Whenever you talk about WordPress security, every guide hands you a list of security plugins. My point of view and approach are different. I am not saying that security plugins provide no real protection. All I am saying is that relying on security plugins alone will not completely secure your website. You have to go beyond the basics to tackle any kind of security breach on your website.
Always update WordPress, as older versions have more known loopholes. If you worry that an update could break your site, take a backup first. The important thing is that you update. Newer releases mostly fix older security loopholes, so it is recommended that you keep WordPress up to date.
The same rule applies to plugins and themes. Keeping them up to date will not only make them perform better but also protect them against known security flaws.
If you are not using a plugin or theme, what is the point of keeping it? Delete it and get rid of it, because there is a good chance it has not been updated in a long time. Plugins like that can give an attacker direct access to the backend of your WordPress website.
Always prefer plugins and themes from sources you trust. Plugins and themes from an unreliable source can give malicious software access to your account and cause serious damage. So, always check the source of a plugin before downloading it.
If any directories have 777 permissions, change them to 755 or 750. You can further set files to 644 or 640. Configure wp-config.php with 600 permissions.
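The targets above are easy to state but tedious to verify by hand across a whole install. The following command-line script is an added example (not code from the original article): it walks a WordPress tree and reports anything with more access bits than the stated limits (directories 755, files 644, wp-config.php 600). The stricter 750, 640 and 700 variants pass because they are subsets of those limits. The root path argument and the report format are this example's own choices.

```php
<?php
// Added example: audit a WordPress tree for permissions looser than the targets
// in the text (dirs 755/750, files 644/640, wp-config.php 600).
// Usage: php audit-perms.php /path/to/wordpress   (path is a constructed example)

function wp_perm_violations(string $root): array {
    $violations = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $mode = fileperms($path) & 0777;          // keep only the rwx bits
        if ($info->getFilename() === 'wp-config.php') {
            $limit = 0600;                        // owner read/write only
        } elseif ($info->isDir()) {
            $limit = 0755;                        // 750 and 700 also pass
        } else {
            $limit = 0644;                        // 640 and 600 also pass
        }
        // Any bit set in $mode but not in $limit is extra access
        // (group/world write, or a fully open 777 directory).
        if ($mode & ~$limit) {
            $violations[$path] = sprintf('%04o (max %04o)', $mode, $limit);
        }
    }
    return $violations;
}

$root = $argv[1] ?? getcwd();
$found = wp_perm_violations($root);
if ($found === []) {
    echo "No permission violations under $root\n";
}
foreach ($found as $path => $detail) {
    echo "$path: $detail\n";
}
```

Run it as the web server user or as root so every file is readable; anything it lists can then be corrected with chmod to the value in the text.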
Never use "admin" as your username. It is the WordPress default, and you would not like Mr. Hacker to guess your username that easily.
A long password mixing upper- and lower-case letters, digits and special characters will keep an attacker from guessing it.
One of the most effective ways to stop a brute force attack is to enable two-step authentication. You first enter your password and then receive an authorization code sent to your cellphone via SMS. This bolsters your security and certainly minimizes the threat of a brute force attack.
Always activate the firewall on your computer. This adds an extra layer of security for your website against any kind of attack.
There are plugins that let you limit login attempts from a given IP address. It is advised to use them, since doing so frustrates brute force attempts.
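For readers who would rather see what such a plugin does than install one, here is an added example (not code from the original article) of per-IP login throttling written with WordPress' own hooks and transients; it can go in the child theme's functions.php. The thresholds, the transient key prefix and the example_ function names are this example's own choices.

```php
<?php
// Added example: lock out an IP after repeated failed logins, using only
// WordPress core APIs (transients and the login hooks).

const EXAMPLE_MAX_ATTEMPTS    = 5;    // failures allowed before lockout (assumption)
const EXAMPLE_LOCKOUT_SECONDS = 900;  // 15-minute lockout window (assumption)

function example_client_ip() {
    // Use REMOTE_ADDR only. X-Forwarded-For is client-supplied and is safe to
    // trust only behind a proxy that is configured to overwrite it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function example_attempt_key($ip) {
    return 'example_login_fail_' . md5($ip);
}

// Count every failed login for the source IP (wrong password or unknown user).
add_action('wp_login_failed', function ($username) {
    $key   = example_attempt_key(example_client_ip());
    $count = (int) get_transient($key) + 1;
    // Each failure refreshes the window, so a slow-and-steady attacker stays locked.
    set_transient($key, $count, EXAMPLE_LOCKOUT_SECONDS);
    if ($count >= EXAMPLE_MAX_ATTEMPTS) {
        error_log(sprintf('Login lockout for %s after %d failures',
            example_client_ip(), $count));
    }
});

// Runs after core's own username/password handlers (priority 20), so whatever
// they returned is replaced by an error while the IP is locked out.
add_filter('authenticate', function ($user, $username, $password) {
    $count = (int) get_transient(example_attempt_key(example_client_ip()));
    if ($count >= EXAMPLE_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that IP.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_attempt_key(example_client_ip()));
}, 10, 2);
```

Transients are per-site storage, so on a multi-server setup behind a shared object cache the counter is shared; on a single host with no persistent cache it lives in the database. The error_log line gives the hosting logs a simple signal to alert on.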
So, these are some common practices one should follow to harden a website against brute force attacks. These actions are essential and very effective.
Now that those methods are out of the way, I want to give you some practices that you may not have thought of before. These practices are very efficient and provide robust solutions to your website’s security issues.
Before you start making these changes in your functions.php file, please make sure that you create a child theme.
Now, you might think this is the same point I made earlier, but I want to clear up one thing here. Uninstalling useless plugins is an effective step; however, not installing useless plugins in the first place is the best move. So, strategize your plugin usage.
Make a list of the kinds of plugins you might use, then think about the long-term use of each. Remember one important consideration: the number of plugins you use is directly proportional to the number of ways an attacker can get into your WordPress website.
I understand that budget is an important concern for a website. However, I also understand that a security breach matters even more than budget. What is the point of saving money at the cost of your website's security?
If you need a premium plugin, never download it illegally. It is unethical, and it may also lead to serious consequences. A premium plugin obtained from a free download link, however clean its code looks, can open a way for an attacker into your website's back end.
I have mentioned this point above, but I want you to know one important thing. Updating your WordPress is not a one-time event; it is a recurring process. Site maintenance should be one of your habits. Try to automate these updates.
The same applies to all the plugins and themes, as they are also a part of your website. You should not leave any loopholes in the matter of security. Constantly update your themes and plugins.
Many of you are familiar with PHP error reporting; it is useful for troubleshooting. Have you ever noticed that those reports contain your server path? My point is that if a hacker wants to get into your website, he only needs to look at your error output to learn the server path. So, it is advised to turn off error display with a short snippet in your wp-config.php.
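The article's own snippet is not reproduced on this page, so here is an added example (not the author's code) of the wp-config.php settings that keep PHP and WordPress error output, and the server paths it contains, out of visitors' browsers while still writing it to a log. These lines belong above the "That's all, stop editing!" comment in wp-config.php.

```php
<?php
// Added example: silence error output to visitors and keep it in the log instead.

// Tell PHP itself not to print errors into the page, only to log them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// WordPress debug settings for a production site. WP_DEBUG stays off; should
// it ever be switched on for troubleshooting, WP_DEBUG_DISPLAY=false keeps the
// output off the page and WP_DEBUG_LOG=true sends it to wp-content/debug.log.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
define('WP_DEBUG_LOG', true);
```

Note that wp-content/debug.log sits inside the web root by default; it should not be left readable to the public, which is one more reason to keep the file permissions above in order.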
Leaving the WordPress defaults intact is extremely dangerous. Everyone who uses WordPress knows those defaults, and so does Mr. Hacker. The main author is usually also the administrator of the website; hence, it is crucial to hide the author's username. To hide it, you only need to add a few lines of code to your functions.php.
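The functions.php code the author refers to is not on this page. As an added example (not the author's snippet), the hooks below close the usual places where WordPress reveals an author's login name: the author archive reached through /?author=1, the REST users listing, and the author links themes print. It assumes a child theme's functions.php and the home page as redirect target, both this example's own choices.

```php
<?php
// Added example: stop WordPress from exposing the author's login name.

// 1. /?author=1 and /author/<login>/ normally redirect to or render the author
//    archive, which puts the login name in the URL. Send those requests home.
add_action('template_redirect', function () {
    if (is_author() || isset($_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// 2. The REST API lists users, including their slugs, at /wp-json/wp/v2/users
//    for anonymous visitors. Remove the user routes unless someone is logged in.
add_filter('rest_endpoints', function ($endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// 3. Theme author links point at the archive URL, which contains the slug.
//    Point them home instead so the slug never appears in the markup.
add_filter('author_link', function ($link) {
    return home_url('/');
});
```

The user slug (user_nicename) defaults to the login name, which is why these archives and listings leak it; these hooks hide it at the edges, and separately making the display name differ from the login name keeps it out of post bylines as well.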
Securing a WordPress site is not just about installing a number of security plugins. It should be a well-executed plan covering all the loopholes and limiting the number of ways to cause a security breach.
On – 27 Apr, 2017 By Emily Johns
Prior to the 1990s, networking required business owners to put on their business attire, shove on dress shoes, drive to a pre-determined location at a pre-determined time, walk into a room full of people who didn’t know each other, go through introductions, explain their business, hand out business cards and hope people remembered to call later. Building relationships required handshakes, eye contact and, at minimum, picking up the phone and having a conversation. While a strong argument can be made that these steps still must be taken in order to build strong relationships with other business owners, a new form of networking has catapulted its way to the top.
Shoving face-to-face interactions and business cards out of the way, websites have taken center stage and become the way for small business owners to gain exposure, explain their business and make sure that products and services are memorable. No longer are there pre-determined locations at pre-determined times. Google has helped take the work out of networking by connecting potential customers to potential business owners twenty-four hours a day, seven days a week.
In the twenty-first century, there is no way a business owner can sustain a profitable business without some way to advertise and communicate with their customer base through the internet. This means that many small business owners find themselves in a tough situation: they have to create a good website without any web design experience or the five figures (or more) needed to invest in a professionally built one.
Yet, for many businesses, their website is the face of the company. First impressions are created and potential customers and clients make decisions in a matter of seconds when scanning a website. For small business owners who must move forward with building their own websites, there are a few key elements they must consider.
Define the main purpose of the website being built. Is the goal to build an email list? Focus on products? Share more information about the company? No matter what purpose the website serves, it must be clear to the website visitor in just a matter of seconds. Tony Haile, author of Time’s “What You Think You Know About the Web Is Wrong,” shares his surprising statistic that 55 percent of website visitors spend fewer than 15 seconds actively on a page. Therefore, with just a few seconds to catch a visitor’s attention, the purpose of the website must be clear.
The most memorable domains, or web addresses, are the most simplistic ones. For instance, Nike.com is simpler than NikeShoes.com or NikeAthleticShoes.com. Small business owners tend to overthink their domain names rather than just focusing on something that is easy to remember for their clients and potential customers.
Websites must be hosted and stored on a server. Small business owners are fortunate enough to have easy access to web host providers. According to Freeservers.com, “There are literally thousands of web hosting services available today, ranging from free services with limited options to expensive, specialized business web hosting services. Which option you choose depends primarily on how you plan to use your website and how much you want to spend.”
Cheap doesn’t mean better, and taking the time to compare signup versus renewal pricing will pay off in the long run. In their article, “Low-Cost Hosting Guide: Find Cheap Web Host That Doesn’t Suck,” Web Hosting Secrets Revealed points out that “Some budget hosting companies now allow customers to lock in at low renewal price upon signup.”
The last website decision is which content management system to use. Oftentimes the most user-friendly systems are also the most limiting. On the other end of the spectrum, the most versatile systems require a larger learning curve.
Joomla, WordPress, and Drupal make up 58.4 percent of the market share of content management systems. Make A Website Hub created an in-depth infographic to show the pros and cons of each.
Websites are no longer optional for the small business owner. Customers and clients expect to be able to find companies on the web. Although in-depth sites can require a large investment from the budget, most small business owners are able to create a more affordable solution with a website that starts small and is able to grow with the company.
On – 07 Apr, 2017 By Katherine Keller
Security researchers at Wordfence first determined that something noteworthy was happening when they witnessed an unusual spike in attacks originating from Algeria against its customers’ WordPress websites.
Looking deeper into what was happening, the researchers discovered that the attacks were being launched from more than 10,000 IP addresses. 97% of the attacking IP addresses found in the country were owned by customers of the state-owned telecommunications provider, Telecom Algeria.
The researchers determined that the attack was more sophisticated than normal, evading detection by only using each IP address for a short period of time:
These IPs switch on, perform a few attacks and then switch off and aren’t heard from again for a month. What we have found is a botnet that is distributed across thousands of IPs. Each IP is only performing a few attacks, those attacks are spread across many websites and the attacks only last a few minutes or hours.
The attacker controlling this botnet is using several evasive techniques. They are spreading their attacks across a very large number of IP addresses. They are using low frequency attacks to avoid being blocked. They are also spreading their attacks across a large number of WordPress sites.
Surveying the IP addresses, the researchers discovered that many were connected to a router manufactured by Zyxel, running Allegro RomPager 4.07, an embedded web server.
And therein lies the problem.
Way back in 2014, Check Point alerted the world to a critical vulnerability in RomPager that it dubbed the "Misfortune Cookie", which could allow an attacker to remotely hijack a router and use it to attack home and business networks.
At the time, Check Point said it had "detected approximately 12 million readily exploitable unique devices connected to the Internet present in 189 countries across the globe, making this one of the most widespread vulnerabilities revealed in recent years."
What’s more – the bug had been there for some time. The bug was first introduced into RomPager’s code back in 2002. Yes, this bug has been around for 15 years.
It would be great to think that by now internet-connected devices had been updated against a critical vulnerability that has been publicly known for three years, and has existed for far longer, but clearly some routers have been left to fend for themselves.
And it is not just a problem for Algerian computer users. Wordfence produced a list of 28 ISPs around the world which it says have been launchpads for attacks that suggest compromised routers.
And, if you do a search on Shodan, you’ll find that over 41 million home routers world-wide have port 7547 open to the public internet.
The folks at Wordfence have produced an online tool that can tell users if their router is vulnerable to attack or not.
Clearly if routers were being patched properly with security fixes then this would help to eradicate this particular attack. But owners of vulnerable routers are either oblivious to the problem, don’t know that they should close port 7547 to outside access, or are simply not able to disinfect and update their systems.
Furthermore, maybe some of the affected ISPs have dropped the ball when it comes to properly defending their customers from such flaws too.
Wordfence’s research team has a message for those ISPs:
Exposing port 7547 to the public Internet gives attackers the opportunity to exploit vulnerabilities in the TR-069 protocol. ISPs should filter out traffic on their network coming from the public internet that is targeting port 7547. The only traffic that should be allowed is traffic from their own Auto Configuration Servers or ACS servers to and from customer equipment.
There are already a large number of compromised routers out there. ISPs should immediately start monitoring traffic patterns on their own networks for malicious activity to identify compromised routers. They should also force-update their customers to firmware that fixes any vulnerabilities and removes malware.
But what about the other side of the attack? How can owners of WordPress sites protect themselves from brute-force attacks that attempt to break into their admin consoles?
It’s not as though there is a small pool of potential victims. WordPress is the software that powers around a quarter of all websites, making it a hot target for online criminals.
For more tips on securing your WordPress website from attack, read this guide.
Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
On – 13 Apr, 2017 By Graham Cluley
We are in the golden age of mobile. Nearly every person in this world uses a mobile device when looking for information online. For this reason, small- and medium-sized businesses (SMBs) have catered to the needs and behaviors of these mobile users worldwide to ensure satisfying, positive experiences. In fact, Google gives a mobile-friendly site a boost in search engine ranking in relation to its recent algorithm update.
But once an SMB has gained a competitive advantage by making its website mobile-friendly, what should be next?
Page speed refers to the time it takes a specific web page to display its content — text, images and more.
Google uses a point-based system that ranges from 0-100 that considers two main components of page speed: time to above-the-fold load and time to full page load.
When optimized, page speed can work wonders for your brand — no matter what your business goals are. Fast loading sites, in general, receive 25% more views in ads, lower bounce rates and better reputations. Best of all, users stay longer.
That’s why your page speed directly affects your sales and conversions. The faster your web page, the more revenue you’ll make.
The first step to optimizing a website’s speed is to analyze its current performance. Then, after confirming a slow loading time, SMBs can get started with speeding up their sites by optimizing images, minifying code and using a caching system.
One excellent solution to guarantee fast website speed is to use a site builder that’s pre-designed with speed in mind. That way, you don’t have to optimize page speed yourself, which can take a lot of time and effort.
To date, there are known website builders that vary in speed performance, including Squarespace, WordPress, Weebly, Wix and Duda.
Google's ideal is a load time of under half a second, but it sets the practical threshold at 2 seconds. Beyond 2 seconds, your site can be considered slow.
Because the most practical route to speed is starting with a platform that has already been tightly optimized, we need to look at the actual Google PageSpeed Insights test results of the leading website builders mentioned above.
WordPress scored 62/100 on mobile and 83/100 on the desktop. The test was based on WordPress’ first theme (Edin) for businesses.
Weebly scored 48/100 on mobile and 58/100 on the desktop. The test was based on Weebly’s LoveSeat theme.
Wix scored 48/100 on mobile and 71/100 on the desktop. The test was based on its Barista theme.
Duda scored 91/100 on mobile and 97/100 on the desktop. The test was based on one of Duda’s websites. Among the four, Duda had the highest score on speed performance.
Small and medium-sized businesses have accepted mobile optimization and have followed its best practices to gain loyal customers. The next critical ranking factor to capitalize on is page speed. While brands can tap into methods to speed up their sites, building their online businesses from the ground up on a platform designed around the latest speed advancements puts them far ahead of the curve.
Customers are making quick judgments about you the moment they arrive at your site. A few seconds of delay creates a strong negative impression.
Page speed is a critical element that online businesses cannot shove aside. Make your customers’ web experiences hassle-free and worthwhile. Don’t give them a reason to choose competitors simply because you failed to optimize for speed. Using a platform built for speed is the most sensible way for you to guarantee higher conversions, a better Google ranking, and top-notch customer satisfaction.
On – 28 Mar, 2017 By Segun Onibalusi