Security
Unless you're on a host that doesn't support it (or that offers its own native security tools), we have enabled the Wordfence Security plugin to improve the security of your WordPress website. Out of the box, it provides recommendations and security features that make your site more secure than a standard WordPress site or blog.
However, while the default configuration is great for most clients in most situations, there may be features and options that you may want to configure differently for yourself. To access these settings, from your navigation menu click on Wordfence > All Options. This will take you to a dashboard with a complete list of Wordfence settings.
As part of this security plugin, you will receive two types of notifications:
Site Lockout Notification – If you receive this, it most likely means that Wordfence detected a visitor requesting a large number of pages that don't exist (404 errors), which usually means a bot was probing for the standard, well-known WordPress paths. We moved those pages (see Hide Backend below), so these bots get 404 errors instead. The same notification is sent if a visitor repeatedly tried and failed to log in to the site admin. Click the link to check the location: if it is somewhere your staff or users don't normally connect from, like China or Ukraine, it is almost certainly an automated scanner or spammer being kept out of your site. You needn't take further action; Wordfence has already blocked that address from visiting your site.
WordPress File Change Warning – This means that core files on the site have been changed. If Cornershop is working on the site or you recently updated a plugin, then you can simply ignore these. If no one has been working on the site, please forward it to Cornershop.
| Feature | Description/Notes |
| --- | --- |
| Users | By default, WordPress creates an administrator account with the username "admin". This is insecure because that account has full rights to your WordPress site and a potential attacker already knows it exists; all they need to do is guess the password. Changing this username forces an attacker to guess both the username and the password, which makes some attacks significantly more difficult. Cornershop has enabled this for you. |
| **Away | Many of us update our sites on a regular schedule, so it is not always necessary to allow access to the backend all of the time. This feature disables the backend of the site for the specified period. It can also be used to disable backend access during a vacation or any other schedule when the site shouldn't be edited. |
| Ban Users | Bans hosts and user agents from your site completely, using individual IP addresses, groups of IP addresses, or user-agent strings, without requiring any changes to your server configuration. |
| Content Directory | Moves the site's default wp-content directory to a custom name. Many automated tools look for plugin and theme files under the standard wp-content path, so renaming it makes it harder to fingerprint which plugins and themes are installed. |
| **Database Backup | While this plugin goes a long way toward securing your website, nothing can guarantee 100% that your site won't be the victim of an attack. When something goes wrong, one of the easiest ways to get your site back is to restore the database from a backup and replace the files with fresh copies. |
| Database Prefix | By default, WordPress assigns the prefix "wp_" to all the tables in the database where your content, users, and objects live. For attackers this makes it easier to write scripts that target WordPress databases, because the important table names are already known for 95% or so of sites. Changing the prefix makes it harder for tools that exploit vulnerabilities elsewhere (for example an injection flaw in a plugin) to affect your site's database. This is a speed bump rather than a hard barrier: an attacker who can already run arbitrary SQL can still look up the real table names. Cornershop has enabled this for you. |
| Hide Backend | Changes the URL at which you access the WordPress login and admin pages, so bots requesting the standard addresses get a 404 instead, further obscuring your site from potential attackers. Cornershop has enabled this for you. |
| Intrusion Detection | 404 detection watches for a visitor who requests a large number of non-existent pages, i.e. generates many 404 errors. A visitor who hits many 404s in a short period is assumed to be scanning for something (presumably a vulnerability) and is locked out accordingly. We have set a threshold of 50 errors in 3 minutes, which locks the visitor out for 15 minutes. After 3 lockouts, the address is blacklisted. |
| Login Limits | People and bots will keep trying username and password combinations to break into your site. Assuming legitimate users usually remember their password after a few tries, we have set a limit of 10 failed login attempts in 5 minutes; exceeding it locks the address out for 15 minutes. After 3 lockouts, the address is blacklisted. |
| Logs | Shows the number of 404 errors being generated on the site, as well as a list of any addresses currently locked out. If a real user sees a blank white screen with the word "error" on it, visit this page and click the blue "Release Lockout" button for their address. |
** We encourage you to configure these settings yourself by visiting the plugin and following the steps as prompted in WordPress.
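The Intrusion Detection and Login Limits rows above describe the same mechanism: count bad events per address inside a time window, lock the address out for 15 minutes once the threshold is crossed, and blacklist it after three lockouts. The Python model below is added here to illustrate those thresholds; it is not code from Wordfence or Cornershop. It replays constructed access-log lines through that logic so you can see exactly when a scanner trips the 50-in-3-minutes rule and when a real user who mistypes a URL does not. The sliding-window and lockout bookkeeping are assumptions, since the page does not describe the plugin's internals.

```python
"""Sliding-window lockout model for 404 probing and failed logins.

Added example, not Wordfence's code. The thresholds match the ones in the
table above; the window and lockout bookkeeping is an assumption about how
such a plugin behaves. All log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int          # bad events allowed inside one window
    window_s: int           # window length in seconds
    lockout_s: int = 900    # 15-minute lockout
    max_lockouts: int = 3   # blacklist after this many lockouts


INTRUSION_404 = LockoutPolicy(threshold=50, window_s=180)   # 50 x 404 in 3 min
LOGIN_LIMIT = LockoutPolicy(threshold=10, window_s=300)     # 10 failures in 5 min


class LockoutTracker:
    """Per-address counters for one policy (one tracker for 404s, one for logins)."""

    def __init__(self, policy):
        self.policy = policy
        self.events = defaultdict(deque)   # ip -> recent bad-event timestamps
        self.locked_until = {}             # ip -> unix time the lockout expires
        self.lockouts = defaultdict(int)   # ip -> number of lockouts so far
        self.blacklist = set()

    def state(self, ip, now):
        if ip in self.blacklist:
            return "blacklisted"
        if self.locked_until.get(ip, 0) > now:
            return "locked"
        return "allowed"

    def record(self, ip, now):
        """Record one bad event (a 404 or a failed login); return the resulting state."""
        current = self.state(ip, now)
        if current != "allowed":
            return current          # already blocked: nothing more to count
        window = self.events[ip]
        window.append(now)
        while window and now - window[0] > self.policy.window_s:
            window.popleft()        # forget events older than the window
        if len(window) < self.policy.threshold:
            return "allowed"
        window.clear()
        self.lockouts[ip] += 1
        if self.lockouts[ip] >= self.policy.max_lockouts:
            self.blacklist.add(ip)
            return "blacklisted"
        self.locked_until[ip] = now + self.policy.lockout_s
        return "locked"

    def release(self, ip):
        """What the 'Release Lockout' button on the Logs page does for one address."""
        self.locked_until.pop(ip, None)
        self.events[ip].clear()


# Apache/nginx combined-format access log: ip, timestamp, request path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3})')


def parse_ts(ts):
    """'01/Jan/2024:10:01:38 +0000' -> unix time."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()


def replay_404s(log_text, policy=INTRUSION_404):
    """Feed every 404 in an access log through the 404-detection policy."""
    tracker = LockoutTracker(policy)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(4) == "404":
            tracker.record(m.group(1), parse_ts(m.group(2)))
    return tracker


# Constructed sample: a scanner probing 60 guessable paths two seconds apart,
# plus a staff member who mistyped one URL and then loaded the right page.
SAMPLE_LOG = "\n".join(
    [f'198.51.100.7 - - [01/Jan/2024:10:{i // 30:02d}:{(i % 30) * 2:02d} +0000] '
     f'"GET /old-path-{i}.php HTTP/1.1" 404 212' for i in range(60)]
    + ['203.0.113.5 - - [01/Jan/2024:10:01:15 +0000] "GET /abuot HTTP/1.1" 404 212',
       '203.0.113.5 - - [01/Jan/2024:10:01:20 +0000] "GET /about HTTP/1.1" 200 5120']
)


if __name__ == "__main__":
    t = replay_404s(SAMPLE_LOG)
    for ip in ("198.51.100.7", "203.0.113.5"):
        print(ip, t.state(ip, parse_ts("01/Jan/2024:10:05:00 +0000")), t.lockouts[ip])
```

Running it shows the scanner locked out after its 50th 404 (at 10:01:38) with one lockout on record, while the staff address stays allowed with a single 404 counted. The same `LockoutTracker` with `LOGIN_LIMIT` models the login rule: ten failures in five minutes lock the address, and the third lockout moves it to the blacklist, which is the state a real user would see as the blank "error" screen until someone clicks Release Lockout.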
Maintenance
Cornershop provides a variety of support packages that can assist with everything from plugin updates to hosting to content updates and custom requests. For more information, take a look at all of our support packages or reach out to your project manager.
What to Do if Your Site Goes Down!
Unfortunately, sometimes websites go down, often for reasons that you have no control over.
Down for Everyone?
If you believe your site is down, first go to http://downforeveryoneorjustme.com/ and enter your site URL. If it reports that the site is down just for you, there is likely an issue with your computer or Internet connection; try rebooting. If it is down for everyone at your office but the tool reports it up, it may be an issue with your office's Internet or network, and you may want to contact your IT department.
Contact Your Host
If http://downforeveryoneorjustme.com/ confirms that the site is down for everyone, it means that no one can access it. We find that 90% of site downtime is due to hosting issues. Your host is the company that is hosting your website, like Dreamhost or Bluehost. You should call them (not email or submit a ticket - those are lower priority) immediately to see if they are aware of any outages. They will work with you to get your site back up.
If It’s Not a Hosting Issue
If your host is not able to help, you are welcome to reach out to us at [email protected].
After receiving your email, we will offer to spend up to an hour of investigation at our rush rate of $250/hour. At the end of the hour, we’ll report back on our findings and present a plan for fixing. This could be a code fix, changing server configurations, migrating plugins, or continuing to work with the host. Note that Cornershop does not provide 24/7 support, so we will begin our investigation on the next weekday after 9 a.m. Eastern.