SMEs are also targeted by cybercriminals.
Over the past two years, there have been quite a few reports of companies whose websites were “taken down” by cybercriminals. Only after paying hefty sums was the company in question able to reach its customers again. The most recent cases were a chain of dental practices and, in the spring, Artis in Amsterdam. In both cases the impact was enormous: business is completely disrupted at such a time.
“My company is too small for there to be anything to gain”
Many business owners think this, and that is exactly how things go wrong. Cybercriminals look for the path of least resistance and only afterwards see what, if anything, they can extract. Even if the ransomware ransom turns out to be modest and you are back up and running quickly, you still have to wonder what will be done with the customer information stored in the website’s database.
Security is more important than a low monthly fee for hosting
SME entrepreneurs often invest a reasonable amount in developing a good website. All too often, however, this is paired with cheap hosting to keep recurring monthly costs down. A textbook example of cheap turning out to be expensive in the end.
What are the key security issues in hosting?
When it comes to (WordPress) website security, there are several things that need to be properly taken care of:
- Secure updates to templates, plug-ins and WordPress core itself;
- Regular server-level malware scans;
- A software- and hardware-based firewall;
- Additional DDoS protection;
- Use of the latest PHP version (HardenedPHP);
- Regular external backups.
At the bottom of this blog you can read what each of these points means.
But surely every hosting provider offers this?
If only that were true. You would think it would go without saying that all hosting companies offer this by default. Unfortunately, this is not so! The reasons hosting companies don’t take these measures are:
- It takes more resources (and therefore money) to set up and maintain malware scans, backup servers and routines;
- Additional backups also require additional server space that they would rather sell to hosting customers;
- Tailoring the firewall/ModSecurity rules to individual websites takes more time;
- Not every hosting company specializes in WordPress.
In addition, some of the work is offered as an option or left out of the subscription so that hosting can be offered inexpensively.
Managed WordPress Hosting offers a solution
So both end users and website developers have a lot on their plate when it comes to security. For the former it comes at the expense of entrepreneurship, for the designer at the expense of his or her creativity. For exactly that reason, in 2015 we started offering Managed WordPress hosting: a full-service offering of all the things that we, as developers ourselves, had been running into since 2009 but wanted to get right for our clients.
Always personal contact
WP Provider was thus born out of a personal need for top-quality hosting and for personal contact when it really matters. By and for WordPress enthusiasts. The latter remains manageable because we offer this service only through web designers: we focus 100% on the hosting and the designer on the design for his or her client. Have questions about this? Then feel free to call sometime to discuss the possibilities.
For the enthusiasts…
As promised, below is a further explanation of the six key points for a secure website:
Malware stands for “malicious software”. It is an umbrella term for malicious code that hackers use to gain unauthorized access to, or do damage to, your WordPress website. In most cases, a bot or hacker exploits a security vulnerability. If a plugin is no longer supported by its developers, and updates are therefore no longer released for it, it is important to take active action on it.
You definitely want to prevent your website from getting an SEO penalty from Google, which is why we perform various scans at the server level, including our WP eXploit scanner tool, which actively scans files when they are uploaded to the server, for example via FTP or directly through WordPress. It can detect suspicious files on the server and prevent most of them (with the exception of zero-days, the as-yet-unknown exploits) from being uploaded or executed on the server.
Software & hardware based firewall
Through our firewall solution, unused ports are closed, access to certain services is protected and logs are continuously scanned for suspicious activity such as a suspicious number of login attempts to WordPress or the email boxes. IP addresses and ranges are blacklisted so that the attack is stopped. It recognizes many different attacks such as port scans, SYN floods and brute-force attacks.
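The log check described above, reduced to its core: counting failed WordPress login attempts per source address within a sliding time window and flagging the addresses that exceed a threshold. This is an added example, not WP Provider's own tooling; the log lines are constructed in combined log format, and the heuristic that a failed wp-login.php POST re-renders the form with HTTP 200 while a successful one redirects with 302 is an assumption about default WordPress behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
198.51.100.20 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [10/Oct/2023:13:56:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9981
192.0.2.44 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
192.0.2.44 - - [10/Oct/2023:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
"""

# client_ip, timestamp, method, path, status from a combined-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def failed_logins(log_text):
    """Yield (ip, timestamp) for each wp-login.php POST that did not redirect.
    Assumption: a failed login re-renders the form (200); success redirects (302)."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status != "302":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def flag_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_failures} for sources with >= threshold failures inside
    any `window`-long period; slow, spread-out failures are left alone."""
    attempts = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        attempts[ip].append(ts)
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Running `flag_bruteforce(SAMPLE_LOG)` flags only 203.0.113.7 (six failures in eight seconds); the successful login and the two failures 23 minutes apart are not reported.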
If it is a DDoS attack, this is sometimes not enough and the DDoS protection shield is enabled. Our proactive, real-time monitoring effectively detects and eliminates high-volume attacks. When we face a DDoS attack, DDoS Shield separates clean traffic from attack traffic, which is redirected to our DDoS scrubbing center. We also have ModSecurity active by default for your account, which ensures that suspicious requests are filtered out immediately.
HTTP security headers are, in my opinion, a fundamental part of website security. By enabling appropriate server- or application-level (WordPress) headers, you can improve the CMS’s resilience against common attacks, including cross-site scripting (XSS) and clickjacking.
When a user visits a site through their browser, the server responds with HTTP Response Headers. These headers tell the browser how to behave while communicating with the site. By applying the right security headers, you are taking a good step toward a more secure website.
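A defender-side check for the headers just described: given the response headers a server returns, report which of the named protections (XSS via Content-Security-Policy, clickjacking via frame-ancestors or X-Frame-Options) is missing or weakened. This is an added example, not WP Provider's code; the two header sets are constructed, and the one-year HSTS baseline and the MIME-sniffing and transport checks are common hardening guidance assumed here, not taken from the text.

```python
import re

HSTS_MIN_AGE = 31536000  # one year; a commonly recommended minimum, assumed here

# Constructed sample responses: a bare default and a hardened one (not real sites).
BARE_HEADERS = {"Content-Type": "text/html; charset=UTF-8", "Server": "Apache"}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; "
                               "frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

def csp_directive(csp, name):
    """Return the source list of one CSP directive; fetch directives fall back to default-src."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return csp_directive(csp, "default-src") if name != "default-src" else []

def audit_security_headers(headers):
    """Return {finding: message} for a mapping of response header names to values.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}

    csp = h.get("content-security-policy", "")
    if not csp:
        findings["xss"] = "no Content-Security-Policy; injected scripts run unconstrained"
    else:
        script_src = csp_directive(csp, "script-src")
        hashed = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script_src)
        if "'unsafe-inline'" in script_src and not hashed:   # nonces/hashes override unsafe-inline
            findings["xss"] = "script-src allows 'unsafe-inline' without nonce or hash"

    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp.lower() and xfo not in {"DENY", "SAMEORIGIN"}:
        findings["clickjacking"] = "no frame-ancestors directive and no DENY/SAMEORIGIN X-Frame-Options"

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings["mime-sniffing"] = "X-Content-Type-Options: nosniff is missing"

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        findings["transport"] = "HSTS missing or max-age below one year"
    return findings
```

The bare response yields four findings; the hardened one yields none, and a CSP that lists `'unsafe-inline'` for scripts without a nonce or hash is reported as weak rather than absent.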
WordPress recommends that the latest PHP version always be used (and so do we). In practice, however, this is often not possible, because, for example, custom plug-ins were written for an older PHP version or plug-in developers have not yet rewritten their plug-in for the latest PHP version. If the PHP version is updated anyway, the worst case is a fatal error that makes the website inaccessible. For this reason we use HardenedPHP, a way to keep using older PHP versions without compromising security.
Very popular versions of PHP, used in nearly 85% of all PHP sites, are no longer supported by the PHP.net community. HardenedPHP secures old and unsupported versions of PHP – 4.4.9, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 7.0, 7.1, 7.2.
In those old versions, including the widely used 7.2, 7.1, 7.0 and 5.6, vulnerabilities are not patched by the PHP.net community even once they are discovered. HardenedPHP takes care of this.
PHP represents more than 79.2% of all server-side scripts. Because of this widespread use, PHP is constantly being exploited by hackers, leaving sites vulnerable.
HardenedPHP keeps your clients and servers safe by patching all PHP versions against known vulnerabilities – even those versions not supported by the PHP.net community. More than 100 vulnerabilities were discovered, many of which were critical, for unsupported versions of PHP. They have all been patched by CloudLinux.
If something does happen, don’t be alarmed: we can restore a backup for you immediately. In addition to full snapshots of all servers on the platform (against ransomware), backups are also made of the WordPress installations. Because we advocate backups of backups, they are additionally backed up off-site in another data center.
What if something does happen?
By default, we make daily backups of your WordPress website. At worst, we can go back in time to when the website was fully functional.
What if something happens to the backups?
We’ve thought of that too: always make backups of your backups.
In addition to full snapshots, we also export our backups off-site to another secure location in another data center.
“Securing a website is like riding a bicycle. To keep your balance, you have to keep moving.” This is how Albert Einstein’s famous bicycle quote would have looked if he had been a cyber security professional. Fortunately (or not) he wasn’t. But to stay with the bicycle analogy: you can’t stop pedaling. The moment you do, the bike slows down and you end up falling over. And that is exactly what we want to avoid. But when it comes to cycling, not all pedal strokes are the same. Some are smooth, some are hard, some carry you only a short distance, while others take you much further.