A rack of computer servers.

Worried about Course Security? Start with Your Website.

By: LearnDash Collaborator May 6, 2021
Filed Under:

Protecting your intellectual property is important, but securing your website should come first.

A common concern for many course creators lies in how they can protect their content from being stolen. After putting all that work into developing course content as an intellectual property, no one wants it to be scraped and shared elsewhere. However, many of those concerned about a content stealing are actually behind the ball when it comes to the security of their own websites, and this poses a much more significant risk both to their learners, and to their business.

Securing your content on the front end, where learners access it, will do you little good if someone can steal it by breaking into the back end of your site. It would be like locking your front door while leaving your back door open. But more importantly, most online security threats have nothing to do with your course, and everything to do with stealing user data, injecting malicious code into your website, or holding your site content for ransom.

Security is a complicated topic, and there are many steps beyond those we are about to discuss that may apply to your specific situation. Our focus for the moment is on the measures that new users should be taking from the beginning to establish a secure foundation for their website, and their business. If this sounds like what you need, here are the most important actions you can take right now to keep your course and your learners protected.

1. Choose reliable hosting.

What’s the most important thing to look for in a good web host? Price? Bandwidth? Reliability? Customer service? All these factors are important, but nothing is more important than security.

Hosting plays a major part in online security. Vulnerabilities in your hosting environment are especially concerning, because they are at the highest level of access. This makes them harder to detect, and hard to root out once they take hold.

The best defense is to do your due diligence when choosing a web host. Make sure your web host is following secure practices, such as keeping their software, hardware, and PHP version up to date. They should also monitor their networks for suspicious activity, and have a recovery plan in place in case of a disaster or a security breach.

Another thing you should consider carefully is whether the lower costs of a shared hosting plan are worth the security tradeoff. Let’s take a closer look.

Shared, VPS, or dedicated hosting?

When you consider your hosting options, there are three main services available: shared hosting, a virtual private server (VPS), and dedicated hosting.

  • Shared Hosting. Shared hosting means that your website is on the same server as several others. This is the most affordable option, but it also means more shared resources. A spike in traffic to one of the other websites on your server may slow your site down. A security breach on a shared host can also affect your site.
  • VPS. With a VPS, you’re still sharing a server, but the resources on that server allocated to your website are not shared. This means whatever is happening on one of the other websites sharing your server is less likely to affect your website.
  • Dedicated Hosting. On a dedicated server, you aren’t sharing any hardware or resources with other websites. This means you have more control over the hardware configuration, and don’t have to worry about any other site affecting yours. However, it is the most expensive, and can be overkill for smaller businesses.

There are more security concerns with shared hosting than with your other options, but that’s not to say you can’t use it. There are high-quality providers out there who offer good services with extra safeguards in place to protect sites that use their shared hosting platforms. But you should understand the tradeoffs you’re making. If you can afford a VPS or dedicated hosting, this is not a place to be penny wise but pound foolish.

DDoS protection.

One more thing, while we’re on the topic of hosting security: DDoS protection. Distributed Denial of Service (DDoS) attacks made major headlines in 2016, when one took down Dyn, a major Domain Name System (DNS) provider. The DNS is what translates the human-friendly domain names we are all familiar with into IP addresses, which are computer-friendly. The attack resulted in major disruptions for some of the biggest Internet sites, including Netflix, Amazon, The New York Times, Airbnb, PayPal, Visa, and Reddit.

DDoS attacks harness large bot swarms to flood a domain with traffic, sometimes at rates exceeding a terabit per second. The pressure this places on a network can effectively shut it down, preventing any visitors from accessing page content.

The best way to mitigate this threat is through a DDoS mitigation service, such as Cloudflare or Akamai. These services protect sites by differentiating legitimate traffic from bot traffic, and then blocking illegitimate traffic while still allowing your learners through. Most reliable web hosts will offer DDoS protection as part of their services.

2. Install SSL authentication.

Ever wonder what the difference between websites that begin http:// and https:// is? That “s” in there plays a big role. It indicates that the website you’re visiting is using Secure Socket Layer (SSL) encryption, which is a way to protect data as it travels from the host server to your browser.

Without SSL encryption, hackers can intercept that data and inject malicious scripts into the code. From the perspective of a web user, this can mean that they’re suddenly seeing strange ads on your site, even though you never placed them there.

More sophisticated versions of this attack can add form fields or CTA prompts to your website encouraging learners to give away personal information. Because it looks like it’s part of your site, learners will have their guards down and will be more likely to fall for the bait.

Fortunately, installing an SSL certificate on your site is an easy way to eliminate this risk. Google is also cracking down harder on sites that don’t have SSL certification, by highlighting that pages are unsecure in their browser search bar (if you’re using Chrome), or by penalizing them in search engine rankings.

You can get free SSL certification from Let’s Encrypt, which is supported by Automattic. Many hosts now also come with free SSL certification as a standard part of their services.

3. Install a security plugin.

We’re about to get into a number of specific security measures, most of which can be achieved through WordPress security plugins. When choosing a security plugin (or plugins), look at what features they provide and choose ones that are well-regarded in the WordPress community. A few of the best-known names include:

  • iThemes Pro. Enforces strong passwords, allows for login masking, defends against brute force attacks, and detects suspicious file changes.
  • Sucuri. Offers site monitoring to detect malware, firewall protection, and backup services.
  • WordFence. Provides malware scanning and firewall protection.
  • Defender. Enables two-factor authentication, login masking, and IP blocking, among others.
  • VaultPress. Part of JetPack. Primarily for backups.
  • Google Authenticator. Primarily for two-factor authentication.

