Improve Mobile Search PerformanceOctober 19, 2015
How To Protect Your Website From Brute Force AttackNovember 4, 2015
Over 30,000 websites get hacked every day. 22.5 % of all websites are powerd by WordPress; greater market share equals a bigger target for hackers. Weak passwords, plugin vulnerabilities and obsolete software are the most common reason why WordPress sites can be very easy to get hacked. Are you doing what you need to keep your business website safe?
WordPress is used by millions of people, and it powers millions of blogs and websites. WordPress as a simple blogging platform. Over the years, it has evolved into the most powerful and versatile Content Management System (CMS). It is still used for making blogs, but you can now create powerfully comprehensive websites and applications, also.
WordPress is now completely customizable and can be used for almost anything. A WordPress website is not limited to writing text – you can use images, audio, and video content, and even embed Tweets, YouTube videos, Instagram photos and much more.
It is an Open Source project, which means the source code of the software can be freely used, changed, and shared by anyone. Because it is community software, everyone can contribute by writing helpful reviews, create themes, help test existing plugins, report bugs, etc. Contributors from all over the world continue building upon WordPress. You do not even need to be an experienced programmer or designer to do it. Contributing to WordPress is the best way to learn about the platform. You can also get support from other community members.
WordPress is free software, which means you are free to download, install and use it. To run it, all you need is a domain and web hosting. There are 3 different ways to host your WordPress website:
- Hosting your site on WordPress.com – When having a website on WordPress.com you do not need to worry about the updates, the backups, and the security. However, you are limited in configuration options, themes, plugins, and other technical and creative aspects of content management that could negatively affect the growth of visitors and potential customers. This is the least expensive option and your site will be well-protected.
- Self-hosting your website on WordPress.org – When you move to a self-hosted WordPress site, you can use highly customized third party themes, even fairly simple to highly-complex free themes. To enhance or provide certain functionalities, you can upload free, paid or custom plugins. Securing web hosting and domain registration is your responsibility.
Managed WordPress hosting – Managed WordPress Hosting is a service where all technical aspects of running your WordPress website or blog are managed by the host. This includes security, speed, WordPress updates, daily backups, website uptime, and scalability. Support is provided by WordPress experts, and security is at a very high level (scanning for malware and blocking all hacking attempts – continually in real time). For many reasons, this is the ideal scenario for a business or commercial website, it is also the more expensive option.
What are themes and plugins?
WordPress Theme. Every WordPress website has a theme. The theme provides the aesthetic properties that affect the look and feel of the website or blog. The theme doesn’t necessarily affect the core functionality of WordPress. The theme allows you to change the font type, colors, upload your logo, change the background, create sliders and other aesthetic properties.
There are thousands of free themes to choose from, and there is a WordPress theme for just about everything. A good theme is one that not only looks nice, but is also easy to customize, flexible, actively developed and well supported. Making the appropriate theme choice can definitely determine many important aspects of your sites look, feel, functionality and security. Where security is concerned and before installation, check to be sure the theme is compatible with the latest version of WordPress. You’ll also want to check how well the theme has been rated by other users and when it was last updated. If it hasn’t been updated in the last 90 – 120 days, you may want to consider another theme.
A theme requires frequent updates as WordPress core code is updated and security vulnerabilities are identified and fixed within WordPress, certain code within a plugin, the theme or even browser updates. Updates can happen several times within the same month. It is rare for a theme to not require an update within a 90 day period.
WordPress Plugin according to WordPress Codex is:
“A WordPress Plugin is a program, or a set of one or more functions, written in the PHP scripting language, that adds a specific set of features or services to the WordPress weblog, which can be seamlessly integrated with the weblog using access points and methods provided by the WordPress Plugin Application Program Interface (API).”
In short, with the help of plugins you can add features to your website without even knowing how to code. They allow you to modify and enhance your website or blog. Thousands of plugins are free to download from the official WordPress plugin directory. Some of them are very good quality and some of them can cause your site to crash. It is very important to be very selective when choosing which plugins you want to install on your site. When selecting a WordPress plugin, you’ll use the same criteria recommended for selecting the theme; consider the ratings the plugin has received from previous users, its compatibility with the latest version of WordPress and the frequency with which it is updated, including how long it has been since the most recent update.
Security and your WordPress website
Over 30,000 websites get hacked every day and hackers are constantly trying to find different ways to compromise WordPress based websites. The best way to prevent these attacks is to understand them better.
The most common methods are:
Brute Force – This is the most common method that hackers use. They will create or use tools in order to crack or hack your site. Typically, hackers will use password cracker tools, which allows them to test millions of login combinations in a short period of time. These tools will not stop until the combination is cracked.
SQL Injection – The most common case is when hackers find a hole which is made by an active plugin or theme you use. These attacks can reveal sensitive information about the database, potentially giving hackers entrance to modifying the actual content of your site.
