Website security

  • Security
  • Reliability
  • Usability
  • Functionality
  • Availability

In my opinion, I have a few trusted hosting providers that take care of most of the things mentioned here FOR me, often even costing less than the one you might be using.
I do not need to go in and tweak much to make it right, and it is easy to check. Most hosts miss many essential and simple things.

SECURITY
On no account should you be transferring or publishing material to or from your site with anything that sends information unencrypted. Above all, your username and password must not cross the Internet in readable form, or they will be intercepted and misused.
“FTP” (File Transfer Protocol) is “ancient” technology and exactly such a transfer program: it sends your login and every file in the clear.
First, make sure the FTP service on your site is *OFF*, so that it cannot be used or abused by anyone ‘out there’.
This is true even if YOU never use it: an FTP server that is listening is an FTP server that can be brute-forced.
The simplest replacement, if available, is “SFTP” (the SSH File Transfer Protocol), but your host must provide it.
Don’t worry: whatever program you use for FTP, if it is new enough, will do SFTP in almost exactly the same way. It runs over the “Secure Shell” (SSH, a wrapper that encrypts everything inside it),
so your host’s literature may talk about an “SSH login/password” rather than SFTP.
So, you say, you publish to a WordPress website and never use any of this? Watch out: your hosting provider very likely has an FTP service switched on that you never use but that is still exposed to the whole Internet. Get them to turn it OFF completely.

  • If your web host has no ability to do this, does not know what you are talking about, says “It Is Not Possible”, charges for it or gives you the runaround… you know how that goes…
    The only acceptable answer by them is: “Ok!”
    else go elsewhere.

Your web service must have the “SSH/SFTP/SCP” service turned on. If they are smart, it will NOT listen on the default port, 22.
Why not? Because that is where miscreants look for it: every SSH server on port 22 gets hammered by automated password-guessing all day long.
“Never be where your enemy expects you to be” (The Art of War)
There are over 65,000 alternatives to make a miscreant work for it. Ensure the port number chosen is well above 1024: ports below 1024 are the “privileged” ones that need administrator rights to open, and most of them are already spoken for by other services.
Moving the port is not security by itself (a full port scan still finds it); it keeps the noise and the casual attacks out of your logs. Some clever hosts go further and boobytrap port 22, locking out whoever is knocking at that (wrong) door. : )

  • Your SFTP program will have an option to change the port from the default 22 to whatever your hosting provider chose (in the command-line sftp it is the -P option).
    Don’t forget: your hosting provider must be the one to provide that non-default port; then you follow suit.
    It’s not as if you get to pick some random port and that’s
    what’s used : ) If they cannot or will not, blah blah, go elsewhere.
    (You do know about secure usernames and passwords, right?
    No amount of secure shelling can compensate for lame account credentials. If your host lets you log in with an SSH key instead of a password, do that, and have password login turned off.
    You do not use “admin” as a login, for example, right?)

I like the free program Cyberduck, for ALL platforms : )
Or the command line: “sftp”, which comes with OpenSSH on macOS, Linux and recent Windows 10/11.
You lucky Windows users: try the free WinSCP. There is never a need to pay for a decent transfer program!

  • Your web host should reasonably be expected to keep its infrastructure up to date. Many sites run on PHP; if PHP or things like it are out of date, known holes stay open for anyone to use. If their server ITSELF is out of date… good luck.
  • So your site either keeps or forwards emails? If these emails originate from a form for posting, that form must resist being bombarded by scripts that send junk mail.
    The commonest method is the so-called CAPTCHA, which forces miscreants to do uniquely human work that a script cannot do.
    Miscreant scripts cannot easily “read” images of traffic lights, crossings and boats : )) (Rate-limiting the form and a hidden “honeypot” field that only bots fill in help as well.)
    “Web spamming” using forms on your site can, at its worst and unknown to you, send spam emails to third parties as “someone else”, get you shut down by your host or blocklisted by mail providers, and hurt your standing with Google.
    You could just wait until this happens and then deal with it, but this is not smart, as it is far harder to unravel such a problem after it has happened than before. The excessive traffic can also make your provider shut you down or bill you for the extra traffic!

If your “domain” has email where mailboxes are provided, the protocols used MUST NOT include insecure methods:
IMAPS (IMAP over TLS, port 993), not plain IMAP (port 143). No POP at all, please. The same goes for sending: SMTP submission over TLS, never plain SMTP. Where your provider supports it, use OAuth
(Open Authorization, the “sign in with…” flow) rather than a generic username and password that the mail client stores and sends with every connection.
If you do not know what these things mean, that’s OK, so long as your site is NOT doing the insecure ones : )

Did I mention? If you have them: move OFF ,,, & its affiliates. These email services are notoriously unreliable and insecure. “Just saying.”
Gmail.com, which is not perfect, seldom has problems.
In another blog I may talk about how to move email services.
* Your domain’s DNS (Domain Name Service) ideally uses SPF (and DKIM and DMARC) to help receiving mail servers verify ‘real’ emails sent as ‘you’ and reject forgeries.
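SPF is only a TXT record, and most of the broken ones are broken in the same few ways. The checker below is an added example, not code from the original post: it takes the TXT strings a domain publishes (what `dig TXT yourdomain` returns) and reports the mistakes that quietly make SPF useless. The sample records and domains are constructed for illustration, and the code does not resolve `include:` targets, which a real tool would do.

```python
"""Sanity-check an SPF TXT record.

Added example, not code from the original post. It looks at the record
string you would get back from `dig TXT yourdomain` (or your DNS panel) and
flags the mistakes that quietly make SPF useless. Sample records below are
constructed; the domains are illustrative.
"""
import re

# One SPF term: optional qualifier, mechanism name, optional ":arg" or "/cidr".
MECHANISM = re.compile(
    r"^([+\-~?])?(all|include|a|mx|ip4|ip6|exists|ptr)(?:[:/](.+))?$", re.I)
MODIFIER = re.compile(r"^(redirect|exp)=(.+)$", re.I)
NEEDS_ARG = {"include", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr"}   # each costs a DNS query


def check_spf(txt_records):
    """Return a list of findings for the TXT records published at a domain.

    `txt_records` is every TXT string the domain publishes (quoted or not;
    dig prints them with surrounding quotes). An empty list means the record
    looks sane. Includes are not resolved here; a real tool would follow them
    and count their lookups too.
    """
    spf = [r.strip().strip('"') for r in txt_records
           if r.strip().strip('"').lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: anyone can send mail claiming to be this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]

    findings, lookups, saw_all = [], 0, False
    for term in spf[0].split()[1:]:          # skip the "v=spf1" tag itself
        if saw_all:
            findings.append(f"term after 'all' is never evaluated: {term}")
            continue
        mod = MODIFIER.match(term)
        if mod:
            if mod.group(1).lower() == "redirect":
                lookups += 1
            continue
        m = MECHANISM.match(term)
        if not m:
            findings.append(f"unknown term: {term}")
            continue
        qualifier, mech, arg = (m.group(1) or "+"), m.group(2).lower(), m.group(3)
        if mech in NEEDS_ARG and not arg:
            findings.append(f"'{mech}' needs an argument: {term}")
        if mech in LOOKUP_TERMS:
            lookups += 1
        if mech == "ptr":
            findings.append("'ptr' is deprecated (slow and unreliable); list the IPs instead")
        if mech == "all":
            saw_all = True
            if qualifier == "+":
                findings.append("'+all' authorises every host on the Internet to send as you")
            elif qualifier == "?":
                findings.append("'?all' is neutral: forged mail is neither passed nor failed")
            elif qualifier == "~":
                findings.append("'~all' is softfail; move to '-all' once every real sender is listed")
    if not saw_all:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result, not a fail")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: receivers stop evaluating after 10 (RFC 7208)")
    return findings


# Constructed sample records (not real domains).
SAMPLES = {
    "tight":   ['"v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"'],
    "soft":    ["v=spf1 include:_spf.example.net ~all"],
    "open":    ["v=spf1 +all"],
    "none":    ["some-verification-token=abc123"],
    "double":  ["v=spf1 -all", "v=spf1 ip4:198.51.100.1 -all"],
    "bloated": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(f"{name:8} {check_spf(records) or ['ok']}")
```

The `-all` versus `~all` point matters more than it looks: with `~all` a forged message is merely tagged, and many receivers deliver it anyway. The ten-lookup limit is the other silent killer, because a record that exceeds it returns a permanent error and your own legitimate mail fails SPF.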

    FTP and even SFTP/SCP are all turned off and unavailable because, lucky you, you get to publish and manage stuff over a web page? GOOD!
    First off: ensure WordPress is set to auto-update itself and its plugins. Recent versions of WordPress (5.8 at the time of writing) can do this from the dashboard; “auto update” should be ENABLED for WordPress itself and also for plugins and themes.
    (Remove all unknown or unused themes and plugins while poking around:
    they can be an attack vector even when deactivated, because their files are still on the server.)
    Can updates cause problems? YES, OF COURSE, but NOT updating will cause worse problems.
    There is now a mechanism (“recovery mode”) to get back into your website with reasonable simplicity if some update seems to lock you out; it works by emailing you a login link. SO ensure that WordPress has a working “notification email address”, often the same as the admin login email, so that you will be emailed reports of such actions and more.

Your whole site is using a certificate (SSL/TLS) via “https://” and not “http://”, right?
If not, when you publish stuff, the login credentials and password traverse the Internet in an easily stealable format.
The same is true if your visitors interact in any way with forms or password-protected pages.
Furthermore, any attempt to access the insecure version of the site on port 80 should redirect everything to the secure version on port 443
(these are the defaults and should not be altered).
Chrome, for example, now tries the secure version of your site first when you type a bare address, and I feel port 80 will pretty soon become officially unsupported. Do NOT turn it off just yet, though.
Just be sure your visitors get redirected 80 -> 443, with a permanent redirect that keeps the page they asked for.
(Google elsewhere for your particular server; sorry ’bout that, I cannot cover it all.)
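How the redirect is configured depends on the server, but what a correct one looks like from the outside does not. The checker below is an added example, not code from the original post: it inspects a captured plain-HTTP response head (status line and headers) and reports whether it sends the visitor permanently to the HTTPS version of the same host, on the default port, for the same page. The three sample responses are constructed; a real one comes from `curl -sI http://www.yourdomain.example/`.

```python
"""Check that the plain-HTTP side of a site sends visitors to HTTPS.

Added example, not code from the original post. It inspects an already
captured HTTP response head (status line plus headers), so it runs offline;
the three responses below are constructed. To capture a real one:
    curl -sI http://www.yourdomain.example/
"""
from urllib.parse import urlsplit


def parse_head(raw):
    """Split a raw HTTP/1.x response head into (status code, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])          # "HTTP/1.1 301 Moved Permanently"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_http_to_https(raw, host, path="/"):
    """Return findings for the answer received on http://<host><path> (port 80).

    An empty list means: permanent redirect, to https, same host, default
    port 443, same path, which is what visitors and search engines expect.
    """
    status, headers = parse_head(raw)
    if status == 200:
        return ["page served in the clear on port 80, no redirect at all"]
    findings = []
    if status in (302, 307):
        findings.append(f"{status} is a temporary redirect; use 301 or 308 so browsers remember it")
    elif status not in (301, 308):
        return [f"unexpected status {status} on port 80"]
    location = headers.get("location", "")
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        findings.append(f"Location is not https: {location!r}")
    if target.hostname != host.lower():
        findings.append(f"redirect goes to a different host: {target.hostname!r}")
    if target.port not in (None, 443):
        findings.append(f"HTTPS on non-default port {target.port}; leave 443 alone")
    if (target.path or "/") != path:
        findings.append(f"path not preserved: {path!r} -> {target.path!r}")
    return findings


# Constructed sample responses (as curl -sI would print them, CRLF line ends).
GOOD = ("HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://www.example.com/about\r\n"
        "Content-Length: 0\r\n\r\n")
PLAIN = ("HTTP/1.1 200 OK\r\n"
         "Content-Type: text/html\r\n\r\n"
         "<html>served without encryption</html>")
WRONG = ("HTTP/1.1 302 Found\r\n"
         "Location: http://www.example.com/about\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("plain", PLAIN), ("wrong", WRONG)):
        print(label, check_http_to_https(raw, "www.example.com", "/about") or "ok")
```

Run the same check against a deep link, not just the home page: a common mistake is a rule that redirects everything to `https://www.example.com/`, which drops the page the visitor asked for. Once the redirect is right, the HTTPS side should also send a `Strict-Transport-Security` header so returning browsers skip port 80 altogether.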

— Sep 18 2021 – To Be Continued
