Close

March 28, 2013

Is Your Site Secure? Tips from a Tech Guy

Barbed wire fence with text: Is Your Site Secure? Tips from a Tech Guy

When we first create a blog or website, all the decisions we need to make can quickly overwhelm us. Do we really need a website and a blog? Should we go with Blogger or WordPress? Do we want to go the free route or pay for a self-hosted site we’ll own?

That last question encompasses many complicated issues I’ll dive into next week. But if we decide to go the self-hosted WordPress.org route, we then also have to choose a hosting company.

What’s a hosting company, you ask? Today’s post is actually the second of two articles about hosting companies. Part One is over at the Writers In The Storm blog, where I cover what a hosting company is and why they’re importantVitally important to those of us who choose to have a self-hosted site.

So that means we have to know how to pick a good hosting company. How are we supposed to do that? We’re writers, not tech people.

In Part One, I cover some of the things to look for in a hosting company. I’ll wait while you check out that post. *hums Jeopardy theme* Back now? As I mentioned in that post, one critical responsibility of a hosting company is keeping their servers secure because if their servers are hacked, our websites become vulnerable or even go offline.

Today in Part Two, my tech guy will give us the inside scoop on what a hosting company can (and probably should) do to keep their servers secure. Please welcome Jay Donovan!

*****

Tech Talk: Website and Blog Security

Thanks, Jami, for letting me out of the server room for a few moments to talk about how a good hosting provider can help keep your site running safely. *notices a window* Hey, is that sunlight? *squints* Ow, it burns my people.

By my definition, a “good” hosting company views themselves as your partner in achieving your goals rather than one who simply provides a service. That sounds like a trope, but unless you’re planning on acquiring a “tech geek” badge, you’re going to have questions and occasionally need some hand-holding. The providers competing to be the lowest priced host can’t afford to spend much time on support or ensuring that their servers are delivering pages to your site’s visitors lightning fast.

Today we’ll discuss how a web hosting company can help keep your site running securely. Or sometimes, not keep your site running securely. For the sake of simplicity and to keep the author in the back row from nodding off, I’ll limit the conversation to WordPress.org sites and the core software required to run it.

A Quick Technology Primer

To understand what can go wrong, let’s briefly explore the technologies needed to run a WordPress powered site:

  1. The typical webhosting server runs the Linux operating system. Linux is a competitor to Microsoft Windows and Apple’s OS X. It runs on everything from supercomputers to smart phones. (If you have an Android phone, you’re using a variant of Linux.)
  2. Apache is web server software. It’s the software that talks to your web browser. It can directly answer requests for images and simple web files (HTML & CSS). WordPress uses both, but it has more complex needs. Luckily, Apache knows to ask for help when it doesn’t know what to do.
  3. WordPress’s posts, comments, page information, and settings are stored in a MySQL database.
  4. And the final core piece is the PHP programming language. WordPress is written in PHP.

This ends the jaunt into the tech. *hands out paper “Tech Geek” hats to those still awake* If you know a tech geek, call them to say how you’re currently reading up on securing a “LAMP application.” LAMP = Linux + Apache + MySQL + PHP

Or you can think of Linux as the Buffyverse (Sunnydale and Slayers / Vampire lore), Apache as Buffy, MySQL as Giles, and PHP as the Scooby gang. Everything happens in the Buffyverse but without Buffy, no slaying occurs. (Robot Buffy doesn’t count.) Giles manages all the information and lore. And the Scooby gang does the boring/dirty work but causes almost as much trouble as they prevent.

Why WordPress.com and Some Hosting Companies Limit You

With the tech basics covered, we can move on to how a good hosting company can help you minimize security risks to your web site. Security risks include hackers/malfeasance, hard drive failures, and human error.

My phrasing choice of “minimize risks” is deliberate. With all the complexity involved in each of those components, it’s impossible to guarantee your site will never be hacked. This is especially true if you aren’t diligent about updates and the plugins and themes you choose to install. For this reason, many web hosting companies (including WordPress.com) will limit available add-ons, even at their premium service tiers.

A good webhosting company will have a few roles in helping to keep your site safe.

A Good Webhosting Company Will Take Care of the Stuff They Control

Regular updates of all LAMP and other server software.

Both PHP and WordPress have a somewhat deserved reputation for being insecure. They have greatly improved over the past few years, but you and your host need to be very attentive to security updates. Your host is responsible for PHP and you are responsible for WordPress and plugin updates.

Backups! Backups! Backups!

  • How and how often do they perform backups?
  • Are restores tested regularly?
  • Are any backups saved to a different location?
  • Do different tiers of service have different policies?
  • Do they have a Disaster Recovery plan?

All critical servers are monitored.

  • Are they monitored from multiple locations?
  • Do they watch for and actively block hacker attacks?

A Good Webhosting Company Is Communicative

  • Do they actively post about security risks?
  • Do they warn about significant upgrades & site changes?
  • Are they available for a quick question?
  • Is their advice good and info correct?
  • Will they admit a problem or cover it up?

