
Web Security Due Diligence

Whilst it is seemingly impossible to cover all the bases, we have a primary duty of care to:

  • Identify risks – treat or mitigate
  • Demonstrate that security is taken seriously
  • Constantly improve

Unfortunately too many organisations take a knee-jerk approach to Website Security Due Diligence, reacting to legislative or regulatory demands such as GDPR or those of the professional body they belong to. Others rank the importance of web security by its effect on performance, e.g. how a security measure such as SSL affects SEO ranking. We continue to be surprised (shocked, amazed, appalled) by the number of ‘professional’ websites, public and private sector, that we encounter waving Cyber Essentials and Information Security banners and badges yet lacking the obvious: encryption, an appropriate and relevant privacy policy, opt-in on contact forms, and with credentials left exposed…

  1. Audit – brainstorm, scan or look for issues.
  2. Action – take immediate action, schedule next action.
  3. Assess – monitor effectiveness. Can anything be done better?
  4. Account – document all the above to form an incident record.

Web Security Risks Impact

  • Data Theft
  • Malicious Code
  • Unauthorised Access
  • Fraud – through impersonation
  • Punitive Fines for GDPR breaches
  • Loss of business and revenue
  • Reputational Damage

WordPress Malware Scan & Fix

A significant proportion of website owners are unaware of malware present in their hosting and infecting their websites, and even if they were, they wouldn’t know what to look for. An effective WordPress security maintenance check should include a scan for known malware and suspicious files, identify them and suggest a fix (delete, quarantine, etc.). For persistent malware problems the frequency of scanning should be increased until the source or cause can be identified and treated.
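
The scan described above can be made repeatable by keeping a baseline of file hashes from a known-clean state and comparing each maintenance run against it. The script below is an added example, not HDUK’s own tooling: it assumes a baseline manifest of SHA-256 hashes is taken when the site is known clean, and it adds two constructed heuristics (obfuscated decode-and-eval code, and PHP files under wp-content/uploads) as leads for a human to inspect rather than as verdicts. The sample trees at the bottom are constructed for the demonstration.

```python
"""File-integrity and suspicious-file scan for a WordPress install (added example)."""
import hashlib
import os
import re
from typing import Dict

# Constructed detection heuristics. Obfuscated PHP droppers very often decode a
# blob and eval it in one step, and executable PHP has no business under
# wp-content/uploads. A hit is a lead for a human to inspect, not a verdict.
CODE_PATTERNS = {
    "eval-of-decoder": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\("
    ),
    "long-base64-blob": re.compile(
        rb"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{200,}['\"]"
    ),
}
UPLOADS_PHP = re.compile(r"^wp-content/uploads/.*\.php$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline: relative path -> SHA-256, recorded when the site is known clean."""
    return {path: sha256_hex(data) for path, data in tree.items()}


def load_tree(root: str) -> Dict[str, bytes]:
    """Read a real install into memory (run against the live docroot).
    The demonstration below uses a constructed dict instead."""
    tree: Dict[str, bytes] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                tree[rel] = fh.read()
    return tree


def scan(tree: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, list]:
    """Compare the current tree with the baseline and run the heuristics."""
    report: Dict[str, list] = {"modified": [], "added": [], "missing": [], "suspicious": []}
    for path in sorted(set(tree) | set(manifest)):
        if path not in tree:
            report["missing"].append(path)
            continue
        digest = sha256_hex(tree[path])
        if path not in manifest:
            report["added"].append(path)
        elif manifest[path] != digest:
            report["modified"].append(path)
        # Heuristics run on every present file, unchanged ones included,
        # because the baseline itself may have been taken on a dirty site.
        if UPLOADS_PHP.match(path):
            report["suspicious"].append((path, "php-in-uploads"))
        for label, pattern in CODE_PATTERNS.items():
            if pattern.search(tree[path]):
                report["suspicious"].append((path, label))
    return report


# Constructed sample: a clean baseline, then the same site after an incident.
BASELINE_TREE = {
    "wp-config.php": b"<?php\ndefine('DB_NAME', 'wp');\n",
    "wp-content/themes/demo/functions.php": b"<?php\nadd_action('init', 'demo_setup');\n",
    "wp-content/plugins/akismet/akismet.php": b"<?php\n// plugin bootstrap\n",
}
BASELINE_MANIFEST = build_manifest(BASELINE_TREE)

CURRENT_TREE = dict(BASELINE_TREE)
del CURRENT_TREE["wp-content/plugins/akismet/akismet.php"]           # plugin removed
CURRENT_TREE["wp-content/themes/demo/functions.php"] += (
    b"eval(base64_decode('QUFBQQ=='));\n"                             # injected line, placeholder blob
)
CURRENT_TREE["wp-content/uploads/2024/01/image.php"] = b"<?php\n// dropped file\n"


def demo_report() -> Dict[str, list]:
    return scan(CURRENT_TREE, BASELINE_MANIFEST)


if __name__ == "__main__":
    for key, items in demo_report().items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Record the report alongside the date and the action taken (delete, quarantine, restore from backup); that record is the incident trail the Account step asks for, and a rising count of “added” or “suspicious” entries between runs is the signal to increase scan frequency.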

Login Activity Audit

We have encountered additional administrator accounts on clients’ websites that no one seems to have created or can account for. As part of a WordPress Security Maintenance check the following needs to be done, at a minimum:

  • Remove all unaccounted-for admin accounts and restrict the number to one or two
  • If feasible, whitelist your own and the client’s static IPs
  • Change the default path to the admin panel
  • Maintain an access log of all logins to the admin panel
  • Blacklist IPs that repeatedly attempt to gain unauthorised access
  • Enforce a strong password policy
  • Add two-factor authentication

Form CAPTCHA

Contact forms are without fail prime candidates for spammers, be they human or automated ‘bots’. They can also be used in brute-force attacks to gain access to your website administration.

CAPTCHAs have come a long way since having to answer a simple challenge question or solve a mathematical formula.

Where contact forms are in use, the most suitable and secure form of CAPTCHA should be enlisted.

SSL Encryption

Install SSL certificate and verify

SSL Certificates were once the preserve of ecommerce sites and corporates handling sensitive client data; not so today. For any site to be taken seriously and to have a credible ranking in Google, the trusty padlock has to be there in the address bar, closely followed by the https:// prefix.

An SSL certificate:

  • Encrypts and secures traffic to and from your website
  • Prevents phishing
  • Builds user confidence
  • Improves your Google ranking

As part of the WordPress security check the validity of the certificate is checked, and access errors and mixed content are identified and fixed.
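
Both halves of that check can be scripted. The example below is added here and is not HDUK’s tooling: days_until_expiry() opens a verified TLS connection to a hostname (it needs network access, and a chain or hostname failure surfaces as an exception, which is itself the finding), and find_mixed_content() scans the HTML of a page served over https for sub-resources still fetched over plain http, separating the “active” kinds that browsers block from the “passive” kinds they downgrade or warn about. The HTML snippet is constructed for the demonstration; the hostnames in it are example domains.

```python
"""Certificate expiry and mixed-content checks for an https site (added example)."""
import re
import socket
import ssl
import time
from typing import Dict, List, Tuple


def days_until_expiry(hostname: str, port: int = 443, timeout: float = 5.0) -> int:
    """Days left on the served leaf certificate, after full chain and hostname
    verification. Needs network, so the offline demonstration does not call it.
    ssl.SSLCertVerificationError here means browsers will refuse the page too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    expires_at = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires_at - time.time()) // 86400)


# Mixed content: a page served over https pulling a sub-resource over plain http.
# Browsers block "active" mixed content (scripts, frames, stylesheets, form
# targets) and downgrade or warn on "passive" content (images, media).
TAG_RE = re.compile(r"<(?P<tag>[a-zA-Z][a-zA-Z0-9]*)\b(?P<attrs>[^>]*)>", re.S)
ATTR_RE = re.compile(
    r"""\b(?P<name>src|href|action|data)\s*=\s*(?P<q>["'])(?P<val>.*?)(?P=q)""", re.S
)
# <link> is counted as active: rel="stylesheet" is by far the common case.
ACTIVE_TAGS = {"script", "link", "iframe", "frame", "object", "embed", "form"}


def find_mixed_content(html: str) -> List[Tuple[str, str, str]]:
    """Return (tag, url, 'active'|'passive') for each sub-resource loaded over http://.
    Protocol-relative (//host/...) and relative URLs inherit https and are fine."""
    findings: List[Tuple[str, str, str]] = []
    for tag_m in TAG_RE.finditer(html):
        tag = tag_m.group("tag").lower()
        if tag == "a":
            continue  # a hyperlink to an http:// page is navigation, not mixed content
        for attr_m in ATTR_RE.finditer(tag_m.group("attrs")):
            url = attr_m.group("val").strip()
            if url.lower().startswith("http://"):
                kind = "active" if tag in ACTIVE_TAGS else "passive"
                findings.append((tag, url, kind))
    return findings


def summarise(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    counts = {"active": 0, "passive": 0}
    for _tag, _url, kind in findings:
        counts[kind] += 1
    return counts


# Constructed page as it might be served after a site moved to https but kept
# hard-coded http:// URLs in its theme and content.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://example.org/wp-content/themes/demo/style.css">
<script src="http://cdn.example.net/jquery.js"></script>
</head><body>
<img src="http://example.org/wp-content/uploads/logo.png" alt="logo">
<img src="//example.org/wp-content/uploads/hero.png" alt="hero">
<a href="http://example.org/about">About</a>
<form action="https://example.org/contact"><input name="email"></form>
</body></html>
"""


def demo_findings() -> List[Tuple[str, str, str]]:
    return find_mixed_content(SAMPLE_HTML)


if __name__ == "__main__":
    for tag, url, kind in demo_findings():
        print(f"{kind:7} <{tag}> {url}")
    print(summarise(demo_findings()))
```

On a WordPress site the usual fixes are a search-and-replace of the old http:// site URL in the database and theme files, and correcting the WordPress Address and Site Address settings; re-run the scan afterwards so the record shows the mixed content is gone, not just reported.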

Disable File Editing

Turn off file editing

WordPress allows editing of themes and plugins via the administration panel. Hackers or unauthorised users who gain access to that panel can subvert the intended use of your website or change the displayed content unless this vulnerability is mitigated.

As part of a WordPress site security review file editing should be turned off, and its status checked during subsequent maintenance checks.

Disable PHP Error Reporting

PHP error reporting can be exploited by hackers to glean information about your hosting, website platform or CMS, and to decide where to focus their attention in taking advantage of known weaknesses in software or applications.

Interrogating error messages and the header information provided can yield the following information:

  • Host operating system
  • Which control panel is being used
  • Which plugins are being used, etc.

With this information a hacker can narrow their attention to what is specific to your environment.

This should be covered in a WordPress Security Maintenance review.
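
Both the file-editing setting above and the error-display settings in this section live in wp-config.php, so the “status checked during subsequent maintenance checks” step can be one script. The following is an added example, not HDUK’s tooling, that reads a wp-config.php and reports on three real WordPress and PHP settings: the DISALLOW_FILE_EDIT constant (the admin-panel theme and plugin editor stays enabled unless it is true), the WP_DEBUG and WP_DEBUG_DISPLAY constants (WP_DEBUG defaults to false and WP_DEBUG_DISPLAY to true), and an explicit ini_set('display_errors', ...). With WP_DEBUG off WordPress leaves display_errors to php.ini, which is why the check only warns, rather than fails, when no ini_set is present. The two sample configurations are constructed; the comment-skipping is deliberately simple and suited to the comment style wp-config.php ships with.

```python
"""wp-config.php hardening check: file editing and error display (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Za-z0-9_]+)['"]\s*,\s*"""
    r"""(?P<value>true|false|\d+|['"][^'"]*['"])\s*\)\s*;""",
    re.I,
)
INI_SET_RE = re.compile(
    r"""@?ini_set\s*\(\s*['"]display_errors['"]\s*,\s*['"]?(?P<value>[A-Za-z0-9]*)['"]?\s*\)""",
    re.I,
)
DISPLAY_OFF = {"0", "off", "false", ""}   # PHP treats all of these as display_errors off


def active_lines(src: str) -> Iterable[str]:
    """Skip // and # comments and the lines of /* ... */ blocks, so a commented-out
    define is not mistaken for a live one."""
    for line in src.splitlines():
        s = line.strip()
        if s.startswith(("//", "#", "/*", "*")):
            continue
        yield line


def parse_defines(src: str) -> Dict[str, str]:
    """Constant name -> normalised value text ('true', 'false', '0', 'wp_live', ...)."""
    defines: Dict[str, str] = {}
    for line in active_lines(src):
        for m in DEFINE_RE.finditer(line):
            defines[m.group("name").upper()] = m.group("value").strip("'\"").lower()
    return defines


def check_config(src: str) -> List[Tuple[str, str, str]]:
    """Return (check, PASS|WARN|FAIL, detail) for each setting the review covers."""
    d = parse_defines(src)
    results: List[Tuple[str, str, str]] = []

    # 1. Theme/plugin editor in wp-admin: enabled unless DISALLOW_FILE_EDIT is true.
    if d.get("DISALLOW_FILE_EDIT") == "true":
        results.append(("file-editing", "PASS", "DISALLOW_FILE_EDIT is true"))
    else:
        results.append(("file-editing", "FAIL", "add define('DISALLOW_FILE_EDIT', true);"))

    # 2. WordPress debug output. Defaults: WP_DEBUG false, WP_DEBUG_DISPLAY true.
    debug = d.get("WP_DEBUG", "false") == "true"
    display = d.get("WP_DEBUG_DISPLAY", "true") == "true"
    if debug and display:
        results.append(("debug-display", "FAIL",
                        "WP_DEBUG on and WP_DEBUG_DISPLAY not false: PHP notices render into pages"))
    elif debug:
        results.append(("debug-display", "WARN",
                        "WP_DEBUG on but hidden; fine while investigating, not as a steady state"))
    else:
        results.append(("debug-display", "PASS", "WP_DEBUG is off"))

    # 3. PHP's own display_errors. With WP_DEBUG off WordPress leaves this to php.ini,
    #    so either an explicit ini_set here or php.ini itself must switch it off.
    values = [m.group("value").lower()
              for line in active_lines(src) for m in INI_SET_RE.finditer(line)]
    if not values:
        results.append(("display-errors", "WARN",
                        "no ini_set('display_errors') here; confirm display_errors=Off in php.ini"))
    elif all(v in DISPLAY_OFF for v in values):
        results.append(("display-errors", "PASS", "display_errors switched off in wp-config.php"))
    else:
        results.append(("display-errors", "FAIL", f"display_errors set to {values!r}"))
    return results


def statuses(src: str) -> Dict[str, str]:
    return {name: status for name, status, _detail in check_config(src)}


# Constructed samples: a config as often found in the wild, and a hardened one.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wp_live' );
define( 'WP_DEBUG', true );
// define( 'DISALLOW_FILE_EDIT', true );   commented out, so not in effect
"""
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'wp_live' );
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );
@ini_set( 'display_errors', 0 );
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for name, status, detail in check_config(cfg):
            print(f"  {status:4} {name}: {detail}")
```

Run it against the live wp-config.php at each maintenance visit and keep the PASS/WARN/FAIL lines with the visit record; a setting that flips back to FAIL between visits usually means someone edited the file by hand or a plugin toggled debug mode and left it on.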

Sectigo SSL Certificates

Most have heard of Comodo, or Comodo CA, when the conversation turns to SSL Certificates. No surprise, as Comodo issued 91 million certificates to more than 200,000 customers worldwide. Comodo is now owned by and branded as Sectigo, who describe themselves as follows:

Sectigo is the world’s largest commercial Certificate Authority (CA) and a leading web security solutions company, enabling organizations worldwide to secure their identities, web presence and connected devices. Enterprises of all sizes rely on Sectigo SSL for multi-layer defense against rising and more sophisticated web-based threats across websites, devices, infrastructure, and cloud – from the biggest brands to the smallest websites – so that they can secure today and seize their tomorrow. (Source: https://sectigo.com/about)

HDUK Limited’s clients benefit from security products from the biggest and best providers, at the best value-added prices.

Get SSL Today Via HostFraser.com

Website Security Due Diligence

HDUK Limited is managed by professionals with years of corporate management experience delivering IT, Service and Compliance. The majority of our clients today are relatively small operations employing between 1 and 50 individuals, without the deep pockets or big budgets that a multinational invests in hired staff to routinely perform due diligence security checks on their public-facing assets, websites or apps. However ‘small’ we think we are, we are exposed to exactly the same risks as large corporations, as set out under Web Security Risks Impact above.


Website Maintenance Plans

 
HDUK Limited (also known as Hosting & Design UK for web clients) provides ad hoc, on-demand or regular maintenance interventions for small, medium and larger businesses, enabling due diligence to be evidenced and a document trail to be maintained.

  • Activity log – who last accessed your web administration, and when
  • Users – are there any unexpected or surplus-to-requirements admin accounts?
  • Malware scan – identify, record and treat suspicious files
  • Mitigate risks – update plugins and themes, remove surplus ones
  • Security enhancements – mask default login names and paths, set correct access permissions, plus two-factor authentication, CAPTCHA, honeypot traps etc.

See our WordPress Security Maintenance Checklist

If your budget or operational needs do not support a full-time, employed resource then speak with us and pay for what you need, as often as you need it: 0207 993 4796 or mobile 07956438026.

Contact us today for a Website Maintenance Plan that suits your needs.

Monthly Website Maintenance Plan

Ad hoc or ongoing WordPress website maintenance agreements
£60 monthly
  • Core Files, Theme and Plugin Updates
  • Security Surveillance and Malware Check
  • Performance and Functional Checks
  • Computerised Management Database Email Updates