Website Security Question

22 replies
Hello all!

A couple of days ago I came across a thread here where an unfortunate fellow warrior wrote that his websites had been hacked. I feel bad for him, and hope that he will get his situation resolved as quickly as possible, however the issue gave me an eye-opening jolt. It's so easy to take this matter for granted isn't it? I certainly am guilty, none of my sites are secured. I wonder how many others are just waiting to become the next targets of another hacker attack. So I started looking into a few website security providers. The prices vary a lot, I saw services delivered from 19.90$-147$ a month. It might sound a bit steep, but is it really worth overlooking? I for one will implement it as soon as I can afford it, but in the mean time, I was wondering if anyone would share what services you use, and if you know of any good ones that are free?

Thank you all in advance,

Alex
#question #security #website
  • Profile picture of the author cre8ifwealth
    Hi Alex,

    Can you give more details about your website. Is it build on wordpress?

    If wordpress, please install/activate WP Secure and Akismet plugin.

    These 2 plugins will make sure your site is secure.

    If your website is not on wordpress, please share some basics details about your website.

    Cheers,

    Gary Ganesan
    Signature

    I am Gary Ganesan, entrepreneur and online marketer, and I am excited to help you jumpstart your online business. My website, MonetizingInternet.com, contains a lot of information, as well as tips and tricks on the Internet marketing trade.

    {{ DiscussionBoard.errors[7183139].message }}
    • Profile picture of the author IM Alex
      Originally Posted by cre8ifwealth View Post

      Hi Alex,

      Can you give more details about your website. Is it build on wordpress?

      If wordpress, please install/activate WP Secure and Akismet plugin.

      These 2 plugins will make sure your site is secure.

      If your website is not on wordpress, please share some basics details about your website.

      Cheers,

      Gary Ganesan


      Hi Gary, thank you for the reply.

      I do run the sites on Wordpress, Askimet is already in place, as well as SI Captcha, looking into WP Security right now. I've had a look at some paid services, and so far SiteLock, WebsiteDefender and TrustGuard look promising. Thank you again for the tips
      Signature

      If you're in doubt, you're not in doubt.

      {{ DiscussionBoard.errors[7183384].message }}
      • Profile picture of the author Kingfish85
        Originally Posted by IM Alex View Post

        Hi Gary, thank you for the reply.

        I do run the sites on Wordpress, Askimet is already in place, as well as SI Captcha, looking into WP Security right now. I've had a look at some paid services, and so far SiteLock, WebsiteDefender and TrustGuard look promising. Thank you again for the tips
        Here's what I've posted a few times on other threads concerning security here in the forum.

        SiteLock and the others, are simply scanners so keep in mind they won't stop anything or be pro-active.

        Installing plugins help, but it's more of a mental thing than anything. I'll list a few tips below that will certainly help.
        • Keep Wordpress up to date
        • Update your plugins
        • Don't use plugins that aren't supported/developed any longer
        • Change admin username via the database, not the friendly name
        • Don't install plugins for simple tasks like adding Google Analytics
        • Use a 3rd party scanner such as SiteLock, GeoTrust etc (can help with alerting/checking for malware,xss etc.
        • Password protect your wp-admin directory at the server level - 2 separate usernames/passwords
        • If you value your websites, stop using cheap services that the spammers use
        • Use CloudFlare - they have a number of security tools, country blocking etc available
        • Be sure your host is not using an out of date or known exploited mySQL and/or php version
        • Move your wp-config file into the home/ directory
        • wp-admin/ & wp-includes/ should only be writable by your user account (as a few others under wp-content)

        By changing the permissions on some of the directories, it could possibly break the functionality of a few things so be sure to do your research first.

        Changing the table prefix & admin username help, but are not fool proof. Any malicious user that knows that they are doing can easily get the site to display errors that show the user, table prefix, paths etc. This is only security by obscurity. (out of sight out of mind kind of)

        Make sure YOU are taking regular backups. There's too many free or cheap backup services out there and there's no reason why you can't use one of them. Even if you can't pay for it, cPanel (if using cPanel) has a backup utility built right in that will package up your entire account. Your host may also offer backups that you can use.

        There's a few tips that will hopefully help some people out here. There's more, but I won't go into detail.
        {{ DiscussionBoard.errors[7183407].message }}
        • Profile picture of the author IM Alex
          Originally Posted by Kingfish85 View Post

          Here's what I've posted a few times on other threads concerning security here in the forum.

