30 Jul

WordPress Security: Tips To Secure A WordPress Website

WordPress, the most popular Content Management System (CMS) on the market, powers almost 34% of all websites on the Internet. That popularity also makes it the CMS most targeted by hackers looking to profit from a compromised site. If you are serious about your website, you need to pay proper attention to WordPress security best practices. Keeping your WordPress site secure takes a little effort, but it should be at the top of the agenda for anyone serious about their website.

Hackers use two approaches to attack WordPress websites: they target individual sites, and they target large clusters of sites at once. Nothing in this world is hack-proof, but what we can do is make a site as difficult a target as possible so that attackers go elsewhere.

In this tutorial, we share our best tips for keeping your WordPress website secure.

1. Update your WordPress

WordPress is open source software that is regularly maintained and updated. By default, WordPress installs minor updates automatically; major releases must be started manually. Not updating your themes and plugins can mean trouble: in most cases, WordPress-powered sites are compromised because their core software, themes and plugins are outdated, which makes their known vulnerabilities easy to identify. WordPress also has thousands of plugins and themes that you can install, maintained by third-party developers who release updates regularly. Every WordPress site administrator should check for updates regularly and keep WordPress, plugins and themes up to date.

How to configure automatic updates

You can also configure automatic updates. To auto-update WordPress core, insert this line into your wp-config.php file (above the line that loads wp-settings.php):

define( 'WP_AUTO_UPDATE_CORE', true );

For plugins, use the following filter. Unlike the constant above, an add_filter() call belongs in a must-use plugin or your theme's functions.php rather than in wp-config.php, because the function is not yet defined when wp-config.php is read:

add_filter( 'auto_update_plugin', '__return_true' );

For themes, use the same kind of filter:

add_filter( 'auto_update_theme', '__return_true' );

2. Install a WordPress Security Plugin

Many users find it easier to rely on a one-stop security solution. If that is the case with you, one of the following WordPress security plugins might be suitable:

iThemes Security – available in both a free and a premium version, iThemes provides over 30 different ways to improve the security of your website.

WordFence – another security plugin that offers both a free and a premium version. With just over 11 million downloads, WordFence has a strong user base that depends on it for their security needs.

Sucuri – while Sucuri maintains a free plugin in the WordPress repository, they also provide a more comprehensive service that includes malware and blacklist scanning, DDoS protection, malware cleanup, firewall protection and more. One of the great features of the Sucuri service is that it includes cleanup in the event that your site is compromised.

3. Install SSL Certificate

SSL (Secure Sockets Layer, now superseded by TLS) is a protocol that encrypts data in transit between your website and the user's browser. This encryption makes it much harder for someone on the network to eavesdrop and steal information. For instance, our hosting service comes with a free SSL certificate on all plans, which customers can install from cPanel >> Let’s Encrypt SSL.

4. Use a Strong Password

The most common WordPress hacking attempts use stolen or guessed passwords. You can make that difficult by using strong passwords that are unique to your website, not just for the WordPress admin account but also for the database user and your WordPress hosting account.

5. Disable File Editing

If a user has admin access to your WordPress dashboard, they can edit any files that are part of your WordPress installation, including all plugins and themes, through the built-in editor at Appearance >> Editor; the plugin editor is under Plugins >> Editor. If you disallow file editing, no one will be able to modify any of those files from the dashboard, even if a hacker obtains admin access to it.

To make this work, add the following to the wp-config.php file, before the line that loads wp-settings.php:

define('DISALLOW_FILE_EDIT', true);

6. Change your WP-login URL

By default, the URL we use to log into our dashboard is either wp-login.php or wp-admin, appended to your site’s main URL, for instance YOURSITE.com/wp-login.php. Those two are also the URLs most hammered by automated attacks against WordPress logins. Changing the URL reduces the noise from such attacks, since guessing a custom login URL is much harder than hitting the default one.

The iThemes Security plugin can do this for you. For instance, your login URL could become something like YOURSITE.com/my_site.

7. Securing wp-includes Folder

The wp-includes folder contains only the files that are strictly necessary to run the core of WordPress, without any plugins or themes. Remember, the default theme resides in the wp-content/themes directory. Thus no visitor (including you) should need direct web access to the contents of the wp-includes folder. You can block that access by adding the following snippet to the .htaccess file in your site root:

# Block direct web access to the include-only files.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # Nothing under wp-admin/includes/ is meant to be requested directly.
    RewriteRule ^wp-admin/includes/ - [F,L]
    # Requests outside wp-includes/ skip the next three rules.
    RewriteRule !^wp-includes/ - [S=3]
    # Forbid direct requests to PHP files directly under wp-includes/ ...
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    # ... to the TinyMCE language files ...
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    # ... and to the theme-compat directory.
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

8. Hide wp-config.php and .htaccess files

While this is an advanced step, if you are serious about security it is good practice to hide your site’s .htaccess and wp-config.php files from web visitors so that nobody can fetch them. We strongly recommend that this be done by an experienced developer, because a slight mistake can take down your site. Start by taking a backup of the files. To hide them, there are two things you need to do:

Open your .htaccess file and add the following:

# Deny every web request for wp-config.php (Apache 2.2 access syntax;
# on Apache 2.4 without mod_access_compat use "Require all denied" instead).
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>

# Do the same for the .htaccess file itself.
<Files .htaccess>
    order allow,deny
    deny from all
</Files>

Another measure you can take is to restrict the wp-config.php file permissions. Set the file mode to 600 so that only the file owner can read and write it; this assumes PHP runs as your account user (as with suPHP or CGI-style handlers), since a web server running as a different user would then be unable to read the file. To change the permissions, select the file in cPanel >> File Manager and choose the ‘Permissions’ option.
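The following script, added here as an example and not part of the original article, audits a wp-config.php for the settings from sections 1, 5 and 8 above: it parses the define() lines, checks that WP_AUTO_UPDATE_CORE and DISALLOW_FILE_EDIT are set to true, and checks that the file mode is 0600. The sample config text is constructed for the demonstration; the function names are this example's own.

```python
import os
import re
import stat
import tempfile

# Matches define( 'NAME', value ); with either quote style and optional whitespace.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;"""
)


def parse_defines(config_text):
    """Return {constant name: raw PHP value} for every define() in the file text."""
    return {m.group("name"): m.group("value").strip() for m in DEFINE_RE.finditer(config_text)}


def audit_config(config_text, file_mode=None):
    """Check the two constants from the article and, when a mode is given, the 0600 permission."""
    defines = parse_defines(config_text)
    results = {
        # Section 1: core auto-updates enabled.
        "core_auto_update": defines.get("WP_AUTO_UPDATE_CORE", "").lower() == "true",
        # Section 5: the dashboard theme/plugin editor disabled.
        "file_edit_disabled": defines.get("DISALLOW_FILE_EDIT", "").lower() == "true",
    }
    if file_mode is not None:
        # Section 8: owner read/write only (POSIX permission bits).
        results["mode_is_0600"] = stat.S_IMODE(file_mode) == 0o600
    return results


def audit_file(path):
    """Audit a real wp-config.php on disk, including its permission bits."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_config(text, os.stat(path).st_mode)


# Constructed sample: a wp-config.php fragment as it looks before hardening.
SAMPLE_BEFORE = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'placeholder-password' );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

# The same file with the article's two constants added above the wp-settings.php line.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "/* That's all",
    "define( 'WP_AUTO_UPDATE_CORE', true );\ndefine('DISALLOW_FILE_EDIT', true);\n/* That's all",
)


def demo():
    """Write the hardened sample to a temporary file with mode 0600 and audit it from disk."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wp-config.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AFTER)
        os.chmod(path, 0o600)
        return audit_file(path)


if __name__ == "__main__":
    print("before hardening:", audit_config(SAMPLE_BEFORE))
    print("after hardening: ", demo())
```

Run it against a real install with audit_file("/path/to/wp-config.php"); any False in the result is a setting from the sections above that still needs attention.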

9. Disable PHP File Execution in Certain WordPress Directories

Another way to harden your WordPress installation is to disable PHP execution in directories where it is not needed, such as /wp-content/uploads/, so that a file smuggled in as an "upload" cannot be run as code.

You can do this by opening a text editor such as Notepad and pasting in this code:

# Refuse to serve any PHP file from this directory; uploads should hold media only.
# Extend the pattern if your host also executes other extensions (e.g. .phtml).
<Files *.php>
    deny from all
</Files>

Next, save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using File Manager or an FTP client.

10. Change Security Keys

It is recommended that you change the WordPress security keys periodically: if someone obtains login credentials or a session cookie, regenerating the keys invalidates every existing session and logs them out immediately. You can generate a new set of security keys and place them in the wp-config.php file; here is the URL where you can generate a new set. It generates fresh keys every time the URL is loaded.
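As an added example (not the post's own code), the script below rotates the eight key and salt constants that WordPress defines in wp-config-sample.php. Instead of fetching values from the generator the post links to, it produces them locally with Python's secrets module and rewrites the define() lines in place; constants that are missing are inserted before the line that loads wp-settings.php. The sample config text is constructed, and the function names are this example's own.

```python
import re
import secrets
import string

# The eight constants WordPress uses for cookie and nonce signing.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
KEY_LENGTH = 64
# Printable ASCII minus the two characters that would break a single-quoted PHP string.
KEY_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation if c not in "'\\"
)


def generate_key(length=KEY_LENGTH):
    """One cryptographically random key drawn from KEY_ALPHABET."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def new_key_block():
    """Fresh values for all eight constants."""
    return {name: generate_key() for name in KEY_NAMES}


def current_keys(config_text):
    """Read the values currently defined in the config text."""
    found = {}
    for name in KEY_NAMES:
        m = re.search(r"define\(\s*'%s',\s*'([^']*)'\s*\);" % name, config_text)
        if m:
            found[name] = m.group(1)
    return found


def rotate_keys(config_text, keys=None):
    """Return (new config text, keys used). Existing defines are replaced, missing ones inserted."""
    keys = keys or new_key_block()
    out = config_text
    missing = []
    for name, value in keys.items():
        pattern = re.compile(r"define\(\s*'%s',\s*'[^']*'\s*\);" % name)
        line = "define('%s', '%s');" % (name, value)
        if pattern.search(out):
            # A function replacement avoids backslash/group interpretation of the new value.
            out = pattern.sub(lambda _m, line=line: line, out, count=1)
        else:
            missing.append(line)
    if missing:
        # Constants must exist before wp-settings.php loads, so insert above that line.
        marker = "require_once ABSPATH . 'wp-settings.php';"
        block = "\n".join(missing) + "\n"
        out = out.replace(marker, block + marker, 1) if marker in out else out + "\n" + block
    return out, keys


# Constructed sample with the placeholder values from a fresh wp-config-sample.php.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    rotated, _ = rotate_keys(SAMPLE_CONFIG)
    print(rotated)
```

To apply this to a live site, read wp-config.php, pass its text to rotate_keys(), and write the result back over a backup; every logged-in user, including any intruder holding a stolen cookie, is signed out on their next request.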

11. Choose a Good Hosting Company

You should choose a hosting provider that keeps an up-to-date security stack deployed on its servers; look for CloudLinux, LiteSpeed, the Imunify360 scanner and the like. A provider with good support and a daily backup system will help you run your WordPress site properly.

12. Don’t Use Nulled Themes

We have seen people using nulled (pirated) themes on their websites, which is one of the main causes of site breaches. Buy premium themes from the actual seller. Nulled themes often contain hidden malicious code that can destroy your website and database or quietly log your admin credentials.

13. Monitor your site – so that you notice any unusual activity early.

14. Back up your site regularly – so that you can recover in an emergency.

15. Use the Latest PHP Version – PHP runs the WordPress backend, and a currently supported PHP version still receives security fixes for the interpreter itself.

16. Use Clever Usernames and Passwords – do not go with the common ones; think harder and choose values that are not easily guessed.

17. Captcha Protection – protect your login and forms with Google reCAPTCHA.

That’s all, we hope this article helped you learn the top WordPress security best practices as well as discover the best WordPress security plugins for your website.

23 Feb

WordPress Update Released v5.1, Update Your WordPress NOW!


WordPress released an update on Thursday, 21 February 2019. We urge all our clients to update their WordPress sites to the latest released version.

To update, log in to your WordPress Admin Panel >> Dashboard >> Updates, where you will find an option to update WordPress to the latest version, or use the “Re-install Now” button to have the latest version installed for your account. Sites that support automatic background updates are already beginning to update automatically.

More information on the latest update is available on the following URLs:

Version 5.1

WordPress 5.1 Release Candidate

If you face any trouble updating your WordPress to the latest version, feel free to contact us. If you want us to update your WordPress for you, please create a support ticket with your WordPress admin login details and we will update it for you.

Thank you for choosing TetraHost

Support Desk, TetraHost
M: +880 191 3377417 | E: support@tetrahostbd.com
https://www.tetrahostbd.com

13 Dec

WordPress Update Released v5.0, Update Your WordPress NOW!

WordPress released an update on 6 December 2018. We urge all our clients to update their WordPress sites to the latest released version.

To update, log in to your WordPress Admin Panel >> Dashboard >> Updates, where you will find an option to update WordPress to the latest version, or use the “Re-install Now” button to have the latest version installed for your account. Sites that support automatic background updates are already beginning to update automatically.

More information on the latest update is available on the following URLs:

Version 5.0

WordPress 5.0.1 Security Release

If you face any trouble updating your WordPress to the latest version, feel free to contact us. If you want us to update your WordPress for you, please create a support ticket with your WordPress admin login details and we will update it for you.

Thank you for choosing TetraHost

Support Desk, TetraHost
M: +880 191 3377417 | E: support@tetrahostbd.com
https://www.tetrahostbd.com

04 Aug

WordPress Update Released v4.9.8, Update Your WordPress!

WordPress released an update on 2 August 2018. We urge all our WordPress clients to update their WordPress to the latest released version.

To update, log in to your WordPress Admin Panel >> Dashboard >> Updates, where you will find an option to update WordPress to the latest version, or use the “Re-install Now” button to have the latest version installed for your account. Sites that support automatic background updates are already beginning to update automatically.

More information on the latest update is available on the following URLs:
https://codex.wordpress.org/Version_4.9.8
https://wordpress.org/news/2018/08/wordpress-4-9-8-maintenance-release/

If you face any trouble updating your WordPress to the latest version, feel free to contact us. If you want us to update your WordPress for you, please create a support ticket with your WordPress admin login details and we will update it for you.

Thank you for choosing TetraHost

Support Desk, TetraHost
M: +880 191 3377417 | E: support@tetrahostbd.com
https://www.tetrahostbd.com

07 Jul

WordPress Update Released v4.9.7, Update Your WordPress!

WordPress released an update on 5 July 2018. We urge all our WordPress clients to update their WordPress to the latest released version.

To update, log in to your WordPress Admin Panel >> Dashboard >> Updates, where you will find an option to update WordPress to the latest version, or use the “Re-install Now” button to have the latest version installed for your account. Sites that support automatic background updates are already beginning to update automatically.

More information on the latest update is available on the following URLs:
https://codex.wordpress.org/Version_4.9.7
https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/

If you face any trouble updating your WordPress to the latest version, feel free to contact us. If you want us to update your WordPress for you, please create a support ticket with your WordPress admin login details and we will update it for you.

Thank you for choosing TetraHost

Support Desk, TetraHost
M: +880 191 3377417 | E: support@tetrahostbd.com
https://www.tetrahostbd.com

04 Jul

SSL, Google’s ‘Not Secure’ warning and your website

Starting in July 2018, the Chrome browser will mark any website without an SSL certificate, i.e. one served over plain HTTP instead of HTTPS, as “Not Secure”. This means that when potential customers visit a website without HTTPS in the address bar, they will see that the site is not secure. So what can you do? Simply install an SSL certificate and have your site served over HTTPS.

We at TetraHost offer a free SSL certificate with our hosting service. To install SSL for your website, log in to your cPanel >> Security >> Let’s Encrypt SSL, where you will find the option to install a certificate.

For assistance, please check following article:

Announcement: Free Let’s Encrypt SSL With Hosting

More about the Google Announcement:
https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

If you are having any issue with SSL install or want us to install the certificates for you, please submit a ticket to support [at] tetrahostbd.com

20 Mar

Important: Password Security Policies

The password is the single most common security measure for digital systems, both online and offline. The problem is that it is becoming less and less secure as attackers gain ever more powerful tools to simply crack passwords. A great deal of attention has gone toward the creation of secure passwords: what constitutes one, and whether it is feasible to keep a bunch of random alphanumeric strings in your head all the time.

How are passwords cracked?

Most accounts whose passwords are compromised are not attacked by another human being directly. Instead a computer is tasked with guessing your password, so your planning should go into understanding, and then deterring, a computer that is trying to crack it. An attacker has a variety of tactics available when trying to crack your password. These are the two most common attacks seen on the Internet today:

  • Brute Force Attack: The attacker runs a script that tries candidate passwords again and again until one works. A long password drawn from multiple character sets is the best protection: the higher your password’s entropy, the less likely it is to be found by brute force.
  • Dictionary Attack: The attacker uses dictionaries of known words or leaked passwords and a script that tries them, and combinations of them, thousands at a time until one matches. Don’t use common words or obvious strings such as anyone’s name or phone number. Combine multiple character sets to reduce the likelihood that a dictionary entry, or a combination of entries, matches your password.
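To make the two attacks above concrete, here is an added example (not part of the post) that scores a password against each of them: a brute-force estimate from length and character-set mix, and a dictionary check that first strips the cheap tricks a mangling rule set would undo (case, trailing digits and symbols, leet-speak substitutions). The tiny COMMON_PASSWORDS list, the guess rate and the policy thresholds in assess() are constructed for the demonstration; real attack dictionaries hold millions of entries.

```python
import math
import string

CHARSETS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed stand-in for the leaked-password lists a dictionary attack draws on.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin123"}

# A few of the substitutions that password-mangling rule sets try.
SUBSTITUTIONS = str.maketrans("0134@$", "oleaas")


def character_classes(password):
    """Names of the character sets the password actually draws from."""
    return {name for name, chars in CHARSETS.items() if any(c in chars for c in password)}


def brute_force_entropy_bits(password):
    """Keyspace an exhaustive search must cover, as bits: length * log2(pool size)."""
    pool = sum(len(CHARSETS[name]) for name in character_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


def normalize(password):
    """Undo case, trailing digits/symbols and leet-speak before the dictionary lookup."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core.translate(SUBSTITUTIONS)


def dictionary_hit(password):
    """True if the password, raw or normalized, is in the common-password list."""
    return password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS


def seconds_to_crack(bits, guesses_per_second=1e10):
    """Expected brute-force time (half the keyspace) at an assumed guess rate."""
    return (2 ** bits) / 2 / guesses_per_second


def assess(password, min_length=8, min_classes=3):
    """Combine both checks into one verdict; the policy thresholds are this example's own."""
    classes = character_classes(password)
    bits = brute_force_entropy_bits(password)
    hit = dictionary_hit(password)
    return {
        "classes": sorted(classes),
        "entropy_bits": round(bits, 1),
        "brute_force_seconds": seconds_to_crack(bits),
        "dictionary_hit": hit,
        "meets_policy": len(password) >= min_length and len(classes) >= min_classes and not hit,
    }


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd1!", "correct-horse-battery-9"):
        print(candidate, assess(candidate))
```

The instructive case is "P@ssw0rd1!": it uses all four character sets and looks strong by the brute-force measure, yet it normalizes to "password" and falls to a dictionary attack at once, which is exactly why the post warns against dressing up common words.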

Recently, we have been working on strengthening the security of our cPanel servers and have applied a few new security policies.

Password Strength – A password of any kind must be rated at least 80% strong. The system will not accept your password until it meets this policy. To set a strong password, use lowercase and uppercase letters, symbols and numbers.

Password Age – Passwords must be changed every 90 days. Our system will automatically ask users to change their password every 90 days.

These two measures should help secure your cPanel account and related services. If you have any questions about account security, please contact TetraHost Support.

07 Mar

Announcement: Free Let’s Encrypt SSL With Hosting

We’re delighted to announce that Let’s Encrypt certificates are now available at TetraHost.

Let’s Encrypt is a free, automated and open certificate authority (CA) that offers free SSL certificates for the public’s benefit. Just like a paid-for SSL certificate, a Let’s Encrypt certificate provides HTTPS protection for your website. You can find it by logging into your cPanel and navigating to the Security section, or simply by typing Let’s Encrypt in the search field.

What is Let’s Encrypt?

Let’s Encrypt is a free, automated and open certificate authority that provides domain-validated certificates. Run by the Internet Security Research Group (ISRG), Let’s Encrypt’s primary goal is to create a more secure and privacy-respecting web by making HTTPS more accessible and user-friendly.

Here’s what Let’s Encrypt certificates offer:

  • It’s free (absolutely)
  • Easy installation (very)
  • Enables HTTPS
  • Domain validated
  • Trusted by major browsers
  • Renews automatically every 90 days

What is https?

Hypertext Transfer Protocol Secure (HTTPS), unlike its plain HTTP counterpart, is a communications protocol that provides an encrypted connection between a site and a visitor’s web browser, meaning any data shared is protected from prying eyes in transit.

Why is HTTPS important?

For security and Google.

First and foremost, HTTPS makes your website secure for your users. If your website does not use HTTPS, data sent between it and your users can potentially be intercepted, monitored or even altered by a third party as it traverses the Internet.

Security is a top priority for Google, and back in August 2016 they announced that HTTPS would be used as a ranking signal to encourage webmasters to use encryption. Continuing their mission for a safer web, from this month Google will flag all sites that collect passwords or credit card data without HTTPS encryption as ‘Not secure’ to visitors. You can learn more about this update here.

How to install Let’s Encrypt SSL?

With Let’s Encrypt you can obtain a certificate for your website without filling in any details, by clicking a single button. Just choose the domain or subdomain you wish to cover with a certificate and click the Issue button next to it.

For more information about the Let’s Encrypt project and how it works, visit their official website.

If you are having any issue with SSL install or want us to install the certificates for you, please submit a ticket at support [at] tetrahostbd.com

03 Sep

Critical Update for Joomla! Users

If you are a Joomla user, you better start updating your sites now.

Joomla was updated recently! Joomla issued new minor versions, v2.5.14 and v3.1.5, that patch a critical security hole, so it is very important that you update as soon as possible! We are urging all customers to log in and update their Joomla sites to the latest version to help keep them secure. Joomla didn’t provide many details, but from the summary it seems serious enough to allow users to bypass upload restrictions:

  • Project: Joomla!
  • Severity: Critical
  • Versions: 2.5.13 and earlier 2.5.x versions. 3.1.4 and earlier 3.x versions.
  • Exploit type: Unauthorised Uploads
  • Reported Date: 2013-June-25
  • Fixed Date: 2013-July-31
  • Description: Inadequate filtering leads to the ability to bypass file type upload restrictions.

More information on Joomla 2.5.14 update here: http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads

If you have any questions, feel free to email us at support[at]tetrahostbd[dot]com.

13 Apr

Global Brute Force Floor Attack on WordPress Sites

As I write this article, there is an ongoing, highly distributed global attack on WordPress installations across virtually every web host in existence. The attack is well organized and, again, very widely distributed; it can be described as a brute-force attack. Due to the nature of the attack, memory consumption on targeted servers has increased, and in certain cases this has resulted in degraded performance.

At this moment, we highly recommend that you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters, and “special” characters (^%$#&@*).

The main force of this attack began last week, then died off slightly, before picking back up again yesterday morning. No one knows when it will end. TetraHost started a thread on a popular forum where web host owners are sharing their experience with the attack and their solutions. Here is the thread.

We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done. Again, this is a global issue affecting all web hosts. Our hope is that this attack ends soon, but it is a reminder that we must all take account security very seriously.

To ensure that your customers’ websites are secure and safeguarded from this attack, we recommend reading the following blog article and applying its protections as soon as possible:

http://blog.tetrahostbd.com/2012/01/31/wordpress-protection

Other ways of Hardening a WordPress installation are shared here at:

http://codex.wordpress.org/Hardening_WordPress

The TetraHost support team has been hard at work fighting the situation. We’ve taken proactive steps to reduce the impact of this event, and we thank you for your patience.

Having trouble? You can always file a ticket at support@tetrahostbd.com.