This post was made possible by Bluehost. The actual contents and opinions are the sole views of the author, who maintains editorial independence, even when a post is sponsored. For more details, please read our disclaimer.
I have a confession to make. I’m really lazy.
I have my own personal WordPress-based blog, but – despite being a hardened geek – I don’t self-host it. I can’t be bothered dealing with the hassle of constantly ensuring that my box hasn’t been popped by a malevolent Internet hacker. I don’t want to get bogged down with the tedium of ensuring that my VPS is patched to infinitum, and configured within an inch of its life to deter any enterprising miscreant.
But, that’s me. What about you?
Regardless of how you choose to manage your WordPress installation, I’d place money on you being concerned about security. I like to think of dealing with security threats in terms of three stages.
The Stages Of Security
The first comes before an attack. Here, you try to ensure that anyone who would seek to compromise the hallowed confines of your website is met with stiff resistance and immense amounts of frustration.
Next, you’re going to have to check that your site hasn’t been compromised. You’re going to need constant vigilance, a watchful eye, and a Sherlock-style ability to notice anomalies in the operation of your site.
Finally, when disaster strikes, you’re going to need to know how to deal with it decisively and confidently. We’re going to talk about that next month, but first I want to talk about the second step. Monitoring.
Hollywood has done an incredible job of portraying the computer hacker as a shadowy individual, wreaking havoc from the digital shadows. The reality couldn’t be further from the truth.
Yeah, they’re probably working from dimly lit rooms somewhere, I’ll give you that. But quiet? Nah. They’re loud, man.
Every attack on every box and every website leaves a trace on a log-file somewhere. The way we understand the types of threats we face (or have faced) is by looking at the logs.
Make no mistake, manually looking at system logs is an insanely tedious job. I’m pretty sure there have been Dan Brown novels that are less tedious than that – and that’s saying something. Furthermore, it’s a task that requires insane amounts of precision and attention to detail. It’s not something I recommend you do by hand.
It’s not just security which we need to keep a watchful eye over. Also crucially important is monitoring the performance of a site.
Ensuring that your site is responsive and reliable is pivotal to ensuring the continuing engagement of your readers. According to website metrics giant KissMetrics, a 1 second load delay can result in a drop of user engagement by seven percent, whilst 40 percent of all internet users say they would abandon a website if it takes more than three seconds to load. Understanding how your website works is a vital tool in the battle of making sure your site is speedy and responsive.
Thankfully, there are some products that make this task much easier. And they’re probably better at it than you are. Here are two of them. And if you insist, I’ll tell you how you can roll your own kick-ass WordPress monitoring system.
The Auditor ($249) is a GPL licensed plugin that allows WordPress Administrators to monitor site security, performance and user productivity.
I’ve got first-hand experience with using this plugin, as I was fortunate enough to be given the opportunity to test-drive it a couple of years back, when it first came out. My first impressions of it were really positive; since then, it has made leaps and bounds.
The guys behind it are Interconnect/IT, who also do a lot of WordPress consultancy and training in the UK, as well as creating some useful plugins and user guides. They’ve got quite a pedigree for doing interesting things in the world of WordPress development.
Plumping down the cash for The Auditor won’t just get you a copy of the code, but also some stellar documentation and lifetime support. Oh, and it’s user extensible, although you’ll need to be quite handy with the PHP programming language.
But what does it actually do? Great question.
Firstly, it checks for unusual activity on your WordPress installation. If you’ve had an inordinate amount of failed logins in a short amount of time, or if an obscure user has suddenly seen his permissions elevated into the stratosphere, you’ll know.
Secondly, you can create custom alerts. If you’re developing a new plugin and you want to observe how it behaves, you can allow it to send messages to The Auditor. This is crucial for WordPress developers who want to see a more global picture of how their plugin works.
These custom logs are extensible, and can be used by developers to register whatever their heart desires. One such use case for this is monitoring the number of Twitter followers on a writing staff over time.
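As an added example (not The Auditor’s own code; its log format is not on this page), here is the kind of check the paragraph above describes, run over a few constructed log lines in an assumed timestamp/event/key=value format: a sliding-window count of failed logins per source address, and a flag on any role change that lands on administrator.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format (timestamp, event, key=value pairs).
# This is illustrative data, not output from any real plugin.
SAMPLE_LOG = """\
2024-03-01T10:00:01 login_failed user=admin ip=203.0.113.7
2024-03-01T10:00:03 login_failed user=admin ip=203.0.113.7
2024-03-01T10:00:04 login_failed user=admin ip=203.0.113.7
2024-03-01T10:00:06 login_failed user=editor ip=203.0.113.7
2024-03-01T10:00:07 login_failed user=admin ip=203.0.113.7
2024-03-01T10:30:00 login_ok user=alice ip=198.51.100.5
2024-03-01T11:15:22 role_changed user=bob ip=198.51.100.9 from=subscriber to=administrator
2024-03-01T12:00:00 role_changed user=carol ip=198.51.100.9 from=author to=editor
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<kv>.*)$")
SENSITIVE_ROLES = {"administrator"}  # roles whose acquisition should always raise an alert

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["event"] = m.group("event")
    return fields

def find_anomalies(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alert strings: failed-login bursts per source IP, and elevations to a sensitive role."""
    alerts = []
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    already = set()               # IPs already reported, so a burst fires once
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "login_failed":
            q = recent[ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in already:
                already.add(ev["ip"])
                alerts.append(f"{ev['ip']}: {len(q)} failed logins within {window.seconds}s")
        elif ev["event"] == "role_changed" and ev["to"] in SENSITIVE_ROLES:
            alerts.append(f"{ev['user']}: role elevated {ev['from']} -> {ev['to']} from {ev['ip']}")
    return alerts
```

Running `find_anomalies(SAMPLE_LOG)` on the constructed lines reports the burst from 203.0.113.7 and bob’s jump to administrator, while carol’s move to editor stays quiet.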
The Auditor is available now, although a new release of the software package is looming, bringing a raft of new improvements and additions, and a licensing scheme that reduces the cost of acquisition.
Sucuri is one of the slightly more popular proactive WordPress security plugins on the market right now. Unlike the Auditor – which is priced at a flat rate – Sucuri charges annually. The cost increases with the number of Sucuri deployments you use.
Let’s talk about what Sucuri brings to the table. You might have guessed that it comes with some event monitoring, letting you know when things have gone awry. As well as that, Sucuri can also alert you to potential issues via SMS, Email and Twitter. Although, ideally the last of those would be by direct message. It’d be pretty awkward if they went around tweeting the litany of security issues plaguing websites.
If that’s not enough, you can pay extra for Sucuri to add a Web Application Firewall (WAF) to your website, stopping browser-based attacks at the door. These work by examining all inputs passed to your website, and discarding the ones that are ostensibly malicious in nature.
Another add-on service offered by Sucuri is automatic off-site backups. The subject of backing up WordPress is a mammoth one, and one that has been covered at length in the past by my colleagues.
One of the more compelling arguments for letting Sucuri handle your off-site backups is its low price point. Five bucks ensures that your site is securely stored on Sucuri’s servers. You don’t need to be a subscriber to Sucuri to use Sucuri backups, and it’s platform agnostic with the only requirement being a *nix box, or a Windows machine running PHP.
Make no mistake, the emphasis of Sucuri is one of security. It’s not really all that great at monitoring how your app performs, and does only one task. Although, this one task is executed perfectly, and as a result I strongly recommend you check this product out.
Do It Yourself
Make no mistake, if you are concerned about the security and performance of your WordPress install, you really should use a third party product. These are made by people who really know their stuff. They know the threats out there, they understand how to defend against them, and they know what makes your site run slower than a pensioner covered in molasses.
However, if you’re absolutely determined to roll your own system monitoring solution, you’re going to need the following components.
The first is a tool to analyze the traffic, noise and logs. These can be left by an external threat, or by a tool you’ve installed to record how your site performs. There is a huge number of products on the market, but none have the polish that Splunk has.
There’s just no debate here. Splunk is better at visualizing and querying logs than any other products on the market, and I recommend it heartily. I first used it when it was in a very early, beta state. Since then it has flourished, and is a powerful tool in the arsenal of any systems administrator.
Next, you’re going to need to start profiling your application. This means gathering huge amounts of information to see how it performs, and there’s only one particular horse in this race worth talking about. You know who. New Relic.
These guys burst onto the scene just a few years ago, getting huge amounts of attention for being simple to deploy, and gathering huge amounts of performance statistics. Oh, and for giving away more T-shirts than a mascot at a basketball game.
As a developer myself, I’ve got quite a soft spot for New Relic and have used them myself in websites I have developed. I find that their statistics are accurate, and the plugin used to record them is relatively lightweight and easy to deploy. There’s even WordPress specific documentation!
The last tool in our arsenal is a WAF. This serves two purposes. The first lets you know if anyone has been taking pot-shots at your website. The second (as we previously discussed) is to mitigate against attacks on your site.
Cobbling these together into some form of coherent package would constitute an article in itself. It really is a mammoth task, and one which may be more trouble than it’s worth. Especially when you consider that there are packages like Auditor and Sucuri on the market. As a result, I’m not going to go into too many details. Just know that it’s possible.
In this article, we looked at two killer products for keeping tabs on your WordPress install, as well as how you can roll your own solution. With more and more companies using WordPress to manage their online presence, the importance of ensuring the security of a website has never been greater. And with sites clamoring for eyeballs, the need to keep your site speedy and secure has never been quite so important.
I’d be really interested to hear your thoughts on this subject. Drop me a comment below.
Photo Credit: Data Center (Bob Mical)