As you may have heard us mention before, we here at BIPi are huge fans of the folks at iThemes. When we first started building WordPress websites, iThemes was the source of the first theme framework we ever used to build client sites (RIP, iThemes Builder). Over the years, they’ve grown into a powerhouse in the WordPress community, and they’re at the very heart of our WordPress Support packages; we use their tools Sync and Security Pro as the backbone of the software updates, security measures, and uptime monitoring we do on behalf of our clients.
iThemes also offers regular training webinars on all sorts of topics. This past month was their annual “WordPress Disaster Week,” a series of webinars taught by folks from the WordPress security community. While we’re super confident in the measures we already have in place to keep our support clients’ sites safe and secure, we attended these webinars to brush up on the basics and make sure we’re as up-to-date as possible on current events. With the recent Freemius issue that impacted several of our clients’ sites, a week of focusing on website security was very welcome to our team!
Our biggest takeaway: “Functional Isolation”
We hadn’t heard the specific term “functional isolation” before Disaster Week, but we’re so glad to know of it now! The simplest definition we could find is here:
What is Functional Isolation?
The ability to separate components or parts of a circuit or system. The intent is to protect as much of the associated circuit or system as possible from a failure or malfunction in other associated or contiguous components or parts of the circuit or system.
When it comes to websites specifically, functional isolation is an important element of keeping your site secure: a compromise of one component (one password, one account, one site) should not hand an attacker everything else. During Disaster Week, there were plenty of campfire-style stories of nightmare scenarios in which reusing a password across multiple sites (like using the same password for your email and for your website login), or continuing to use a compromised password (where an attacker obtained a username/password combination from a leak or hack), led to expensive and disastrous cleanups. The best example mentioned was the Colonial Pipeline hack in 2021:
The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password.
The basic lesson here is an old and common one, one that we humans are still struggling to learn: don't use weak passwords, don't reuse passwords across devices, platforms, or sites, keep all of your passwords in a password manager rather than in a spreadsheet or on a sticky note, and turn on two-factor authentication everywhere it's offered. In the Colonial Pipeline case, the compromised password opened a VPN account that had no multi-factor authentication in front of it, which is exactly the combination those last two rules prevent.
Beyond that, and a lesson we learned long ago and are still committed to, is to use quality web hosting that isn't shared, and especially not to run multiple WordPress installations on one cPanel account. Every site under a single cPanel account runs as the same system user with read and write access to the same home directory, so an attacker who gets into one site (through an outdated plugin, say) can read the other sites' wp-config.php files, including their database credentials, and drop files into every other site on the account; there is no isolation between them. While we already avoid that for our clients (thanks to the heroes over at Kinsta), we'll be looking for other ways to increase the functional isolation of our own internal systems as well as the systems we help our clients build.
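As an added example (not code from the original post, from iThemes, or from Kinsta), here is a small POSIX shell check for the "many sites, one account" problem described above. It assumes that a WordPress install is any directory containing a wp-config.php file, walks a hosting account's home directory, and reports whether the installs it finds all share one filesystem owner, which is the condition that lets a compromise of one site spread to the rest.

```shell
#!/bin/sh
# Added example, not code from the original post, iThemes, or Kinsta.
# Lists the WordPress installs under a hosting account's home directory
# and reports whether they all share one filesystem owner.
# Assumption: an install is any directory containing wp-config.php.

# Print "<owner-uid> <install-dir>" for every install under $1.
wp_installs() {
  find "$1" -type f -name wp-config.php 2>/dev/null | while read -r cfg; do
    dir=$(dirname "$cfg")
    # GNU stat first, then BSD/macOS stat.
    uid=$(stat -c %u "$dir" 2>/dev/null || stat -f %u "$dir")
    printf '%s %s\n' "$uid" "$dir"
  done
}

# Return 1 (NOT ISOLATED) when more than one install exists and there are
# fewer distinct owners than installs; return 0 otherwise. Two sites with
# the same owner can read and write each other's files, including
# wp-config.php and its database credentials, so one compromised site
# exposes every other site on the account.
isolation_check() {
  root=$1
  n_installs=$(wp_installs "$root" | wc -l | tr -d ' ')
  n_owners=$(wp_installs "$root" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' ')
  if [ "$n_installs" -gt 1 ] && [ "$n_owners" -lt "$n_installs" ]; then
    echo "NOT ISOLATED: $n_installs installs share $n_owners owner(s) under $root"
    return 1
  fi
  echo "OK: $n_installs install(s), $n_owners distinct owner(s) under $root"
  return 0
}

# Usage (hypothetical path): isolation_check /home/cpaneluser
```

A shared owner is the necessary condition for this kind of lateral movement, but separate owners are not sufficient on their own: PHP must actually execute as each site's user (a php-fpm pool or suEXEC per site), and each site should have its own database user, or a compromised site can still reach its neighbours through the web server or the database. Per-site containers, as the better managed hosts provide, give you all three at once.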
If you've got any questions at all about how to improve the security of your data, whether it's on your business website or in your personal affairs, we're here to advise you! And, if you're feeling exceptionally nerdy, McAfee has a great whitepaper on the topic of web isolation technology (note that "web isolation" there means isolating users' browser sessions from the sites they visit, a related but different layer of defense from isolating hosted sites from each other).
Now on our support plan product roadmap: a Security Incident Response Plan
Late last year, we onboarded a large client that required us to meet their security standards in order to access their site for our support work. While we were proud to already meet many of their requirements, we had to take immediate action to meet others. We turned on two-factor authentication for our entire team in some new places, and adopted new security measures, including a well-articulated Security Incident Response plan.
During Disaster Week, there was an entire session devoted to preparation for a security incident, and during that session it occurred to us that, while we have a plan for our own internal systems, we don’t have one for clients’ sites. Thus far, the plan has been “drop everything and start responding”… not a great plan for a growing website support business.
In her session "Are You Prepared For A Security Incident", Kathy Zant noted that when something bad is happening, your ability to identify, eliminate, and recover is pretty limited. The stress of the situation combined with its urgency can wipe your brain. That's why it's so important to have a written plan in front of you to guide you.
Over the next 6 months, we'll be building a Security Incident Response Plan template and then, gradually, a plan for each of our support clients; that same template will be used for every new client we onboard.
Part of why we're prioritizing this is a couple of data points cited during her session: that 60% of small businesses go out of business within 6 months of a data breach, and that companies with proactive security policies have much higher average sales and profit margins.
We worry about what would happen if our own data were breached (despite the effort we put in now, nothing's perfect, and the specter of cleaning up a breach is the kind of thing that haunts our dreams), but beyond that, our goal is to keep our clients safe and enable their profitability. Avoiding data breaches is key to that goal.
Next steps for website security at Berry Interesting
Our first action will be to activate the two-factor authentication feature in iThemes Security on all of our clients' sites (or as many as we can, with client consent) during our April support tasks. Beyond that, we're excited to codify our approach to security for our clients. The goal is ultimately for our clients' sites to be so buttoned up that they don't even think about things like being hacked, because they have infrastructure set up to keep them protected.
If you are now realizing that you should have a Security Incident Response Plan for your own business or you’re curious about how you can keep your data safe in an increasingly unsafe online world, please reach out with questions. We’d love to help you review your existing infrastructure and create a plan for responding to data breaches or hacks!
If you’re curious about how Berry Interesting Productions can help you build an outstanding website, we’re always happy to help! Drop us a line or book a consultation directly with our fearless leader, D’nelle. You can also sign up to get emails from Berry Interesting, and we’ll keep you in the loop.