Hosting a website is like a swan swimming on a lake – on the surface everything is smooth, but in reality there’s an awful lot of activity going on underneath to maintain the grace that everyone sees.
This is especially true of the security side of hosting. Everyone expects their site to faithfully serve up web pages, but most never give a second thought to what’s needed behind the scenes to keep ne’er-do-wells (aka hackers) from getting into the site, taking control, and using the site for their own purposes.
We spend a lot of time and a whole lot of money putting security measures in place to detect, reject and prevent hack attempts. But more could be done with your help. Here are some tips:
1. Keep your software up to date. For example, suppose WordPress brings out an updated version 1.2.3 to fix a security hole. From that point onwards hackers know that there will be websites out there still running the flawed version 1.2.2, and they will go round all the websites they find to see if they can exploit this flaw. For this reason it is imperative that you update any 3rd party software you are using as soon as possible. You can keep up to date with WordPress releases on the WordPress News Blog.
Note that WordPress needs 30MB – 40MB free space to perform an update so you should check how much space you have available before updating. We back up your site each day and keep a week’s worth of backups, so you don’t need to waste space taking your own backups.
If you don’t have enough space then you could either upgrade permanently (which will give you more space for uploads or mail) or ask us for some temporary space.
2. It’s not just WordPress. Here at Calico we tend to focus on WordPress because it’s the 3rd party software that’s most widely used by our customers, but the above request is not limited to the WordPress framework. Any 3rd party software you use will get updated, revealing the security holes in previous versions. This applies to other CMS framework systems (Joomla, Drupal, etc) and their themes, plugins, templates, etc. You need to keep *everything* up to date.
3. Add your own security layers. For WordPress (“other 3rd party software frameworks are available”) you can get plugins that will help you configure your settings to make them more secure, monitor the activity on your website, and try to block suspicious activity. We recommend you install security plugins Wordfence and iThemes Security as soon as you’ve set up WordPress – we install them routinely when setting up a site for customers.
Another way hackers try to get into WordPress is by trying to break into one of its entry points, the script xmlrpc.php. If you only use the Dashboard to administer WordPress, and not any other means, then you could add the following to your .htaccess file:
Redirect 403 /xmlrpc.php
This will effectively block access to the script. Again, this is something we routinely do when setting up WordPress here at Calico.
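As an added example (not Calico's own tooling), the Python check below confirms that the Redirect 403 line is active in a .htaccess file and summarises xmlrpc.php requests in an Apache access log, listing any that were not refused. The sample .htaccess and log lines are constructed, and it assumes WordPress is installed at the site root and the log uses Apache's common or combined format.

```python
import re
from collections import Counter

# Apache common/combined log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def htaccess_blocks_xmlrpc(htaccess_text):
    """True if an uncommented 'Redirect 403 /xmlrpc.php' line is present."""
    for line in htaccess_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        # Apache directive names are case-insensitive; the URL path is not.
        if parts[0].lower() == "redirect" and parts[1:] == ["403", "/xmlrpc.php"]:
            return True
    return False

def xmlrpc_summary(log_lines):
    """Count xmlrpc.php requests per client; list those not answered with 403."""
    hits, not_blocked = Counter(), []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue
        hits[m["ip"]] += 1
        if m["status"] != "403":
            not_blocked.append((m["ip"], m["method"], m["status"]))
    return hits, not_blocked

# Constructed sample data (documentation IP ranges, not real traffic).
SAMPLE_HTACCESS = "# BEGIN WordPress\nRewriteEngine On\n# END WordPress\nRedirect 403 /xmlrpc.php\n"
SAMPLE_LOG = [
    '198.51.100.23 - - [09/Mar/2024:23:59:58 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 403 199 "-" "curl/8.0"',
    '192.0.2.10 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("block configured:", htaccess_blocks_xmlrpc(SAMPLE_HTACCESS))
    hits, not_blocked = xmlrpc_summary(SAMPLE_LOG)
    for ip, count in hits.most_common():
        print(f"{ip}: {count} xmlrpc.php request(s)")
    for ip, method, status in not_blocked:
        print(f"NOT BLOCKED: {method} from {ip} returned {status}")
```

A request listed as not blocked means the directive was missing or not yet in effect when that request arrived, so it is worth checking the date of the entry against when the .htaccess line was added.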
Hopefully, by keeping everything up to date and secure, we can together keep your websites working as smoothly as you would expect.