Security Essentials With All SuperPage Sites
In addition to world-class WordPress web design, SuperPage offers the following security essentials for all of our new and existing clients. Our optional Premium Security offers several a la carte options, including Wordfence Premium, login masking, two-factor authentication (2FA), .htaccess for your business, and more, all designed to keep the bad guys out, totally. Essentials or Premium, our goal is to eliminate the potential for attacks altogether. SuperPage’s tools and our skills enable us to seek out and destroy the stuff that the bad guys “think” they’ve hidden in there. Thing is, we’re pretty clever too: we know how to look and where to look, and we’re protecting your precious content.
Initial review and report
We perform an initial scan of your site. This gives us a baseline so that we’ll know what we’ll be doing for you going forward. If we find anything, we’ll fix it and let you know what we found and what we did.
We host our WordPress sites on a Linux operating system with the Apache web server, the world’s number one web server. Apache reads a per-directory configuration file called “.htaccess”. This file specifies rules that determine how, and to whom, your website should be sent from the server to the world. For example, .htaccess could be used to stop users from viewing certain pages, or to redirect users to a specific page when they request a webpage that is under construction. However, the .htaccess file can itself be a target. If hackers can write to the .htaccess file, they can redirect your visitors to another website, and they can inject malicious lines of code into it. This code can infect website visitors and create pandemonium across the site. Amazingly, the vast majority of web designers don’t think to protect .htaccess. But we do. .htaccess protection is a standard security feature on your SuperPage site.
We don’t mess around when it comes to protection, no way. We install Wordfence™, the most powerful WordPress security, on all of our sites. In addition to being the number one security plugin for WordPress, Wordfence technology is based on an “endpoint” firewall, one that runs on the web server itself, which is the best protection available for your website and much safer than cloud-based firewalls (e.g., Cloudflare, Sucuri). Powered by the constantly updated Threat Defense Feed, the Wordfence Firewall locks hackers out. Wordfence’s Live Traffic view gives us real-time, 24/7 visibility into traffic and hack attempts on your website, especially spam (fake pages), malware (malicious files), and database injections (deeply buried invisible code, very serious). A deep set of additional tools rounds out the most complete WordPress security solution available. Wordfence is a widely respected and trusted organization, feared by the bad guys worldwide.
Unfortunately, the vast majority of web sites whose addresses begin with HTTP (hypertext transfer protocol) are fundamentally insecure and vulnerable to third-party attack. On the other hand, a secured site, indicated by HTTPS instead of HTTP, uses an impenetrable “key,” a certificate that we install on your server, to encrypt everything that passes between your visitors and the site. Installing this certificate is the first step in protecting your site against hackers, and it comes with all SuperPage sites. To the right, we’ve embedded a Google presentation entitled “Real Talk About HTTPS.” A bit geeky, true, but worth watching. Watch just the first few minutes and you’ll understand why HTTPS is important for all sites, including yours. SuperPage also conforms to Google’s HSTS Preload Service: we follow their guidelines and correctly submit your domain, so browsers will never connect to your domain over an insecure connection.
Review and Update All Files
To achieve a truly “Secure” designation (the padlock icon next to your URL), HTTPS is not enough. Every file, including images, videos, PDFs, etc., must also be served over HTTPS. Even the simplest sites with just a few pages can have as many as 200 vulnerable HTTP files, and securing every one of them is the only way for your site to get a Secure designation. Why is a Secure designation so important? Not only is a totally secure site necessary to keep the bad guys away, but Google and others favor totally secure sites in search results. With a Secure designation, your site will be moved up the list, but if your site isn’t secure, it will be moved down the list toward oblivion, i.e., a waste of your investment. Plugins can solve some of the problems, but not all of them. For example, “mixed content” (e.g., an insecure image) often requires access to the source code to fix. Tricky stuff, but SuperPage has the tools and the know-how to find, review, and secure everything, thus thoroughly protecting your web presence and getting you that padlock.
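As an added example (not SuperPage’s own configuration file), here is a root .htaccess for Apache 2.4 that does what the .htaccess-protection, HTTPS/HSTS and mixed-content passages above describe; it assumes mod_rewrite and mod_headers are enabled, that TLS terminates on this Apache itself, and it takes the domain from the request rather than hard-coding one.

```apache
# Root .htaccess for a WordPress site on Apache 2.4 (added example, not SuperPage's file).
# Assumes mod_rewrite and mod_headers are loaded and TLS is terminated by this server.

# 1. Never serve .htaccess itself to a browser. Apache's stock httpd.conf already
#    denies ".ht*"; repeating it here keeps the protection on hosts that ship a
#    different main config.
<Files ".htaccess">
    Require all denied
</Files>

# 2. Send every plain-HTTP request to the same URL over HTTPS (301, permanent).
#    The HSTS preload service requires this redirect on the bare domain.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

<IfModule mod_headers.c>
    # 3. HSTS with the three things hstspreload.org checks for: a max-age of at
    #    least one year (31536000 s), includeSubDomains, and preload.
    #    "env=HTTPS" limits the header to TLS responses, as RFC 6797 requires.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

    # 4. Ask browsers to fetch any remaining http:// sub-resources (images, scripts,
    #    PDFs) over https:// instead. This clears the mixed-content warning while the
    #    source references are being corrected, but only works when each file is also
    #    reachable over HTTPS. If the site already sends a Content-Security-Policy,
    #    add this directive to that policy rather than setting a second header.
    Header always set Content-Security-Policy "upgrade-insecure-requests"
</IfModule>
```

If TLS is terminated by a proxy or load balancer in front of Apache, the HTTPS variable is not set and both the redirect and the HSTS header need to key off the proxy’s forwarded-protocol header instead. Submit the domain to the preload list only after the header has been verified on the live site, because removal from the list takes months.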
Administrator login protection
One of the main entry points for hackers is your login. First, they’ll try “admin,” “administrator,” “password,” your email address, all the obvious ones, but they also have bots that will try thousands of combinations of usernames and passwords until they hit on a match. These are called “brute force attacks.” To prevent a brute force attack, our administrators use only randomly generated passwords, with combinations of caps, lowercase, numbers, special characters and symbols, and we change them frequently.
However, if you decide to set your own password, we will insist on the following, at a minimum:
- Your password MUST be at least 8 characters long.
- Your password MUST contain at least one symbol and one number.
- Your password MUST NOT relate in any way to your email address. That is, you CANNOT use anything to the left of “@” as your password.
Better to just use a randomly-generated password, which we will set up for you.
Only the Most Reliable Plugins
SuperPage builds sites in WordPress, the most powerful and widely supported open-source development platform. One of the very best — and worst — things about WordPress is plugins. What is a plugin? The WordPress codex says it best:
“Plugins are ways to extend and add to the functionality that already exists in WordPress. The core of WordPress is designed to be lean and lightweight, to maximize flexibility and minimize code bloat. Plugins then offer custom functions and features so that each user can tailor their site to their specific needs.”
There are over 49,000 WordPress plugins, and therein lies the problem. Some plugins are highly reputable, some aren’t. Plugins that are sloppily made and rarely (if ever) updated are prime targets for hackers. In fact, poorly designed and maintained plugins are the principal means by which a hacker will gain access to your site. SuperPage only uses reliable, reputable, frequently updated, and highly rated plugins, and we never install more plugins than absolutely necessary. Further, we auto-update plugins if the plugin offers it, and if not, we regularly scan your site for updates. Finally, if a particular plugin is either no longer necessary or becomes out of date, we delete it and find you a better one.
Database Cleanup, Caching, Performance
After pages, plugins and/or themes have been updated, we routinely clean expired “transient” entries out of the database. Then we clear the cache so that all changes will be visible on all browsers, worldwide. If we notice a slowdown that has not been determined to be the fault of the ISP (which it usually is), we run performance tests to bring your site to the quickest possible load time. Here’s more info:
- Rendering. When a page is rendered on your site, PHP and MySQL are used, so the system needs RAM and CPU to render it. If many visitors come to your site, or even if a few visitors are viewing your site simultaneously, the system uses lots of RAM and CPU, so the page is rendered more slowly. If there’s a coordinated attack from bots around the globe, your site can shut down altogether, regardless of whether or not the bad guys get in. Caching generates a static HTML file and saves it. This decreases load times significantly by reducing the need to regenerate pages through PHP and MySQL, it allocates resources effectively, and it can keep your site online even under severe conditions. When a new page or post is published, all cached files are deleted, which assures your visitors of the most recent information.
Each time a hacker attempts entry into your site, we’re notified. To us, these notifications are high-tech interpretations of Little Richard’s classic rock-and-roll song, “You Keep-A-Knockin’ But You Can’t Come In.” In some cases with popular sites, hackers from everywhere, Istanbul, Moscow, Singapore, Guangdong, Las Vegas, etc., will “keep-a-knockin” hundreds of times a day. We make note of all attempts, and we permanently block the bad guys’ IP addresses.
Special attention to uploads
Often, web designers forget to assign permissions for the WordPress media folder, so attackers can use it to store backdoors, etc., sometimes hidden inside image files. That’s why we always use the “disable code execution in the uploads directory” option. This option means that even if a hacker were able to upload something to this directory, which should only have media files in it in the first place, they will not be able to execute the code they put there. And we reject any plugin that uses the media folder for files.
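An added example, not SuperPage’s or Wordfence’s own file: a .htaccess placed in wp-content/uploads that implements the “disable code execution in the uploads directory” idea on Apache 2.4, so that a request for any script file under that tree is refused with 403 before PHP ever sees it.

```apache
# wp-content/uploads/.htaccess (added example, not SuperPage's or Wordfence's file).
# Apache 2.4 syntax. The uploads tree should hold only media, so a request for
# anything that looks like a PHP script here is refused outright.

# Match .php, .php5, .phtml, .phar, and also double extensions such as
# "picture.php.jpg", which some AddHandler setups would still hand to PHP.
<FilesMatch "\.(php|php[0-9]|phtml|phar)(\.|$)">
    Require all denied
</FilesMatch>

# Belt and braces when PHP runs as an Apache module (mod_php): even if a handler
# mapping slips through, the PHP engine is switched off for this directory.
# Under PHP-FPM these blocks are skipped, and the FilesMatch rule above does the work.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

This blocks direct requests only; a scheduled file scan of the uploads tree for anything that is not an image, video or document is still worthwhile, which is the kind of check the site scans described above are meant to catch.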
Only the most reliable themes
A theme is a series of compatible graphical layouts with code, call it a “framework.” A theme gives a site its look and feel. Similar to plugins, themes are offered as third-party structural components for a WordPress site. And much like plugins, some themes are better than others, and bad themes are susceptible to hackers. Out-of-date and/or unreliable (buggy) themes are prime targets. SuperPage only uses the latest versions of third-party themes that are proven reliable and well supported, and we go to extra lengths to keep them up to date on your behalf.
Backups and scans
Prior to performing any significant update to your site, e.g., updates to WordPress, plugins, themes, a new page, significant content changes, etc., we back up everything, on both cloud and local servers. This gives you the assurance that you can always go back to a previous version and nothing will be lost. If we get a notice that an issue has occurred on your site, critical or non-critical, we fix it immediately. Your SPI site is always up to date and clean as a whistle. Sorry, bad guys!