Today is Computer Security Day. How to take care of information security, and how to keep your WordPress site as secure as possible?

The roots of the Computer Security Day go back to year 1988. The day was created after an attack towards the Internet’s predecessor, ARPANET. The aim of the Computer Security Day is to raise awareness of cybersecurity issues and to remind all of us to take good care of information security. Here’s how to keep your passwords, WordPress and devices protected!

Just a few minutes is enough to protect your data. With these comprehensive tips, you can make sure your important data stays safe.

How to Keep Your Password Safe

Weak and thus easily crackable passwords can play an important role in whether or not a site gets broken into. Short passwords that don’t contain a variety of (uppercase and lowercase) letters, numbers and special characters, or passwords that are used in multiple services and have never been changed can mean a cybercriminal gets to log in to your user account.

You can create strong passwords with your browser or with a separate password management software or application. The good thing about this kind of password manager is that you don’t need to remember all the passwords – you just access a password database behind one master password, which of course needs to be a strong one. If you don’t want to use a password manager, an alternative is to use complete sentences instead of singular words in the passwords you create. These are usually easier to remember than random strings of letters and numbers!
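To make the "complete sentences" advice concrete, here is a small added example (not code from Seravo or from the original article) that generates a word-based passphrase with Python's cryptographic random source and compares its entropy with that of short mixed-character passwords. The word list embedded below is a constructed toy list; the entropy figures assume a published list of 7776 words, the size of the usual diceware-style lists.

```python
import math
import secrets
import string

# Constructed toy word list for the demo. A real generator draws from a large
# published list; the entropy figures below assume a 7776-word list (assumption).
SAMPLE_WORDS = ["anchor", "basket", "candle", "dolphin", "ember", "forest", "garden",
                "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
                "orchid", "pebble"]
DICEWARE_LIST_SIZE = 7776
FULL_PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a uniformly random secret: symbols * log2(choices per symbol)."""
    return symbols * math.log2(choices_per_symbol)


def generate_passphrase(words, count: int = 5, separator: str = "-") -> str:
    """Pick `count` words using the `secrets` CSPRNG (never the `random` module)."""
    return separator.join(secrets.choice(words) for _ in range(count))


def generate_password(length: int = 16) -> str:
    """Random password over the full printable ASCII set, for comparison."""
    return "".join(secrets.choice(FULL_PRINTABLE) for _ in range(length))


def compare_strength() -> dict:
    """Bits of entropy for typical choices, rounded to one decimal place."""
    return {
        "8 chars, letters+digits": round(entropy_bits(62, 8), 1),
        "16 chars, full printable": round(entropy_bits(len(FULL_PRINTABLE), 16), 1),
        "5 diceware words": round(entropy_bits(DICEWARE_LIST_SIZE, 5), 1),
        "6 diceware words": round(entropy_bits(DICEWARE_LIST_SIZE, 6), 1),
    }


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("password:  ", generate_password())
    for label, bits in compare_strength().items():
        print(f"{label:28s} {bits:6.1f} bits")
```

The point of the comparison: five random words from a 7776-word list carry more entropy than an eight-character password mixing letters and digits, while being far easier to remember. The words must be chosen at random, though; a sentence you make up yourself is much more predictable than the arithmetic suggests.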

There are also other ways in which you can ensure good password hygiene: if you’re for example working remotely in a public place, make sure no one can see your password when logging in to services. If possible, use a screen protector on your device, and remember to lock your devices when not in use. Avoid public wireless networks, as using open wi-fi involves risks – anything you do in such a network can be snooped, exposing your credentials.

Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA)

Two-factor authentication cannot be recommended enough, especially on WordPress sites. Seravo’s hosting does provide protection against bots’ automated login attempts, but 2FA can protect your site even if your password was weak or exposed in a data leak previously. You can check with haveibeenpwned.com if your email address has previously been involved in a data leak, and if the password you’re using is thus potentially known to attackers.

For the aforementioned reason, you should never use the same password across different services – it can be leaked from one service and be used to gain access to another service. With two-factor authentication, logging in to the service is further confirmed with the aid of a separate code, device or application, and the malignant login attempt fails.

A separate security key device (such as the YubiKey) can also be used for two-factor authentication.

WordPress Security, Enhanced

In addition to good password hygiene and 2FA, you can also take care of the security of your WordPress site by deploying more advanced security techniques and settings.

CSP and HSTS Headers for WordPress

If you want to protect your site from malicious attacks, you can edit the site’s HTTP response headers. XSS, or Cross-Site Scripting, is an example of an attack that allows malicious code to be injected into a website. Another example, clickjacking, is an attack where elements of a website, such as buttons and links, are modified to suit the attacker’s intentions. Site visitors can then be redirected to a potentially malignant website.

Attacks such as XSS and clickjacking can be prevented by using Content Security Policy (CSP) headers. With CSP, the site tells the visitor’s browser which servers it may load scripts and other content from, so that content from anywhere else is refused.

The HSTS (HTTP Strict Transport Security) header tells the user’s browser never to connect to the site without a secured HTTPS connection. The HSTS header therefore provides protection against DNS hijacking, for example.

A template for CSP and HSTS headers can be found at Seravo’s WordPress hosting by default. If necessary, their settings can be edited to further enhance site security. For more information on HSTS and CSP, visit the Seravo Knowledge Base.

When configuring HSTS and CSP, please bear in mind that stricter rules may have an impact on the site’s functionalities. Therefore, Seravo cannot enforce the strictest HSTS or CSP rules on sites in our WordPress hosting. Rather, these techniques should be implemented in cooperation with the site developer and other stakeholders.
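Since the sections above say that stricter CSP and HSTS rules improve protection but may break site functionality, it helps to be able to see exactly which parts of a header value are weak before tightening them. The following added example (not Seravo’s template or code) parses Content-Security-Policy and Strict-Transport-Security header values and reports settings that leave XSS, clickjacking or plain-HTTP exposure open. The sample header values are constructed for the demonstration; the one-year max-age threshold is a common recommendation, not a Seravo setting.

```python
from typing import Dict, List

# Constructed sample header values for the demo (not from any real site).
WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'; frame-ancestors *"
STRICT_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
              "object-src 'none'; frame-ancestors 'none'; base-uri 'self'")
WEAK_HSTS = "max-age=0"
STRICT_HSTS = "max-age=31536000; includeSubDomains"

ONE_YEAR = 31536000  # seconds; commonly recommended minimum HSTS max-age


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}; directives are ';'-separated."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_csp(header: str) -> List[str]:
    """Findings for settings that weaken XSS or clickjacking protection."""
    policy = parse_csp(header)
    if not policy:
        return ["no Content-Security-Policy header: the browser applies no restrictions"]
    findings: List[str] = []
    default = policy.get("default-src", [])
    if not default:
        findings.append("no default-src: resource types without their own directive are unrestricted")
    scripts = policy.get("script-src", default)  # script-src falls back to default-src
    for risky in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
        if risky in scripts:
            findings.append(f"script sources allow {risky}, which largely defeats the XSS protection")
    ancestors = policy.get("frame-ancestors")
    if ancestors is None:
        findings.append("no frame-ancestors: the page can be framed by any site (clickjacking)")
    elif "*" in ancestors:
        findings.append("frame-ancestors *: the page can be framed by any site (clickjacking)")
    if "object-src" not in policy and "'none'" not in default:
        findings.append("no object-src: plugin content (object/embed) is allowed")
    return findings


def parse_hsts(header: str) -> Dict[str, str]:
    """Parse 'max-age=N; includeSubDomains; preload' into a lower-cased dict."""
    params: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            params[name.strip().lower()] = value.strip()
    return params


def audit_hsts(header: str) -> List[str]:
    """Findings for an HSTS value that leaves room for plain-HTTP connections."""
    params = parse_hsts(header)
    if not params:
        return ["no Strict-Transport-Security header: the browser may still try plain HTTP"]
    findings: List[str] = []
    try:
        max_age = int(params.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below the commonly recommended one year ({ONE_YEAR})")
    if "includesubdomains" not in params:
        findings.append("includeSubDomains missing: subdomains can still be reached over plain HTTP")
    return findings


if __name__ == "__main__":
    for label, csp, hsts in (("weak", WEAK_CSP, WEAK_HSTS), ("strict", STRICT_CSP, STRICT_HSTS)):
        print(label, "CSP: ", audit_csp(csp) or ["ok"])
        print(label, "HSTS:", audit_hsts(hsts) or ["ok"])
```

Run against a site’s actual header values, an empty finding list is the goal; each remaining finding is a candidate for tightening, tested on a staging copy first, because a directive such as script-src 'self' will also block any third-party scripts the theme or plugins legitimately load.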

Seravo Plugin – Security Settings for WordPress

At Seravo, security is taken care of as well as possible, both in WordPress and in the database. Unlike other service providers, at Seravo you don’t pay any extra for the best security for WordPress – it’s included in each plan. In the Seravo Plugin (Tools > Security) integrated into your WordPress admin dashboard, you can also find more security settings to further improve the security of your site. Be sure to check them out! If you have any questions about the settings, our support will be happy to help you.

Check out also our WordPress Security FAQ, especially if you are considering a security audit on your site. On this page you will find more detailed information on how security is taken care of at Seravo, including how to protect against denial of service (DoS) attacks, how load balancing is implemented and how to interpret the results of a security scan.

Restricting Access in WordPress

It is possible to restrict access to the whole site based on the visitor’s geographical location, implemented either in PHP or in the Nginx HTTP server. Such a restriction can of course be circumvented, but in some cases it can help to control unwanted traffic, such as bots that unnecessarily crawl the site. For more detailed instructions on how to implement this restriction, see our knowledge base.

We do not recommend trying to hide the WordPress login page (wp-admin, wp-login.php) by renaming it, as two-factor authentication is a much more effective protection for it. Seravo’s developer documentation also has information about restricting access in WordPress.

Protect Your Contact Forms and Put an End to Spam

If your WordPress site has any forms and they are not protected with a captcha, the forms can potentially be used by a bot to send spam. A captcha plugin can tell the difference between a human user and a robot, so that the form cannot be abused for outgoing spam.

It’s also worth checking whether the contact form plugin you’re using has any additional built-in settings to help you keep spammers at bay. You should also check your domain’s SPF, DKIM and DMARC records, which we will cover later in this article.

Keep WordPress Updated

Keep your WordPress updated! At Seravo, our unique update system first tests the updates in a separate copy or a shadow environment to ensure that the site does not crash after the updates. Seravo’s WordPress hosting also includes security updates. We monitor information about new vulnerabilities that are discovered, and we always make security updates to your site without delay, separate from the update system.

It is also a good idea to keep the PHP version of your site up to date. Prior to a PHP upgrade, you should make sure that the plugins and theme of your site support the newer PHP version. If the theme you are using is custom-made, or if your site has tailored custom plugins, you may need the help of a site developer to upgrade the PHP version.

Uninstall Unused and Unnecessary WordPress Plugins

Make sure to uninstall any and all plugins that are not actively used on your WordPress site, especially if they have been abandoned as obsolete even by their own developers. By cleaning up the plugins, you will have less code on your site for an attacker to find vulnerabilities to exploit.

Monitoring is included in every plan at Seravo. Our 24/7 monitoring will notify the site’s technical contact if a plugin with a known vulnerability is installed on your site. However, hackers may be able to exploit vulnerabilities before they are discovered, so it is always a good idea to remove unnecessary and redundant plugins. At the same time you optimise your site – no extra content slowing down your WordPress!

Backups You Can Rely On

At Seravo, you don’t need to take care of installing and keeping an eye on a separate backup plugin, as your site is automatically backed up once per day, included in our WordPress hosting and upkeep. Each backup is stored for 30 days, allowing your site to be restored quickly and reliably. You can either restore the backup yourself with the aid of our instructions, or let our support team do it for you for free. Restoring your site from a backup is part of Seravo’s customer service, no extra charges!

Additional Tips for Information Security

Beware of Scam Emails

Treat incoming emails and messages with caution, and always check the address from which they were sent. Does the domain of the sender’s email address seem legit? It is safest not to click on any links in the message until you are sure of the sender. If something seems off, the message might be a phishing attempt. Look out for things like spelling errors, weird domains, URLs and links, a sense of urgency, or requests to suddenly transfer money. Never share your credentials with anyone who asks for them, no matter how important the request may first seem!

Verify Domain Information

At Seravo, maintaining one domain is included in each plan. Customers who have transferred their domain management to Seravo may receive an email asking them to verify the domain or to check their contact details. Such a message is valid, and the domain owner information must be kept up to date as required by ICANN. You can find an example of a message like this in the Seravo knowledge bank. However, if you are concerned about the message’s authenticity, it is safest not to click on any links and forward the message to help@seravo.com. We will then check the validity of the message.

Check DNS records: SPF, DKIM and DMARC

Are you getting messages where the sender appears to be a familiar person and the domain name seems valid, but the content is clearly the work of a spammer? A phishing message can be sent from any address. One way to prevent such domain abuse is to make sure that email DNS records are properly configured.

The SPF, DKIM and DMARC records affect how receiving mail servers handle email sent in your domain’s name, so it is worth taking the time to configure them as desired. Each record takes care of a different thing, but together they make it more likely that legitimate email from your domain is delivered rather than treated as spam. Unfortunately not all organisations have adopted DMARC, for example.

Although Seravo cannot directly determine the content of these DNS records on behalf of our customers, you can always contact us if you have any questions about them. If the domain has been transferred to Seravo, you can access and edit the records by logging into WordPress, under Tools > Domains. See this article for further instructions.
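As an added example for the SPF and DMARC records discussed above (example code, not a Seravo tool), the following Python script parses the two record types and reports the configuration mistakes that most often leave a domain open to spoofing or cause legitimate mail to be rejected. The sample records are constructed for the fictional domain example.com. DKIM is not checked here, because validating it needs the public key published in DNS and a signed message, which cannot be done offline.

```python
from typing import Dict, List, Tuple

# Constructed sample records for the fictional domain example.com.
GOOD_SPF = "v=spf1 include:_spf.example.net mx -all"
WEAK_SPF = "v=spf1 a mx ptr +all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
WEAK_DMARC = "v=DMARC1; p=none"

# SPF terms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """Return (qualifier, name, argument) for each term after the v=spf1 tag."""
    terms = []
    for token in record.split()[1:]:
        qualifier = "+"                        # the default qualifier is pass
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        if "=" in token:                       # modifier, e.g. redirect=_spf.example.net
            name, arg = token.split("=", 1)
        else:                                  # mechanism, e.g. include:_spf.example.net
            name, _, arg = token.partition(":")
        terms.append((qualifier, name.lower(), arg))
    return terms


def audit_spf(record: str) -> List[str]:
    """Findings for an SPF record that is invalid, too expensive or too permissive."""
    if not record.lower().startswith("v=spf1"):
        return ["record does not start with v=spf1: receivers will ignore it"]
    terms = parse_spf(record)
    findings: List[str] = []
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}: "
                        "receivers return permerror and the record is useless")
    if any(name == "ptr" for _, name, _ in terms):
        findings.append("ptr mechanism is deprecated and slow; use a, mx or ip4/ip6 instead")
    all_qualifiers = [q for q, name, _ in terms if name == "all"]
    if not all_qualifiers:
        findings.append("no 'all' term: unlisted senders get an implicit neutral result")
    elif all_qualifiers[-1] == "+":
        findings.append("+all authorises every host on the internet to send as your domain")
    elif all_qualifiers[-1] == "?":
        findings.append("?all is neutral: forged mail is neither passed nor failed")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> List[str]:
    """Findings for a DMARC record that only monitors or reports nothing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1: receivers will ignore it"]
    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("no p= tag: the record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors: forged mail that fails SPF/DKIM is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports about abuse of the domain")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    for label, rec in (("good SPF", GOOD_SPF), ("weak SPF", WEAK_SPF)):
        print(label, audit_spf(rec) or ["ok"])
    for label, rec in (("good DMARC", GOOD_DMARC), ("weak DMARC", WEAK_DMARC)):
        print(label, audit_dmarc(rec) or ["ok"])
```

In practice you would feed the script the TXT records of your own domain and of _dmarc.yourdomain, move from p=none to p=quarantine and finally p=reject once the aggregate reports show that all legitimate sending services pass SPF or DKIM, and keep the lookup count well under ten when adding include: entries for newsletter or CRM providers.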

Help, I Think My Site Has Been Hacked!

If your WordPress site is hosted at Seravo, don’t worry – our monitoring will check your site for security breaches and report them to you. Seravo’s security guarantee ensures that we’ll get your site back up and running at the end of the investigation and clean it of malicious code, free of charge. You can read more about the security guarantee on the WordPress Security FAQ page. Contact us as soon as possible if you suspect your site has been compromised and we’ll sort it out!

Fast and Secure Server for Your WordPress Site

Seravo’s premium WordPress hosting and upkeep ensures that your site stays fast, secure and updated. We don’t only sell server capacity – we want your site to run well and optimized, whether it’s a standard WordPress site, an e-commerce site or a multisite. We’re always happy to advise you on all your WordPress and security needs!