In addition to world-class WordPress web design, SuperPage offers the following FREE security essentials for all of our new and existing clients. Our optional Premium Security goes further by: 1) installing a secure certificate (SSL) on your server; and 2) providing a thorough review/update of all of your files, the result of which will be a “Secure” designation (a lock icon next to your URL). Our goal is to keep the bad guys away from your site. SuperPage’s tools and our skills with these tools enable us to seek out and destroy the bad stuff that the bad guys “think” they’ve hidden in there. Thing is, we’re pretty clever too, and we know how and where to look. Both our free and Premium Security protocols are designed to keep your site free from hackers.
We perform an initial scan of your site and send you the results. This gives you a baseline so that you’ll know what we’ll be doing for you going forward. If we find anything, we’ll fix it and let you know what we found and what we did.
We host our WordPress sites on a Linux operating system with the Apache web server, the world’s number one web server. Apache uses a preconfiguration file called “.htaccess”. This file specifies rules that determine how and to whom your website should be sent from the server to the world. For example, .htaccess could be used to stop users from viewing certain pages, or redirect users to a specific page when they request a webpage that is under construction.
However, the .htaccess file can be vulnerable to attack. Using the .htaccess file, hackers can redirect your visitors to another website. Hackers can inject malicious lines of computer code in .htaccess files. This code can infect website visitors and create pandemonium across the site. Amazingly, the vast majority of web designers don’t think to protect .htaccess. But we do. SuperPage inserts airtight code at the very beginning of every WordPress .htaccess file, which effectively locks hackers out.
Administrator login protection
One of the main entry points for hackers is your login. First, they’ll try “admin,” “administrator,” “password,” your email address, all the obvious ones, but they also have robots that will try thousands of combinations of usernames and passwords until they hit on a match. These are called “brute force” attacks. To prevent a brute force attack, our administrators use only randomly generated passwords, with combinations of caps, lowercase, numbers, special characters and symbols, and we change them frequently.
However, if you decide to set your own password, we will insist on the following, at a minimum:
Your password MUST be at least 8 characters long.
Your password MUST contain at least one symbol and one number.
Your password MUST NOT relate in any way to your email address. That is, you CANNOT use anything to the left of “@” as your password.
Better to just use a randomly-generated password, which will will set up for you.
SuperPage builds sites in WordPress, the most powerful and widely supported open-source development platform. One of the very best — and worst — things about WordPress is plugins. What is a plugin? The WordPress codex says it best:
“Plugins are ways to extend and add to the functionality that already exists in WordPress. The core of WordPress is designed to be lean and lightweight, to maximize flexibility and minimize code bloat. Pluginsthen offer custom functions and features so that each user can tailor their site to their specific needs.”
There are over 49,000 WordPress plugins, but therein lies the problem. Some plugins are highly reputable, some aren’t. Plugins that are sloppily made and rarely (if-ever) updated are prime targets for hackers. In fact, poorly designed and maintained plugins are the principal means by which a hacker will gain access to your site. SuperPage only uses reliable, reputable, frequently updated, and highly-rated plugins, and we never install more plugins than absolutely necessary. Further, we auto-update plugins if the plugin offers it, but if not, we regularly scan your site for updates. Finally, if a particular plugin is either no longer necessary, or becomes out of date, we delete it and find you a better one.
Each time a hacker attempts entry into your site, we’re notified. To us, these notifications are high-tech interpretations of Little Richard’s classic rock-and-roll song, “You Keep-A-Knockin’ But You Can’t Come In.” In some cases with popular sites, hackers from everywhere, Lithuania, Moscow, Singapore, Guongdong, Las Vegas, etc., will “keep-a-knockin” hundreds of times a day. We make note of all attempts, and we permanently block the bad guys’ IP addresses.
Special attention to uploads
Often, web designers forget to assign permissions for the WordPress media folder, so attackers can use it to store backdoors, etc., sometimes hidden inside image files. That’s why we always use the “disable code execution in the uploads directory” option (see Wordfence, below). This option means that even if a hacker were able to upload something to this directory, which should only have media files in it in the first place, they will not be able to execute the code they put there. And we reject any plugin that uses the media folder for files.
Only the most reliable themes
A theme is a series of compatible graphical layouts with code. A theme gives a site it’s look and feel. Similar to plugins, themes are offered as third party structural components for a WordPress site. And much like plugins, some are better than others, and the bad ones are susceptible to hackers. Out of date and/or unreliable (buggy) themes are prime targets. SuperPage builds and maintains it’s own themes, and we only use the latest versions of third party themes that are proven reliable and well-supported.
We don’t mess around when it comes to protection, no way. Therefore, we install Wordfence ™, the most powerful WordPress security, on all of our sites. In addition to being the number one security plugin for WordPress, Wordfence provides the best protection available for your website, much safer than cloud-based firewall services. Powered by the constantly updated Threat Defense Feed, the Wordfence Firewall locks hackers out. Our Live Traffic view gives us real-time 24/7 visibility into traffic and hack attempts on your website, especially spam (fake pages), malware (malicious files), and database injections (deeply buried invisible code, very serious). A deep set of additional tools round out the most complete WordPress security solution available. Headquartered in Seattle, Wordfence is a widely respected and trusted organization, feared by the bad guys worldwide.
Backups and scans
Prior to performing any significant update to your site, e.g., updates to WordPress, plugins, themes, a new page, significant content changes, etc., we backup everything. This gives you that assurance that you can always go back to a previous version and nothing will be lost. If we get a notice that an issue has occurred on your site, critical or non-critical, we fix it immediately. Your SPI site is always up-to-date and clean as a whistle. Sorry, bad guys!
What if you’ve been hacked?
Although that’s highly unlikely if you’re a SuperPage client, if your site has indeed been hacked, we’ll go into deep code search and destroy mode on your behalf. We figure out how the bad guys actually got in. We dig deeply into the database and destroy every possible malicious file, including spam pages, malware, database injections, and more. After everything bad has been purged from your site, we send you a report with recommendations and guidelines to protect against future attacks. In addition, we upgrade Wordfence to the premium version and include a one year license ($99 vlue) as part of the fee. Finally, we pay special attention to your site to make sure it stays clean.
When a page is rendered on your site, php and mysql are used. Therefore, the system needs RAM and CPU to render it. If many visitors come to your site, or even if a few visitors are viewing your site simultaneously, the system uses lots of RAM and CPU, so the page is rendered more slowly. Our cache system generates a static html file and saves it. This decreases load times significantly by reducing the need for re-generation of php and mysql. When a new page or post is published, all cached files are deleted, which assures your visitors of the most recent information. When SuperPage creates your site, you’ll get the fastest possible page load times.