Over the years I have had people contact me because their sites were hacked. It did not matter whether the sites were written in Joomla, PHP, HTML, WordPress or Drupal. The results were always the same. The site was down for the duration. The duration turned out to be longer than just restoring a backup file because restoring a site to the condition it was in the day before it was hacked is only a first step.
It’s like resetting ten bowling pins. Without additional security measures, the same hackers or the friends to whom they bragged about your site will try to knock it down again. Most people have no clue as to how many assaults their sites endure. The security packages we use report that some of our sites block anywhere from 50 to 200 attempts PER DAY. The blocked IP’s are usually foreign, but that matters little. Domestic attempts can be just as tenacious.
Typically it takes us about 5 hours to restore and clean up a hacked site. Five times our hourly rate would pay for a number of security plug-ins and procedures. Still, many clients run the risk of getting hacked because they don’t want to spend the money to secure the site.
So, if you are hosting websites, you need at least enough security to protect your clients from themselves. Ultimately, it also protects you.
Let me suggest a strategy that will enhance the value of working with you to reduce those desperation phone calls that always accompany hacked sites.
WordPress Security Plug-ins
There are four major structures that we use on every site that we build. We don’t really give the client a choice. We purchase a developer’s license on each product and amortize that over the size of the client base. Viewed from that perspective, we are talking only a few dollars per month for each client. They pay for it when they pay our annual hosting fee.
1). SSL – Secured Socket Layer: Your clients need a dedicated IP and a secure socket layer. They think they don’t, but if you are going to post blogs back to Facebook, you will need either a unique SSL or a shared one, at a minimum. More importantly, you are providing Google with another way to verify that your sites are for real. And given the fact that most sites have a “Contact Us” form, you owe it to the people visiting the site to provide a safer form.
2). Akismet – Yes, it’s overpriced, but it works. I have removed over 15,000 spams from client sites that lacked this level of protection. I have a technique for doing that en masse, but that will cost you a beer.
3). WordFence – I really like this product because it provides protection against denial of service attacks, offers country IP blocking and will scan the site for malware that has been uploaded. You can also configure it to check for file changes. A common hacking technique is to upload pseudo images that contain executable code. Often assaults of this nature don’t destroy your site. Instead they use it as a mule to carry spam advertisements for tennis shoes. WordFence can help with all of that.
4). iThemes Security Pro – We don’t use every feature that this product contains because some of them cause problems. However, the ones we use are a powerful deterrent to the most common hacking techniques. They also integrate the results of a large network of sites that have identified and banned the IP’s of known hacking sites. One other precaution you should consider is to use a backup product that stores the site files away from the hosting server. This protects the client from a fire or the guy who gets drunk at the Christmas party and deletes all the backup files. Cloud storage is remarkably cheap. My Amazson S3 bill is less than $5.00 per month for every site we backup…combined.
