30 Jul

WordPress Security: Tips To Secure A WordPress Website

WordPress, the most popular Content Management System(CMS) in the market, which powers almost 34% of all the websites on the Internet. This popularity also brings some problems to your room making it the most targeted CMS by hacker to get benefited using a site. If you are serious about your website, then you need to pay proper attention to your site and WordPress security best practices. Keeping your WordPress site secure takes a little effort but should be top of the agenda for anyone serious about their website.

Hacker uses two approaches to hack WordPress websites. They target individual sites as well as large clusters. Nothing in this world is hack-proof but what We can try is make this as difficult as possible, so they go elsewhere.

In this tutorial, We will share our Best Tips to keep your WordPress website secure.

1. Update your WordPress

WordPress is an open source software which is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update. Not updating your themes and plugins can mean trouble. In most cases, WordPress-powered sites are compromised because their core software, files, themes, and plugins are outdated making them traceable. WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers which regularly release updates as well. Every WordPress site administrator should regularly check for update and keep WordPress including plugin and theme files up-to-date.

How to configure automatic updates

You can configure automatic updates as well. To auto-upgrade WordPress core, insert this code into your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

For plugins, use:

add_filter( 'auto_update_plugin', '__return_true' );

For themes, use:

add_filter( 'auto_update_theme', '__return_true' );

2. Install a WordPress Security Plugin

Many users find it easier to rely on a one-stop security solution. If that is the case with you, one of the following WordPress security plugins might be suitable:

iThemes Security – available in both a free and premium version, iThemes provides over 30 different ways to improve the security of your website.

WordFence – is another security plugin that offers both a free and premium version. With just over 11 million downloads, WordFence has a strong user base who depend on this plugin for their security needs.

Sucuri – While Sucuri maintains a free plugin in the WordPress repository, they also provide a more comprehensive service that includes: malware and blacklist scanning, DDoS protection, malware cleanup, firewall protection and more. One of the great features of the Sucuri service is that it includes cleanup in the event that you site is compromised.

3. Install SSL Certificate

SSL (Secure Sockets Layer) is a protocol which encrypts data transfer between your website and users browser. This encryption makes it harder for someone to sniff around and steal information. For instance, our hosting service comes with free SSL on all plans which customer can avail from cPanel >> Let’s Encrypt SSL.

4. Use a Strong Password

The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique for your website. Not just for WordPress admin account, but also for database user, WordPress hosting account.

5. Disable File Editing

If a user has admin access to your WordPress dashboard they can edit any files that are part of your WordPress installation. This includes all plugins and themes. It can be accessed by going to Appearance >> Editor. Another way you can find the plugin editor is by going under Plugins >> Editor. If you disallow file editing, no one will be able to modify any of the files – even if a hacker obtains admin access to your WordPress dashboard.

To make this work, add the following to the wp-config.php file (at the very end):

define('DISALLOW_FILE_EDIT', true);

6. Change your WP-login URL

By default, the URL We use to log into our dashboard is either wp-login.php or wp-admin, added after your site’s main URL. For instance, YOURSITE.com/wp-login.php and guess what, those two are also the most accessed URLs by hackers who want to get into your database. If you change that URL, you reduce the chances of finding yourself in trouble. Guessing a custom login URL is way harder for hackers.

The iThemes Security plugin does this trick. For instance, your login URL can turn into something like YOURSITE.com/my_site.

7. Securing wp-includes Folder

The wp-includes folder contains only the files that are strictly necessary to run the core version of WordPress, one without any plugins or themes. Remember, the default theme still resides in the wp-content/theme directory. Thus, no visitor (including you) should require access to content of the wp-include folder. You can disable access using this following code snippet by updating your default .htaccess file:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

8. Hide wp-config.php and .htaccess files

While this is an advanced process for improving your site’s security, if you’re serious about your security it’s a good practice to hide your site’s .htaccess and wp-config.php files to prevent hackers from accessing them. We strongly recommend this to be done by an experience developer because a slight mistake can take down your site. You should start by taking backup of the files as well. To hide the files, there are two things you need to do:

Go to your .htaccess file and add the following code,

<Files wp-config.php>
order allow,deny
deny from all
</Files>

<Files .htaccess>
order allow,deny
deny from all
</Files>

Another security measure that you can take is to restrict wp-config.php file permission. Set the file permissions to 600 so that only true owners can edit the wp-config file. To change the file permission of wp-config, select the file from cPanel >> File Manager and then choose the option ‘Permission’.

