Security on your website is of the utmost importance for the sake of the investment you have put into your website and the users who use your site. All sites on the net are under the scrutiny of the dangers of the web and require steps to keep up with security and compliance, even more so when those sites house users’ data.
If your site were to get hacked, all of your users’ data would be in danger, which is your responsibility to protect and you can carry liabilities to those users. The hacked site could be used to cause damage to visitors’ computers or used to bulk send spam messages, tarnishing your business name. Worst of all, not being compliant, or getting hacked can have your site de-indexed from the web search engines, or blacklisted from sending email.
Although it is nearly impossible to make your site 100% secure, we will try to convey some of the essentials you can do to keep your site secure and keep up with modern compliance requirements. It is a major part of a site build to manage security and compliance, and if you are unable to attend to the needs of security, you should hire some professional help to get you compliant and safe.
MemberMouse Security Features
MemberMouse uses the latest standards and security protocols for passwords, licensing, and payment transactions and we strive to integrate with any new releases of improved security features. Your MemberMouse website, nor our servers, will ever store your customers' payment details; instead, they are stored on your payment processor's servers.
MemberMouse comes out-of-the-box with several options to enhance the security of your site:
- Account Sharing Protection (enabled by default) allows you to limit the number of IP addresses that can access an account over a 24-hour period.
- MemberMouse can be integrated with Stripe Elements, which is the latest in 3D Secure checkout security technology from Stripe that carries the highest of PCI compliance and is SCA-ready. 3D Secure checkout is mandatory for customers in the European Economic Area (EEA) in order to be compliant. Credit card and billing information is sent directly to Stripe and never touches your servers.
- MemberMouse can be integrated with Authorize.net CIM, this will enable the customer information manager that stores customer details on the Authorize.Net servers. Additionally, the Accept.js token exchange has been incorporated into our Authorize.net CIM integration, so credit card and billing information is sent directly to Authorize.net and never touches your servers.
- MemberMouse can be integrated with Braintree, which includes 3D Secure checkout process using Hosted Fields / 3D Secure 2.0. and carries the highest of PCI compliance and is SCA-ready. 3D Secure checkout is mandatory for customers in the European Economic Area (EEA) in order to be compliant. Credit card and billing information is sent directly to Braintree and never touches your servers.
- Limit Login Attempts Plugin integration - By default WordPress allows unlimited login attempts. We have set up an integration with the plugin Limit Login Attempts that will allow you to configure your site to block an internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
- When creating a user or doing a password reset, MemberMouse forces a minimum password strength requirement of 8 characters. MemberMouse also supports the addition of a custom filter that allows the password to be evaluated based on custom requirements that you can define.
- Checkout can be configured to use V3 of Google ReCaptcha which is the latest version of an invisible system that minimizes bot signups and scammers.
- membermouse.com does not store, nor have access to any of your user’s data nor credit card information.
- MemberMouse is GDPR compliant and has features to manage GDPR requests.
- MemberMouse makes use of the standard WordPress password functionality, so you know you will always have the latest and greatest features within password storage and management.
- MemberMouse is regularly updated and is compatible with the latest PHP versions.
Most modern hosting has the basics required to keep your server secure with tools like Modsecurity or (WAF) web application firewalls. You should never use cheap hosting, or low-level reseller hosting that may not have protocols in place to keep your server secured, or the ability to attend to emergency requests you may have.
Considering that your host should already have common protocols and modules to keep your server safe, much of the security responsibilities of your server fall on you. It’s unfortunately common for many site owners to not consider the potential dangers involved when setting up their hosting package and poor hosting management is responsible for 41% of most hacks. To help keep your server secure, here are some common things which get overlooked that can be attended to in order to keep your server secure:
- Use a strong password protocol to log into your hosting plan with a mix of letters, numbers, and characters, and never use words that can be found in the dictionary.
- Remove any FTP accounts while they are not in use. Many hosts allow FTP to be closed when not in use. Again, use strong password protocols when setting this up.
- All email accounts that are associated with the website, or are on the server should have strong password protocols. If these accounts get hacked, they can be used to access the site and cause damage, plus they can be used in spam email sending.
- Check your file manager regularly for irregularities. Often backups or database files are located in the public_html making them publicly available. These backups can be downloaded easily and all your secure site information is within them, including database access and admin passwords. Keep your file system tidy and only store the necessary files required to make your site function.
- Often check to be sure file and folder permissions are properly set. Files, including your .htaccess file and wp-config file, should be 644 while your folders should be 755. Files can get adjusted to the wrong permission when certain actions take place in your WordPress admin panel, so regularly checking them is important.
- Be sure your server creates regular backups which you can access. Do not rely on plugins to handle backups as they are not reliable and often do not work with MemberMouse.
- Do yearly audits of your server software to be sure you are using the latest compatible versions of PHP.
- Never log into your server if you think your personal computer is compromised. You should be using compatible security software on any computer which you use to access your server and website. This is a very common method your site or server could get hacked.
