We already know the security of your site is important.
But this is an undertaking that is hard to do properly without the expertise of a website professional who truly specializes in website security (and backups). Finding the right expert is equally important: hiring someone without this expertise can put your site at greater risk, exposing it to vulnerabilities that only an expert would know to look for.
To shed more light on this, we interviewed Gerasimos from the Codeable expert community, a WordPress Security Expert with 9+ years of experience in WordPress and 6+ years of experience in website security.
Codeable is the only WordPress-exclusive freelancer marketplace with highly vetted WordPress experts. We trust our partners at Codeable for high-quality development and security services that are outside our own scope of support to ensure customers are successful with BlogVault and MalCare and are able to find the quality development help they need. Get a free estimate today.
Introduction to Gerasimos
My name is Gerasimos, born in Canada but currently living in Europe due to COVID-19 restrictions.
I started my career as a WordPress freelancer in 2011. In 2014, I managed to clean a worm that had infected our company’s intranet. Hunting down the infection and neutralizing it was so satisfying, and at the same time, I started seeing a lot of WordPress requests for hacked sites. I knew it was the right time to jump into the security niche.
Since then, I’ve successfully cleaned thousands of sites!
I love reading, listening to infosec podcasts (you have to listen to Darknet Diaries!), and spending time outdoors either hiking, swimming or just riding my motorbike. I’d love to find some extra free time in order to study and apply for infosec certificates like CEH or OSCP since it has been all my work in the last decade.
How did you get into WordPress Security?
I used to work in a WordPress Support Agency back in 2011. After 3 years climbing up the ladder, I noticed that security related incidents were growing day by day. That’s when I proposed to set up a new service to help customers with hacked WordPress sites.
We would clean the sites, update all elements, audit, and secure them. Back then, we were one of the first agencies worldwide to focus on the WordPress security niche, so we grew and improved our service while helping our clients.
How long have you worked at Codeable? What are the most important things you’ve learned over the years?
I’ve known about Codeable from the very beginning, and created an account with them in 2015. It wasn’t until last February that a colleague of mine suggested sending an application to Codeable. I consider myself relatively new to being active on Codeable, despite being very experienced in WordPress.
Codeable has a great foundation which gives you the opportunity to learn how to cooperate with other developers in order to offer the best experience possible to your clients. Clients trust the Codeable brand and quality promise, which makes my job so much easier and results in higher quality services.
What is your niche/specialisation?
My niche is cleaning and securing WordPress websites from malware and/or any kind of security issues. I’m usually asked to work on post-hack incidents but many of my older clients return and ask me to maintain their site as well under a subscription plan. In general, my goal is to make WordPress users happy – I just enjoy it more when I’m working on security-related issues!
Most common security mistakes made by a website owner (that you have observed)?
One of the most common mistakes when it comes to website security is related to abandoned subdomains that are no longer in use. In this case, a threat actor (anyone who intends to cause harm against your website) can take control over vulnerable subdomains through services like AWS or GitHub. They will exploit the website’s services through hosting a copy of the site, sending phishing emails, or even tricking visitors to submit their login credentials.
Same goes with abandoned domains which a company once used but they were left to expire – hackers can register them and search for services which used emails that belonged to those domains. The first layer of security should start with the domain and the DNS.
More info on this here.
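The abandoned-subdomain problem described above is something a site owner can check for on their own DNS zone. The following script is an added example written for this post, not code from the interview or from Codeable or BlogVault: it parses a BIND-style zone export, picks out CNAME records that point at third-party hosting services, and reports the ones whose target no longer resolves. The zone lines, the set of "still resolvable" targets and the list of provider suffixes are all constructed for the example; the suffix list in particular is illustrative and should be replaced with the providers your organisation actually uses.

```python
"""Audit a DNS zone export for dangling CNAMEs to third-party services.

Added example for this post; not code from the interview, Codeable or BlogVault.
"""
import socket

# ASSUMPTION: illustrative suffixes of hosted services that customers commonly
# point subdomains at. Keep your own list current; this is not a full catalogue.
THIRD_PARTY_SUFFIXES = (
    ".amazonaws.com",
    ".elasticbeanstalk.com",
    ".github.io",
    ".unbouncepages.com",
    ".squarespace.com",
)

# Constructed zone export (BIND-style lines) for a hypothetical example.com.
SAMPLE_ZONE = """\
; example.com zone (constructed sample)
www        300 IN A     203.0.113.10
blog       300 IN CNAME myblog.github.io.
promo      300 IN CNAME old-campaign.unbouncepages.com.
assets     300 IN CNAME example-assets.s3.amazonaws.com.
mail       300 IN MX    10 mail.example.com.
"""

# Constructed stand-in for DNS resolution: the "promo" target has been deleted
# at the provider, so it is deliberately absent from this set.
SAMPLE_RESOLVABLE = {"myblog.github.io", "example-assets.s3.amazonaws.com"}


def parse_cnames(zone_text):
    """Yield (owner, target) for every CNAME record in a BIND-style zone."""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # Accept both "name ttl IN CNAME target" and "name IN CNAME target".
        if "CNAME" in fields:
            idx = fields.index("CNAME")
            yield fields[0], fields[idx + 1].rstrip(".").lower()


def is_third_party(target):
    """True if the CNAME target lives under one of the watched provider suffixes."""
    return any(target.endswith(suffix) for suffix in THIRD_PARTY_SUFFIXES)


def find_dangling(zone_text, resolves):
    """Return owners whose CNAME points at a third-party host that no longer resolves.

    `resolves` is a callable name -> bool so the check can run offline in tests.
    """
    return sorted(
        owner
        for owner, target in parse_cnames(zone_text)
        if is_third_party(target) and not resolves(target)
    )


def live_resolver(name):
    """Real lookup for production use: True if the name currently resolves."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    # Offline demonstration on the constructed zone; swap in live_resolver
    # (find_dangling(zone, live_resolver)) to audit a real export.
    for owner in find_dangling(SAMPLE_ZONE, SAMPLE_RESOLVABLE.__contains__):
        print(f"dangling subdomain record: {owner}")
```

A target that fails to resolve is the clearest signal, but it is not the only one: a CNAME whose target still resolves yet returns the provider's "site not found" page deserves the same follow-up. Either way the fix is the one the interview gives, which is to delete the record (or re-claim the service) rather than leave it pointing at a host you no longer control.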
What basic steps must a WordPress Website Owner take to secure their site?
These are the main steps I’d recommend:
- Use a secure hosting service
- Add a firewall between your WordPress site and your visitors, using a plugin like MalCare
- Activate and use an SSL for your WordPress site domain
- Disable XML-RPC when possible – XML-RPC allows you to access your site remotely without a browser but is an additional point of vulnerability.
- Rename your WordPress login URL
- Set a login rate limit for your WordPress login page
- Use 2 Factor Authentication for your WordPress Dashboard login page
- Allow 1 or 2 admins following the least privilege principle, the bare minimum of admin privileges necessary to perform their function
- Use complex passwords for your admin accounts
- Change the default admin usernames and randomize them
- Secure your WordPress site files and database
- Update your themes, plugins, and WordPress core files regularly
- Keep only the active theme and plugins
- Use only regularly updated WordPress themes and plugins
- Apply restrictions for bots, certain IPs and countries
- Monitor your site logs and file change
- Backup your site regularly, using a plugin like BlogVault
- Avoid using nulled themes or plugins
- Host only one WordPress site per account
- Remove any staging or development sites under your site public directory
Coming back to the domain topic – it is important to use a reputable domain registrar. Make sure the domain is on auto-renewal, and only register domains which pass the radio test for their brand in order to secure them and avoid any phishing attempts.
Use unique emails for registration accounts, which should be different from business accounts, and in general, avoid a single point of failure (don’t keep all your eggs in one basket!).
Lastly, website owners should hide their server IP using a proxy service (to avoid your home IP address being shown and therefore more vulnerable to security threats), as well as ensure that any subdomains that are no longer in use (which used to be connected to a third party like AWS, Unbounce, or Squarespace), are completely removed (for more detail, see common security mistakes question above).
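Two of the steps in the list above, setting a login rate limit and monitoring your site logs, can be checked from the web server's access log even before a firewall plugin is in place. The script below is an added example written for this post (not code from the interview or from any plugin named here): it parses Apache/nginx combined-format log lines, keeps only POST requests to `/wp-login.php` and `/xmlrpc.php`, and flags any source IP that sends more than a threshold of them inside a sliding time window. The log lines are constructed sample data; the threshold and window are assumptions to tune for your own traffic.

```python
"""Flag login-burst activity against wp-login.php and xmlrpc.php in access logs.

Added example for this post; not code from the interview or any plugin named there.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Endpoints the interview singles out: the login page and XML-RPC.
WATCHED_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample log lines (not real traffic). 203.0.113.5 hammers the login
# form, 203.0.113.9 hammers XML-RPC, 198.51.100.7 is an ordinary admin.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:43 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 50 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:14:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:14:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:14:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:14:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:14:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # ignore query string
        "status": int(m["status"]),
    }


def find_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {(ip, path): peak_count} for sources exceeding `threshold` POSTs
    to a watched path within any `window`-long interval.

    ASSUMPTION: threshold=5 per 60 s is an illustrative default, not a standard.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED_PATHS:
            events[(rec["ip"], rec["path"])].append(rec["ts"])

    flagged = {}
    for key, times in events.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (ip, path), count in sorted(find_bursts(SAMPLE_LOG).items()):
        print(f"{ip} sent {count} POSTs to {path} within one window")
```

Run against a real access log (`find_bursts(open("access.log").read())`), a hit here is the cue to confirm that a rate limit and two-factor authentication are actually enforced on the login page, and that XML-RPC is disabled if nothing on the site needs it.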
Why is it important to hire a seasoned professional for website security?
Although it might seem like something you can “DIY”, it’s essential to hire a seasoned security professional who will know how to safeguard every aspect of your website. They will know areas to account for that someone who lacks experience will miss. A few main reasons to hire someone with extensive security experience include:
- Outsider Perspective
When you are hiring a seasoned expert that is outside the company, they are able to offer an outside look/perspective on your security infrastructure because they don’t already know the system. This is a good thing because it’s easier for them to find the biggest issues through emulating the same environment that they would through an attack.
- Time and Resources
It’s more efficient to hire a seasoned expert who already knows what they are doing instead of hiring and having to train a developer. This is not only a time saving, but also a huge financial savings when it comes to the hours spent and avoiding a security risk that would land your business back at square one.
Years of experience with many other similar frameworks or environments that simulate clients coming to me for help. Knowing what to hit/what to look for comes easily – the main idea is that you need someone outside your environment who is an expert, efficient, and has the experience identifying issues.
More info on this can also be found on Codeable’s blog.
When is it important to loop in a developer when it comes to security?
The answer is always!
It’s critical to monitor your site to keep up with constantly changing needs in order to ensure your site stays secure. Every experienced WordPress developer knows coding standards (which, in a nutshell, are always updating), and therefore your site’s code must always be updated to keep up with these standards. Vulnerabilities are happening as we speak. Your security expert must always be trained to the latest coding standard.
Where to turn to hire an expert security developer and how much does it cost?
Codeable has a thriving community of 530+ WordPress experts, many with expertise in security, like myself. You might also be wondering what are the typical investment costs for improving a WordPress website’s security level? This of course depends on the level of security already applied.
We recommend reaching out to Codeable for a free estimate for your security project or maintenance service.
There has been a major increase in the number of WordPress users, especially since the pandemic. What are your thoughts on the current state of Website Security? How do you see it progressing?
This is correct. With more people trying to work online, this means that more WordPress sites are being developed. A positive sign is that security incidents are far less than what they used to be years ago. Plugins similar to MalCare and services like Codeable have definitely played a part in this improvement.
In conclusion, a seasoned developer in the security field should have at least 3-5+ years of experience mitigating issues with critical support (including backups and disaster recovery) and/or security. They’ve dealt with it before and should know how to properly safeguard your site, whereas someone who lacks this experience, simply doesn’t know all of the areas/vulnerabilities to account for.
And when it comes to website backups, it’s not just about the backups themselves, but really knowing how to restore your site when something does go wrong, with all considerations taken into account.
Guest post for BlogVault by Codeable.