A Good Webhosting Company Provides Security Related Extras

  • Will they perform WordPress and plugin updates for you? If so what do they charge?
  • Can they remotely help with a computer virus?

A Good Webhosting Company Won’t Do Something Bad for You Because It’s Easier for Them

I recently helped with two cases where the hosting company failed their client.

In the first case, an author’s site was hacked multiple times before he came to me for help. In my investigation, I observed that the author wasn’t a typical hacker target. There weren’t any bad plugins, and everything was up to date. He spent hours on the phone with his hosting company and they denied anything was wrong on their end. Turns out the host’s Linux server his site was on had been hacked.

All the other sites running on that server were also hacked, and all of them had been labeled as malicious sites by Google. Even after being cleaned, some anti-virus/firewall software still blocks access to his site.

The second case is about a different type of security, a site owner being secure in the knowledge that their hosting company won’t break them. A very popular site advocating self-publishing disappeared from the net. It was offline for more than a day. Turns out the hosting company cut them off for being too popular.

Yes, seriously!?! The hosting company knocked them offline—no differently than a hacker attack could. Eventually the site owners were able to bring their site back online, except the hosting company forced them onto a VPS (Virtual Private Sever). So now the site owners have to either learn how to manage/update Linux, Apache, MySQL, and PHP or live with the default settings. My gasteds were beyond flabbered.

So how does TechSurgeons stack up to this list? Pretty good. There’s always room for improvement.

Stuff We Can Control:

  • Updates: We do extremely critical updates within 48 hours, critical updates within a week, and less important ones monthly. Our goal is to balance expediency with caution. Sometimes those rushed updates have problems of their own so waiting a day or so allows us to avoid the pitfalls.
  • Backups and Hard Drives: All servers have mirrored hard drives, so if one fails, the second keeps going. Each LAMP server is completely backed up at 11PM. At 2AM, all sites are backed up to a different server and then those backups are copied to a server at our office. Restores are tested at least weekly, and we’re alerted when backups fail and need to be rerun.
  • Monitoring: All servers are monitored locally and from a remote server in Seattle. Hacking attempts are logged, hackers are blocked, and email alerts are sent to us. Excessive login attempts on WordPress sites are not yet logged and blocked—there’s a plugin we want to test which might work really well.

Communicative:

Probably overly so. We use the @techsurgeons Twitter account and often our personal accounts to mention problems, maintenance, and when you should run updates. We’re starting to use our Facebook page and will now post the same messages there. We love it when you ask us questions on social media—it’s fun being helpful. And yes, we admit when we break stuff. It happens—I caused 9 minutes of downtime so far this year.

Security Extras:

Of course. Our rates are on the website. And we’re allergic to nickel & diming so rarely charge for small stuff.

Any hosting company you’re considering should be able to answer these questions for you. I’ll hang out in comments if you have questions about the tech stuff or other hosting issues.

*****

Jay Donovan has been a geek since before geeks were cool.  He’s done it all, from remotely debugging the Internet connection for a US aircraft carrier deployed to *REDACTED*, to being responsible for the servers and networks for one of the largest Internet sites in the world, and the most challenging job of them all—parenthood.

He’s trained as a Certified Ethical Hacker (yes, really!) and always uses his geeky powers for good. When he’s not neck deep in wires and computer parts, you’ll find him hanging out on Twitter as @jaytechdad or at TechSurgeons.

*****

Wow! Thanks, Jay! *still giggling over the Buffy analogy* I think I might have understood all that. Maybe.

Too many “hosting companies” don’t have the tech background to build the redundant networks and servers that can handle hardware crashes and high traffic, much less hacking attempts. As of a year ago, my site was the target of 150-200 hacking attempts per day. My site has been linked to from HuffPo and MediaBistro and didn’t go down.

I’m happy to leave my site in the hands of a professional who lives and breathes this stuff (except for when we briefly let him out to glimpse sunlight *smile*). And now we all know the questions to ask of any hosting company we’re considering. Let’s give Jay a big hand for filling us in on hosting companies!

Registration is currently open for my two workshops designed for those with no knowledge of WordPress, websites, or blogs. Interested? Sign up for only one of the workshops: For a free website/blog: “Develop a Free Author Website in 60 Minutes (or Less!)”; or to set up a website/blog you own: “A Newbie’s Guide to Building a Self-Hosted Blog or Website.” (Blog readers: Use Promo Code “jamisave” to save $5 on registration.)

Did that explanation make sense to you or do you need clarification? Does knowing all the ways a poor hosting company can screw things up—and knowing the right questions now to judge if a hosting company is good or poor—make you more or less likely to go the self-hosted route? If you’re self-hosted, do you know what your hosting company does to keep your site secure? Do you have any questions for Jay?

Pin It

What do you think?

52 Comments on "Is Your Site Secure? Tips from a Tech Guy"

Click here to learn more about Lost Your Pants workshop
Notify of
avatar
5000
Sort by:   newest | oldest | most voted
Jami's Tech Guy

Hi Jami, thanks for letting me escape the comments section! It’s good to know we can team up to write an amazingly short post.

