Steps to Keep Your Site Clean

Date aired: May 14, 2019

Join us as we discuss the ins and outs of website security. Using good security practices as a website owner helps keep the entire web environment as clean and safe as possible.

Jen Fisher

Product Support Analyst

Jen has been providing support to Sucuri customers via chat, email, and phone for nearly four years! When not glued to a computer screen for work or gaming purposes, she can be found camping, dining out, or watching terrible movies with friends on beautiful Vancouver Island, Canada.

Questions & Answers

Question #1: How would you recommend we send credentials to people who needs access to our sites (e.g. web developers)?

Answer: Password managers commonly allow sharing between users of the same password manager service. This is likely going to be the simplest option if you’re already using a password manager. Alternately, you could consider an encrypted messaging platform. For situations where the password is related to a specific user account, you could also consider just asking the user to follow available password recovery steps to set a new password for themselves without the need to transmit that info between individuals at all.

Question #2: How to protect XMLRPC from brute Force POST attacks? without losing its functionality/working?

Answer: Our blog contains a post about just that subject here! The recommendations there are still relevant—block access to xmlrpc.php if at all possible. If you’re using a plugin that requires access, consider blocking system.multicall requests instead. As you posed the question in a way that suggests you’ve tried a few things (without success) it’s also worth noting that there are a few plugins that will make that change for you. It’s also worth mentioning that many firewall services will block those actions automatically without requiring any changes to your site files.

Question #3: My site uses managed hosting, do I still need to be concerned about security?

Answer: Managed hosting platforms (like Managed WP) eliminate several access points for you, but you'll need to speak with your hosting provider to fully understand what is secured and updated for you. It's still going to be important to be conscious of password security and general online security regardless.

Question #4: Can you speak to reasons why a site might be a target?

Answer: If it's on the internet and it has any vulnerabilities, it may be a target. Malware distribution methods don't typically sort sites based on size, visitor numbers, or business objective. Directly targeted attacks can and do occur, but they're much more rare than automated exploit attempts. Your site security level and the risks of you being targeted are directly related.

Question #5: Do you have any recommendations for a good firewall plugin?

Answer:In general we try to avoid making specific recommendations, but personally I would really recommend a web application firewall (WAF) over any sort of plugin offering! A plugin is applied to your files, and "protects" the site by creating some internal rules to control access, but a WAF stands between your site and visitors to block access. WAFs will nearly always have a cost, but if you're going to spend on only one security element a web application firewall would be my recommended pick.

See all Questions & Answers



Jen Fisher:Today we're going to be talking about how to keep your website clean. I'm coming to you from Victoria, BC and I can actually see Washington, the US, from my window here. So if you're joining us from America, hello, we'll wave to you. What we're gonna be discussing today is going to be pretty broad. For a lot of these subjects we could do an entire webinar on just a few elements, so check out our other webinars or the Sucuri blog if you want more information. But we're aiming today to approach website security for those who either aren't very familiar or are just getting their feet wet and want a few more tips. I've been with Sucuri for four and a half years, thereabouts. I think a little longer actually. So I've been dealing with front facing email chat and phone support. I have a lot of experience with, let's say customer awareness levels. Oftentimes there's a big discrepancy between what people think websites security means and what it is when it's actually applied. As well as what the responsibilities of the website owner might be. We're going to discuss what website security is and how to approach the subject when making a plan for your own site. We're going to talk about the various access points that most websites have. Simple ways to approach website security. Excuse me. These are free, easy to use, pretty easy to set up. They're elements that everyone can apply to elevate their website security in very simple ways. We're also gonna discuss some intermediate ways to approach website security and though I love the technical elements and I don't want to disappoint anyone here, we're not going to get into how to apply too many things to your code because not all of these elements are going to be usable with all websites. Every website is a little unique and I don't want to arm you with information and have you go off and end up getting 403 errors on your site or something based on a code change. So do check out our other content if you're interested in how to secure your code further. But today we're going to talk pretty broadly about the security subject. We're also going to discuss a few ways to increase your general security online. The web is an environment, every user is a part of that, and if you can elevate your own personal security when you're accessing the internet, that's going to help to reduce your risk and reduce the spread of infection and the general security of that website environment. So why is website security important? You're here, so you probably know that it's at least interesting to you. In 2018 WordPress sites comprise roughly a third of the Internet. They'd been holding steady on that point for a number of years. But also in 2018, 90% of the many, many thousands of sites that Sucuri cleaned were WordPress sites. A lot of CMS options, content management system like WordPress options, are very user friendly. They provide a user interface that allows users to easily set up and manage a lot of content, but that means there's a lot going on in the back end that people don't see or don't interact with in their daily interactions with their website.

