Nobody is Immune!
The Situation
Almost daily we are warned of new potential online security threats. Because WordPress is an exceptionally popular website development platform (for good reasons), it is also a popular target for hackers who look for vulnerabilities within WordPress itself, as well as within popular WordPress plug-ins and themes. In a recent security release, WordPress issued the following statement:
“This is also a good time to remind everyone that all software will have bugs and some of those bugs will inevitably lead to security vulnerabilities, such is the life we live in. This applies to plugins, themes, webservers, CMS’s and basically anything that is written by people and based on code. As much as developers try to minimize them and deploy secure coding principles, mistakes will inevitably still happen. We just have to be prepared and find ways to minimize the effect of any vulnerability in your environment.”
This is not an indictment against WordPress. If you follow the news at all, you know there have been numerous security breaches across all kinds of software platforms. The fact is that hackers are always looking for ways to wreak havoc. WordPress is STILL one of the best platforms for website development. But like almost every other piece of software (even software used by the U.S. military), it has its vulnerabilities.
To address the security issue, here’s a list of what should be done:
1. Make sure all themes and plugins are up to date (do a site backup before any large-scale updates, just in case)
2. Run a security scan against the updated website to make sure no identified threats remain
3. Verify site functionality (make sure the updates didn’t “break” anything)
4. Install a security plug-in on the website and configure it to enable the most important security features
5. Set up website notifications to alert you when attention is needed for updating WordPress and/or plug-ins, or to address identified security issues detected by the security plugin
6. Monitor your emails and website for any of those alerts
All of the above (with the exception of #4 and #5) should be done on a regular basis. Updates should be made as needed, and a site check should be run once a month to identify any issues that can only be found that way.
You may, of course, choose to do these things yourself. Or you can leave it to the experts.
DigitalProminenceSM Security & Maintenance Service for Websites
Each level of the DigitalProminenceSM Security & Maintenance Service includes all 6 of the items noted in the list above, plus additional features/functions depending on the service plan level.
Each service plan includes some level of site functionality testing to verify that site operation has not been broken by plugin and/or theme updates. The extent of verification testing varies for each plan. If you’re a DSAMS subscriber, fixing anything that gets broken due to plugin and/or theme updates, or outdated plugins is free. If you’re NOT a DSAMS subscriber, those fixes will be billed at my standard hourly rate. Depending on the extent of the problem, costs to repair could be significant.
Breakage Insurance
In addition to handling the technical details of the security and maintenance tasks, each DSAMS Service Plan comes with “Breakage Insurance”. With the thousands of plugins and themes available, the specific combination of plugins and theme used on your site is likely to be about as unique as a fingerprint. There’s no way that plugin and theme developers can possibly test every combination. As plugins and themes get updated by their developers, those updates get applied to your website. In the case of plugins, sometimes developers simply stop updating their plugins (for any number of reasons, including winning the lottery and giving up the development business), which increases the odds of the plugin getting out of sync with the rest of the WordPress world. The point is this: occasionally conflicts can arise between plugins and/or WordPress themes that cause them to stop “playing nice in the sandbox”, and something on your site stops working the way it should.
NOTE: Breakage Insurance does NOT cover identifying and implementing replacement plugins or website design changes resulting from abandoned plugins (plugins which have been abandoned by their developers). Replacing abandoned plugins will be charged at the regular hourly rate of $75.
Service Plans
Level 1
The Level 1 service plan includes the 6 items listed above, PLUS:
- Continuous, Dynamic Protection via the Wordfence Firewall
  - What is the Wordfence Web Application Firewall?
    - The Wordfence Web Application Firewall is a PHP-based, application-level firewall that filters out malicious requests to your site. It is set up to run at the beginning of WordPress’ initialization to filter any attacks before plugins or themes can run any potentially vulnerable code.
    - Powered by the continuously updated Wordfence Threat Defense Feed, the new Wordfence firewall protects WordPress site owners from the latest threats even if they are running a vulnerable plugin or theme.
    - When first installed, the Wordfence Web Application Firewall is in “learning mode”. This allows Wordfence to learn about your site so that it can understand how to protect it and how to allow normal visitors through the firewall. The Wordfence Firewall is scheduled to stay in Learning Mode for one week, after which protection is enabled automatically.
  - What it Protects Against
    - The Wordfence Web Application Firewall protects against a number of common web-based attacks:
      - SQL Injection: Unsanitized SQL code that can compromise a database system.
      - Cross Site Scripting (XSS): Unsanitized HTML or JavaScript code used to hijack a user or administrator’s browser session and perform actions as the user.
      - Malicious File Upload: Unsanitized files containing malicious code that can be uploaded to and executed by the web server.
      - Directory Traversal: Unsanitized path names that can be used to trick the web server into serving files containing credentials or other potentially sensitive information.
      - Local File Inclusion: Unsanitized path/file names that can be used to execute potentially malicious code available to the web server’s file system.
      - External Entity Expansion (XXE): A “feature” of XML that can be used to trick the web server into serving files containing credentials or other potentially sensitive information.
NOTE: the firewall cannot account for every possible intrusion, as hackers continue to develop new threats. It will defend against known potential attacks, and will be updated by Wordfence as new threats become known. If a website does become infected, Wordfence offers a fee-based site cleaning service to remove the infection. If this becomes necessary, Digital Prominence will coordinate and manage the site cleaning project with the Wordfence team. Implementation of the Wordfence team’s recommendations will be billed out at the regular rate of $75 per hour.
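To make the “unsanitized path names” behind the Directory Traversal and Local File Inclusion entries concrete, here is an added PHP example (not code from the original page or from Wordfence) that puts the vulnerable join beside a hardened lookup which refuses to leave the allowed directory. The base directory and request strings are constructed; it runs on the PHP 8 command line with no WordPress install.

```php
<?php
// Added example, not from the original page or from Wordfence.
// Compares the unsafe join that enables directory traversal with a
// hardened lookup that fails closed. All inputs below are constructed.

declare(strict_types=1);

// Vulnerable pattern: the request parameter is glued straight onto the
// base directory, so "../" segments walk out of it. Shown for contrast only.
function unsafe_path(string $baseDir, string $requested): string {
    return $baseDir . '/' . $requested;
}

// Hardened version: reject NUL bytes and absolute paths, resolve "." and ".."
// purely as strings (no filesystem access), and return null if the request
// would ever climb above $baseDir.
function safe_path(string $baseDir, string $requested): ?string {
    if (str_contains($requested, "\0") || str_starts_with($requested, '/')) {
        return null;
    }
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $requested)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;                 // empty or current-directory segment
        }
        if ($segment === '..') {
            if ($parts === []) {
                return null;          // would escape the allowed directory
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return $parts === [] ? null : rtrim($baseDir, '/') . '/' . implode('/', $parts);
}

// Constructed base directory and request strings.
$base = '/var/www/html/wp-content/uploads';
foreach (['2017/07/report.pdf', 'a/../b.txt', '../../outside.txt'] as $req) {
    printf("%-20s unsafe: %s\n", $req, unsafe_path($base, $req));
    printf("%-20s safe:   %s\n", $req, safe_path($base, $req) ?? 'REJECTED');
}
```

In production you would additionally run the result through realpath() and confirm it still begins with the base directory, since a symlink inside the uploads folder can point outside it even when the string check passes.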
- Regular site backups to a directory on your own website’s servers:
  - Weekly full site backups
  - Daily database-only backups
  - Additional full site backups prior to any major updates (see #1 above)
- Site functionality verification
  - A selection of sample pages from the website are accessed via the main navigation menu to make sure the pages look and act as expected, by ensuring visual components are properly formatted and operating (sliders, etc.), and that no raw data is showing (shortcodes, PHP, etc.).
  - If the site also contains posts (in a blog or elsewhere), a random selection of up to 5 posts is checked for visual & operational accuracy
- Google Search Console
  - We will check Google Search Console for any identified website issues and provide a list of these in the DSAMS report. At that point, you can decide to address the issues yourself, or authorize us to address them at our standard project rate. Maintaining website health via Google Search Console will improve overall search ranking.
- Observations/Suggestions
  - During the process of site functionality verification, if we see anything that looks like it needs addressing (from a content or enhanced functionality perspective), we will add it to the “Observations/Suggestions” section of the DSAMS report.
- Gravityscan Daily Security Monitoring With Trust Badge
  - Gravityscan is a malware and vulnerability scanner that works on any website. It carefully examines your website’s WordPress installation to find out if there are any vulnerabilities. It even detects the extensions/plugins installed as part of your website’s functionality and checks them for vulnerabilities. Gravityscan also performs a comprehensive scan for malware on your site. You can read more about Gravityscan here.
  - Until recently, Gravityscan scans had to be launched manually. These scans have been part of the regular DSAMS service for DSAMS subscribers. As of late July 2017, Gravityscan implemented a free daily scan option which also provides a “trust badge” that can be included on websites to reassure website visitors about website security, as well as boosting search engine results. Read more about this Gravityscan feature here.
Monthly subscription cost is reflected at the top of the sidebar to the right.
More service plans will be available in the future
(Service Plans are currently only available to DigitalProminence website development clients)
NOTE: we are continually evaluating security & maintenance tools to implement those which we feel are the best tools for the job(s). Your monthly security & maintenance reports may look different if we have upgraded any of the tools whose output is part of your report. The most critical of the Service Plan tools is the security component. Currently, our chosen security module is:
Wordfence Security
If you don’t want to sign on for the website security & maintenance service, then please address the issues yourself. But don’t ignore them or you could end up with much more serious problems down the road. Hackers don’t quit.