Website security | Strattic - fast and secure static WordPress hosting
https://www.strattic.com/category/website-security/
Tue, 20 Dec 2022 16:21:25 +0000

Why security is critically important for WordPress websites
https://www.strattic.com/why-security-is-critically-important-for-wordpress-websites/
Wed, 14 Jul 2021 02:11:59 +0000

The post Why security is critically important for WordPress websites appeared first on Strattic - fast and secure static WordPress hosting.

Why is security such a big issue for WP websites?

WordPress is one of the most popular CMS platforms in the world, but it’s also one of the most hacked. Hundreds of thousands of WordPress installations are breached every year, and online threats only increased during the pandemic. In 2020 we saw security issues jump by as much as 6 times their usual levels, partly because so much economic activity shifted online.

You have to wonder: why is WordPress getting targeted so much?

Why is WP getting hacked so much?

Well, it’s partly due to its popularity, and partly due to the fact that all software has vulnerabilities, including WordPress. In terms of popularity, 41% of all websites, and 60% of the top 1 million sites, are powered by WordPress, making it a “worthwhile” target for hackers. If they can find and exploit a vulnerability in one WordPress site, that can help them crack other WordPress sites more easily.

Open Source can be an open door

On top of that, WordPress code is open source, so new bugs and vulnerabilities are shared publicly. Hackers turn that to their advantage to refine their attacks.

Over 70% of WordPress installations are vulnerable to hacker attacks, more than 47% of hacked sites have at least one back door, and WPScan (a leading database of WordPress vulnerabilities) currently reports a whopping 22,826 vulnerabilities.

WordPress has many moving parts

Part of what makes WordPress so popular is its versatility thanks to the many plugins and themes that make it easy to create and customize a website. But the profusion of moving parts means that there are also many opportunities for a vulnerability to creep in.

WordPress vulnerabilities can be found on numerous levels, from the OS and MySQL database to plugins, themes, and the WordPress core itself.

Websites are not being updated as needed

WordPress core developers, along with plugin and theme developers publish updates to patch security issues and fix bugs, but far too many site owners fail to keep on top of updates. Keeping WordPress updated is an ongoing effort that demands time, awareness and resources.

According to WordPress statistics, only 43% of sites are running the latest version of WordPress, just 0.5% are using the latest version of PHP, and 58.2% are running unsupported versions of MySQL. That’s particularly concerning given that SQL injection is one of the most popular types of WordPress attack.

A profusion of plugins

WordPress plugins are particularly vulnerable, because anyone can build and market one, but not every developer has the same level of skills or security consciousness. Plus you have to stay on top of every one of the numerous plugins your website uses.

Plugins are often bundled together into themes, so site owners aren’t always aware of all the tools running on their site, making it even easier for vulnerabilities to go unnoticed.

It’s alarming that one of the top ten most vulnerable plugins in 2020 was the All In One WP Security & Firewall, which is a stark reminder that even security plugins can turn into a backdoor for hackers.

Protecting your site security is crucial

It’s a no-brainer that it’s important to protect your WordPress site, but it can be hard to know how to do so effectively. Cyber attackers are relentless, using automated tools to bombard sites until they find a vulnerability to exploit.

The most common types of WordPress attacks are cross-site scripting (XSS) and SQL Injection. WordPress sites are particularly susceptible to XSS attacks because so many plugins have XSS vulnerabilities.

Brute force attacks are also common, because the system permits unlimited login attempts. Other modes of attack include DDoS attacks, remote code injections, session hijacking, man-in-the-middle attacks, social engineering, and remote and local file inclusions. There are also many ways to create a backdoor into a WordPress site.

Companies use security defenses, like Web Application Firewalls (WAFs), brute-force protection, and anti-DDoS solutions, but there are too many holes to plug. What’s more, sometimes security efforts can be counterproductive and while they solve one issue, they may create others like slowing down the site. It can often feel like adding security patches and tools is an endless game of defensive whack-a-mole.

And to make protecting your site even more complicated, sometimes security patches and plugins actually conflict with each other, creating new issues where none existed before. Plus security patches also need to be kept updated themselves, adding yet another task to the to-do list.

Headless static WordPress can resolve your security issues

With headless static sites, visitors only have access to a static version of the site that is fast, stable and doesn’t have the broad attack surface of a standard WP site. Some hosting solutions take that one step further, locking away your sensitive backend databases and servers securely in a containerized environment. Either way, there’s not much for hackers to breach, because all they can access is a collection of static files like HTML, CSS, and JavaScript files.

Brute force attacks are ineffective on the vast majority of static sites, and DDoS attacks can actually make the site faster if you’re using a high quality CDN. All the layers of WordPress vulnerabilities are non-existent, but the UX doesn’t change. Some services, like Strattic, can even keep your WordPress admin offline by default, and only bring it online when you need to make changes, adding yet another layer of protection.

With so many vulnerabilities and breaches on WordPress sites, it’s clear that the traditional methods of defense aren’t working. Headless static sites offer a new and successful way to protect your WordPress site and offer excellent UX at the same time.

To auto-update WordPress or not to auto-update…
https://www.strattic.com/to-auto-update-wordpress-or-not-to-auto-update/
Fri, 14 Aug 2020 11:34:37 +0000

The latest version of WordPress just rolled out, and it includes a number of really exciting features. Among my faves are:

  • Built-in XML sitemap (although they’re pretty basic so we’ll stick with Yoast’s Sitemaps for now)
  • The ability to define a WP installation’s environment (i.e. dev vs. production)
  • Support for Chrome’s Lazy Load for images

An interesting new feature is auto-update for themes and plugins. Now you can set plugins and themes to update automatically — or not! — in the WordPress admin. So you always know your site is running the latest code available.

You can also turn auto-updates on or off for each plugin or theme you have installed — all on the same screens you’ve always used.

Updating is critical for security, however…

Updating is critical for maintaining a secure WordPress installation so anything that helps with that is praiseworthy. However, theme and plugin updates can often introduce their own problems, whether it’s compatibility issues that break stuff or even new security vulnerabilities that are inadvertently pushed out in an update.

WordFence wrote a fantastic post explaining all of this and breaks down its recommendations on whether a site should use auto-updates by persona.

No need to frantically update WordPress with Strattic

With Strattic, you actually don’t have to hurry to update anything on your WordPress site. On Strattic, your WordPress site is hosted in a secure dedicated container that can only be accessed by authenticated users on your team, and it shuts down when not in use for an extra layer of security. If your WordPress site does have security vulnerabilities, they get left behind when you generate the static version of your site. The web (and all those eager hacker bots) only have access to the static version of your site, and since that is just a collection of static files, the vulnerabilities common to WordPress sites become irrelevant and there’s basically nothing to hack.

So the hacker bots, searching for sites with known published vulnerabilities, who find your statically generated version of your WordPress site powered by Strattic, will be extremely disappointed and will have to move on. Take that, hacker bots!

You can read more about Strattic and how it impacts security on our blog: https://www.strattic.com/category/website-security/

5 predictions for website security in 2019
https://www.strattic.com/5-predictions-for-website-security-in-2019/
Sun, 25 Nov 2018 05:20:14 +0000

Ready for yet another post about predictions for 2019? Thank you for giving ours a chance as well 🙂

Implementing best practices for website security can be the difference between a successful website and a compromised one. A compromised site can have all sorts of nasty consequences that take time, money, and energy (aka grey hairs) to clean up. Not to mention loss of revenue.

The major hurdle to implementing security is complexity. The more complex the security solution is, the less likely companies are going to adopt it. But, from our experience, many businesses can’t afford their site getting hacked, so it really is worth all the extra effort involved in preventive security measures.

With that in mind, let’s see what kind of website security trends are likely to take center stage in 2019.

1. MarSecOps

Short for Marketing Security Operations, the idea is that security is no longer just the realm of website developers or the IT department; the marketing department has an equal if not greater interest in, and even responsibility for, security.

The rationale is that if your website gets compromised it is likely to result in loss of revenue, and the website generally falls heavily under the management of a company’s marketing team.

To look at it another way, website security is everyone’s responsibility since the success of the website affects everyone, especially the marketing team and the company’s bottom line.

2. Static aka JAMstack sites

Databases are the target of attacks such as SQL injections and XSS (cross-site scripting) attacks, which are two of the most common types of attacks employed on websites running on Open Source software such as WordPress, Drupal, and Joomla.

Decoupling the front-end of a site from the backend and generating a static version of a website has major security benefits since it minimizes the attack surface and there is no longer a database to hack.

Static sites in this context do not mean the static sites of the early 2000s, but rather sites with robust functionality via JavaScript, APIs and Markup, otherwise referred to as JAMstack.

3. HTTP Security headers (CSP and HSTS)

SSL is a necessary first step, but it’s not enough to fully secure your site.

Even if your site is SSL’ed and rocking a green padlock, there are still vulnerabilities that are commonly exploited and implementing HTTP security headers such as CSP and HSTS can help protect your site further.

Cryptojacking (using JavaScript on a web page to mine for cryptocurrencies) is a prime example of a rising threat that can be curtailed by security headers.

4. Fool-proof 2FA

Currently, 2FA (Two-factor authentication) is not the golden ticket to security, since there is still plenty of room for improvement. 2FA is typically a combination of a password and a code that’s sent to a user’s phone.

However, attackers can execute a SIM swap to gain access to a user’s phone, or they might find a leaked database with text messages open for snooping.

To combat this kind of attack, we shouldn’t depend on codes sent by text, email or phone call from the service; rather, the codes should be generated by an application like Google’s Authenticator app. The recent Reddit hack was an example of 2FA gone wrong.

5. Serverless

Using serverless architecture instead of finite servers is gaining steady momentum.

With serverless, the infrastructure requirements are taken care of by the cloud provider, and updates take place automatically, so your systems are always up to date.

That means you don’t need to worry about outdated server software, one of the major ways that sites hosted on traditional LAMP-based servers can get hacked.

In conclusion

The only way to be 100% certain that your website won’t get hacked is… to not have a website.

If a hacker is bent on hacking your site, they probably will.

But, the majority of hackers are trying to find the easiest route to hack into a site and try to take advantage of weak or stolen passwords, or vulnerabilities due to outdated software.

So what’s the best way to secure your site?

First, make sure you’ve covered all the low-hanging fruit such as using strong passwords, having proper backups, and limiting login attempts.

Second, if you want to ramp up your security even more this coming year, then consider learning more about the above-mentioned security measures.

Tales from the (not so) secure web: GDPiRony edition
https://www.strattic.com/tales-from-the-not-so-secure-web-gdpirony-edition/
Mon, 12 Nov 2018 07:18:02 +0000

Oh Alanis, if only you had written your song in 2018 about WordPress GDPR plugins (see below).

Here is a roundup of notable website security incidents from around the web in the last few weeks. Apologies in advance for all the #doomandgloom.

Are you or aren’t you ready for December 31?

On Dec. 31, 2018, around 62 percent of all websites still running a PHP 5.x version will stop receiving security updates, exposing hundreds of millions of websites, if not more, to serious security risks.

Update, people, update! Or go static

Share gone wrong

If you ever used a script called “New Share Counts” to show a tweet counter on your site, remove it now! Over 800 sites have been compromised. There’s a link in that post that will show you the affected websites.

Attack of the Chacha

Hosting control panel solution VestaCP was compromised in an attack that installed malware used to carry out DDoS attacks. “The attacker tried launching Linux/ChachaDDoS via SSH”.

Hadooped

For nearly a month, a new botnet has been targeting unsecured Apache Hadoop servers, and planting bots on vulnerable servers to be used for future DDoS attacks.

They told me I was gullible… and I believed them

Don’t fall for these email scams – PayPal, Amazon, Facebook, banks, and an oldie but a goodie… Nigeria. Think you’d never fall for a phishing scheme? Just remember, 91% of all cyber attacks start with a phishing email.

Worst-kept Secret

A zero-day (a vulnerability that has been disclosed but not yet patched) in the popular jQuery File Upload plugin has been actively exploited for at least three years. Yikes! A fix is out, but the plugin is used in so many projects that patching will take ages! There are even YouTube video tutorials on how to exploit the vulnerability to take over servers.

Shopping for vulnerabilities

New WooCommerce vulnerability fixed in latest version. The user role “Shop Manager” had the capability to edit the Admin user, which can lead to a site takeover and file deletion. WooCommerce has over 55 million downloads. Update, update, update!

Clicking all the storefronts

There’s a new version of reCAPTCHA being released, so no more “how many storefronts do you see?” validation. Phew.

GDPiRony

Perfect irony when the WP GDPR Compliance plugin has a zero-day vulnerability that allows hackers to install backdoors and take over sites, gaining access to private data and more. The vulnerable plugin means that hackers can create admin-level accounts and wreak havoc, or inject malicious scheduled actions to be executed by WP-Cron. If you’re one of the 100,000 people using the WP GDPR Compliance Plugin, update now!

High Time for Data Security

Canada Post leaked personal data and orders of thousands of cannabis smokers. Marijuana is legal in Canada, but it doesn’t mean people want their usage known.

Swindler Up Ahead

Google is introducing a small but important update to its Chrome browser, to prevent consumers from being swindled by underhanded or unclear mobile subscription services. Chrome will display a “The page ahead may try to charge you money” warning.

Strattic is a solution that was created to optimize WordPress websites for speed and security by making them static and serving them on serverless architecture.

Feel free to contact us at info@strattic.com or sign up for our newsletter below.

Cyber Security Awareness Month: Tales from the (not so) secure web
https://www.strattic.com/tales-from-the-not-so-secure-web-doomandgloom-2/
Wed, 10 Oct 2018 03:42:17 +0000

October is National Cyber Security Awareness month – so here is a roundup of notable cyber security incidents from around the web from the last two months. Apologies in advance for all the #doomandgloom.

Masters of Malware

A new “malvertising” campaign linked to the user “Master134” redirects traffic from over 10,000 hacked WordPress websites and sells it to the well-known ad platform AdsTerra, which resells the traffic to other companies, who in turn resell it to their clients. The ads contain malicious code with the intent of infecting a user with malware. The WP sites were using v4.7.1, which was vulnerable to remote code execution attacks.

Stay in your lane

A new browser security risk allowed websites to use execution side-channel attacks to steal passwords from other websites that are open in the browser. Luckily, Chrome released a major security update featuring Site Isolation, ensuring that sites are processed separately, isolated from each other. If you notice your browser slowing down slightly, this could be why – site isolation will increase Chrome’s memory use by approximately 10%.

Arrr, matey, did ye get more (crypto) loot?

Cryptominer Crypto-Loot (a CoinHive competitor) injected malware into WordPress and Drupal sites by attacking their files in RawGit CDN, a CDN for Github files.

Crypto-Loot is an in-browser cryptominer that provides website owners with a script that they can run on their sites to mine the cryptocurrency Monero using the site visitors’ CPU power.

A Bitter Symfony

Drupal released a security update (8.5.6) because of a serious vulnerability in a component of Symfony, a third-party library. The same vulnerability was found in the Zend Feed and Diactoros libraries.

Crumbled Cookies

Websites in a pinch to launch a cookie consent popup may have unknowingly used a malicious script that redirects users to a website selling anti-virus software which is likely to contain malware.

Finnish Anarchy

A DDoS attack shut down many government websites in Finland for several hours including the Finnish National Insurance Institution (Kela), the Population Register Centre, the police, and more.

Faking a Cyber Attack

Well, this is a first – a false claim of a DDoS attack. Congress is set to grill the FCC’s chairman for falsely claiming his agency was hit with a cyberattack — and how it could affect the war over net neutrality.

The all-mighty padlock

Starting October 23, 2018, Chrome and Firefox are set to distrust all certificates issued by Symantec or partner companies (before June 1, 2016), and there are still over 800,000 websites with old security certificates.

If you visit a site with an older certificate, you may see security warnings, no longer see the green padlock, or the site may be blocked entirely.

You can use this tool to check out information about your site’s SSL status: http://sslchecker.com/

Well, that escalated quickly

Last September, Wordfence exposed the person responsible for purchasing and distributing several WordPress plugins (Display Widgets plugin among them) and injecting shady SEO spam into hundreds of thousands of websites.

Now, BBC and The Times reported that the same individual was also responsible for an extremely profitable website called “UK Meds” (it paid for his Lamborghini and fancy watch) where you could purchase prescription meds without a prescription.

Soblaugh

An 11-year-old hacked a replica of the Florida state website and changed the election results. In 10 minutes. Oh boy.

Mage…r file hack

More than 7,000 Magento sites have been infected with malware in the past six months through brute-force attacks that steal customers’ credit cards and identities.

Noooooo! Not The Oatmeal!

The Oatmeal was hit with a DDoS Attack. The chutzpah! Don’t worry, they’re online again. Though we’re still waiting for a comic about the incident.

¡Que terrible!

The Central Bank of Spain was offline for a week (a week!!) due to a DDoS attack which was claimed by the hacktivist group Anonymous Catalonia.

Update and delete leftovers

The Duplicator plugin patched a critical remote code execution (RCE) vulnerability in the latest version. If you’ve used Duplicator, make sure to upgrade immediately and delete any leftover files from the migration process.

Smells phishy

New phishing email targets WordPress users to update their database. The email is designed to look like an official WordPress message. If you’re thinking “What kind of idiot gets phished”, boy do I have a podcast for you.

Howzit?

Welp, that’s ironic. A South African government website specializing in cybersecurity was taken down by a DDoS attack.

HTTPS comics

How HTTPS works. In comic form. In case you were interested. Compugters and Certificats. A must-see.

99 Problems and a DDoS is probably one of them

DDoS Attack Volume Rose 50% in Q2 2018. That’s a whole lot of attacks. Chances are pretty good that you or a site you use has been attacked.

Ugh! Get me out of here

Massive WordPress Malware Redirect Campaign Targets Vulnerable tagDiv Themes and Ultimate Member Plugins. Update your plugins!!!

$6,000,000,000,000 (6 trillllion dollars)

Cybercrime expected to hit $6 trillion in damage annually by 2021. That cost is double the $3 trillion in damages that occurred in 2017, according to a Cybersecurity Ventures report.

Risky Business

A new study finds that almost half of the world’s most popular websites are risky to web users.

Evil Cursors

Thousands of WordPress sites with outdated and vulnerable themes and plugins were hacked with malicious code that redirects users to tech support scams, some of which use a new “evil cursor” Chrome bug.

Mine… It’s all miiiiine

Indian government websites ‘hacked’ to mine cryptocurrencies. In addition to this incident, an estimated 119 prominent Indian websites still run the Coinhive mining script which has been widely used to fraudulently mine the anonymous crypto Monero.

Formjacked

Internet security group warns against rise of formjacking hack. Know what can help prevent this? Content Security Policies (CSP). You know what service offers CSPs to all websites? Strattic 🙂

UN-doing of the UN

United Nations WordPress Site exposes thousands of resumes. Aaaand then it got worse when the UN accidentally published passwords, internal documents, and technical details about its websites after misconfiguring Trello, Jira, and Google Docs.

Fearful Leaders

46% of enterprise brands fear website data breach. Worse yet is that 67% of respondents freely conceded that they had implemented no marketing security for their website.

Angry Students?

190 UK Universities were targeted with hundreds of DDoS attacks and it looks like the culprit might be staff or students.

Can I get a C. S. P. ?

British Airways data theft demonstrates need for cross-site scripting restrictions. Content Security Policy, people!

Strattic is a solution that was created to optimize WordPress websites for speed and security by making them static and serving them on serverless architecture. 

Feel free to contact us at info@strattic.com or sign up for our newsletter below.

Why SSL is not enough to secure your site and why you should use HTTP security headers
https://www.strattic.com/ssl-http-security-headers/
Sun, 07 Oct 2018 23:22:23 +0000

What is SSL?

SSL (Secure Sockets Layer) makes sure there’s a secure internet connection to protect data (think personal details and credit card information) being sent online. You can think of it like a private tunnel from your browser to the server receiving the information. The information is encrypted to make sure that no prying eyes can read or modify that information while it’s being transferred.

What is HTTPS?

Once your site is secured by an SSL certificate, HTTPS will appear in the URL. You’ll also get the coveted green padlock.

Google, which wants to ensure that users’ experience on the web is as useful and secure as possible, is encouraging sites to implement SSL in order to make sure the overall web is secure. In 2014, Google announced that it would give a ranking boost to encrypted sites.

And, since July 2018, Google Chrome is pushing even further by marking non-https sites with a “Not secure” message in the browser bar.

At Strattic, we take security seriously. All sites on Strattic get a free AWS SSL certificate.

Why SSL is not enough

SSL is a necessary first step, but it’s not enough to fully secure your site.

Even if your site is SSL’ed, there are still vulnerabilities that are commonly exploited and there are steps that should be taken to help secure your site further.

Security headers to the rescue!

Whenever a browser requests a page from a web server, a server provides the browser with the content along with some useful information, called headers.

Many SSL-related vulnerabilities can be mitigated with a special type of header, called security headers, that tell browsers how to treat content on a web page, such as “whitelist certain types of content from trusted sites” or “only load this site over HTTPS”.

Security header #1: HTTP Strict Transport Security (HSTS) to solve man-in-the-middle attacks

When a site performs a 301 redirect from the http to the https version of a site, the redirect does not fully protect the site visitor: the request can be intercepted between the moment the visitor requests the http version of the site and the moment it reaches the https destination, in a type of attack called a “man in the middle” attack.

In order to prevent this interception during a redirect, you can use the HTTP Strict Transport Security (HSTS) header, which allows site owners to instruct browsers to always go straight to the https version. This removes the window for the man-in-the-middle attacker since the http version of the site is never accessed, not even for a second.

In order for sites to be HSTS-enabled, the HSTS header “Strict-Transport-Security” must be in place, the site must meet a number of criteria outlined here, and then be submitted to the HSTS Preload list.

Because security is extremely important to us, we have implemented HSTS for all our clients’ websites. In order to complete the process, all our clients have to do is fill out the HSTS Preload form to get added to it. You can read more about HSTS and possible drawbacks here.

Security header #2: Content Security Policy (CSP) to solve mixed content errors

A Content Security Policy (CSP) lets the browser detect and mitigate certain types of attacks, such as cross-site scripting (XSS), clickjacking and other code injection attacks that result from malicious content executing in the context of a trusted web page. A CSP can be used for simple purposes like enforcing HTTPS on SSL-enabled sites, up to more sophisticated uses like authorizing only truly trusted sources and blocking everything else.

Using CSP also makes sure that there are no mixed content errors on your site. For example, if your site is on https but you embedded a YouTube video with an http link, you would otherwise wind up with mixed content errors in the browser console. These mixed content errors will prevent the green padlock from displaying next to your URL in the browser bar. A CSP can direct the browser to load all URLs over https, avoiding any mixed content errors.

To learn more about CSP, watch the presentation by Miriam Schwab, CEO of Strattic, at WordCamp Europe.

Most sites do not have a CSP installed, but it’s important to be aware of it and how it can be used to add an additional layer of security to your website.

All Strattic sites come with an automated and customized CSP.

Conclusion

Most site owners think that once they’ve added an SSL certificate to their website, they can move on and go drink a piña colada on the beach. That would be nice if the web was all rainbows and unicorns. But as we’ve seen, the web has plenty of hackers trying to ruin... well, just about everything. So, to harden your site’s SSL, make sure to implement HTTP security headers such as HSTS and CSP. Or, you can give Strattic a try, and we’ll take care of it for you.

We don’t use security plugins on WordPress sites. Here’s what we do instead. https://www.strattic.com/no-security-plugins-on-strattic/ Sun, 12 Aug 2018 03:23:45 +0000 https://www.strattic.com/?p=1663 WordPress is a wonderful CMS but its dynamic and Open-Source nature means site owners often suffer from slow and vulnerable sites. As a result, WordPress site owners typically have to add a slew of plugins and tools to optimize their site for speed and security. The problem is that these band-aids that keep the site […]

The post We don’t use security plugins on WordPress sites. Here’s what we do instead. appeared first on Strattic - fast and secure static WordPress hosting.

WordPress is a wonderful CMS but its dynamic and Open-Source nature means site owners often suffer from slow and vulnerable sites. As a result, WordPress site owners typically have to add a slew of plugins and tools to optimize their site for speed and security.

The problem is that these band-aids that keep the site from falling apart can come with some not-so-lovely side effects, much like drug commercials with their dramatic scrolling list of side effects.

Security plugins may cause bloating…

One of the most popular WordPress security plugins is Wordfence, with over 2 million downloads. Wordfence has contributed tremendously to the security of the WordPress community, both through what the plugin offers and through its ongoing research and reporting.

Wordfence is very robust and has many options and settings, but site owners usually just leave all the default settings when adding the plugin to their site. The default settings do offer a good level of protection, but they can end up putting strain on your server, which could slow your site down or cause other functionality on your site to stop working properly.

For example, Wordfence offers malware scans which can take a lot of time to execute and can use a lot of server resources.

Wordfence also has a feature to stop brute-force attacks. In order to do that, the plugin needs to keep a log of who is attempting to enter the site, where they’re coming from, and how many times they attempt to log in. This active logging can bloat your database and add extra load on the server.

At Strattic, we don’t use security plugins

TL;DR: Strattic users serve a static version of their WordPress site. Having a static site removes 99.99999% of the attack surface.

Here’s how Strattic works in a nutshell:

Let’s take a look at some of the most common WordPress vulnerabilities and how they’re handled on Strattic without a plugin.

Cross-site scripting (XSS)

This is the number one security vulnerability in WordPress sites.

Cross-site scripting (XSS) is when a hacker tries to inject a script into your source code and have it loaded in the browser. It can originate on the server or client side. Once the injected script runs, it has the same privileges as your browser session, so it has access to your cookies, your web storage and your DOM, which is not good.

A recent example of an XSS attack is the Browsealoud attack. Browsealoud is an accessibility browser add-on. The attackers got access to the library that these sites were loading, turned it into a cryptomining tool, and 5,000 sites were affected.

Solution
By removing the database and serving a static site, Strattic eliminates any server-side XSS attacks.

In addition, Strattic allows you to set a Content Security Policy (CSP) in order to whitelist the resources that you want the browser to load for your webpage. Rather than trying to guess which potentially harmful resources are out there, you authorize the services you trust.

A CSP is sent as an HTTP response header and tells the browser which scripts are ok to load, and which aren’t. For example, you might create a CSP that authorizes the browser to load Google scripts like the Google Analytics tracking code.

CSP does not stop an attacker from injecting code in the first place, but it gives your site an extra layer of protection by limiting what the browser will run if your site is compromised.

You can read more about CSP here.
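To make the allowlisting concrete, here is an added example (not Strattic’s CSP implementation) of how a browser evaluates a policy like the ones described in this post and in the security headers post above: it parses the header, falls back to default-src, applies upgrade-insecure-requests (the fix for the http YouTube embed mentioned there), and then checks each load against the allowed sources. The policy string, page origin and hostnames are constructed; the matching is a simplified version of the real CSP rules.

```python
from urllib.parse import urlsplit

# Constructed policy and page origin for an https site that embeds YouTube and Google Analytics.
PAGE_ORIGIN = ("https", "www.example.test")
EXAMPLE_CSP = ("default-src 'self'; script-src 'self' https://www.google-analytics.com; "
               "frame-src https://www.youtube.com; upgrade-insecure-requests")


def parse_csp(header_value):
    """Turn "script-src a b; img-src c" into {"script-src": ["a", "b"], "img-src": ["c"]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, url, page_origin):
    """Simplified CSP source-expression matching: 'self', 'none', scheme:, host, *.host."""
    target = urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return (target.scheme, target.hostname) == page_origin
    if source.endswith(":") and "/" not in source:  # scheme-source such as "https:"
        return target.scheme == source[:-1].lower()
    if "://" in source:  # host-source with an explicit scheme
        scheme, host = source.split("://", 1)
        if target.scheme != scheme.lower():
            return False
    else:  # bare host inherits the page's scheme, so it never allows http on an https page
        host = source
        if target.scheme == "http" and page_origin[0] == "https":
            return False
    host = host.split("/", 1)[0].split(":", 1)[0].lower()  # drop any path and port
    if host.startswith("*."):
        return target.hostname.endswith(host[1:])  # wildcard covers subdomains only
    return target.hostname == host


def check_load(header_value, resource_type, url, page_origin):
    """Decide whether the browser loads `url` as `resource_type` ("script", "img", "frame", ...).

    Returns (allowed, url_actually_requested). With upgrade-insecure-requests the browser
    rewrites http:// to https:// before consulting the source lists, which is what turns
    an http YouTube embed from a mixed-content error into a clean https load.
    """
    policy = parse_csp(header_value)
    if "upgrade-insecure-requests" in policy and url.startswith("http://"):
        url = "https://" + url[len("http://"):]
    sources = policy.get(resource_type + "-src", policy.get("default-src"))
    if sources is None:  # no applicable directive: the policy does not restrict this load
        return True, url
    return any(source_matches(s, url, page_origin) for s in sources), url
```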

DDoS or Traffic spikes

A distributed denial of service (DDoS) attack works by overwhelming a server with requests, with the intention of bringing down the server or the site.

You can take a look at some of the notable DDoS attacks that made headlines in 2017.

Traffic spikes, which could happen if your site gets featured on the front page of a popular publication, will likely overload the resources on the server with the sudden shock of thousands of visitors. In a way, this can be seen as a mild form of a DDoS attack insofar as the server is getting majorly overloaded and doesn’t have the resources to keep up, which could result in your site going down.

Solution
Strattic sites are static and disconnected from the WordPress installation, so they can scale almost infinitely.

In addition, Strattic uses a serverless architecture that runs only when triggered by an event, such as a new visitor to the website. It is inherently elastic, so you don’t need to worry about scaling or traffic spikes, and you would never need to add server resources ahead of huge press coverage.

Finally, Strattic uses an integrated CDN to serve the static web pages from a location closest to the user. So, if one CDN location gets DDoSed, another location can take over and avoid any downtime at all.

SQL injection

The second most common vulnerability on WordPress sites is SQL injection. An SQL injection is when a hacker injects SQL commands into a submittable form on your site (e.g. a comments form, contact form or search form) in order to get access to your site’s database. This vulnerability is usually the result of poorly coded websites, plugins, or themes.

Solution
Since our public-facing sites are static and detached from the WordPress installation, there isn’t a database connected to the site’s forms. Strattic has client-side functions that handle forms instead.

Brute force attacks

This is the cyber equivalent of someone coming to your door and trying to break in by trying an endless number of keys in the lock.

For a WordPress site, a brute force attack refers to a hacker (usually a bot) relentlessly trying to break into the backend of the website by trial and error, using an endless number of username and password combinations.

Solution
Since Strattic’s public-facing static sites are detached from the WordPress installation, there’s nothing to log in to, and therefore nothing to hack.

Man-in-the-middle Attack

In order to make sure that all visitors are reaching the https version of your site, web developers will generally set up 301 redirects from the http version to the https version for those users who type in the http link, or are following links from other sources that still point to the http version of the URL.

However, what many people don’t realize is that the redirect does not fully protect the site visitor, since there is a window of opportunity (however small) between when the visitor requests the http version of the site and when it reaches the https destination for a type of attack called a “man in the middle” attack. Some examples of these types of attacks are protocol downgrade attacks and cookie hijacking.

Solution
A security header called HTTP Strict Transport Security (HSTS) allows site owners to instruct browsers to always go straight to the https version. This removes the window for the man-in-the-middle attacker since the http version of the site is never accessed, not even for a second.

Because security is extremely important to us, we have implemented HSTS for all our clients’ websites. In order to complete the process, all our clients have to do is fill out the HSTS Preload form to get added to it. You can learn more about HSTS here.

To sum up…

Here’s a comparison of standard security measures versus how they’re handled on Strattic.

Vulnerability Standard WordPress security measures Strattic security measures
XSS (Cross-site scripting)
  • Sanitize data
  • Update WP themes and plugins
  • Manual Content Security Policy (CSP)
  • Static site disconnected from WP database
  • Manual Content Security Policy (CSP)
DDoS
  • Anti-DDoS solutions
  • Static files
  • Serverless architecture
SQL injection
  • Security scans via WP security plugins
  • Update WP themes and plugins
  • Update PHP version
  • Use external form systems
  • Static site disconnected from WP database
Brute-force
  • WP security plugins to limit login attempts
  • Two-factor authentication
  • Change Admin login URL
  • Use secure passwords
  • Remove username “admin”
  • Password protect directories
  • Static site disconnected from WP database
Man-in-the-middle
  • Manual HSTS creation
  • Automated eligibility for HSTS

How much can it cost to optimize a WordPress website for speed and security? https://www.strattic.com/cost-optimize-wordpress-website/ Mon, 23 Jul 2018 05:32:39 +0000 https://www.strattic.com/?p=1482 Everyone wants the fastest, securest website ever since having a fast site keeps people on your site longer, and having a secure site makes sure it’s always available and not redirecting people to a Viagra website…or worse (is there worse?). WordPress is a wonderful CMS but its dynamic and Open-Source nature means site owners often […]

The post How much can it cost to optimize a WordPress website for speed and security? appeared first on Strattic - fast and secure static WordPress hosting.

Everyone wants the fastest, most secure website ever, since having a fast site keeps people on your site longer, and having a secure site makes sure it’s always available and not redirecting people to a Viagra website…or worse (is there worse?).

WordPress is a wonderful CMS but its dynamic and Open-Source nature means site owners often suffer from slow-ish and vulnerable sites. That’s why you’ll find a ton of articles online about how to speed up and secure WordPress sites. The problem is that implementing these techniques can end up being quite time-consuming and expensive, so I thought I’d dig in and see what costs an agency can expect when speeding up and securing their customers’ websites.

How to check your site’s speed

The consensus is that a fast site takes under three seconds to load, though we all know that three seconds in internet time is like three minutes in real-world time. Around 3-4 seconds, I find myself muttering “just load already”.

One of the most popular free tools for analyzing site speed is Pingdom. You can test your site’s loading time in a few locations (NYC, San Jose, Stockholm, and Australia).

However, your results from site speed testing tools can vary wildly for the following reasons:

  1. The geographic location you select can impact the page load speed, depending on where your site is hosted.
  2. If your site is being cached, the first test will always be slower than a second, repeat test.

Despite all that, it can be useful to get some kind of benchmark regarding your site’s speed.

Once you have your speed test results, you can decide if it’s worth it for you to invest resources toward making it faster.

How to check your site’s security

It can be hard to tell if your site has been infected with malware or otherwise compromised, since hackers can be very sneaky. In order to know to a high degree of certainty whether your site is secure or not, there are a number of tools you can use to analyze your site.

You can start with the Sucuri malware scanner; we’ve found that it doesn’t catch everything, so it isn’t 100% reliable, but it is a starting point.

You can also run your site through a security header test. Security headers tell browsers how to deal with certain threats and types of content that are being loaded on your site. You can learn more about the implications of security headers in Miriam’s talk from WordCamp Europe about Content Security Policies.

Even if your site scan comes back clean, keep in mind that WordPress is constantly being targeted because of its popularity, and plugins and core software need updating on a regular basis to keep your site secure. Studies have shown that on average, WordPress sites get attacked 50 times a day!

Google cares about speed and security

Google takes security and speed very seriously because they want users to have a good and safe experience on a website. So chances are, if your site is optimized for both, and all your other SEO practices are in place, your rankings could get a boost which translates into more people interacting with your site.

Bottom line: how much will it cost?

You’re not gonna like the answer. The answer is… yep, you guessed it… it depends. The cost depends on just how far you want to take things and what you’re willing to pay for. But the following will give you a rough outline of the costs involved.

There are a heck of a lot of free tools out there (thank you to all you people who make them free) that can seriously help with your site speed and security. But, as you might expect, a paid version of the same service will often give you valuable features and support.

Tools and plugins for a faster WordPress site

Here are some tools that could have the biggest impact on your site speed:

Caching
Caching helps make your site load faster the second time a user visits your site by serving a static version of your site.

  1. Free: Plugins include WP Super Cache and W3 Total Cache. Your server provider may also have some additional caching services available.
  2. Paid: WP Rocket is probably the most popular. Cost: $199/year for unlimited websites

CDN
A CDN (Content Delivery Network) serves a copy of your site’s assets (images, stylesheets, javascript files) from a server closest to the user, thereby decreasing page load time.

Image Optimization
Images can really weigh down a site so it’s super important to compress them.

  • Free: reSmush.it, EWWW Image Optimizer and Smush. Smush has a free version, but you’d need to upgrade to the PRO version for bulk ‘smushing’, and the ShortPixel plugin has a freemium version that lets you bulk optimize up to 100 images. You could also use Tinypng.com, but you’d need to manually upload each image, which can get tedious pretty quickly.
  • Paid: ShortPixel $30/month for 55,000 images per month

Static Site Generator
Flattening your site into a static site can speed it up, since the pre-rendered files load much faster than a dynamic site: they don’t have to wait to interact with the database.

  • Free: There are free plugins like Simply Static but there are many limitations you should consider before using this tool.
  • Paid: I’d like to put Strattic here, except it’s not *just* a static site generator, it also includes a CDN, HTTP/2, automated security, and serverless hosting that lets you have a static site with some dynamic functionality so that you can use native contact forms and site search.

Tools and plugins for a more secure WordPress website

Here are some tools that can have the biggest impact on your site security:

Limit Login Attempts
Limit how many times someone can try to log in, to prevent brute-force attacks.

  • Free: Wordfence is the most popular WordPress security plugin at the moment, and for good reason. It lets you lock out users after a certain number of password attempts, perform security scans, and much more. However, it can put a load on your website’s database.
  • Also free: Jetpack has a built-in brute-force protection mechanism called Protect. It also adds a widget to your admin dashboard showing how many malicious attacks were blocked on your site.

Automatic updates
Keeping your WordPress up to date is probably the most important thing you can do to keep your site safe.

Backups
If you want to sleep easy at night, then it’s critical to have backups, since it’s wishful thinking that your site will never ever get hacked. Just be careful to save these backups off-site, since otherwise they could quickly hog your server storage quota. Also, if the server with your website crashes, all your backups are at risk too!

  • Free: Updraft Plus
  • Paid: Blogvault (Agencies plan, up to 100 sites): $99/month. We love Blogvault – they make it super easy to backup, migrate, and test-restore sites. There’s also VaultPress, which ranges from $39 – $299/year per site depending on which features you need.

Malware Scanners and cleanup services
It’s important to constantly scan your site for malware, and clean it up immediately if anything is detected.

  • Free: the Sucuri plugin and the Wordfence plugin, but in our experience they haven’t always detected malware that was detected by other services such as Malcare.
  • Paid: From our experience, Malcare has been extremely reliable and their one-click cleanup is extremely handy: $59/month for up to 20 sites. Sucuri offers a paid version for $500/year per site with fast response report and cleanup.

Additional costs

In addition to these tools and services, it’s likely you’ll also need a developer to implement the rest of the best practices for speed and security such as leveraging browser caching, gzip compression, etc. For a more in-depth look at what you can optimize, here are 21 ways to secure your site, and 9 ways to speed up your site.

Conclusion

If you’re thinking, meh, I don’t really need to do all this stuff, I would also say that not optimizing your site for speed and security could end up costing you just as much, if not more since you’d need to deal with downtime, lost visitors and cleaning up all the damage. To put it another way, making your site fast and secure may be annoying, but taking it seriously yields significant results, and is simply part of the cost of having a website these days.

New Strattic feature! HSTS preload eligibility support for all Strattic sites https://www.strattic.com/hsts-preload-eligibility-support/ Sun, 15 Jul 2018 06:03:35 +0000 https://www.strattic.com/?p=1607 As we all know by now, having a site that is SSL encrypted (https) is critical for ensuring the security of your site’s visitors, and for SEO – Google has made it clear that SSL encrypted sites will get some extra brownie points, including the satisfying green lock in the browser address bar: In order […]

The post New Strattic feature! HSTS preload eligibility support for all Strattic sites appeared first on Strattic - fast and secure static WordPress hosting.

As we all know by now, having a site that is SSL encrypted (https) is critical for ensuring the security of your site’s visitors, and for SEO – Google has made it clear that SSL encrypted sites will get some extra brownie points, including the satisfying green lock in the browser address bar:

In order to make sure that all visitors are reaching the https version of the site, web developers will generally set up 301 redirects from the http version to the https version for those users who type in the http link, or are following links from other sources that still point to the http version of the URL.

However, what many people don’t realize is that the redirect does not fully protect the site visitor, since there is a window of opportunity (however small) between when the visitor requests the http version of the site, and when it reaches the https destination, for a type of attack called a “man in the middle” attack. Some examples of these types of attacks are protocol downgrade attacks and cookie hijacking.

HSTS security header to the rescue

Security headers offer ways to tell browsers how to treat content on a web page. For example, Content Security Policies (CSP) allow site owners to whitelist certain types of content that they know to be safe for loading on a web page.

Another type of security header, and the one that’s relevant to the issue described here, is the HTTP Strict Transport Security (HSTS) header. HSTS was set up by web giants including Google and PayPal to allow site owners to instruct browsers to always go straight to the https version: don’t pass go, don’t redirect on the server, don’t collect 200 bitcoin. This removes the window for the man-in-the-middle attacker since the http version of the site is never accessed, not even for a second.

In order for sites to be HSTS-enabled, the HSTS header “Strict-Transport-Security” must be in place, the site must meet a number of criteria outlined here, and then be submitted to the HSTS Preload list.

Because security is extremely important to us, we have implemented HSTS for all our clients’ websites. In order to complete the process, all our clients have to do is fill out the HSTS Preload form to get added to it.

The drawbacks of implementing HSTS

While the benefits of implementing HSTS are clear, it’s important to understand what it entails, since it could prove challenging:

  1. All subdomains must also be HSTS-enabled, and this doesn’t necessarily work for everyone.
  2. If for some reason you would like to remove your site from the HSTS Preload list, you can do so with this HSTS removal form, but it can take months for your site to be removed.

What do Strattic customers have to do in order to get HSTS working?

Strattic has HSTS preload eligibility support set up automatically for all sites. If your site is on Strattic, the only thing you need to do is enter your domain and then submit the form on hstspreload.org to add your site to the HSTS preload list. And then wait to be accepted which could take several weeks.
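The following added example (not Strattic’s code, and not the hstspreload.org checker) models the two sides of what this post and the man-in-the-middle sections above describe: a parser that flags the header-level reasons a Strict-Transport-Security value would fail preload submission (max-age of at least one year, includeSubDomains, preload), and a stand-in for the browser’s HSTS cache showing that an unknown host is still fetched over plain http once (the redirect window), while a known or preloaded host is upgraded before any packet leaves the machine. Hostnames and timestamps are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # smallest max-age (seconds) the preload list accepts


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value such as 'max-age=31536000; includeSubDomains; preload'."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            directives[name] = int(value)
        else:
            directives[name] = True  # includeSubDomains and preload are bare flags
    return directives


def preload_issues(header_value):
    """List the header-level reasons a preload submission would be rejected."""
    d = parse_hsts(header_value)
    issues = []
    if d.get("max-age", 0) < ONE_YEAR:
        issues.append("max-age must be at least 31536000 (one year)")
    if "includesubdomains" not in d:
        issues.append("includeSubDomains directive is required")
    if "preload" not in d:
        issues.append("preload directive is required")
    return issues


class HstsStore:
    """Stand-in for the browser's HSTS cache, optionally seeded from a preload list."""

    def __init__(self, preloaded=()):
        # host -> (expiry timestamp, include_subdomains); expiry None = preloaded, never expires
        self.entries = {host.lower(): (None, True) for host in preloaded}

    def observe_response(self, host, header_value, now=None):
        """Record the header from an HTTPS response (browsers ignore it on plain http)."""
        now = time.time() if now is None else now
        d = parse_hsts(header_value)
        if d.get("max-age", 0) == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 tells the browser to forget the host
            return
        self.entries[host.lower()] = (now + d["max-age"], "includesubdomains" in d)

    def rewrite(self, url, now=None):
        """Return the URL the browser actually requests.

        A known host is upgraded to https before any request is sent. An unknown host
        is fetched over plain http and only a server-side redirect moves it to https:
        that first request is the man-in-the-middle window.
        """
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        now = time.time() if now is None else now
        labels = parts.hostname.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry is not None and expiry < now:
                continue
            if i == 0 or include_subdomains:
                return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```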

Additional resources:
