Top 4 recs for WordPress security and additional resources

WordPress is already a very secure platform but it is also the target to a lot of attacks because of its popularity. Security has been covered in great detail by the resources below, but here’s our top recommendations.

Secure passwords!

Secure passwords should be over 8 characters and include numbers and symbols. We know it’s a pain! Services like LastPass and 1Password can help. Or if want to use a simple password, enabling 2 Factor Authentication (2FA) will add enough security that a simple password is fine. We recommend Google Authenticator and WP Google Authenticator.

Backups

You know this already, but having a backup is the best way to recover from an attack. Malware can be cleaned up, but it’s better to use a backup. Here’s an easy way to backup WordPress.

Updates

WordPress core should already be setup to update minor versions automatically. The Core team releases fixes really quickly so it’s important to make sure that setting is set.

Plugins and themes are also important to update often. A lot of attacks focus on out of date plugins. As a side note, you should only use reputable plugins and themes. Do some research on a plugin before you install it.

Hosting

Good hosting might be the most important thing on this list. You want to find a hosting company that keeps their servers up to date and follows the hardening recommendations for hosting WordPress sites. The Hosting WordPress[https://codex.wordpress.org/Hosting_WordPress] guide has lots of good info if you want to do it yourself.

Resources

If want to dig deeper here are a ton of resources to take a look at.

Hardening WordPress – Basic steps you should consider to make your site more secure.

Hosting WordPress – If you’re hosting is yourself on a VPS, this guide will get you started on securing the server.

Ultimate Guide To WordPress Security– A really in depth look at security with a bunch of good recommendations.

WordPress Security – A high level look at why WordPress sites are targets and the top attacks people use.

These are recommended by the WordPress Hardening Guide.

Tim Easley

Configuration & setup for new WordPress sites

When you setup your new WordPress site, there are a couple of things that will help make things more secure. You can do them later too, but it’ll require a bit more work.

First, use a different table prefix from the default ‘wp_’. It’s easy to change this is from the setup screen, but a bit harder later. Either way, it’ll make SQL injection attacks harder. The table prefix is a prefix WordPress uses for it’s database tables names. Using something like ‘wp_234a2234_’ is perfectly fine.

Secondly, don’t use ‘admin’ as the username. This was the default early on and now attacks often try this username. If you already have an ‘admin’ user, I’ll show you how to change it at the end of this post.

Now that the site is setup, you’ll want to do some additional cleanup by removing some of the install files that are no longer needed, updating the wp-config.php file, and adding some code to the functions.php file. Sounds like a lot, but it’s pretty easy once you have SFTP setup.

On the server

You’ll need SFTP access for these next steps. This guide will help you get going if you don’t already know how to use SFTP. I recommend FileZilla, it works on Window, Mac, and Linux You should use SFTP over FTP if you can. Most hosting companies have SFTP available. What’s the difference? Security!

Make sure you take a backup now!

The easy part… deleting the following files.

  • readme.html
  • wp-config-sample.php
  • wp-admin/install.php

Now you’ll want to setup custom salts and disable debugging support in the wp-config.php. This file is in the root of your website, usually in a http_docs or public folder.

Download the current file and edit in with a text editor. In the section that starts with define(“AUTH_KEY”), look to make sure there is random text for all the values. It should NOT look like this:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

If it does, go here https://api.wordpress.org/secret-key/1.1/salt/ to create your own random values and replace the ones in your file.

Turn off debugging & web based file editing.

While helpful when developing or initially setting up your site. You should turn the following options off when you’re not using them. They can give attackers helpful information and access to files.

The add the following to the end of wp-config.php file, but before the /* That's all, stop editing! Happy blogging. */ line.

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

// Enable WP_DEBUG mode
define( 'WP_DEBUG', false );

// Enable Debug logging to the /wp-content/debug.log file
define( 'WP_DEBUG_LOG', false );

// Disable display of errors and warnings
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );

// Use dev versions of core JS and CSS files (only needed if you are modifying these core files)
define( 'SCRIPT_DEBUG', false );

Here’s a quick video showing how to make these changes w/ FileZilla.

 

Advanced

This change after a site is setup require a bit more work. And are best done using SQL. What is SQL? It’s how you talk to databases. It’s not support complicated, but you can ruin your database, so make sure you have a current backup before hand!

