30 Jul

WordPress Security: Tips To Secure A WordPress Website

WordPress is the most popular Content Management System (CMS) on the market and powers almost 34% of all the websites on the Internet. That popularity also makes it the CMS most targeted by hackers looking to profit from a compromised site. If you are serious about your website, you need to pay proper attention to your site and to WordPress security best practices. Keeping your WordPress site secure takes a little effort, but it should be at the top of the agenda for anyone serious about their website.

Hackers use two approaches to hack WordPress websites: they target individual sites as well as large clusters. Nothing in this world is hack-proof, but what we can do is make a break-in as difficult as possible, so that they go elsewhere.

In this tutorial, we will share our best tips to keep your WordPress website secure.

1. Update your WordPress

WordPress is open source software that is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to initiate the update manually. Not updating your themes and plugins can mean trouble. In most cases, WordPress-powered sites are compromised because their core software, files, themes, and plugins are outdated, making them traceable. WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers, who regularly release updates as well. Every WordPress site administrator should regularly check for updates and keep WordPress, including plugin and theme files, up to date.

How to configure automatic updates

You can configure automatic updates as well. To auto-upgrade WordPress core, insert this code into your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

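For plugins, add this filter to a must-use plugin or your theme’s functions.php rather than to wp-config.php, because add_filter() is not yet defined when the settings in wp-config.php are read:

add_filter( 'auto_update_plugin', '__return_true' );

For themes, add this filter in the same place:

add_filter( 'auto_update_theme', '__return_true' );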

2. Install a WordPress Security Plugin

Many users find it easier to rely on a one-stop security solution. If that is the case with you, one of the following WordPress security plugins might be suitable:

iThemes Security – available in both a free and premium version, iThemes provides over 30 different ways to improve the security of your website.

WordFence – another security plugin that offers both a free and a premium version. With just over 11 million downloads, WordFence has a strong user base who depend on this plugin for their security needs.

Sucuri – While Sucuri maintains a free plugin in the WordPress repository, they also provide a more comprehensive service that includes malware and blacklist scanning, DDoS protection, malware cleanup, firewall protection and more. One of the great features of the Sucuri service is that it includes cleanup in the event that your site is compromised.

3. Install SSL Certificate

SSL (Secure Sockets Layer) is a protocol that encrypts the data transferred between your website and the user’s browser. This encryption makes it harder for someone to sniff around and steal information. For instance, our hosting service comes with free SSL on all plans, which customers can enable from cPanel >> Let’s Encrypt SSL.

4. Use a Strong Password

The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique to your website, not just for the WordPress admin account but also for the database user and the WordPress hosting account.

5. Disable File Editing

If a user has admin access to your WordPress dashboard, they can edit any files that are part of your WordPress installation. This includes all plugins and themes. The theme editor can be accessed by going to Appearance >> Editor, and the plugin editor by going to Plugins >> Editor. If you disallow file editing, no one will be able to modify any of the files from the dashboard – even if a hacker obtains admin access to your WordPress dashboard.

To make this work, add the following to the wp-config.php file (at the very end):

define('DISALLOW_FILE_EDIT', true);

6. Change your WP-login URL

By default, the URL we use to log in to the dashboard is either wp-login.php or wp-admin, added after your site’s main URL, for instance YOURSITE.com/wp-login.php. Those two are also the URLs most accessed by hackers who want to get into your database. If you change that URL, you reduce the chances of finding yourself in trouble. Guessing a custom login URL is much harder for hackers.

The iThemes Security plugin does this trick. For instance, your login URL can turn into something like YOURSITE.com/my_site.

7. Securing wp-includes Folder

The wp-includes folder contains only the files that are strictly necessary to run the core version of WordPress, one without any plugins or themes. Remember, the default theme still resides in the wp-content/themes directory. Thus, no visitor (including you) should require access to the content of the wp-includes folder. You can disable access by adding the following code snippet to your default .htaccess file:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

8. Hide wp-config.php and .htaccess files

While this is an advanced process for improving your site’s security, if you’re serious about your security it’s a good practice to hide your site’s .htaccess and wp-config.php files to prevent hackers from accessing them. We strongly recommend that this be done by an experienced developer, because a slight mistake can take down your site. You should start by taking a backup of the files as well. To hide the files, there are two things you need to do:

Go to your .htaccess file and add the following code:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

<Files .htaccess>
order allow,deny
deny from all
</Files>

Another security measure that you can take is to restrict the wp-config.php file permissions. Set the file permissions to 600 so that only the file’s owner can read or edit the wp-config.php file. To change the file permissions of wp-config.php, select the file from cPanel >> File Manager and then choose the option ‘Permission’.

9. Disable PHP File Execution in Certain WordPress Directories

Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed such as /wp-content/uploads/.

You can do this by opening a text editor like Notepad and pasting this code:

<Files *.php>
deny from all
</Files>

Next, you need to save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using File Manager or an FTP client.

10. Change Security Keys

It is recommended that you change the WordPress security keys periodically, so that if someone or something has obtained login credentials, resetting the security keys will log them out immediately. You can generate a new set of security keys and place them in the ‘wp-config.php’ file, and here is the URL where you can generate a new set of keys. It will help secure your WordPress site. It generates new keys every time someone browses the URL.
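The file-level settings from tips 1, 5, 8, 9 and 10 can be checked mechanically. The script below is an added example, not part of the original article: wp_audit, has_true_define and make_sample_site are hypothetical helper names, the sample docroots are constructed, and it also accepts the Apache 2.4 directive "Require all denied" as an equivalent of the "deny from all" shown above.

```shell
#!/bin/sh
# Added example, not from the original article: audit a WordPress docroot for
# the settings from tips 1, 5, 8, 9 and 10. Sample sites below are constructed.

KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# True if file $1 has an uncommented define('<$2>', true);
has_true_define() {
    pat="^[[:space:]]*define\\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*[Tt][Rr][Uu][Ee][[:space:]]*\\)"
    grep -Eq "$pat" "$1"
}

# Print one "FAIL: ..." line per missing measure; print nothing when all pass.
wp_audit() {
    cfg="$1/wp-config.php"
    ht="$1/wp-content/uploads/.htaccess"
    if [ ! -f "$cfg" ]; then
        echo "FAIL: wp-config.php not found in $1"
        return 0
    fi
    # Tip 8: mode 600 (GNU stat first, BSD stat as fallback).
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    [ "$mode" = "600" ] || echo "FAIL: wp-config.php mode is $mode, expected 600"
    # Tips 1 and 5: both constants defined as true, as the article configures them.
    for name in WP_AUTO_UPDATE_CORE DISALLOW_FILE_EDIT; do
        has_true_define "$cfg" "$name" || echo "FAIL: $name is not defined as true"
    done
    # Tip 10: all eight keys and salts present, none left at the sample value.
    for key in $KEYS; do
        grep -Eq "^[[:space:]]*define\\([[:space:]]*['\"]$key['\"]" "$cfg" ||
            echo "FAIL: $key is not defined"
    done
    if grep -q 'put your unique phrase here' "$cfg"; then
        echo "FAIL: security keys still use the sample placeholder"
    fi
    # Tip 9: uploads/.htaccess must deny access (Apache 2.2 or 2.4 directive).
    if [ ! -f "$ht" ] ||
       ! grep -Eiq '^[[:space:]]*(deny from all|require all denied)' "$ht"; then
        echo "FAIL: wp-content/uploads/.htaccess does not block PHP files"
    fi
    return 0
}

# Build a constructed sample docroot in $1; $2 = "hardened" applies the tips.
make_sample_site() {
    mkdir -p "$1/wp-content/uploads"
    {
        echo "<?php"
        for key in $KEYS; do
            val="put your unique phrase here"
            if [ "$2" = hardened ]; then val="constructed-$key-value"; fi
            echo "define( '$key', '$val' );"
        done
        if [ "$2" = hardened ]; then
            echo "define( 'WP_AUTO_UPDATE_CORE', true );"
            echo "define('DISALLOW_FILE_EDIT', true);"
        fi
    } > "$1/wp-config.php"
    chmod 644 "$1/wp-config.php"
    if [ "$2" = hardened ]; then
        chmod 600 "$1/wp-config.php"
        printf '<Files *.php>\ndeny from all\n</Files>\n' > "$1/wp-content/uploads/.htaccess"
    fi
}

demo=$(mktemp -d)
make_sample_site "$demo/weak" weak
make_sample_site "$demo/hard" hardened
echo "weak site:";     wp_audit "$demo/weak"
echo "hardened site:"; wp_audit "$demo/hard"
rm -rf "$demo"
```

Run wp_audit against the directory that contains wp-config.php; an empty result means every checked setting is in place.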

11. Choose a Good Hosting Company

You should choose a good hosting provider that has an up-to-date security system deployed on its servers. You might look for CloudLinux, LiteSpeed, Imunify360 Scanner, etc. A company with good support and a daily backup system will help you run your WordPress site properly.

12. Don’t Use Nulled Themes

We have seen people using nulled themes for their websites, which is one of the main reasons for the security breach of a site. You should get the premium theme by paying the actual seller. Nulled themes contain hidden malicious code, which could destroy your website and database or log your admin credentials very easily.

13. Monitor your site – to find any unusual activity.

14. Back up your site regularly – in case of emergency.

15. Use Latest PHP Version – PHP is used for backend coding, and using the latest version of PHP will enhance your site’s security.

16. Use Clever Usernames and Passwords – do not go with the common ones; think of harder ones and use them.

17. Captcha Protection – protect your site with Google CAPTCHA.

That’s all, we hope this article helped you learn the top WordPress security best practices as well as discover the best WordPress security plugins for your website.

17 Jun

How To Fix: cPanel User, Over Quota Causing Internal Server Error 500

Sometimes a cPanel user account can go over quota, which might cause webmail to stop working. The cPanel user can free up disk space by deleting unwanted data or by upgrading the hosting package so that the account has more free space.

Sometimes, even after performing these two actions, the user might still not be able to access webmail and sees the following error message:

“User is Over Quota” or “Internal Server Error 500”

On such occasions the server admin needs to manually remove the cPanel overquota file.

Let’s say that the user “domain1” is having the issue described above:

root@server [~]# cd /var/cpanel/overquota/
root@server [/var/cpanel/overquota]# ls
./ ../ domain1 domain2 domain3 domain4
root@server [/var/cpanel/overquota]# rm domain1

After you have deleted the file located at /var/cpanel/overquota/domain1, webmail should start to work again.

23 Feb

WordPress Update Released v5.1, Update Your WordPress NOW!


WordPress released an update on Thursday, 21 February, 2019. We urge all our clients to update their WordPress sites to the latest released version.

In order to update, please log in to your WordPress Admin Panel >> Dashboard >> Updates, where you should find an option to update WordPress to the latest version, or you can use the “Re-install Now” button to have the latest version installed for your account. Sites that support automatic background updates are already beginning to update automatically.

More information on the latest update is available on the following URLs:

Version 5.1

WordPress 5.1 Release Candidate

If you face any trouble updating your WordPress to the latest version, feel free to contact us. If you want us to update your WordPress, please create a support ticket with your WordPress Admin login details and we will update it for you.

Thank you for choosing TetraHost

Support Desk, TetraHost
M: +880 191 3377417 | E: support@tetrahostbd.com
https://www.tetrahostbd.com

13 Dec

WordPress Update Released v5.0, Update Your WordPress NOW!

WordPress released an update on 6th December, 2018. We urge all our clients to update their WordPress sites to the latest released version.

In order to update, please log in to your WordPress Admin Panel >> Dashboard >> Updates, where you should find an option to update WordPress to the latest version, or you can use the “Re-install Now” button to have the latest version installed for your account. Sites that support automatic background updates are already beginning to update automatically.

More information on the latest update is available on the following URLs:

Version 5.0

WordPress 5.0.1 Security Release

If you face any trouble updating your WordPress to the latest version, feel free to contact us. If you want us to update your WordPress, please create a support ticket with your WordPress Admin login details and we will update it for you.


15 Oct

18 Inexpensive Ways to Promote Your Website

These days, anyone can build a website. Fun fact: there are more than 1 billion websites around the world, with new ones created every second.

Among all that internet noise, your website and ideas deserve to stand out, or else your site will be left behind. And that means you’ve got to advertise or promote! Fight to get your name and your brand out there and then draw visitors to your site.

Effectively promoting your website will bring traffic to your site and boost your sales! Here are eighteen (18) website promotion tips you need to follow to get your website to the top of the search engines.

1. Focus on Website SEO Keywords
First of all, use and trust SEO services. Search Engine Optimization techniques can increase your website traffic and visibility in search engines.

2. Mobile Friendly Website
Most people use mobile phones for browsing, so create a mobile-friendly website.

3. Search Engine Listing
When you create your website or add new content, within a week or so, it will be found and indexed by major search engines and show up in search results. If you are anxious to be indexed sooner (or want to check and double check that your site is found), you can manually submit URLs for free to Google, Bing, and Yahoo (Yahoo uses the same Search Engine as Bing. Great news, submission to Bing means submission to Yahoo).

4. Email Signature Branding
Create a signature for your email account, text messages, and forums that include your website URL. This is a great way to get people to recognize your brand, and it will get people to click on the URL.

5. Reciprocal Linking
The more sites that link to yours, the more important search engines will assume you to be, and the higher your website will rank in search results. Including a link to another site in exchange for them including a link to yours can build traffic and boost search engine juice, particularly when done with reputable sites relevant to your business and content.

6. Focus on Quality Content
Creating quality content is vital to your website, and to your overall ranking. Write the kind of content that other people want to read and promote on their own blogs/websites and on social media.

7. Use Google Local Business
List your business for free with Google My Business, so when potential customers search local businesses or look on Google Maps, your business will show up, complete with hours, location, reviews, etc. Make sure your listing includes a link to your website. Bonus: registering with Google’s business directory can improve your search-result visibility.

8. Bing Places
Google may be the big kid on the block, but, believe it or not, other search engines and directories exist, and people — maybe your potential customers — use them too. Don’t forget to list your business with Bing Places, another freebie promotion tool.

9. Google Adwords
These days we use Google Search to find the products we want. Promote your website’s products using Google AdWords: you can set a budget and either pay for clicks or pay when people see your ad.

10. Facebook Promotion
Facebook Ads are a great bet. You can create a targeted ad that reaches users based on location, age, gender, interests, and even options like friends of current followers or people who like specific pages.

11. LinkedIn
Depending on your website’s purpose and brand, LinkedIn might be the perfect social tool to drive traffic. Leverage it by completing an interesting profile and creating connections. Follow influential people in your field and read what they share.

12. Email Marketing
Email Marketing is the best way to promote your business.

13. Blogging
Blogging is another way to attract people to your website. Write attractive content for blogs.

14. Create Shareable Media
Memes, videos, and more are all fair game for Twitter/Instagram/Pinterest and other social media sharing. Brand your content and include a link to your website, and encourage your followers to share with their friends.

15. Quora
Quora is a searchable online place for people with questions and people with answers to mingle. Follow, ask, and answer questions in your area of interest, and include the address of your blog in your profile and answer credentials.

16. Press Releases
Press releases about your business will help get your name out there and establish you as an expert in your field. Free press release sites: PRLog and 24-7 Press Release.

17. YouTube
Creating videos and uploading them to YouTube can spread your content (and links to your website) around YouTube itself — and from there, Google will index and make searchable your content.

18. Join a relevant online community and contribute
Stay active every day on the top social media sites; your active participation in forums and groups can also increase the visibility and reach of your website.

08 Aug

HOW TO: Change PHP Version, Module and PHP Variables

All of our cPanel Servers are running on CloudLinux OS with cPanel/WHM.

PHP Selector is a CloudLinux feature that allows each cPanel user to select the PHP version, modules and PHP variables based on their needs.

You can easily switch between several different PHP versions such as 5.6, 7.1 and 7.2, as well as enable or disable many PHP modules, such as apc, mysqli, gd, pdo, soap, etc., entirely based on your needs. It also allows users to change PHP variables/settings such as max_execution_time, upload_max_filesize, memory_limit, etc.

You can find PHP Selector by logging in to cPanel >> Select PHP Version. The default PHP version of any cPanel account is set to the NATIVE version, which doesn’t allow any modification. However, users can select another version from the pull-down menu and make modifications. Once another version is selected, please click the SAVE button and that specific cPanel account will run on the selected version.

Users can enable or disable modules by checking and unchecking them. Once done, please SAVE again.

Users might want to change PHP variables as well. For example, if a user wants to increase the memory limit or max upload size, they can increase the value from the SWITCH TO PHP OPTIONS menu in the top right corner. Once the new values have been set, please SAVE the settings.

We have prepared a video tutorial which will help our users understand the PHP Selector feature better and use it with their hosting account.

Please check video below:

If you are having any issue with PHP Selector feature or want us to setup them for your site, please submit a ticket to support [at] tetrahostbd.com

04 Jul

SSL, Google’s ‘Not Secure’ warning and your website

Starting from July 2018, the Chrome browser will mark a website without an SSL certificate or HTTPS as “NOT SECURE”. This means that when potential customers visit a website without HTTPS in the address bar, they will see that the website is not secure. So what can you do? You can simply install an SSL certificate and have your site secured.

We at TetraHost offer a free SSL certificate with our hosting service. To install SSL for your website, simply log in to your cPanel >> Security >> Let’s Encrypt SSL, where you will find the option to install an SSL certificate.

For assistance, please check following article:

Announcement: Free Let’s Encrypt SSL With Hosting

More about the Google Announcement:
https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

If you are having any issue with SSL install or want us to install the certificates for you, please submit a ticket to support [at] tetrahostbd.com

20 Mar

Important: Password Security Policies

The password is the single most common security measure for digital systems, both online and off-line. The problem is that it is becoming increasingly less secure as hackers gain more and more powerful tools to simply crack them. A great deal of attention has gone towards the creation of secure passwords, what constitutes them, and whether or not it is feasible to retain a bunch of random alphanumerical strings inside your head all the time.

How are passwords cracked?

Most accounts whose passwords are compromised are not attacked by another human being directly. Instead, a computer will be tasked with guessing your password, so planning should go into understanding and then deterring a computer from cracking your password. A hacker has a variety of malicious tactics available when trying to crack your password. These are the two most common attacks you see on the Internet today:

  • Brute Force Attack: The attacker runs a script that tries again and again to randomly crack your password by sheer brute force. A long password with multiple character sets is the best protection. The higher your password entropy the less likely your password will be compromised by a brute force attack.
  • Dictionary Attack: The attacker utilizes dictionaries of known words or passwords and a script to try them in thousands of combinations until one matches up with the correct password. Don’t use common words, or keystrokes such as anyone’s name or phone number. Use a combination of multiple character sets to reduce the likelihood of multiple entries pulled from a dictionary matching up successfully.

Recently, we have been working on adding more security to our cPanel servers and have applied a few new security policies.

Password Strength – A password of any kind must be rated at least 80% strong. The system will not accept your password until it meets the security policy. To set up a strong password, you can use lowercase and uppercase letters, signs/symbols and numbers.

Password Age – Passwords must be changed every 90 days. Our system will automatically ask users to change their password every 90 days.

These two measures should allow you to secure your cPanel and related services. In the meantime, if you have any questions about account security, please contact us at TetraHost Support.

08 Jul

Compose an HTML Message in Web Based Mail

cPanel Webmail provides instant access to your email without the use of a local email client. You will need to login to cPanel and use the tool “Email Accounts” to view the username for your specific email account. The password needed to login should be already noted. If not, the password will need to be reset.

Visit the following URLs to access cPanel Webmail directly:

http://www.domain.com/webmail
http://www.domain.com:2095
http://webmail.domain.com

We provide three different web-based mail clients which you can use to access mail. The three mail clients are:

Squirrelmail
Horde
Roundcube

The mail client will allow you to incorporate typical word processor functionality such as bold, italic, bullet points, images, font color, etc. By default, the HTML compose option isn’t enabled; to enable it, follow the steps below for your preferred web-based mail client:

Inside Roundcube:
1) Click the plus icon to create a new message
2) Select HTML from the “Editor Type” dropdown (available below the Subject line)

Inside Horde:
1) Click “New Message”
2) Enable “HTML composition” by ticking the option from right side.

Unfortunately, cPanel does not have HTML composing enabled for Squirrelmail, so it is not available there. We request our clients to use Roundcube or Horde to be able to use HTML compose.

21 Jul

Using a Custom PHP.ini File and Make PHP Changes

The php.ini file is the default configuration file for running applications that require PHP. It is used to control variables such as upload file size, timeouts, and resource limits. We use the suPHP (pronounced sue-p-h-p) environment on all our servers, which allows our users to have their own custom php.ini file and change certain PHP settings as per their CMS requirements.

Below are some of the most common lines that are altered when making custom PHP changes:

  • memory_limit
  • upload_max_filesize
  • post_max_size
  • max_execution_time
  • max_input_time
  • register_globals
  • magic_quotes_gpc
  • date.timezone

To begin creating your very own custom php.ini file:

php.ini Setup Process:
1. Create a file called php.ini from your local machine with the PHP values you want to modify.
2. Upload the newly created php.ini file to your cPanel account under the public_html folder.

Note: Make sure the file is named exactly php.ini.

suPHP Path Setup Using .htaccess:
Create a .htaccess file containing the following line, then upload the file to your cPanel account under the public_html folder:

suPHP_ConfigPath /home/username/public_html

Note 1: Make sure to replace username in the path with the actual cPanel account username.

Note 2: If you already have a .htaccess file, you can just modify it using File Manager and set the path there. Note that .htaccess is a hidden file, so please make sure you have enabled the option that says “Show Hidden Files(dotfiles)” while accessing File Manager.

Once you have completed the above steps your php.ini file will be active. Any entries you placed in the file will be used in place of the entries from the server’s main php.ini file.

Some examples of what may be changed by using a custom php.ini file are:

upload_max_filesize = 10M
post_max_size = 10M
max_execution_time = 30

Should you require any further assistance with creating a custom php.ini file then check in with one of our fantastic support people at http://tetrahostbd.com/contact.