Recently, there were two popular WordPress plugins—plugins that we’ve used on the WordPress sites we’ve built—that had ZERO-DAY vulnerabilities disclosed.
A Zero-Day vulnerability is a security flaw that is known to the developers and has not yet been patched. That means, it’s a security flaw that can hackers can use to infect your website.
BUT NONE OF OUR SITES WERE AFFECTED!!! (Yay! Good news!)
Many of our Client sites use these popular plugins. That means we could have had multiple infected websites. Scary!
We’re constantly working to make our security protocols better. Earlier this year, we invested in a new security and maintenance platform that gives us the ability to keep all of our Client sites updated and secured on a daily basis. The developers of these two plugins knew of these security problems before the public did and released patches before the public announcement went out. With our maintenance platform, we had these two plugins patched the same day they were released and well before the public announcement went out!
But timely updates of WordPress and its plugins is only one layer of security. Our security protocol has many layers including:
- Building your website in a secure way to begin with! (Security starts before your website is ever launched!)
- Multiple server firewalls that we keep tweaking and refining.
- Commercial-grade security plugin for your site
- Using high-quality themes and plugins that are backed by active development and support
- Hardening WordPress against hacks with our security protocol
- Monitoring security logs
- Keeping our server up-to-date (and tweaked for security & performance…this alone is a lengthy list!)
- Subscribing to security alerts so we know when there are wide-spread active security threats
- Running SSL on all of our sites
- Regular scans of websites and our server for malicious code
- and so much more!
It’s likely that given the nature of these security flaws, our firewalls would have blocked any hackers trying to take advantage of the flaws.
No defense is 100%. And we have to be careful to balance the need for security with the need for performance. Taking security to a blind extreme can make for a slow-loading, boring website. So, we’re constantly evaluating which choices are most appropriate for each Client. We now have decades of experience invested into our security protocol and have yet to have a site successfully hacked.
What would have happened had your website been hacked?
Even though we have a track record of ZERO websites hacked in 15 years, it could still happen. Every day, there are “bots” probing your site looking for security holes. When we look at the security logs, we see hundreds of such attempts every day! Our server’s firewall stops most of them from ever getting your website. Of the ones that do get to your site, most of those are stopped by your site’s firewall. If a bot makes it through firewalls on the server and on your website, chances are overwhelming that there are NO security holes for them to do damage with.
But if it were to happen and your site gets successfully hacked, we’ll quickly be notified and can take action. Usually, all that would be required is to disinfect the affected files and re-secure your website. In a worst-case scenario, we can restore a recent back-up of your site. (Clients on our server and with a maintenance plan, get their site backed-up nightly as part of our server back-up as well as secondary off-site backups.)
It might seem like once your website is published, it just sits there. But it doesn’t. With our maintenance plan, we’re keeping an eye out for security vulnerabilities daily, upgrading your site’s components almost daily, tweaking the security settings of your site, and tweaking our firewall rules. You may not notice our behind-the-scenes tinkering, but we’re there actively keeping your site secure from all manner of threat.
We’ve got your back!