Cyber security is a shared responsibility: 7 tips to keep your website (and life) safe from attack

National Cyber Security Awareness Month

I was just talking with a friend this week who “almost” had her identity stolen and had credit cards opened up in her name. After spending countless hours of her time ridding her credit report of fraudulent data, she is finally back in the clear.

We’ve also had more sites hacked this year than in the previous five years combined. Granted, we also have more steady clients, but the number of security breaches is unprecedented.

This month is the 10th anniversary of National Cyber Security Awareness Month, a shared corporate and government initiative to promote awareness and provide resources that help keep us all safer and more secure online. One thing that we have really taken note of this year is how we all contribute to the security of those around us. In at least two of the hacks we dealt with, the breach was made on a neighboring site – not directly on the site that reported it to us. In one of those instances, our own site went down because of a less secure site that was sharing our server.

In the spirit of doing our part to keep things safe, we recommend conducting a security audit on your website:

1. Backup everything

You should backup your website as often as you update your website. This includes core website files, website assets (images, videos and other files) and database files. This ensures that you can quickly restore your site in the event it gets hacked.

2. Change your passwords

You should change your passwords regularly. Every 3 months is a good rule of thumb. This goes not only for passwords related to your website (admin dashboard, hosting account, domain registrar, database), but for your personal accounts as well (email, banking, utility accounts, credit card accounts). Many corporations now require employees to change their password on a regular basis, including preventing a password from being used more than once. There is a reason they do this. We agree it is annoying to change your password all the time, but not nearly as annoying as clearing up a breached credit report or dealing with a hacked website or stolen credit card.

3. Use strong(er) passwords

SplashData releases a list of the “worst” (meaning most popular) passwords every year. Their “Worst Passwords of 2012” included the same top five as the year before:

Rank   Password    Change from 2011
1      password    Unchanged
2      123456      Unchanged
3      12345678    Unchanged
4      abc123      Up 1
5      qwerty      Down 1

If you are using any of the passwords on the list, it is probably only a matter of time before you are hacked. Most hackers run automated “dictionary attacks” or “brute force attacks,” which are basically programs that try and guess your password by running through gigantic lists of commonly used passwords and sequences. A good password should contain a combination of letters (both capital and lowercase), numbers and special characters. It ideally should not contain any dictionary words, sequences or repeated characters, adjacent keyboard characters, or personal information (such as your kid’s name, phone number, birthday, anniversary).

Many applications, like WordPress, now have password strength checkers to help you create a strong, secure password. Microsoft also offers a free password checking tool on its website.

4. Vary your passwords

Don’t use the same password on multiple sites. If you do, and a hacker gets your password to one site, then they already have the key to all the others.

5. Don’t write your passwords down

This should be a no-brainer, but with dozens upon dozens of accounts these days, it can be next to impossible to remember them all. The trick is to use a password manager, like Dashlane. Although most modern browsers will remember passwords for you, as will Mac Keychain, a program like Dashlane can securely sync across all your devices AND log you in automatically.

(5b. Never, ever email or fax your passwords)

If you have to give them out, do it over the phone or by breaking them up into more than one message. I had one clever client tell me a website password in an email by creating a riddle out of descriptive phrases that only I would understand.

6. Regularly review your website logs

Your 404 crawl errors can alert you to SQL injection attempts on dynamic websites. Your raw access logs share information about who is visiting you and what they’re doing there, and whether password crackers are hitting your login page. If this is Greek to you, do yourself a huge favor and invest in managed website maintenance. We offer this service as part of our website maintenance plans. Contact us today to learn more.

7. Install a lockout system

If someone incorrectly tries to guess your website password more than 3-5 times, they should be locked out from trying again for a certain period of time. If a would-be hacker has to wait 5 minutes to try again, trust me that they’ll move on to a less secure site. Most automated scripts will move on automatically if they get locked out as well, after only a short period of time.
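The lockout rule above, as an added example (my code, not the post's or any WordPress plugin's): a small tracker that locks a client out for five minutes after five wrong guesses, rejects even a correct password while the lockout is active, expires on its own, and resets the counter on a successful login. Keying by client IP is an assumption; a real plugin may also key by username.

```python
from collections import defaultdict
from datetime import datetime, timedelta

class LoginLockout:
    """Track failed logins per client and lock out after too many in a row.
    Assumptions (not from the post): the key is the client IP, the failure
    counter resets on success, and a lockout expires once `lockout_for` passes."""

    def __init__(self, max_failures=5, lockout_for=timedelta(minutes=5)):
        self.max_failures = max_failures
        self.lockout_for = lockout_for
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, client, now):
        until = self._locked_until.get(client)
        if until is None:
            return False
        if now >= until:
            # Lockout has expired: clear it and start a fresh count.
            del self._locked_until[client]
            self._failures[client] = 0
            return False
        return True

    def record_failure(self, client, now):
        """Return True if this failure triggers (or continues) a lockout."""
        if self.is_locked(client, now):
            return True
        self._failures[client] += 1
        if self._failures[client] >= self.max_failures:
            self._locked_until[client] = now + self.lockout_for
            return True
        return False

    def record_success(self, client):
        self._failures.pop(client, None)
        self._locked_until.pop(client, None)

    def attempt_login(self, client, password_ok, now):
        """Single entry point: returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(client, now):
            return "locked"          # do not even check the password
        if password_ok:
            self.record_success(client)
            return "ok"
        self.record_failure(client, now)
        return "locked" if self.is_locked(client, now) else "failed"

def simulate():
    """Constructed scenario: five wrong guesses, a correct guess during the
    lockout, a correct guess after it expires, and an unrelated client."""
    t0 = datetime(2013, 10, 10, 8, 0, 0)
    guard = LoginLockout()
    results = []
    for i in range(5):
        results.append(guard.attempt_login("198.51.100.9", False, t0 + timedelta(seconds=i)))
    results.append(guard.attempt_login("198.51.100.9", True, t0 + timedelta(seconds=6)))
    results.append(guard.attempt_login("198.51.100.9", True, t0 + timedelta(minutes=5, seconds=6)))
    results.append(guard.attempt_login("203.0.113.7", True, t0))
    return results
```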

Bonus: remember Darwin

It’s survival of the fittest. If a good thief ever really wants in, they will find a way in. But the idea is to make it as annoying and time consuming as possible to break into your website. A thief won’t want to waste precious time disabling your alarm, cutting out your steering wheel lock and worrying about whether you have LoJack when the next car is just sitting there unlocked with a set of keys “hidden” in the visor. The more you protect your site, the stronger it will be, lessening your chances of becoming easy prey.


Security Audit and Maintenance Plans

Contact us for a security audit and to sign up for an ongoing maintenance plan. You wouldn’t drive without insurance, so don’t leave your website investment to chance. We’ll review your site for any security holes, review your logs and conduct regular checkups and backups.

3 compelling reasons to update and secure your WordPress website

Your WordPress website needs regular maintenance to perform optimally. The WordPress core application is constantly being updated, and so are WordPress themes and plugins. Keeping your installation up-to-date is extremely important – especially since so many updates contain security fixes and patches that close vulnerabilities in your WordPress website or blog before they can be exploited.

Because of its widespread popularity, WordPress-based sites are a constant target of hackers and spammers. The WordPress developers continually monitor this and create patches to fix any potential security holes, leading to regular updates that will keep your WordPress installation clean and safe. If you do not keep your WordPress installation current, you risk becoming a victim of malicious attacks that would otherwise be easily prevented.

Additionally, WordPress is known to be something of a “memory hog” and frequent posts and visitor discussions can quickly take up space and increase bandwidth.

Maintaining WordPress is more than simply updating the core, themes and plugins. There are numerous WordPress maintenance tasks that should be performed regularly in order to keep your site running optimally and securely. You should also conduct a security audit to make sure you are following the latest protocols.

The following are three real-life examples of WordPress maintenance-related issues. Each highlights the importance of keeping your WordPress installation updated, maintained and backed up.

1. Outdated WordPress site hacked; infects entire server

We used to host client sites on our server. We ran into one instance where one of these clients neglected to update their WordPress installation for quite some time. Needless to say, they got hacked, falling victim to a widespread hack attack on WordPress sites across the globe. Once these hackers got in, they were able to navigate through and infect every single site on our server. Our personal site went down, along with several development sites and a few live client sites. Thankfully we had recent backups of everything, but it was still quite a mess to untangle. Lesson learned.

This wasn’t the first time we’ve seen WordPress sites get hacked, and it certainly won’t be the last. As of the time of this posting, we had another client contact us just yesterday explaining that his site was hacked and flagged as “unsafe” by Google. It was, however, the first (and only) time our own WordPress install was hacked. Although our site itself was secure, we were hacked through another insecure site on our server. This just goes to show that even though you may think your site is secure, there may still be vulnerabilities elsewhere that pose a risk. Make sure you not only secure your site, but that you also know your hosting environment and, just as importantly, have a backup. If you’re not 100% sure you can handle all of this, our maintenance plans will handle the burden for you.

2. Outdated plugin crashes WordPress site

One client of ours initially refused the maintenance package, intending to update his website on his own. After all, WordPress provides simple “update” buttons that enable users to easily update the application, most plugins and many WordPress themes at the click of a button. One time, however, this client called us in a panic. He updated his WordPress site and it crashed. His site was nothing but an error page and he had no idea what to do. He also had not backed up his site in some time and was concerned he would lose data.

We tracked the error to a WordPress plugin that was incompatible with WordPress 3.0, a major release of the platform that included several new enhancements and features. The issue was that the plugin relied on WordPress code that was deprecated and no longer supported by the platform. So when the client updated WordPress, the plugin generated a fatal error: nothing else would work. Lucky for the client, we were able to roll back WordPress to an earlier version and then replace the outdated plugin. Not all plugin developers maintain their code, so even though a plugin is “free” – it may end up costing you more than you think! This client has since subscribed to our maintenance plan, which provides “insurance” against crashes like this.

3. Spikes in server load due to bot attack cause bandwidth crash

One of the common methods hackers use to attack WordPress websites is a brute force attack on the login page, trying to guess the admin password. These automated scripts cause huge spikes in server load, and the increased bandwidth can be enough to take your site offline. This has happened to a few sites that we manage, resulting in phone calls from clients in a frenzy. Fixing this usually involves working with your website hosting company’s support team, asking the “right” questions and then implementing one or more fixes depending on the source of the problem.

Our experience in dealing with this type of issue helps get your site back online quickly and patches the source of the problem. Our maintenance plan includes tasks that help minimize this risk as well as covers the repair.


WordPress Maintenance Plans

Because proper WordPress maintenance can be an arduous task, Agua Web Design has created a suite of WordPress maintenance plans. Our plans all focus on keeping your WordPress installation up to date, clean, secure and running optimally. They also include regular backups and restoration services. Each maintenance plan offers the same helpful features – the difference is the update frequency. Contact us today to find out which package is the best fit for your WordPress website.

7 WordPress maintenance tasks you should perform on a regular basis

WordPress is a simple, yet feature-rich platform. Although it has a small learning curve (like any new application), it is pretty easy to get a site up and running. There are tons of free themes and plugins that make it easy for even a website novice to develop a fully functioning WordPress website or blog. But, like anything, it requires the occasional tuneup in order to continue running optimally. Even the fanciest luxury vehicle needs to go to the shop every once in a while.

The following seven tasks should be performed on a regular basis to ensure your WordPress website continues running smoothly and securely.

1. Update WordPress

Since its inception, WordPress has blossomed from a simple blogging application into a full-blown Content Management System (CMS). It’s used to power some of the most popular websites in the world, including Forbes, Best Buy and Jay Z. It seems that each new release brings new features and enhancements that make the application better and better. However, the growing popularity of WordPress websites is also the application’s biggest vulnerability, as it continues to be a target for hackers. Regularly updating your core WordPress application enables you to take advantage of all the latest features while also helping to maximize security.

Helpful Tip: Take care to backup your site before every upgrade, to ensure you can roll back in the event you run into problems.

2. Update and audit your plugins

This means not only updating plugins to the newest version on a regular basis, but also replacing out-of-date plugins with newer, more regularly maintained alternatives. There are tons of free plugins out there, but some still cost you in other ways, including increasing your risk of being hacked or crashing your site. In addition to updating them, make sure your plugins are regularly updated by their developers and that they are not causing conflicts with other plugins. If a plugin is not being updated, then at some point it is very likely to start causing problems.

Another important task is to regularly assess the value of your plugins. Although they add functionality and useful features, they also can weigh your site down and affect your site’s performance. Many simple features can be achieved by adding a very small amount of code to your functions.php file and don’t necessarily require the heavy load of a plugin. Review them regularly and ditch any you can live without.

If you aren’t sure which WordPress plugins you can replace or get rid of, contact us to learn more about how to conduct a plugin audit and assessment.

3. Update or upgrade your WordPress theme

Many free and premium WordPress themes receive automatic updates, but definitely not all. If your theme does not receive automatic updates then you will want to check with the developer to see if they provide manual updates.

Manual updates require FTP access. Make sure you backup your site before updating your theme (unless you are using a child theme, in which case it is always safe to update the parent). Many theme updates will overwrite any customizations you have made to the theme files, including functions.php and the style sheet. The theme developer should lend any support in this area.

If your theme does not have any updates available, or is not regularly updated by the developer, then you may want to look at finding a new theme.

We highly recommend switching to a framework, if you have not already done so. We used to build our own themes from scratch to maximize customization. But the trade off was having to manually update and essentially redevelop the themes when they became outdated. Then we discovered – and fell in love with – WordPress parent/child frameworks. After initially working with the Thesis framework, we started developing child themes for the Genesis framework by Studiopress. Genesis is an excellent framework for many reasons, not least because it updates at the click of a button.

4. Purge unused assets

Unused images and other media files take up space and needlessly increase bandwidth usage. And old, inactive plugins and themes are also a huge security liability (with the sole exception of the default WordPress themes, which are critical for bug testing and should never be deleted).

Inactive plugins should be deleted from your server, including plugins you use on an occasional basis. As a general rule, if a plugin is not actively doing something on your website, delete it. You can easily add it back in to use when you need it. Hackers are familiar with which plugins have security holes, and can easily scan your site to see if any vulnerable plugins are installed (even if they’re “inactive”) and use them to break in.

Outdated themes pose a similar risk to plugins, though not as widespread. Any non-default themes should be removed when not in use. Default themes (the ones that come with WordPress) should not be deleted, but make sure you keep them updated. Depending on which version of WordPress you are running, the default themes for your version should include Twenty Twelve and/or Twenty Thirteen.

5. Fix broken links

Little is more annoying to a site visitor than clicking a link and getting an error page. When linking internally, keep in mind that a link to a post or page may change if you alter the post slug, category, parent, or site URL. If you change anything that could affect a post URL, then you should also update any links on your site that refer to that post or page. Using the “link to existing content” section of the link tool in the WordPress editing window, or the page/post link window on the menu dashboard, can help minimize internal linking issues as links will be updated automatically. But if you manually type or paste in your link URLs into a post, menu or widget then you may encounter linking issues when you move things around.

Further, even if none of your internal links are broken, you may be linking externally. As we learned above, websites occasionally change their permalink structure, and sometimes go offline altogether, rendering certain URLs obsolete.

It’s a good idea to use Google Webmaster Tools or a reliable broken link checking plugin to scan your site for broken links on the regular, and then update or remove them as needed.

Helpful Tip: If you use a plugin to check for broken links, you should ideally deactivate and delete it when not in use (see #4 above).

6. Optimize and clean up your database

Your WordPress database gets junked, like a storage garage, and needs purging every so often.

  • WordPress by default stores every post and page revision, meaning every single time you hit the Publish button, WordPress saves a copy in your database. This makes it easy to roll back to a previous version at any time – especially helpful if you made a mistake – but it also starts to eat up space. You can limit the number of revisions in your wp-config.php file, but it is not retroactive. The only way to delete already-saved revisions is to purge them directly from the database.
  • WordPress also collects comment spam, storing it in your database for a rainy day. And why would it do that? So you can recover a comment incorrectly marked as spam, or so you can review spam comments to identify and block repeat offenders. Unless you are running a script to delete your comment spam, it is probably clogging up your database.
  • When plugins are installed, most will create database entries in your wp-options table.

We recently cleaned out a client’s database, which was full of old post revisions, archived comment spam and options from deleted plugins. This single task cut the database size by more than half, reducing it from more than 50MB to less than 20MB. This not only freed up space on her server, it also sped up her site.

7. Backups

Your site should be backed up as often as you add new content, enabling you to quickly restore it to a working condition in the event of an attack or bug. If you aren’t regularly adding new content (although if you want to boost your SEO you should be), then you only need a backup when something is changed. If you are blogging or adding new content on the regular (and making the search engines, and your visitors, very happy) then you should back up often. If you post daily, then you may want to schedule daily backups. Some hosts offer this for a nominal fee. If you are updating a handful of times each week, then weekly backups are probably fine. If you update several times per month then make sure you back up once or twice a month.

WordPress essentially consists of three components: the core application, the database, and your content files. As of the time of this posting, the WordPress application is approximately 15MB. If you’re always updating to the latest version (as you should be), there is no need to back up these files. If you are running an older version for compatibility reasons then save a copy of the version you are using and you can then exclude it from your regular backups.

What you will want to back up are your database and your WordPress content files, including plugins, themes, and uploads (images, documents and other media files), which are all concentrated in a directory named wp-content.


WordPress Maintenance Plans

Agua Web Design offers a suite of prepackaged maintenance plans that cover all of the above – with varying levels of guarantee. Our packages are available with monthly, semi-weekly or weekly service. For sites that are updated infrequently, we can modify the plan to meet your needs, including quarterly, semi-annually or even once a year. Save yourself the stress and headache and contact us now to find a plan that meets your needs.