To explain the technology in brief, having an SSL certificate is important because it signifies you’ve put certain protections in place to ensure the safety of your customers’ information. SSL encrypts the path between the server and the client. When customers type in their credit card information to make a purchase on your site, for example, that information is transmitted in encrypted form; without SSL, it would be transmitted as plain text. Because one method of stealing information is intercepting it as it is transmitted, SSL is more or less a must-have these days.

 

You’ll have to install your SSL certificate through cPanel. To do this, you’ll need to generate a Certificate Signing Request (CSR) in cPanel, which you can do by following our guide. The signing authority you purchase your SSL certificate from will need that CSR to complete your certificate. You can then install the signed SSL certificate through cPanel. You can typically tell if a site has an SSL certificate right from the address bar in your browser. There may be a lock next to the URL to indicate security, or you can look for https:// preceding the site’s address. The key detail there is the S, as the unsecured http:// denotes no SSL. If you’re unsure whether your SSL certificate has been installed, there are sites online where you can type in your domain name and they’ll tell you.
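The same check can be run yourself instead of through a third-party site, as in this added example (not KnownHost's or cPanel's code). It connects with full certificate verification, as a browser would, and reports the issuer, covered names and days until expiry; the sample certificate, `example.com` and the 14-day warning threshold are constructed assumptions. Current servers negotiate TLS, the successor to SSL, which is why the code refers to TLS.

```python
import socket
import ssl
import time

# Constructed certificate in the shape SSLSocket.getpeercert() returns;
# example.com and "Example CA" are placeholders.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

def summarize_cert(cert, now=None, warn_days=14):
    """Report issuer, covered names and days left for a getpeercert() dict."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    if days_left < 0:
        status = "expired"
    elif days_left < warn_days:
        status = "renew soon"
    else:
        status = "ok"
    return {
        "issuer": issuer.get("organizationName", "unknown"),
        "names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": days_left,
        "status": status,
    }

def check_site(hostname, port=443, timeout=5):
    """Connect the way a browser would; report why if the certificate is refused."""
    ctx = ssl.create_default_context()   # verifies the CA chain and the hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return summarize_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return {"status": f"certificate rejected: {exc.verify_message}"}
    except OSError as exc:
        return {"status": f"no TLS service reachable: {exc}"}

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT))   # offline demo on the constructed cert
    # print(check_site("example.com"))   # live check; needs network access
```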

 

User Decisions

 

Moving along from server issues to issues that are more user-based, it’s important to be smart with your content management system (if you’re using one) as well. Popular CMSes like WordPress often find themselves targets of malicious actors because of how widely used they are. It’s important to do your due diligence and ensure that you are regularly updating your CMS’ core software as updates are released. The nature of open source software is such that updates come out frequently because the user base is always inspecting the code. Vulnerabilities can also come from that same public knowledge of the code. It’s important to be on top of those updates because they almost always include security and bug fixes. This need for vigilant updates also applies to plugins, extensions, and whatever other additional modules your CMS allows you to install to expand functionality.

 

Additionally, if you have multiple users with access to your site, be sure to restrict each user’s access to the bare minimum needed to perform their job. The fewer people that have full administrator access, the better. Passwords should also be complex, a random assortment of more than ten characters, and not a duplicate of any other password you use for any other service. Password breaches are still one of the most common methods of unauthorized entry to a site. Most of the time it’s because the user was either phished or the password was something relatively easy to guess.

 

Finally, backups are critical. Your host may perform backups for you, but you should still manually save things yourself on a local drive whenever possible just to be doubly sure you always have your information in the event of something going wrong. As a best practice, one backup of something is never enough.

 

Conclusion

 

At KnownHost, we value customer satisfaction. That’s why we want to set you up for success. Whether you need faster hosting solutions than you’re already using, you have questions about security, or you’re looking to establish a web hosting reseller business, we’re available to help. Contact our team today and we’ll get you set up with the hosting that you need.

Is WordPress Secure? A Guide for those Considering the WordPress Platform

WordPress security is a big issue and you need to know that the platform you are using is safe. We are going to show you the full readout when it comes to how safe this platform really is.

See Also: How to Set Up a WordPress Blog with Knownhost in less than 30 Minutes

Recent Attacks

There have been a number of recent attacks made against the WordPress platform. These have raised considerable concern over whether it’s still capable of defending websites against the modern threats presented by hackers and other malicious attackers.

Global Brute-Force Attack of 2013

In early 2013, we saw a global brute-force attack hit WordPress all over the world. Botnets carried out the attacks. These infected computer networks were all set to attack vulnerable websites at the same time.

Mass Hacks of 2014

The next year, 162,000 attacks were made against vulnerable WordPress websites. The CNET report said that,

Hackers were able to get more than 162,000 legitimate WordPress-powered websites to mount a distributed-denial-of-service attack against another website.

Reasons Why WordPress is Still Number One

This news likely already has you heading for the hills. Two major attacks in two years may make you believe that this is a platform you should stay away from. In this section, we are going to demonstrate why WordPress is actually the best platform you could use.

Thousands of Sites are Attacked Every Year

WordPress has a comparatively low number of attacks when compared to other platforms. No platform can 100% protect websites. It’s simply impossible.

Open Source Software Vulnerabilities

Some people say that WordPress’s open source position makes it open to threats. WordPress, Drupal, and Joomla are all free to use and anyone can use the underlying software code. The argument is that hackers can study this code and learn where the vulnerabilities are.

To put it simply, this isn’t a problem. WordPress evolves at a far faster rate than hackers can handle. That’s what makes it secure.

WordPress vs. Proprietary Platforms

WordPress is superior to most proprietary platforms because it has a team of thousands who are constantly on the clock finding bugs and fixing them. Compare this with a small in-house team where resources aren’t infinite.

Companies like this simply can’t compete with the WordPress system.

See Also: What can you do with WordPress?

WordPress vs. Other Open Source Applications

According to diagrams and images shown by the National Vulnerability Database, there’s research that proves WordPress is safer than other open source platforms, such as Drupal and Joomla.

Research also shows that because WordPress is regularly updated and simple to use its exposure to risk is therefore lower. More people equal more natural security.

Hacks aren’t Always the Fault of WordPress

This is what so many people struggle to deal with. A hack attack is often the fault of the website owner. The WordPress CMS can only do so much. For example, if a hacker steals your password there is nothing the platform can do to stop the person from getting in.

A theft is no more the fault of your front door if a thief manages to steal your keys.

Why Your Own System is No More Secure

Let’s say you don’t want to use WordPress and you would rather use a security system you can control. Here’s why this doesn’t always make you safer:

  • No platform is 100% safe from security threats. You have to keep your software updated to the minute. Only WordPress can do this.
  • It doesn’t account for users not doing their part to enhance security.
  • You can’t constantly monitor your platform without a 24-hour team, which is incredibly expensive.

WordPress Security is Top Notch

The research is clear. WordPress security is the highest level of security you can have without becoming a government agency. You won’t find better anywhere else, but the safety of your site largely relies on you the user.

Here are some security tips to ensure you are doing your part to keep your WordPress site safe.

Update Your WordPress

It may be annoying to have to update your WordPress platform so often, but it’s essential. It’s updated so regularly to outsmart the hackers, who would then have to begin their efforts all over again.

Choose the Right Host

Find the right host. Your web host is responsible for the FTP route into your website. If this isn’t covered, a hacker can bypass the WordPress platform and break into your website.

Use Best Practices

You should always use the best practices to protect your website from harm. In other words, you should:

  • Use strong passwords.
  • Change your passwords regularly.
  • Keep your anti-virus system updated.

You may even want to initiate a security audit.

The Bottom Line

The bottom line is that WordPress is a superior option for websites. Many top companies use it, and it’s among the most secure platforms on the web. See what it has to offer today!

What is the best way to secure a WordPress blog?

Over the last couple of months, our posts have outlined the importance of security for online shops and websites in general. While the hosting provider plays a very important role in keeping your website secure, there are measures you can take as well to protect your website from hackers and unhappy surprises.

Since a lot of our customers are running WordPress, we geared this post toward that platform, but the tips and principles are applicable to all websites and platforms.
