Website Security: This Excites me!
Sitting trying to find my php.ini for my local WordPress multi-install, and getting frustrated that I know I found it, and I changed the value I needed to change, but it isn’t show up as changed, I get an en email. It only contains one thing, but a beautiful thing:
Dear Site Admin,
A host, 22.214.171.124, has been locked out of the WordPress site at http://pureheartcenter.com due to too many attempts to access a file that does not exist.
Then I sit back and reflect a little on why I am busting my ass doing this work. All the training, all the classes, and all the reading. On top of that trying to find new clients. All whist dealing with being at the end of a horrendous Chemo and Radiation treatment for Cancer, (did I get the medal yet?) Then the Universe shows up with this. It may not mean a lot to most of you readers, but it means the world to me. It means that I am learning a little about website security, and the things I am implementing are paying off. Happy days.
I had two such emails yesterday for a client site, and I had no problems sharing it with them. I enjoyed letting them know that they are now protected. This particular client had been hacked badly, her site had been down for 2 months, and she was losing money before she found us. So we fixed her up, and now she can rest assured that things are working on her behalf, and she can get on with focussing on her own stuff, and leave the running of the website to us.
The client in question is hosting with a notoriously bad host that a lot of people use because they appear to be cheap up front, and they are a popular domain registration website as well. So heck, why not do everything in the one place, right? This host has been getting some real bad press lately about it’s inability to stop spammers and hackers, but why would that be an issue for them since they have a product they can sell you for that should such an event occur, mmmmmmm.
There are a few ‘too big to fail’ companies out there doing the very same thing. That is why small personal touch companies such as BarbApple Studios need to band together, and work a little harder at getting through to these clients to show them that there is a better, smarter way to take care of their website.
This hacker was thwarted by two plug-ins, two not so measly plug-ins with I will cover in a minute. A plugin that was correctly installed and configured. Hey that’s what you pay us for, and this is proof that your money is well spent right? It is the desire to do something well, and to keep at it that should drive us. If what you are doing sucks, then do something else. If you can’t stop doing what you are doing, then do that something else at the same time until you can transition over to it.
The plug-ins in question are Wordfence, and iThemes Security, and these are in my ‘recommended plug-ins’ article. These are a must install in my humble opinion on every website. They match all 5 of my 5 Step Criteria as to when to install a plug-in. I will post the 5 step below so that you don’t have go to another article to read them.
There are other things I look for, but these are my top 5. Don’t be shy about leaving a comment on what you think is important for a plug-in. I am open to new things.
BarbApple Studios 5 Step Criteria for the Installation of a Plug-in
- Do you really need it
- Sometimes we do install plugins for a reason other than necessity. That reason, and we all do it, is just because it’s cool. I have nothing against have these cool plug-ins on a website as long as they don’t break my 5 rules. Even a plug-in that I feel my site really needs is not implemented unless it passes the tests.
- Does it rate high
- This doesn’t help newer plug-ins.
- Those ones that have just been born and look like they are going to grow up into something really useful.
- This is where you make a choice as to whether or not you think it is worth.
- If it works then go and rate it so you can contribute to the rating portion of the 5 Step Criteria.
- Is it updated on a regular basis
- Does it say “Not tested with your particular version of WordPress” when you look at the details portion of the plugin?
- Do they offer a decent free version and a paid version
- Does the free version actually have enough features turned on to check out what it can do properly?
- Does the paid version offer enough of a change, and add something you can use that would enhance your site even more?
- How fast is their technical support
- Send an email to support and see how fast the get back to you
- Sometimes this can go back to number 4. Maybe the fast technical support is only in the paid version. I have seen that in some plugins.
But even the basic configuration of these plug-ins will help you slow down any attempt at malicious entry into your website. Nothing is perfect, and I am sure there are those of you out there that could do a better job, but what we do here at BarbApple Studios works, and works well. It doesn’t take long to read their installation and configuration documentation anyway if you wanted to tweak them further. So take the time with these plug-ins an you won’t be disappointed with the results.