How to avoid hacker attacks – a guide for WordPress website developers (and their clients)

We have built the website that our customers dream of. Don’t allow hackers to take over and turn it into a nightmare. The \
good But not all hackers come in through the site itself. Although that is true, there is a problem: most security threats are multi-layered. This means that no matter how much time, money and energy you spend building and hosting websites securely, web security will still be threatened, and hackers will still destroy websites. Look at this flow chart to see what I mean.

[Figure: The security threat is multidimensional.]

The above is a summary version of the security threat classification model shown below.

[Figure: Multidimensional threats will affect website security. Source: sciencedirect.com, information system security threat classification.]

As shown in the above figure, web security threats may come from any of the following:
External sources (such as unauthorized users and natural disasters) or internal sources (such as employees with administrator access to sites, servers, or network accounts).

Add human, environmental and technological agents, with malicious or non-malicious motives and accidental or non-accidental intentions, and the combination of these factors increases security threats further. Simply put: web security is very complex! If one part of the system fails, the security of the whole system may be threatened. Even when no attacker is directly involved (as with natural disasters), these threats may damage the site and create a security gap that may lead to the following:
- Destruction of information – for example, deleting important files or data.
- Corruption of information – for example, corrupted database tables and files.
- Disclosure of information – for example, disclosure of confidential data to unauthorized users or the public.
- Service theft and denial of service – for example, data theft or misuse, theft of server resources, or distributed denial of service (DDoS) attacks.
- Unauthorized privilege escalation – for example, malicious use of system vulnerabilities to obtain administrator privileges on websites or networks.
- Illegal use – for example, using websites to attack other websites, spread viruses, commit fraud, steal identities, etc.

To prevent the site from being attacked, damaged or interrupted by hackers, all the threat factors of this multidimensional security beast must be considered.
It is difficult to cut off security threats, especially when fighting a multidimensional beast! Now that we understand what we are dealing with, let’s narrow down our approach to this web security beast. The focus is on addressing the following areas to prevent the site from being hacked: Web security risk mitigation defense is the only attack plan that provides 95% protection against the vulnerability of hacker

1. Reduce web security risks

Many mistakes occur outside the website, creating opportunities for hackers to get into it. These include:

- External services – the processes and methods used to build, protect and manage sites through purchased or outsourced services, including hosting, plug-ins, themes, and other website developers.
- Human vulnerability – inadequate knowledge, understanding, experience and technical skill regarding security issues.

The main service providers for WordPress developers include:
- Hosting companies and data centers.
- Third-party plug-in and theme developers.
- Integrated third-party platforms and software.
- Outsourcing developers, contractors and other data center web
Hosting companies typically own or lease space for servers in multiple data centers around the world. All of the hosting company’s hardware, data and information processing is located in the data center, so the data center must consider both physical and digital security to mitigate all threats and risks of attack and damage, and to ensure the security and safety of the servers that host and store your website and data. Most developers choose web hosting companies, and web hosts choose data centers. However, the hosting company and the data center share responsibility for ensuring the security of the website.
To ensure security, the responsibilities of the data center include:

- Environmental control – the heat generated by electronic equipment may cause failures, so it must be operated at a safe temperature.
- Backup power – the servers must continue to operate even if the main grid is unexpectedly interrupted.
- Advanced security methods – including monitoring systems and technologies such as biometrics and mantrap rooms with restricted security access, and measures that keep hardware and personnel from entering the center without approval, such as a single entrance and exit (only one person is allowed at a time), server guardrail facilities for sensitive data and equipment, metal detectors, etc.
- Protecting and isolating the servers – including employing security guards, bulletproof glass, high-impact collision barriers, weather resistance, fire extinguishing systems and other protective measures.

If you focus on areas such as server speed and stability rather than putting the security of your hosting company first, or recommend companies based on plan prices, partner fees and reseller incentives, your website may be at risk.
Although performance factors and economic advantages cannot be ignored, it is also important to evaluate the host’s commitment to security. In 2016, 95% of the leaked records came from three industries, and technology was one of them (government and retail were the other two). Companies that store high-level personally identifiable information (PII) in their records are very popular targets. It is therefore important to understand how the hosting company stores data and which active and passive security measures it takes to protect that data. Some hosting options are more secure than others. We have prepared detailed guidelines for the various types of hosting, including which types are more secure and how to select the appropriate hosting type according to your needs.
It is also important to understand the network redundancy of the host’s infrastructure. What happens if a network server or router fails, or components are compromised? How is the site isolated and protected from network incidents and service interruptions caused by security breaches? When evaluating hosts, find out how the hosting is managed and what security measures are in place on the server. Does the plan include security features such as a server-side firewall, SSL, SFTP and a CDN for encrypting and transmitting data, and protection (such as a WAF) to keep malicious code from entering the network?
What about file search, a dedicated IP, two-factor authentication (2FA), nightly backups and one-click restore, and a secure staging area for client site development, maintenance updates, and installing or testing new applications without leaving the website vulnerable and exposed to attack? In addition, what type of security and support will the web host provide if the site is compromised despite any security measures? For example, at WPMU DEV we not only provide fast, secure, affordable and amazing managed WordPress, but also give members a dedicated help desk around the clock to help them solve all WordPress-related problems (including security) and clean up hacked websites. We also provide a series of documentation covering all hosting security features.
If you are serious about protecting your site from hackers, you should expect the hosting provider’s full commitment to web security.
Risk mitigation from third-party sources

WordPress is a secure platform, but it is difficult to avoid integrating it with third-party plug-ins, themes and other platforms. Any vulnerability in a third-party solution may open the door to hackers and damage the website. To minimize the risk when using third-party solutions, use plug-ins (and themes) only from trusted sources, integrate sites with popular third-party platforms, and always keep the WordPress site up to date. An excellent resource to check before installing third-party solutions is the National Vulnerability Database. For example, during the writing of this article, we quickly searched the database in \
As mentioned earlier, \
