Thursday, April 27, 2017

Hacked: The True Confession of a Security Pro

Casting my ego aside for a moment: getting hacked can be a good thing. How? Well, it makes for a fantastic learning experience in several ways, which I'll share below. First, here's the back-story...

Not too long ago, a few of my WordPress blogs, managed by me and hosted on a small hosting company's shared servers (the economy plan), got hacked.  And not just once, but repeatedly.

Over the course of a month, every few days I'd get the dreaded email from the hosting support team that my site(s) were compromised, locked down by them to prevent the spread of infection, and that I needed to fix it.

The cleanup work was tedious. The configuration verification and back-end tweaking were time consuming. In those few weeks, I learned more about WordPress security than I wanted to know.

And despite my best efforts, it kept happening. I felt like a chump!

I tried everything they recommended: CloudFlare, premium hosting (where every WordPress install doesn't share a common directory structure), numerous firewall and security plugins, blocking numerous IP addresses from countries that are notorious for hacking, locking down the .htaccess file, etc.

And in the end it was all for naught. I either wasn't cleaning out infected files properly, which would soon cause re-infection, or an unknown hack was getting through my defenses. And my hosting company wasn't much help.

Either way, it sucked. With enough time, I'm confident I could have solved the root cause, but after the 5th or 6th time, I was ready to walk away from the administrative duties of the sites. Fortunately they were for small side projects that didn't have any major impact when they went down.

Lesson 1: After that experience, I can't say that I'm still a fan of (self-hosted) WordPress - I don't recommend it anymore, even though it has amazing flexibility and community open-source support.

What else did I learn? Lesson 2: unless you truly enjoy the burden of managing your infrastructure configuration, opt instead to use Managed Services that someone else is responsible for!
[Image: Azure and AWS Security Risks, Microsoft Azure's Shared Responsibility Model]
In terms of cloud, this means going for SaaS over PaaS, and PaaS over IaaS. With the "shared security" model that cloud providers use, they have SOME security responsibilities.

And the more they "own" the more they have to worry about security and patching. In the "highest level" SaaS model, the customer has almost NO security responsibility. The cloud provider takes on almost all of it!

This might explain the rise of SaaS software offerings, Identity as a Service offerings, and Serverless Computing. When someone else does the install, patching, maintenance, management, and protection of a system / server, you are relieved of that burden. It frees you to focus on what you love.

Of course, sharing the responsibility with a cloud provider is no guarantee you won't get hacked, so you have to make sure your infrastructure and websites are being consistently backed up, and that you have a restoration plan and incident response plan in place.

But with that said, transferring some of the risk and headaches to some other party is frequently worth the investment!

As a cloud security geek, I usually love security challenges. That's what I get paid for. But unless we have similar titles, I'm betting you DON'T love dealing with security. So the best security advice I can give you is hand off the challenge to someone else.

For example, did you notice this blog is on Google's Blogger platform, and not self-hosted WordPress? Sure, I don't get as many features, and I relinquish some control, but I also don't have to worry about securing my blog and the servers it runs on. That frees me up to focus on my employer's and clients' security issues, which suits me just fine!

To reduce your security and management headaches, use managed services whenever feasible, but make sure you don't abdicate your responsibility to ensure that the cloud provider is doing their job.

As a business owner or employee, you ALWAYS have overall responsibility and oversight for your security situation.

I hope this lands on some receptive ears. If so, please let me know your thoughts, struggles, or questions on this topic.

-Ryan
