BREAKING: This is the worst of all worlds. DotNetNuke (DNN) host and Deluxe brand Managed.com looks to not only be unavailable but reports on WebHosting Talk suspect a very nefarious situation – ransomware. Not sure on the scope, and I assume there are backups somewhere for customers that are firewalled from this outage but this gives us an opportunity to touch on some core processes everyone should have in place.
This is absolutely not the name or species of a character on The Mandolorian, disaster recovery-as-a-service (DRaaS) is a real thing. Managed service providers (MSPs) plan for this on the more infrastructure side (document management, single sign-on, etc.) but should hosts also start explicitly creating DRaaS solutions? On oldie but good, from Steadfast, What Is Disaster Recovery Planning?: “How quickly would your business recover from an incident that deprived it of access to critical hardware or software? In the event of an incident, how many of the business’s operations could continue without disruption? Disaster recovery planning provides answers to these questions and helps to ensure that they are good answers.”
You don’t need an intergalactic bounty hunter to fight bad guys. iThemes Security Pro will secure and protect your WordPress sites from the wretched hive of scum and villainy across the internet! Prevent hacks, security breaches, malware and more. This is the way.
Reduce the Vectors
Now this isn’t to say that an issue at the core would prevent a situation that we see at Managed.com but this is a great case where static site builders like Strattic, Shifter, and FLATsite can make a compelling case for sites that don’t really need all of the application access. In fact, the FLATsite solution is most interesting because they literally off-load your pages to anywhere. You could theoretically have a VPS somewhere that only supports FTP and your site would be pushed there. The JAMstack as a whole – contrary to thought that there are too many vectors – may actually be more resilient since on piece that’s taken down shouldn’t effect the whole site, see The Static Site Question.
Security is Hard
Most WordPress sites are in managed (good) or traditional (your mileage may vary) hosting environment. The big and/new managed hosts like WP Engine, Convesio, and Pantheon or always looking to mitigate issues. You’ve got build-in hardening with CDNs, virtual firewalls, and tons of other layers of security. On the traditional (aka shared) hosting side you will need to take more hands-on action. You’re most likely using cPanel or Plesk as part of your plan, WordPress Hardening: One-Click Security with cPanel: “WordPress is far and away the most widely-used content management system on the web, but that popularity comes at a price. It’s also the most attacked CMS. Not because it’s un-secure, but because attackers know that a WordPress vulnerability is a gateway to tens of millions of websites.”