In the wake of the recent WannaCry ransomware attack, cyber security is at the top of everyone’s mind. The computer virus, dubbed “WannaCry” by its black hat programmers, ended up encrypting data on over 230,000 computers and holding the data in return for a ransom, and it left many businesses and individuals wondering how to prevent ransomware from happening.
WannaCry was not the first computer virus of its kind, nor was it the most destructive, but it was exceptionally pervasive. Within hours, it had spread to dozens of countries and taken over the data for major hospital networks like National Health Service, a public health service in the UK. One of the main mechanisms that allowed the ransomware to spread as quickly as it did was a vulnerability that was easily patched with a simple update.
Regarding cyber security, many of these common threats to our internet security can be entirely sidestepped with something as simple as a software update. Securing and maintaining your website can often be just as simple. In this blog post, we’ll discuss the final step of our 3-step recommended security approach:
Let’s start quickly with what a security plan is. A security plan is an overarching strategy for how your organization, company, or website will handle all things security-related. There are two basic categories that these fall into: immediate and ongoing. The immediate points are things you can (and should) do right now to increase the security on your website. The ongoing principles involve learning more about cyber security in general and applying those principles to your organization. Your security plan should be a living document; one that gets regular attention with regular audits to ensure it still fits your organization’s needs.
Immediate actions to take:
- Create strong passwords that you share securely or not at all. 1
- Don’t use default passwords or usernames. If you use admin, administrator, root, or a blank username, change them immediately to something unique to your organization or website. Using defaults gives hackers and bots one less step in compromising your website.
- Manage your website user permissions and roles closely. If you have a social media manager who’s only website interaction is updating blog posts, be sure to set permissions appropriately to an editor or contributor. Generally, permissions should be granted at the minimum level required for regular use, or minimally permissive settings. Admin privileges should be granted only to those users who absolutely need it.
- Update your team on best practices and have a dedicated password manager who knows who should and shouldn’t have access to accounts. This can minimize the chances of a social engineering attack.
- Consider changing the location of your login from wp-admin. The suffix of /wp-admin/ or /wp-login.php/ are well known within the hacker community and create a guaranteed entry point to your website. Changing or obscuring it can greatly decrease the chances bots and hackers from even knowing your login location. (A great option is the Better WP Security plugin)
- Use two-factor authentication on all of your accounts to prevent logins from unauthorized parties. This won’t always be available, but always opt-in to using it when it is.
- Use a plugin or software to limit brute-force login attempts. Brute force attacks can happen at an alarming rate with today’s tech. If you can limit the number of times a password can be guessed, you’ll greatly decrease the chances of that type of attack being successful.
- Choose a great host that’s focused on website and WordPress security (not sure how to do that? Read our blog post about it)
- Choose a great add-on security provider to fill in any gaps in your website security plan (not sure what that means? Read our blog post about it)
Update: Our friends at Cloudwards have developed a new tool to help generate secure passwords and test your existing password strength in a secure environment. It’s definitely worth checking out.
Ongoing principles to follow and educate your team on:
- Check your FTP settings regularly to ensure no one can read or write to sensitive folders or files
- Update your passwords every 3-6 months.
- Avoid sending login credentials via permanent means like an email or a text message. Use a service like Privnote that will self-destruct the note upon reading, or transfer credentials through a phone call.
- Anticipate and stay up to date with all WordPress and e-commerce platform updates. WordPress and plugin updates often address known exploits found through bounty programs or error reports. Your WordPress website should be fully updated at least once a month, if not more regularly.
- Consider employing a white hat security company to use penetration testing to test your security on multiple levels.
- Vet your developers to make sure they’re using best practices in security while developing or editing your site. Not sure how to do this? Drop us a line and we can help.
In addition to this three-step approach, an essential part of any e-commerce site is an SSL implementation. When capturing and transmitting sensitive payment information, end-to-end encryption via a reputable SSL provider is necessary to protect customer data. Most add-on e-commerce solutions will require an SSL in order to function, but any other data transmitted can easily be protected with free or low-cost SSL options. Some hosting providers even offer free SSLs as part of your hosting package.
If you’ve never considered website security, you might be a little concerned after reading this. Internet security is racing to keep up with the latest in technology and development, and it’s moving quickly. The good news is that you don’t have to worry about it alone. If you’re not sure where to go from here, we have a team of digital professionals who are passionate about digital security who are ready to help!
Looking to develop a new website? Contact Us to get a more individualized assessment, call us at 972.488.1660.
We are a Dallas advertising agency with extensive expertise in website development.