Site Maintenance and Security Hardening (SMASH)
SMASH is a WordPress-centric service that keeps your website components up to date while monitoring and adapting your security stance against hackers. Time spent beyond the normal update and review process for a website might incur additional cost at the applicable rates, but you would be notified in advance and the situation discussed before any additional invoicing is authorized.
Though all clients are required to agree to my Standard Contract (or modifications of it for your particular situation), the section on Future Proofing in that contract is directly relevant to SMASH.
RapidRollout Websites: $65.00 quarterly subscription.
All Other Websites: $35.00 monthly subscription + time for workflow testing. This will be individual to your website, depending on complexity.
If this service is requested on an ad-hoc basis instead of a subscription plan with constant monitoring, then it is really FlexSupport and not SMASH. In that case, the component updates and workflow testing can still happen at your standard FrequentFlexer Support rate.
Benefits of SMASH Subscriptions
- Monthly updates
- Security Monitoring and Reviews
- A 10% discount to your FrequentFlexer Support rate.
- Coverage of applicable software licenses. For RapidRollout, this tends to be 100% coverage.
- Ongoing monitoring for security and stability, with the option to issue blanket authority to FlexTech Media to take action without your explicit approval first if a serious and urgent threat is detected…or not. The choice is yours.
- Same day restoration of a compromised website when possible.
- Graceful update experiences for your website and visitors.
- Addresses Article 25 of the General Data Protection Regulation: Data Protection by Design and by Default.
- Preservation of site functionality related to the Americans with Disabilities Act of 1990.
- Secure backups for faster recovery in case a hack gets through. This provides a historical, redundant archive to your web host’s backup practices. It often provides recovery options that go back way farther than a web host’s generic backup of your website.
If Someone Else Built Your Website
If I did not build your website, an audit is first conducted to evaluate your current configuration against security best practices and your site’s compatibility with those approaches. I execute on those recommendations once authorized. The site is placed in a state of perpetual monitoring with safeties in place. Security audits are invasive and not entirely automated, as some things just have to be looked at closely by human eyes. It means I have to be able to get into the same areas of your website that your developer gets into, and that I must understand all your workflows and what aspects touch security concerns. Some websites require security exceptions where others do not, so I always use adaptive security approaches that require your approval to implement. Though I certainly do not expect you to understand the technical aspects of what I do here, it is important that you are aware of how certain security approaches impact how your website is allowed to function. Conversely, it is important to understand if there is functionality that violates a security standard so we can decide together how to address it.
- Recommendations about modifications to your Terms and Conditions of Service and login area to bind agreement to your TOS with member logins.
- Evaluation of your web host’s ability to allow security best practices.
- Identification of existing workflows that violate security practices.
- Education about content management practices your content manager should avoid, and the introduction of alternatives to help them do their jobs.
- Evaluation of SEO practices that may need to be modified, for instance techniques that reveal premium content to a search engine or expose knowledge about the site’s architecture that could be used to compromise your website (such as abuse of the xmlrpc process).
- You get a dedicated professional who now has intimate knowledge regarding your website and is accountable to you for its ongoing health.
- Quantifiable knowledge about how secure your website actually is. You get on-demand access in a secure portal to your current security status reports.
- In most cases, an audit will provide a Site Integration Map to capture knowledge about your website’s functional architecture. This provides you with a professional technical document WordPress developers and integration experts can use as well to make sure their work does not compromise the established security stance.
- Shareholders, marketers, operations teams, and other stakeholders can now be furnished with proof that you have taken the appropriate steps to protect the capital expenditure that is your website.
Additional Hosting Fees May Apply
If your website is at least as complex as a Foundation build, then SMASH requires a clone of your site on a staging server for ongoing service. The hosting must match the hosting configuration of the live site, including the purchase of any additional SSL certificates. Websites that are as simple as my RapidRollout package are often excluded from this requirement, but not always.
Updating complex builds requires regression testing of workflows and other functionality. Each time the site’s code base is changed by an update, a full manual regression test is required to make sure all role-based security is preserved, as well as tests to confirm no compromise to protected content, preservation of conditional navigation displays, and more. This testing must happen on the staging server first, then again once the site is live. Your sign-off that all is well is the last step in concluding any given update cycle.
My SMASH approach has stopped hundreds of thousands of attacks on websites across my portfolio, and continues to do so to this day. I created SMASH in response to what I saw almost a decade ago: WordPress gets implemented in an unsafe manner a lot by vendors who do not build such websites under a legal contract with an expectation of security. Now that the General Data Protection Regulation (GDPR) is upon us, a service like SMASH can go a long way toward GDPR compliance as well, as it relates to Article 25: “Data protection by design and by default”.