Website security is an ever evolving challenge. As new hacks and other “black hat” type schemes arise, strategies to block and protect against them must be implemented and revised. It is an unfortunate but necessary part of having a web site. Microsoft, Twitter, Facebook, NBC and Forbes have all recently been hacked. Dealing with a hacked website can be stressful, time consuming and costly. It’s never fun so being vigilant regarding website security and site backups is important.
I provide ongoing administration for the sites I have designed and developed. The sites represent a variety of business’s and organizations and are generally medium sized sites similar in scope to my own site. They are hosted at a number of different web hosting providers including Inmotion, HostGator, Bluehost and GoDaddy. The admin services I provide include any content updates that are requested, Google Analytics reporting and implementing and monitoring of security scanning and backups.
Hacks/malware come in many flavors and cause a wide variety of problems. When Google crawls a site I manage, if any known malware files are found, I will receive notification through my Google Webmaster Tools account. If not fixed and resubmitted Google will display the site in its search results with a “This site may be hacked” message attached and may de-list the site. People generally will not click the links and visit sites with such warnings attached. Google Webmaster Tools does not necessarily catch all hacks and it’s best to block and remove any malware before Google finds it. I have had experience with two websites that were hacked using the same method. Webmaster Tools alerted me to one of them but not the other. It’s possible I fixed the not alerted one before the Google crawler found the malware. Other scanning tools discussed below also send email alerts to the site administrator.
Scanning
Standard HTML/CSS Sites
For standard websites that are built using HTML/CSS coding I recommend that, at a minimum, SiteLock Find be added to the web hosting account. SiteLock is pretty ubiquitous and available through almost all web host providers in several progressively more expensive plans. For the sites I admin SiteLock Find – $25/year or SiteLock Fix – $90/year are the most realistic choices. The next level up is Prevent – $500/year. With SiteLock Find, daily scans are made of the site and an alert is sent if malware is found. After that I can try to fix it and have been successful doing that. Otherwise SiteLock charges up to $500 to fix. With the Sitelock Fix package they scan and remove without extra cost. Another highly regarded and more comprehensive website security service is Securri starting at $200/year. It’s less expensive and I believe it’s a better choice than SiteLock Fix.
The only site I have ever had an alert from SiteLock on was a site with an integrated WordPress Blog. The alert was involving a file attached to a WordPress Blog Post. SiteLock sent out a very frightening set of messages and insisted that they be hired to fix the site for $500. I was able to find and delete the offending file attachment and we did not pay the $500. There were more details to this episode but my take away from this was that SiteLock does not necessarily work that well with WordPress and dealing with them was not a good experience. I was disappointed enough to stop recommending SiteLock and I dropped it from my site.
Although I have never had a standard HTML/CSS site hacked, due to recent experiences, I have revised my position and now recommend SiteLock Find as a minimum requirement. SiteLock does provide some security and is the least expensive option. I’ve reinstated Sitelock Find on my own site. For more enhanced service, I recommend Securri.
WordPress Sites
WordPress sites require a different strategy. WordPress is much more targeted and vulnerable to hacks than standard HTML/CSS sites. The sheer number of WordPress sites (approx 20% of all websites run on WordPress) make them an attractive target. All of the components of WordPress have unique vulnerabilities and security holes. The third party Themes and Plug-Ins are constantly being exploited. Theme and Plug-In developers send out an endless progression of updates/patches to fight these hacks as they become identified. Having the most current up to date version of WordPress and all of the Themes and Plug-Ins your site uses is critical. Allowing older versions of WordPress, Themes and/or Plug-Ins to exist on a site constitutes an open invitation to be hacked. Any older legacy WordPress sites that have been replaced by new sites should not be left on the web host server/account. Folders with older legacy WordPress sites are typically not updated and thus are gateways for hackers to infect your entire account.
For WordPress sites I recommend using the free WordPress Plug-In “Wordfence” . Wordfence provides comprehensive scanning of the WordPress components. Wordfence sends an automated email alert to the site administrator if any updates for WordPress, Themes or Plug-Ins are available. WordFence also notifies of any malware and more. As these notices come in to my email box, I log on to the WordPress site and preform the updates and scans.
I have had experience with two sites that were hacked through a WordPress Plug-In. Wordfence was able to identify the malware and I was able to delete it and get a clean scan result. In my opinion Wordfence is a must have security requirement for WordPress sites.
Hybrid Sites
Many of the sites that I admin, including my own, are hybrid sites. These sites are primarily standard HTML/CSS sites but include an integrated WordPress blog. This post is made using an integrated WordPress blog. Hybrid sites need to employ both SiteLock (or Securri) and Wordfence.
Back Ups
Keeping reasonably current backups of sites is another critical part of website security. Some redundant methods are typically employed. Web hosting services all offer site back up options and I strongly recommend these be included in all web hosting accounts. For example Fatcow offers Site Backups and Restore – $17/year and HostGator offers Cloud Backup – $20/year. All sites should include one of these basic back up services.
The web host services only store a limited number of back ups. Older backups are over written by newer backups. If a site is hacked and the hack is not discovered in time, the web host backup my be contaminated. For this reason, periodic offline back up copies of the entire site should also be made. Making periodic offline backups is part of the site administration I provide.
Standard HTML/CSS Sites
The web host backups service should be included/subscribed to as part of the hosting account.
Periodic offline backups should be created. Offline backups of standard HTML/CSS sites are usually very simple and easily accomplished. Not much to discuss here.
WordPress Sites and Hybrid Sites
The web host backups service should be included/subscribed to as part of the hosting account.
A WordPress backup Plug-In should be used. I use the popular UpdraftPlus plug -in. This makes scheduled backups of all of the WordPress components and the MySQL database file. A limited number of successive backups are stored on the sites web host server. Older back ups are overwritten by newer ones. One click, on demand, backups can and should be made before updateing of WordPress, Themes and Plug-Ins is undertaken.
Periodic offline backups should be created. Creating off line backups of WordPress sites involves a number of steps and is somewhat time consuming. First, all of the WordPress components should be updated to the most current versions. The entire wp-content folder needs to be backed up along with the associated MySQL database file. It is not enough to simply store these files offline. A working version of the site should be created offline. This involves importing the MySQL database file and re-addressing it from the http://www.yourdomain.com name to http://mylocalhost/yourdomain/. This is a simplified explanation of a somewhat technical and advanced process. The point is, it can take 1-2 hours to create a functional offline backup of a WordPress site.
Summary
Website hacking is a constant threat. If you aren’t vigilant about your website security, it’s not a question of if but when your site will get hacked. This is especially true with WordPress.
Standard HTML/CSS sites should subscribe to and implement malware scanning as part of the web host account. SiteLock Find is the lowest cost but provides the least amount of service. It scans and alerts but does not fix. I use SiteLock Find on my site.
WordPress sites should use the Wordfence Plug-In. I use the Wordfence Plug-In on my site.
Hybrid sites should employ both of the above malware scanning strategies. That’s what I have set up for my site.
All sites should subscribe to and enable web host backups. WordPress sites should also use a back up Plug-In. I’m using the UpdraftPlus plug -in.
Even if the web hosting company runs daily backups, it is critical that periodic backups of your website are made and stored offline.
That’s it for now. More than you ever wanted to know….. and more than I ever wanted to write about website security!
Here’s a good article about this stuff.