Site Isolation from Google Promises to Repel More Malware Attacks

Against malware

Security in the digital business world is really a challenge these days, and the world wide web is becoming as full of nefarious characters as the town of Machine, the ‘End of the Line’ as it were in the cool monochrome Western Dead Man with Johnny Depp from the ‘90s. A few months back we detailed the big bad Spectre vulnerability that had come onto the scene and posed major threats to the security of data for any type of website handling sensitive personal information.

It continues to be a ‘thing’, and in response to it Google recently enabled a new security feature in Chrome that protects users from malicious attacks like Spectre. It’s called Site Isolation, and is a new feature available with Chrome 67 on Windows, Mac, Linux, and Chrome OS. Here at 4GoodHosting, we’re a Canadian web hosting provider that puts an emphasis on this for obvious reasons, always seeking to stay on top of our clients’ web hosting needs as effectively as possible.

Google’s experimentation with Site Isolation has been going on since Chrome 63, and they’ve patched a lot of issues before enabling it by default for all Chrome users on desktop.

Chrome’s multi-process architecture allows different tabs to employ different renderer processes. Site Isolation functions by limiting each renderer process to documents from a single site. Chrome can then rely on the operating system to prevent attacks between processes, and therefore between sites.

Google has stated that in Chrome 67, Site Isolation has been enabled for 99% of users on Windows, Mac, Linux, and Chrome OS, according to a recent post on their company blog, stating further that ‘even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker. This significantly reduces the threat posed by Spectre.’

Additional known issues in Chrome for Android have been identified and are being worked on. Site Isolation for Chrome for Android should be ready with Chrome 68.

Need for Speed

Quick mention as well to Speed Update for Google Search on mobile. With this new feature the speed of pages will be a ranking factor for mobile searches. Of course, page speed has already been factoring into search engine rankings for some time now, but it was primarily based on desktop searches.

All of this is based on the unsurprising finding that people want to find answers to their searches as fast as possible, and page loading speed is an issue. Keeping that in mind, Google’s new feature for mobile users will only affect the pages that are painfully slow, and that has to be considered a good thing. Average pages should remain unaffected by and large.

We’re always happy to discuss in more detail how our web hosting service comes with the best in security and protective measures for your website when it’s hosted with us, and we also offer very competitively priced SSL certificates for Canadian websites that go a long way in securing your site reliably. Talk to us on the phone or email our support team.

2 Weeks To HTTPS Becoming a Necessity for Websites

It’s July 9th and two weeks from today the web is officially going with full HTTPS as requisite, and that’s a development that’s been a long time in the making. Securing traffic on the internet is an obvious priority, but of course there are people who are strongly opposed to having a secure web.

Two weeks from today Google will be uniformly labeling any site loaded in Chrome without HTTPS as not secure. Most webmasters will be on top of this and accordingly usage of HTTPS is exploding right now. In the 6 months up to a recent report, 32% growth in the use of HTTPS was seen in the top 1 million sites. Mozilla tracks anonymous telemetry via the Firefox browser and recorded big growth (75% page loads) in the rate of pages being loaded over HTTPS. Chrome too, at around the same 75 percent.

We’re a Canadian web hosting provider who’s always got our thumb on the pulse of the industry, so it’s important to relate that quite a few popular sites on the web still don’t support HTTPS (or fail to redirect insecure requests) and will soon be flagged by Google. Plus, let’s clear up a few emerging myths about HTTPS:

  • It’s a Hassle
  • I Don’t Need It
  • It’s Gonna be Slow

  1. It’s A Hassle

No, it’s pretty darn simple. You can protect your site with HTTPS in a matter of seconds for FREE. Sign up for Cloudflare or use a CA such as Let’s Encrypt. We can assist you with any other web security and accessibility concerns you may have beyond HTTPS encryption of your website.

  2. I Don’t Need It

Well it turns out, you do – particularly as it relates to the safety and privacy of those visiting your site. Without HTTPS, anyone in the path between your visitor’s browser and your site or API can peer in on (or make modifications to) your content without your being aware of it. Governments, employers, and especially internet service providers can and have been overseeing content without user consent.

If having your users receiving content unmodified and safe from maliciously injected advertisements or malware is a priority for you, you are advised to move your website to HTTPS.

Add the fact that the major browser vendors like Apple, Google, Mozilla, and Microsoft are restricting functionality to only work over HTTPS. Google will soon block unencrypted mobile app connections automatically in their upcoming Android version. Apple has announced that apps must use HTTPS, but there has been no official announcement of this yet.

  3. It’s Gonna be Slow

The last common myth about HTTPS is that it’s not speedy enough. This belief is a holdover from an era when SSL/TLS might have had a negative performance impact on a site, but that’s not the way it is today at all. HTTPS is also now required to enable and enjoy the performance benefits of HTTP/2.

Here are two untruths to consider:

1) It takes incrementally more CPU power to encrypt and decrypt data; and

2) establishing a TLS session involves nothing more than 2 network round trips between the browser and the server.

When HTTPS content is served from the edge, 10-20 milliseconds away from your users in the case of Cloudflare, SSL/TLS-enabled sites are superior. And even when they are not served from an edge provider they still function at a high level. Advanced users should also consider using HSTS to instruct the browser to always load your content over HTTPS, saving it a round trip (plus page load time) on subsequent requests.

Improving Site Security with WordPress User Roles

WordPress continues to be the most popular choice when choosing a vehicle for building a basic website. Those of you who are a single individual running such a website likely haven’t given much thought to WordPress user roles. In the event that you ever want to allow someone else access to your site then it’s helpful to know how to use these user roles. With them you can give people access only to the areas of your site where they’ll be doing what you’ve requested them to do.

Enabling everyday folks to be more in command of their digital presence is a part of what’s made 4GoodHosting a leading Canadian web hosting provider and, while we prefer websites that are much more dynamic, we understand that WordPress is intuitive to use and works perfectly well for a good many of you.

So, today we’ll discuss what WordPress user roles are, have a look at their importance, and share some tips on how to use them the right way to improve overall site security.

Defining WordPress User Roles

WordPress features a role management system that enables you to specify what actions users can or can’t undertake on your site. As your site expands, knowing how to use these roles is a very valuable bit of knowledge. Each role can be specified based on certain capacities, and one example would be enabling one user to publish a post while allowing another to update plugins and themes. Here are 6 default user roles that can be taken on separately to improve security for the website.

  1. The Administrator Role

This is almost certainly one you’re already very familiar with, given the fact it’s the role you’re assigned when you create your site. There is commonly only one administrator role and it gives access to everything related to your site. Given this role is all powerful, you should be very leery of giving anyone this high-level access to your site.

  2. The Super Admin Role

Note as well that there is one user role that’s technically a step higher than the admin role – the super admin role. The super admin role will only exist when you have a network of connected WordPress sites working in conjunction via WordPress’ multisite installation. This role is responsible for the entire network of sites, and comes with the same privileges as an admin extending out across the entire network of sites. Having a super admin role diminishes the capacity of the standard admin role. A standard admin will no longer be able to modify or install plugins and themes, or make changes to user information.

  3. The Editor Role

This individual will, not surprisingly, have pretty high-level access to your site. They’ll be responsible for content management – which is huge – and they’ll be responsible for creating and editing pages and posts, plus moderating comments and changing categories. Access to plugins or themes won’t be possible for the editor, but everything related to publishing content is dictated by them.

  4. The Author Role

Not much to be concerned about there. The author will be able to create, edit, and publish posts, but not much more than that. They won’t have access to any pages, nor any level of administrative access.

  5. The Contributor Role

The contributor role has even less access than the author role, and is worthy of even less concern accordingly. Contributors will be able to read the posts on the site, edit them and delete their posts. Not much more than that. They will not be able to publish posts or upload media files.

  6. The Subscriber Role

This role is typically used for subscription-based sites. Subscribers usually have access to a diminished WordPress dashboard, where they’ll be limited to managing their own profiles. This role can be useful if your aim in having users sign up is to have them gain access to specific content.

Why User Roles Matter

As a website grows and your backend features multiple people working on your site, a way to manage these users without getting overwhelmed is definitely required. User roles are important for two reasons. The first is that they can simplify your workflow, and especially when you have a developer maintaining plugins and themes, a team of writers, and an editor making sure content is accurate and visually appealing.

The best choice is to assign them specific roles based upon the jobs they’ve been instructed to take on. This will make their jobs easier, as well as preventing them from accessing parts of the site not related to their work. Secondly, they make your site more secure. Defining user roles makes it so that you’re giving people access to limited portions of your site. That’s recommended at all times.

How to Use WordPress User Roles to Improve Security

Assigning different roles to different users based on how they’ll be using your site will help to beef up your overall security. Giving every single site user an admin role means you are essentially giving them full site access. Even though you might trust these individuals, there are possible scenarios where the security of your site can be compromised. A poorly chosen weak password is a good example. Next, you never know if another person’s computer is infected, and in truth they might not even know themselves. Their computer could have malware or another virus installed, and if you give them admin access instead of a defined user role, your site will be at risk.

In conclusion, by specifying user roles you enhance site security and help to safeguard it against any user errors. Defining user roles and keeping each user within their role will not only improve your overall workflow, but will also improve overall site security.
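One way to check an existing site against this advice is to compare each account's role with the job it was created for. This is an added example, not code from the original post or from WordPress; it assumes a user export shaped like WP-CLI's `wp user list --fields=user_login,roles --format=json`, and the job-to-role mapping, the sample accounts and the one-administrator limit are all constructed for illustration.

```python
import json

# The article's roles, least to most privileged (Super Admin exists only on multisite).
RANK = ["subscriber", "contributor", "author", "editor", "administrator"]
# Assumption: lowest role each job in the article's example team needs.
NEEDED = {"writer": "author", "editor": "editor", "developer": "administrator"}

# Constructed sample in the shape of a WP-CLI user export (roles are comma-separated).
USERS = json.dumps([
    {"user_login": "owner", "roles": "administrator"},
    {"user_login": "dana", "roles": "administrator"},
    {"user_login": "lee", "roles": "author,editor"},
    {"user_login": "sam", "roles": "shop_manager"},
    {"user_login": "kim", "roles": "author"},
])
# Constructed: which job each account was created for.
JOBS = {"owner": "developer", "dana": "writer", "lee": "editor", "kim": "writer"}


def audit_roles(users_json, jobs, max_admins=1):
    """Return (login, finding) pairs for accounts that break least privilege."""
    findings, admins = [], []
    for user in json.loads(users_json):
        login = user["user_login"]
        roles = [r.strip() for r in user["roles"].split(",") if r.strip()]
        unknown = [r for r in roles if r not in RANK]
        if unknown:
            findings.append((login, "custom role needs manual review: " + ",".join(unknown)))
            continue
        # A user holding several roles gets the union, so judge by the highest.
        held = max(roles, key=RANK.index, default="subscriber")
        if held == "administrator":
            admins.append(login)
        job = jobs.get(login)
        if job not in NEEDED:
            findings.append((login, "no documented job for this account"))
        elif RANK.index(held) > RANK.index(NEEDED[job]):
            findings.append((login, f"{job} holds {held}, needs only {NEEDED[job]}"))
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} administrators: " + ",".join(admins)))
    return findings


if __name__ == "__main__":
    for login, finding in audit_roles(USERS, JOBS):
        print(f"{login}: {finding}")
```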