Jen Fisher:It's also important to note that only 11% in 2018 of sites that were infected were flagged by blacklisting agencies. So just because your site looks safe, it doesn't necessarily mean that it is. And we like to avoid fear here at Sucuri whenever possible, but it is important to not rely on other companies to tell you when your site is safe. It's also important just to touch on the point that malware is on the rise. Malware distribution. It's sort of an arms race. As security elements get more intricate, those who are looking to compromise websites also increase their approaches and the sophistication of those approaches. So, it's important to secure your site and start at the ground level while you're able to. And as things advance, you can then advance with them. So what is website security? Again, we could do a number of presentations on any couple of these points, but we're going to be pretty broad here. Website security is applied very functionally to your site content via restrictions. Either permissions or access code or .htaccess code restrictions, things like that. It's also environmental. It relates to the security of the devices and panels that are connected to your website. For instance, your home computer or your hosting server. It's tangential in the sense that it's related as well to the security of things that can access those panels. Like if you have WordPress or any other CMS, you probably have password recovery options. So we need to consider securing things like email accounts. It's also flexible and I don't want to tell you that failing to secure website won't cause any problems for you. It is very important to to take some of these things into account. But there's sort of a Venn diagram to be imagined where website security your interest in applying that to your site, maybe you have a blog and it doesn't really matter to you if you're hacked, and the amount of time you have to dedicate to that, comes together in the center to form what websites security will mean for your own website. It's also active. We at Sucuri know this more than anyone maybe. It's a matter of being aware of what you're clicking on, how safe you're being when you're sending information. Just considering every action that you're taking in the lens of security to ensure that you're taking as few risks as possible. So can't I just buy a service? I wanted to approach this subject because when I started with Sucuri, while we were growing, my team was the team that handled a lot of those very difficult conversations. Someone pays a lot of money, in some cases, or whatever their approached to the finances are, for website security and thinks that their site is just going to be safe. And in our realistic world, that's just not the case. There are a lot of elements that paid services can secure for you, but there are some elements that are just going to be your responsibility as a site owner or administrator. There is room still, though, for the discussion about paid services in this conversation and website security paid services might be for you if you don't have a lot of time to dedicate to the matter, but it's still very important to you. That's gonna elevate where you have to start taking responsibility for your own site.