Fixing admin login on an existing site.

WPBeginner has a good post with a few ways to change the username. I recommend method 3.

Changing the database prefix on an existing site.

WPBeginner has another good post outlining how to change the prefix.

You know backups are important, but do you have them?

Boring! I know. But you’ll regret not having them at some point.

Plus it’s pretty easy to get backups, either one-off or scheduled. You also want to make sure you store them offsite.

Offsite is more important than scheduled if you don’t make changes often. But you should make sure to run a backup after any significant changes to your site or content.

There are lots of ways to make backups. Plugins are the simplest way to get started. We recommend Duplicator and UpdraftPlus. Duplicator is the simplest solution for one off backups and migrations. Duplicator Pro and UpdraftPlus with some paid options allow for scheduled backups and offsite storage.

Why offsite?

Offsite just means not on the same server as your WordPress site. This is important because if the server is completely lost so are your backups. It’s also nice insurance if you want to change your hosting provider and they are not helpful in moving.

If you don’t make changes often, you can just run your backup and download the result after making changes. If you make changes often, you should do something scheduled and store them somewhere like Amazon S3 or Dropbox or any of the other storage options.

Here’s a quick video showing how to install Duplicator, create a backup, and downloading the backup files.

 

What does a backup contain?

Backups for WordPress consist of two parts. The files from the server, this includes WordPress, Plugins, and Themes. It also contains all your upload media. The second part is the database. The database contains all the configuration and content for your site. The database part is the most important part of the backup.

With backups you can make changes to your site without worrying too much if something goes wrong. It’ll be a bit of work to restore, but you’ll be able to get your site running again!

When should I backup?

The general rule is to backup before making any major changes AND right after making major changes. This includes adding content that you can’t easily recreate.

At WP Support HQ, we create daily backups for our clients and store them on Amazon S3. We also restore those backups when needed. Learn More


Patrick Lindenberg

How We Manage WordPress Sites at WP Support HQ

When a new site signs up we do a number of things to make sure it’s backed up, updated, secure, and running smoothly. We think our WP management service is a great value, but we also think these are things every WordPress site should do. So for the do-it-yourselfers out there, here’s how we do today.

Setup

First thing we do is make sure there are backups so we can fix anything that might go wrong. It usually doesn’t, but a back up is nice. We use UpdraftPlus for all our backups. It’s a great plugin and stores everything to Amazon’s’ S3 storage solution for safe keeping. We configure it to automatically run every day.

Now that’s done, we see what needs updated. If the site hasn’t been updated in a while, then we need to do some research to make sure the plugins and themes will work with the latest stuff. Check the Updates screen and many plugins will state whether or not they work with the latest.

Compatibility with WordPress 4.5.3: 100% (according to its author)

For those that don’t, we find the plugin in the WordPress.org Plugin Directory. Checking the reviews and support tabs will usually surface any issues. If WordPress itself is really out of date, then the Directory is helpful to see if the current version is supported.

Next we check the theme. Although we don’t automatically update themes, it’s good to know if there are updates available and if they’ll work. This is something we just report on.

Next we remove any disabled plugins. They aren’t running on the site, but WordPress still loads them and they can be a security risk.

Are there any active plugins that aren’t used on the site? It’s pretty hard to tell without doing a more thorough audit. But sometimes there are obvious ones, like Hello Dolly, the sample plugin installed with WordPress. We disable and remove those too.

Next up is Akismet. Comment spam protection. If comments are turned off everywhere, then this can be removed. If comments are on and Akismet not set up with an API key, we set it up.

Anti-malware. We love the Anti-Malware Security and Brute-Force Firewall plugin and set it up next. Not only is it an amazing anti-malware scanner, it repairs issues it finds and also protects from some very common attacks, including Brute-force logins. Brute-force logins, arguably the most common way sites are hacked, are a program that just tries to guess the password by logging in over and over very fast.

Automation

To keep up on things we setup some automation. We already have the backups running every day. But what about updates and security scans?

