Not having your employees and users educated on cyber-security and its best practices is considered reckless. Keeping your passwords in a publicly accessible Google Sheet is plain stupid.
A cyber-crime situation such as a ransom demand for a stolen domain, or the hijacking of a website, is serious. Handling such situations requires experts, and hiring highly skilled professionals is very expensive. Do not get yourself into these dark holes. Continuing training and proper access control are key to your success and to the security of your personal and organizational data and digital assets.
Using unsecured wireless internet connections, or any unsecured internet connection, is a very bad habit. A VPN does not make a connection secure. Your device must be secured as well, and the websites you visit outside of work with that device are a risk too. Do not visit websites that are unrelated to your work or that are unsecured. A website without an SSL connection is a risky website. Social media websites are also risky. Downloading files or installing applications on devices that are also used to access your website(s) can pose a security risk.
Security Plugins Are Not Enough
A security plugin is usually a good idea, but it is not enough on its own. Security plugins, even when updated and set up properly, are only part of the puzzle. Using long and complicated passwords is crucial, and keeping them in secure locations is just as important. Giving access to your website to anyone who is NOT an experienced web developer with cyber-security experience is a security risk!
You must accept that employees, no matter how experienced, could at any point pose a security risk to your digital assets and website(s).
Using a server firewall is a MUST. The same goes for a network firewall. Automated security scans and automated backups are also MANDATORY. If you do not have these set up on your platform, you assume all responsibility.
2FA & Password Security
As a business and website owner you must require everyone to use an authenticator app, as security experts unanimously recommend. Make sure no one is using their workspace email on their phone unless proper security measures, including a workspace policy, are enforced on the workspace.
Require 2FA on their work devices, Google accounts, operating systems, browsers and any other online accounts. Screen locks with passwords are ideal. Recovery emails should have the same security measures, such as 2FA. You must make sure that no one’s passwords are reused.
For example, run the Google Account Security Checkup and the Google Chrome password checkup.
Why you should use password managers instead of saving your passwords in a Google Sheet!
SMS-based 2FA is also NOT SAFE. Spoofing SMS is very possible!
Not using public networks
For example, Starbucks wireless networks, and especially airport networks, SHOULD NOT BE USED by anyone who is working on the website and/or Google Drive/Gmail. Even if the location is empty: people can be on the same network as you from far away! So the empty rural diner is not safe either, even if it’s in Alaska. The hacker who is looking for you could be on the other side of the planet.
A VPN does not help you!
For example, a website without an SSL certificate, served over an unsecured HTTP connection, is still exposed. Do not believe the hype about VPNs. They are a layer of encryption. Not a firewall. Not an antivirus. And they WILL NOT protect your data or your website from being stolen.
Routers
The safest network connection is an Ethernet cable, but DNS settings cannot be configured without a router. So get a good router combo.
For routers it is best to use 1.1.1.1 as the DNS server, for speed. However, some home security cameras like Wyze won’t work with it, so not everyone will do that. 8.8.8.8 (Google) works for most. If that causes any issues, revert to the default.
When you work from home you don’t have the proxy or the password-protected workspace Wi-Fi you usually have.
Make sure your router username and password are not left at the default of “admin” / “admin”. Make sure you have a guest network for friends when they visit. Make sure the passwords are different, and change them at least annually.
Your home computer is set to trust computers on the same network, and so are mobile devices.
Be careful!
Do Not Use Browser Extensions!
A Good Hosting Provider Is NOT Enough
Choosing, and when necessary changing, a good hosting company is extremely important! Most hosts change over the years, so sometimes it’s necessary to change your web host. But this is not something that happens every year. More like once a decade or two. Do your research.
A migration or change of host, if done incorrectly or if you are moved to the wrong server, can cause serious problems such as domain and IP reputation issues, which hurt email deliverability and search engine rankings. For example, moving to a server that is not dedicated could leave you associated with a neighboring website that might be illegal or pornographic. So we must be able to manage your hosting to make sure that you are in the correct environment, and that is before even considering the security risks that come with a bad migration.
A VPS is the bare minimum, but we would recommend a true dedicated server because of the security and flexibility.
- WordPress | Google Cloud is a great solution that is relatively secure out of the box.
- AWS is a good option as well but is very expensive and is more geared towards larger entities and experienced developers.
- InMotion Hosting is a very good company with a lot of customization.
Your website’s safety depends on who maintains it and who uses it, including your employees, your hosting company and the system/web administrator. Whitelisting those users is needed in some cases, but make sure their IPs are static and update your lists regularly. YES, static IP addresses are not really static; they are just static for longer periods of time. Also, IP addresses are assigned via routers, so if you are at an office or a shared space, do not whitelist any IP addresses. This should only be done from homes with secured networks, not wireless networks whose password you handed out to someone.
Plugins
Decrease the number of plugins on the website, and not for performance reasons alone.
Make sure the site is composed of plugins from legitimate authors that are updated regularly.
A plugin’s minimum review score for installation should be 4.5 or above. Try to contact the developer and time the response. If it takes longer than 48 hours, don’t install it.
WordPress
If you are using WordPress, make sure the WordPress platform, themes and PHP versions are up to date. Outdated versions are a security risk, on any platform.
Authenticity
Do not install sketchy plugins on the website. No pirated themes. No templates managed by 3rd parties. No plugins that require unnecessary permissions such as access to contacts, etc.
Set up snapshots and/or Backups
- Snapshots are usually only available with VPS, also known as cloud hosting, plans.
- Back up to Google Drive if possible.
- Back your data up locally on your own machine as well.
- Back up with your host’s recommended provider.
- If your server is compromised, the snapshots are gone too: a snapshot is a local backup.
ImunifyAV
ImunifyAV is a great tool that you can install on your server for free. A paid version with some automation is also available; check out Imunify360.
Port Blocking
3306 is the port for remote SQL, and the one that usually needs to be blocked. 3360 is simply a port that isn’t commonly used, so it was already closed.
There are more ports you should block, but which ones depends on your specific case. We also recommend blocking FTP.
Whitelisting
Whitelisting should be implemented for any access to your websites and server. If you are not whitelisting properly, you are opening the door to more attackers and possible cyber attacks.
Be careful when whitelisting routers or subnets. Ideally the whitelisted IP is static and is not on a wireless connection. Ethernet is best.
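The port blocking and whitelisting advice above, as an added shell example (not from the original page or its hosting provider): it reads `ss -ltn`-style output to find which of the ports named above (3306 for remote SQL, 21 for FTP) are reachable beyond loopback, then prints iptables rules that allow them only from a single whitelisted static IP. The sample socket listing and the address 203.0.113.10 are constructed.

```shell
#!/usr/bin/env bash
# Added example: check which of the ports this page says to close (3306 for remote
# SQL/MySQL, 21 for FTP) are listening on a non-loopback address, then print the
# iptables rules that would allow them only from one whitelisted static IP.
# The `ss -ltn` output and the address 203.0.113.10 below are constructed, not real.
set -u

WATCHED_PORTS="21 3306"

# Constructed sample of `ss -ltn` output (the shape a real server prints).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       80      0.0.0.0:3306        0.0.0.0:*
LISTEN  0       128     127.0.0.1:6379      0.0.0.0:*
LISTEN  0       128     [::]:21             [::]:*
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*'

# exposed_ports: read ss output on stdin; print each watched port that is bound to a
# non-loopback address (0.0.0.0, [::] or a public IP), one per line, ascending.
exposed_ports() {
  awk -v ports="$WATCHED_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)              # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)          # everything before it
      if (host ~ /^(127\.|\[::1\]|localhost)/) next  # loopback only: not exposed
      if ((port in watch) && !(port in seen)) { seen[port] = 1; print port }
    }' | sort -n
}

# allow_rules: for each port on stdin, print an iptables ACCEPT rule for the whitelisted
# static IP followed by a DROP for everyone else. Printed, not executed: review first.
allow_rules() {
  allow_ip="$1"
  while read -r port; do
    [ -n "$port" ] || continue
    echo "iptables -A INPUT -p tcp --dport $port -s $allow_ip -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
  done
}

main() {
  echo "Watched ports reachable from outside:"
  printf '%s\n' "$SAMPLE_SS" | exposed_ports
  echo "Suggested rules (apply as root only after review):"
  printf '%s\n' "$SAMPLE_SS" | exposed_ports | allow_rules 203.0.113.10
}
main
```

On a live server, replace the constructed sample with `ss -ltn | exposed_ports` and keep the rules as a review step rather than piping them straight into a root shell.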
cPHulk
cPHulk offers the ability to block or whitelist by country. Once it is enabled you will see a Country Management tab that lets you select any country you want to ignore, blacklist or whitelist. It is very easy to turn on cPHulk and configure it on your servers.
See: Enabling cPHulk on Dedicated Servers (InMotion Hosting Support Center)
*Note on enabling cPHulk on dedicated servers: DNSSEC settings should be disabled.
Resources
- https://www.inmotionhosting.com/support/website/using-the-ip-deny-manager/
- https://www.inmotionhosting.com/support/product-guides/vps-hosting/snapshots/
- https://www.inmotionhosting.com/support/edu/cpanel/setup-scheduled-cpanel-backups/
- https://www.inmotionhosting.com/support/amp/amp-security-how-to-enable-two-factor-authentication/
- https://www.solwininfotech.com/blog/wordpress/wordpress-security-best-practices/?wpam_id=323
- https://www.hostgator.com/help/article/what-security-measures-are-used-to-protect-my-server#personal-security
- https://wpcerber.com/using-ip-access-lists-to-protect-wordpress/
- https://wpcerber.com/cloudflare-and-wordpress-cerber/
- https://wpcerber.com/wordpress-login-security/
- https://wpcerber.com/recommended-security-settings/
Terms of Service
- I understand that not following our security guidelines or terms of service will result in an immediate transfer of my data without notice, which might include a network transfer at an additional fee on top of the current rate. Failure to pay the additional fee will result in the termination and deletion of all of my data.
- I understand that when a service agreement with SEO Jokers is in place, only SEO Jokers representatives are permitted to make any changes to my server, website and data. Failure to follow this requirement will constitute a breach of the terms of service and will result in the immediate termination of our hosting services, without any notice.
- I understand that it is my responsibility to make sure that I, my employees, contractors, and subcontractors strictly follow all of our security guidelines.
- I understand that any security breach or concern will result in an immediate transfer of my data without notice which might include a network upgrade.
- I understand that when the storage limit is reached the hosting plan will automatically upgrade with a billing rate increase.
- I understand that SEO Jokers reserves the right to exclusivity in conducting development efforts on the website(s) for which the hosting agreement is set.
- I understand that SEO Jokers is hosting with InMotion Hosting.
- I understand & agree to InMotion Hosting Terms of Service.
- I understand that managed web hosting is only available with a service plan.
- I understand that SEO Jokers only provides migration services to its own servers.
- I understand that I am responsible for migrating my data in case of cancelation.
- I understand that SEO Jokers will not perform migration services in case of cancelation.
- I understand that SEO Jokers does not offer refunds. Ever.
- I understand and agree to SEO Jokers’ Terms of Service.