Agentpoint Website Security

There are four main kinds of attacks observed on Agentpoint websites:

Opportunistic Brute Force – there are programs that scour the internet looking for websites with weak passwords. Agentpoint has systems in place which can detect and block these attacks across all servers automatically.

Spam bots – programs that find email forms that can be used to send spam or phishing emails. Website forms on Agentpoint websites are protected by a system that checks form submissions and detects nusiance submissions.

Credential Stuffing – This is where a valid username and password for a user is leaked (either by malware on the user’s computer or leaked by another website that uses the same credentials). Agentpoint’s monitoring systems can pick up when someone logs in from an unusual location an investigation is launched to determine if action is required.

DDoS / Denial of Service – This is where a flood of traffic is sent to a website with the intention to overload the servers and take the website offline. Agentpoint’s servers are over-specced which means they all have plenty of excess capacity for traffic bursts, and monitoring systems are in place to alert when there is a flood of traffic so it can be dealt with swiftly. For the most serious attacks we have hardware firewalls that can block DDoS attacks before it reaches the servers.

Website attacks are generally nusiance attacks – the hacked website is used to send spam or redirect traffic or show ads. The goal of the attackers is to gain access to as many websites as possible and they don’t care what those websites are.

As demonstrated by recent high profile attacks, hacking to exfiltrate personal information is on the rise. Agentpoint combats this by following the principals of “data minimisation” – the website does not store any information it doesn’t need in order to operate which includes most types of PII (personally identifable information).

Here are some tips that can help contribute to the security of your website:

Don’t share passwords – If multiple people need access to your website, don’t share a single login. Instead create one login per person so each person has their own password.

Use a strong password – Ideally use a password manager and on your website use a completely random password that is not used on any other website. WordPress can automatically generate secure long random passwords for you.

Reduce how many people have access – Don’t give access to your website to someone who doesn’t need it, and if somone has left the company ensure you remove their access.

Ensure everyone who has access follows these tips – Our customers do a great job following these tips and choose complex passwords that are stored securely. When a third party, like an SEO/Marketing company, it is important that they follow these same tips to maintain the security of your website.

Yes, Agentpoint uses multiple layers of security across our servers including hardware firewalls, and web application firewalls tailored to our WordPress websites to provide automatic blocking and alerting to any suspicious traffic.

It may not be obvious that these systems are in place, either by external scans or from inside the WordPress admin panel. They aren’t designed to be highly visible.

A CDN is typically a service used with a website to improve website performance.

Agentpoint does use a CDN for some website assets and real estate data (such as listing images, agent photos).

Note: Some free CDNs (such as Cloudflare) can have a detrimental impact on your website load times in Australia due to certain Australian ISPs having very expensive transit, causing Cloudflare to route their free traffic overseas first. Agentpoint’s servers are hosted domestiacally in Sydney so they will always perform faster in that situation. Agentpoint discourages the use of Cloudflare for a whole website without first taking this in to account.

Two factor Authentication (2FA) or Multifactor Authentication (MFA) is a method where a username and password, plus an extra factor (something you have) for added security. When multi-factor authentication is used accidentally losing a password still isn’t enough to let an attacker in to your account.

It is highly recommended multi-factor authentication is used everywhere possible, particularly extremely sensitive accounts such as email accounts, financial accounts and accounts storing PII (Personally Identifyable Information).

Agentpoint websites do not currently support multi-factor authentication due to technical limitations we currently have. Resolving these limitations so we can offer multi-factor authentication on our websites is on our roadmap and will be communicated to clients when it’s ready.