-Jay
@jaytechdad

Melinda S. Collins

Hi Jay! Hi Jami!

WOW! So much information here. 🙂 And all of it made perfect sense. I’m still laughing over the Buffy/Scooby gang analogy, too. That was awesome, Jay! 😀

Thank you both for all of the helpful information you’ve been providing on author websites and blogs! You guys are rock stars!! 😉

trackback

[…] we’ve got a great deal for WITS readers at the bottom of this post!). Part 1 is here today, Part 2 is at her place […]

Kimberly Gould

Thanks for all the tips and advice, Jay. I’m going to share this post with my tech guy (also husband). I know the basics of how to update my webpage, but I don’t have any real idea how to drive the guts. I don’t think our service provider does much in that vein either….

Jami's Tech Guy (Jay)

Thanks Kimmy! If he has any questions, have him email me.

-Jay
@jaytechdad

Buffy Armstrong

Jay, you are awesome. That is all I’m going to say.

Jami's Tech Guy (Jay)

Awww, thanks! *blush*

-Jay
@jaytechdad

C. C. Cedras

Jami/Jay (there’s that alliteration that I love!) — this is a great post and what this tells me is that I don’t really feel like spending the time to check out Bluehost for it’s WordPress expertise and will just head straight on over to Jay’s TechSurgeons. Among other things, Jay has a far wittier sense of humor.

Still have to work out my inner dilemma of going off on a (website) frolic of my own or continuing down a path with my co-writers (with whom I share a WordPress.com blog). Leaning toward the former, actually.

Widdershins

*waves to Jay*

It wasn’t until I hung out at WANACon last month that I had any idea at all of the differences between WordPress .com and .org. … this post has slipped the last cog into place. (I often visualise my thought processes as parts of an Escher-esque Steampunk clockwork machine)

Thanks Jay and Jami for explaining to someone who just wants her platform to wok, how her platform works! … and for the Buffy analogy.

So, when I’m ready to shift gear levers and go .org, who am I gonna call?

Jami's Tech Guy (Jay)

Hi Widdershins,

*waves hi back* Be sure that whomever you call knows not to cross the streams…

*hums the Ghostbusters theme*

-Jay
@jaytechdad

ChemistKen

Thanks for all the info, Jami. I’m looking forward to your class in April.

Julia Broadbooks
Julia Broadbooks

*adjusts paper hat* Well, I stayed awake for the whole thing, but I might need to read it a second or even a third time to take it all in.

Jami's Tech Guy (Jay)

Good job Julia! 🙂

I’m now imagining a future conversation after an outage… Well, after installing a new version of the Scoobies, Buffy stopped answering calls and needed to be kicked. Oh and I don’t know what’s going on with Giles’s backup.

Sheesh!

-Jay
@jaytechdad

Diana Beebe

I knew there was a reason I fell into my tech writing job–so I wouldn’t be terrified of the technology when I finally did something about a website. (OK. It still scares me a little.) Thanks, Jay! You are on my to do list to call…

Jami's Tech Guy (Jay)

Awww, thanks!

-Jay
@jaytechdad

Morgyn
Morgyn

Gasteds, Jay?

Feeling like an idiot, LOL. Even Google couldn’t explain this one to me. And worse, all the Linux, etc made sense.

Dangling in the outer limits, . . .

Jami's Tech Guy (Jay)

Sorry Morgyn,

“gasteds were beyond flabbered” is my silly of saying flabbergasted.

http://dictionary.reference.com/browse/flabbergasted

-Jay
@jaytechguy

Morgyn
Morgyn

Major smile. No wonder Google and I were goggled!

Shah Wharton

Hey Tech Guy

Great article on what I should be looking for. After my experience, I’ve thought about returning to FREE WordPress. Even my theme developers (who offer excellent customer service) are shoddy when I actually ask for help with a problem. I’m also not sure any of this expense has helped my ranking or benefited me in any way. My free sites run better, are free, and present a lot less hassle.

Does your service help someone move from another provider to yours? I tried to move a few months ago and it was a nightmare. But my contract is up for renewal and I’m looking for a new provider.

Shah X

Jami's Tech Guy (Jay)

Hi Shah,
Thanks for considering us for hosting! Yes, for our Premium Hosting plan and above we will at least help with the move. If you trust me with the passwords to your existing site, I’ll move your site for you. 🙂

-Jay

Julie Glover

Yeah, that LAMP part was starting to sound like Muzak until you got to the Buffy comparison, and then I got it. Thanks for that!

I want to say to the readers that I just took Jay’s internet security course, and I am realigning my computer configuration as a result. It was very helpful, and I think he’s doing another one soon through WANA. Next, I’ll need to rethink my website. But one thing at a time…

Jami's Tech Guy (Jay)

Awww, thanks Julie!

-Jay
@jaytechdad

trackback

[…] (If you’re tuning in late, check out my previous posts with background information about WordPress.com versus WordPress.org and hosting companies.) […]

trackback

[…] I hope this series has shared useful information—like how to welcome disabled readers and make our site secure—that you haven’t seen […]

wpDiscuz