For further advice on choosing a hosting provider as well as minimum requirements for running MemberMouse, you can review our article WordPress Hosting Providers.
The WordPress Codex has a massive article on Hardening WordPress that discusses vulnerabilities, setting secure file permissions, securing database and admin panel access, and more. This article is a must-read for any website owner who wants to learn more about the security required for your website. Most all of the recommendations are easy to accomplish and can seriously improve the health and security of your investment.
The most important steps you can take to help protect your WordPress are:
Passwords: Require all admin accounts to use a strong password protocol. Consider using 2 Step Authorization to prevent access to these accounts. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server, have your website banned from search engines, and destroy your website and its user’s private data.
The email account associated with the admin account should also have strong passwords and 2 Step Authorization because they can be used to easily access your WordPress installation.
Updates: 83% of websites that get hacked are not updated properly. It is the single most important step you can do to secure your website. Never let updates get behind by activating Automatic Updates which is a feature built into WordPress.
Tidiness: Remove unused plugins and themes. You want to keep one default WordPress theme aside from your primary theme, but any unused plugins should be removed unless you plan to re-enable it soon.
Heavily evaluate if you need a plugin. Less is better when it comes to plugin count and only install plugins that are regularly updated and come from a reputable seller.
After migration plugins, database plugins, or file editing plugins are used, they should be removed promptly. Unauthorized access to these plugins can spell disaster as they provide a simple path to the needed areas a hacker requires.
Access: Always work on your site and server from a trusted network. Avoid cafe internet or public WIFI at all costs.
Use a Limit Login plugin to limit unusual login attempts. It is very common to have your website login attacked on a daily basis. Sometimes thousands of times per day, so using a login plugin will block bad attempts at logins and prevent them from continually attempting access.
Remove unused admin accounts within WordPress.
Disable Theme and Plugin Editors from WordPress Admin Panel to prevent file edits when your site is accessed without authority.
SSL, HTTPS, and PCI Compliance
All websites, be they one that takes payments or not, should use an SSL and be secured with HTTPS. Login data, as well as the transference of information to your users, should be secured for everyone’s protection.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. This not only means that it is required by law to have a properly installed SSL on your site if you have a store or a membership site, but it also means that you need to go to greater lengths to secure your website and this article covers many of those steps you can take.
If you would like to learn how to install an SSL to your site, we have a detailed article here with directions on how to install one on your site.
Just having an SSL certificate and using HTTPS doesn't necessarily mean that you will be fully PCI compliant. The requirements vary based on your business type, technical setup, and/or volume. If you have PCI compliance concerns, it is best to speak with your payment processor or a PCI-DSS expert. This article is a good primer on the subject and can help you understand what, if any, additional steps you'll need to take:
These PCI FAQ guides are also succinct and helpful:
Domain and DNS Security
Securing the account your domain is listed on (such as Godaddy, Namecheap, etc) should be protected using strong password protocols and when possible, 2 Stage Login. If unauthorized access is gained to your domain’s DNS settings, a website can be changed or hijacked, and potentially the domain can be stolen. A yearly audit on your domain’s account to be sure all contact information associated with the domain is up to date and accurate is good protection and it can help with maintaining ownership.
DNS security is less often considered, but steep consequences can occur if your DNS is hijacked. These attacks can redirect a website’s inbound traffic to a fake copy of the site, collecting sensitive user information and exposing businesses to major liability. One of the best-known ways to protect against DNS threats is to adopt the DNSSEC protocol.
Many options are available for DNS protection, but Cloudflare is a great option as it will not only protect your DNS, but it can protect your site from bots and allow all your server resources to go to real users instead of attacking bots. The huge variety of options they offer are excellent for protecting your website and have a variety of pricing plans, including free.
Passwords and updates are the foundation of security and are so often overlooked or their importance ignored. Often people think their password is strong when in actuality, it’s probably been leaked on the dark web hundreds of times and has no security at all. Try and get in the habit of regularly updating your passwords everywhere and using a reliable password manager.
Attend to website software updates as timely as possible. Not only will this help keep you secure, but it often resolves problems you may be having with your software or plugins.
If you do have an unfortunate run-in with a hack, use a reliable professional to resolve the hack, and never rely on a simple plugin to protect you or “fix” the issue. Aside from removing the malware, and preventing its return, many steps can be involved to repair these situations, including the need for documentation of the resolution to wipe out blacklisting on search engines and email providers.
You may also have a legal liability to inform your site members of the breach and having a professional to assist with the tedious project of notifying your member base, required jargon and what was breached will prove invaluable.
Simply educating yourself on the importance of security is also a great starting point. Below I will include references to data points used in this article, as well as other great resources for learning about security.
- How Do Websites Get Hacked?
- How to Improve WordPress Security [Infographic]
- Hardening WordPress
- Two-Step Authentication
- Configuring Automatic Background Updates
- Password Best Practices
- WordPress Repository - Plugins Tagged Security