If you are on a shared server (a server that also hosts many other websites), your vulnerability is even greater. Shared servers are the least expensive form of hosting because the hosting company spreads the resources and the security across many, many websites. If any of these websites fail to perform real time updates or implement the latest security methods their inherent vulnerabilities create significant cracks in your website security – no matter how rigid your maintenance and security efforts.
Nuke – The hackers will check your site using tools to figure out whether you use a hosting provider or not. This attack is always targeting a private server and surprisingly, they are not classified as a hacking activity because the hackers are not targeting your data.
There are 3 simple ways to protect your WordPress site from these attacks:
Strengthen Your Password – The use of hard-to-guess passwords can make it difficult for a malicious hacker to break into your web site. You should definitely avoid dictionary words or common series of numbers in your passwords.
Delete and Update – Your site must always be updated to the latest version of WordPress, and the latest version of all installed plugins and themes. Also, it is best to delete any plugins or themes that you don’t use. Simply deactivating unused plugins and themes is not enough.
Limit Login Attempts – Blocking users that enter a wrong username and password too many times in a row is one of the best practices to secure your site against brute force attacks.
What is iThemes Security PRO and how to use it?
iThemes Security PRO is one of the top ranked WordPress security plugins. It is designed to help improve the security of your WordPress installation from many common hacker attack methods. This plugin is free to use and no extensions are needed. It includes malware scanning and it protects from brute force attacks and back door vulnerabilities. iThemes Security PRO is regularly updated and new security features are added.
iThemes Security PRO is not complicated to use and it offers many setting options. You can use this iThemes Security Pro Settings Checklist which will make it easy for you to set it up properly.
iThemes Security Pro Settings Checklist
This checklist begins with the assumption that you have clicked on the Security link on the left side admin menu region in your WordPress Admin Dashboard to open the iThemes Security menu.
- Before you begin, make a full backup of your WordPress
- Whitelist your IP address in the Dashboard
- Click on the Settings Tab at the top menu area.
- Check the option to “Allow iThemes Security Pro to write to wp-config.php.“
- Verify that your email address is correct.
- Check the box next to “Send digest email” to cut down on notification emails.
- Click Save All Settings button at the base of the Global Settings
- In the 404 Detection section, check the box next to “Enable 404 detection.“
- Click Save All Settings button at the base of the 404 Detection
- In the Banned Users section, check the box next to “Enable HackRepair.com’s blacklist feature.“
- Check the box next to “Enable ban users.“
- Click Save All Settings button at the base of the Banned Users
- In the Brute Force Protection section, enter your email address in the field next to “Get your iThemes Brute Force Protection API Key.“
- Check the box next to “Enable local brute force protection.“
- Check the box next to “Immediately ban a host that attempts to login using the “admin” username.“
- Click Save All Settings button at the base of the Brute Force Protection
- In the Strong Passwords section, click the box next to “Enable strong password enforcement.“
- We recommend setting the drop-down box next to “Select Role for Strong Passwords” to Subscriber.
- Click Save All Settings button at the base of the Strong Passwords
- Check ALL THE BOXES in the System Tweaks
- Click Save All Settings button at the base of the System Tweaks section.
- In the WordPress Tweaks section, check the box next to the following options:
- Remove the Windows Live Writer header
- Remove the RSD (Really Simple Discovery) header
- Reduce Comment Spam
- Disable File Editor
- Force users to choose a unique nickname
- Disables a user’s author page if their post count is 0
- Also in the WordPress Tweaks section, set the drop-down box in the XML-RPCsection to Completely Disable XML-RPC.
- Click Save All Settings button at the base of the WordPress Tweaks
- Click on the top Pro tab and in the Malware Scan Scheduling section, check the box next to “Enable scheduled malware scanning.“
- Make sure the “Email Contacts” are going to the people you want to receive alert notifications.
- Click Save All Changes button at the base of the Malware Scan Scheduling
- In the WordPress Passwords section, check the box next to “Enable Password Expiration“.
- Make sure the amount of days in the “Maximum Password Age” is set at the desired number of days before expiration.
- Click the Save All Changes button at the base of the WordPress Passwords
- In the Two-Factor Authentication section, check one or more of the boxes in the “Enable Two-Factor Providers” section.
- Follow the video to see the full demonstration on how to work with two-factor authentication.
- Click the Save All Changes button at the base of the Two-Factor Authentication
- Check to make sure your WordPress site is working as desired.
- Make a new full backup of your WordPress site.
We Are Serious About Your Business
We are business and online experts and strategists with a wicked knack for results.
We have the talent and the bench strength required to catalyze your online success.
If we can’t make a measurable, quantifiable difference, we won’t ask for your business.
Contact us. You have nothing to lose.