          SiteLock and the others, are simply scanners so keep in mind they won't stop anything or be pro-active.

          Installing plugins help, but it's more of a mental thing than anything. I'll list a few tips below that will certainly help.
          • Keep Wordpress up to date
          • Update your plugins
          • Don't use plugins that aren't supported/developed any longer
          • Change admin username via the database, not the friendly name
          • Don't install plugins for simple tasks like adding Google Analytics
          • Use a 3rd party scanner such as SiteLock, GeoTrust etc (can help with alerting/checking for malware,xss etc.
          • Password protect your wp-admin directory at the server level - 2 separate usernames/passwords
          • If you value your websites, stop using cheap services that the spammers use
          • Use CloudFlare - they have a number of security tools, country blocking etc available
          • Be sure your host is not using an out of date or known exploited mySQL and/or php version
          • Move your wp-config file into the home/ directory
          • wp-admin/ & wp-includes/ should only be writable by your user account (as a few others under wp-content)
          By changing the permissions on some of the directories, it could possibly break the functionality of a few things so be sure to do your research first.

          Changing the table prefix & admin username help, but are not fool proof. Any malicious user that knows that they are doing can easily get the site to display errors that show the user, table prefix, paths etc. This is only security by obscurity. (out of sight out of mind kind of)

          Make sure YOU are taking regular backups. There's too many free or cheap backup services out there and there's no reason why you can't use one of them. Even if you can't pay for it, cPanel (if using cPanel) has a backup utility built right in that will package up your entire account. Your host may also offer backups that you can use.

          There's a few tips that will hopefully help some people out here. There's more, but I won't go into detail.

          Thank you for great tips and advices, will be sure to apply these
          Signature

          If you're in doubt, you're not in doubt.

          {{ DiscussionBoard.errors[7183438].message }}
        • Profile picture of the author damoncloudflare
          Originally Posted by Kingfish85 View Post

          Here's what I've posted a few times on other threads concerning security here in the forum.

          SiteLock and the others, are simply scanners so keep in mind they won't stop anything or be pro-active.

          Installing plugins help, but it's more of a mental thing than anything. I'll list a few tips below that will certainly help.
          • Keep Wordpress up to date
          • Update your plugins
          • Don't use plugins that aren't supported/developed any longer
          • Change admin username via the database, not the friendly name
          • Don't install plugins for simple tasks like adding Google Analytics
          • Use a 3rd party scanner such as SiteLock, GeoTrust etc (can help with alerting/checking for malware,xss etc.
          • Password protect your wp-admin directory at the server level - 2 separate usernames/passwords
          • If you value your websites, stop using cheap services that the spammers use
          • Use CloudFlare - they have a number of security tools, country blocking etc available
          • Be sure your host is not using an out of date or known exploited mySQL and/or php version
          • Move your wp-config file into the home/ directory
          • wp-admin/ & wp-includes/ should only be writable by your user account (as a few others under wp-content)

          By changing the permissions on some of the directories, it could possibly break the functionality of a few things so be sure to do your research first.

          Changing the table prefix & admin username help, but are not fool proof. Any malicious user that knows that they are doing can easily get the site to display errors that show the user, table prefix, paths etc. This is only security by obscurity. (out of sight out of mind kind of)

          Make sure YOU are taking regular backups. There's too many free or cheap backup services out there and there's no reason why you can't use one of them. Even if you can't pay for it, cPanel (if using cPanel) has a backup utility built right in that will package up your entire account. Your host may also offer backups that you can use.

          There's a few tips that will hopefully help some people out here. There's more, but I won't go into detail.
          "Use CloudFlare - they have a number of security tools, country blocking etc available"
          Just a quick note that our blocking option in threat control currently only challenges visitors from that region with a challenge page & is not a full block (that option may come in the future).
          Signature
          {{ DiscussionBoard.errors[7222761].message }}
  • Profile picture of the author Kingfish85
    And what exactly are they providing you? And who are the companies you're referring to? There's a lot of misconception of what "security" is & how to secure things. I'd suggest consulting with a seasoned programmer that is both familiar in programming & administering/securing servers.

