Security is very important. There are several consequences to having your site hacked. Once a hacker gains control of your site, they can change your content, most commonly by adding unwanted ads and spam. They can also install ransomware, which locks you out of your site until you pay the hackers to disable it and return your site to you. A more subtle form of attack is to load malicious scripts that run in a user’s browser. These scripts run invisibly in the background and can log a user’s keystrokes, track their data, redirect them to other sites, and download unwanted files. This is particularly critical if you’re running an eCommerce site: a keylogger could capture the payment information of every user who checks out on your site.
There are performance considerations as well. A hacked site loading a bunch of extra, unwanted code will be slower, which will affect your search ranking. Also, search engines warn users away from sites they’ve determined are compromised, and it’s hard to earn trust back from a user who’s just been told by Google that your site is unsafe, even after you fix the problem and the warning goes away.
Securing a website happens at several levels. The outermost level is the hosting. If you host and manage your site with us, we put it on Pantheon. Pantheon is a developer-focused WordPress host built for speed and security. Pantheon’s hosting builds in a web application firewall called Fastly that catches most security threats before they even reach your web server. If anything does get through, we provide nightly backups that let us restore your site with the click of a button.
We’ll also secure your website with HTTPS, a secure version of the HTTP protocol that encrypts the connection between the browser and the website. Non-HTTPS sites pay a search ranking penalty, and modern browsers will warn users that the connection is not secure.
The next level of security involves hardening your specific site against attack. That means tightening file permissions, deleting extraneous files, changing your database table prefixes – the list goes on. Hardening your site happens over a continuum, and the more secure we make it, the less convenient it is to use. For example, we can set up two-factor authentication for the dashboard login, meaning that every time you want to log in, you also have to enter a code texted or emailed to you. This makes your site much more secure, but it also slows things down. How far to go in hardening a site varies case by case, but we’ll work with you to figure out your needs and make sure that we strike the right balance.
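The first two hardening steps named above, tightening file permissions and removing leftover files, are easy to check mechanically. The script below is an added example, not the agency's or Pantheon's tooling: it audits a WordPress document root against a baseline (directories 755, files 644, wp-config.php 600, install leftovers such as readme.html and wp-config-sample.php flagged for deletion), optionally applies the baseline, and builds its own small constructed site tree so it runs offline. The mode numbers and the list of leftover files are assumptions chosen for the example; the page names the steps but not the specific values.

```python
import os
import stat
import tempfile
from pathlib import Path

# Baseline modes (assumed for this example): directories 755, files 644, and
# wp-config.php 600 because it holds the database credentials and salts.
DIR_MODE = 0o755
FILE_MODE = 0o644
WP_CONFIG_MODE = 0o600

# Install leftovers that disclose version details and are safe to remove from a
# live site, plus common editor/backup droppings (assumed list for the example).
EXTRANEOUS_NAMES = {"readme.html", "license.txt", "wp-config-sample.php"}
EXTRANEOUS_SUFFIXES = (".bak", ".orig", ".swp", ".sql")


def expected_mode(path: Path) -> int:
    """Return the mode a path should have under the baseline."""
    if path.is_dir() and not path.is_symlink():
        return DIR_MODE
    if path.name == "wp-config.php":
        return WP_CONFIG_MODE
    return FILE_MODE


def walk(root):
    """Yield the root and every entry below it, skipping symlinks."""
    root = Path(root)
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                yield p


def audit(root):
    """List (path, actual_mode, expected_mode) for every entry off baseline."""
    findings = []
    for p in walk(root):
        actual = stat.S_IMODE(p.lstat().st_mode)
        want = expected_mode(p)
        if actual != want:
            findings.append((str(p), actual, want))
    return findings


def harden(root, dry_run=False):
    """Apply the baseline and return what was (or, in dry-run mode, would be) changed."""
    changes = audit(root)
    if not dry_run:
        for path, _actual, want in changes:
            os.chmod(path, want)
    return changes


def extraneous_files(root):
    """Files that should be deleted from a production install."""
    hits = [str(p) for p in walk(root)
            if p.is_file() and (p.name in EXTRANEOUS_NAMES or p.name.endswith(EXTRANEOUS_SUFFIXES))]
    return sorted(hits)


def make_sample_site(base) -> Path:
    """Build a tiny constructed WordPress-like tree with two deliberately loose modes."""
    root = Path(base) / "htdocs"
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php // constructed sample")
    (root / "readme.html").write_text("<html>constructed leftover</html>")
    (root / "wp-content" / "uploads" / "img.png").write_bytes(b"\x89PNG")
    os.chmod(root, 0o755)
    os.chmod(root / "wp-content", 0o755)
    os.chmod(root / "wp-content" / "uploads", 0o777)      # world-writable: flagged
    os.chmod(root / "wp-content" / "uploads" / "img.png", 0o644)
    os.chmod(root / "wp-config.php", 0o666)               # world-readable secrets: flagged
    os.chmod(root / "readme.html", 0o644)
    return root


def run_demo() -> dict:
    """Build the sample tree in a temp dir, harden it, and report before/after counts."""
    with tempfile.TemporaryDirectory() as tmp:
        site = make_sample_site(tmp)
        before = harden(site, dry_run=True)
        extras = [Path(p).name for p in extraneous_files(site)]
        harden(site)
        after = audit(site)
    return {"before": len(before), "extraneous": extras, "after": len(after)}


if __name__ == "__main__":
    print(run_demo())   # {'before': 2, 'extraneous': ['readme.html'], 'after': 0}
```

On a real site, point `audit()` or `harden(dry_run=True)` at the document root first and review the list before applying; directories that must stay writable by the web server (uploads, cache) are exactly where an automated chmod needs a deliberate exception.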
The final level involves some personal security practices. We can build all the security in the world, but if your administrator username is “admin” and your password is “12345”, it won’t take long until someone brute-forces their way into your dashboard. Pantheon has a three-tiered hosting setup that limits the amount of damage an attacker can do even if they do get into an administrator account, but they can still cause a lot of trouble. We’ll provide you with a training document on good personal practices and answer any questions you have.
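Two defender-side checks follow naturally from this paragraph: rejecting the kind of credentials it warns about, and noticing a brute-force run against the login page in the web server log. The code below is an added example, not part of the original page or of any tool it mentions. It parses a few constructed Apache-style access log lines, treats a `POST /wp-login.php` that returns 200 as a failed attempt (WordPress re-renders the form on failure and redirects with 302 on success; that heuristic is an assumption of the example), and flags any client IP with ten or more failures inside a sixty-second window. The short password denylist, the threshold and the window are all example values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined-log prefix: client ip, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one client hammering the login form, one client with
# a few spread-out failures, one successful login (302) and some normal traffic.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2023:13:55:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4321'
    for i in range(12)
] + [
    '198.51.100.7 - - [10/Oct/2023:13:55:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321',
    '198.51.100.7 - - [10/Oct/2023:13:58:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321',
    '198.51.100.7 - - [10/Oct/2023:14:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321',
    '192.0.2.9 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.9 - - [10/Oct/2023:13:56:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 8812',
    '203.0.113.5 - - [10/Oct/2023:13:55:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4100',
]


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"]))


def failed_logins(lines):
    """Yield (ip, timestamp) for each failed login attempt under the 200-on-failure heuristic."""
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == "POST" and parsed[3].startswith("/wp-login.php") and parsed[4] == 200:
            yield parsed[0], parsed[1]


def find_bruteforce(lines, threshold=10, window_s=60):
    """Map ip -> peak failures within any window_s window, for ips reaching threshold."""
    events = sorted(failed_logins(lines), key=lambda e: e[1])   # tolerate unordered logs
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ip, ts in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop attempts outside the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


# Tiny constructed denylist; a real policy would check against a large breached-password list.
WEAK_PASSWORDS = {"12345", "123456", "password", "admin", "qwerty", "letmein"}
MIN_LENGTH = 12


def credential_problems(username, password):
    """Return the policy violations for an administrator credential pair (empty list = acceptable)."""
    problems = []
    if username.lower() == "admin":
        problems.append("username 'admin' is the first guess in every brute-force list")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("password appears on the weak-password denylist")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    return problems


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))          # {'203.0.113.5': 12}
    print(credential_problems("admin", "12345"))
    print(credential_problems("site_owner_x", "Tq9!vL#2mXp$7zRw"))  # []
```

The flagged IP is what you would feed to a rate limit or a firewall rule; the credential check is the kind of rule a registration or password-change hook enforces so that the “admin”/“12345” pair the paragraph describes can never be saved in the first place.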
We don’t require our clients to use our hosting and management service. We’ll happily launch your site on the web host of your choice. You’ll lose out on the features and speed of Pantheon, but we can still secure your site at the hosting level with a third party solution for automatic backups and the manual installation of your SSL certificate for HTTPS. We can also configure a web application firewall to route traffic to your specific host.