WordPress core can automatically update itself and now that we’re starting from an up-to-date site, we make sure it does. In the wp-config.php file, we add the following if it’s not there.

define( 'WP_AUTO_UPDATE_CORE', ‘minor’ );

This allows WordPress to auto update any minor updates, this includes security fixes. We don’t enable everything in here, because major updates and plugin updates can break a site, we like to make sure that doesn’t happen.

For the rest of the updates we use MainWP. This keeps an eye on everything and lets us auto update plugins we’re confident won’t break a site. For everything else, we manually update and verify those once a month.

MainWP also includes some other great features, like fixing common security configuration problems and scanning the site with Sucuri.

Performance

Lastly we take a look at performance. The biggest things that affect performance are too many plugins, caching, and images.

We’ve already audited the plugins, but if there are still a lot, like 15 or more this could be an area of improvement.

Next is caching. Some hosting companies take care of this at the server level. For the rest a caching plugin is helpful. We use WP Fastest Cache. It’s easy to setup and works really well.

Lastly, images. Not everyone knows how to optimize images for the web, and big images can cause slowness. WP Smush will automatically optimize images and speed things back up.

Done. Almost!

With everything set up. We’re set until the next update cycle, except for one thing.

Watch for security alerts. These are usually bugs that allow attackers in so we want to catch them as soon as possible. Usually there’s an update that we can install, other times the plugin has to be disabled until an update is ready.

We hope you find this helpful to keep your site updated and secure. If you want us to handle it, you can sign up for WP Support HQ here.

Photo by Jamiecat *

What To Do If Your WordPress Website Is Blank

website design photo

Nothing is more frustrating than pulling up your WordPress website to find a blank page. The first thing that comes to mind is that someone is hacking your website. However, a serious issue such as that isn’t always the case. Often times, a blank website is the result of a corrupted plugin that is currently active.

Sometimes plugins become problematic when they are incompatible with the latest release of WordPress. This is especially true if they are no longer supported by their developers. Free plugins tend to have the problem of losing support while premium plugins are continually updated for each new WordPress release.

You can pinpoint which plugin is the culprit through a process of elimination. You will need FTP access to your domain which you can get from your hosting provider. Once you are inside of your FTP account using a FTP client, you will need to find the /wp-content directory. Once inside this directory, you will find the /plugins directory.

Rename the /plugins directory first to determine if it is one of the plugins you have installed that is causing the issue. When you reload your website in your web browser and it appears as it normally would, then it is for sure one of the plugins causing the blank page.

Now you can rename your /plugins directory back to its original name. Go into this directory and you will see a listing of all of your plugins. Move each plugin folder out of the main plugins directory one at a time. Test your website after each one you have moved. Soon, you will discover which plugin is having the issue. Once you have found the troublesome plugin, you can leave it off of your website. If you feel compelled, you can contact the plugin’s developers and ask if a fix is in the works.

Don’t worry if reading all of the above is over your head. You can outsource your WordPress support issues to professionals who can troubleshoot problems for you.

Contact us today. We work with numerous WordPress installations and have a deep knowledge of the platform, including common and not-so-common issues.

4 Helpful Ways to Avoid WordPress Security Problems

lock photo
Photo by Erwss, peace&love

With any business website, there are certain things you want to prioritize, such as making sure the load times are quick and that the website is completely secure.

Following helpful ways to maximize WordPress security will help you avoid security-related problems.

Stick with Reputable Themes and Plugins

Although there are plenty of attractive themes and unique plugins out there to choose from, you should stick to only downloading ones that are highly reputable. In most cases, you will benefit from this in a variety of ways as these themes and plugins are generally the most updated and secure options.

However, the most important part is to avoid security breaches upon installation.

Be Diligent with Staying Updated

WordPress, along with theme and plugin developers constantly strive to provide a better and more secure product, which is exactly why you should stay updated with all of them. As soon as you see an update for one of them get released, make sure to install it to enjoy a greater level of website security.

Use Complicated Passwords

Creating a complex password for both WordPress and the attached email is essential. Although you might be able to create a rather in-depth password on your own, you should consider looking into software that creates, stores, and encrypts highly complex passwords to maximize security.

Put a Limitation on Login Attempts

Although it will not stop every instance of someone trying to hack your website, you can put an end to some attempts by putting a limitation on login attempts that come from a single IP address.

If you want to enjoy even greater website security, please contact us today.