Website Security
Website Security is an issue website developers as well as website owners are threatened and occasionally challenged with. With the sophistication of today’s hacking and phishing tactics, you want to make sure your hosting package includes maintenance and support as otherwise the threat of losing a lot of time, nerves and money is a very real one and the chance to get hit is just a matter of time. It happens to all of us. So what do you do?
Website Security
There is the 100% safe solution: total Website Security. It means that you are closing yourself off to a maximum. In website terms you could do this:
1. Disallow comments
2. Have no forms on your website
3. Don’t run any complex plugins.
4. Especially don’t link to Social Networks!
5. Don’t feed!
6. And watch out how you communicate with Google!
Here’s the secret tip: If you go on Private – so that you’re never listed – you won’t ever have a problem! Why? Because nobody can find you anyway!
Is this what you want? Not communicate at all? I don’t think so… maybe you want to have some additional security to your Akismet plugin, perhaps BulletProof Security – that should do the trick.
BulletProof Security Plugin
As said above, sooner or later we’re all a victim of a hack – in one way or another. One of our dear clients just went through this trauma – thank heavens she had wisely invested in an all-inclusive hosting pack as this was not a simple story, this was serious and sorting things out took lots of time and effort.
Additionally, I just installed a BulletProof Security Plugin to close some more doors… We will have to observe things over the next weeks and see whether this slows us down or causes any conflict. Hopefully all will go well as we’re on a WP based Semiomantics XO script. While there is lots to read and study, here are a few tips on how to instal and activate the plugin in the settings panel in your dashboard.
1. Security Modes
Click on Create secure .htaccess File (this is a Master Access File) … and let things happen.
See: POPUP green SUCCESS (on yellow background) right at the top.
2.
To activate Master Access File go to Activate Security Modes below
Tick BulletProof Mode and ACTIVATE.
See green note at the top of the page confirms we are now protected… and then it says “IMPORTANT! BulletProof Mode for the wp-admin folder MUST also be activated….
3.
Go now to the next: Activate Website wp-admin Folder .htaccess Security Mode
Tick BulletProof Mode and ACTIVATE.
See green confirmation at the top on yellow.
4.
Go down again to Activate Deny All htaccess Folder Protection For the BPS Master htaccess Folder.
Tick and ACTIVATE.
It’s optional –but let’s use it.
5.
Now go down to the last one: Activate Deny All htaccess Folder Protection For the BPS Backup Folder.
Tick and ACTIVATE.
Once we are done with that one, we go back to the Security Status and you will see now that it will say – on the bottom right in RED – that you haven’t backed up your root, etc yet.
And on the top left everything is fine.
Now:
6. Go to Backup & Restore
Here we want to backup the current htaccess files… so TICK (underneath CAUTION) on Backup .htaccess Files and click on Backup Files.
7.
Once you did this, you see further down also Backup Your BPS Master .htaccess Files
So TICK and Backup Files here as well
So the second we don’t do because that’s a restore button.
And now you see everything GREEN underneath.
And go back to Security Status: everything is green except your admin name if you’re using ADMIN.
8.
No let’s have a look at our System information.
When you’re moving to another server you can see here what your server configuration is that you have here.
It seems the BulletProof is increasing the use of memory.
9. Go to Edit-Upload-Download
One could backups here, instead of backups on server. One could also lock some pages… if one wanted to.
10. Go to Maintenance Mode
Here one could insert a message to tell visitors if the site is on maintenance mode
and activate the Maintenance Mode accordingly at the bottom.
11. Go through the rest for interest but that’s all we need.
BulletProof may slow you down and can cause conflicts. In that case check which plugins need to be disabled … disable all and then reintroduce one after the other and check behaviour. Where it stops working that’s the one that’s causing the trouble.
Don’t load a cache plugin. If they are not updated it’s the worst.
While editing don’t run caching plugins as you always have to empty the cache to see what you modify on the site.
Plugins and Security
The htaccess file security we now created works a little like a firewall. The htaccess files are our doorkeepers. They filter stuff coming in or being kept out.
When you’re installing a plugin, you basically allow that plugin to run on your website. This means you allow this plugin to open doors and to sneak through the htaccess file. Some of these plugins write to your htaccess file when you set them up, automatically. Like this one here.
When you’re using these plugins, they alter the htaccess file, and here is a source of errors. What happens when you’re deleting the plugins from FTP – then you have deleted the plugin, but not the modification the plugin may have made on htaccess files. So the door remains open – but the door guards that are constituted by the plugin itself – they are gone. So you can sneak in through those.
It is therefore important that when you’re deleting a plugin that you do it properly and that you delete it from the back office if possible as most modern and good plugins will erase at least the information that allows people to come through. It will not erase their advertising information etc in most cases though, but at least they will shut down the doors and erase also what they might have done to your wp-config file or to your htaccess files.
If you have to delete a plugin from FTP then you should delete it from there, come back, reinstal it and then uninstal it properly from the back office. Otherwise you have to go into the documentation of the plugin and see what kind of files it creates and database entries.
Database entries
All the information you enter into these form fields go to the database. So if amongst those settings you have allowed this and that, then you understand that if the plugin is not properly uninstalled then this stuff will remain in your database.
The same applies to your social network plugins which are probably the worst.
Testing plugins is important. Do so on a separate blog to test and experiment. Don’t clutter up your database with a lot of entries… get 36 databases instead of 11. Make sure that when you kick plugins out that whatever they have created on the database goes as well. This is important to avoid the problem of ‘open doors’!
That’s for security! Remember: the more doors you close, the more you shut yourself off – and that’s possibly not what you want. It’s a matter of careful choice…
Most importantly: invest in a hosting pack that includes Maintenance and Support!
