GoDaddy, the company that hosts my website that I created with Backlight, is offering me additional website security, with two options: Deluxe and Essentials. I already have installed the SSL security. I am wondering how much I need these additional services and whether or not there are any alternatives. The Essential Website security does a daily scan of my website for malware and then removes it. The Deluxe version adds a firewall. Essentials costs about $67 per year, which I consider reasonable, if it is a good security measure. The Deluxe costs almost double, so I am not inclined to purchase it. I have a shopping cart that ties into PayPal.
What do people think about the need for these additional security measures, and are there any cheaper alternatives?
I am hoping that someone who has a deeper understanding of how Backlight creates my website will be aware of potential security threats and whether or not this security service, daily scans for malware and then removing any detected malware, is something that applies to a Backlight-created site. Does a Backlight-created site have built-in protection against malware?
Hi @Ken, as the developer of the backend of Backlight I have a good idea of how it works from a security point of view. Firstly, there are no known security issues in Backlight, and we are unaware of anybody’s site ever having been compromised via Backlight. We follow best practices to avoid common security issues, such as using strong encryption on passwords and protecting database queries from SQL injection attacks.
There are potential weak points in the way you use your site and access Backlight. Firstly, I would recommend SSL, as you have done. That prevents others snooping on passwords or other customer data. Secondly, I would activate two-factor authentication, via the Backlight settings. That adds further protection to your Backlight admin login. Thirdly, I recommend accessing your site’s files via SFTP or SSH rather than standard and insecure FTP.
If you run WordPress then your site is at much greater risk than running Backlight alone. In that case, take care with strong passwords, disable or remove plugins that you don’t need, and install and use the excellent Wordfence plugin for monitoring and reporting on security issues. I suggest looking further into this as I am not an expert.
You’ll also want to look into potential security issues of other third-party software you may be running on your server.
If you can achieve the above without needing GoDaddy’s security add-ons then you can probably do without them.
I’m not sure where it fits into the picture, but GoDaddy has typically run mod_security on their web servers, which adds another layer to block malicious traffic from reaching your web applications (e.g. from reaching Backlight). While good in theory, this has caused publishing to fail on GoDaddy sites, as GoDaddy’s security rules incorrectly classify Publisher’s server requests as a denial-of-service attack and block publishing for 60 seconds at a time.
Thanks, Ben, for explaining. I am using the SSL, plus I have been using the two-factor authentication when accessing my Backlight admin/settings. I do not run WordPress. I have in the past used FileZilla to upload some specific files for my website. I assume it was using the FTP protocol. I notice it seems to give an SFTP option, which requires a “Private Key”. I do not have any knowledge about this; perhaps the Private Key is something GoDaddy can provide.
Appreciate your help and hard work creating Backlight.