Tag Archives: security

Improvements to Managed WordPress

2020Media is delighted to announce new features to their Managed WordPress hosting plans.

Global CDN Performance and DDoS protection

  • As a Cloudflare hosting partner, we offer the benefits of their free global CDN plan to all our Managed WordPress customers.
  • Websites load twice as fast on an international CDN and use 60% less bandwidth.
  • Cloudflare also blocks thousands of malware and DDoS attacks.
  • "Railgun" is available as an optional add-on for even more performance.
  • WordPress database optimisation is done automatically to keep WordPress fast.
Cloudflare Distributed Performance and Security

Managed WordPress Backups

  • We automatically back up only what has changed every 24 hours, which keeps backups quick and small.
  • Your sites are safely backed up to Google Drive, Amazon S3 or Dropbox.
  • Stage an update to check integrity before making the changes live.
  • With smart update detection, we automatically detect security updates and apply them to your WordPress sites.

Updates with complete Peace of Mind

  • Automatically backs up your WP site whenever an update takes place, be it an auto or a manual update.
  • Automatically checks your site after every update and notifies us in case of a bad update so that we can restore your site.
  • We can restore a specific file or an entire site or just the database. We can also restore your website even if it’s down or deleted.

Security Features

  • Regular security scans against the complete site.
  • Advanced bot blocking technology locks out intruders without compromising performance.
  • Alerts from Google Search Console report any problems with your site that might affect its search engine ranking.
  • Sucuri Malware scans to root out malware.
Your WordPress watchdog

Summary

“The 2020Media Managed WordPress service keeps on getting better and better” … Richard Clarke

If you’re looking for a faster, safer website, you’ve got a good start with 2020Media.  Contact us on 0370 321 2020 or email sales@2020media.com

Security Fix for Joomla

Source: Security hotfixes for Joomla EOL versions – Joomla! Documentation

The Joomla project has just released Joomla 3.4.6 to address a critical vulnerability.

The vulnerability is also present in the discontinued Joomla 2.5 and 1.5 series (Joomla 1.0 is not affected). If you still have sites running these old Joomla versions, you must patch them appropriately.

For these old versions a simple file replacement is all that is needed, as described on the Joomla documentation page below.

https://docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions

2020Media will happily undertake this replacement for any Joomla user, whether they are a customer or not. Please let us know if we can help by contacting us.
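A quick way to find which of a batch of sites still needs attention, as an added example that is not part of 2020Media's post or of the Joomla project's tooling: a POSIX shell script that reads the release from each document root's JVersion file and flags anything below 3.4.6. The file locations (libraries/cms/version/version.php for 2.5 and 3.x, libraries/joomla/version.php for 1.5), the single-quoted RELEASE and DEV_LEVEL values, and the treatment of the EOL branches between 1.5 and 3.4 as suspect are this example's assumptions.

```shell
#!/bin/sh
# Added example, not 2020Media's tooling: report the Joomla release under each
# document root given on the command line and flag those below 3.4.6.
# Assumed layout (from memory of the Joomla tree): the JVersion class lives in
# libraries/cms/version/version.php (2.5 and 3.x) or libraries/joomla/version.php (1.5)
# and carries RELEASE (e.g. '3.4') and DEV_LEVEL (e.g. '6') in single quotes.

# joomla_version DOCROOT -> prints e.g. 3.4.6, or returns 1 when no version file is found
joomla_version() {
    for f in "$1/libraries/cms/version/version.php" "$1/libraries/joomla/version.php"; do
        [ -f "$f" ] || continue
        awk -F"'" '
            /RELEASE[[:space:]]*=/   { r = $2 }
            /DEV_LEVEL[[:space:]]*=/ { d = $2 }
            END { if (r == "" || d == "") exit 1; print r "." d }
        ' "$f"
        return $?
    done
    return 1
}

# version_lt A B -> true when dotted version A sorts numerically before B
version_lt() {
    [ "$1" != "$2" ] || return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# needs_hotfix VERSION -> true for anything from 1.5 up to but below 3.4.6.
# The post covers 3.x (fixed in 3.4.6), 2.5 and 1.5 and says 1.0 is unaffected;
# treating the EOL branches in between as suspect is this example's assumption.
needs_hotfix() {
    case $1 in
        1.0.*) return 1 ;;
    esac
    version_lt "$1" 3.4.6
}

# joomla_inventory DOCROOT... -> one tab-separated line per root: path, version, verdict
joomla_inventory() {
    for root in "$@"; do
        if v=$(joomla_version "$root"); then
            if needs_hotfix "$v"; then verdict="NEEDS HOTFIX"; else verdict="ok"; fi
            printf '%s\t%s\t%s\n' "$root" "$v" "$verdict"
        else
            printf '%s\t-\tnot a Joomla root\n' "$root"
        fi
    done
}

if [ $# -ge 1 ]; then
    joomla_inventory "$@"
fi
```

Run it as `sh joomla-inventory.sh /var/www/*/htdocs` (or whatever your document roots are) and act on every line marked NEEDS HOTFIX; a root without either version file is reported rather than silently skipped, so Joomla 1.0 installs (which keep their version elsewhere) show up as "not a Joomla root" and can be checked by hand.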

Drupalgeddon – our response

Drupalgeddon!

The recent #drupalgeddon incident and comments from a customer made us rethink how we apply Drupal updates for customers (2020Media is a leading UK Drupal hosting provider. We offer a tuned hosting environment for Drupal that is fast and responsive).

For those who missed it on the BBC news and elsewhere, 'drupalgeddon' was a security weakness in the Drupal content management system which allowed attackers to take over websites.

http://www.bbc.com/news/technology-29846539

Mark Stockley, an analyst at security firm Sophos, said the warning was “shocking”. “Many site owners will never have received the announcement and many that did will have been asleep,” he said. “What Drupal badly needs but doesn’t have is an automatic updater that rolls out security updates by default.” There is strong feeling on both sides with many arguing against “dumbing down” Drupal.

Whilst we wait for an auto-update mechanism in Drupal (perhaps in Drupal 8?), we’ve always been able to update Drupal for our customers. It’s a free service but one done “on request”.

We do not apply updates automatically to any and all Drupal sites we host, for a very good reason: the risk of breaking a customer's site is too great. It's worth noting that Drupalgeddon was the first security problem of this kind in 9 years, so it's arguable that the risk of another on such a scale is manageably small. Drupal updates typically replace the entire Drupal codebase, leaving just the /sites/ folder untouched, so if a customer or their developer has changed any core file, those changes will be wiped out.
Sometimes a bug is fixed or a feature changed by an update; if the site already has a workaround for that bug in place, the update can then break the site. These are just a few of the reasons.

The problem for us is that we did not build the site in the first place, nor are we familiar with its inner workings, so it is very hard for us to be sure the site is in a working state after an update: a working homepage does not mean the site is 100% working. If the customer is going to be involved (and in our view they have to be) to check the site after the update, they should be involved all the way through: from the Drupal notification email or the Drupal security list announcement, to the timing of the update, to checking the site afterwards in case a rollback is required.

What changes have we made? Actually very little. We have simply streamlined our internal processes to make the technical side of doing the update a lot quicker. A lot of our customers have several sites with us, so we now use some simple scripting to update all of a customer's sites once they give us the go-ahead.

Inspiration for the scripting came from Dane Powell ‘s blog: http://danepowell.com/node/69

Our version of the script is:

Update Multiple Drupal Sites Script


#!/usr/bin/env bash
# Update several discrete Drupal sites in one go; run once the customer has given the go-ahead.
set -u

installpath[1]=/our/pathtosite1
installpath[2]=/our/pathtosite2
installpath[3]=/our/pathtosite3
backupdir=/pathforbackups

for index in 1 2 3
do
    filepath=${installpath[index]}
    printf "Updating %s\n" "$filepath"
    # Never run drush in the wrong directory: skip the site if the path is bad.
    cd "$filepath" || { printf "Cannot cd to %s, skipping\n" "$filepath" >&2; continue; }
    drush pm-refresh
    # One archive per site; a single shared filename would leave only the last site's backup.
    # No backup, no update.
    drush archive-dump --overwrite --destination="$backupdir/backup-site$index.tar" \
        || { printf "Backup of %s failed, skipping update\n" "$filepath" >&2; continue; }
    # Keep a copy of .htaccess: core updates sometimes overwrite it.
    cp -f .htaccess ../
    drush vset --always-set maintenance_mode 1
    drush cache-clear all
    drush up drupal --yes
    drush vset --always-set maintenance_mode 0
    drush cache-clear all
    cp -f ../.htaccess ./
    # Reset ownership to the web server user (change this for suphp setups).
    chown -R apache:apache ./
done

Notes on the script.

This script is for discrete Drupal sites, not Drupal multisite.

We copy .htaccess out of the way and put it back afterwards because we noticed Drupal updates sometimes overwrote the original.

The final step resets file ownership on the site to whatever user your web server runs as. If using suphp this would need to be changed.

Output is written to the command line so you can see what is going on.

Use at your own risk. Comments and improvements are welcome.
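The update script above takes a backup, but it cannot tell you beforehand whether the update will wipe out a change someone made to a core file, the risk described earlier in this post. One way to find such changes before running it, as an added example that is not part of 2020Media's tooling: fetch a pristine copy of the same release and compare it file by file, ignoring the /sites/ folder. It assumes a Drupal 7 site (the version is read from includes/bootstrap.inc), drush on PATH and drush pm-download's --destination and --drupal-project-rename options for fetching the clean tree; the comparison itself needs only find and cmp.

```shell
#!/bin/sh
# Added example, not part of 2020Media's update script: before running 'drush up',
# list every core file that differs from a pristine copy of the same release, so that
# core hacks the update would silently overwrite are known in advance.
# Assumptions: a Drupal 7 site (version read from includes/bootstrap.inc), drush on
# PATH, and 'drush pm-download' accepting --destination and --drupal-project-rename.
set -e

# drupal_version DOCROOT -> prints e.g. 7.32 from define('VERSION', '7.32'); returns 1 if not found
drupal_version() {
    [ -f "$1/includes/bootstrap.inc" ] || return 1
    v=$(sed -n "s/^define('VERSION', *'\([^']*\)');.*/\1/p" "$1/includes/bootstrap.inc")
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# core_modifications PRISTINE SITE -> one line per differing file: "changed|removed|added  path".
# The sites/ tree (settings, files, contrib modules and themes) and .git are skipped because
# the update leaves them alone; an empty result means core is untouched.
core_modifications() {
    pristine=${1%/}; site=${2%/}
    {
        find "$pristine" -path "$pristine/sites" -prune -o -path "$pristine/.git" -prune -o -type f -print \
        | while IFS= read -r f; do
            rel=${f#"$pristine"/}
            if [ ! -e "$site/$rel" ]; then
                printf 'removed %s\n' "$rel"
            elif ! cmp -s "$f" "$site/$rel"; then
                printf 'changed %s\n' "$rel"
            fi
        done
        find "$site" -path "$site/sites" -prune -o -path "$site/.git" -prune -o -type f -print \
        | while IFS= read -r f; do
            rel=${f#"$site"/}
            [ -e "$pristine/$rel" ] || printf 'added   %s\n' "$rel"
        done
    } | sort
}

if [ $# -eq 1 ]; then
    site=$1
    ver=$(drupal_version "$site") || { echo "no Drupal 7 version found under $site" >&2; exit 1; }
    scratch=$(mktemp -d)
    # Fetch the exact same release into a scratch directory named 'pristine'.
    drush pm-download "drupal-$ver" --destination="$scratch" --drupal-project-rename=pristine -y
    mods=$(core_modifications "$scratch/pristine" "$site")
    rm -rf "$scratch"
    if [ -n "$mods" ]; then
        printf 'core differs from a clean drupal-%s; review before updating:\n%s\n' "$ver" "$mods"
        exit 2
    fi
    echo "core matches drupal-$ver; nothing customised will be lost by the update"
fi
```

Run it as `sh core-check.sh /our/pathtosite1` before the update script; a non-empty list with exit status 2 is the cue to ask the customer about each file (or to re-apply the change after the update), whereas an empty list means the only thing the update will touch is stock core. The check also catches files added to core directories, which `drush up` does not remove but which are easy to forget about.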

Protect your WordPress website

The WordPress brute-force login attacks show little sign of abating and we recommend all users ensure their sites are secured against this attack.

The Attack

Since spring 2013, attackers have been hitting the WordPress login URL (wp-login.php) with "standard" usernames (like 'admin') and thousands of passwords. In our experience nearly all users have an 'admin' account, which makes them especially vulnerable.

The Solution

Not a solution exactly, but it should protect your site from being hacked by this attack.

The solution we propose is to change your username to something only you know. If you are creating a new WordPress site, don't use the default 'admin'; choose a new username.

If you have an existing site, WordPress won't let you change a username from the dashboard (and deleting 'admin' means first creating another administrator and reattributing its content), so there are lots of free plugins around to rename it instead. The one we've been using is called 'Username Changer'. Install it, activate it, change your username and then remove it. It's a one-off job. One check afterwards: the author archive URL is built from the user's nicename, which defaults to the old login, so a request for /?author=1 can still reveal 'admin' unless you change the nicename (and display name) as well.

2020Media can help

2020Media would like to see these WordPress attacks stop, but realistically that is not going to happen: it is a distributed attack from botnets, and it will only end when it is no longer worth the attackers' while.

2020Media are happy to change your login username for you, and we can add server-side protection that mitigates the denial-of-service aspect of the attack, the load caused by thousands of login requests.
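Spotting the attack in the web server logs, as an added example that is not 2020Media's tooling: the first function below counts POST requests to wp-login.php per client address in an Apache combined-format access log, and the second turns the offenders into an Apache 2.4 deny list for just the login URL, leaving the rest of the site reachable. The log layout (client IP in field 1, method in field 6, path in field 7), the threshold of 20 and the Apache 2.4 "Require" syntax are assumptions; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not 2020Media's tooling: pick out the source addresses of a
# wp-login.php password-guessing run from an Apache combined-format access log
# and turn them into an Apache 2.4 deny list for the login URL only.
# Assumptions: combined log format (client IP in field 1, method in field 6,
# path in field 7); mod_authz_core for "Require not ip". Sample lines are constructed.

# wp_login_offenders THRESHOLD  (reads the log on stdin)
# Prints "IP count" for every client that POSTed to wp-login.php at least THRESHOLD
# times (default 20), busiest first. GETs of the login page are not counted.
wp_login_offenders() {
    awk -v t="${1:-20}" '
        $6 == "\"POST" && $7 ~ /\/wp-login\.php(\?|$)/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) printf "%s %d\n", ip, n[ip] }
    ' | sort -k2,2nr
}

# htaccess_deny  (reads "IP count" lines on stdin)
# Emits an Apache 2.4 <Files> block that keeps wp-login.php reachable for everyone
# except the listed addresses; paste it into the site's .htaccess.
htaccess_deny() {
    printf '<Files "wp-login.php">\n  <RequireAll>\n    Require all granted\n'
    awk '{ printf "    Require not ip %s\n", $1 }'
    printf '  </RequireAll>\n</Files>\n'
}

# sample_log: constructed traffic, one client hammering the login form (25 POSTs),
# one legitimate login (a GET then one POST) and one crawler fetching the homepage.
sample_log() {
    i=1
    while [ "$i" -le 25 ]; do
        printf '10.0.0.5 - - [10/Apr/2013:12:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"\n' "$i"
        i=$((i + 1))
    done
    printf '10.0.0.6 - - [10/Apr/2013:12:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"\n'
    printf '10.0.0.6 - - [10/Apr/2013:12:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    printf '10.0.0.7 - - [10/Apr/2013:12:02:00 +0000] "GET / HTTP/1.1" 200 9000 "-" "Googlebot"\n'
}

if [ $# -ge 1 ]; then
    # Usage: wp-offenders.sh /var/log/apache2/access.log [threshold]
    wp_login_offenders "${2:-20}" < "$1" | htaccess_deny
else
    sample_log | wp_login_offenders 20 | htaccess_deny
fi
```

Counts are over the whole file, so run it against the current log or a recent tail of it; fail2ban does the same job per time window and expires the bans for you. Blocking addresses is a stop-gap against a botnet whose sources rotate, which is why changing the username remains the main fix.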

Managed WordPress

The Managed WordPress service from 2020Media is something anyone who is not logging in to their WordPress site on a weekly basis should seriously consider. Even if you do, you get peace of mind as updates to WordPress, themes and plugins are done for you. Read more