    EDIT: Also, the post above me is helpful, but don't give the OP the perception that installing 2 plugins is going to fix security issues. Half of these so called "security" plugins can and have already been exploited.
    {{ DiscussionBoard.errors[7183359].message }}
    • Profile picture of the author IM Alex
      Originally Posted by Kingfish85 View Post

      And what exactly are they providing you? And who are the companies you're referring to? There's a lot of misconception of what "security" is & how to secure things. I'd suggest consulting with a seasoned programmer that is both familiar in programming & administering/securing servers.

      EDIT: Also, the post above me is helpful, but don't give the OP the perception that installing 2 plugins is going to fix security issues. Half of these so called "security" plugins can and have already been exploited.

      Will most def have a talk with a seasoned programmer/admin about it, I myslef know very little about the topic unfortunately. I've had a brief look and so far SiteLock, TrustGuard and WebsiteDefender stick their necks out the most, but again, I wouldn't know which one actually would deliver quality service and which one wouldn't at the moment...
      Signature

      If you're in doubt, you're not in doubt.

      {{ DiscussionBoard.errors[7183413].message }}
  • Profile picture of the author Tom Brownsword
    There is no magical solution to security. Security is all about identifying risks, then taking steps to minimize them (i.e. mitigate). You will always have some residual risk that you have to accept. With WordPress, you should always be using the latest version, keep plug-ins and themes up-to-date (and don't use the ones that don't offer support, no matter how cheap or convenient they are), etc. And don't forget the backups (wp-db-backup is the one I use -- I think... Just set it up to email the backups to a Gmail account, set up a filter to send it to Trash, and you'll always have 30 days of your WP database backed up and ready). Lots of other good tips in this thread, too. Insofar as "secure hosting" goes: Most hosting companies are going to keep their software and servers updated, but they won't manage YOUR files. You'll either have to do that yourself or pay somebody to do it. HTH, Tom
    Signature

    Tom Brownsword, CISSP®, GCIA, ITILv3
    Certified Computer Security Pro
    http://ProtectorSupport.com
    http://BusinessActionSteps.com
    ------------------------------

    {{ DiscussionBoard.errors[7183496].message }}
    • Profile picture of the author IM Alex
      Originally Posted by Tom Brownsword View Post

      There is no magical solution to security. Security is all about identifying risks, then taking steps to minimize them (i.e. mitigate). You will always have some residual risk that you have to accept. With WordPress, you should always be using the latest version, keep plug-ins and themes up-to-date (and don't use the ones that don't offer support, no matter how cheap or convenient they are), etc. And don't forget the backups (wp-db-backup is the one I use -- I think... Just set it up to email the backups to a Gmail account, set up a filter to send it to Trash, and you'll always have 30 days of your WP database backed up and ready). Lots of other good tips in this thread, too. Insofar as "secure hosting" goes: Most hosting companies are going to keep their software and servers updated, but they won't manage YOUR files. You'll either have to do that yourself or pay somebody to do it. HTH, Tom

      thanks a ton, will make sure to put all those great tips to good use
      Signature

      If you're in doubt, you're not in doubt.

      {{ DiscussionBoard.errors[7183858].message }}
  • Profile picture of the author so11
    Hello,

    this topic has been discussed so many times...

    Keep in mind, that security is more than just a plugin, or an addon... It is a set of practices, tools, awareness, minding, etc...

    I've written many posts on this forum answering your question. Just search "security" and you'll have a lot of info.

    I also recommend a couple of articles that I've written beyond this forum. You are more than welcome to read it:

    Beyond security plugins. Part 1 - Identifying risks | ITadvices.com

    Beyond security plugins. Part 2 ? Taking action | ITadvices.com

    Preventing personal information and identity theft | Security | ITadvices.com

    regards,
    Signature
    www.groupesoloviev.com
    We help businesses manage cyber risk and compliance requirements.
    {{ DiscussionBoard.errors[7183892].message }}
  • Profile picture of the author IM Alex
    My thanks, I'll be sure to read them. I wasn't looking for a simple one-push button plugin solution, but to learn the correct and proper steps and methods to secure my websites as best as possible. I admit, I should have used the search, I normally do, but this topic is somewhat, well, off topic to a degree, in a forum about marketing and money making, I didn't think I'll actually find anything abou it.. I'll dig deeper and see what I can find, thanks again
    Signature

    If you're in doubt, you're not in doubt.

