Nobody is Immune
UPDATE: In late January 2017, WordPress announced: “WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.” As anticipated, attacks on websites are increasing, and security is becoming a more critical focus every day.
UPDATE: On February 29, 2016, Wordfence released a blog post on “Scary Data – Trends in Malware, Phishing, Site Cleaning and Bad Networks”. This post emphasizes the ongoing and increasing problem of website security. Things are NOT getting better. Read the post for more info.
UPDATE: On September 15, 2015, WordPress issued security release 4.3.1. As discussed below, you should NOT expect this type of threat to diminish over time. The trend will very likely be just the opposite. Take your own action or sign up for the service, but please don’t ignore the threat.
Almost daily we are warned of new potential online security threats. Because WordPress is an exceptionally popular website development platform (for good reasons), it is also a popular target for hackers, who look for vulnerabilities within WordPress itself as well as within popular WordPress plug-ins and themes. In a recent security release, WordPress issued the following statement:
“This is also a good time to remind everyone that all software will have bugs and some of those bugs will inevitably lead to security vulnerabilities, such is the life we live in. This applies to plugins, themes, webservers, CMS’s and basically anything that is written by people and based on code. As much as developers try to minimize them and deploy secure coding principles, mistakes will inevitably still happen. We just have to be prepared and find ways to minimize the effect of any vulnerability in your environment.”
This is not an indictment of WordPress. If you follow the news at all, you know there have been numerous security breaches across all kinds of software platforms. The fact is that hackers are always looking for ways to wreak havoc. WordPress is STILL one of the best platforms for website development. But like almost every other piece of software (even software used by the U.S. military), it has its vulnerabilities.
To address the security issue, here’s a list of what should be done:
1. Make sure all themes and plugins are up to date (do a site backup before any large-scale updates, just in case)
2. Run a security scan against the updated website to make sure no identified threats remain
3. Verify site functionality (make sure the updates didn’t “break” anything)
4. Install a security plug-in on the website and configure it to enable the most important security features
5. Set up website notifications to alert you when attention is needed for updating WordPress and/or plug-ins, or to address security issues detected by the security plugin
6. Monitor your emails and website for any of those alerts

All of the above (with the exception of #4 and #5) should be done on a regular basis. Updates should be made as needed, and a site check should be run once a month to identify any issues that can only be found that way.
You may, of course, choose to do these things yourself. Or you can leave it to the experts.
DigitalProminenceSM Security & Maintenance Service for Websites
Each level of the DigitalProminenceSM Security & Maintenance Service includes all 6 of the items noted in the list above, plus additional features/functions depending on the service plan level.
Each service plan includes some level of site functionality testing to verify that site operation has not been broken by plugin and/or theme updates. The extent of verification testing varies for each plan. If you’re a DSAMS subscriber, fixing anything that gets broken due to plugin and/or theme updates, or outdated plugins is free. If you’re NOT a DSAMS subscriber, those fixes will be billed at my standard hourly rate. Depending on the extent of the problem, costs to repair could be significant.
In addition to handling the technical details of the security and maintenance tasks, each DSAMS Service Plan comes with “Breakage Insurance”. With the thousands of plugins and themes available, the specific combination of plugins and theme used on your site is likely to be about as unique as a fingerprint. There’s no way that plugin and theme developers can possibly test every combination. As plugins and themes get updated by their developers, those updates get applied to your website. In the case of plugins, sometimes developers simply stop updating their plugins (for any number of reasons, including winning the lottery and giving up the development business), which increases the odds of the plugin getting out of sync with the rest of the WordPress world. The point is this: occasionally conflicts can arise between plugins and/or WordPress themes that cause them to stop “playing nice in the sandbox”, and something on your site stops working the way it should.
The Level 1 service plan includes the 6 items listed above, PLUS:
- Continuous, Dynamic Protection via the Wordfence Firewall
  - What is the Wordfence Web Application Firewall?
    - The Wordfence Web Application Firewall is a PHP-based, application-level firewall that filters out malicious requests to your site. It is set up to run at the beginning of WordPress’ initialization to filter any attacks before plugins or themes can run any potentially vulnerable code.
    - Powered by the continuously updated Wordfence Threat Defense Feed, the new Wordfence firewall protects WordPress site owners from the latest threats even if they are running a vulnerable plugin or theme.
    - When first installed, the Wordfence Web Application Firewall is in “learning mode”. This allows Wordfence to learn about your site so that it can understand how to protect it and how to allow normal visitors through the firewall. The Wordfence Firewall is scheduled to stay in Learning Mode for one week, after which it is automatically switched to protection mode.
  - What it Protects Against
    - The Wordfence Web Application Firewall protects against a number of common web-based attacks:
      - SQL Injection: Unsanitized SQL code that can compromise a database system.
      - Malicious File Upload: Unsanitized files containing malicious code that can be uploaded to and executed by the web server.
      - Directory Traversal: Unsanitized path names that can be used to trick the web server into serving files containing credentials or other potentially sensitive information.
      - Local File Inclusion: Unsanitized path/file names that can be used to execute potentially malicious code available on the web server’s file system.
      - External Entity Expansion (XXE): A “feature” of XML that can be used to trick the web server into serving files containing credentials or other potentially sensitive information.
- Regular site backups to a directory on your own website’s servers:
  - Weekly full site backups
  - Daily database-only backups
  - Additional full site backups prior to any major updates (see #1 above)
- Site functionality verification
  - Each page (not post) of the website is accessed via the main navigation menu to make sure the page looks and acts as expected, by ensuring visual components are properly formatted and operating (sliders, etc.) and that no raw data is showing (shortcodes, PHP, etc.).
  - If the site also contains posts (in a blog or elsewhere), a random selection of up to 5 posts is checked for visual & operational accuracy
- Link Check
  - We will check for any identified “bad links” (links within the website that point to content that doesn’t exist) and provide a list of these in the DSAMS report. At that point, you can decide to address the broken links yourself, or authorize us to fix them at our standard project rate. Fixing broken links will improve overall search ranking.
  - During the process of site functionality verification, if we see anything that looks like it needs addressing (from a content or enhanced functionality perspective), we will add it to the “Observations/Suggestions” section of the DSAMS report.
- Gravityscan Daily Security Monitoring With Trust Badge
  - Gravityscan is a malware and vulnerability scanner that works on any website. It carefully examines your website’s WordPress installation to find out if there are any vulnerabilities. It even detects the extensions/plugins installed as part of your website’s functionality and checks them for vulnerabilities. Gravityscan also performs a comprehensive scan for malware on your site. You can read more about Gravityscan here.
  - Until recently, Gravityscan scans had to be launched manually. These scans have been part of the regular DSAMS service for DSAMS subscribers. As of late July 2017, Gravityscan implemented a free daily scan option which also provides a “trust badge” that can be included on websites to reassure website visitors about website security, as well as boosting search engine results. Read more about this Gravityscan feature here.
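To make the firewall discussion above concrete, here is an added example (not Wordfence’s code, and not part of this page originally) of the kind of request filtering an application-level firewall performs, run over a few constructed access-log lines. The rule names, the sample log and the `normalize`/`classify`/`scan_log` helpers are all assumptions of this example; it only sees the request line, so body-borne attacks such as XXE or uploaded file contents are the caveat noted in the comments.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in common log format (not real traffic, not from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2017:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2017:10:00:02 +0000] "GET /index.php?page=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1234
203.0.113.9 - - [10/Jan/2017:10:00:03 +0000] "GET /?s=x%27+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 200 800
203.0.113.11 - - [10/Jan/2017:10:00:04 +0000] "GET /wp-content/uploads/2017/01/photo.php HTTP/1.1" 200 64
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical signatures for three of the attack classes listed above. XXE and the
# contents of a malicious upload live in the request BODY, which an access log never
# records; that is why a firewall that runs inside PHP, before plugins load, sees
# more than log analysis can.
RULES = {
    "directory_traversal": re.compile(r"\.\.[/\\]"),                 # also covers LFI via path params
    "sql_injection": re.compile(
        r"(?i)(?:union\s+(?:all\s+)?select|'\s*(?:or|and)\s+\S+\s*=|sleep\s*\(\d+\))"
    ),
    "php_in_uploads": re.compile(r"(?i)^/wp-content/uploads/[^?]*\.php\d?(?:[?/]|$)"),
}


def normalize(target, rounds=3):
    """URL-decode repeatedly so double-encoded input (%252f -> %2f -> /) is judged
    on its final form; '+' is folded to a space as form encoding does."""
    cur = target.replace("+", " ")
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify(target):
    """Return the names of every rule the decoded request target trips."""
    decoded = normalize(target)
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_log(text):
    """Yield (ip, target, rules) for each log line that trips at least one rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (rules := classify(m["target"])):
            hits.append((m["ip"], m["target"], rules))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the last three lines, one rule each; the double-encoded traversal is only caught because `normalize` decodes more than once.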
Monthly subscription cost is reflected at the top of the sidebar to the right.
More service plans will be available in the future
(Service Plans are currently only available to DigitalProminence website development clients)
NOTE: we are continually evaluating security & maintenance tools to implement those which we feel are the best tools for the job(s). Your monthly security & maintenance reports may look different if we have upgraded any of the tools whose output is part of your report. The most critical of the Service Plan tools is the security component. Currently, our chosen security module is:
If you don’t want to sign on for the website security & maintenance service, then please address the issues yourself. But don’t ignore them or you could end up with much more serious problems down the road. Hackers don’t quit.