This isn’t an exhaustive list, but it will get you started. Whether you choose an all-in-one solution or pick plugins based on their specialization is up to you. Avoiding getting too many plugins with redundant features, however, as they can begin to interfere with each other.

Here’s what these plugins will provide.

Malware and firewall protection.

Just like on your computer, you can also get malware and firewall protection for your online course website. Malware protection will monitor your site for activity that raises red flags, like files being modified in a suspicious manner, or being moved to places they shouldn’t be. Firewalls will prevent users from being able to upload certain files and prevent ports to the server.

Strong usernames and passwords.

Is your admin username “admin?” Is your password “password?” Is your username and password neither of these, but you still have a default account where it is? Did you create an account quickly for someone with a password like “p4ssW0rd!” and then forget to change it to something more complex?

All of these instances are far too common, and they are major security concerns. If someone breaks into your site because they guessed your username and password combination, they can then potentially lock you out while they cause damage to your business and your learners.

The best rule of thumb is that you shouldn’t choose a password you have to remember. Instead, use a password locker to store your password, and then choose one that is an incomprehensible string of numbers and letters. Also, longer is better. The shorter your password is, the less secure—no matter how many @s, %s, and !s you add.

Multifactor authentication.

Do you know what’s even better than a strong password? Multifactor (or two-factor) authentication. You may have encountered this already, any time you’ve had to dig into your pocket to find your phone in order to enter a PIN that you just received by text. This may seem like a hassle, but it’s one of the best things you can do to protect your login.

The “multifactor” in this case refers to different ways to prove that you are who you are. These factors can be something you know (like your password or your username), something you “are,” like a fingerprint or a facial scan, or something you own, like your phone.

When you set up multifactor authentication, it means that someone can’t access your site just by knowing your username or password. They also have to somehow have access one of those other factors, which (as you can imagine) is significantly more difficult.

Site backups.

No matter how cautious you are, something can still go wrong. Having a regular backup will make it easy to roll your site to an earlier version if a virus manages to inject code into your system, and will also be helpful if something else happens to damage your site.

4. Keep WordPress and all plugins updated.

If you own a computer, you should already be familiar with the importance of maintaining your software updates. Updates exist to roll out new features, but they’re also there to patch up security flaws.

Building a site on WordPress, with its ecosystem of plugins, means you’ll have regular updates to maintain. Keep an eye on these, and perform any security-based updates immediately. For other updates, it’s usually OK to wait a couple weeks for some of the early bugs to be ironed out.

For any updates, be sure to have a recently backed-up version of your site in case anything breaks. Run your updates one at a time so that if something does break, you can more easily isolate the issue.

5. Limit user role access.

Choosing strong passwords and enabling multifactor authentication are both excellent ways to protect your site from being hacked. However, you should also take steps to limit the damage of a potential breach, so that if someone gains access to your site maliciously, they can only do so much. WordPress comes with six levels of predefined roles, ranging from “Subscriber,” which is a read-only role, to “Super Administrator,” which has complete control over the site.

Limiting user roles means that you only give each user the amount of permissions they need to do their work, and nothing more. For instance, an Editor can publish posts, upload files, and moderate comments, but they can’t install new plugins on your site or remove other users.

Obviously, you should never give someone you don’t trust access to sensitive functions on your website, but determining a user’s role is about than whether you trust them as an individual. It’s also about what might happen if that user’s account got taken over by someone you don’t trust. If you assume that might happen, and limit someone’s access to only the functions you need, you will protect your site and your users.

6. Set up ReCAPTCHA on forms.

If you’ve ever struggled to decipher a squiggly image of letters and numbers, selected which images in a grid contain trees, or been asked to solve a basic math problem in order to fill out a form, then you know what a CAPTCHA is.

Old versions of CAPTCHA (which apparently stands for “Completely Automated Public Touring test to tell Computers and Humans Apart—yes, we know it’s clumsy, we didn’t make it up) have been irritating to use at best, and at worst pose significant accessibility issues for many users. The difficulties using them have caused many users to avoid them, believing they’re more trouble than they’re worth.

Unfortunately, the Turing test is an essential part of website security. Authenticating human users prevents bots from bombing your inbox with fake form submissions, spamming your comments section with toxic backlinks, or conducting brute force attacks against your login portals.

The good news is that ReCAPTCHA removes these difficulties almost entirely, replacing the blurred images with a simple “I am not a robot” checkbox. It’s unobtrusive enough that most users won’t even notice it’s there, and it effectively blocks attacks, keeping your site secure.

Continue to educate yourself.

Finally, it’s always worth emphasizing that online security is a fluid field. Best practices change as new threats emerge and new technology becomes available to fend against them. If you’ve taken all the precautions listed above, the next step is to look over your site for any specific security concerns that may apply to you, but not others.

For instance, do you conduct a lot of webinars? Then you should look into the security of your webinar service to be sure your lessons don’t get interrupted. Are you working in a confidential field, where you may be handling sensitive information? There may be industry-specific compliance policies you have to follow.

Regardless, make it a personal policy to review your site security once a year, and read up on any new threats that may apply to you. Or, find someone with security expertise who can look over your online course and make sure it’s up to date.

Securing your online is essential for keeping your content safe. It’s also crucial for your online reputation. If your course gets hacked, it damages trust with learners, ad can undermine your own credibility as an educator. Finally, it’s the best thing you can do for your learners. If your site security is compromised, it will have a negative effect on their learning experience, and it may even lead to a loss of their digital privacy.

Protecting your business and your learners from online threats is within your reach, so long as you make it a priority. Don’t let it get overlooked.

LearnDash Collaborator

A LearnDash specialist wrote this article to help guide new and current LearnDash members.