Kevin Young

Making Your Website Secure is Too Hard, or is it?


If you are the average website designer or developer, the word ‘security’ gives you an uneasy feeling. I know it has for me, that is, until recently. I am by no means a security expert or novice. However, I want to do my best for my clients and myself. I am willing to learn a little if it means I will achieve better security.

Security Technologies Can Be Baffling

But where do you start? The number of resources and initialisms in IT and IS security is baffling. Here are just a few to scare you: DNS, DNSSEC, CAA, SMTP, STARTTLS, SPF, DMARC, DANE, HTTP, Cookies, SRI, TLS, PKI, CSP, HSTS, HPKP. Indeed, web designers and developers may know what some of these mean and how to set them up. And if you know them all, good for you. We should all be like you. But when I look at these initialisms and try to be honest, I can’t say that I know EVERY one of them or how to be 100% confident that what I know about setting them up is secure.

What You Need Is An Easier Way

How can we get all of this under more control? No one can promise a perfect solution, but I have been very pleased with the combination of technologies I currently use to protect my WordPress-based websites. I have been told that it is very important to have layers of security. So my security stack includes firewalls, antivirus, SSL, hardening, and email protection. Read on to see how my stack could help you.

A WordPress Security Stack You Can Handle

1) Get Viruses and Malware Quarantined

It is important that you are regularly scanning the files on your website with Antivirus software. On my websites, I use the free version of Wordfence. Not only does Wordfence provide basic antivirus protection, but the free version includes a firewall, brute force attack protection, manual IP blocking, live traffic monitoring, and other security tools.

Leaving the settings at their defaults is not enough.

Don’t just go ahead and accept the default configuration, or worse yet, activate the plugin and forget it. Getting the settings right can protect your website. On one website I was having problems with, I learned how important it is to look the settings over. With a small adjustment to the login policy, I single-handedly saved the day. The website was operating at a snail’s pace, and the client was getting angry because it looked like we had no idea how to fix the issue. It looked like we were bad web designers. In fact, the website was being attacked by hackers trying to guess their way in. Once I changed the login policy to block their IPs after too many wrong password attempts, the website immediately started working perfectly again.
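The login policy that fixed that site, written out as an added example in Python (this is not Wordfence's code; the threshold, window and block duration are assumed values): failed logins are counted per source IP within a sliding window, and once the threshold is hit the IP is refused further attempts for a set time, so the guessing traffic is rejected before the site does any real work.

```python
"""Constructed illustration of a failed-login lockout policy (not Wordfence's code)."""
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed: failures allowed before the IP is blocked
WINDOW_SECONDS = 300   # assumed: sliding window in which failures are counted
BLOCK_SECONDS = 1200   # assumed: how long a blocked IP stays blocked


class LoginPolicy:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, block_for=BLOCK_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time when the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def attempt(self, ip, success, now):
        """Record one login attempt and return 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(ip, now):
            return "blocked"            # rejected before any password check runs
        if success:
            self.failures.pop(ip, None)  # a real login clears the counter
            return "ok"
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_for
            q.clear()
            return "blocked"
        return "failed"


# Constructed attempts as (seconds, ip, success): 203.0.113.7 hammers the login
# form, while 198.51.100.4 is a legitimate user who mistypes once.
EVENTS = [(0, "203.0.113.7", False), (1, "203.0.113.7", False),
          (2, "203.0.113.7", False), (3, "203.0.113.7", False),
          (4, "203.0.113.7", False), (5, "203.0.113.7", False),
          (10, "198.51.100.4", False), (12, "198.51.100.4", True),
          (1300, "203.0.113.7", False)]


def run(events, policy=None):
    """Apply the policy to a sequence of attempts; returns (ip, outcome) pairs."""
    policy = policy or LoginPolicy()
    return [(ip, policy.attempt(ip, ok, t)) for t, ip, ok in events]
```

The attacker's fifth failure triggers the block, the legitimate user's single typo does not, and the attacker's attempt after the block expires is counted afresh rather than rejected outright.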

In addition to Wordfence, I install Jetpack and enable its “Protect” module. This is just an extra layer of protection against attackers, and it does not cost a thing.

2) Keep an Audit Log

Does something look wrong on your website? Which person messed it up and when? Having a log of what’s going on can help you figure out what happened and why. I like to use the WP Security Audit Log plugin to keep track of all the nitty-gritty details. While the log itself does not fix or prevent problems, it will help you do both.

3) Send Your Outgoing Mail Through a Secure API Instead of SMTP

For years websites have been plagued with email-sending issues. It always boils down to using SMTP to send emails. Web hosts are tired of getting blacklisted and have been shutting down insecure ports. Why not avoid all the crap and headaches? That’s why I set up an account with Mailgun. I use the company’s official plugin and send emails over the HTTP API. I have great deliverability on my email and a log of each message, and I can keep those SMTP ports blocked and avoid sending authentication details like passwords over the Internet, just waiting for an attack.

The Rest Of The Security Stack

Are you ready to know the rest of my security stack? You have your homework. Ensure you get your antivirus installed AND CONFIGURED, set up an audit log, and then switch your email-sending protocols to a secure API.

I look forward to having you back for the next article in this series.