We’ve spent a year protecting ourselves, but what about our data?

Let’s not beat about the bush, it’s been a bit of a strange year. Face masks and distancing became ‘normal’, and as for what the next few months hold… well, that’s still anyone’s guess.

Have we learnt anything in this strange time though? Some would say they’ve learnt not to trust politicians, or local or national Government, but that’s not really the road I want to go down right now…

Back in March 2020 several people said – or at least thought – “it will all be over in a few weeks” and put parts of their normal routines on hold for that time. Ian Dickson’s advice at the time was “plan on this lasting six to eight months”. Some no doubt laughed, but many people I know took this advice and planned accordingly. Whichever school of thought you subscribed to here though, one thing was common for us all: no one knew how long it would last or what would happen. I dare say it’s often like that in a lot of businesses, organisations, even families.

We adapted to doing things differently. For some this was harder than others. I’ve been advocating, practising and facilitating remote/home-working for almost twenty years. I used Zoom before most people had even heard about it. In many ways I had it easy, but not everyone did. I had the privilege of helping some people transition to working differently, of helping businesses change their focus and way of working (hate the P word), and watching some thrive over the past year. I’ve also seen some former colleagues and friends slide away into the background, sometimes their businesses too.

We put more effort into protecting ourselves. Washing hands, social distancing, wearing masks, and now vaccinations. We stopped doing things that could have a higher risk (not necessarily through choice, but generally for the right reasons) and got to know the insides of our homes much better.

But what about our data?

Throughout this period of putting more effort into protecting ourselves, I’ve had several failed hard drives come in for repair and recovery, and been called upon to recover a number of hacked websites too. It’s left me wondering what it would be like if we applied some of the lessons and changes of the past year to our digital lives as well as our personal lives.

The simple takeaway is backup, backup, backup. Whether it’s the files on your computer, the photos on your phone, the USB stick that you carry around, your emails, your website… whatever digital data you rely on: backup!

Washing hands. Two minutes isn’t long in the scheme of things, and a squirt of hand sanitizer here and there doesn’t really eat into our productivity. Yet we so often pull a USB memory stick thing or external hard drive out of its slot without making sure the computer isn’t still accessing it – the quickest way to cause corruption and data loss. We don’t save our work as we go along ‘just in case’ (goes and presses save draft). We don’t install the updates for software we rely on, or the themes and plugins on our website… You get the idea: quick and simple steps that can help prevent bigger problems.

Social distancing. We became wary of other people getting too close, but make little effort to protect ourselves with unique/complex passwords as we know we should. We’d wipe down the handles of a supermarket trolley but not run an anti-virus scan on our computer or website. We’d limit the number of people we were with, yet some web designers and hosts will put multiple websites onto a single account, so that if one gets breached the hacker has access to spread their virus or malware to them all. I’ve seen it happen sadly.

Wearing masks. The barrier to help prevent the spread of the virus, stopping it from getting in (or out, or both… let’s leave the exact science and questions about type and filters to one side for now for the sake of the analogy, thanks). In the digital world the obvious equivalent would be a firewall. Windows has one built in. Your router may too. Does your website? We install WordFence on all WordPress sites we manage, and one site reported over 500 blocked access attempts one afternoon last week. Someone was clearly intent on causing some damage to that site. They couldn’t. We also recommend CleanTalk to protect against spam submission on contact forms and comments.

Prevention is better than cure – we’ve all heard the adage, and it’s so true in these examples. Last week we were called upon to look at two websites that had been compromised. One client hadn’t even started to build anything on their site at the time, but it was redirecting visitors to malware. Given that there was nothing on there the quickest and safest option was to just delete the files and start again. The other was a well-established business site with content that had been built up over a number of years. Someone had gained access, edited the content of files, installed others, and the net result was that the site was no longer accessible at all. We were able to restore the entire site within a couple of hours, but had there been a backup in place it would have taken ten minutes.

Practical Steps

Right, enough wittering on: what steps can you take to protect your data?

  1. No matter what else, take regular backups of your data. If your site is hosted with us you have access to manual backups in the Hosting Control Panel and can take your own backup at any time. If you are on a Managed WordPress plan (CloudHost Connect) then we are running regular offsite backups for you.
  2. Keep each website in a separate hosting account so that others aren’t vulnerable if one gets compromised. It can mean paying slightly more, but we can sometimes negotiate on the cost of additional hosting accounts.
  3. Have a Firewall and other protection in place. Most Hosting providers will have some level of protection on their network already – do check and make sure it’s enabled. If you are using WordPress, install and configure WordFence to help protect the site for you… again, if you have a Managed WordPress plan with us then you’re already covered, and CleanTalk can be added if needed.
  4. WordPress is the most common CMS, and therefore the one that hackers prefer to target. It’s really important to make sure that the core code, themes and plugins are kept up to date. (Yes, we can…)
  5. Check who has access to your website and hosting account. Remove people who no longer need access and make sure that passwords are unique, complex, and changed regularly.

Help if you need it

If you have any concerns about your own website, hosting or computer then get in touch and let’s explore what might need to be done.

Extra WordPress tools on CloudHost.One™

If you have WordPress Hosting on our platform you also have access to some additional tools in your Hosting Control Panel that can help keep the site safe and secure.

CloudHost.One WordPress Tools

You can quickly see which Plugins and Themes are installed and enabled, and can deactivate them if needed from the Control Panel (this can be helpful if one is causing problems). Users can be viewed, added, edited or removed from here also.

If you are looking to make changes to your WordPress site, our 1-click Staging environment can be a huge help. It will create a copy of the site so that you can work on changes without affecting the live site, and once you are ready you can then push all those changes from the Staging site to the Live site in a single click.

Finally, the Checksum Report checks the core files of the WordPress installation and determines if they match those of the official WordPress core repository. Should it find any possible problems you’ll be alerted, and can then fix those files. (You may want to also take advantage of the Malware Scanner further down the page too!)

Is your WordPress site Secure?

I’ve spoken with two people this week who lost access to their website, as a direct result of not keeping on top of security updates. 

Both of them are WordPress sites – a popular platform, with lots of additional functionality available through third-party plugins. Its popularity means it is often the target of hacking attempts too though, which is why it is vital to ensure that the core code and any plugins or themes in use are regularly updated. Whilst some of the updates are functional (adding new functionality or making things easier to use), some are security patches resolving vulnerabilities that have been detected in the code.

To give you an idea of how some people take advantage of this, here’s the message I received from one of the people I spoke to:

…it has been hijacked. Someone, a few months ago wanted some money or else.
He honoured his word.
So now it’s closed until I can find someone to sort it out on a charitable basis for now.

Someone had managed to gain access to the site, remove the existing admin logins, and make themselves the only admin for the site. When they did not receive the money they asked for, they deleted the entire site.

The Charity were not in a position to resolve the issue themselves. Their hosting provider gave them a backup of the site, but said that the backup still contained the malware used to exploit the site, and would not put it live for them until they paid to have it checked and cleaned.

Another person contacted me after noticing their website was not loading. Instead, an error message was shown. She eventually found out that her hosting provider had taken the site offline after they discovered malware on it. They had written to her two months ago, but the email had been overlooked. Their automated malware scanning system had noticed the code, and highlighted the infected file. Eventually, the host removed the malware on the site and restored access…it took two minutes, but they had done nothing for two months.

She doesn’t know when the website was taken offline: it may have been down for the whole two months! Their only recommendation was that she pay an additional £5 per month for a scanning service… a service which clearly was already running since they had previously notified her of malware.

 

Tips for keeping your site secure

There are several measures that can be taken to help protect a WordPress site. Here are our top recommendations:

  1. Regularly update the core code, themes and plugins
  2. Take regular backups in case of disaster recovery
  3. Avoid having a user called ‘admin’
  4. Use unique complex passwords

If you want to take things a step further, then you may also want to use a security plugin to detect – and block – unusual activity. These typically look for attempts to log in as ‘admin’, repeated failed logins of any kind, or repeated 404 errors; and then block that IP address for a period of time. Two-factor authentication is also worth considering, requiring a user to respond to an emailed link or other form of additional authentication when trying to log in. Some security plugins also give you the option of changing the URL used to log in to the site, or present a captcha to detect bots on the login screens.
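The detect-and-block logic described above, run over web server access log lines, as an added example (not the code of any particular security plugin): the window, block duration and thresholds are assumed values, the log lines are constructed, and a failed login is assumed to appear as a POST to `/wp-login.php` answered with 200.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')  # ip, time, method, path, status
WINDOW = timedelta(minutes=5)                 # assumed look-back window
BLOCK_FOR = timedelta(minutes=30)             # assumed block duration
LIMITS = {"failed_login": 3, "not_found": 4}  # assumed thresholds per window


def classify(method, path, status):
    # Assumption: a failed login re-renders the form (POST -> 200); success redirects (302)
    if method == "POST" and path.startswith("/wp-login.php") and status == 200:
        return "failed_login"
    return "not_found" if status == 404 else None


def blocks_for(lines):
    """Return {ip: (reason, blocked_until)} for IPs that reach a limit."""
    recent = defaultdict(lambda: defaultdict(deque))
    blocked = {}
    for line in lines:
        if not (m := LINE.match(line)):
            continue  # skip lines that are not in combined log format
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        kind = classify(method, path, int(status))
        if kind is None or (ip in blocked and when < blocked[ip][1]):
            continue
        q = recent[ip][kind]
        q.append(when)
        while q and when - q[0] > WINDOW:  # drop events older than the window
            q.popleft()
        if len(q) >= LIMITS[kind]:
            blocked[ip] = (kind, when + BLOCK_FOR)
    return blocked


# Constructed sample log lines (documentation-range addresses)
SAMPLE = (
    [f'203.0.113.7 - - [12/Mar/2021:14:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4321' for s in (1, 3, 5)]
    + [f'198.51.100.9 - - [12/Mar/2021:14:01:{s:02d} +0000] "GET /old-{s}.php HTTP/1.1" 404 512' for s in (10, 11, 12, 13)]
    + ['192.0.2.44 - - [12/Mar/2021:14:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
       '192.0.2.44 - - [12/Mar/2021:14:02:05 +0000] "GET /missing.png HTTP/1.1" 404 512']
)


if __name__ == "__main__":
    print(blocks_for(SAMPLE))
```

The third address, with one successful login and a single 404, stays below both thresholds and is not blocked.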

Some webhosting providers have additional tools available to help keep your site safe and secure. Sometimes these tools are provided as standard, sometimes they charge a premium for them.

Our hosting provides a ‘checksum report’ for the core WordPress code, which ensures there are no changes to the main code. Malware scanning, permissions check and on-demand backups are also included on every site as standard.

For sites connected to our WordPress Management Platform, regular backups are taken and stored off-server, and every site is checked at least once a week for any code updates. A staging environment is also available so that changes can be tested without affecting the live site. Additional security is also applied to most sites automatically, and provided as standard on all sites that we actively manage. All from just £10 a month.

Do check what your host provides, take a backup of your site today, and ensure all the updates have been applied.

Schedule a Tech Surgery Consultation

If you’re unsure about any of this, or want it taken care of for you, then get in touch today and we’ll make all the necessary arrangements. A one-off Tech Surgery is currently just £25, and in most cases will cover the work needed.