What’s there to worry?

It seems like much of my time these days involves dealing with WordPress vulnerabilities, network attacks resulting in websites being compromised, or worse, websites being taken offline.  The evolution of Content Management Systems (CMS) has made management of website content much easier but has made management of website code much more demanding.  It is imperative to maintain website and server code to the latest versions.  But just staying on top of updates is not always enough. How does one best insulate themselves from these vulnerabilities?  It starts with understanding the players in the mix.

1. Hosting Provider

There are at least several factors that a hosting provider manages that affect the likelihood your site will be hacked, or completely disabled.

  • Hosting Plan – Depending on your hosting plan, your exposure to hacking varies.  Shared hosting and virtual private server hosting (VPS) leave your site at the mercy of how well other sites on the server you’re hosting on are maintained.  Hosting providers may provide the service of updating your CMS software for you.  If not, then you must maintain your CMS code.  Other customers must be diligent too.  Dedicated hosting can limit vulnerabilities but it is then entirely up to you to maintain security updates on your dedicated server.
  • Server Software – Maintaining the latest security updates to server software is critical in insulating your site.  Configuring firewall rules to limit exposure to unwanted guests to your site is also important.
  • Network infrastructure – Hosting providers have to not only manage an infrastructure of servers and software, but also the network that allows people to access your site(s).  Networks can be targeted which result in servers being taken offline. It is important to know that any hosting provider is susceptible to attacks. Making sure you’re prepared when your hosting provider goes off line for an extended period of time is essential.
  • Expertise and support for your CMS – Many hosting providers tout their ability to host your CMS website, but few have expertise in the CMS you’re using.  Hosting providers with a singular CMS focus can greatly reduce your exposure to hacking, as well as greatly reduce your effort in cleaning up your website after an intrusion.

2. Website Platform

Server side scripting languages enable websites the ability to dynamically retrieve content from databases. Depending on the language your website is built on, your site may have a greater risk for being exploited.

  • WordPress – WordPress is the most targeted CMS because it has the greatest install base on the internet.  Depending on the plugins you’re using, you may increase your risk. Using regularly updated, widely used plugins on your site help to reduce risk.
  • Other CMS’s – Other CMS’s like Drupal and Joomla are only less prone because there is less of an install base and hence less of an appeal to hackers to attack. However, a similar approach to using widely used modules that are regularly updated help to reduce risk.
  • Static HTML – Building a site entirely on HTML means there is no code on the server to execute – code is rendered on the client side. It is perhaps the safest server ‘code’ to be using, but also the most limiting in terms of website functionality.

3. Internet Audience – local, national, global

The source of much of the website hacking on the internet comes from Asia.  This is not the only source, though.  But because of the prevalence of hacking from Asia, it’s important to know the origin of your target audience and consider limiting traffic to your site to just your audience’s origin.  If you’re running a business that only aspires to do business locally, then there is no need to be accepting traffic from Asia, or other continents for that matter.

Preparation and Prevention

1. CMS updates

Ensure that regular security related updates are being applied to your CMS code and server software.

2. Provider’s infrastructure is built to mitigate attacks

This is difficult to assess, but the main recommendation here is twofold – ensure that the hosting provider you’re using has a network in place designed to mitigate infrastructure as well as individual server attacks. Additionally, consider using a service to reduce exposure to malicious sources of internet traffic, as well as one to scan your site regularly for malicious activity.

3. Backup – onsite and offsite

It is essential to have daily backups running of content and database for your site. Most hosting providers include this capability as part of their hosting service. Not having backups in place is only inviting downtime for your website. Consideration should be given to having backups available offline, should your hosting provider not be accessible for an extended period of time.

4. Redundant Site

Lastly, consider deploying a redundant site. Depending on the tolerance you have of your site being offline for extended periods of time, it may be worth considering running a separate instance, on a separate hosting provider.