Jen Fisher:It might also be for you with brand reputation management is very, very important. If you're a company that sells security services or really sells anything online and can't stand to have your users' information compromised, a paid service is really going to help to both elevate where you start from and give you assistance quickly and simply if anything does happen. A paid service might also be something to consider if you're just starting with the subject, if it's important to you and you want a company behind you that's going to be able to have conversations about your site and what security needs to mean for you and give you tips and support along the way. So with that being said, we're going to approach the subject assuming you haven't purchased a service. Most websites have multiple points of access that we need to consider. The CMS panel is one of them. CMS is our content management system, like WP admin. We need to also consider access securing through the hosting account, the control panel, if you have that set up. We need to manage connections like SFTP or SSH accountants and usage. We also need to consider that access by the Internet publicly might be a concern. So if I have a very secure site from the perspective of my content management panel, but there are some elements in the backend that I don't know about or haven't taken the time to secure, that might also be exploitable. In addition to these points of access, we also need to consider the ways that those elements can be potentially accessed. For instance, email for password recovery purposes. We need to secure our accounts and use strong passwords on those panels. Your computer device and the security there, these are again tangential, but if my computer's infected and I'm working on website files, there is a potential for malware to spread between even platforms. We need to consider the browser used on your computer device. This isn't going to secure your website content, but it's going to ensure that your environments are kept safe. We also need to look at the way data's being sent. That's something that not a lot of people consider very often. Encryption is important when you're sending logins or passwords and just generally for your users. If anyone's using your site in an unencrypted fashion, you want to apply something to fix that. So we'll discuss that. The security of the server on which your content is stored is also important and most often your hosting company is going to take care of this for you. But it's worthwhile to note that a conversation might be in order just so you can understand what they're applying and what your responsibilities are from their perspective. The number one cause of a hacked sites, compromises, is a lack of updates. When security releases are provided, those are analyzed by the people looking to compromise websites and they can find the security holes and then target your site. So updating is important, but it's not only important to update your CMS, your WordPress version. We also need to consider updating plugins, themes, extensions, and any server side platforms insecurity. It might sound a little simplistic, but often people neglect, don't even know what's in place. So making note of those and ensuring that everything's updated every month or a couple months, whatever's appropriate for your site is a good idea. It's also worth noting that even if your site is updated, there may be elements, as we discussed in the backend, that you're not aware of or not using often that are potential risks. So keeping a clean site environment and monitoring access is going to be very important. We want to avoid pirated plugins and themes. Anything you install on your website needs to be from a reputable source. It's also possible to connect with malicious or ad networks serving malicious content, so you want to be careful of those as well. Remove content that isn't in use. Quite often, every day, many times a day, we connect to websites to clean things up and there's a lot of files there that aren't active on the website at all. It's also more likely if something is not in use on your site that you won't think.

Jen Fisher:To update it, or manage security for it. So, in the hosting environment the only things we want to have there is what needs to be active to make the site function in the way that it's currently running. Everything else can be backed up. You can still keep your files, but it doesn't need to be in that hosting environment where it can be accessed publicly. Limit, monitor and audit access regularly. If you have FTP accounts out for eight people, but only two of them need to be using those accounts this month, or this year remove the other points of access. Every individual that has access to your site is also going to pose a potential security risk. Not that they're going to be irresponsible necessarily, but there's really no reason to have access available to people who don't need to use it in the moment, or in the week, whatever timeframe it is that you're working with. Use two factor authentication wherever possible. I'm a big proponent of two factor authentication. For any one of those tangential elements that we're talking about: email accounts, cPanels, if two factor authentication is available to you I recommend using it. That's going to place an extra layer of verification between yourself and the login panel, and ensure that even if your passwords are leaked, or stolen, intercepted that they can't be used because only those who have been verified and have a time sensitive code are going to be able to proceed to the login panel. Strong random passwords. Please, I love our client base, but this is one point that I have seen probably more than any other in the course of the day at Sucuri. Passwords should be strong. I use 16 character passwords, but anywhere from 9 to 12 characters would probably do the trick. We also want to vary the characters that we're using, letters, numbers, and special characters. It's also important to note that, if at all possible, you should not be using words within your passwords. The more randomized the better. It's also ideal to use different passwords for every single panel, and that's where a discussion about password managers comes into place. Maybe you're using one, you're already on board, but a password manager is a fault in which you can keep all of your passwords, and access it through only one password. So, there's not a lot to remember, but it's going to allow you to use strong random passwords for everything without having to remember them all. Password managers are also going to be helpful in allowing you to share passwords securely, revoke access securely, update passwords with just a few clicks, and auto fill pages that you need those passwords on, if you want to use that. One security plug-in, please. When I was working, before Sucuri, with a company that dealt with computer malware quite often we would log into someone's computer ... they would purchase our service and think that they were safe, but get infected. Then, of course, we're to blame, we have to figure it out. When we connected you find that they have not one, but maybe two, or three, or four antivirus programs with active protection. Website security plug-ins are going to be a similar subject there. If there are multiple elements vying for control of who's getting access they can render each other useless, so one security plug-in, if you're going to use that option, is going to help keep your site safe. Multiple plug-ins will not keep your site safer. Nonstandard usernames. Another one we see quite often at Sucuri. Admin is probably not your best choice, use something relevant to you that's going to be difficult to guess. Applying an SSL is also something that's really important and free. Let's Encrypt is something we use at Sucuri. You can get a free SSL for your website, and that's not going to protect your files, but it's going to insure that any data transferred to and from your website like email addresses, contact details are secured for your users. The other completely free, and very approachable thing that you can do for your website security is have a Plan B. I am all too familiar with the level of surprise, and stress that comes with being compromised, dealing with customers who were in that situation many, many, many, many times. Most people don't anticipate that not only is a website hack going to be frustrating for you in dealing with the hack there's also a lot of fallout to consider. Your users might have complaints. They might want to know what you're going to do to secure the site. There might be frustration if login information or, forbid, credit card details have been stolen, so it's important to consider in advance with a clear head what your plan will be, and then if there's even a hint of a security concern you can take the necessary steps to secure your site and ensure that everything's okay in as stress-free an environment as possible.

