As you know, 3001Web only offers fully managed hosting. Security is one of our biggest focuses here at 3001Web, so below are a few things you need to know about how we keep your site up to date and secure. Please bear in mind that your site's security is YOUR responsibility, not ours. These are just things we do or insist upon to help you achieve that aim.
I am sure you are aware of the consequences of a data breach. Violations of data protection regulations, such as GDPR or CCPA, can lead to huge fines and legal action. Just the cost of sorting out a data breach is eye-watering; one breach can literally bankrupt a small business.
It really isn't worth the risk and we need to do everything we can to make our sites secure.
UPDATES
A big part of our managed hosting is that we take care of all WordPress core, theme and plugin updates for you. We scan all sites on our servers daily for updates, and if there are any, we will perform them as soon as it is practically possible.
To facilitate this, we will install a couple of plugins on your site:
- Our updates and maintenance plugin
- Admin menu manager pro
These plugins will be hidden from other users, including yourself, for security reasons. Don't worry: if you ever decide to change hosts, let us know and we will log in and remove the plugins.
We will update all the plugins and themes that we can. If your site has premium plugins, you must keep your licenses up to date so that we can update them. If at any point you cannot afford to renew a license for a plugin or theme, contact us by support ticket, as we do have developer licenses for a LOT of premium plugins and may be able to help you reduce costs.
ABANDONED PLUGINS AND THEMES
We will also monitor your sites for abandoned plugins or themes. By that we mean plugins or themes that have not been updated in over a year. Web computing languages are changing ALL the time, and plugins and themes need to keep up to stay secure. Quite often, an author who releases a free theme or plugin will eventually get fed up with maintaining it and simply stop doing so. Remember, they are not being paid for their time, so this is a fairly regular occurrence, and it is why we usually recommend only using well-established or premium plugins for your site.
If they stop updating the plugin or theme, it then becomes a security risk and we will INSIST that it is removed or replaced with another actively maintained plugin that does the same job.
DISABLED PLUGINS
If you have plugins installed in WordPress that are disabled (not in use), then you must remove them. Leaving disabled plugins on your site is a HUGE security risk: a disabled plugin's files are still on the server, so any vulnerability in them is still there too. If it is a plugin that you use infrequently, either remove it and re-add it when you need it (recommended) or leave it activated.
ADMIN AREA SECURITY
You may not be aware, but hackers and spammers are constantly trying to gain access to WordPress sites. This happens to ALL sites on a daily basis (yes, even yours), so the security needs to be tight. With that in mind, we will also install two security plugins on your site to add extra protection for your WordPress admin area.
We will install the following two plugins on your site:
- Limit Login Attempts Reloaded. This prevents amateur hackers from using password-cracking software and firing thousands of different username and password combinations at your site to try and get access to your admin area.
- BBQ Pro. This is a professional-grade premium double firewall and a bad bot blocker. We will provide this free of charge for you for as long as you host with us.
These two plugins will replace other, heavier WordPress security plugins such as Wordfence, which we may remove (we will tell you first).
We also STRONGLY recommend you add two-factor authentication (2FA) to your site. Yes, we know it is an extra step each time you log in, but trust us, it is nowhere near as inconvenient as losing your business or a small fortune to a data breach. You can pop in a support ticket for help with setting that up.
ADMIN USERNAMES
It is vital that your site never has an admin account with the username "Admin". This is the very first thing automated programs that try to guess your access details will try. If your username is "Admin", they are instantly halfway there; all they need now is your password. We should never make it easy for them. If your site has any accounts with "Admin" as a username, we will ask you to change that. We will guide you through it; just pop in a support ticket.
Of course, our servers are protected with state-of-the-art security, but none of that will matter if you leave your website vulnerable by not doing all the things above.