These policies are subject to change without notice
Server Security:
Autumn Lane Paperie maintains varying security measures that protect our server(s) overall and our master accounts. It’s possible that these measures may impact some software that a client needs to use or prohibit a legitimate user from accessing part or parts of the web hosting or website account that they need to access. If this occurs, please contact us via email with a detailed description of the issue & we will work to remedy the issue as soon as possible. The nature of security means that we have to lock certain things out but it’s possible in several cases to allow certain exceptions if operations are impacted negatively.
Autumn Lane backs up every website we host on a daily basis to an off-server location for disaster recovery services.
We provide priority support & free hack repair to Website Support clients. Note that there may be extreme cases where the website can’t be salvaged.
We cannot be held responsible for actions taken by website owners that result negatively on their website, email, etc.
Website owner responsibilities & good security practices:
Above all, the website owner is responsible for their own website. We’re here to help but ultimately it’s not our website.
- Have an uncommon username & a strong password that you don’t use on any other website, app, etc. The absolute worst combination you could have would be a username “admin” & a password of “password” or anything like that. One of the most common ways that an attacker can gain access to an account is if another database is hacked & they’re able to harvest email addresses & passwords – that is absolute hacker gold. It can be a relatively easy thing at that point to find other websites or services that use the same email address as one of the users & there’s a very good chance that the password that they harvested in the compromised database will be used on the newly-discovered website as well.
If you’re not sure what a good password/passphrase may be, it should be incredibly easy for you to remember & incredibly difficult for anyone else to guess. There are also password/passphrase generating services that you can use, a quick search online will turn several up.
There is a service that you can (and should) use to see if your password has been seen in any (known) security breaches in the past here (link). - Keep your website up to date. Outdated themes & plugins are potentially vulnerable to attack, as was seen in the Panama Papers case in which the popular plugin Slider Revolution was very outdated & the version being used by Mossack Fonseca was well out of date & had known vulnerabilities. It was then easy for the attacker to move laterally inside their hosting account & harvest emails that were on their web server which contained embarrassing information on world leaders. Which leads us to item 3:
- Don’t use email on the web server if you’re doing business or communicating about information that you don’t want everyone to see. You should use a dedicated email service such as G Suite or Business Email.
Another reason that you shouldn’t use web server email is because emails that are stored (which includes sent items) share disk space with your hosting account which can cause your website to become unresponsive if your disk space is filled up, until the hosting plan is upgraded or space is freed up.
Yet another reason that you shouldn’t be using web server email is because there’s a very good chance that you will, at some point, get blocked by the server’s firewall because a password was changed on an email account but wasn’t updated on all devices that the email address was set up on or there was a server move to a new IP address, etc. Things change all the time with anything IT-related & web servers are certainly no exception. Dedicated email services have different control measures in place such as two factor authentication (2FA) that send a text to your phone for unrecognized devices so the control is almost entirely in your hands.
- Don’t grant access to your website or hosting account to anyone that isn’t a professional who you’re working with or someone that you trust implicitly.
- Never use themes or plugins that have come from a less-than-reputable source. If the source of the theme/plugin is inaccessible or shrouded in secrecy stay away! It’s a common practice for unscrupulous coders to take premium themes or plugins & rework them to suit their purposes, usually to serve up ads, and then offer them up for free. Remember that you get what you pay for.
The WordPress theme & plugin repositories are well-maintained & they will remove offending themes/plugins, so this is an exception because everything is free in the WordPress repo. That doesn’t mean that everything works well together, though, because conflicts can & will happen, it’s just how it is. This is why our own professional preference is to stick with a handful of known, well-maintained, & well-supported themes & plugins & then do as much as possible without the need for additional plugins, etc. For non-coders, you should research the plugin as much as possible before installing it on your website.
- Use a security plugin. Pick one & stick with it, in most cases, having multiples in place isn’t always advisable. We’ve seen the iThemes (Better WP Security) plugin cause some problems in the past so we would recommend either WordFence or Sucuri, here’s an article to help you decide which you prefer (link).
- Use an antivirus program on your machine, even if it isn’t a Windows machine – it’s a myth that Macs are immune to attack. Their security is better, yes, but security through obscurity is not a sound approach to security.