Jen Fisher:We want to consider all the points of access that your particular website has. We want to list individuals who have access, how you're going to update all the passwords. When your site is compromised it's very important to do that. We at Sucuri would do that after the cleanup, but if you're dealing with things on your own you want to update passwords as soon as possible. Updated passwords are going to be sent to anyone who's working with you securely. If you have someone who's available to help with the compromise getting the information over to them safely on encrypted channels is going to be something to think about. Backups are always a good idea. A website backup might not save your site in this situation, but sometimes if malicious code is injected and you have a backup you can just revert to the state before the hack, and your site may be okay. On the subject of backups I recommend keeping them off the hosting server, if at all possible. That's going to ensure that you have a redundancy if the hosting server is impacted, or maybe the hosting server is unavailable you're going to have the backup somewhere else. If you have to keep backups on the hosting server it's important to keep them in a directory that is not obviously a backup because those are often targeted and exploited. Keep it outside of your root directory in a folder that you've named uniquely, maybe not just 'backups.' If you can't revert the site to a backup to fix things what will you do? What are your resources? Is that the point where you'll contract a paid service? Are there any any other resources available to you who you can reach out to for help with that. At this point, I want to also recommend our other webinars. We have quite a few on how to deal with hacks, so check those out in advance, if at all possible know what your course of action is going to be there. Those are the very simple ways, everyone can and should be doing those elements. We'll also discuss some intermediate options here. I don't want to give anyone information that's going to harm their site, so if you consider applying these, and I really do encourage that everyone at least try them out, it's really valuable to apply. Please be sure to that you're applying them to folders ... or, sorry, files that are backed up, so you can revert if a change causes an issue for your site. Also, make a note of the changes that you've made just so you know what to reverse if something goes wrong. We can consider disallowing PHP execution via .htaccess or permissions. Quite often malware is executable, a PHP file. Disallow file editing in wp_config through .htaccess. That is not a file that the public would need to be editing from a public vantage point. The Sucuri plug-in is also going to do some of the things for you. It's completely free. It's available in the WordPress repository, so consider checking that out, if you want to do some hardening to your files in this way, but don't really want to toy around with them. IP-based limitations are also incredibly useful. If, for instance, you can contact your Internet service provider and get the range of IPs that you're working from you can lockdown access to certain directories or pages based on just those IPs. If they change, obviously, you'll need to update them, but that means that if your password is leaked nobody's going to be able to access those pages even if they have all the right information if they're not coming to the page from an IP in that list. I also recommend limiting access to wp_includes images and uploads folders. Quite often permissions are not what they should be on those areas, so check them out if you can. Restricting upload capabilities, I know from Sucuri's perspective sometimes this can be a bit of a hassle. We don't accept uploads in any of our support channels. Why? Because malware can be updated, and shared in that way either intentionally or unintentionally. Sometimes the files that you're sharing might have malware on them and you might not be aware of that. Uploading is also not, typically, necessary for most websites. If you're going to allow uploads consider allowing only the uploads that you might need ... sorry, the file types that you might need. If you're going to allow uploads consider encouraging people to use a link sharing service. You can often share any type of document through like Google Drive, or an image sharing service without the need to actually get files. It's going to reduce risk for you. Avoid renaming extensions to void your security protocols. This is something that came up when I was talking with our remediation supervisor in advance of this presentation. If you have put PHP based limitations on something, if you're pretty secure but, for instance, in this example if you rename your wp_config.php to a .bak extension, for instance, in the name of trying to edit some of these things you are going to void the PHP file extension therefore voiding any PHP based restrictions that you have on that file. So, just be conscious even when you're doing things in the name of security what ramifications changing your file names might have. We'll go back, again, to the very general to discuss Internet security as a whole. Everyone can and should be doing these things. They're easy to apply, so I would encourage you to try them out. Script blockers, used every single day at Sucuri. We joke that script blockers save lives. When you access a webpage a lot of content is loading. A script blocker is going to allow you to manage what you allow to run, essentially. So, it's going to tell you, "Well, these are the scripts that are running. Do you want to allow them," and you can choose, if you so wish. A script blocker is going to be a little bit ... not difficult, but for the first little while you might notice that webpages aren't loading, and have to think why, and the script blocker might be the cause, but you can then choose to allow those scripts to have everything load correctly.

