In the past we have talked about how we at ManageWP take measures to keep your websites secure, and about the importance of keeping everything updated. Today we want to discuss why security is not a feature for us, but a state of mind. In this twofold article I will address how ManageWP Orion helps protect your websites from known WordPress threats, and explain what precautions we take to make Orion itself a secure dashboard. We are constantly improving our security, and I will share our future plans to make Orion as secure as Fort Knox.
It’s well known that WordPress has certain security holes, as you would expect of any open source project. Open source gives anyone the opportunity to look for vulnerabilities in the code and exploit not one, but all WordPress websites. With around 3,972 known vulnerabilities (going all the way back to WordPress 0.7) there are plenty of openings for hackers to hit. The most common attacks come via plugins, which account for 52%, with 37% coming from WordPress core and only 11% from WordPress themes. What also makes WordPress a sitting duck for hackers is that it’s easy to use and set up. Everything you need is on one page, and not everyone is careful or security conscious with their site. The appeal of WordPress gives hackers the ability to control a huge number of sites; all they need is one loophole. The moment your site is connected there is a possibility of a security breach.
But, it’s not all doom and gloom.
How ManageWP Orion Resolves Known WordPress Threats
The oldest rule in the book is keeping your whole website, plugins, themes and core, up to date. Always run the latest version of WordPress; if you are not, there is a chance that you are running a version with multiple known WordPress vulnerabilities.
With one-click Update All on ManageWP, it takes no effort at all to stay on track with your updates and protect yourself from known security threats. We built this feature to make sure that basic security becomes an easy task, and a habit, so you can avoid any inconvenience with malware on your sites.
An example of a serious breach due to running a plugin with vulnerabilities is the Panama Papers Leak.
Orion has a sophisticated security scan in place. The security check scans the pages on your website and compares the code against a knowledge base of known malware. It also performs a blacklist check with a number of services, such as Google Safe Browsing, Norton Safe Web and ESET, and flags certain site errors and outdated software. If your site has been infected you will get a detailed report and a list of all the infected files. We do not offer cleaning services; it’s down to you to clean your site. You can always restore a clean backup to get your site up and running again, or attack the malware head on by hiring a professional to do the cleaning for you.
ManageWP Orion Security Lets You Sleep Easy
It seems like there are threats coming from all sides, and I have barely touched on the subject of security in WordPress. I won’t delve into different types of attacks out there, as it can get overwhelming and discouraging. However, I will summarize how we have made Orion a safe haven.
ManageWP Worker Plugin
Without the ManageWP Worker Plugin you cannot use our dashboard. The Worker Plugin is a security precaution on our side: it exposes the API that communicates with your websites. This is our custom protocol and it’s our responsibility to make sure that the API is secure. We do this by securing the API with OpenSSL, in other words with asymmetric keys, and each website gets its own unique set. Asymmetric keys make only one-way authentication possible, reducing the possibility of attacks altogether. The Worker Plugin also cuts out man-in-the-middle attacks (MITMA) by using a cryptographic nonce, which means that old communications cannot be reused for the purpose of attacks.
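The replay protection described above can be seen end to end in a small example. This is added illustration code, not the Worker Plugin or any ManageWP code: it signs each dashboard-to-site message with a fresh nonce and a timestamp, and the site-side verifier rejects any message whose nonce it has already seen. The standard library has no asymmetric signatures, so an HMAC over a shared secret (a constructed value, `SITE_SECRET`) stands in for the per-site key pair; the nonce and freshness-window logic is the part the post is about and is the same either way.

```python
import hashlib
import hmac
import json
import os
import time

# Hypothetical shared secret standing in for the per-site key pair the post
# describes; HMAC is used here because the standard library has no asymmetric
# signatures, but the nonce/replay logic is identical for a signed message.
SITE_SECRET = b"constructed-demo-secret-not-a-real-key"


def sign_request(secret, payload, nonce=None, timestamp=None):
    """Build a signed message: a canonical JSON body plus its MAC.

    nonce and timestamp default to fresh values; the demo passes fixed ones.
    """
    nonce = nonce or os.urandom(16).hex()
    timestamp = int(time.time()) if timestamp is None else int(timestamp)
    body = json.dumps(
        {"payload": payload, "nonce": nonce, "ts": timestamp},
        sort_keys=True, separators=(",", ":"),
    )
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class Verifier:
    """Site-side verifier: checks the MAC, the freshness window and the nonce."""

    def __init__(self, secret, window=300, now=time.time):
        self.secret = secret
        self.window = window          # seconds a message stays acceptable
        self.now = now                # injectable clock, for deterministic tests
        self.seen = {}                # nonce -> timestamp it was first accepted

    def verify(self, message):
        expected = hmac.new(self.secret, message["body"].encode(),
                            hashlib.sha256).hexdigest()
        # constant-time comparison so the MAC check does not leak timing
        if not hmac.compare_digest(expected, message["mac"]):
            return ("rejected", "bad signature")
        data = json.loads(message["body"])
        now = int(self.now())
        # nonces older than the window are dropped: a replay of them would
        # already fail the timestamp check, so the set stays bounded
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if abs(now - data["ts"]) > self.window:
            return ("rejected", "stale timestamp")
        if data["nonce"] in self.seen:
            return ("rejected", "replayed nonce")
        self.seen[data["nonce"]] = data["ts"]
        return ("accepted", data["payload"])


def demo(now=1_000_000):
    """Exercise the happy path, a replay, a tampered body and a stale message."""
    v = Verifier(SITE_SECRET, now=lambda: now)
    msg = sign_request(SITE_SECRET, {"action": "update_all"}, nonce="n1", timestamp=now)
    first = v.verify(msg)                       # ("accepted", {...})
    replay = v.verify(msg)                      # same nonce again -> rejected
    tampered = dict(msg, body=msg["body"].replace("update_all", "delete_all"))
    forged = v.verify(tampered)                 # body changed, MAC no longer matches
    old = sign_request(SITE_SECRET, {"action": "backup"}, nonce="n2", timestamp=now - 3600)
    stale = v.verify(old)                       # outside the freshness window
    return first, replay, forged, stale


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The timestamp window is what keeps the seen-nonce set small: without it the verifier would have to remember every nonce forever, and with it a captured message becomes useless after a few minutes even if the nonce store is lost.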
HTTPS and Two Factor Authentication
Our Orion dashboard, like the Classic one, is served over HTTPS, protecting against MITMA and authenticating the website. We also have Two Factor Authentication (2FA), which we recommend you enable. It’s easy to do: click on your name (top right corner) in Orion, go to Settings, and under Security you can input your details. Choose from email or phone, or both. 2FA prevents would-be hackers from gaining access to your site through brute force attacks (or simply guessing your password).
Amazon S3 Storage EU/USA
We have chosen AWS as our backup storage solution, not only because of their cloud compliance, but also for security reasons. However, we take extra steps to ensure security, and we do most of the work on our side. Before any data is shared or sent we make sure it is encrypted. This is done by our security team, whose primary concern is to keep your data safe. It also means that only a limited number of people have access to sensitive data, and the access keys are changed regularly. We don’t like to leave anything to chance.
Recently, you have asked us how safe your FTP credentials are with us. I have to start by saying we have not so far had a single incident or breach, so up to now your FTP credentials have been 100% secure with us. However, we understand your concern, and we will never ask you twice for them. No one is obliged to share them with us; the reason we ask is that we invest man-hours in directly solving your problems. It’s about being there to quickly help you.
If you are concerned and want to share them with us, there are two ways you can do this safely. Firstly, best practice is to create a “temporary” account through which we can access your websites, get to the bottom of the problem, resolve it and leave. When this is all done, you simply change the credentials again or delete the account. Secondly, use a one-time pass service, like NoteShred, that allows us to see the credentials once and only once.
White Hat Award
We have a White Hat Award that is given to hackers who find holes in our security and report them to us. So far we have given away 24 awards, and we are thankful these people have helped us make our service more secure. This is an ongoing reward system, and we encourage white hat hackers to help us maintain our high level of security.
Website Security Needs Constant Attention
Security measures we plan to implement in the future.
We are always looking for new ways to keep our service secure, and we are planning on implementing MD5 checksums. This will allow faster file checks that look for any changes in the files and alert us to any malicious ones. It works by comparing the WordPress core of your website to the official WordPress releases, looking for any type of change in the files. When it finds a difference, we will be able to inform you of any suspicious files. We already have the infrastructure for this in place and we are planning on fully implementing this additional security measure in due course.
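A core integrity check of the kind described above boils down to hashing every file in the install and comparing the digests to a manifest of the official release. The following is added example code, not ManageWP's implementation: it builds a constructed mini install in a temporary directory, takes its manifest as a stand-in for the official per-version checksum list, then tampers with the install and reports three kinds of drift. The `DEFAULT_IGNORE` prefixes are an assumption about a default WordPress layout (site config and `wp-content/` are not part of the core release). The hash algorithm is a parameter: the post names MD5, which is what most published core checksums use and is fine for spotting modification, but the same code runs with `algo="sha256"` where a collision-resistant digest is wanted.

```python
import hashlib
import tempfile
from pathlib import Path

# Prefixes a core manifest never covers (assumed default WordPress layout):
# the site's own config, and plugins, themes and uploads under wp-content/.
DEFAULT_IGNORE = ("wp-config.php", "wp-content/")


def hash_file(path, algo="md5"):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="md5"):
    """Map every file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p, algo)
            for p in root.rglob("*") if p.is_file()}


def check_core(root, manifest, algo="md5", ignore=DEFAULT_IGNORE):
    """Compare an install against the manifest of its official release.

    Returns sorted lists of files whose digest differs, files the release
    ships but the install lacks, and files present that the release never
    shipped (extra files in core directories are the usual sign of a drop).
    """
    root = Path(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif hash_file(path, algo) != expected:
            report["modified"].append(rel)
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel in manifest or rel.startswith(ignore):
            continue
        report["unexpected"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed mini install: build its manifest, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '4.5';\n")
        (root / "wp-includes" / "pluggable.php").write_text("<?php // core functions\n")
        manifest = build_manifest(root)  # stands in for the official per-version list

        # Site-specific files the manifest does not cover must not be flagged.
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'demo');\n")
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-content" / "uploads" / "photo.txt").write_text("not an image\n")

        # Three kinds of drift a core check should report.
        (root / "wp-includes" / "pluggable.php").write_text(
            "<?php // core functions\n// appended line\n")           # modified
        (root / "wp-includes" / "version.php").unlink()              # missing
        (root / "wp-includes" / "cache-helper.php").write_text(
            "<?php // not shipped by the release\n")                 # unexpected
        return check_core(root, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Reporting "unexpected" files, not just modified ones, matters in practice: an attacker who drops a new file under `wp-includes/` leaves every shipped file's digest intact, so a check that only compares manifest entries would stay green.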
Security Scan Scheduling & Reporting
As an added feature on our existing Security Scan, we are planning in the near future to let you schedule your scans and receive automated reports of them. We have not yet decided what this will look like, or what the options will be for scheduling time frames. We are thinking of replicating the system we use for Backup scheduling or Client Reports, giving you the same options for your Security Scan. What do you think? Comment below and tell us what you want your Security Scan Scheduling & Reporting to look like.
Our Own Security Scan
We have always had the idea to create our own Security Scan, and we are planning on taking this on after the official Orion release. With our security expert team we are outlining what our scan will look like, but we are aiming to make it the most up to date and secure scan customized exactly to our dashboard. When we have more details we will write an elaborate post about it.
Your Website, Your Security
The reality is that attacks can come from anywhere, be it via shared hosting or your login page, and it may seem mind-boggling. Don’t let it be. There are certain things you can do to protect your website. The most important is to trust your source and be conservative in your selection of plugins and themes. To keep them as safe as possible, keep everything updated; we have said it 3 times now, but it’s crucial you always run the latest versions of everything on your website. Use the tools you are given to make your security top-notch: security scans, two factor authentication and the Update All feature. They are there to help you and let you sleep easy. At the end of the day we have your back, and we will always keep you updated on any security issues, like we did with the DDoS attacks.
Our service is secure and to this day we have not had any major issues, but the best thing to do is not to trust us with things you don’t want to.
Congrats on Orion!! I had an account with you guys years ago – probably when you first opened. And it was expensive for my size… this new dashboard is just dreamy!
That was my question though – I have been looking everywhere – are the security scans automated? I pay a hefty fee to sucuri for that service and it would be a no-brainer to bring all my maintenance clients here if that were covered. every 6 hours at Sucuri. How often is recommended?
Do I need to login and manually run scans daily for clients?
Welcome back, Cathy! 🙂
The Security Check will get an automated version within a month – you’ll be able to run daily/weekly checks and receive an email/Slack notification if we find anything suspicious.
Another cool thing is the Client Report integration – if you send an executive summary of everything you’ve done for your clients, you can include the Security Check for extra style points 🙂
Hi Nevena. Could you fix the link in my post? If your weblog comment section (WordPress I’ll assume) doesn’t accept html links or uses MarkDown, you should let your avid readers know so we can format our comments appropriately. Thanks.
Keeping everything up to date all the time is not really the right advice for business owners with sophisticated sites.
WordPress releases security patches all the way back to 3.7 (on version 3.7.14) I believe. While I don’t recommend running a version of WordPress that old (3.7 is due for security retirement any day now), running a version like 4.2 with its latest security patches means more stability, particularly if your site has custom code (most businesses do at this point).
Plugins often have issues with cross-compatibility, especially if you are using the latest versions. Most do work fine with an older version of WordPress. There are some plugins which should always be up to date though: plugins which work with uploads, images and complex form submissions (like Gravity Forms or most sliders and galleries). A business can lower WordPress maintenance costs by four times by only doing a major version upgrade every 16 months instead of three times/year. We call this approach BusinessPress. Slowing down updates does not mean that an agency doesn’t need or want a WordPress management system. We’re both users and fans of ManageWP ourselves.
Indeed we’re talking to the development team about new options for security updates only.
Scheduled scans would be huge!
+1 for scheduled scans!
Agree. Security scans are an excellent idea.
How will this play with WordFence? As a matter of course, I put WordFence Pro on all my sites.
Hi Darren, at the moment WordFence Pro offers more options than us with regards to security scans and real time alerts. It has great features. However, when we release our Automatic Security Check, you won’t need all of the WordFence features, otherwise you will end up paying for the same thing twice 🙂 We are looking to release our own security model that will be customizable like most of our tools, but for now WordFence has more options to keep you updated on all of your site security.
Yea, DEFINITELY enable the security scanning & reporting. As a major selling feature of my services, it would be great to report on the progress.
When is Orion being released??? I need to mix & match different levels of support ASAP!
Hey Sam, glad you’re excited as we are about scanning and reporting. This is something we will work on after the Orion release, which should be in the next couple of months. Orion and the additions are all around the corner. Stay tuned!
Great idea for mix & matching levels of support and I can definitely see how scanning and reporting will be useful in this case.
After reading this article, I will enable 2FA even though it is a pain to do when logging in! Of course, I realise that it is another necessary precaution in the war against our enemies.
I’ll second the “Yes Please” from Brad!
PS: I always look out for your weekly notification to inform & remind me.
Hi Morgan, yep it is a pain when you want to do something quick and then you need to do an extra step when logging in, but ultimately it’s worth it! Yep, scheduling and reporting is next on the to do list, it will hopefully just save lots of time and keep you fully informed on what’s going on security wise on your websites. Glad you follow us weekly and let us know if there is anything in particular you want to read about.
Security Scan Scheduling & Reporting – YES Please 🙂
Glad you like the idea 🙂
Yeah, scheduled scans would be fantastic!