How we ensure our customers’ websites are protected – our website security checklist in 2023
Clients and prospective clients often ask us how we keep their websites secure. This matters most for the many WordPress websites we help with that include e-commerce, online selling, or any authenticated area with private content. The following security checklist covers the measures we take in our web design process as well as in our ongoing maintenance plans.
While nothing can ensure your website is 100% free from a hacker, we strive to provide a secure and privacy-friendly environment for our clients so that both they and their customers can feel more at ease using their websites.
Why is website security important?
If you are here you likely already realize it! But ok, here are some important reasons:
- Prevent reputation damage – Users don’t trust websites that show security warnings or have been clearly hacked. A secure site gives visitors peace of mind and creates credibility and trust.
- Improve SEO rankings – Poor website security puts SEO rankings at risk. Google and other search engines punish exploited websites with lower rankings.
- Avoid traffic and sales loss – Vulnerabilities in a website’s code, plugins or other core features usually result in the site becoming inaccessible, loss of traffic and a drop in sales.
Secure website hosting
It really starts with our hosting. We have partnered with SiteGround to offer an exceptional fully managed hosting service that includes the following security measures.
- All Clear Moon Studio clients are now on dedicated cloud hosting on isolated servers that are not shared with other SiteGround customers. This removes the exposure to other, possibly poorly maintained, websites that a shared hosting environment brings. It also gives us SiteGround’s most experienced DevOps engineers to configure and manage our hosting environment.
- An SSL certificate is included with every domain we host.
- By default, we have set all servers to use the latest PHP version with the latest security fixes.
- We are running Apache in a chrooted environment with suExec to reduce security risks in running private programs.
- We have sophisticated intrusion detection and prevention systems (IDS/IPS) which block malicious bots and attackers.
- ModSecurity is installed on all of our shared servers and we update our security rules weekly, thus protecting our customers from the most common attacks.
- Smart AI anti-bot system analyzes all servers, websites and traffic, and blocks illegitimate website requests, or shows a CAPTCHA when it’s not 100% sure the requests are legitimate. Our AI anti-bot system also takes care of brute-force attacks.
- We strive to keep all the software providing these services (FTP, SMTP, IMAP/POP3, HTTP, HTTPS) up to date with the latest security patches.
- We are constantly monitoring for vulnerabilities in the most popular applications and modules and whenever possible we develop virtual patches in the form of WAF rules (Web application firewall).
- We ensure that users’ data is accessed only by trusted personnel on request by following strict policies and we keep detailed records for such access.
- Our experienced system administrators monitor the servers 24/7 to prevent security attacks, mitigate DDoS, and react in a timely manner to any known or unknown threat.
Website maintenance measures
Unfortunately, doing everything mentioned thus far is not always enough. Most web applications require constant attention and updates to remain safe from the latest security vulnerabilities. The #1 reason a WordPress site gets hacked is the software not being updated in a timely manner. For customers on our website maintenance plans, we employ additional measures:
- WordPress core versions, themes and plugins are monitored daily against the latest known vulnerabilities and immediately patched if a vulnerability is detected. All software is also updated weekly to the latest stable versions.
- The website is monitored daily for online threats such as malware, viruses, and suspicious links. We are alerted to any detected threats so we can react in a timely manner. A domain status check is also performed to ensure it is not blacklisted.
- The website is monitored 24/7 for uptime to alert us of any issues.
- Daily website backup and restore points are set, along with on and off-site backup locations that are geographically distributed to have your data safely available at another location, in case something happens to your server and data centre.
- Monthly reports are provided to detail the work done to keep your site secure, updated and performing optimally.
Additional website security measures
In addition to the above, there are more things we do with some websites we host depending on their needs. There are also shared security responsibilities we have with our customers and we encourage them to adopt security best practices.
- Hide the WordPress version – Hackers often scan for specific vulnerable WordPress versions in preparation for mass attacks. We remove your WordPress version from your site’s HTML code so your site is no longer picked out by these scans.
- Disable Themes & Plugins Editor – Editing code through the WordPress plugins and themes editor poses direct security risks from a potential elevation of privileges and errors made by a regular site administrator. To help you avoid that we will disable the themes and plugins editor by default.
- Disable RSS and ATOM feeds – RSS and ATOM feeds allow for content scraping when bots extract content and data from a site, which can be used in attacks on your website. We can disable this functionality if this is not needed.
- Delete the default readme.html – Your readme.html file can be used by attackers to compile lists of potentially vulnerable sites which can be hacked or attacked. We delete the default readme.html file that comes with your WordPress core files and contains information about your website.
- Lock and protect system folders – Attackers often try inserting and executing PHP files in public folders to add backdoors and compromise your site. We do not forbid the upload of files, but out of the box, we stop PHP files and malicious scripts from being executed and causing problems for your site.
- Disable XML-RPC – XML-RPC is an older protocol used by WordPress to talk to other systems, and many are using it for exploiting vulnerabilities, starting DDoS attacks and other malicious activity. That is why we disable this open access line to your WordPress application by default. If you use Jetpack and/or mobile apps you may want to enable the protocol from the plugin’s interface, since those are legitimate users of XML-RPC.
- Advanced cross-site scripting (XSS) protection – A cross-site scripting vulnerability, known as XSS, allows injected scripts to run in the context of your WordPress site and access information they shouldn’t. By default, we enable protection against XSS by adding headers instructing browsers not to accept injected JavaScript or other code.
- Login access – By default, your WordPress login page can be accessed by any IP address or in other words by anyone. If desired we can limit access to specific IPs or a range of IPs in order to prevent brute-force attacks or malicious login attempts.
- Limit login attempts – We set a limit to the number of times a given user can attempt to log in to your wp-admin with incorrect credentials.
- Two-factor authentication for admin and editors – Two-factor authentication is one of the easiest and most secure ways to protect your data against hacking and identity theft. We work with you to start using a second password generated by an application on your smartphone in addition to your regular username and password.
- Disable common usernames – Using common usernames like ‘admin’ often leads to unauthorized access. We disable the creation of common usernames by default, and if you already have one or more users with a weak username, the system will ask you to provide new ones.
- Encourage strong passwords – We set the system to encourage strong passwords for all accounts.
- Activity log – We keep a log of all activity events on your website for the past 12 days. These include but are not limited to human visits, bot crawls, registered users’ activity, login attempts, and more. Monitoring the activity log can help you better understand your site’s audience and recognise suspicious visitors or activities. The log covers unknown visitors (bots or humans who have not authenticated as registered users of your site), registered visitors, and blocked visitors. Additionally, from this page we can block or unblock any IP you decide.
- Force password reset – If you believe that a user’s password has been compromised, we can instantly log out all active users. Once users try to log back in, they will be asked to change their password.
- Log out all users – We can quickly log out all active users without asking them to change their passwords, thus preventing any user from performing any more actions on your website.
- Protect downloadable files – By default all WordPress files are publicly available. We can lock these files down so that only logged-in users can access them.
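Several of the items in this list can be implemented with stock WordPress hooks. The must-use plugin below is an added illustration written for this post; it is not Clear Moon Studio’s or SiteGround’s own code, and the `cms_harden_*` names, the lockout limits and the sample Content-Security-Policy are assumptions chosen for the example. It covers hiding the version, disabling the file editor, XML-RPC and feeds, sending browser hardening headers, refusing common usernames, and limiting login attempts per client address. Blocking PHP execution inside upload folders is a web-server setting and is not part of this file.

```php
<?php
/**
 * Plugin Name: Hardening example (added illustration, not the agency's or host's code)
 *
 * Place in wp-content/mu-plugins/ on a test site. Names prefixed cms_harden_ and
 * the numeric limits are assumptions made for this example.
 */

// Hide the WordPress version: drop the generator meta tag and the ?ver= query
// string that WordPress appends to bundled scripts and styles.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
function cms_harden_strip_version( $src ) {
    return remove_query_arg( 'ver', $src );
}
add_filter( 'script_loader_src', 'cms_harden_strip_version' );
add_filter( 'style_loader_src', 'cms_harden_strip_version' );

// Disable the theme and plugin code editor. wp-config.php is the usual home for
// this constant; defining it here also works because mu-plugins load before the
// admin menus and capability checks that consult it.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Disable XML-RPC. Remove this filter if Jetpack or the mobile apps need it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Disable RSS/Atom feeds and the <link rel="alternate"> tags that advertise them.
remove_action( 'wp_head', 'feed_links', 2 );
remove_action( 'wp_head', 'feed_links_extra', 3 );
function cms_harden_no_feed() {
    wp_die( 'Feeds are disabled on this site.', 'Feeds disabled', array( 'response' => 404 ) );
}
foreach ( array( 'do_feed', 'do_feed_rdf', 'do_feed_rss', 'do_feed_rss2', 'do_feed_atom' ) as $feed ) {
    add_action( $feed, 'cms_harden_no_feed', 1 );
}

// Browser-side hardening headers on every front-end response.
add_action( 'send_headers', function () {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    // Illustrative policy only: widen script-src to the sources your theme really loads.
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'" );
} );

// Refuse to create accounts with guessable logins.
add_filter( 'illegal_user_logins', function ( $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator', 'root', 'test', 'user' ) );
} );

// Limit login attempts: after CMS_HARDEN_MAX_ATTEMPTS failures from one client
// address within CMS_HARDEN_WINDOW seconds, reject further attempts for that window.
define( 'CMS_HARDEN_MAX_ATTEMPTS', 5 );
define( 'CMS_HARDEN_WINDOW', 15 * MINUTE_IN_SECONDS );

function cms_harden_client_key() {
    // REMOTE_ADDR is the only address the web server itself vouches for. Behind a
    // CDN or reverse proxy it is the proxy's address; have the server rewrite it
    // (mod_remoteip, real_ip) rather than trusting X-Forwarded-For here.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'cms_harden_fail_' . md5( $ip );
}

add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( cms_harden_client_key() ) >= CMS_HARDEN_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

add_action( 'wp_login_failed', function () {
    $key   = cms_harden_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, CMS_HARDEN_WINDOW );
    // One line per failure for the activity log / monitoring described in the post.
    error_log( sprintf( 'login failed from %s (attempt %d)', $_SERVER['REMOTE_ADDR'] ?? 'unknown', $count ) );
} );

add_action( 'wp_login', function () {
    delete_transient( cms_harden_client_key() );
} );
```

The lockout keys on the web server’s own `REMOTE_ADDR` rather than on the username, so an attacker cannot lock a legitimate user out simply by failing against their account, and the counter is reset on a successful login. On a site served through a CDN or reverse proxy, configure the web server to restore the real client address first; otherwise every visitor shares one counter.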
User privacy for your website
When we speak of security, especially for your company’s reputation, user privacy also becomes important. In addition to the above we can provide the following:
Website security is of paramount importance in today’s digital age, where cyber threats continue to evolve and become increasingly sophisticated. By implementing our website security checklist, we take several proactive steps to safeguard our customers’ sensitive data, maintain their reputation, and avoid costly data breaches.