Jen Fisher:Antivirus programs with active protection, on all devices. Just one on each device. Active protection is going to ensure that if you do click a link, or a malicious site, and something has attempted to download to your computer it's going to block that for you. Two factor authentication and password managers, we already talked to. These are valuable for every account. Email accounts, whatever, social media accounts, if at all possible. Both of these elements are going to just be, generally, helpful online. Be aware of social engineering and phishing risks. This is something we at Sucuri are very aware of. Links, downloads, it's important to be aware of what you're clicking on, and ensure that it's from a trusted source. There are options online that are going to let you scan URLs, scan files to ensure that they're safe. I would recommend doing that before you click on anything from a source that you're not already trusting. It's also important to note that things like bank accounts never enter your login information online via a solicited email without verifying that the organization you're connecting to has actually sent you that email. Discuss your security requirements. If you have all of these great things in place, and you yourself are very secure, your site is very secure, but you're working with others who may not be aware of those requirements those are points of potential risk. Having conversations with other people who are connected with your site, or who might be working with your files is just going to ensure that everyone's on the same page. Send info securely, we've already touched on this a bit, but sending anything over non-encrypted channels is going to be a risk. You can do it, you might be fine, but you might not, so why take the chance? And, if you're ever unsure ask. Come to, and we'd love to chat with you about questions. Any good company that you're going to connect with online is going to be interested in having conversations with you to elevate your own awareness of security because that's in the best interest of everyone. The more I can help to educate our customers about what their responsibilities or needs might be the easier it is for them, and then the less support we have to provide, which we never mind providing, by the way. Ask your questions to our team, to your hosting provider, anyone who's available to you and we have an opportunity now to answer questions, if you have any. Nikki?

Nikki Gerren:Yeah, great job. Okay, we have time for just a few, so let's start here. "My site uses managed hosting, do I still need to be concerned about security?"

