So, how do you prevent these security blips – this post aims to show how.
Regular data backup can save you lots of frustration and headache, and especially after a hack. Taking the necessary measures to ensure information on your WordPress site or blog is backed up before making any significant changes, and doing the same after updates are recommended.
Although most people prefer to backup their data manually, using a plugin can make your work much more manageable. Plugins provide a convenient way to handle data backups at set times or intervals. Backup buddy (a plugin) is pretty good at this.
Although a paid option, this plugin exports everything on your WP from settings, files, images, and content on the database. You could also opt for free plugins as well.
Updating your blog/site to the latest WP version can also save you lots of trouble. The regular updates are not only meant to make your experience much better but also patches security loopholes that could otherwise be manipulated by hackers.
You can simply follow WordPress feeds to find out about new updates, or just log in to the blog as admin. Be sure to follow WordPress Development blogs to get the latest updates on when the next patch or fixed will be released.
Only used plugins and themes with continuous support and updates. It is through the continued support that developers of the same can release patches to make their plugins hacker-proof.
Any outdated or plugins/themes that no longer receive updates should be avoided, or uninstalled altogether. Most developers only provide support for about a year or two, then discontinue support for the same.
Be sure to look for themes or plugins with active support, receives frequent updates, well-rated, and customer support. You will be surprised to know most of the top-selling themes are outdated or longer receive updates. Look at the comment section for red flags and other indicators of flaws in the same before making an order.
Most of the premium WordPress themes will come bundled with third-party plugins. Some of the plugins bundled with the theme may or may not receive frequent updates.
Revolution Slider is an excellent example of plugins that come bundled with lots of themes on ThemeForest. This plugin had a major vulnerability back in 2014.
The thousands of sites that used this plugin were hacked with most of the hacks redirecting traffic to malicious sites. Although the developers of the same were pushing out updates for their themes, one loophole cost many websites a fortune.
As a precaution, consider investing in plugins that aren’t bundled with extra ‘freebies’. If need be, buy each plugin individually to reduce vulnerabilities to your site. You also need to turn on updates on these plugins to keep your site safe as well.
The admin directory in WP should always be password protected at all times. It holds the key to every function and security of the site. Password protecting the WP-admin directory helps keep hackers and other malicious people at bay.
This also means the admin will be required to enter two passwords to access the admin directory. The first password gives access to the login page with the WP-Admin directory still protected. The fun part about password-protecting this directory is that you get to control all aspects of the site, including unlocking various parts for access to authorized users only.
One way to protect the WP-admin directory is by installing the AskApache Password Protect plugin. The plugin configures enhanced security file permissions and encrypts the directory with a .htpasswd file.
Using the SSL certificate to secure the Admin panel is not only wise but a smart move. This certification ensures data transfer between the server and user browsers is encrypted and almost impossible to breach.
This enhances data security on the site. Getting an SSL certificate is easy too. You can have your hosting firm for one, or just buy the certificate from a dedicated company.
The Let’s Encrypt SSL certificate is available for free and is an open source product as well. This means it does a pretty good job of keeping your site and data secure. Using an SSL certificate on your WP site can also help boost the site’s rankings on Google
Changing the default WP login address to a different one gives your site an extra layer of security. You can do this by accessing the site’s admin URL.
Renaming the URL makes it hard for hackers to brute force their way into the site. Test the new login details with GWDb to see if anyone can guess your login details.
Although a simple maneuver, this trick helps restrict unauthorized entry to your login page. Only individuals with the login URL and details can access the dashboard. You could also use the iThemes Security plugin to rename your login address.
Although public Wi-Fi may seem convenient, it poses multiple threats to your devices, sites, and online activity. Any malicious person on the same network or running packet sniffing software can sniff out any personal data you send via the same. If you have to log in to your WP site admin panel, then ensure you have an SSL certificate installed, or better still, use a virtual private network (VPN).
Have a VPN service installed on your computer or any other device just in case you need to log in to your site. It would also be a good habit to have the VPN running even with the SSL certificate installed. Never underestimate the skills of a black hat hacker targeting your site.
Users with admin access to your WP site or dashboard can edit or even change files on the site. This includes themes and plugins already installed in the same.
Disabling file editing on the site means only you can make changes to the site, and also helps make it almost impossible for hackers to change anything on the site. Any hacker that gains access to the WP dashboard will find it hard to change or modify files already on the site. Consider disallowing other users adding content and scripts to the site as well.
To do this, add these commands to the wp-config.php file located at the very end.
Define (‘DISALLOW_FILE_EDIT’, true);
According to matthewwoodward.co.uk you should only connect the server through SSH or SFTP when setting up the site for the first time. SFTP has more security features enabled as compared to the traditional FTP protocol. These security features are also not attributed to FTP, thus enhanced security.
Connecting the server via SFTP and SSH guarantees secure file transfer. Most web hosting providers can provide this service on request, with some offering it as a part of their packages. You can also enable these features manually too. Some expert knowledge may be needed to connect such safety and without much struggle.
Ali Qamar is a tech and security enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. Currently, he is the chief editor at Cyberogism.com, an ultimate source for tech, security and innovation. To be frank and honest, Ali started working online as a freelancer and still shares the knowledge for a living. He is passionate about sharing the knowledge with people, and always try to give only the best. Follow Ali on Twitter @AliQammar57
(Security Affairs – hacking, WordPress)