Back in ancient times, 2014, I wrote the article, Is Your Mom Missing Her BUMM? which included a simple to remember acronym along with a fun little video presenting practical WordPress security planning.
Since then, I’ve learned a thing or two about security planning and preparation.
Today’s Security Reality
Website security in our open source coding environment is more about preparation and less about prevention.
While it’s true that good password management and security plugin, if you are using WordPress, and even a distributed denial (DDoS) protection service are reasonable things to do, none of these will prevent your website from being compromised; any more than bars on your home’s windows will prevent a burglar from breaking in to steal your stuff.
Guarding against malicious bots or people, like your home, requires both preparation and vigilance.
So let’s discuss website security planning.
Start by preparing your website against catastrophe by creating and maintaining a Backup.
Your backup is the first line of defense against both accidental or malicious damage to your website files and databases. An external cloud backup is key. Your backups should be stored “offsite” every 2 weeks for a month or more, with database backups saved every day for at least five days.
Over 80% of all WordPress hacking incidents are caused by a failure to Update plugins or themes.
Maintaining a regular update policy is key to securing your site against PHP exploits. Modern content management systems provide notification when updates are available. Reviewing your website at least monthly for update notices and updating accordingly will greatly reduce the potential your website becomes a victim of cyber crime.
Possibly the most overlooked aspect of website hosting relates to Maintenance of PHP scripts.
The average lifespan of a web designer’s project commitment is less than two years. That said, it’s become common for web designers to install staging sites for clients, or even experiment with different content management systems during the development of a new website.
Sadly, the story often goes like this, the client pays a web designer to create a website. Then once the project is completed, ongoing interactions between client and designer essentially stop. The Web designer, needing to the pay the bills, moves on to a new client, leaving old PHP scripting or staging sites in place.
This all to common problem leaves behind a ripe opportunity for random web bots or would-be hackers searching for exploits within commonly used directories like /demo, /test and /old. Multi-year old PHP scripts are often exploitable and should be either archived or deleted if not required.*
* The situation becomes exponentially more complicated in a non-segregated shared hosting account – I’ll discuss segregation a bit later.
A periodic maintenance review can be as simple as visually reviewing a website’s files directory, noting odd directory names, like the aforementioned /demo, /test and /old, then asking a web designer whether the directories are required for the site to function.
For WordPress websites, periodic maintenance should include the deletion of inactive themes and deletion of inactive plugins. Think of your WordPress plugins list like your bedroom. WordPress can be like a nicely made bed with clean sheets and pillowcases. Keep your “bed” clean and tidy and you’ll be less likely to get bed bugs.
Without active Monitoring in place, security breaches can turn from an inconvenience into near catastrophe.
Monitoring both the external and internal content of your website can be easily accomplished with free applications. With WordPress, many plugins are available to monitor for malware, unexpected changes to files, Administrative logins, and even monitor activity within your WordPress dashboard. Externally, free tools like changedetection.com and Google Alerts can monitor for changes to your home page or specific page content.
Monitoring for changes and establishing regular website content and database backups are essential parts of a solid website disaster recovery plan.
The Segregation of web applications will prevent mass-compromise situations.
Stories of shared web hosting disasters are rampant on the Internet. Hosting companies have offered unlimited websites hosting for many years now. Sadly, because websites added within a single shared hosting account are not segregated, a single command run through a single exploitable PHP script could wipe an entire account clear of data in seconds (or worse).
Segregation of web applications and associated FTP account access have become the new standard in website security planning.
B U M M S
“Your BUMMS are your best protection”
BUMMS – Website Security Preparation for Today
And a kind thank you out to a few folks who helped me in reading and editing: Sarah Dilks, Mike Dudas, Joyce, Abey Vettor, et al.