For a variety of reasons, the client preferred that I omit their name from this story, but they agreed that the lessons the consult uncovered could be valuable for many others to learn from, so it is worth sharing.
In today’s world, cyber risks like ransomware are sadly an abundant threat to any business – particularly the smaller business that may not see itself as a target for would-be hackers. Most of my colleagues in the IT world would agree that for most businesses “it’s only a matter of time until you get hacked”. They would also readily agree that the companies prepared for “when a hack happens” are the ones in the best position. While it may not eliminate the threat, being proactive with a recovery plan in place can save you thousands, if not millions, of dollars – depending on the site and the cost of the interruption.
In this situation, a friend referred me to their friend, who was managing a fast-growing consulting company. Their entire company was managed remotely, so keeping their operations functioning was a top priority for them. To manage the company and deliver its multi-channel marketing strategy, they operated several websites. All of them were self-hosted WordPress sites, built by someone within the organization who was admittedly a novice developer with zero knowledge of website security. Our mutual friend knew I’m highly experienced with WordPress and a stickler for security, since I have managed two of their sites for several years now without issue. So when the topic came up, I was brought into the conversation to review their set-up for proper functionality and to help them establish a recovery strategy going forward.
After gaining access to their sites, I found multiple security concerns. Not only did they lack basic security plugins to help deter unwanted attacks, but there was no systematic process in place to manage updates to the core system or the plugins. In fact, each of the five websites had a different theme and, for the most part, different plugins. None of the tools had really been evaluated for developer integrity; they were chosen more or less at random for the lowest cost and the function they provided. Essentially, as updates were pushed out, they simply applied them and hoped for the best!
Luckily, nothing had gone wrong up to this point, but as a result of my investigation, the report I submitted to them included several security recommendations. Those included…
1) Add a Firewall: I recommended installing a reputable security plugin that provides both file scanning and firewall protection. I also recommended several server-side settings in the .htaccess file to further harden the site and block unwanted access to frequently targeted files.
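As an added example of the kind of .htaccess hardening referred to above (not the specific settings from the consult report, which this post does not list), assuming Apache 2.4 with AllowOverride enabled for the WordPress directory:

```apache
# Fragment 1: place in the WordPress web root alongside wp-config.php.

# Refuse direct web requests to files that automated scanners probe most often.
# wp-config.php holds database credentials; xmlrpc.php is a common brute-force
# and amplification target; readme.html/license.txt leak the WordPress version.
<FilesMatch "^(wp-config\.php|xmlrpc\.php|readme\.html|license\.txt|\.htaccess)$">
    Require all denied
</FilesMatch>

# Never show a directory listing where no index file exists.
Options -Indexes

# Fragment 2: place in wp-content/uploads/.htaccess.
# Uploads should hold media only, so any script dropped there must not execute.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
```

Disabling xmlrpc.php breaks the mobile app and Jetpack-style remote publishing, so confirm nobody relies on it before applying that rule.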
2) Better Organize Operations: In a multi-site situation like this, I find it easier to use one professionally managed theme with plenty of design functionality and use it for all of the sites. It reduces maintenance time and makes content updates more efficient for those who need to access the sites, instead of requiring them to become familiar with different builder tools or structures. In this case, theme consistency, although a potential extra cost in up-front design, could prove a valuable investment in maintenance overall.
3) Better Monitor Plugin Providers: Create a record of the plugins that each of the sites uses and check them regularly against complaints or “Threat” lists to make sure the developer of that plugin is doing their part to manage their product well. If not, choose something else.
4) Monitor Site Activity: Add a plugin that tracks user access and can help identify questionable behavior on the website by authorized users. This type of tool may also help you identify which internal user has compromised credentials, or a computer that a cybercriminal may be reaching through a bot or keylogger infection.
5) Create a Regular Maintenance Schedule/Process: Create a regular “maintenance schedule” that begins with a manual, off-server backup of the website and data files, stored in a secure local or encrypted off-site location as your “ransomware recovery strategy”. Once the backup is secure, use a sandbox environment to test the system, theme, and plugin updates before applying them to the live site, to eliminate potential conflicts in the code.
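The manual off-server backup step above, as an added example (not the client's procedure or any plugin's code): it archives the web root plus a database dump, records a checksum to detect a tampered or truncated copy, and unpacks the archive into a sandbox directory as a restore drill. It assumes a POSIX shell, tar, and sha256sum or shasum; mysqldump is used only when present.

```shell
#!/bin/sh
# Added example: manual off-server WordPress backup with checksum verification
# and a restore drill into a sandbox directory. Assumes POSIX sh, tar, and
# sha256sum or shasum; mysqldump runs only when present on the host.
set -eu

# Print the SHA-256 of a file with whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# backup_site WEBROOT DEST_DIR [DB_NAME]
# Writes DEST_DIR/<site>-<UTC stamp>.tar.gz plus a matching .sha256 file.
# The archive holds the web root (themes, plugins, uploads, wp-config.php)
# and db.sql when a database name is given and mysqldump is available.
backup_site() {
  webroot=$1; dest=$2; dbname=${3:-}
  site=$(basename "$webroot")
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  work=$(mktemp -d)
  mkdir -p "$work/site" "$dest"
  cp -R "$webroot/." "$work/site/"
  if [ -n "$dbname" ] && command -v mysqldump >/dev/null 2>&1; then
    # --single-transaction gives a consistent InnoDB snapshot without locking tables.
    mysqldump --single-transaction "$dbname" > "$work/db.sql"
  fi
  archive="$dest/$site-$stamp.tar.gz"
  tar -czf "$archive" -C "$work" .
  sha256_of "$archive" > "$archive.sha256"
  rm -rf "$work"
  echo "$archive"
}

# verify_backup ARCHIVE: the checksum must match and the archive must list cleanly.
# Run it again after copying the archive to its off-site destination.
verify_backup() {
  [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ] || return 1
  tar -tzf "$1" >/dev/null
}

# restore_to_sandbox ARCHIVE SANDBOX_DIR: unpack a copy for a restore drill, or to
# test core/theme/plugin updates before touching the live site.
restore_to_sandbox() {
  mkdir -p "$2"
  tar -xzf "$1" -C "$2"
}
```

Usage: `backup_site /var/www/example.com /mnt/offsite wp_example`, then `verify_backup` on the copied archive before trusting it as the recovery point.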
6) Monitor Server Activity: Become keenly aware of the file structure of each site and browse the server files regularly, looking for anything out of the ordinary. I have seen far too many situations where server files were compromised from the server side, with random .exe files or random directories showing up in the hope of blending in with legitimate files.
7) Minimize Access to PII: Maintenance is also a good time to download any personal data collected by online forms and stored in the site database. Once downloaded, delete those records from the database. This keeps your database at a reasonable size and limits the number of records a hacker could obtain should they gain access to your files.
The result was a production schedule to get these items in place across all of their websites. Second, we defined a regular security strategy that included preventative user procedures and prevention training for those with user access and administrative authority. This strategy laid out procedures to follow on a daily, weekly, monthly, and yearly basis to create, manage, and maintain a more secure web environment, protecting their business as well as their users’ experience.