Posted on September 12, 2018 at 7:26 pm by Ylber Popaj
WordPress is a powerful platform. In fact, it’s so powerful that it runs 25% of all websites today. Given how easy it is to build a website with WordPress, it’s no surprise that the platform is popular with beginners.
Because it is so simple to start a website with WordPress, many beginners skip the basic security measures that would keep them safe from attackers.
As a business owner, you can’t overlook how important security is for your website. With over 90,000 attacks happening per minute, it doesn’t matter whether you’re a huge online retailer or a small blog: having a secured WordPress website should be a major priority.
In this article, we give you some of the basic and beginner tips that you should know AND follow in order to improve your WordPress security. If you follow all the tips below, then barring human error, your WordPress website will be safe from the majority of attacks.
The best part? You don’t need to be a technical wizard to perform any of the tips below. So without further ado, here are the beginner tips for improving your WordPress website security.
There are myriad ways for your site to be attacked, but one of the most common methods is called brute force hacking. Brute force is essentially when the hacker attempts to figure out your site’s login details by guessing them repeatedly.
One way to counter it is to create unique passwords, but if you really want to ensure your website’s safety, you’ll need to put a lockdown feature in place for your website.
The way a lockdown works is that when a hacker attempts to log into your site multiple times with wrong passwords, the website automatically locks out anyone from logging in and you get a notification about the suspicious activity.
To set up a lockdown feature, you can use a number of plugins available for WordPress. One that we recommend is iThemes Security, which lets you enable a lockdown feature, set the number of failed login attempts, and even automatically ban the hacker’s IP address.
The other one to check out is Login Lockdown, which also offers a number of customizable configurations for your WordPress website.
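The lockdown behaviour described above, as an added example (this is example code written for this page, not code from the article nor from iThemes Security or Login Lockdown): it counts failed logins per source IP inside a sliding window, locks the IP once the limit is reached, and records a notification for the site owner. The thresholds, IP addresses and the login log are constructed for the example.

```python
"""Added example (not the article's code nor any plugin's): a minimal login
lockout tracker.  Failed attempts are counted per source IP in a sliding
window; reaching the limit locks the IP for a while and records a notice.
All thresholds, IPs and log entries below are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LockoutPolicy:
    max_failures: int = 5                     # failures tolerated inside the window
    window: timedelta = timedelta(minutes=5)  # sliding window for counting failures
    lockout: timedelta = timedelta(minutes=15)


@dataclass
class LoginLockdown:
    policy: LockoutPolicy = field(default_factory=LockoutPolicy)
    failures: dict = field(default_factory=lambda: defaultdict(deque))  # ip -> failure times
    locked_until: dict = field(default_factory=dict)                    # ip -> expiry
    notifications: list = field(default_factory=list)                   # owner notices

    def is_locked(self, ip: str, now: datetime) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]         # lockout has expired
            return False
        return True

    def record_attempt(self, ip: str, username: str, success: bool, now: datetime) -> str:
        """Return 'locked', 'allowed' or 'failed' for one login attempt."""
        if self.is_locked(ip, now):
            return "locked"                   # refused even if the password is right
        if success:
            self.failures.pop(ip, None)       # a good login clears the counter
            return "allowed"
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.policy.window:
            q.popleft()                       # forget failures outside the window
        if len(q) >= self.policy.max_failures:
            self.locked_until[ip] = now + self.policy.lockout
            self.notifications.append(
                f"{now.isoformat()} lockout: {ip} after {len(q)} failed logins as '{username}'"
            )
            q.clear()
            return "locked"
        return "failed"


# Constructed sample login log: (timestamp, source IP, username, password correct?)
SAMPLE_LOG = [
    ("2018-09-12T19:00:00", "203.0.113.7", "admin", False),
    ("2018-09-12T19:00:05", "203.0.113.7", "admin", False),
    ("2018-09-12T19:00:09", "203.0.113.7", "admin", False),
    ("2018-09-12T19:00:14", "203.0.113.7", "admin", False),
    ("2018-09-12T19:00:20", "203.0.113.7", "admin", False),   # fifth failure: lock
    ("2018-09-12T19:00:25", "203.0.113.7", "admin", True),    # right password, still locked
    ("2018-09-12T19:01:00", "198.51.100.4", "editor", True),  # other IP is unaffected
    ("2018-09-12T19:16:00", "203.0.113.7", "admin", True),    # lockout expired
]


def replay(log=SAMPLE_LOG, policy=None):
    """Replay a login log through the tracker; return outcomes and notifications."""
    tracker = LoginLockdown(policy or LockoutPolicy())
    outcomes = [tracker.record_attempt(ip, user, ok, datetime.fromisoformat(ts))
                for ts, ip, user, ok in log]
    return outcomes, tracker.notifications


if __name__ == "__main__":
    results, notes = replay()
    for (ts, ip, user, _), outcome in zip(SAMPLE_LOG, results):
        print(f"{ts} {ip:14} {user:7} {outcome}")
    print("\n".join(notes))
```

Note that the correct password at 19:00:25 is still refused: a lockout has to apply to every login from the blocked source, not only the wrong guesses, or the attacker simply keeps guessing through it. A real plugin would persist the counters and also key them on the username, since attackers rotate source addresses.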
Show of hands, how many of you are still using “Admin” as your username?
Using “admin” as a username is quite possibly one of the biggest mistakes that beginners make. When you create a WordPress website, the installer automatically sets the username for the administrator account to “admin”.
You need to change this as soon as possible. Why?
Think of it this way. Your username and password both serve as locks on your door. When you use a predictable username such as “admin”, you’re practically leaving one of the locks on your door open to intruders. All that’s left to do is to figure out your password and your website will be compromised.
Change your username by logging into your WordPress dashboard and heading over to the Users section to create a new administrator account with a better username. Once you’ve done that, delete the old “admin” user account immediately.
If you’re running a website for your business, then 2-factor authentication (2FA) is an absolute necessity among your security measures. Not only does it provide an extra layer of security by requiring users to provide login details from two separate components, it’s also very easy to set up.
Given that you can choose the two components, you can combine a regular password with either secret/specific questions, specialized characters, or even a set of codes.
To set up 2-factor authentication for your website, you can use the Google Authenticator plugin, which allows you to set it up with just a few simple clicks.
You might not realize this but your WordPress login page URL can also be a security liability.
Consider this: your login page serves as a door to your website. When you use a common login page such as wp-login.php or wp-admin, you’re basically showing intruders the front door of your website with a huge neon sign.
With such an easy-to-access login page, you’re practically inviting hackers to come and brute force their way into your website. Don’t let something as simple as an admin URL be the reason for your website getting compromised.
Changing your login URL can be done manually; however, it’s not recommended for beginners since it requires accessing and changing your site’s files directly. Instead, you’d be better off using plugins to do all the work.
Plugins such as WPS Hide Login can easily and safely change your login URL to whatever you want it to be. Since it doesn’t change or rename your core files, you won’t have to worry about it affecting your site’s data.
A report from WP White Security states that 41% of WordPress attacks happened due to a security vulnerability on the host. This means that sometimes, regardless of how much security you put on your website, if your web host provider has terrible security then you’ll end up getting attacked either way.
Given the high number of attacks that occur on web host providers, it’s clear that you need to go for the best WordPress hosting that you can afford so that you get the best security available.
When it comes to WordPress websites, going for a managed hosting provider that focuses on WordPress is recommended as they will offer the best security measures possible with WP firewalls, regular scans for malware, servers that are optimized for WordPress, and up-to-date PHP and MySQL.
An SSL (Secure Sockets Layer) certificate is a popular security measure that’s becoming more important for anyone who has a website.
Why is it so important?
For starters, it encrypts the data transferred between your server and a user’s browser. With all the data encrypted, it is much harder for hackers to intercept your connection and steal any pertinent or sensitive data.
The other big reason to apply for an SSL certificate is Google. Recently, Google has started to identify sites without an SSL certificate as “not secure”. This matters because a website that’s “not secure” will be severely punished in Google’s ranking, and it makes your website appear untrustworthy.
To apply for an SSL certificate, you can purchase one from sites such as SSL Comodo or SSL.com, which offer a range of certificates and security measures for all kinds of websites, such as blogs, eCommerce stores, company websites, and so forth.
Some web hosts also offer SSL services as part of their hosting plans, so be sure to check them out. Hosting companies such as InterServer give SSL certificates for free as part of their hosting plans.
The ultimate failsafe for any website owner is to have an offsite backup that you can load up and revert to. That way, regardless of what happens, you won’t have to rebuild your website and all of its data from scratch.
The advantage of having a backup is that you can always return your website to a working state should something bad happen, such as getting a virus in your system or experiencing a malware attack.
In most cases, your web host provider will offer some form of backup for your website, but if you want to be extra safe, you can use plugins such as BackUp Buddy to perform automatic backups for your website.
WordPress security is more than just installing a couple of security plugins and calling it a day. There are many ways a hacker can exploit your website’s security if you’re not careful and haven’t plugged all of your leaks.
Following all the WordPress security tips we’ve given you can be the major difference between a website with mediocre security and a website with impenetrable security.
Written by Azreen Azmi
Azreen Azmi is a writer with a penchant for writing about content marketing and technology. From YouTube to Twitch, he tries to keep in touch with the latest in content creation and find out the best way to market your brand.
Plesk has recently added a few Plesk Toolkits that might have a massive influence on your customer experience. Here is a breakdown of what’s new.
Let’s get started!
This toolkit is one of the most outstanding features of them all. First and foremost, it utilizes the world’s most popular CMS, WordPress. Plesk describes it as, “the most complete, secure and versatile toolkit for WordPress.” The most notable CMS feature is its user-friendliness and simplicity; the Plesk WordPress toolkit takes that even further.
The toolkit offers a one-click installer that helps deploy your first WordPress site. Upon installation, you can even stage and test all your creative ideas in a sandbox tool which requires no plugins! This makes deploying any new content to your live site efficient. Additionally, there is a built-in security feature that helps protect your website, along with a security scanner.
Need more? The toolkit makes processes like staging, cloning, syncing, updating, migrating, and other high-risk tasks easy with one click. If you have multiple WordPress sites, you can even execute updates singly or in bulk across your sites.
If the process seems over-simplified, the toolkit offers a unique feature that lets high-level developers get into the nitty-gritty details. You will be able to access WP-CLI, maintenance mode, debug management, search engine index management and more.
The Joomla toolkit is similar to the WordPress toolkit. It offers a relaxed way to build, secure and run all your Joomla! instances. Just as with the WordPress toolkit, there is a one-click installer which eases the process of initialization and ultimately getting started! Built-in security features and a security scanner are all preconfigured and require no security expertise. Lastly, you can update and monitor all of your Joomla! sites via one single dashboard.
When it comes to search engine optimization, it may be unclear to many developers as to what exactly needs to be done. What should be focused on? What should be improved? The SEO toolkit becomes your guide to optimization.
It helps improve your search engine ranking by testing, analyzing and monitoring your website and competitors. The included SEO Advisor generates a task list which provides insight on your website’s ranking. Also, you can run the Site Audit feature to calculate an Optimization Score based on standard SEO rules and practices. All these tools are very effective when assessing your SEO progress. The toolkit even offers a rank tracker to detect domain popularity in search engines, an awesome tool to monitor your progress. Last but not least, the toolkit offers a defense mechanism that helps track bots! The log file analyzer detects any bots that are visiting your site, with some extra insight per bot.
Overall, the SEO toolkit is an extremely useful tool that performs a great task. It organizes, studies, and assesses your road to SEO success.
The extensions offered on Plesk are publicly available independent modules that serve as specific task handlers. On your Plesk panel you can choose to install as many as needed. Via the extensions catalog you can select one that will match your needs. Providing a wide array of features, you can select a specific category or even use the search bar on https://www.plesk.com/extensions/.
We offer Plesk across all of our services. As a part of our Windows or ASP.NET web hosting package, Plesk is automatically included. On our VPS and Dedicated Server options, Plesk can be purchased additionally via the customer portal. If you have any questions or concerns, please contact our support team at email@example.com or by calling our toll-free number: 1-877-NJ-COLO-1.
Two-Factor Authentication is a super effective and easy-to-set-up security measure. This cPanel feature provides an additional layer of security by requiring a code after a successful password login. So, after logging into WHM with the correct username and password, you would be prompted to input a code generated by an authentication application like Google Authenticator. In this blog post, we will help you activate Two-Factor Authentication and explain the benefits of using it.
The initial process begins in your Web Host Manager (WHM). In the search bar located on the left panel of the page, type “Two-Factor Authentication”. Click on the Two-Factor Authentication tab and then click “Manage My Account”. You will be presented with a step-by-step guide that looks like this:
You will then need an authenticator application installed. In this specific example we used Google Authenticator on a mobile device. The application offers a “Scan Barcode” option, with which you scan the barcode displayed in WHM. Once scanned, the authenticator app presents some information about your service along with a temporary authentication code. Use this code to complete the steps in WHM and you will see:
The status is then set to configured and your Two-Factor Authentication (2FA) is active! Try logging in and you should be prompted with the following:
The major benefit of using Two-Factor Authentication is more security. Security is extremely important when it comes to protecting data. 2FA offers a solid solution to a worst-case scenario: your password being stolen. Generally, if your password was stolen and cracked, the hacker would have full access to what is in your account, assuming they have cracked the root or admin user password. With 2FA active, a hacked password is not sufficient for a hacker to access your information/data. They would physically need the device set up with your 2FA account to view the generated security code. This feature makes it extremely difficult and nearly impossible to hack your account via WHM. As a team devoted to making your online hosting journey the best it can be, InterServer highly recommends the use of Two-Factor Authentication on any cPanel/WHM accounts.
Without a GUI, servers must be configured and operated through SSH, which requires extensive knowledge of command line syntax. Control panels provide a centralized and intuitive way to manage your servers.
InterServer’s customized control panel is designed for maximum usability and cost savings. While competitors often charge additional fees for control panel access, Bread Basket allows users to easily deploy hundreds of cloud applications at no extra cost. Between our flexible pricing model and Bread Basket’s versatility, there’s a perfect VPS for every need.
Suitable for running both websites and applications, our virtual servers are well-received within the hosting community. With Bread Basket, we are able to provide a more intuitive, secure, and versatile control panel that significantly lowers the barriers of entry to cloud VPS management.
One of the most popular control panels on the market, cPanel is designed with beginners in mind. The Linux-based interface dates back to 1996, making it one of the earliest server control panels available in the hosting market. Like cPanel, Bread Basket was created with simplicity in mind. On the other hand, Bread Basket relies on fewer resources and is specifically designed to work with our servers, allowing users more freedom and capabilities for management. For customers switching over from cPanel, a comprehensive guide for importing archives can be found here.
Another widely used control panel, Plesk allows for improved instance clustering for both Windows and Linux systems. Because of the compatibility with Windows, Plesk is favored by many webmasters and ASP.NET developers. At the same time, less-experienced users may be intimidated by its text-heavy interface, as well as the premium price other hosting providers often tack on the platform.
In short, Bread Basket is for those who want to save money and need a more beginner-friendly way to streamline website management and application deployment.
Bread Basket is designed for easy scaling, allowing you to add and manage multiple servers directly from the interface. You can also add additional storage and RAM with a few simple clicks. Best of all, Bread Basket is web-based and therefore compatible with your favorite operating systems, including Debian, Windows, and Ubuntu.
Remote desktop access allows users to connect to servers directly. Similar to operating a virtual machine, users can access the server’s desktop from their own computer using a secure protocol. This also enables access to the server’s terminal, granting webmasters more liberty with licensed apps than when using a VPN.
Microsoft uses a proprietary protocol known as Remote Desktop Protocol (RDP), which powers Bread Basket’s VNC application. Our VPS customers — regardless of chosen OS — can access VNC through the control panel, which uses the browser-based HTML5 VNC client.
In addition to being OS-neutral, the HTML5 VNC also allows users to copy and paste from sessions, as well as print pages to a PDF file. As the client is still a new release, Microsoft plans to add additional features in the near future.
Implementing HTML5 VNC is just one way we try to incorporate innovation and user empowerment into our platform. In terms of hardware, our infrastructure is built using high-performance CPUs and speedy SSDs. As for Bread Basket, a wide range of frameworks and web servers are available to make running your website or deploying your apps a breeze.
Web servers such as Apache, NGINX, and Lighttpd include a number of optimization features to streamline the development and deployment of your web applications. For example, Apache’s Sendfile operation can bypass individual read and send instructions when transferring a file. As for NGINX, the web server excels at handling concurrent connections through an asynchronous, event-driven architecture.
Many people prefer to use the cloud when creating and storing backups — and with good reason. Cloud backups through Bread Basket provide peace of mind via redundancy and secure access protocols. Users can easily create and manage backup images from within the Bread Basket interface, keeping data safe no matter what. Automatic weekly backups are also available.
Bread Basket also features a massive library of more than 300 apps to choose from. These run the gamut from content management systems and eCommerce platforms to forums and wikis. Bread Basket uses one-click installs and automatic updates for each of these apps, taking the guesswork and tedium out of maintaining your VPS. Combined with our nearly-instant provisioning, this means you can have your server up and running within a matter of minutes.
We give customers full root access, which lets you optimize your VPS with customized software. Bread Basket is anti-bloat, meaning you get all the apps you want without being bogged down by pre-loaded ones. Multiple options are available for every application category, allowing you to freely install your favorites.
You may have become familiar with our InterShield blog posts. It has become a special security series of ours that is of high importance to us and to our web hosting customers. Due to its ongoing success and popularity, we have decided to describe the step-by-step process that InterShield follows.
A request to access a website comes in: someone has entered http://domain.com into a browser.
Using the LiteSpeed web server and the RBL rule, InterServer’s InterShield queries our own internal RBL blacklist. This blacklist contains known bad IPs: IPs that have been blocked for bad activity, hacking, uploading malware and a number of other activities. The RBL updates frequently, removing IPs that have not been seen in a while and ensuring good bots like Googlebot are not blocked. The request is made without a slowdown, and the lookup result is cached so the lookup doesn’t need to happen again for some time.
Note: If the IP is in the RBL, we log the request for review later and deny it. Otherwise the request passes.
Using the request filter in LiteSpeed, we quickly process rules from Atomic Got Root, a commercial mod_security ruleset, as well as InterServer’s own internal rules, without causing a delay. These update frequently, and by using LiteSpeed the rules are processed extremely quickly and do not delay the request. If the request is blocked, we log the request for review later, note the IP address that was blocked, and deny it. Otherwise the request is passed.
Any request with POST content is scanned quickly by ClamAV, using a cluster of servers to scan the request. This returns either a pass or a fail result. If malware is detected, we log the request and IP for review later; otherwise we pass it. To speed up the request further, a checksum of the file is computed first, and if the file has been scanned before it does not need to be scanned again. Finally, the request is sent for processing. Scripts, such as PHP scripts, have secondary rules that also scan the file as it runs if its checksum is not already known, to search for potential malware that may already exist in an account. Notices are sent to the account owner through the contact email set in the contact section of the control panel.
Under cPanel, all accounts are isolated from each other. No account can see the files, processes or memory – including temporary files – of another account.
InterServer Exclusives: Addon domains are further isolated from each other within the cPanel account.
Additionally, the option of dropping PHP privileges is available so that the PHP scripts being called cannot modify files within your own account.
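As an added illustration of the InterShield steps above (example code written for this page, not InterServer’s implementation), the following simulates the pipeline: an RBL lookup whose answer is cached for a while, request-filter rules, a scan of POST bodies that is skipped when the body’s checksum has been seen before, and a review log of every denial. The RBL entries, filter rules, sample requests and the stand-in scanner (which recognises only the EICAR antivirus test string) are all constructed; the real system uses LiteSpeed, a mod_security ruleset and ClamAV for these stages.

```python
"""Added example (not InterShield's code): simulation of the described pipeline.
RBL entries, filter rules, traffic and the stand-in scanner are all constructed."""
import hashlib
import re
import time
from dataclasses import dataclass, field


@dataclass
class Request:
    ip: str
    method: str
    path: str
    body: bytes = b""


# Constructed RBL of IPs previously blocked for bad activity (documentation range)
RBL = {"203.0.113.50", "203.0.113.51"}

# Constructed request-filter rules: (name, pattern applied to the request path)
FILTER_RULES = [
    ("path-traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("null-byte", re.compile(r"%00|\x00")),
]

# Stand-in for the ClamAV stage: only the EICAR antivirus test string is "malware"
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan_body(body: bytes) -> bool:
    """Return True when the body is judged malicious (here: contains EICAR)."""
    return EICAR in body


@dataclass
class Shield:
    rbl_ttl: float = 300.0                           # seconds an RBL answer stays cached
    rbl_cache: dict = field(default_factory=dict)    # ip -> (listed?, expires_at)
    scan_cache: dict = field(default_factory=dict)   # sha256 -> malicious?
    review_log: list = field(default_factory=list)   # denials kept for later review
    rbl_lookups: int = 0
    scans: int = 0

    def _rbl_listed(self, ip: str, now: float) -> bool:
        hit = self.rbl_cache.get(ip)
        if hit and hit[1] > now:
            return hit[0]                            # cached answer, no lookup
        self.rbl_lookups += 1
        listed = ip in RBL                           # real system queries a DNS RBL
        self.rbl_cache[ip] = (listed, now + self.rbl_ttl)
        return listed

    def _deny(self, req: Request, stage: str, detail: str) -> str:
        self.review_log.append(f"{stage} ip={req.ip} {req.method} {req.path} {detail}")
        return f"deny:{stage}"

    def handle(self, req: Request, now: float = None) -> str:
        now = time.time() if now is None else now
        if self._rbl_listed(req.ip, now):            # step 1: RBL blacklist
            return self._deny(req, "rbl", "listed")
        for name, pattern in FILTER_RULES:           # step 2: request filter rules
            if pattern.search(req.path):
                return self._deny(req, "filter", f"rule={name}")
        if req.method == "POST" and req.body:        # step 3: scan POST content once per checksum
            digest = hashlib.sha256(req.body).hexdigest()
            if digest not in self.scan_cache:
                self.scans += 1
                self.scan_cache[digest] = scan_body(req.body)
            if self.scan_cache[digest]:
                return self._deny(req, "malware", f"sha256={digest[:12]}")
        return "pass"                                # step 4: hand to the application


# Constructed traffic sample
SAMPLE = [
    Request("198.51.100.10", "GET", "/index.php"),
    Request("203.0.113.50", "GET", "/index.php"),          # RBL-listed source
    Request("203.0.113.50", "GET", "/about"),              # same IP, cached answer
    Request("198.51.100.10", "GET", "/files/../../secret.txt"),
    Request("198.51.100.11", "POST", "/upload", EICAR),    # scanned and denied
    Request("198.51.100.12", "POST", "/upload", EICAR),    # same checksum, no rescan
    Request("198.51.100.12", "POST", "/contact", b"name=alice"),
]


def run(sample=SAMPLE):
    """Push the sample through a fresh Shield; return verdicts and the shield state."""
    shield = Shield()
    verdicts = [shield.handle(r, now=1_000_000.0) for r in sample]
    return verdicts, shield


if __name__ == "__main__":
    verdicts, shield = run()
    for r, v in zip(SAMPLE, verdicts):
        print(f"{r.ip:14} {r.method:4} {r.path:26} {v}")
    print(f"rbl lookups={shield.rbl_lookups} scans={shield.scans}")
    print("\n".join(shield.review_log))
```

Two details of the post’s design show up in the counters: the second request from the listed IP costs no RBL lookup because the answer is cached, and the second EICAR upload costs no scan because its checksum matches the first. The cache entries carry a TTL precisely so that an IP removed from the RBL (or a file whose verdict changes after a signature update) is not blocked or trusted forever.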