In the past we have talked about the measures we at ManageWP take to keep your websites secure, and about the importance of keeping everything updated. Today we want to discuss why security is not a feature for us but a state of mind. This article has two parts: how ManageWP Orion helps protect your websites from known WordPress threats, and what precautions we take to make Orion itself a secure dashboard. We are constantly improving our security, and I will also share our plans for making Orion as secure as Fort Knox.
It is well known that WordPress has security holes, as any widely used open-source project does. Open source means anyone can read the code and look for vulnerabilities, and because the same code runs on millions of sites, one exploitable bug is a way into not just one site but every site that has not patched it. With around 3,972 known vulnerabilities on record (going all the way back to WordPress 0.7) there are plenty of openings for attackers. By that count most of them are in plugins (52%), with 37% in WordPress core and only 11% in themes. What also makes WordPress a sitting duck is that it is easy to set up and use: everything you need is on one page, and not everyone who installs it is careful or security conscious. That same appeal gives attackers the chance to control a huge number of sites, and all they need is one loophole. The moment your site is online, it is exposed.
But, it’s not all doom and gloom.
How ManageWP Orion Resolves Known WordPress Threats
The oldest rule in the book is to keep your whole website up to date: core, plugins and themes. Always run the latest version of WordPress; if you are not, there is a good chance you are running a version with multiple publicly known vulnerabilities, and a publicly known vulnerability is exactly what attackers scan for.
With one-click Update All on ManageWP it takes no effort to stay on track with your updates and protect yourself from known threats. We built this feature so that basic security becomes an easy task and a habit, and so you can avoid the inconvenience of cleaning malware off your sites.
An often-cited example of a serious breach traced to an outdated plugin with a known vulnerability is the Panama Papers leak.
Orion has a security scan in place. The security check scans the pages of your website and compares what it finds against a knowledge base of known malware. It also performs a blacklist check against a number of services such as Google Safe Browsing, Norton Safe Web and ESET, and flags certain site errors and outdated software. Keep in mind what a page-level scan can and cannot see: it catches malware that shows up in the pages your site serves (injected scripts, spam links, redirects), but a server-side backdoor that never renders anything in the output will not be found this way. If your site has been infected you will get a detailed report and a list of all the infected files. We do not offer cleaning services; it is down to you to clean your site. You can always restore a clean backup to get your site up and running again, or attack the malware head on by hiring a professional to do the cleaning for you.
ManageWP Orion Security Lets You Sleep Easy
It may seem like threats are coming from all sides, and I have barely touched on the subject of WordPress security. I won't go into the different types of attacks out there, as it can get overwhelming and discouraging. Instead I will summarize how we have made Orion a safe haven.
ManageWP Worker Plugin
Without the ManageWP Worker plugin you cannot use our dashboard. The Worker plugin is a security precaution on our side: it exposes the API through which the dashboard communicates with your websites. This is our own protocol, and it is our responsibility to make sure the API is secure. We do this with OpenSSL, using asymmetric keys: each website gets its own unique key pair. Asymmetric keys give one-way authentication by design: the private key stays with the party that signs the commands, and the site holds only the public key with which it verifies them, so a site can check that a command really came from ManageWP but holds no secret that would let anyone who compromises it forge commands to that site or to any other. Every message also carries a cryptographic nonce, which means old communications cannot be captured and reused later against your site (a replay attack). The transport itself is protected by HTTPS, described in the next section, which is what shuts out a man-in-the-middle attacker; the signed, nonce-bearing messages mean that even a captured request is useless to replay.
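To make the two mechanisms concrete, here is an added example of my own; it is not the Worker plugin's code, and this page does not describe the Worker's actual wire format. A dashboard signs each command with a per-site RSA private key (RSA PKCS#1 v1.5 over SHA-256 via Go's standard library, standing in for "OpenSSL asymmetric keys"), and the site verifies with the public key, rejects anything outside a freshness window, and refuses a nonce it has already accepted. The type names, the action strings and the five-minute window are assumptions made for the illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

var (
	ErrBadSignature = errors.New("signature does not verify with the dashboard's public key")
	ErrStale        = errors.New("timestamp outside the acceptance window")
	ErrReplay       = errors.New("nonce already used: replayed request")
)

// Request is a hypothetical dashboard-to-site command; the signature covers every other field.
type Request struct {
	Action    string `json:"action"`
	Nonce     string `json:"nonce"`
	Timestamp int64  `json:"timestamp"`
	Signature []byte `json:"signature,omitempty"`
}

func (r Request) digest() []byte {
	r.Signature = nil
	b, _ := json.Marshal(r) // canonical form: struct marshalling is deterministic
	d := sha256.Sum256(b)
	return d[:]
}

// Dashboard keeps the private key; sites only ever get the public half.
type Dashboard struct{ priv *rsa.PrivateKey }

func NewDashboard() (*Dashboard, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Dashboard{priv: k}, nil
}

func (d *Dashboard) PublicKey() *rsa.PublicKey { return &d.priv.PublicKey }

// Sign attaches a fresh 128-bit random nonce and a timestamp, then signs the canonical bytes.
func (d *Dashboard) Sign(action string, now time.Time) (Request, error) {
	nb := make([]byte, 16)
	if _, err := rand.Read(nb); err != nil {
		return Request{}, err
	}
	req := Request{Action: action, Nonce: fmt.Sprintf("%x", nb), Timestamp: now.Unix()}
	sig, err := rsa.SignPKCS1v15(rand.Reader, d.priv, crypto.SHA256, req.digest())
	if err != nil {
		return Request{}, err
	}
	req.Signature = sig
	return req, nil
}

// Site is the worker side: the public key plus the nonces accepted inside the window.
type Site struct {
	pub    *rsa.PublicKey
	window time.Duration
	seen   map[string]int64 // nonce -> timestamp it carried
}

func NewSite(pub *rsa.PublicKey, window time.Duration) *Site {
	return &Site{pub: pub, window: window, seen: map[string]int64{}}
}

// Verify accepts a request only if the signature checks out, the timestamp is inside
// the window and the nonce is new; nonces older than the window are pruned on every call.
func (s *Site) Verify(req Request, now time.Time) error {
	if rsa.VerifyPKCS1v15(s.pub, crypto.SHA256, req.digest(), req.Signature) != nil {
		return ErrBadSignature
	}
	limit := int64(s.window / time.Second)
	if age := now.Unix() - req.Timestamp; age > limit || -age > limit {
		return ErrStale
	}
	for nonce, ts := range s.seen {
		if now.Unix()-ts > limit {
			delete(s.seen, nonce)
		}
	}
	if _, dup := s.seen[req.Nonce]; dup {
		return ErrReplay
	}
	s.seen[req.Nonce] = req.Timestamp
	return nil
}

func main() {
	dash, _ := NewDashboard()
	site := NewSite(dash.PublicKey(), 5*time.Minute)
	req, _ := dash.Sign("update_all", time.Now())
	fmt.Println(site.Verify(req, time.Now()), "/", site.Verify(req, time.Now())) // <nil> / replay error
}
```

The first delivery of a request verifies, the same bytes delivered a second time fail with the replay error, and a copy with the action changed fails the signature check before the nonce is even consulted. Two points carry over to any real implementation: the nonce store must survive across requests (in a WordPress plugin that means a database table or similar, since each PHP request starts from nothing), and the freshness window is what keeps that store from growing without bound.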
HTTPS and Two Factor Authentication
The Orion dashboard, like Classic, is served over HTTPS, which protects against man-in-the-middle attacks and authenticates the site you are talking to. We also offer Two Factor Authentication (2FA), which we recommend you enable. It is easy: click your name (top right corner) in Orion, go to Settings, and enter your details under Security. You can receive codes by email, by phone, or both. With 2FA a would-be attacker who brute-forces or simply guesses your password still cannot log in, because the password alone is no longer enough.
Amazon S3 Storage EU/USA
We have chosen AWS as our backup storage solution, not only for its cloud compliance but also for security reasons. We still take extra steps of our own: most of the work happens on our side, and before any data is sent to storage we make sure it is encrypted. This is handled by our security team, whose primary concern is keeping your data safe. Only a limited number of people have access to sensitive data, and the access keys are rotated regularly. We don't like to leave anything to chance.
Recently you have asked us how safe your FTP credentials are with us. I have to start by saying that we have not had a single incident or breach so far, so to date your FTP credentials have been safe with us. We understand the concern, though, and we will never ask you for them twice. No one is obliged to share them; we ask because we invest man-hours in solving your problems directly, and having access lets us help you quickly.
If you do want to share credentials with us, there are two ways to do it safely. The best practice is to create a temporary account, with only the access the job needs, through which we can get to the bottom of the problem, resolve it and leave. When this is done you simply change the password again or delete the account. The second is to use a one-time pass service such as NoteShred, which lets us see the credentials once and only once. Note that a one-time link protects the credentials in transit but does not limit what they can do once read, so pair it with a temporary account where you can.
White Hat Award
We have a White Hat Award for hackers who find holes in our security and report them to us. So far we have given out 24 awards, and we are thankful to these people for helping us make our service more secure. This is an ongoing reward programme, and we encourage white hat hackers to keep helping us maintain our high level of security.
Website Security Needs Constant Attention
Here are the security measures we plan to implement in the future.
We are always looking for new ways to keep our service secure, and we are planning to implement an MD5 checksum check. It works by comparing the WordPress core files of your website with the checksums of the official WordPress release (WordPress.org publishes a list of MD5 checksums for every core release), looking for any change in the files. This allows fast file checks, and when a difference is found we will be able to tell you which files are suspicious. Two details matter for this kind of check: files that are present on your site but absent from the official release are just as suspicious as modified ones, since that is where dropped-in backdoors usually live; and the comparison should be run, and the reference list fetched, from outside the site, because an attacker who controls the site could tamper with a checker that runs on it. MD5 is no longer safe against a deliberate collision attack, but that attack requires the attacker to craft both files; here the reference digests come from a trusted list, and an attacker who modifies an existing file would need a second preimage, which MD5 still resists, so it remains a practical way to spot tampering. We already have the infrastructure in place and plan to fully implement this additional security measure in due course.
Security Scan Scheduling & Reporting
As an addition to the existing Security Scan, we are planning in the near future to let you schedule your scans and receive automated reports of them. We have not yet decided what this will look like or what scheduling time frames will be available; we are thinking of replicating the system we use for Backup scheduling or Client Reports and giving you the same options for your Security Scan. What do you think? Comment below and tell us what you want your Security Scan Scheduling & Reporting to look like.
Our Own Security Scan
We have always had the idea of building our own Security Scan, and we plan to take this on after the official Orion release. Our security team is outlining what the scan will look like; we are aiming for the most up-to-date scan we can build, customized exactly to our dashboard. When we have more details we will write a full post about it.
Your Website, Your Security
The reality is that attacks can come from anywhere, be it via shared hosting or your login page, and it may seem mind-boggling. Don't let it be. There are concrete things you can do to protect your website. The most important is to trust your sources and be conservative in your selection of plugins and themes: every plugin you install is code that runs with the full privileges of your site, so install only what you need, from developers you trust, and remove what you no longer use. Keep everything updated; we have said it three times now, but it is crucial that you always run the latest versions of everything on your website. Use the tools you are given to make your security top-notch: security scans, two factor authentication and the Update All feature. They are there to help you and let you sleep easy. At the end of the day we have your back, and we will always keep you informed about security issues, as we did with the DDoS attacks.
Our service is secure and to this day we have had no major issues, but the best policy is still to share with us only what you are comfortable sharing.