    {{ DiscussionBoard.errors[7184068].message }}
    • Profile picture of the author so11
      Originally Posted by IM Alex View Post

      My thanks, I'll be sure to read them. I wasn't looking for a simple one-push button plugin solution, but to learn the correct and proper steps and methods to secure my websites as best as possible. I admit, I should have used the search, I normally do, but this topic is somewhat, well, off topic to a degree, in a forum about marketing and money making, I didn't think I'll actually find anything abou it.. I'll dig deeper and see what I can find, thanks again

      Risk management process should be a part of your business. And it is an important part of information security.

      No security = no business = no MONEY !!!
      Signature
      www.groupesoloviev.com
      We help businesses manage cyber risk and compliance requirements.
      {{ DiscussionBoard.errors[7184139].message }}
  • Profile picture of the author sunray
    I'd like to add that not always will you know instantly when your site is hacked. Hacker may be "polite", and just enter a few backlinks that are not visible to human visitors. Then they sell it to an SEO company. You are lucky if such backlinks are not to a blacklisted site that gets your site blacklisted as well, and you just loose some linkjuice.

    To prevent this, you just have to take a look at the source code from time to time. Log out of your adminitrator account, go to your website, rightclick, and select "view source", and there look carefully where all those <a href strings lead to.

    And yes, do regular backups. When choosing a host, choose a host that does it regularily for you.
    Signature

    Use these laws and make the Law of Attraction work
    QuantumMindSuccess Learn how to live a happy, healthy and abundant life.
    {{ DiscussionBoard.errors[7184516].message }}
    • Profile picture of the author so11
      Originally Posted by sunray View Post

      I'd like to add that not always will you know instantly when your site is hacked. Hacker may be "polite", and just enter a few backlinks that are not visible to human visitors. Then they sell it to an SEO company. You are lucky if such backlinks are not to a blacklisted site that gets your site blacklisted as well, and you just loose some linkjuice.

      To prevent this, you just have to take a look at the source code from time to time. Log out of your adminitrator account, go to your website, rightclick, and select "view source", and there look carefully where all those <a href strings lead to.

      And yes, do regular backups. When choosing a host, choose a host thad does it regularily for you.
      Hello,

      thats a good advice... But, normally nobody should be able to add code (links) to your code. If thats the case, it means that there is something wrong with your security. For example, you need to check who has write/edit permissions in your directory.

      It is often happens with plugins...as they might add new users and user permissions while/after installation.

      regards,
      Signature
      www.groupesoloviev.com
      We help businesses manage cyber risk and compliance requirements.
      {{ DiscussionBoard.errors[7184598].message }}
      • Profile picture of the author sunray
        Originally Posted by so11 View Post

        Hello,

        thats a good advice... But, normally nobody should be able to add code (links) to your code. If thats the case, it means that there is something wrong with your security. For example, you need to check who has write/edit permissions in your directory.

        It is often happens with plugins...as they might add new users and user permissions while/after installation.

        regards,
        Be assured, there is no website that a really professional hacker cannot break in if they really spend enough time on it. Maybe simple static HTML files are the safest, but even then a trojan virus can steal your FTP password.

        As for Wordpress, they know it inside and out because it's so popular. Why do you think there are those countless "security updates"? Behind each one of them there is a series of hackings. Hackers first discover a way to get in, thousands of sites get hacked, and then the hole is patched (in the case of a security update, update your site as fast as possible!). It usually happens with hackings when a "free Palestine" or some other stupid political message is inserted, and site owners discover it right away. But a hacker keeping low profile, and sneakily putting his links on site... You see, they are very hard to detect. You may discover the links after 2 years--and how are you supposed to know where to look at in the log files? You have no idea how the hacker got in.
        Signature

        Use these laws and make the Law of Attraction work
        QuantumMindSuccess Learn how to live a happy, healthy and abundant life.
        {{ DiscussionBoard.errors[7184957].message }}
        • Profile picture of the author so11
          Originally Posted by sunray View Post

          Be assured, there is no website that a really professional hacker cannot break in if they really spend enough time on it. Maybe simple static HTML files are the safest, but even then a trojan virus can steal your FTP password.

          As for Wordpress, they know it inside and out because it's so popular. Why do you think there are those countless "security updates"? Behind each one of them there is a series of hackings. Hackers first discover a way to get in, thousands of sites get hacked, and then the hole is patched (in the case of a security update, update your site as fast as possible!). It usually happens with hackings when a "free Palestine" or some other stupid political message is inserted, and site owners discover it right away. But a hacker keeping low profile, and sneakily putting his links on site... You see, they are very hard to detect. You may discover the links after 2 years--and how are you supposed to know where to look at in the log files? You have no idea how the hacker got in.
          I completely agree with you. The only point Im trying to make is that you CAN take direct actions to prevent these known and common issues.

          regards,
          Signature
          www.groupesoloviev.com
          We help businesses manage cyber risk and compliance requirements.
          {{ DiscussionBoard.errors[7185089].message }}
  • Profile picture of the author dengkane
    In addition to looking for security solutions, I suggest you backup your sites regularly, and backup the files on your own compueter.
    {{ DiscussionBoard.errors[7184693].message }}
  • Profile picture of the author DubDubDubDot
    WordPress is the most hacked internet application in history. It has never been secure and never will be secure. The hacking of many plugins only compounds the matter.

    If your sites are a vital source of income, it's a good idea to explore a custom CMS that does only what you need it to do. WordPress was never meant to be a CMS. It was just a simple blog script that people added on to. The end result isn't pretty.
    {{ DiscussionBoard.errors[7185255].message }}
  • Profile picture of the author IM Alex
    Excellent advice and eye-openers from everyone, I'm ashamed that I haven't thought of all this before and placed my business in jeopardy so nonchalantly! I will be sure to dig deeper and educate myself properly about all this, and do the best I can to minimize the risks. As so11 said it so well;

    No security= No business= No MONEY!

    Thanks again everyone
    Signature

    If you're in doubt, you're not in doubt.

    {{ DiscussionBoard.errors[7186228].message }}
  • Profile picture of the author zicer
    Signature
    WHY WOULD YOU BUY TWITTER FOLLOWERS. GET THEM FREE
    Visit My Blog, who knows maybe you find something interesting :)
    {{ DiscussionBoard.errors[7186982].message }}
  • Profile picture of the author Igal Zeifman
    Originally Posted by IM Alex View Post

    Hello all!

    A couple of days ago I came across a thread here where an unfortunate fellow warrior wrote that his websites had been hacked. I feel bad for him, and hope that he will get his situation resolved as quickly as possible, however the issue gave me an eye-opening jolt. It's so easy to take this matter for granted isn't it? I certainly am guilty, none of my sites are secured. I wonder how many others are just waiting to become the next targets of another hacker attack. So I started looking into a few website security providers. The prices vary a lot, I saw services delivered from 19.90$-147$ a month. It might sound a bit steep, but is it really worth overlooking? I for one will implement it as soon as I can afford it, but in the mean time, I was wondering if anyone would share what services you use, and if you know of any good ones that are free?

    Thank you all in advance,

    Alex
    No 2 WP plugins will make your website secure.

    Kingfish85 provides a very good WP focused Checklist (I think I said so already said that on the other treads but I don't mind saying it here again... and again, as needed)

    I don't think every site needs payed security solutions, although I would suggest investing a few dozen bucks into it, if it's a commercial website.

    It doesn't have to cost you a +100$ either. Toady you can get a PCI DDS compliant WAF (VERY high end solution - a Web Application Firewall of the highest security standard) for just under 60$ and it will come combined with CDN acceleration, Caching, Spam/Scraping protection and so on...

    If you want to go Free, you can do that too by getting behind free Bad Bot protection services.

    People tend to overlook that but this security solution is actually very effective because:

    A. some attacks, including DDoS will be initiated by Bots.

    B. and this is IMPORTANT. Most attacks (especially on SMB sites) will start by a visit from a vulnerability scanning bot that will try to identify your weak spots for the attack to come.

    Blocking that bot will prevent the attack even before it starts.

    Think about it, there are over 500M documented websites, unless you really Big or have some really determent enemies, no hacker will target your personally or manually test your sites for all existing vulnerabilities.

    Sooner or later he/she/they will be forced to use an automatic process (which means bots).

    Blocking these bots = blocking the future attack.
    Signature

    Igal Zeifman
    ----------------
    Community Manager / SEO @Incapsula - Cloud Security and Acceleration | DDoS Protection

    {{ DiscussionBoard.errors[7190119].message }}

Trending Topics