SafetyDetectives spoke with Edward Chan, technical consultant at Lemonade, about the benefits of WordPress, cyberthreats that affect small businesses, and how to stay ahead of hackers and scammers. He also talked about how to reclaim a hacked website.
Thank you for taking some time for us today. Can you please talk about your background and what your role is at Lemonade?
Hi, my name is Chan Chun Yink, a.k.a. Edward. I am currently working as a technical consultant at Lemonade, a web design company based out of Singapore. I first joined Lemonade as a Project Developer, developing websites for our clients, such as ecommerce and corporate sites, using WordPress. I also did the maintenance and support for our clients’ sites, attending to and fixing various kinds of issues. After gaining enough exposure and experience developing websites, I started taking on the role of a technical consultant, where I do research on solutions and advise on the technical feasibility of our clients’ requirements.
What are Lemonade’s specialties?
Lemonade is an agency that does Digital Branding/Marketing and Web Design/Development for our clients, and we specialize in using the WordPress CMS and the Divi theme to build our clients’ websites.
I see that you use WordPress when developing your clients’ websites. Is this a more secure platform than other web builders?
At Lemonade, we specialize in using WordPress as our CMS to build websites for our clients. Getting into the other platforms individually and comparing them one by one would require a longer and more detailed discussion. But having said that, what we can confidently say is that there is no such thing as 100% protection from security breaches, regardless of the CMS/web builder one is using. As long as it is hosted online on the internet, the risk will always be there. Every platform will have its own share of risks and vulnerabilities, no matter how secure one claims it to be.
What we need to know is that when vulnerabilities are exposed, there must be good developers quickly working to patch and update the said loopholes. This comes to the important point of the question. To know if a platform is reliable in terms of security, we have to see if there are quality developers actively working on the platform, constantly on the lookout for the next vulnerability raised by security researchers and working on patches and updates regularly on the platform.
WordPress is an open source platform and has the largest share of the world’s websites. This means there is a very huge and active community of quality contributors/developers on the platform, constantly on the lookout for new vulnerabilities and regularly working on patches and updates. Updates to the WordPress core are done on a very regular basis. Just in the last few months, we already have multiple updates being rolled out. So I can confidently say that WordPress CMS is a reliable and secure platform for building websites.
What are the main web security threats for a small business website, and how do you secure the site?
Based on our experience, typically for small corporate WordPress websites that were not managed very well, the main source of security threats is usually due to the site’s plugins and themes. And apparently, this is supported by studies done by security firms too, whereby more than 90% of websites were found to be hacked due to vulnerabilities in plugins and themes.
These vulnerabilities exist because:
- Plugins, Themes, and WordPress core were not updated
- Plugins used were not from reputable developers
- Plugins were long deprecated and no longer supported
In view of these, we take extreme care when it comes to the selection of plugins used when building our clients’ sites. Before diving into using any plugin, we make sure to do careful research first, not only about its features and functionality but also to see if they have a proper support system in place for their users, such as their response time and the quality of their responses. We see if the plugin is from a reputable company and if they have a long history of support for the plugin. We also check the plugin’s update logs, how active the developers are, and the frequency of their update rollouts. We look at their terms and conditions and whether they have a refund policy in place should we still find that it does not meet our standards after purchasing it.
With this, we also created a list of plugins that we have approved for use internally, and we ensure that all sites that are built by us are using the same list of plugins to maintain consistency in the standards of reliability and security throughout.
Should we find a client’s site not built by us using plugins and themes that are not up to date, or using non-reputable or deprecated ones, we always update them to their latest versions and remove and replace the non-reputable or deprecated ones with plugins from our list of quality plugins to quickly secure their site.
As technology evolves and improves, so do hackers; how do you stay one step ahead to create a safe environment for your clients?
Aside from ensuring our clients’ sites are kept up to date and using quality plugins and themes, we also do a security hardening process that covers all important bases of a site’s security by using a quality and reputable security plugin.
These measures range from setting up a firewall that features login protection, 404 detection, and IP banning (such as limiting login attempts and locking out bots and hackers from executing brute-force attacks on our sites) to implementing 2-factor authentication login on the site, disabling PHP code execution in certain directories to prevent code injection attacks, cross-site scripting attack protection, conducting routine malware scanning for suspicious files and code, audit logging to track activities on the site, setting up reCAPTCHA protection on all forms on the site, etc., just to name a few.
We also run two different backup schedules to two separate locations for all our clients’ sites instead of only one.
Aside from that, we ensure that all sites are installed with an SSL certificate to secure information sent between server and browser by encryption, and we always keep the PHP version of the server up to date, ensuring that it is not on a deprecated version.
We also work with a reputable and quality hosting provider to host our clients’ sites, where regular backups and malware scanning are also done by the hosting provider.
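The login protection, 404 detection, and IP banning described in the answer above are usually provided by a security plugin, but the underlying detection is simple enough to show on raw web-server access logs. The script below is an added example written for this page, not code from Lemonade or from any plugin they use: it parses combined-format access-log lines (the timestamp format and the two login endpoints are assumptions), flags an IP that sends a burst of credential POSTs to wp-login.php or xmlrpc.php as a brute-force source, flags an IP that triggers a burst of 404s as a scanner, and returns the list of addresses to hand to a firewall deny list. The thresholds, the five-minute window, and the log lines themselves are constructed sample values.

```python
"""Flag IPs that brute-force wp-login.php or probe for missing files (404 scanning)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined access-log format as written by Apache/nginx; the timestamp format
# assumed here is the common "%d/%b/%Y:%H:%M:%S %z".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_ENDPOINTS = ('/wp-login.php', '/xmlrpc.php')   # both accept credential POSTs


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        'ip': m['ip'],
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'method': m['method'],
        'path': m['path'].split('?', 1)[0],   # ignore query strings
        'status': int(m['status']),
    }


def burst_detected(timestamps, window, threshold):
    """True if at least `threshold` timestamps fall inside any span of length `window`."""
    stamps = sorted(timestamps)
    start = 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def find_offenders(lines, login_threshold=5, not_found_threshold=10,
                   window=timedelta(minutes=5)):
    """Map offending IP -> set of reasons ('brute-force', '404-scan')."""
    login_posts = defaultdict(list)
    not_found = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue        # unparseable lines are skipped, not fatal
        if ev['method'] == 'POST' and ev['path'].endswith(LOGIN_ENDPOINTS):
            login_posts[ev['ip']].append(ev['ts'])
        if ev['status'] == 404:
            not_found[ev['ip']].append(ev['ts'])

    offenders = defaultdict(set)
    for ip, stamps in login_posts.items():
        if burst_detected(stamps, window, login_threshold):
            offenders[ip].add('brute-force')
    for ip, stamps in not_found.items():
        if burst_detected(stamps, window, not_found_threshold):
            offenders[ip].add('404-scan')
    return dict(offenders)


def ban_list(lines, **thresholds):
    """Sorted IPs to hand to the firewall / deny list."""
    return sorted(find_offenders(lines, **thresholds))


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    # ordinary visitor: one successful login and one mistyped URL
    '192.0.2.10 - - [10/Mar/2023:10:00:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2023:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2023:10:01:30 +0000] "GET /abuot/ HTTP/1.1" 404 1200 "-" "Mozilla/5.0"',
    'this line is deliberately malformed',
] + [
    # six login POSTs in under a minute from one address
    f'203.0.113.7 - - [10/Mar/2023:10:02:{i * 10:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.28"'
    for i in range(6)
] + [
    # twelve requests for pages that do not exist, a few seconds apart
    f'198.51.100.23 - - [10/Mar/2023:10:10:{i * 4:02d} +0000] "GET /missing-{i}/ HTTP/1.1" 404 900 "-" "-"'
    for i in range(12)
]

if __name__ == '__main__':
    for ip, reasons in find_offenders(SAMPLE_LOG).items():
        print(f'{ip:16s} {", ".join(sorted(reasons))}')
```

The sliding window matters: a legitimate user who mistypes a password twice a day never reaches the threshold, while the six POSTs inside one minute do. The ordinary visitor's single 404 is likewise ignored. In production the thresholds would be tuned to the site's real traffic, and the resulting list fed to whatever the firewall or security plugin uses for IP bans.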
If a hacker manages to bypass the security features, how can a small business owner regain control of their WordPress site?
My recommendation would be to first check if they can still log into their site. If they are able to do so, conduct a malware scan of the site to detect suspicious code and files and remove them as soon as possible. Also, check the audit log and look for suspicious activities that were done to the site. Ensure there are no suspicious users with Administrator roles on the site. If there are, delete those users too. Change all users’ passwords to new ones, especially those with Administrator roles. Make sure that all the plugins, themes, and WordPress core are updated to the latest version on the site. Delete any plugins that are not in use. Check that all plugins used on their site are from reputable sources and have had updates released recently.
If they are unable to log in to their site, then they may have to reach out to their hosting provider for help to restore a backup copy of the site that was not affected by the hack or to delete suspicious files/codes via the server.
If they are unsure how to do so, they can always reach out to an expert like us at Lemonade who can help to secure their site.
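The recovery advice above starts with a malware scan for suspicious code and files, and the earlier hardening answer mentions disabling PHP execution in certain directories. The script below is an added example written for this page, not Lemonade's tooling or any security plugin's scanner: it walks a WordPress install, reports any PHP file under wp-content/uploads (a directory that should only ever hold media), and reports PHP files containing a few well-known obfuscation idioms that legitimate WordPress code has no reason to use. The signature list is deliberately short and constructed for illustration, the file-extension rules are assumptions, and the sample site it scans is a constructed temporary tree with three planted indicators.

```python
"""Walk a WordPress install and report files carrying common backdoor indicators."""
import os
import re
import tempfile

# Any of these extensions anywhere after the first dot (so "image.jpg.php" and
# "notes.php.txt" both count) marks a file as potentially executable as PHP on
# loosely configured servers.  Assumed list.
PHP_EXTENSIONS = {'php', 'phtml', 'php5', 'php7', 'phar'}

# Directories that must hold content only, never executable PHP.
NO_PHP_DIRS = ('wp-content/uploads/',)

# Constructed, deliberately short signature list; real scanners carry far more.
SUSPICIOUS_PATTERNS = {
    'eval-of-decoded-payload': re.compile(
        r'eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I),
    'exec-of-request-input': re.compile(
        r'\b(eval|system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b', re.I),
    'preg_replace-e-modifier': re.compile(
        r"preg_replace\s*\(\s*(['\"])/[^/]*/[imsxuADSUXJ]*e[imsxuADSUXJ]*\1", re.I),
}


def looks_like_php(filename):
    """True if any extension segment of the name is a PHP extension."""
    parts = filename.lower().split('.')[1:]
    return any(part in PHP_EXTENSIONS for part in parts)


def scan_tree(root):
    """Return sorted (relative_path, indicator) pairs for everything under `root`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not looks_like_php(name):
                continue                      # media and text files are not executable
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            if rel.startswith(NO_PHP_DIRS):
                findings.append((rel, 'php-in-uploads'))
            try:
                with open(path, encoding='utf-8', errors='replace') as fh:
                    content = fh.read()
            except OSError:
                continue                      # unreadable file: skip, do not abort the scan
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(content):
                    findings.append((rel, label))
    return sorted(findings)


def build_sample_site(root):
    """Write a constructed WordPress-like tree with three planted indicators (all inert)."""
    files = {
        'wp-config.php': "<?php define('DB_NAME', 'example'); // constructed, clean\n",
        'wp-content/themes/site/functions.php': "<?php add_action('init', 'site_init');\n",
        'wp-content/uploads/2023/03/photo.jpg': 'constructed placeholder bytes, not a real image\n',
        # PHP where only media belongs; the code itself is harmless
        'wp-content/uploads/2023/03/image.php': "<?php echo 'hello'; ?>\n",
        # decoded-payload eval; the base64 decodes to the word "placeholder"
        'wp-content/plugins/old-plugin/helper.php': '<?php eval(base64_decode("cGxhY2Vob2xkZXI="));\n',
        # deprecated /e modifier (removed in PHP 7) on a harmless replacement
        'wp-includes/class-legacy.php': "<?php preg_replace('/x/e', 'strtoupper(\"x\")', 'x');\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(content)


def demo():
    """Build the constructed site in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == '__main__':
    for rel, label in demo():
        print(f'{label:26s} {rel}')
```

Point `scan_tree` at a real document root and review each hit by hand: a match is a lead, not a verdict, and a clean run proves little against anything outside the signature list, which is why the answer above also recommends checking the audit log and the Administrator user list rather than relying on a file scan alone.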
Thank you.