Jen Fisher:The answer there is ... well, yes, you do. Managed hosting, like one of Sucuri's or another paid service, is just going to elevate the point from which you need to take over, but security is still something to consider especially when we're dealing with passwords, securing those tangential accounts, but each managed hosting provider might be a little bit different, so you're going to want to just have a conversation with them about what your responsibilities are and what they recommend.

Nikki Gerren:Sounds good. Let's see. Also, we have, "Can you speak to reasons why a site might be a target?"

Jen Fisher:We get this all the time. I blame CSI. A lot of people get hacked and think that they have been targeted personally for some specific reason. It is possible, actually, for your site to be targeted if you're a large corporation. You may be a direct target for some reason if you're a company that has very specific views that other organizations, or groups don't agree with. It is possible for you to be targeted directly. But, I can't give you a figure because I don't know the exact number, but in the majority of cases sites are targeted because they're vulnerable. It's not about you. You could be a blogger, you could be a bank, if you have the same vulnerabilities you're in the same pool of risk, unfortunately, so just try and keep your site safe, and you'll be a lot better off online.

Nikki Gerren:Great. Okay, I like that answer. Also, we have ... well, this one had Stephanie named to it. "How would you recommend we send credentials to people who need access to our sites? For example, like web developers?"

Jen Fisher:Again, password managers are going to let you do this, typically. LastPass is a really popular one that I know has this option. Any login info that you have set there you could usually click on that and choose the option to share the information with a specific email recipient. There's some question about how secure the password is because LastPass sometimes, I think, does include that, but it's going to be a lot safer than sending things directly through email or text. You can also use encrypted text services actually. A lot of them provide that option, but I don't want to get too dicey there. It's important to consider the politics of those services as well. Like WhatsApp is encrypted, but it's also connected with Facebook, and there's some concern there. I recommend using the password manager option if that's available to you at all.

Nikki Gerren:Like LastPass, you said, or ...?

Jen Fisher:Yeah. There's a lot of them out there. Choose one that works for you. Most of them are free or very inexpensive for a yearly period. LastPass is just quite popular, so start there. You can check others out if you don't like the features.

Nikki Gerren:Yeah, I like that one. Finally, let's do this one, "Do you have any recommendations for a good firewall plug-in?"

Jen Fisher:Actually, I'll need to look into this for you. So, we might [inaudible 00:30:10] content on that but, again, in this webinar I don't want to make any recommendations for site code just because your site might be the anomaly where our general recommendations would not apply, or would break something, so I'd love to get that answer to you afterwards here just so we can ensure that all of the considerations are covered.

Nikki Gerren:Well, that wrap things up. That's the amount of questions we can kind of get to. We appreciate everybody for attending, and Jen thank you, again, for ... this was your second webinar, right?

Jen Fisher:Yeah. Yes.

Nikki Gerren:I think so. So, thanks again for taking time out of your day. We look forward to seeing everyone next month. We have our webinar, that's June 18th, I believe, and it's on what are the most common types of hacks, so hope to see you all there, and have a good day.

Jen Fisher:Thank you!

See Full Transcript


Similar Past Webinars

In the website security community, our name is known for fast site hack cleanup and responsible vulnerability disclosure. As thought leaders in website security, we are committed to sharing what we know. Follow our concise and helpful website security guides and tutorials so you can learn how to clean and secure your website.

Webinar - The Anatomy of Website Malware

What is website malware? In this webinar, we’ll cover the most common website malware types, what various samples look like so you can recognize them, and also show you how they work.....

Webinar - Impacts of a Website Compromise

Sucuri Co-Founder, Tony Perez, brings awareness and education to website owners about the risks, impacts, and threats to their online properties. Learn why a website hack can be devastating to your business or web project, including a few key points you might not have considered. ....

Webinar - 2018 Hacked Website Trends

Join us as we provide insights on the top open-source CMS security, out-of-date software, and specific malware families that we see trending on hacked websites.....

Webinar - How To Know For Sure You Can Trust A Plugin

A webinar to help you minimize risks and stay secure as you're downloading WordPress plugins.....