Is Your Site Secure? Tips from a Tech Guy
When we first create a blog or website, all the decisions we need to make can quickly overwhelm us. Do we really need a website and a blog? Should we go with Blogger or WordPress? Do we want to go the free route or pay for a self-hosted site we’ll own?
That last question encompasses many complicated issues I’ll dive into next week. But if we decide to go the self-hosted WordPress.org route, we then also have to choose a hosting company.
What’s a hosting company, you ask? Today’s post is actually the second of two articles about hosting companies. Part One is over at the Writers In The Storm blog, where I cover what a hosting company is and why they’re important. Vitally important to those of us who choose to have a self-hosted site.
So that means we have to know how to pick a good hosting company. How are we supposed to do that? We’re writers, not tech people.
In Part One, I cover some of the things to look for in a hosting company. I’ll wait while you check out that post. *hums Jeopardy theme* Back now? As I mentioned in that post, one critical responsibility of a hosting company is keeping their servers secure because if their servers are hacked, our websites become vulnerable or even go offline.
Today in Part Two, my tech guy will give us the inside scoop on what a hosting company can (and probably should) do to keep their servers secure. Please welcome Jay Donovan!
*****
Tech Talk: Website and Blog Security
Thanks, Jami, for letting me out of the server room for a few moments to talk about how a good hosting provider can help keep your site running safely. *notices a window* Hey, is that sunlight? *squints* Ow, it burns my people.
By my definition, a “good” hosting company views themselves as your partner in achieving your goals rather than one who simply provides a service. That sounds like a trope, but unless you’re planning on acquiring a “tech geek” badge, you’re going to have questions and occasionally need some hand-holding. The providers competing to be the lowest priced host can’t afford to spend much time on support or ensuring that their servers are delivering pages to your site’s visitors lightning fast.
Today we’ll discuss how a web hosting company can help keep your site running securely. Or sometimes, not keep your site running securely. For the sake of simplicity and to keep the author in the back row from nodding off, I’ll limit the conversation to WordPress.org sites and the core software required to run it.
A Quick Technology Primer
To understand what can go wrong, let’s briefly explore the technologies needed to run a WordPress powered site:
- The typical webhosting server runs the Linux operating system. Linux is a competitor to Microsoft Windows and Apple’s OS X. It runs on everything from supercomputers to smart phones. (If you have an Android phone, you’re using a variant of Linux.)
- Apache is web server software. It’s the software that talks to your web browser. It can directly answer requests for images and simple web files (HTML & CSS). WordPress uses both, but it has more complex needs. Luckily, Apache knows to ask for help when it doesn’t know what to do.
- WordPress’s posts, comments, page information, and settings are stored in a MySQL database.
- And the final core piece is the PHP programming language. WordPress is written in PHP.
This ends the jaunt into the tech. *hands out paper “Tech Geek” hats to those still awake* If you know a tech geek, call them to say how you’re currently reading up on securing a “LAMP application.” LAMP = Linux + Apache + MySQL + PHP
Or you can think of Linux as the Buffyverse (Sunnydale and Slayers / Vampire lore), Apache as Buffy, MySQL as Giles, and PHP as the Scooby gang. Everything happens in the Buffyverse but without Buffy, no slaying occurs. (Robot Buffy doesn’t count.) Giles manages all the information and lore. And the Scooby gang does the boring/dirty work but causes almost as much trouble as they prevent.
Why WordPress.com and Some Hosting Companies Limit You
With the tech basics covered, we can move on to how a good hosting company can help you minimize security risks to your web site. Security risks include hackers/malfeasance, hard drive failures, and human error.
My phrasing choice of “minimize risks” is deliberate. With all the complexity involved in each of those components, it’s impossible to guarantee your site will never be hacked. This is especially true if you aren’t diligent about updates and the plugins and themes you choose to install. For this reason, many web hosting companies (including WordPress.com) will limit available add-ons, even at their premium service tiers.
A good webhosting company will have a few roles in helping to keep your site safe.
A Good Webhosting Company Will Take Care of the Stuff They Control
Regular updates of all LAMP and other server software.
Both PHP and WordPress have a somewhat deserved reputation for being insecure. They have greatly improved over the past few years, but you and your host need to be very attentive to security updates. Your host is responsible for PHP and you are responsible for WordPress and plugin updates.
Backups! Backups! Backups!
- How and how often do they perform backups?
- Are restores tested regularly?
- Are any backups saved to a different location?
- Do different tiers of service have different policies?
- Do they have a Disaster Recovery plan?
All critical servers are monitored.
- Are they monitored from multiple locations?
- Do they watch for and actively block hacker attacks?
A Good Webhosting Company Is Communicative
- Do they actively post about security risks?
- Do they warn about significant upgrades & site changes?
- Are they available for a quick question?
- Is their advice good and info correct?
- Will they admit a problem or cover it up?
A Good Webhosting Company Provides Security Related Extras
- Will they perform WordPress and plugin updates for you? If so, what do they charge?
- Can they remotely help with a computer virus?
A Good Webhosting Company Won’t Do Something Bad for You Because It’s Easier for Them
I recently helped with two cases where the hosting company failed their client.
In the first case, an author’s site was hacked multiple times before he came to me for help. In my investigation, I observed that the author wasn’t a typical hacker target. There weren’t any bad plugins, and everything was up to date. He spent hours on the phone with his hosting company and they denied anything was wrong on their end. Turns out the host’s Linux server his site was on had been hacked.
All the other sites running on that server were also hacked, and all of them had been labeled as malicious sites by Google. Even after being cleaned, some anti-virus/firewall software still blocks access to his site.
The second case is about a different type of security, a site owner being secure in the knowledge that their hosting company won’t break them. A very popular site advocating self-publishing disappeared from the net. It was offline for more than a day. Turns out the hosting company cut them off for being too popular.
Yes, seriously!?! The hosting company knocked them offline—no differently than a hacker attack could. Eventually the site owners were able to bring their site back online, except the hosting company forced them onto a VPS (Virtual Private Server). So now the site owners have to either learn how to manage/update Linux, Apache, MySQL, and PHP or live with the default settings. My gasteds were beyond flabbered.
So how does TechSurgeons stack up to this list? Pretty good. There’s always room for improvement.
Stuff We Can Control:
- Updates: We do extremely critical updates within 48 hours, critical updates within a week, and less important ones monthly. Our goal is to balance expediency with caution. Sometimes those rushed updates have problems of their own so waiting a day or so allows us to avoid the pitfalls.
- Backups and Hard Drives: All servers have mirrored hard drives, so if one fails, the second keeps going. Each LAMP server is completely backed up at 11PM. At 2AM, all sites are backed up to a different server and then those backups are copied to a server at our office. Restores are tested at least weekly, and we’re alerted when backups fail and need to be rerun.
- Monitoring: All servers are monitored locally and from a remote server in Seattle. Hacking attempts are logged, hackers are blocked, and email alerts are sent to us. Excessive login attempts on WordPress sites are not yet logged and blocked—there’s a plugin we want to test which might work really well.
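For the curious, here is what "logging excessive login attempts" can look like. This is an illustration added to the post, not TechSurgeons' own tooling and not the plugin mentioned above: it reads Apache access-log lines and flags any address that submits the WordPress login form too often in a short window. The sample log lines, the limit of 5 attempts, and the 5-minute window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" access-log line: client, identity, user, [time], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"  # the WordPress login form


def parse_line(line):
    """Return (ip, time, method, path) for a log line, or None if it is malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        when = datetime.strptime(m["ts"], TS_FORMAT)
    except ValueError:
        return None
    return m["ip"], when, m["method"], m["path"].split("?", 1)[0]


def find_excessive_logins(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Map each offending address to the moment it first went over the limit.

    Only POSTs to the login form count (a GET merely displays the form).
    Lines are assumed to be in the order Apache wrote them.
    """
    recent = defaultdict(deque)  # address -> login times still inside the window
    flagged = {}
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue  # skip junk instead of crashing the monitor
        ip, when, method, path = record
        if method != "POST" or path != LOGIN_PATH:
            continue
        attempts = recent[ip]
        attempts.append(when)
        while when - attempts[0] > window:  # forget attempts older than the window
            attempts.popleft()
        if len(attempts) > max_attempts and ip not in flagged:
            flagged[ip] = when
    return flagged


def make_line(ip, clock, method, path, status):
    """Build one constructed log line for the sample below."""
    return (f'{ip} - - [01/Jan/2024:{clock} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 1234 "-" "Mozilla/5.0"')


# Constructed sample (documentation-only addresses): one normal login, one
# visitor retrying every 10 minutes, one junk line, and one burst of 7 tries.
SAMPLE_LOG = (
    [make_line("198.51.100.7", "08:59:00", "GET", "/wp-login.php", 200),
     make_line("198.51.100.7", "08:59:20", "POST", "/wp-login.php", 302)]
    + [make_line("192.0.2.10", f"09:{m:02d}:00", "POST", "/wp-login.php", 200)
       for m in range(0, 60, 10)]
    + ["this line is not a log entry"]
    + [make_line("203.0.113.50", f"10:{s // 60:02d}:{s % 60:02d}", "POST",
                 "/wp-login.php", 200) for s in range(0, 70, 10)]
)

if __name__ == "__main__":
    for ip, when in find_excessive_logins(SAMPLE_LOG).items():
        print(f"{ip} exceeded the login limit at {when.isoformat()}")
```

Only the burst from 203.0.113.50 is flagged; the visitor retrying every ten minutes makes just as many attempts overall but never more than one inside any five-minute window.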
Communicative:
Probably overly so. We use the @techsurgeons Twitter account and often our personal accounts to mention problems, maintenance, and when you should run updates. We’re starting to use our Facebook page and will now post the same messages there. We love it when you ask us questions on social media—it’s fun being helpful. And yes, we admit when we break stuff. It happens—I caused 9 minutes of downtime so far this year.
Security Extras:
Of course. Our rates are on the website. And we’re allergic to nickel & diming so rarely charge for small stuff.
Any hosting company you’re considering should be able to answer these questions for you. I’ll hang out in comments if you have questions about the tech stuff or other hosting issues.
*****
Jay Donovan has been a geek since before geeks were cool. He’s done it all, from remotely debugging the Internet connection for a US aircraft carrier deployed to *REDACTED*, to being responsible for the servers and networks for one of the largest Internet sites in the world, and the most challenging job of them all—parenthood.
He’s trained as a Certified Ethical Hacker (yes, really!) and always uses his geeky powers for good. When he’s not neck deep in wires and computer parts, you’ll find him hanging out on Twitter as @jaytechdad or at TechSurgeons.
*****
Wow! Thanks, Jay! *still giggling over the Buffy analogy* I think I might have understood all that. Maybe.
Too many “hosting companies” don’t have the tech background to build the redundant networks and servers that can handle hardware crashes and high traffic, much less hacking attempts. As of a year ago, my site was the target of 150-200 hacking attempts per day. My site has been linked to from HuffPo and MediaBistro and didn’t go down.
I’m happy to leave my site in the hands of a professional who lives and breathes this stuff (except for when we briefly let him out to glimpse sunlight *smile*). And now we all know the questions to ask of any hosting company we’re considering. Let’s give Jay a big hand for filling us in on hosting companies!
Registration is currently open for my two workshops designed for those with no knowledge of WordPress, websites, or blogs. Interested? Sign up for only one of the workshops: For a free website/blog: “Develop a Free Author Website in 60 Minutes (or Less!)”; or to set up a website/blog you own: “A Newbie’s Guide to Building a Self-Hosted Blog or Website.” (Blog readers: Use Promo Code “jamisave” to save $5 on registration.)
Did that explanation make sense to you or do you need clarification? Does knowing all the ways a poor hosting company can screw things up—and knowing the right questions now to judge if a hosting company is good or poor—make you more or less likely to go the self-hosted route? If you’re self-hosted, do you know what your hosting company does to keep your site secure? Do you have any questions for Jay?
Hi Jami, thanks for letting me escape the comments section! It’s good to know we can team up to write an amazingly short post.
-Jay
@jaytechdad
Hi Tech Guy,
*snort* Short. Ha. This might be my longest ever post. LOL! But it’s all great information, so how could I cut any of it? 🙂 Thanks for the great guest post!
Hi Jay! Hi Jami!
WOW! So much information here. 🙂 And all of it made perfect sense. I’m still laughing over the Buffy/Scooby gang analogy, too. That was awesome, Jay! 😀
Thank you both for all of the helpful information you’ve been providing on author websites and blogs! You guys are rock stars!! 😉
Hi Melinda,
Yay! I’m glad it made sense to you. 🙂
You and I are a bit less tech-averse than others though, so I’m sure some people will have questions–and that’s okay. That’s why we have Jay here today. LOL! Thanks for the comment!
Thanks for all the tips and advice, Jay. I’m going to share this post with my tech guy (also husband). I know the basics of how to update my webpage, but I don’t have any real idea how to drive the guts. I don’t think our service provider does much in that vein either….
Hi Kimberly,
Exactly. Us writers think we’re doing a good job with adding posts, pages, and maybe doing WordPress and plugin updates. And we are! 🙂 We’re writers–we don’t want to learn (and shouldn’t have to spend our time on) how to do all this technical stuff ourselves.
But that means we do have to find a good partner, just as much as any partner we have for publishing our book (agent, editor, cover artist, formatter, etc.). So I hope these posts give us an idea of what questions to ask to find that good partner.
It’s easy to think that just because nothing’s broken–yet–that a hosting company must be good. But one commenter in Part One listed the hosting company they were happy with–and they have no idea that their site will go down if they’re ever successful because their host can only handle 11 visitors at a time. *sigh*
Now we can use these questions to dig deeper than “it seems okay.” 🙂 Thanks for the comment!
Thanks Kimmy! If he has any questions, have him email me.
-Jay
@jaytechdad
Jay, you are awesome. That is all I’m going to say.
Awww, thanks! *blush*
-Jay
@jaytechdad
Hi Buffy,
I’ll second that. 🙂 Thanks for the comment!
Jami/Jay (there’s that alliteration that I love!) — this is a great post and what this tells me is that I don’t really feel like spending the time to check out Bluehost for its WordPress expertise and will just head straight on over to Jay’s TechSurgeons. Among other things, Jay has a far wittier sense of humor.
Still have to work out my inner dilemma of going off on a (website) frolic of my own or continuing down a path with my co-writers (with whom I share a WordPress.com blog). Leaning toward the former, actually.
Hi C.C.,
LOL! about Jay’s sense of humor. That he does. 🙂 The other post he’s done for me here is his imitation of Smeagol reading The Hunger Games. And really, is there anything crazier than that? Hee.
Ooo, group blogs. That’s a whole ‘nother animal. 🙂 I’ve never been part of a group blog, so I don’t feel qualified to take on the subject fully, but…
My basic impression is that they can be great for expanding readership and lightening the blogging load. However, the group blog can get the branding and name recognition rather than the individual contributors. I’ve seen some group blogs overcome this issue for the most part. The Writers In The Storm blog uses an author plugin at the bottom of each post with a picture and short bio of the post author. That helps brand the authors themselves in addition to the group blog’s reputation for quality.
We can think of the group blogs we know. Can we name some or most of the members? If yes, we can look at those blogs to see what they’re doing right. If no, we can see what they’re doing differently. I hope that helps with your decision. 🙂 Thanks for the comment!
Jami, these are GREAT ideas for thought on the group blog thingy! First thing I’m going to do is see if we can get the author plug-in for our free WordPress.com blog. Second thing I’ve already warned my co-bloggers about is the necessity of using our “real” faces in our avatars. Plus, we’ll need to sharpen up our bios — one of the co-bloggers has just piggybacked off of mine and I think the other still hasn’t WRITTEN one!
BUT, your basic point is one we need to consider carefully — that in a group blog the individual authors are not being branded. Well, baby steps.
Thanks a million for sharing your thoughts. I’m off to read Jay, imitating Smeagol….
And, of course, the plugin situation is a “NO” currently, because we’re not using WordPress.org software, nor are we self-hosted … yet. I really need to get crackin’ on this stuff.
Hi again C.C., I feel like I’m following you around the Internet.
If you’d like to get a feel for wordpress.org, I can create a test site for you to play with. That way you can get a better feel for the differences and what you can do with plugins.
-Jay
@jaytechdad
That offer is almost TOO generous, Jay, but I will quite likely take you up on it when you have time. I’m no dummy.
Thanks, so much, for sharing so much of your time and expertise!
Hi C.C.,
Yes, I was going to point that out, but saw that you’d figured it out already. Do a Google search on “wordpress.com author box” to see if there are any solutions for that. 🙂 Thanks for the comment!
I’ll check that out, Jami, thanks! You guys are all so great to leap in with help and advice.
Hugs!!!
C.C. ~ If it’s a WordPress blog, all you have to do is invite each member to be an admin on the blog. For example, I have More Cowbell (Jenny Hansen’s blog) and I’m able to check up on WITS in my dashboard.
We’re both on the free dot com version so I don’t know whether this could put a hitch in things if you were on your own self-hosted site. We keep a page of our writers and each has a post that can be updated at any time. That usually gets linked to with the person’s name at the top of the post, although Laura Drake and I link to our own sites.
Each of us is blog mistress for a month and we rotate that throughout the year so everyone is mistress for 2-3 months a year. We all have set up our Gravatar accounts too, which seems to help on WordPress.
I don’t know how helpful or non-helpful that is for you, but that’s how we do it at Writers In The Storm.
Oh, and we also keep a shared Google Calendar so everyone knows what dates are open when we recruit guest posters. 🙂
Love how organized you all are, Jenny! It shows in the quality of WITS. 🙂
I’ve done a bit of this on http://stilettosstoliandscribbles.wordpress.com, I set up the blog but the other bloggers are admins and we have traded off being “boss”, but not on a regular schedule. Anyway, this is all a great education on what more I COULD do with WordPress! Thanks, Jenny!
Hi Jenny,
Yay! Thanks so much for sharing this information. 🙂 I was just using WITS as an example, so thanks for this comment!
Hi C.C.,
Happy to help! I’m certainly not “down” on group blogs–I’ve discovered many authors through them and many big name authors stick with group blogs because they can be less time consuming.
But yes, it comes down to doing what you can to make sure you’re able to brand yourself on top of the group blog. Some group blogs use only a byline to differentiate between posters and that makes it much harder. 🙂 Thanks for the comment!
You have hit the nail precisely on its little pointy head, Jami. The group blog does help by sharing the workload, though that is uneven? Still, I need to figure out how to unravel the spaghetti in a way that’s productive and not DEstructive.
Thanks for all the wonderful advice!
Hi C.C.,
I’m happy to help. 🙂 Good luck no matter what you decide!
*waves to Jay*
It wasn’t until I hung out at WANACon last month that I had any idea at all of the differences between WordPress .com and .org. … this post has slipped the last cog into place. (I often visualise my thought processes as parts of an Escher-esque Steampunk clockwork machine)
Thanks Jay and Jami for explaining to someone who just wants her platform to work, how her platform works! … and for the Buffy analogy.
So, when I’m ready to shift gear levers and go .org, who am I gonna call?
Hi Widdershins,
Love your mental imagery! 🙂 And I’m happy to share knowledge so people can make informed decisions. Thanks for the comment!
Hi Widdershins,
*waves hi back* Be sure that whomever you call knows not to cross the streams…
*hums the Ghostbusters theme*
-Jay
@jaytechdad
Thanks for all the info, Jami. I’m looking forward to your class in April.
Hi ChemistKen,
You’re quite welcome. 🙂 Thanks for signing up for my class and thanks for the comment!
*adjusts paper hat* Well, I stayed awake for the whole thing, but I might need to read it a second or even a third time to take it all in.
Good job Julia! 🙂
I’m now imagining a future conversation after an outage… Well, after installing a new version of the Scoobies, Buffy stopped answering calls and needed to be kicked. Oh and I don’t know what’s going on with Giles’s backup.
Sheesh!
-Jay
@jaytechdad
*snort* LOL! Wow, I understood that, Jay. Mission accomplished! 😀
Hi Julia,
*looks up from sprinkling glitter on hat* LOL! I don’t blame you. 🙂 Thanks for the comment!
I knew there was a reason I fell into my tech writing job–so I wouldn’t be terrified of the technology when I finally did something about a website. (OK. It still scares me a little.) Thanks, Jay! You are on my to do list to call…
Awww, thanks!
-Jay
@jaytechdad
Hi Diana,
Yes, I have a tech writing history too, so I can fake understanding sometimes. LOL! Thanks for the comment!
Gasteds, Jay?
Feeling like an idiot, LOL. Even Google couldn’t explain this one to me. And worse, all the Linux, etc made sense.
Dangling in the outer limits, . . .
Sorry Morgyn,
“gasteds were beyond flabbered” is my silly way of saying flabbergasted.
http://dictionary.reference.com/browse/flabbergasted
-Jay
@jaytechguy
Hi Morgyn,
LOL! Yes, sometimes you have to watch out for Jay’s sense of humor. But hey, you understood the tech stuff, so it’s all good. 🙂 Thanks for the comment!
Major smile. No wonder Google and I were goggled!
LOL! Too funny, Morgyn. 🙂
Hey Tech Guy
Great article on what I should be looking for. After my experience, I’ve thought about returning to FREE WordPress. Even my theme developers (who offer excellent customer service) are shoddy when I actually ask for help with a problem. I’m also not sure any of this expense has helped my ranking or benefited me in any way. My free sites run better, are free, and present a lot less hassle.
Does your service help someone move from another provider to yours? I tried to move a few months ago and it was a nightmare. But my contract is up for renewal and I’m looking for a new provider.
Shah X
Hi Shah,
I’ll make sure he sees this question. 🙂 I hope you figure something out that works for you. Thanks for the comment!
Hi Shah,
Thanks for considering us for hosting! Yes, for our Premium Hosting plan and above we will at least help with the move. If you trust me with the passwords to your existing site, I’ll move your site for you. 🙂
-Jay
Yeah, that LAMP part was starting to sound like Muzak until you got to the Buffy comparison, and then I got it. Thanks for that!
I want to say to the readers that I just took Jay’s internet security course, and I am realigning my computer configuration as a result. It was very helpful, and I think he’s doing another one soon through WANA. Next, I’ll need to rethink my website. But one thing at a time…
Hi Julie,
LOL! Yes, that’s Jay for you–just when you start nodding off, he hits you with a zinger. 🙂
Yes, I think Jay’s planning another internet security class for the end of April. Thanks for the comment!
Awww, thanks Julie!
-Jay
@jaytechdad