July 23, 2019


By: Ben Freda, President


Recently, one of our clients became concerned about the security of their site. They asked what a BFC Maintenance plan includes by default, and what additional options might exist for an advanced level of protection.

Well, I’m not one to let a good conversation go to waste. So here, in short, is how we handle security at BFC Support. And what to do if you feel you need special, advanced, security measures.

Base Level: Backups, Updates, Malware Scans

It may not seem obvious, but the best way to protect yourself from the effect of a security breach is to do something that doesn’t technically make your site more secure at all. It is to take regular, automated backups.

That way, when a hack or defacement occurs, you can roll back to an uninfected backup. Automated backups are included in every BFC Maintenance plan.
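As an added illustration of the rollback point above (this is example code written for this post, not BFC's own backup tooling), the script below takes a timestamped snapshot of a site directory, records its SHA-256 in a sidecar manifest, refuses to restore from an archive that no longer matches that manifest, and prunes old snapshots. It assumes the site is a directory of files; the throwaway site it builds in demo() is constructed, and a database dump would simply be one more file in the snapshot.

```python
"""Automated, verifiable site backups with retention.

Added example for this post; it is not BFC's own tooling. It assumes a
site that lives in a directory of files (a database dump would be handled
the same way, as one more file in the snapshot).
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(site_dir: Path, backup_dir: Path) -> Path:
    """Snapshot site_dir into backup_dir/site-<utc timestamp>.tar.gz and
    record the archive's hash in a sidecar manifest."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S-%f")
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    manifest = backup_dir / (archive.name + ".sha256")
    manifest.write_text(json.dumps({"archive": archive.name, "sha256": sha256_of(archive)}))
    return archive


def verify_backup(archive: Path) -> bool:
    """True only if the archive still matches its manifest and is a readable
    tarball. A backup you cannot restore from is not a backup."""
    manifest = archive.parent / (archive.name + ".sha256")
    if not manifest.exists() or not archive.exists():
        return False
    expected = json.loads(manifest.read_text())["sha256"]
    if sha256_of(archive) != expected:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()
    except (tarfile.TarError, OSError):
        return False
    return True


def restore_backup(archive: Path, dest: Path) -> Path:
    """Unpack a verified snapshot into dest/site; refuses anything that fails verification."""
    if not verify_backup(archive):
        raise ValueError(f"{archive.name} failed verification; refusing to restore")
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # The 'data' extraction filter (Python 3.12, backported to 3.8.17+) rejects
        # path-traversal members; fall back to a plain extract on older interpreters.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **extra)
    return dest / "site"


def prune_backups(backup_dir: Path, keep: int) -> list:
    """Delete all but the newest `keep` snapshots (names sort chronologically).
    Returns the names of the removed archives."""
    archives = sorted(backup_dir.glob("site-*.tar.gz"))
    doomed = archives[:-keep] if keep > 0 else archives
    removed = []
    for old in doomed:
        old.unlink()
        sidecar = old.parent / (old.name + ".sha256")
        if sidecar.exists():
            sidecar.unlink()
        removed.append(old.name)
    return removed


def demo() -> dict:
    """Exercise a full cycle on a constructed throwaway site: back up three times,
    corrupt one archive, prune to two, restore the surviving good one."""
    root = Path(tempfile.mkdtemp())
    site = root / "htdocs"
    site.mkdir()
    (site / "index.php").write_text("<?php echo 'hello'; ?>")  # constructed content
    backups = root / "backups"
    first = create_backup(site, backups)
    second = create_backup(site, backups)
    third = create_backup(site, backups)
    third.write_bytes(third.read_bytes() + b"\x00")  # simulate on-disk corruption
    pruned = prune_backups(backups, keep=2)
    restored = restore_backup(second, root / "restore")
    return {
        "first_pruned": first.name in pruned and not first.exists(),
        "second_verifies": verify_backup(second),
        "third_verifies": verify_backup(third),
        "pruned": pruned,
        "restored_index": (restored / "index.php").read_text(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the manifest is that a silently corrupted or tampered archive is caught before it is restored over a live site; the retention step keeps disk use bounded while leaving more than one known-good snapshot to roll back to.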

The second best way to keep your site protected is to keep it updated. Most of the time, when WordPress, Drupal, Joomla, and almost all other CMSes roll out updated versions, it’s because someone somewhere has found a vulnerability.

CMSes issue updates with patches to close these vulnerabilities. Quick application of these updates keeps you safer. Automated updates are included in every BFC Maintenance plan.

Add malware scanning, and you’ve hit the trifecta of measures that will keep 99% of sites humming along.

Our systems scan every website in our care every 12 hours for any sign of malicious code. This allows us to quickly fix the most common hack out there: code injection. This is when bots attempt to insert hidden links or meta tags into a site’s code, exploiting your site’s reputation to pass SEO value to theirs.

Because these methods are illegal, they are usually used to promote dodgy sites in unpoliced jurisdictions. Recently, a client’s site was infected with links to a site selling Viagra that was hosted in Cote d’Ivoire. We found the infection and cleansed it immediately. Malware scanning and cleansing are included in every BFC Maintenance plan.
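To make the kind of injection described above concrete, here is an added example scanner (written for this post; it is not BFC's scanning system). It parses a page with Python's standard HTML parser and flags two patterns: links to another domain that are hidden from visitors by CSS or by a hidden container, and meta tags that appear outside the head section, where injected keyword or refresh tags tend to land. The two sample pages and the .example domains are constructed for the demonstration.

```python
"""Scan rendered pages for SEO-spam injection: hidden outbound links and meta
tags dropped outside <head>. Added example for this post, not BFC's scanner.
The sample pages below are constructed; the .example domains are placeholders."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# CSS tricks commonly used to keep injected links out of sight of visitors
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.I,
)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
             "meta", "param", "source", "track", "wbr"}


@dataclass
class Finding:
    kind: str     # which rule fired
    line: int     # line in the document
    detail: str   # offending URL or tag name


class InjectionScanner(HTMLParser):
    def __init__(self, site_domain: str):
        super().__init__()
        self.site_domain = self._bare(site_domain)
        self.stack = []          # open elements as (tag, is_hidden)
        self.hidden_depth = 0    # >0 while inside any hidden container
        self.in_head = False
        self.findings = []

    @staticmethod
    def _bare(host: str) -> str:
        host = host.lower()
        return host[4:] if host.startswith("www.") else host

    def _external(self, url: str) -> bool:
        host = self._bare(urlparse(url.strip()).netloc)
        return bool(host) and host != self.site_domain   # relative URLs are never external

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "head":
            self.in_head = True
        elif tag == "meta":
            if not self.in_head:
                self.findings.append(Finding("meta-outside-head", line,
                                             a.get("name") or a.get("http-equiv") or "meta"))
            if (a.get("http-equiv") or "").lower() == "refresh":
                m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content") or "", re.I)
                if m and self._external(m.group(1)):
                    self.findings.append(Finding("meta-refresh-external", line, m.group(1)))
        elif tag == "a":
            href = a.get("href") or ""
            if (hidden or self.hidden_depth) and self._external(href):
                self.findings.append(Finding("hidden-external-link", line, href))
        if tag in VOID_TAGS:
            return
        self.stack.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
        # pop back to the matching open tag; tolerates the sloppy markup real sites have
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                self.hidden_depth -= sum(1 for _, h in self.stack[i:] if h)
                del self.stack[i:]
                break


def scan_html(html: str, site_domain: str) -> list:
    scanner = InjectionScanner(site_domain)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_tree(root: Path, site_domain: str) -> dict:
    """Run the scanner over every .html/.htm/.php file under root; returns {path: findings} for hits only."""
    hits = {}
    for path in root.rglob("*"):
        if path.suffix.lower() in {".html", ".htm", ".php"}:
            found = scan_html(path.read_text(errors="replace"), site_domain)
            if found:
                hits[str(path)] = found
    return hits


# Constructed samples: a clean page and the same page with an SEO-spam injection.
CLEAN_PAGE = """<html><head><meta name="description" content="Example site"></head>
<body><a href="/contact">Contact</a> <a href="https://www.example.com/about">About</a>
<div style="display:none"><a href="/skip">internal skip link</a></div></body></html>"""

INJECTED_PAGE = """<html><head><meta name="description" content="Example site"></head>
<body>
<meta name="keywords" content="cheap pills">
<div style="position:absolute;left:-9999px"><a href="http://pharma.example/buy">buy now</a></div>
<a href="http://spam.example/" style="visibility:hidden">hidden</a>
<p>Real content</p>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page, "example.com"))
```

Hidden links to your own domain (accessibility skip links, for example) are deliberately ignored, because the injection pattern the post describes is about passing SEO value to someone else's site. In practice such a scanner runs on the rendered output or on the PHP templates, and any hit is compared against the last known-good backup before cleaning.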

These three methods — backups, applying updates, and malware scanning — are all that most of our clients need to worry about. We have them all covered.

Intermediate Level: DDOS Protection

On occasion, our clients’ sites may be caught up in a second, more serious, type of attack: a DDOS attack. “DDOS” stands for “distributed denial of service.” It means that some computer or network somewhere attempts to flood the site with traffic to crash the server it’s running on.

Rarely are our clients the target of such attacks. More often, our clients may share a network or a hosting provider with the subject of one of these attacks. When the server or network goes down, it takes our client’s website with it.

So how can you protect against this, short of paying for far more server power than you typically need, just in case a DDOS attack happens to wander by?

It’s actually quite simple: use a distributed cloud network. These networks — like Cloudflare, Amazon’s CloudFront, and others — take a copy of your website and spread it to thousands of servers across their network. Then, when a user requests your site, it is served from whichever location can respond most quickly.

This doesn’t make a DDOS outage technically impossible, but it will reduce the effects of an attack in the vast majority of cases.

There are a few technical hitches. For one, since cloud networks take a copy of your site and distribute it, they must be configured to find where to take the copy from, how often to update the copy, et cetera. But it’s doable. We tend to recommend this option if a client has experienced DDOS outages in the past or has reason to believe it may happen in the future.

We offer cloud network configuration as an optional add-on to BFC Maintenance plans for $15/month.

Advanced Level: Password Rotation, Two-Factor Authentication, IP Whitelisting

The hacks discussed above are all user-facing in nature, where the point is to change what users see when they view your site (or, in the case of DDOS, prevent them from seeing it at all).

A far greater risk, however, lurks for some sites, particularly ones that allow users to log in and save some personalized data (like passwords, email addresses, even credit card information).

The great risk for sites like this is data extraction.

What is data extraction?

This is when hackers secretly gain access to your site somehow. This often occurs through a brute-force password attack against the administrator side of your site, or through individualized targeting by an ex-employee or a hostile organization who tries to guess a password and succeeds.

The great risk here is that they steal your information. Maybe they send unsolicited emails to your entire user base, or otherwise harass them online. Maybe they download privileged information that should only be available to authorized users, like strategy documents or membership rolls.

For sites at risk of this type of attack, there are several security augmentations we sometimes recommend. Each of these offers a different level of security benefit, and demands a different level of annoyance or effort from legitimate admins to get past it.

Protections against data extraction

One is an IP whitelist, which allows administrators to access the backend of the site only from a limited list of approved IP addresses. This means that users could only log in to access privileged information from your office, for instance, or from a home computer.

This doesn’t work very well, however, for organizations where site administrators travel or work remotely, because their IP address will often change.

Another option is two-factor authentication, which requires administrators to pass two checks when logging in — first a username and password, second a six-digit code generated by an app on a phone or a tablet.

This works well for anyone wherever they are, but it adds an additional step to the login process that can become annoying if admins have to do it multiple times in a short period.

Finally, another option is a password policy plugin or module, which will require administrators to change their passwords every once in a while (we recommend every four weeks).

This doesn’t add much administrative burden, but admins often have favorite passwords they tend to use, and unless they use a password keeper, it can be difficult to remember a new password after it’s been changed a large number of times.
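The three controls just described can be seen together in one admin login gate. The following is an added example written for this post; it is not a BFC product or any CMS plugin. It checks the client address against an IP allowlist (addresses or CIDR blocks), verifies a six-digit time-based code of the kind a phone app generates (RFC 6238 TOTP, implemented here directly with the standard library), refuses a code that has already been used, and enforces the four-week password age the post recommends. The allowlist addresses, timestamps and the shared secret are constructed values; the secret is the published RFC test-vector key, used only so the result can be checked.

```python
"""Admin login gate combining an IP allowlist, a six-digit TOTP second factor and a
maximum password age. Added example for this post, not a BFC product or any CMS's
plugin; the IPs, timestamps and secret below are constructed test values."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional


def ip_allowed(client_ip: str, allowlist) -> bool:
    """True if client_ip falls inside any allowed address or CIDR block."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # garbage in the address header is a denial, not an exception
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allowlist)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the phone app shows)."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> Optional[int]:
    """Return the matching time-step counter, or None. Tolerates +/- `window` steps of
    clock drift and compares in constant time."""
    code = code.strip()
    if not code.isdigit():
        return None
    base = at // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + drift), code):
            return base + drift
    return None


def password_expired(set_at: int, now: int, max_age_days: int = 28) -> bool:
    """Four-week rotation policy, as the post recommends (Unix-time arguments)."""
    return now - set_at > max_age_days * 86400


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    totp_counter: Optional[int] = None  # persist as last_used_counter after a successful login


def authorize_admin(*, client_ip: str, allowlist, totp_secret: bytes, code: str,
                    last_used_counter: int, password_set_at: int, now: int,
                    rotation_days: int = 28) -> Decision:
    """Evaluate all three controls and report every failing one, so the admin and the
    audit log see the whole picture rather than just the first failure."""
    reasons = []
    if not ip_allowed(client_ip, allowlist):
        reasons.append("ip-not-allowed")
    counter = verify_totp(totp_secret, code, now)
    if counter is None:
        reasons.append("bad-totp")
    elif counter <= last_used_counter:
        reasons.append("totp-replayed")  # a code that already logged someone in must not work twice
    if password_expired(password_set_at, now, rotation_days):
        reasons.append("password-rotation-due")
    return Decision(allowed=not reasons, reasons=reasons, totp_counter=counter)


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC 6238 test-vector key; constructed, never reuse a published secret
    now = 1_000_000_000               # constructed "current time"
    code = totp(SECRET, now)          # the six digits the phone app would display
    print(authorize_admin(client_ip="203.0.113.10", allowlist=["203.0.113.0/24"],
                          totp_secret=SECRET, code=code, last_used_counter=0,
                          password_set_at=now - 7 * 86400, now=now))
```

Two details matter in practice: the allowlist check must run against the real client address (not a spoofable header), which is exactly where the remote-worker problem from the IP whitelist discussion comes from, and the last used TOTP counter has to be stored so the same code cannot be replayed within its 30-second window.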

There are other options, of course, not listed here. None of these are included by default in a maintenance plan, but all are relatively simple to add to your site. Reach out to your Support Manager at any point for more information or for implementation.

2 comments on “Your Options for Enhanced Site Security”

  1. olde hickory Tap room on

    Hello would you mind letting me know which webhost you’re utilizing?
    I’ve loaded your blog in 3 completely different web browsers and I must say this blog loads a
    lot faster than most. Can you recommend a good web hosting provider at a reasonable price?
    Cheers, I appreciate it!