Hosting Migration: Hughes Precision

Hughes Precision is a small Michigan-based company specializing in custom manufactured gun parts such as barrel thread protectors, thread adapters, muzzle brakes, bolt knobs, etc. They had an established website, but they also had a problem: the website was down for extended periods, it was not very responsive when it was available, their web hosting provider didn’t seem able to correct the issues, and they were experiencing high levels of payment fraud.

Everyone was frustrated with the situation and Hughes Precision was losing potential customers.

Fixing Site Performance/Availability

Cardinal Acres Web Development migrated their website to a new and reliable web hosting provider (KnownHost). The migration retained all their existing prior order data and customer data so their business could refer back to that information if/when needed in the future. The responsiveness of the site on the new web hosting provider was “night and day” compared to the old web hosting provider.

Below are 24 hours of UptimeRobot monitoring of the website before and after the site migration, illustrating the difference:

Site Performance

These are pre- and post-migration summaries of uptime performance as evaluated by UptimeRobot. Pre-Migration (on the left): the site is quite unresponsive with an average response time of over 4 seconds. Additionally, over the previous 5 days the site experienced 11 outages totaling over 17 hours of downtime (approximately 87% uptime, which is terrible). Post-Migration (on the right): site responsiveness is much improved at less than 0.5 seconds and there has been no downtime.

Note that the above changes are due only to switching web hosting providers. The website is using the same theme, plugins, etc. as before.

Fixing Payment Processing Fraud

Previously, the website had permitted indiscriminate user registration. This made it easy for legitimate customers to create an account on the website but it also made it easy for fraudsters/hackers/criminals to do the same. There are very few cases where it is necessary to allow unconditional user account creation on a website.

The first order of business was to configure WooCommerce so that an account is created for a website visitor only after they place an order; a follow-up email then contains a link to set a password for the new account. Removing open user account registration alone will deter many ne’er-do-wells, but the additional requirement of placing an actual order to create an account will filter out even more. Fraudsters determined enough to place an order to create an account will also need to respond to the follow-up email to set a password before they can use the account for further illegitimate purposes.

The second order of business was to install and configure a WooCommerce anti-fraud plugin. We chose YITH WooCommerce Anti-Fraud for its flexible settings and for YITH’s reputation as a longtime developer of WooCommerce-related plugins. One drawback quickly surfaced: the plugin would flag orders that were manually entered via the WordPress dashboard as potentially fraudulent. This is due to two fraud checks that YITH WooCommerce Anti-Fraud implements:

  • maximum number of orders in a specified time span from the same IP address — intended to prevent a “flood” of fraudulent orders but instead flags manually entered orders since they are, of course, tied to the same IP address
  • multiple billing details linked to the same IP address — intended to prevent a single IP address from submitting orders with multiple billing addresses but again inadvertently flags manually entered orders

A support ticket has been opened with YITH requesting the ability to bypass these fraud checks for manually entered orders. Hopefully, YITH will quickly respond with an update to the plugin.
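The two IP-based checks and the false positive they produce on dashboard-entered orders, as an added illustration in Python (not the YITH plugin’s code). The order records, thresholds and timestamps are constructed; `created_via` mirrors the WooCommerce order field that records whether an order came through checkout or was entered in the admin dashboard, and `skip_manual` models the bypass requested from the vendor.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed order records carrying only the fields the two checks need.
# created_via mirrors WooCommerce's order field: "checkout" for storefront
# orders, "admin" for orders entered manually in the WordPress dashboard.
@dataclass(frozen=True)
class Order:
    order_id: int
    ip: str
    billing: str          # normalised billing name + address
    created: datetime
    created_via: str

MAX_ORDERS_PER_IP = 3                 # threshold values are assumptions
ORDER_WINDOW = timedelta(hours=24)
MAX_BILLING_PER_IP = 1

def flag_orders(orders, skip_manual=False):
    """Return {order_id: [reasons]} for orders tripping either IP check.

    skip_manual=True leaves dashboard-entered orders out of the IP grouping,
    which is the bypass the text describes requesting from the vendor.
    """
    checked = [o for o in orders if not (skip_manual and o.created_via == "admin")]
    by_ip = defaultdict(list)
    for o in checked:
        by_ip[o.ip].append(o)
    flags = defaultdict(list)
    for group in by_ip.values():
        group.sort(key=lambda o: o.created)
        # Check 1: too many orders from one IP inside the time span.
        for i, o in enumerate(group):
            recent = [p for p in group[: i + 1] if o.created - p.created <= ORDER_WINDOW]
            if len(recent) > MAX_ORDERS_PER_IP:
                flags[o.order_id].append("order flood from IP")
        # Check 2: more than one distinct billing detail behind one IP.
        if len({o.billing for o in group}) > MAX_BILLING_PER_IP:
            for o in group:
                flags[o.order_id].append("multiple billing details per IP")
    return dict(flags)

def sample_orders():
    t0 = datetime(2024, 1, 10, 9, 0)   # constructed timestamps
    shop_ip = "203.0.113.10"           # the shop's own address (TEST-NET range)
    # Four phone orders keyed in from the dashboard within one hour, all
    # sharing the shop's IP but carrying four different customers' billing details.
    manual = [Order(100 + i, shop_ip, f"phone customer {i}",
                    t0 + timedelta(minutes=15 * i), "admin") for i in range(4)]
    storefront = [Order(200, "198.51.100.7", "retail customer a", t0, "checkout")]
    return manual + storefront
```

Without the bypass every manually entered order is flagged while the genuine storefront order is not; with `skip_manual=True` nothing is flagged.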

Fixing Site Security

Before Cardinal Acres Web Development took over, the Hughes Precision site was utilizing the Solid Security Basic plugin (formerly iThemes Security). This plugin was pretty quickly swapped out for Wordfence Premium, the leading WordPress security plugin and the one I use on all my other client websites. Solid Security Basic may well be a decent WordPress security plugin but I have no experience using it and, given the situation in which Hughes Precision found themselves, it was better to go with a known plugin.

Wordfence was configured to tightly lock down the site:

  • only 3 failed login attempts allowed
  • only 3 password reset requests allowed
  • immediately block those attempting to log in with an invalid username
  • block any access attempts from foreign countries (Hughes Precision sells only to customers in the United States and its territories)

Site security this tight has the potential to ensnare legitimate customers; at some point in the future these measures will be relaxed to some degree, reducing the likelihood of flagging legitimate customers.

Implementing a multi-layer approach to site security:

  • only allowing account creation after placing an online order
  • implementing an anti-fraud plugin
  • implementing a site security plugin

provides the best overall site security.

Next Steps

Obviously, it will be important to monitor the website going forward for security and fraud issues and to address any issues that are found as soon as possible. Additionally, the Hughes Precision website has other issues, not the least of which is missing/corrupted content resulting from the removal of a content builder plugin (apparently Fusion Builder, possibly due to a previous version of the website using the Avada theme which includes Fusion Builder). The website is currently built on the Divi theme which includes a content builder, so it is odd that a second content builder plugin was installed. This is definitely not a recommended practice due to the potential of plugin conflicts; WordPress by default already includes a content builder (Gutenberg or just “block editor” for short) and adding two more is not a “good idea”.