There are several “Levels” to your web presence and in most cases (unless your I.T. department has dictated the use of an alternate solution) Skunkworks has the following security measures implemented at each of these levels for your firm.


1. Registrar level

The login for the place where you registered your business' domain name is your most critical and sensitive asset. It is at the highest level of importance for your web presence. No matter how secure everything else is, if your registrar login is compromised, then all other security measures were for naught. This is “The master key to the entire kingdom” so to speak.


i.e. Don’t let the password abc123 here be your business' downfall.

Skunkworks tries to point our clients towards using Hover for domain registrations. Hover, in addition to being reputable and non-sales oriented, has high-security two-factor authentication available for account holders so that even a compromised password won’t allow access.


2. DNS Level

Whenever possible Skunkworks implements Cloudflare for our clients' domains. Cloudflare routes traffic looking for [yourdomain.ca] to the server that houses your website. In addition to just routing the traffic, Cloudflare helps protect it.


Advanced threat detection helps filter out malicious traffic before it even reaches your web server or the website housed on it.


Extensive Firewall controls help to lock down access even further, allowing entire countries to be prevented from reaching your login screen.


Automatic forced SSL ensures that all traffic between the visitor and the website is encrypted in transit and not able to be eavesdropped on by hackers.


Cloudflare acts as a proxy between your domain name and your website which allows it to mask the true origin IP of your web server, helping to prevent direct attacks.


Access to Cloudflare’s controls is permission based and the account holder is able to revoke a delegated party’s granted access at any time.


The account holder logs in with a Google account which has many independent security measures in place including 2FA.


3. Server Level

Wherever possible Skunkworks utilizes DigitalOcean for providing servers to our clients. The server itself is a private server, unlike cheap generic shared hosting, which helps prevent possible cross-site compromise. It runs independently and isolated from your corporate network, and neither has direct access to the other.

The server is also pre-configured by ServerPilot to deny access to any connection that isn’t for the purposes of viewing a website or transferring files over the most secure and encrypted connection available.

Easily guessed default details are reconfigured to reduce the threat from bots scanning the entire internet for possible opportunities to exploit.


All system passwords are machine generated strong passwords created using best practices for password generation.

The DigitalOcean account holder logs in with a Google account which has many independent security measures in place including 2FA.


4. Website Level

Your website itself has many measures in place to help prevent compromise.

  1. Apache .htaccess file
    The web server software that is installed on the server and allows it to display websites to visitors (named “Apache”) has a powerful configuration file called the .htaccess file available to utilize. Skunkworks has equipped your website with a custom .htaccess file that was developed internally over several years and helps close known vulnerabilities and further enhance your site’s security.
  2. Cloudguard
    This plugin communicates with Cloudflare’s service to determine the geo-location of a connection attempt to the login screen. If it’s not from our own country, then the connection is denied.
  3. Google Captcha
    An “I’m not a robot” verification check also helps protect the login screen from bots or intrusion attempts that may originate from within Canada.
  4. iThemes Security plugin
    One of the best security plugins available for WordPress includes a full feature set at no cost. Email alerts to Skunkworks notify us immediately of any issues.
  5. Sucuri plugin
    Monitors WordPress integrity and reports on any detected potentially suspicious activity.
  6. Wordfence plugin
    Scans for malware infections on your website and includes firewall options that may be used on your site if Cloudflare is not available.
  7. External Monitoring
    Skunkworks employs several automated monitoring tools to keep an eye on your web server and its website(s). These tools monitor uptime, page speed, the domain itself, the server itself, and SSL certificate status.
  8. Further options
    The ability to turn off notification emails (which contain form submission details) does exist and is available if desired. This will prevent private information from being transmitted via email and stored within the recipient’s inbox. This requires that form submissions are instead retrieved by logging in to the website and viewing them there directly which many clients find to be inconvenient for them despite its higher level of security.
  9. Backdoor
    Skunkworks is able to regain access to a compromised WordPress site, so in the unlikely event of a website takeover where all Admin access has been removed, it can be recovered at the server level. This is done via the command line at the web server level with the tool WP-CLI.
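
A sketch of the country check described under Cloudguard above, added here as an illustration; it is not Skunkworks' or the plugin's code. It assumes the origin sees Cloudflare's `CF-IPCountry` request header and trusts it only when the connection arrives from a Cloudflare address, which is why masking the origin IP at the DNS level matters; the range list, allowed-country set and sample requests are constructed.

```python
import ipaddress

# Sample of Cloudflare's published IPv4 ranges (assumption: refresh the full
# list from https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15",
)]

ALLOWED_COUNTRIES = {"CA"}                 # "our own country" on this page
LOGIN_PATHS = ("/wp-login.php", "/wp-admin")


def from_cloudflare(peer_ip):
    """True when the TCP peer address belongs to a Cloudflare range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def login_decision(peer_ip, path, headers):
    """Return (allowed, reason) for one request that reached the origin."""
    if not path.startswith(LOGIN_PATHS):
        return True, "not a login path"
    # A request that bypassed the proxy can carry any header it likes,
    # so the country value is only believed for Cloudflare peers.
    if not from_cloudflare(peer_ip):
        return False, "direct-to-origin request, country header untrusted"
    country = headers.get("CF-IPCountry", "").upper() or "unknown"
    if country not in ALLOWED_COUNTRIES:
        return False, "country %s not allowed" % country
    return True, "country allowed"


# Constructed sample requests: (peer address, path, request headers)
SAMPLES = [
    ("172.64.10.5", "/wp-login.php", {"CF-IPCountry": "CA"}),
    ("172.64.10.5", "/wp-login.php", {"CF-IPCountry": "FR"}),
    ("203.0.113.9", "/wp-login.php", {"CF-IPCountry": "CA"}),  # forged header
    ("203.0.113.9", "/about/", {}),
]

if __name__ == "__main__":
    for peer, path, hdrs in SAMPLES:
        print(peer, path, login_decision(peer, path, hdrs))
```

The third sample shows the failure mode: a forged `CF-IPCountry: CA` header is rejected because the connection did not come through Cloudflare.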


The ability to “Flush” old, previously collected and stored form data within WordPress exists within the Gravity Forms plugin.


If you are worried about an authorized administrator of your website accessing and misusing data collected through your forms…

  1. You may want to consider lowering that WordPress user’s permissions level so that they cannot see information they aren’t trusted with having access to.
  2. A sold-separately solution called Gravity Forms Encrypted fields is available for $40 USD that will help hide the information from being visible to Admin users of the website and further secure the data on the web server. Skunkworks has purchased a copy for ourselves and is currently assessing it but has no recommendation to pass on for it at this time.