9. Disable PHP File Execution in Certain WordPress Directories

Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed such as /wp-content/uploads/.

You can do this by opening a text editor like Notepad and paste this code:

<Files *.php>
deny from all
</Files>

Next, you need to save this file as .htaccess and upload it to /wp-content/uploads/ folders on your website using File Manager or FTP Client.

10. Change Security Keys

It is recommended that you change the WordPress Secuity key periodically so that if someone/something got login credentials, resetting the security keys will log them out immediately. You can generate a new set of security keys and place them in the ‘wp-config.php’ file and here is the URL where you can generate new set of keys. It’ll help secure your WordPress site. Its generate new keys every time someone browse the URL.

11. Choose a Good Hosting Company

You should find/choose a good hosting provider who has up-to-date security system deployed on their servers. You might look for Cloudlinux, Litespeed, Imunify360 Scanner etc. A company with good support and daily backup system will help you to run your WordPress site properly.

12. Don’t Use Nulled Themes

We have seen, people are using nulled theme for their website which is one of the main reason for security breach of a site. You should try to get the premium theme by paying the charges to actual seller. Nulled themes contain hidden malicious codes, which could destroy your website and database or log your admin credentials very easily.

13. Monitor your site – to find any unusual activity.

14. Back up your site regularly – in-case of emergency.

15. Use Latest PHP Version – PHP is used for backend coding and using latest version of PHP will enhance the site security parameter.

16. Use Clever Usernames and Passwords – do not go with the common ones, think and use harder.

17. Captcha Protection – Protecting your site with google captcha protection.

That’s all, we hope this article helped you learn the top WordPress security best practices as well as discover the best WordPress security plugins for your website.

19 Aug

Important security tips to keep your website secure!

Security is of utmost importance to TetraHost and we have taken every step to ensure the integrity of your data. However, the fact is that web servers cannot be completely secured, particularly since it is always connected to the Internet. The world of internet security is an evolving landscape, and perfect security is nothing more than a pipe dream. There is always a “weak link” in a networked system and it needs to be protected. The weakest link in a web server is usually outdated scripts which have vulnerabilities or files which have incorrect permissions/ownership that are uploaded by an end user. Hence we wish to make you aware of the importance of keeping your scripts updated through this blog!

In a typical shared hosting environment, there are numerous attack vectors. TetraHost has deployed the best known softwares to keep the web server and various services running in the server secure from outside attacks. This includes firewalls, mod_security rules, disabling of potentially dangerous PHP functions, etc. which can limit compromises that can happen through an user’s script/file.

Be selective about the script You install:

Do not just install any script that you find on the internet, especially those scripts that are not often updated. Such old scripts might have been dumped by its developer and he/she might not be developing or releasing patches in the future. Many of them are not maintained, and may have potential security holes that won’t be fixed. When choosing which scripts to install in your account, look for applications that appear to be actively developed or supported by the vendor. No script will be perfectly secure, but some may be designed to minimize the potential for security problems. If you’re not sure about a script, don’t install it. Of course, if you have the capability and know-how, you can always look it over yourself.

Keep your scripts updated:

This is the most important tip and it is imperative that you follow it as soon as possible. When a vulnerability is discovered, most reliable script developers will patch the vulnerability and an update will be released. These script developers usually maintain mailing lists that announce when a new version of the script is available. Make sure that you watch for those announcements and update the script immediately. You can also try removing the version number of the script that you’re using from the footer file, as this is one method attackers can use to identify vulnerable sites by using search engines.

Maintain the correct permissions:

It is not a wise idea to assign full write permission for your scripts or folders, unless the script developer has a purpose and requires you to set that permission, like an uploads folder. Incorrect setting of permissions can allow a potential attacker to execute vulnerable coding and exploit your script.

Backups:

Backup is the only fool proof method to be completely secure against compromises. TetraHost uses innovative backup technology to protect your data in the event of a compromise. Even though we provide the best backup services, we always recommend the client to maintain backups of the data at their side too. You can utilize the Backup feature in cPanel to take complete website backups of your account settings, files, emails, databases, etc. Please make sure that you do not store your backup files inside “public_html” or any directories that are accessible from outside. These backup files can be downloaded by a hacker giving him/her access to your login details stored in it.

Nobody wants their hard work to be damaged or destroyed, so upgrade that script today! You never know when a potential attacker might come along, and you may as well make his task as difficult as it can be!