We now know why the hackers are after websites and how they are targeting them (if you missed this, check out the previous episodes).
You’ve probably also noticed that I’ve intentionally avoided giving the “use X for Y” recommendations and have not covered any defensive methods in the past 3 episodes.
This is because the most powerful thing you can do to keep your website (and your business) safe is to think about security in the correct way. You don’t wash yourself only when someone says you stink (I hope). The same should apply to security.
Peace of mind = False sense of security
People tend to search for “one-click” and “all-in-one” solutions to problems that feel too complex to understand, or inconvenient enough that they just want the problem to go away.
This is especially true in the WordPress ecosystem, where security has mostly been something that is dealt with only after a complete failure. This is why, for more than a decade, the most popular security services have actually been incident response (clean-up) services.
Security companies should take some of the blame here. Even today, you can find security services that market “peace of mind” and “plug and play security”, and some even go as far as claiming to offer 100% security.
The truth is, as soon as people go for “peace of mind”, they become the most vulnerable: they think they are secure, but don’t even care to check. “Peace of mind” is what most often leads to a false sense of security.
Security is an ongoing process
Security is not as complicated and mysterious as it may look. You don’t need to understand every technical aspect of how computers, servers and web technologies work.
However, you do need to know what you, your website and your business rely on. Once you know that, you can start mapping your attack surface and then set up defensive measures to keep it covered.
The things you rely on constantly change, which is why security should never be approached with a “set it and forget it” mindset. You can’t protect what you don’t know about.
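To make the “know what you rely on, and notice when it changes” idea concrete, here is a small inventory drift check. It is an added example, not code from Patchstack or from this series: a written-down baseline of the components a site depends on (plugins, theme, PHP version) is compared against what is installed now, and anything added, removed, updated or with no named owner is reported. Both inventories are constructed sample data; the component names, versions and the `owner` field are assumptions for illustration.

```python
"""Inventory drift check: an added illustration of "you can't protect
what you don't know about". All data below is constructed sample data."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    """One thing the site relies on: a plugin, theme, runtime or service."""
    kind: str     # e.g. "plugin", "theme", "php"
    name: str
    version: str
    owner: str    # who keeps it updated; "unknown" means nobody does (assumed field)


@dataclass
class Drift:
    """What changed between the written-down baseline and the current state."""
    added: list[Component] = field(default_factory=list)
    removed: list[Component] = field(default_factory=list)
    changed: list[tuple[Component, Component]] = field(default_factory=list)

    def is_empty(self) -> bool:
        return not (self.added or self.removed or self.changed)


def _index(components: list[Component]) -> dict[tuple[str, str], Component]:
    # A component is identified by its kind and name; version/owner may change.
    return {(c.kind, c.name): c for c in components}


def diff_inventory(baseline: list[Component], current: list[Component]) -> Drift:
    """Compare the baseline inventory with what is installed now."""
    before, after = _index(baseline), _index(current)
    drift = Drift()
    for key, comp in after.items():
        if key not in before:
            drift.added.append(comp)          # new dependency nobody planned for
        elif before[key] != comp:
            drift.changed.append((before[key], comp))  # version or owner changed
    for key, comp in before.items():
        if key not in after:
            drift.removed.append(comp)        # baseline is stale, update it
    return drift


def unowned(inventory: list[Component]) -> list[Component]:
    """Components that nobody is responsible for keeping patched."""
    return [c for c in inventory if c.owner == "unknown"]


def report(drift: Drift) -> list[str]:
    """Human-readable lines, one per change, for the weekly review."""
    lines = [f"added    {c.kind}/{c.name} {c.version} (owner: {c.owner})" for c in drift.added]
    lines += [f"removed  {c.kind}/{c.name} {c.version}" for c in drift.removed]
    lines += [f"changed  {o.kind}/{o.name} {o.version} -> {n.version} (owner: {n.owner})"
              for o, n in drift.changed]
    return lines


# Constructed baseline: what was written down when the inventory was made.
BASELINE = [
    Component("php", "php", "8.1", "host"),
    Component("plugin", "contact-form", "5.7.2", "agency"),
    Component("plugin", "seo-toolkit", "2.0.0", "agency"),
    Component("theme", "storefront", "4.1.0", "agency"),
]

# Constructed current state: one plugin updated, one removed, one added by
# someone who never told anyone, so it has no owner.
CURRENT = [
    Component("php", "php", "8.1", "host"),
    Component("plugin", "contact-form", "5.8.0", "agency"),
    Component("plugin", "image-optimizer", "1.3.1", "unknown"),
    Component("theme", "storefront", "4.1.0", "agency"),
]


if __name__ == "__main__":
    drift = diff_inventory(BASELINE, CURRENT)
    for line in report(drift):
        print(line)
    for c in unowned(CURRENT):
        print(f"no owner: {c.kind}/{c.name} {c.version}")
```

Run on a schedule, the baseline is the list you maintain by hand and the current inventory is whatever you can export from the site; any non-empty drift is a prompt to either update the baseline or find out who made the change, and an unowned component is a dependency that will not get patched until someone is made responsible for it.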
Expect to become compromised
In the end, we’re all humans. Regardless of how hard you try, it’s pretty much inevitable that you’ll miss something, make a mistake and maybe even get compromised. If you’ve already expected this to happen and have a plan prepared, it will be much easier to recover.
Having a DRP (Disaster Recovery Plan) can also become extremely important in other situations. For example, when you’ve lost access yourself, or when the people who originally held access are not around anymore.
Essentially, the idea is to write down a detailed step-by-step guide which should be followed as soon as an incident is unfolding. It’s much easier to come up with a plan now than to try to do it under high stress. It will save a lot of time, money and nerves.
Security is a process and not something you can have a “silver bullet” for. It’s about being proactive and keeping a clear overview of what you rely on. Only then will you be able to know where security is needed.
Imagine that you’re already compromised. What was the weakest link?
Next week, let’s start mapping the attack surface!
Some more resources:
PS! As a reminder, if you wish to get these episodes directly in your email, here’s a newsletter we created just for that: http://subscribepage.io/patchstack
Join the Conversation!
There’s a dedicated thread on this post inside The Admin Bar community. Join in on the conversation, ask questions, and learn more! (Group Thread)