How we keep your WordPress website safe

4 Mar 2017

30,000 websites hacked a day — over three quarters of them run on WordPress.

Forbes published the figure above in 2013. Though it has been a couple of years since, we can assure you the number hasn’t changed much.

Here’s an even more interesting fact reported by internet security expert Sucuri: in 2016, over three quarters of the websites that were hacked ran on WordPress. This makes sense because WordPress powers about a third of the websites in the world today. The more popular it is, the more likely it is to become a prime target for hackers.

We are not sharing this with you as bad news. We are not telling you to stop using WordPress. In fact, it means WordPress is still the most popular CMS in the world (and probably the best, too!)

“If it’s the best, how come so many WordPress websites get hacked?” you ask.

Well, as we shared briefly in our previous post (Why Did We Start Wp Sifu?), almost all of them had to do with website owners’ negligence. This also means it can be easily dealt with, so long as all website owners start paying more attention to security.

But of course, when you leave your WordPress website with us, its security becomes our top priority.

How do we keep your WordPress website safe?

We’ll start with a disclaimer: we are not claiming that your website is 100% safe with us. No one should make this claim. What we can claim is that we are doing our 110% to prevent mishaps from happening, and should one ever happen, we have measures in place for dealing with recovery. So let’s dive in!

Before a contact is established

By this we mean that before a website user, friendly or hostile, can reach your website, the user’s request is routed through our favourite cloud-based firewall, CloudFlare. This alone effectively filters out half of the potential threats. The firewall is intelligent enough to detect whether the user comes from an IP address or zone that has previously been identified as “risky”. This happens before the bad guys can even come close to your website!

Hardware-wise, we use WP Engine’s servers; WP Engine partners with Sucuri, which provides malware scanning right out of the box. It scans your website files from time to time and alerts us when an anomaly is detected.

Contact established

Let’s just say the hostile user manages to get past the firewall. For example, he may be using an Internet connection from a “safe zone”, e.g. a computer in a public library, or be proxied through a public IP. He is now at your WordPress website’s login page. His next step is likely to be what is commonly known as a “brute force attack”: the simplest method of gaining access to a site, trying different usernames and passwords over and over again. Bad news if your login credentials happen to be “admin” and “password1234”. But we wouldn’t have let that happen anyway, because the first thing we do, as soon as we take over your WordPress website, is change your username and strengthen your password. Then we set a pretty low limit on the number of tries before we lock the user out, either temporarily or, for repeat “offenders”, permanently.
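As an added illustration (not Wp Sifu’s code or that of any particular plugin), the lockout rule described above can be modelled as a small limiter: a low failure limit triggers a temporary lockout, and a client that keeps getting locked out is banned for good. The thresholds, the choice of client IP as the key and the sample attempts are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    max_failures: int = 5        # failures tolerated inside one window (assumed values throughout)
    window_seconds: int = 600    # window over which failures are counted
    lockout_seconds: int = 900   # length of a temporary lockout
    max_lockouts: int = 3        # temporary lockouts before the ban becomes permanent

@dataclass
class _State:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0
    lockouts: int = 0            # how many times this key has been locked out so far

class LoginLimiter:
    """Tracks failed logins per key (client IP or username) and locks repeat offenders."""
    def __init__(self, policy=LockoutPolicy()):
        self.policy = policy
        self._states = {}

    def attempt(self, key, success, now):
        """Register one login attempt; return 'ok', 'fail', 'locked' or 'banned'."""
        s = self._states.setdefault(key, _State())
        if s.lockouts >= self.policy.max_lockouts:
            return "banned"      # repeat offender: locked out for good
        if now < s.locked_until:
            return "locked"      # refused outright, credentials are not even checked
        if success:
            s.failures.clear()
            return "ok"
        # Forget failures older than the window, then record this one.
        s.failures = [t for t in s.failures if now - t < self.policy.window_seconds]
        s.failures.append(now)
        if len(s.failures) < self.policy.max_failures:
            return "fail"
        s.lockouts += 1
        s.failures.clear()
        if s.lockouts >= self.policy.max_lockouts:
            return "banned"
        s.locked_until = now + self.policy.lockout_seconds
        return "locked"

def replay(events, policy=LockoutPolicy()):
    limiter = LoginLimiter(policy)
    return [limiter.attempt(key, ok, ts) for ts, key, ok in events]

# Constructed sample: one client guessing passwords, plus an unrelated legitimate user.
SAMPLE = ([(t, "203.0.113.7", False) for t in range(5)]   # 5 quick failures -> temporary lockout
          + [(10, "203.0.113.7", False),                   # still locked, refused without a check
             (12, "198.51.100.4", True),                   # another client is unaffected
             (1000, "203.0.113.7", False)])                # lockout expired, counting restarts
```

`replay(SAMPLE)` yields the decision for each attempt in order; a real deployment would key on both IP and username so that one client cannot lock out a legitimate user by spraying failures at their name.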

It’s worth mentioning that your website will automatically get the free SSL (Secure Sockets Layer) upgrade. In other words, your website URL will change from “http” to “https”, which means your users will see the green padlock in front of your website address, assuring them that your website is secure and that any interaction between them and your website is encrypted so no one can steal their data. Thus, the chances of having their login credentials stolen are down to zero.

Somehow, sh*t still happens

We have already established that we can’t guarantee 100% that mishaps won’t happen. Say, for example, you leave your laptop unlocked at Starbucks while you visit the washroom. The guy sitting next to you takes the opportunity to steal your login information. Things like this we term “ID-Ten-T error”, and the bad news is that no technology in the world can prevent it (maybe some education?). But let’s just say it somehow happened (I’m not judging you!). What do we have in place to deal with such a disaster? Well, there is the Daily Backup: our managed hosting plan covers a daily backup of your WordPress website. So when sh*t happens, we can easily roll your website back to its previous clean state. There may be situations where you lose some recent data, but it’s a price worth paying.

As soon as we have restored your website, we first make sure everyone who is currently logged in gets “kicked out” of the system, then we reset your password. This should clear the sh*t up.

So, there we have it! A brief overview of how we keep your WordPress website safe when you leave it with us. You will have realised by now that what we do is really not rocket science. These are things you can do yourself too, provided you are willing to invest the time. But should you ever decide you’d be better off using your time for something more important, e.g. running your business, you know where to find us!