Five Tips to Keep Your WordPress Site Secure This Cybersecurity Awareness Month

WordPress

October is National Cybersecurity Awareness Month.  This is a time to raise everyone's awareness of cybersecurity threats and to refresh the best practices that keep you, your identity, your computer networks and your website as safe as possible.  To that end, here are 5 quick tips on how to keep your WordPress website safe and secure, and how CU*Answers Web Services helps.

1. Use Strong Passwords.

The bad guys know when your website is using WordPress (or any other content management system) and they will attempt to guess your passwords by brute force.  They also have access to lists of leaked passwords you have used on other services.  As a publisher on your WordPress site you should always use a strong password, and the longer the password the better.  You should also not reuse passwords across multiple services.  Make your password unique to each service you use and use a Password Manager so you do not even have to remember them.

2. Protect Against Repeated Attacks

Even though you have a unique, strong password on your site, the bad guys are still going to do repeated guesses (often called a brute force attack) on your login page.  CU*Answers Web Services sees this traffic and has implemented several layers of protection to keep the bad guys out, and also make our websites less attractive to target.  The Wordfence security plugin, which is a required plugin for all our hosting clients, offers brute force protection.  It will block repeated attempts to guess passwords on your site.  Likewise, at the server level we have similar systems that will block the offending IP addresses for periods of time.  This slows down attackers and makes our sites less desirable to probe.  The side effect of these systems is that sometimes they accidentally lock valid users out, but all you need to do is give CU*Answers Web Services a call and we can get you unblocked.  The inconvenience of a temporary block is worth it to avoid the tremendous problems caused by a compromised site.
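The blocking behavior described above, including the accidental lockout of a valid user, can be sketched as follows. This is an added example, not code from Wordfence or from CU*Answers; the thresholds, class name and IP addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

ATTACKER_IP = "203.0.113.7"    # constructed documentation address
STAFF_IP = "198.51.100.20"     # constructed documentation address

class LoginThrottle:
    """Block an IP for a period of time after repeated failed logins (assumed thresholds)."""

    def __init__(self, max_failures=5, window=300, block=900):
        self.max_failures, self.window, self.block = max_failures, window, block
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> time at which the block expires

    def record(self, ip, now, success):
        # A blocked IP is refused before the password is even checked,
        # which is why a valid user can be locked out too.
        if self.blocked_until.get(ip, 0) > now:
            return "blocked"
        if success:
            self.failures.pop(ip, None)      # a good login clears the counter
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = now + self.block
            recent.clear()
            return "blocked"
        return "failed"

# Constructed login events: (seconds, source IP, password was correct)
CONSTRUCTED_EVENTS = (
    [(t, ATTACKER_IP, False) for t in (0, 5, 10, 15, 20, 25)]
    + [(100, STAFF_IP, False), (130, STAFF_IP, True)]          # one typo, then success
    + [(t, STAFF_IP, False) for t in (200, 210, 220, 230, 240)]  # forgotten password
    + [(250, STAFF_IP, True),     # correct password, but the IP is still blocked
       (1141, STAFF_IP, True)]    # block has expired, login works again
)

def replay(events, throttle=None):
    """Feed events through the throttle and return (ip, outcome) pairs."""
    throttle = throttle or LoginThrottle()
    return [(ip, throttle.record(ip, ts, ok)) for ts, ip, ok in events]

if __name__ == "__main__":
    for ip, outcome in replay(CONSTRUCTED_EVENTS):
        print(ip, outcome)
```

The staff member's correct password at second 250 is refused because the block is keyed on the IP address, which is the lockout that a call to support clears.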

3. Use a Web Application Firewall

A Web Application Firewall (WAF) is a piece of software that protects your site against attacks.  In this case, CU*Answers Web Services has you covered too.  We use a WordPress-specific WAF on each site through the Wordfence security plugin.  Again, this plugin is required on all our hosting client sites.  In addition, we use a general purpose WAF at the server level that has a wide range of rules to protect the entire server and underlying operating system.  Occasionally, these do block legitimate traffic, which can be inconvenient.  The most recurring issue we see is use of the word “union.” Since most hosting clients are credit unions this word gets published quite often.  Unfortunately, “union” is also a word from SQL that can be used in SQL injection attacks, so it does cause unintended blocks from time to time.
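To show why the word “union” trips a WAF, here is an added example (not the rule set used by Wordfence or by the server-level WAF) comparing a keyword-only rule with one that requires SQL context. Both patterns and all sample inputs are constructed for illustration.

```python
import re

# Keyword-only rule: fires on the bare word, so credit union content is blocked.
NAIVE_RULE = re.compile(r"\bunion\b", re.IGNORECASE)
# Context rule: "union" only counts when it is followed by a SELECT clause.
CONTEXT_RULE = re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b", re.IGNORECASE)
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

def normalize(value):
    """Replace inline SQL comments with a space and collapse whitespace before matching."""
    return re.sub(r"\s+", " ", SQL_COMMENT.sub(" ", value))

def naive_blocks(value):
    return bool(NAIVE_RULE.search(value))

def context_blocks(value):
    return bool(CONTEXT_RULE.search(normalize(value)))

# Constructed submissions: (field value, is it actually an injection attempt?)
CONSTRUCTED_SAMPLES = [
    ("Why join a credit union?", False),
    ("Example Community Credit Union holiday hours", False),
    ("Weekend branch hours", False),
    ("1 UNION SELECT NULL, NULL", True),
    ("1 union/**/all/**/select NULL", True),
]

def evaluate(rule, samples=CONSTRUCTED_SAMPLES):
    """Return (false_positives, missed) for a rule over labelled samples."""
    false_positives = sum(1 for text, bad in samples if rule(text) and not bad)
    missed = sum(1 for text, bad in samples if bad and not rule(text))
    return false_positives, missed

if __name__ == "__main__":
    print("keyword-only rule:", evaluate(naive_blocks))
    print("context rule:     ", evaluate(context_blocks))
```

Ordinary prose can still contain the two words side by side, so a context rule reduces these unintended blocks without eliminating them.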

4. Back Up Your Website

CU*Answers Web Services and Network Services have you covered here.  Our shared hosting servers are backed up nightly through our automated systems.  While not fool-proof, having a backup from last night gives us a fallback in case something drastic happens to your website.  In addition, clients with access to the CU*Answers Web Hosting Control Panel can also create on-demand backups.

5. Keep your WordPress and Plugins Current

This is the one security principle that gets repeated over and over again.  Keeping your WordPress core and Plugins — or really any software — up to date protects you against security issues.  Sure, new ones might be introduced, but over time the security of software should continue to improve.  CU*Answers Web Services has built special shared hosting servers specifically for WordPress.  We have protocols in place that update WordPress core and all plugins every Sunday night.  This keeps all of our sites on current releases.  We track this information in a couple of dashboards and can see what updates are pending in case we suspect a conflict of some kind.  Finally, our infrastructure also allows us to deploy updates as needed in case there is a critical update that needs to go out immediately.

There is no such thing as a 100% secure website, but hopefully these tips and your understanding of how CU*Answers Web Services is working to keep all of our sites protected give you confidence in your choice of hosting and website management providers.  If you have any questions or concerns, certainly reach out to the CU*Answers Web Services team.

Website Alerts and How We Do Them

WordPress

You’re not going to guess what the Web Services Team did a lot of this week.  Maybe you are.  This past week we published a bunch of alerts on credit union websites about this virus thing everyone is talking about.  A people virus, not a computer virus.

Luckily, CU*Answers Web Services was prepared for this.  We’ve published special alerts on credit union websites before for things like weather related closings, power outages or telephone troubles at branches.  If your credit union website is on our WordPress with SiteControl platform, we have the ability to turn on Notification Bars.

Notification Bars appear at the very top of your website to highlight an important notice for your members.  These notification bars are highly customizable and mobile responsive.  Here’s a screenshot of a site with a live notification bar enabled:

ChiPhone website screenshot with Notification Bar

If you have a need for an alert to your members on your site — and who doesn’t this week? — let us know.  We can enable this feature and the content is manageable in your WordPress dashboard.  Also we’re happy to add the content for you, just let us know what you would like it to read.

Wordfence Launches New Security Feature: Real-Time IP Blacklist

WordFence

We are happy to report that Wordfence has just launched a new security feature for its premium customers – real-time IP blacklist! This new feature will work to block thousands of malicious IPs from hacking your WordPress website. This will significantly cut the risk of your site being hacked and will lighten your website load times and improve site performance as well.

Over the past year, the developers at Wordfence have heavily monitored, collected, and analyzed data from malicious hacking attempts on WordPress websites. They were able to use these results to build a new security feature that will immediately find malicious IPs and block them instantly.

When a potential attacker is blocked from the website that is using Wordfence, this is what they will see:

If a legitimate visitor gets blocked, they are able to report the false positive by clicking on the “Report Problem” button and then copying & pasting the encoded text into the report. The Wordfence response team receives the report and responds quickly to record and fix the false-positive.

This new real-time IP blocking feature enhances Wordfence as it works to prevent attacks. If an IP that is on the blacklist attempts to get access to your site, it becomes blocked from your site permanently and immediately. This means the malicious attacker can’t access anything on your site or use site and server resources.

Keeping your website secure is one of our top priorities and we couldn’t be happier with this new feature from Wordfence!

Michigan Legacy Launches New Design!

Michigan Legacy Credit Union Website Screenshot

Congratulations to Michigan Legacy on the launch of their new website! This new responsive website accommodates all web browsing devices from mobile to desktop.  In addition, this redesign features Google Maps API integration to assist members in contacting the closest branch in the greater Detroit area.  Michigan Legacy Credit Union has a strong commitment to community and these activities are highlighted on a special Community Spotlight news page, which was an important component in the site’s redesign.

Check it out here: https://michiganlegacycu.org/

Is Your WordPress Website Secure? It is With Us!

WordPress

In the previous article we posted from Credit Union Times that addressed whether or not WordPress websites are secure, they noted the following:

“At its core, WordPress is extremely secure (see wordpress.org/about/security). In fact, when compared to competitors, WordPress is probably the most secure content management system on earth. While the popularity of WordPress does mean more people are trying to hack it, WordPress has been remarkably successful at resisting attacks. If you study the history of WordPress security, you’ll see that WordPress software is NOT the security issue you should be worried about (source: managewp.com/is-wordpress-secure). The security threat you should be worried about is yourself. WordPress users are the security issue, not WordPress.”

They made a list of best practices to follow for making your WordPress website secure and here’s how we have responded:

Keep Your Website Updated

We do this automatically! As part of our hosting platform, we schedule regular weekly updates to the WordPress core software and plugins. It is why we specialize in WordPress!

Host Your WordPress Website on Secure Servers

We’re not the cheapest hosting option around and we know that. But we’ve built hosting architecture and network security specifically for Credit Unions!

Create Unique Usernames and Passwords

Each website account is created with unique usernames and passwords. We wouldn’t trust it any other way.

Limit Login Attempts & Use a Premium WordPress Security Plugin

Our number one goal is to keep your website secure, which is why we have installed and configured the Wordfence security plugin on all of our sites.  Wordfence helps manage login attempts and auto-bans unknown users who try to gain access to the site through brute force attacks.

Use Trusted Third-Party Plugins Only

We properly vet each and every third-party plugin that is installed on all of our credit unions’ websites. We don’t, as a rule, install or activate untested or low-scoring plugins.

Did you know that out-of-date plugins can pose a potential security risk?

This is why we issue regular plugin updates along with the WordPress core software. This ensures that your plugins are always up to date and helps keep your site safe from hacking attempts.

Back up Your Website Every Day

All of our credit union websites are on a regular back-up schedule. We believe in having a solid disaster recovery plan in place for life’s unexpected occurrences.

In addition to all of these great recommendations from Credit Union Times, we also go above and beyond this:

  • 24-hour automated monitoring
  • Proactive server management
  • Layered levels of security at the network level, the server level, and the application level
  • All websites are hosted on servers that are housed in an SSAE16 Certified Data Center
  • Soon to be announced free SSL certificates for any sites hosted with us
  • As an added bonus, the leader of the Web Services team has written a book on WordPress Design, Development and best practices!

We understand the unique needs of our clients and strive to always be pushing forward with the latest best practices in website security, design and development.

Is WordPress Secure for Credit Union Websites?

WordPress

From Credit Union Times:

WordPress is the most popular content management system on the planet: 27% of all websites are built on WordPress. But does WordPress have security issues? Let’s talk about website security and eight practices to make WordPress secure for a credit union website.

People often judge a credit union by its website. Your website is your biggest branch and most frequent touch point with members. If your website gets hacked, relationships will be compromised. For these reasons, choosing a secure content management system is extremely important.

There are many CMS alternatives. At the forefront of these alternatives is WordPress because it’s 10 times more popular than any other CMS on the planet (source: w3techs.com). Compared to other CMSs, WordPress has the most plugins, themes and developers, as well as the largest community of users helping users. But does the popularity of WordPress come at a price? Does popularity also mean more hackers and vulnerabilities?
