DigiSage Website Security Practices

According to Google, the number of hacked sites increased by approximately 32 percent in 2016 compared to 2015, and each week, Google blacklists around 20,000 websites for malware and around 50,000 for phishing. Cyber security is a real (and growing) issue, which is why DigiSage takes the security of the websites we develop so seriously.

Common Types of Website Compromises

Websites can be hacked in a variety of ways and for a variety of reasons. Common hacks include:

  • Content spam: the most common compromise. Spammers inject content into a legitimate website to drive traffic to a malicious or deceptive site.
  • Malware: software written with the intent of doing harm to data, devices, or people.
  • Credit card skimming: affects e-commerce platforms. It is one of the most dangerous compromises for consumers, since credit card data is stolen.
  • Botnets: a botnet is a network of computers infected with malicious software and remotely commanded and controlled by cybercriminals called botmasters. Botnets steal your resources in order to do malicious things like crack passwords or attack other sites.

Why Should You Care?

Business owners and webmasters should be very concerned with the security of their websites, for a number of reasons:

  • Google’s algorithm penalizes hacked sites in the search engine results pages (SERPs)
  • Users may not be able to access your site
  • Your data and your users’ data may be compromised
  • Your brand’s reputation will be affected
  • Fixing a hacked site can be difficult (and expensive)!

DigiSage’s Website Development Platform of Choice: WordPress

We develop the majority of our websites on the open source platform WordPress (wordpress.org). WordPress is a widely adopted and highly trusted website development platform: currently, 29% of the web uses WordPress—that’s over 1 in 4 websites online today! Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren’t taken. DigiSage understands the importance of keeping the sites we develop secure, which is why we utilize multiple layers of security to ensure our sites remain safe.

Data Center Security and Redundancy

  • Third-party SOC 3 report for Liquid Web is available
  • State-of-the-art private data center facilities in Lansing, MI and Phoenix, AZ
  • 24/7/365 staffed facilities
  • Redundant network connections and hardware
  • Redundant power feeds and HVAC
  • Battery and diesel backup
  • Building security, including secure entrances with an access card system
  • Remote monitoring by a third-party security company
  • Entrances secured by mantraps with interlocking doors
  • SSAE 16 and HIPAA compliant, Safe Harbor certified

Server Level Security

  • ModSecurity web application firewall for Apache
  • Intrusion detection coupled with firewalling
  • Antivirus
  • Regular data backups: daily backups on-server and off-site
  • Enforced TLS connections

WordPress Platform Security

Since its inception in 2003, WordPress has undergone continual hardening so its core software can address and mitigate common security threats, including the Top 10 list identified by The Open Web Application Security Project (OWASP) as common security vulnerabilities. Learn more about the WordPress core software development and its related security processes, as well as an examination of the inherent security built directly into the software, here.

What else makes the WordPress platform highly secure? WordPress is the most widely used CMS software in the world: it powers more than 29% of the top 10 million websites, giving it an estimated 58% market share of all sites using a CMS. Additionally, there are hundreds of thousands of WordPress developers. Because of this large user base, issues with open source platforms like WordPress are often discovered, publicized, and addressed faster.

Individual WordPress Website Security

  • Use of a custom theme reduces the attack surface: rather than using a commercial theme which may stop being supported or may come with extra features (e.g. multiple sliders, contact forms, etc.) that go unused, we produce custom themes which include only the features required for the specific website. Reducing the amount of unused code makes the attack surface smaller and the site more maintainable.
  • Anti-brute force: by using software which monitors login attempts we are able to throttle repeated attempts, reducing the number of password guesses per second, and to block an IP address once too many failed attempts have been made.
  • Web application firewall (rules, malware signatures, malicious IP lists): by using a web application firewall we are able to apply rule sets to incoming requests and block them based on known bad request signatures, known bad IP addresses, and known attack patterns.
  • Access controls:
    • Secure password rules enforced: by enforcing more stringent password rules we stop users from setting an easily guessed password and avoid compromise by password guessing.
    • Appropriate access controls: by providing a unique username and password per website administrator we are able to ensure that access is revocable at any time.
    • Logging of user actions: by logging actions taken by users we are able to reconstruct changes to content, installation and upgrade of plugins, login history, etc.
    • Multi-factor authentication: multi-factor authentication adds a second factor to user login, enhancing login security by requiring the user to provide something they know (their password) as well as something they have (their cell phone) to authenticate.
  • Regular data backups: daily backups using VaultPress
  • Continuous monitoring for suspicious activity and anomalies using Wordfence (free or premium versions available) and VaultPress
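The anti-brute-force behaviour described above (throttling repeated guesses, then blocking the source IP after too many failures) as an added, stand-alone Python model of the policy; this is not DigiSage's or Wordfence's code, and the window, thresholds and delay values are assumptions chosen for illustration.

```python
"""Login throttling and lockout policy (added example; thresholds are assumed)."""
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60   # failures older than this no longer count
MAX_FAILURES = 5           # block the source IP after this many failures in the window
LOCKOUT_SECONDS = 30 * 60  # how long a blocked IP stays blocked
BASE_DELAY = 1.0           # wait after the first failure; doubles with each further failure


class LoginThrottle:
    """Per-IP progressive delay, then a hard lockout; consult check() before verifying a password."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                    # injectable so the policy can be tested offline
        self._failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self._locked_until = {}                # ip -> time at which the lockout expires

    def _recent(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                        # forget failures that fell out of the window
        return q

    def check(self, ip):
        """Return (allowed, seconds_to_wait) for a login attempt from ip."""
        now = self._clock()
        until = self._locked_until.get(ip)
        if until is not None:
            if now < until:
                return False, until - now      # still locked out
            del self._locked_until[ip]         # lockout has expired
        q = self._recent(ip, now)
        if not q:
            return True, 0.0
        delay = BASE_DELAY * 2 ** (len(q) - 1)  # 1s, 2s, 4s, ... after each failure
        elapsed = now - q[-1]
        return (True, 0.0) if elapsed >= delay else (False, delay - elapsed)

    def record_failure(self, ip):
        """Call after a wrong password; returns True when this failure triggers a lockout."""
        now = self._clock()
        q = self._recent(ip, now)
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self._locked_until[ip] = now + LOCKOUT_SECONDS
            q.clear()
            return True
        return False

    def record_success(self, ip):
        """A correct login clears the failure history for that IP."""
        self._failures.pop(ip, None)
```

Call check() before verifying credentials and record_failure() or record_success() afterwards; a denied check should return the same generic "too many attempts" error as a wrong password and must not itself count as another failure.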

Active Monitoring and Maintenance

Security patches for WordPress are widely published and readily available; many updates are automatically installed, while DigiSage actively and quickly plugs exploitable vulnerabilities by applying appropriate patches for items that don’t auto-update.

Core Updates: Starting with version 3.7, WordPress introduced automated background updates for all minor releases, such as 3.7.1 and 3.7.2. The WordPress Security Team can identify, fix, and push out automated security enhancements for WordPress without the site owner needing to do anything on their end, and the security update will install automatically.

Plugins: We only use vetted, supported, well-established, and widely-used plugins. Additionally, when a plugin vulnerability is discovered by the WordPress Security Team, they contact the plugin author and work together to fix and release a secure version of the plugin. If there is a lack of response from the plugin author or if the vulnerability is severe, the plugin/theme is pulled from the public directory, and in some cases, fixed and updated directly by the Security Team.

On our WordPress maintenance plan, we utilize special software that checks for updates multiple times per day—we monitor this daily; we also monitor the WordPress announcement list and the WordPress security lists and install updates whenever needed.
