At LimeCuda, we take the security of our client websites very seriously.
After a client had a security breach with their Point of Sale system, they reached out to us to find out what security measures we take to ensure the same didn’t happen to their web presence. Below is our detailed response to that question:
There are quite a few layers in place, including firewalls at two different points in the request path. The details below describe what is included in the services we provide. Depending on the layer, scanning happens as traffic is received, daily, or even more frequently.
- It starts with the site's DNS, which is routed through CloudFlare (free plan). This service sits between visitors and the website's server. It blocks bad traffic and stops suspicious activity. It also improves site speed considerably.
- For your particular site, CloudFlare reports 264 malicious requests blocked or challenged in the last month.
- Site traffic is also encrypted with TLS (HTTPS), so communication between a site visitor, CloudFlare, and the website server can't be intercepted and read.
- Your users don't submit particularly sensitive information through the contact forms, but this also ensures that if a site admin logs in from McDonalds, their traffic can't be snooped on.
At the server level, there is a lot going on. We use dedicated servers through WPENGINE, one of the top WordPress hosts for enterprise-level sites.
- More can be found on their site, and in this overview in particular.
- Continual malware scanning and active security watchlist monitoring.
- We limit disk write privileges, allowing only authorized users to write files on your server.
- Site backups are stored offsite and encrypted at rest.
- The primary way WordPress sites are compromised is through outdated plugins, themes, and core software. This is where we do a lot of proactive work. We maintain a very active update schedule: sites are updated at least weekly, and most days we are pushing updates out. For non-security updates we use our best judgement; if we suspect a conflict we hold off, but most released updates are patched quickly.
- We review and update plugins monthly and commonly perform dozens of updates per month.
- We receive alerts as vulnerabilities are discovered and published in the ecosystem, and take action if needed.
- We have uptime and security monitoring tools that let us know if there is an issue. One of those security monitoring services is Google Search Console which is a good early warning if something is amiss on the site.
- The other common way WordPress sites are compromised is through weak passwords. The site forces very strong passwords, and brute force detection is in place to make sure bots can't just sit and guess at logins.
- Passwords are not sent within email; instead, a link to trigger a reset is sent.
- Passwords require a minimum length of at least seven characters and contain both numeric and alphabetic characters.
- We adhere to the "Least Privilege" principle.
- Access to the various levels of the hosting environment and the WordPress backend is tightly controlled.
- As a final precaution, the site is backed up off-site every morning. If an issue were discovered, we could roll back to any of the last 30 days and very quickly be back in business.
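As an added illustration (not LimeCuda's or WPENGINE's own code) of the password policy and brute-force protection described above, here is a minimal WordPress must-use plugin. The `lc_example_` function names, the five-attempt threshold and the 15-minute lockout are assumptions for the example.

```php
<?php
/*
Plugin Name: Example login hardening (added illustration, not LimeCuda's code)
*/

// Policy from the post: at least seven characters, with both letters and digits.
function lc_example_password_meets_policy( $password ) {
    return strlen( $password ) >= 7
        && preg_match( '/[A-Za-z]/', $password )
        && preg_match( '/[0-9]/', $password );
}

// Reject weak passwords when a profile is saved or a reset link is used.
function lc_example_enforce_policy( $errors ) {
    if ( ! empty( $_POST['pass1'] ) && ! lc_example_password_meets_policy( $_POST['pass1'] ) ) {
        $errors->add( 'weak_password',
            'Password must be at least 7 characters and contain both letters and numbers.' );
    }
}
add_action( 'user_profile_update_errors', 'lc_example_enforce_policy' );
add_action( 'validate_password_reset', 'lc_example_enforce_policy' );

// Simple lockout (assumed thresholds): after 5 failed logins for a username, refuse attempts for 15 minutes.
const LC_EXAMPLE_MAX_ATTEMPTS    = 5;
const LC_EXAMPLE_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

function lc_example_failed_login_key( $username ) {
    return 'lc_fail_' . md5( strtolower( $username ) );
}

function lc_example_record_failure( $username ) {
    $key   = lc_example_failed_login_key( $username );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LC_EXAMPLE_LOCKOUT_SECONDS ); // counter expires with the lockout
}
add_action( 'wp_login_failed', 'lc_example_record_failure' );

function lc_example_block_when_locked( $user, $username, $password ) {
    if ( $username && (int) get_transient( lc_example_failed_login_key( $username ) ) >= LC_EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts. Please try again in 15 minutes.' );
    }
    return $user; // fall through to WordPress's own authentication result
}
add_filter( 'authenticate', 'lc_example_block_when_locked', 30, 3 );
```

Because the counter is keyed only by username, repeated bad guesses against an account also lock out its legitimate owner for the lockout window; a production plugin would typically key on the client address as well and log lockouts for the monitoring described above.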
Note: not all our clients run their DNS through CloudFlare. They do have a great free plan and we DO highly recommend it.
What kind of security measures are in place for your website? Reach out to us if you would like to have more confidence in the security of your WordPress website.