Site Security Basics
Security can be a tricky subject because there’s really no “ceiling” in terms of what can be done. Part of the trick is making sure you have measures in place, without going too far overboard given the size and function of your site. The first thing to know is that there are two different types of security and two different places that security measures can be taken.
The first type of security concerns user data entered through your site, for example when a visitor fills out a form or processes a payment. The second type concerns site security, so an intruder is not able to modify your site files or redirect users to a different site.
The two places where security measures can be taken are your website and the server your website is hosted on.
As part of the fjorge Managed Service plans we perform routine security updates to the site, and to the server when hosted through us. We scan the site for malware/malicious code, monitor and renew SSL certificates, and ensure content is being served securely. Because 100% security is impossible no matter how many protocols you put in place, we also have an Emergency Action Plan.
This article briefly discusses each of the above.
The top reason for having a CMS Managed Service plan is to ensure your site’s CMS core, plugins, and PHP are up to date. Your CMS is the platform your site is built on (e.g., WordPress, Drupal, Craft, etc.). Plugins are applications that allow for additional functionality on your site, such as forms, sliders, image galleries, etc.
Think of the CMS core as the operating system on your smartphone and plugins as the apps. Every now and again you’ll get notified about a new iOS version (for iPhones) or that your favorite app has an update available. These updates help to improve functionality, introduce new features, and often include a security update. The same is true for the CMS core and plugin updates on your website.
- Craft CMS
Like your CMS core and plugins, PHP releases security updates. Also like your CMS core and plugins, outdated versions of PHP become unsupported and therefore no longer receive new security patches. If your site is running on an unsupported version of PHP, your site and server are vulnerable.
As of December 2018 both PHP 5.6 and PHP 7.0 reached their end of life and are therefore no longer supported. If your website is running on PHP 7.0 (or any 5.x version) it needs to be updated to a newer version. The update itself can be completed in a couple of hours, but requires a thorough QA of your site plus time for repairing any breakages due to incompatible code. For this reason, we generally estimate 5-10 hours depending on the size of your site and how outdated the versioning is.
Your server is the computer where your site files are being hosted. In addition to making sure your site is actively updated, you should have a partner who is properly managing your servers as well.
fjorge uses AWS cloud servers to host our client websites, and has a dedicated Systems Administrator (SysAdmin) whose sole responsibility is monitoring, updating, and resolving server-based issues. Our SysAdmin also monitors server CPU usage to make sure sites are on the correct size servers, and to identify any unusual patterns of activity that could indicate possible attempted intrusions.
You may be familiar with malware scans as it relates to your computer. A malware scan looks for files that may contain malicious code, and because your website contains both files and code, routine malware scans are recommended. Doing so will help to identify and remove possible security risks.
SSL Certificate Monitoring
Secure Sockets Layer (SSL) is a protocol that authenticates and encrypts links between computers. This protocol addresses the first type of security discussed: user information. As of July 2018, Google requires a validated SSL protocol on all sites, and takes it into consideration when establishing search rankings. Now, it’s not only a security best practice – it’s critical for your SEO.
All major browsers (Chrome, Safari, Firefox, etc) have also jumped on board. The URL bar of your browser will show a closed lockset if a site has a valid SSL Certificate. Sites that do not have a valid certificate will display an opened red lockset or similar warning, sometimes accompanied by an alarming warning page that the “site is unsecure.” Needless to say, if your website is the revenue hub for your company, this is bad for business!
SSL Certificates are added at the server level, so adding, monitoring, and renewing your site’s SSL certificate is something your server administrator can help you with. If you have a fjorge CMS Managed Service plan, server hosting with SSL monitoring and certificate renewal is included as part of our plan levels.
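The monitoring and renewal described above comes down to one recurring check: how many days remain before a certificate's notAfter date. The following is an added example, not fjorge's tooling; the 30-day renewal window, the host names and the sample certificate dates are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WITHIN_DAYS = 30  # assumed renewal window, not a figure from the article

# Constructed sample data in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERTS = {
    "shop.example": {"notAfter": "Mar 10 12:00:00 2025 GMT"},
    "blog.example": {"notAfter": "Dec 31 23:59:59 2025 GMT"},
    "old.example": {"notAfter": "Feb 20 00:00:00 2025 GMT"},
}
SAMPLE_NOW = datetime(2025, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def fetch_cert(host, port=443, timeout=5.0):
    """Complete a verified TLS handshake and return the peer certificate."""
    ctx = ssl.create_default_context()  # checks trust chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_remaining(cert, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def classify(cert, now, renew_within=RENEW_WITHIN_DAYS):
    left = days_remaining(cert, now)
    if left < 0:
        return "EXPIRED"
    return "RENEW" if left <= renew_within else "OK"


def check_host(host):
    """Live check; a failed verification is what browsers warn about."""
    try:
        return classify(fetch_cert(host), datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError:
        return "INVALID"  # expired, wrong hostname or untrusted issuer


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(name, days_remaining(cert, SAMPLE_NOW), classify(cert, SAMPLE_NOW))
```

Run on a schedule, `check_host` gives the server administrator a RENEW status well before visitors would see a browser warning; connection errors other than certificate verification are left to propagate so an unreachable site is not mistaken for a healthy one.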
Emergency Action Plan
As mentioned before, there is no ceiling for steps that can be taken to optimize site and server security. Nonetheless, it’s impossible to reach 100% security.
Our beloved internet is an ongoing security battlefield. Technology is constantly changing, in part because the bad guys are looking for new ways to crack the code, while the good guys are thinking of new ways to prevent it from happening.
Whoever your development partner is, they should take basic security measures to monitor your site and servers, provide sound recommendations to enhance your security levels, and have a solid Emergency Action Plan just in case. Below are the 5 steps fjorge takes for our Emergency Action Plan:
- Take Routine Backups: When hosted on fjorge servers, databases are automatically backed up daily, site files are backed up weekly, and we use Version Control processes during development. If your site is compromised, we have previous versions of your website and database that can replace your compromised site while we quarantine and repair it. In other words, your users won’t notice a difference, so long as we have a copy of your site without the offending vulnerability.
- Use a Monitoring System: We monitor site activity using a variety of tools, including StatusCake, and receive alerts if any activity indicates a site could be down or compromised.
- Take Immediate Action: If there is any indication of an intrusion, the entire CMS Managed Service team is “all hands on deck” until the cause and source of the compromise have been identified. Once identified, a developer, our SysAdmin, and Project Manager become the 3-person team that works on the site until the compromise has been mitigated.
- Quarantine the Compromised Site: When a compromise has been confirmed, the first step is to quarantine the compromised site on our dedicated Quarantine Server, then put up a clean backup of the site, or publish a temporary splash page with client-approved messaging if a clean backup of the site is not available.
- Have a Dedicated Action Team: The 3-person Action Team then splits up responsibilities to troubleshoot and repair any site files, scripts, or codebase associated with the compromise, plus identify and patch the source of the intrusion, then relaunch your repaired site. Their other responsibilities are delegated or put on pause until the site is in a stable condition.
This process could take hours or days, depending on how extensive the intrusion is and how long the vulnerability has been on the site. The most common sources of vulnerabilities are outdated core, plugins or PHP versions, which are easily preventable by having a consistently up-to-date site.
fjorge has a dedicated CMS Managed Services team with several plan options available. Our priority is the security and sustained functionality of your site. Plans are month-to-month and can be upgraded or canceled at any time. If you’re looking for a development partner to service your website, you’ve come to the right place!