Five Tips to Keep Your WordPress Site Secure This Cybersecurity Awareness Month

WordPress

October is National Cybersecurity Awareness Month.  This is a time to raise awareness of cybersecurity threats and to refresh everyone on best practices that keep yourself, your identity, your computer networks and your website as safe as possible.  To that end, here are 5 quick tips on how to keep your WordPress website safe and secure, and how CU*Answers Web Services helps.

1. Use Strong Passwords.

The bad guys know when your website is using WordPress (or any other content management system) and they will attempt to brute force guess your passwords.  They also have access to leaked password lists of passwords you have used on other services.  As a publisher on your WordPress site you should always use a strong password, and the longer the password the better.  You should also not reuse passwords across multiple services.   Make your password unique to each service you use and use a Password Manager so you do not even have to remember them.

2. Protect Against Repeated Attacks

Even though you have a unique, strong password on your site, the bad guys are still going to make repeated guesses (often called a brute force attack) on your login page.  CU*Answers Web Services sees this traffic and has implemented several layers of protection to keep the bad guys out and to make our websites less attractive targets.  The WordFence security plugin, which is a required plugin for all our hosting clients, offers brute force protection.  It will block repeated attempts to guess passwords on your site.  Likewise, at the server level we have similar systems that will block the offending IP addresses for periods of time.  This slows down attackers and makes our sites less desirable to probe.  The side effect of these systems is that they sometimes accidentally lock valid users out, but all you need to do is give CU*Answers Web Services a call and we can get you unblocked.  The inconvenience of a temporary block is worth it to avoid the tremendous problems caused by a compromised site.

3. Use a Web Application Firewall

A Web Application Firewall (WAF) is a piece of software that protects your site against attacks.  In this case, CU*Answers Web Services has you covered too.  We use a WordPress-specific WAF on each site through the WordFence security plugin.  Again, this plugin is required on all our hosting client sites.  In addition, we use a general-purpose WAF at the server level that has a wide range of rules to protect the entire server and underlying operating system.  Occasionally, these do block legitimate traffic, which can be inconvenient.  The most recurring issue we see is use of the word “union.” Since most hosting clients are credit unions, this word gets published quite often.  Unfortunately, “union” is also a word from SQL that can be used in SQL injection attacks, so it does cause unintended blocks from time to time.
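The "union" false positive described above, as an added example (not CU*Answers' or WordFence's actual rules): it runs a keyword-only rule and a narrower rule that requires SELECT after the keyword over the same constructed request bodies. Both regexes, the helper names and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Keyword-only rule: fires on the SQL keyword anywhere in the request.
NAIVE_RULE = re.compile(r"union", re.IGNORECASE)

# Narrower rule: "union" only counts when SELECT follows it
# (optionally via ALL or DISTINCT), which is how SQL uses the keyword.
CONTEXT_RULE = re.compile(
    r"\bunion\s+(?:all\s+|distinct\s+)?select\b", re.IGNORECASE
)

def normalize(raw: str) -> str:
    """URL-decode and collapse whitespace so the rule sees what the app sees."""
    return re.sub(r"\s+", " ", unquote_plus(raw))

# Constructed sample request bodies: (label, body, is_attack). Not real traffic.
SAMPLES = [
    ("post-title", "title=Welcome+to+Example+Credit+Union", False),
    ("contact-form", "message=Our union select committee meets Tuesday", False),
    ("page-body", "content=Reunion+picnic+for+members", False),
    ("sqli-plain", "id=1 UNION SELECT a, b FROM t", True),
    ("sqli-encoded", "id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL", True),
]

def blocked(rule):
    """Labels of every sample the rule would block."""
    return [label for label, body, _ in SAMPLES if rule.search(normalize(body))]

def false_positives(rule):
    """Legitimate samples the rule blocks (what a publisher experiences)."""
    hit = set(blocked(rule))
    return [label for label, _, attack in SAMPLES if not attack and label in hit]

def missed(rule):
    """Injection-style samples the rule lets through."""
    hit = set(blocked(rule))
    return [label for label, _, attack in SAMPLES if attack and label not in hit]

if __name__ == "__main__":
    for name, rule in (("naive", NAIVE_RULE), ("context", CONTEXT_RULE)):
        print(name, "false positives:", false_positives(rule),
              "missed:", missed(rule))
```

The narrower rule stops blocking ordinary "credit union" text but still trips on the constructed phrase "union select committee", so tightening a rule reduces false blocks without eliminating them.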

4. Back Up Your Website

CU*Answers Web Services and Network Services have you covered here.  Our shared hosting servers are backed up nightly through our automated systems.  While not fool-proof, having a backup from last night gives us a fallback in case something drastic happens to your website.  In addition, clients with access to the CU*Answers Web Hosting Control Panel can also create on-demand backups.

5. Keep your WordPress and Plugins Current

This is the one security principle that gets repeated over and over again.  Keeping your WordPress core and Plugins — or really any software — up to date protects you against security issues.  Sure, new ones might be introduced, but over time the security of software should continue to improve.  CU*Answers Web Services has built special shared hosting servers specifically for WordPress.  We have protocols in place that update WordPress core and all plugins every Sunday night.  This keeps all of our sites on current releases.  We track this information in a couple of dashboards and can see what updates are pending in case we suspect a conflict of some kind.  Finally, our infrastructure also allows us to deploy updates as needed in case there is a critical update that needs to go out immediately.

There is no such thing as a 100% secure website, but hopefully these tips and your understanding of how CU*Answers Web Services is working to keep all of our sites protected give you confidence in your choice of hosting and website management providers.  If you have any questions or concerns, please reach out to the CU*Answers Web Services team.


Website Alerts and How We Do Them

WordPress

You’re not going to guess what the Web Services Team did a lot of this week.  Maybe you are.  This past week we published a bunch of alerts on credit union websites about this virus thing everyone is talking about.  A people virus, not a computer virus.

Luckily, CU*Answers Web Services was prepared for this.  We’ve published special alerts on credit union websites before for things like weather-related closings, power outages or telephone troubles at branches.  If your credit union website is on our WordPress with SiteControl platform, we have the ability to turn on Notification Bars.

Notification Bars appear at the very top of your website to highlight an important notice for your members.  These notification bars are highly customizable and mobile responsive.  Here’s a screenshot of a site with a live notification bar enabled:

[Screenshot: ChiPhone website with Notification Bar]

If you have a need for an alert to your members on your site — and who doesn’t this week? — let us know.  We can enable this feature and the content is manageable in your WordPress dashboard.  Also we’re happy to add the content for you, just let us know what you would like it to read.

Questions about Website Security

Accessibility

CU*Answers Web Services recently received some questions about website security. This client was concerned about the recent defacement of a Credit Union website in Montana and asked about how this would be handled at CU*Answers. We thought they were some good questions, so we wanted to share our answers with everyone. Here they are:

Who do we contact by phone to completely shut down our website? And does that include weekends and after hours?

During M-F 8-5 business hours, call the Web Services Team at 616-285-5711 x275.
After hours, call Customer Support at 800.327.3478, where someone is on call 24/7 to engage the appropriate team for response.

If something odd occurs does CU*Answers provide a diagnostic or forensic analysis of what happened?

We analyze our logs regularly to determine the source and method of attacks in order to mitigate attempts proactively. In the case of a successful “hack” we would do our due diligence to learn and prevent further abuses. We don’t have a formal plan to provide you with a report of those findings, but we’d be happy to share any findings deemed beneficial.

Does WordPress receive the same attention to updates and monitoring for security as our site?

I’m not sure I understand this question. Your site does use WordPress, which we monitor continuously, and we update both the WordPress core software and plugins; this is one of the benefits of hosting with us. We also use several WordPress plugins to monitor security and log admin logins and changes on your site. Furthermore, Network Services has several protections in place at the network level, including firewalls and intrusion detection systems, to name a couple, to assist in mitigating attacks.

Lastly, would CU*Answers automatically post a temporary site or link to take members to a “safe” site – bypassing the unwanted component – to access their information?

Yes, we would absolutely respond with necessary action to protect your members from any security incident. This response would depend on the severity of a compromise, ranging from removing the threat by redeploying your site from a version we keep in our code version control system, to potentially redirecting requests to your site directly to your online banking URL until the risk was mitigated.

Hosted WordPress Sites Updated to 3.9.2

WordPress

Hosted WordPress sites have now been updated to version 3.9.2. This is a security release update improving a few things under the hood. For more information, check out the release notes.

New Website for New Horizons Credit Union

CU*Answers Web Services is excited to announce the launch of a new website for New Horizons Credit Union in Ohio. This new website is built on our WordPress with SiteControl platform, enabling consistent content and search engine optimization right out of the gate. In addition, New Horizons’ new website theme was built to use CU*Answers Web Services’ and CU*Answers’ Marketing standard banner sizes so that New Horizons can leverage collaborative pricing and electronic banners.

Please visit New Horizons’ new website.

Onaway FCU Rebrands to Awakon FCU

awakonfcu.net

We are excited to announce the launch of the new awakonfcu.net! Onaway Federal Credit Union, based in northern Michigan, recently expanded beyond their Onaway footprint and needed to rebrand to reflect their expanded field of membership. As part of their name change to Awakon Federal Credit Union, they needed a new web site. Enter CU*Answers Web Services. Designed, built, tested, and launched to coordinate with the rest of the rebranding deployment, awakonfcu.net uses WordPress with SiteControl, 950×250 rotating banners, a lovely background photograph, search functionality, electronic contact forms, and simplified navigation.