Archive for the ‘WordPress Security’ Category


WordPress Plugin Security Vulnerabilities

This post is about WordPress plugin security vulnerabilities. It’s great having WordPress plugins that extend the functionality of your WordPress site. They allow you to do many useful things – duplicate Pages or Posts, lock down your membership content, SEO your posts and many other things.

Realistically, no WordPress site can afford to not benefit from the functionality that plugins bring.

But there’s a problem.

What Are WordPress Plugin Security Vulnerabilities?

Many WordPress sites run a whole host of plugins, and those plugins get updated quite frequently. Sometimes an update adds functionality, sometimes it keeps the plugin working with a new WordPress version. But very often a plugin is updated because a security vulnerability has been found and fixed, and once the fix is published, the details of the vulnerability are effectively public too.

As a result, when you manage a WordPress website, you have to ensure all your plugins are up to date. If they get out of date, you’re leaving potential security holes in your site: holes that hackers can exploit. And because fixed vulnerabilities are public, attackers scan for the vulnerable version numbers, so an unpatched plugin is an easy target rather than an obscure one.

Don’t Hackers Just Guess Your Password?

Many people think that hackers gain access by guessing your username and password. And yes, this does happen. You can protect yourself against this by having hard to guess passwords and not having ‘admin’ as your username.

But more often, hackers get in by exploiting known vulnerabilities in plugins you haven’t updated.

So Why Are Plugins Vulnerable?

Let’s have a look at the components of a WordPress site. As well as the core WordPress files, you have a Theme and you have one or more (often a lot more) plugins.

A WordPress site runs one version of WordPress core, which may or may not be current. By default WordPress installs minor and security releases automatically in the background; major releases still need a click in the Dashboard unless you opt in to major auto-updates. So unless your WordPress version is seriously out of date, the built-in auto-update will keep core patched.

WordPress Themes

You will have one active theme, and this may be a free theme or a paid theme. I always recommend getting a paid theme from a reputable developer who updates their theme regularly and offers support if you can’t get something to work.

With free themes, you’re on your own. If it breaks, tough luck: you have to fix it yourself (are you any good at PHP coding?).

Reputable vendors of paid themes – like WooThemes – offer support that you can call on in times of difficulty.

WordPress themes don’t get updated that often, and you’ll normally stick with one – as this determines the look and feel of your site.

That leads us to plugins.

WordPress Plugins

Many sites have a whole host of plugins, each providing a piece of needed functionality. Because the average site has so many, there are many opportunities for a plugin to get out of date and carry a known vulnerability. Hence the need to keep them regularly updated.

And unlike WordPress core, plugins and themes are not updated automatically unless you turn that on: since WordPress 5.5 the Plugins and Themes screens have an ‘Enable auto-updates’ link for each one, and some hosts manage updates for you. If you leave the default, nothing updates until you do it.

This in turn means that if you manage a WordPress site, you need to log into it regularly to check if any plugins need updating. The alternative is to leave your site exposed to hackers.
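Checking for updates is the kind of daily chore that is easier to script than to remember. What follows is an added example, not code from this post: it uses WP-CLI (assumed to be installed on the server, run from the site's document root) to list what is out of date, apply updates, and switch on per-plugin auto-updates. The CSV it demos on is constructed. The same script covers the core and theme updates discussed in the later tips on this page.

```shell
#!/bin/sh
# Added example, not code from the original post: audit and apply WordPress
# updates with WP-CLI instead of logging in to the Dashboard every day.
# Assumes WP-CLI (`wp`) is installed and the script runs from the site's
# document root (or you pass --path=/var/www/site to each wp call).
set -eu

FIELDS=name,status,update,version,update_version

# Print "name  old -> new  (status)" for every row of `wp plugin list` /
# `wp theme list` CSV output whose update column says "available".
# Reads stdin so it can be exercised without a live site.
list_outdated() {
    awk -F, 'NR > 1 && $3 == "available" {
        printf "%s\t%s -> %s\t(%s)\n", $1, $4, $5, $2
    }'
}

# Number of rows with an update available (0 when everything is current);
# handy as the exit status of a cron job that should only nag when needed.
count_outdated() {
    awk -F, 'NR > 1 && $3 == "available" { n++ } END { print n + 0 }'
}

# Report what is out of date across core, plugins and themes.
audit() {
    wp core check-update
    echo "Plugins with updates available:"
    wp plugin list --fields="$FIELDS" --format=csv | list_outdated
    echo "Themes with updates available:"
    wp theme list --fields="$FIELDS" --format=csv | list_outdated
}

# Apply everything, then let WordPress handle future plugin/theme updates
# itself (per-extension auto-updates exist since WordPress 5.5).
# Take a backup first: an update can break a site as well as fix a hole.
apply_updates() {
    wp core update && wp core update-db
    wp plugin update --all
    wp theme update --all
    wp plugin auto-updates enable --all
    wp theme auto-updates enable --all
}

# Constructed sample of `wp plugin list` output, used by the demo below.
SAMPLE_CSV='name,status,update,version,update_version
akismet,active,none,3.1.1,3.1.1
contact-form-7,active,available,4.1,4.1.2
hello,inactive,available,1.6,1.7'

case "${1:-}" in
    audit)  audit ;;
    update) apply_updates ;;
    demo)   printf '%s\n' "$SAMPLE_CSV" | list_outdated ;;
esac
```

Run `sh wp-updates.sh audit` from a daily cron job and `sh wp-updates.sh update` once you have a current backup. Auto-updates rely on WP-Cron, so a site that never gets visitors (or has WP-Cron disabled) still needs the manual run.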

How Often Are Plugins Updated?

I manage many sites on behalf of my clients and myself. Every single day I see multiple cases of plugins that need to be updated. Often I will need to update plugins on sites twice or three times a day.

So What Should You Do?

If you don’t want – or are unable – to log in to your WordPress site every day, I provide a service to do this for you. It will also take care of your WordPress core and any theme updates – though these require updating far less frequently.

Next Steps To Address WordPress Plugin Security Vulnerabilities

If you believe that I can help you with keeping your WordPress websites up to date with your WordPress plugins as well as WordPress core files and your theme, contact me here.

WordPress Security Plugins – The 3 WordPress Security Barriers

Do you know the three biggest WordPress security barriers that frustrate most WordPress website owners? Are you aware that you can resolve a number of these just with WordPress security plugins?

If you're a WordPress website owner who wants to avoid these security barriers and take practical steps to make your site much harder to hack, then read this article now.

Barrier No.1: I Don't Know If I Have a Problem!

Let’s deal with the most fundamental problem first. Many people suspect that they might have a problem with security but don’t realise the scale of the problem. They don’t know if they are a likely target for hackers or not. They don’t know whether or not their site is already under attack.

Why is it a Barrier?

Ignorance is not bliss. Turning a blind eye to a prevalent problem will not make it go away. Pretending it’s not a problem will not help. Hacking is one of the biggest and most costly problems out there for a website owner. It's vital you take action today to safeguard your site tomorrow. And that starts with discovering whether or not you have a problem.

What is the Real Problem Here?

The reality is that if you have a WordPress site, and especially if it gets a fair amount of traffic, it may well already be under attack. In fact it's more than likely your site is under attack right now, mostly by automated scanners trying known plugin exploits and common passwords against every WordPress site they can find. You just can’t see it.

I see the results of hacking attacks every day. If you saw what I see, you'd realise the need for urgent action!

How Do You Get Around This?

You need to know a little about WordPress security plugins. You can get around this lack of knowledge simply by installing a free (yes, free!) security plugin. There's one I recommend to all my clients as a first line of defence. It's called WordFence.

Go to your WordPress Dashboard and search for the (free) WordFence plugin. You will need to configure this plugin to change some of the default options. But once you do, you’ll see the scale of the hacking activity that threatens your website.

For example, you’ll be notified about login attempts where hackers attempt to guess your WordPress username and password. This alone is worth getting this plugin for. If you're a bit overwhelmed by the options, just contact me and I can help you.

Barrier No.2: I Don't Know Where To Start

The next barrier I see is people who really don’t know where to start with security issues. Let’s say they have identified there are regular and persistent attempts by hackers to guess their WordPress administrator username and password.

Why Is It a Barrier?

It should be obvious this is a problem that needs to be resolved, but many people don’t know where to start. Again we need to start with objective facts. Your new WordFence plugin will give you loads of information if you let it. But security is not just about installing WordPress security plugins.

How Do You Get Around This Barrier?

After you’ve become aware of the hacking threats that face you by installing WordFence, you can start to configure it to meet your needs. The WordFence plugin will help you here by pointing to your likely security vulnerabilities.

Let’s say, for example, you have left the WordPress administrator username at its old default value: ‘admin’. This is the most attacked username, because hackers know that many sites never changed it, so half of the username-and-password guess is already done for them.

With WordFence, you’ll be able to see just how many hackers are trying to gain illicit access to your site in this way every day! You can see if hackers are trying 'admin' as a username. You'd be amazed how many do. This can be frightening and sobering, but there is a solution.

You Get Around This By ...

The way to get around this barrier is straightforward. Set up a new administrator user with a username other than ‘admin’, and give it a secure password (WordPress will generate one for you). Then delete the 'admin' user so it can no longer be used. When WordPress asks what to do with that user's content, choose ‘Attribute all content to’ your new administrator, otherwise its posts and pages are deleted along with it.

A hard-to-guess username helps a little, but don't rely on it: WordPress reveals usernames through author archives (/?author=1 redirects to /author/<username>/) and the REST API (/wp-json/wp/v2/users), so assume an attacker can find it. The password strength and the login lockout are the real defences; together they will block all but the most persistent hackers.

Barrier No.3: I Don't Know What to do After I'm Hacked

Why Is It a Barrier?

It’s best to know the route to sort out a problem before you come across it. That way you don’t waste time and potentially make costly errors.

If you don't know what to do when you’re hacked it can also mean your website is offline for longer than it needs to be. In the worst case, not knowing what to do could mean the loss of your site!

How Do You Get Around This Barrier?

You get around this by initially approaching your hoster. If they’re professional, they will have a service to clean up your site. This may either be included in your hosting fees, or may be an extra charge. Either way it may be cheaper than going to a specialist.

Failing that, there are a number of professional service providers who specialise in WordPress website cleanup. I use SiteLock and WordFence, and some of my clients use Sucuri. There are others out there, but I’d recommend checking out these providers first.

The service you’ll require depends on the nature of the hack, but if you know what cleanup is likely to cost beforehand and where to go, you’re in a much better position.

WordPress Security Plugins

WordPress security is a big and complex topic and can be a bit overwhelming to the uninitiated. There are many services available - and a lot of them are costly. The whole area can be a minefield! If this article has whetted your appetite to discover more about WordPress security plugins and what they can do for you, read on ...

Taking This Further …

Now you know the top three WordPress security barriers website owners face and how to get past them. So I'd like to invite you to cut to the front of the line to discover what further steps you can take to increase the security of your WordPress site.

As there's more information here than I can cover in a short article, I've put together a free online training to help you. So if you want to make your website secure - so that it doesn’t get hacked - join me on this FREE online training.

This could be the first step in making your site much harder to hack! Click on the link now.

Protect Your WordPress Website From Hackers Online Training

Protect Your WordPress Website - FREE Online Training

This FREE online training contains valuable step-by-step instructions on how to:

  • Discover how to protect your WordPress website
  • Learn how to speed up your website
  • What plugins to choose - and why
  • Where to find them
  • How to install and configure them

Join me, Alun Richards, as I reveal the secrets of increasing your security against hackers.

Just click on the graphic or click here for immediate access to my online training.

WordPress Security Tips – Avoid The 3 Biggest Problems

Want some usable WordPress security tips? Hacking is on the increase. You only have to watch the news to see that even major corporations are not immune. If they can be hacked so easily, what chance do you have?

Do you know the three biggest security barriers that block so many WordPress website owners? The ones that leave their websites - and business - at risk?

If you're a WordPress website owner who wants usable WordPress security tips and also wants to avoid these barriers to good WordPress security, read on ...

Barrier No. 1: Thinking You Won’t Get Hacked

Perhaps the most pressing problem with security is denial. Believing that you won’t get hacked – that it just happens to other people. The unfortunate fact is your website probably will get hacked at some stage.

So the first of my WordPress security tips is: the choice is to take preventive action now or pay the price in having your website totally disappear tomorrow. And if you rely on your website for revenue, exposure or credibility, where will that leave you?

Why is it a barrier?

Thinking you won’t get hacked is a barrier because it prevents you from taking the action you need to take.

What is the real problem here?

Let’s be honest here. If you don’t take responsibility for the security of your websites, then regrettably, it will cost you in terms of money, reputation and time. And most probably all three.

How do you get around this problem?

You get around this problem firstly by adjusting your thinking. It probably will happen sooner or later, so it’s best to put steps in place to cope with it without impacting your business.

Then you need to assess the risk and take appropriate action. To assess the potential risks you can research the prevalence of hacking online. You can discover the consequences of a website being hacked, and you can see how often it happens these days. Then you can decide what steps you need to take to prevent these types of attack.

How do you deal with this if you’ve already been hacked?

If you've already been hacked, there may be things you can do about it. Your hoster may have a single backup of your site, taken in the last week. If it was taken before the break-in and is uncorrupted, then you could be in luck. But don’t rely on it. It is not a replacement for a robust backup strategy.

In the worst case, if you have no backups and neither does your hoster, you may be faced with getting your site recreated from scratch.

Barrier No. 2: Not Putting Basic Protection In Place

Why is this a barrier?

You don’t leave your house door unlocked when you leave your house, do you? Yet so many people have insecure passwords, no firewall and no protection against brute force hacking attacks.

If you leave your site in this state, the sad reality is that you will get hacked, sooner or later.

What is the real problem here?

If you have no real protection, easy to guess passwords and no backups, it’s like leaving your door wide open. It’s inviting hackers in.

How do you get around this problem?

You get around this by at least taking the most fundamental steps toward security. I’ve blogged about these issues before, but in summary:

  1. Don’t use Admin as your administrator username.
  2. Have hard to guess passwords (WordPress will generate these for you).
  3. Keep your WordPress version, themes and plugins up to date.
  4. Install a security plugin like WordFence.

For more detail on each of these, check out my other articles on security on my blog: http://wptrainingnow.com/blog

How do you cope with the problem if you've already been blocked by it?

If you've already been hacked, this is how you get started again. First, take a deep breath and don’t do anything precipitate.

You first need to establish the extent of the hack. You can use the free scanner from Sucuri: http://sucuri.net/scanner. This will tell you whether it can see any malware on your site. If it finds malware, at least you know which direction you need to go in: you will have to get the site cleaned up. But be cautious. A remote scanner only sees what a visitor sees, so no malware found does not mean you have not been hacked!

Secondly get in touch with your hoster, as if your site has been defaced, you will need them to take it offline. Your hoster will then either be able to clean up your site, or recommend specialists to do this for you. A word of warning - this may well be chargeable. Two reputable specialist cleanup organisations are Sucuri and SiteLock.

Barrier No. 3: Not Having a Robust Enough Backup Strategy

Why is it a barrier?

This is a barrier because no matter what preventative measures you have, hackers may still be able to get through your protection.

What is the problem here?

If you don’t have a robust backup strategy, if you get hacked, you can lose everything. It's the reason cars have a spare tyre in the boot. You will eventually get a puncture and if you have no spare, your journey is over. If you do have a spare, it's just a case of swapping the tyre out.

It's exactly the same with backups. You restore from a backup to replace the hacked site, leaving it clean and ready to use. Two cautions, though. The backup you restore must predate the compromise, or you simply restore the attacker's backdoor along with everything else. And you must close the hole they came in through (update the vulnerable component, change every password and key) before the restored site goes live, or it will be hacked again the same way.

How do you get around this?

You need a backup strategy that backs up your site on a regular basis, and that holds those backups away from your site. That way, if your site is totally wiped – and this does happen – you can restore from the last viable backup that your backup system has available.

The alternative – storing your backups on your site is convenient until you lose your entire site!
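Here is what ‘held away from your site’ looks like in practice, as an added example rather than code from this post: a shell script that dumps the database with WP-CLI, archives the files, records a checksum, pushes the archive to another machine over rsync/SSH and prunes old copies. WP-CLI, rsync and GNU coreutils are assumed to be installed; the paths and hostnames are placeholders. If you would rather run your own backups than use the VaultPress service recommended later on this page, this is the shape of the job.

```shell
#!/bin/sh
# Added example, not code from the original post: a nightly WordPress backup
# that is kept away from the web server, verified by checksum and pruned.
# Assumptions: WP-CLI is installed, the site lives in SITE_DIR, and OFFSITE is
# an rsync-over-SSH destination on another machine (hostnames are examples).
set -eu

SITE_DIR="${SITE_DIR:-/var/www/example.com}"
STAGING="${STAGING:-/var/backups/wp}"          # local, outside the document root
OFFSITE="${OFFSITE:-backup@backup.example.net:/srv/wp-backups}"
KEEP_DAYS="${KEEP_DAYS:-30}"

# Dump the database and archive the site files into one timestamped tarball,
# record its SHA-256, and copy both to the off-site host.
backup_site() {
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)
    mkdir -p "$STAGING"
    # WP-CLI reads the DB credentials from wp-config.php; --add-drop-table
    # makes the dump restorable over a partly-cleaned database.
    wp --path="$SITE_DIR" db export "$work/db.sql" --add-drop-table
    tar -czf "$STAGING/site-$stamp.tar.gz" --exclude='wp-content/cache' \
        -C "$work" db.sql -C "$SITE_DIR" .
    rm -rf "$work"
    (cd "$STAGING" && sha256sum "site-$stamp.tar.gz" > "site-$stamp.tar.gz.sha256")
    # A compromise of the web host must not be able to delete or alter the
    # backups, so push them to a box the web server has no other access to.
    rsync -a "$STAGING/site-$stamp.tar.gz" "$STAGING/site-$stamp.tar.gz.sha256" "$OFFSITE/"
}

# Remove local archives (and their checksum files) older than $2 days under $1;
# prints how many files were deleted.
prune_backups() {
    dir=$1; days=$2; n=0
    for f in $(find "$dir" -maxdepth 1 -name 'site-*.tar.gz*' -mtime +"$days"); do
        rm -f "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Check an archive against its recorded checksum. Run this before every
# restore: a truncated or tampered backup is worse than none.
verify_backup() {
    (cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256")
}

case "${1:-}" in
    run)    backup_site; prune_backups "$STAGING" "$KEEP_DAYS" ;;
    verify) verify_backup "$2" ;;
esac
```

Give the web server an SSH key that the backup host restricts to rsync uploads with no delete or shell access, or better still have the backup host pull the archives, so a hacked web server holds no credentials that reach the backups. Restore a backup to a test site every few months; a backup you have never restored is a hope, not a plan.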

How do you proceed if you have no backups?

Sadly in this case you may well be looking at rebuilding your site from scratch. And this will undoubtedly involve time and money.

Of course, you may not have to start from nothing. You may still have your hosting, your autoresponder account and some of the content of your site held locally on your PC. So it may not be quite as painful as recreating it absolutely from scratch.

Summary: WordPress Security Tips

Now you know the top three WordPress security tips that WordPress website owners can benefit from. You know what the biggest problems are, and you know how to build momentum again if you've already been struck down by one of these problems.

If you’ve been affected – or just want to make sure you’re not affected, I'd like to invite you to cut to the front of the line to find the protection you need for your website. I’ll give you a free security consultation, identify your potential liabilities and recommend changes.

All complimentary – just contact me here:  https://www.wptrainingnow.com/blog/contact/

WordPress Security Scan – 3 Fundamental WordPress Security Tips

Do you have a WordPress website and want to know what the major security vulnerabilities are? Do you know the three minimum viable steps towards WordPress security that every WordPress website owner should know? Ever had a WordPress security scan?

This article is about WordPress security and getting the maximum protection for the minimum outlay.

You're a WordPress website owner and you’re probably concerned about hacking – and who wouldn’t be? In this article I share vital tips you must know to be properly protected against hackers. To avoid your website being hacked and losing everything, read this article now and take your WordPress security to the next level.

WordPress Security Tip No. 1: Get the Free WordFence Plugin

Why is this important?

You need something to stop brute force attacks – the repetitive trying of different passwords over and over again. This is a very common tactic amongst hackers. The great thing is that you can protect against this sort of attack for free.

What is the tip?

The tip is to get hold of the WordFence plugin. WordFence does a number of things for you to improve your security, and one of them is to act against brute force attacks. It limits password guessing by locking an IP address out after a number of failed attempts. Bear in mind that the lockout is per address and botnets spread their guesses across many addresses, so treat it as a speed bump that backs up a strong password (and two-factor authentication, which current versions of WordFence also offer) rather than as the whole defence.

It also detects changes to your WordPress code, plugins or theme – which can be a sign of a malware attack. It monitors access attempts and the paid version even allows you to block specific countries and IP addresses which show signs of repeated hacking attempts.

How to implement WordFence

To implement WordFence, just go to the WordPress plugins site, search for the free WordFence plugin, download it and install it. You can even do this from within your WordPress site. Just go to the plugins tab, click ‘add new’ and search for Wordfence. When it shows up in the search results, click to install it.

This tip is priceless because …

For the outlay of precisely zero Dollars, Pounds or Euros you can protect your website against hackers. It’s not the whole solution, but as a zero-cost option, it’s one you should have in place.

WordPress Security Tip No. 2: Have Hard to Guess Usernames and Passwords

What is the tip?

This tip is simply to have hard to guess usernames and passwords for your WordPress backend. Yes, I know, am I really spending time sharing this with you? Yes I am, because it’s vital.

Why is it important?

This tip is important because it costs you nothing, yet pays dividends. And it’s the first thing an attacker will try in order to gain access to your site, because it takes the least effort.

It’s frightening how many sites have an admin username of  ‘admin’ and a password of ‘password’ or ‘test1234’ or even ‘12345678’. If you have a username and password this easy to guess you may as well have no security at all.

You may not see this as a problem, but as soon as you install WordFence, you’ll see just how many failed attempts at guessing your password you get every day.

So how do you implement this tip to get better WordPress security?

WordPress will generate a very hard to guess password for you – you just need to ask it to! And if you have an admin user called ‘admin’, set up another admin user with a harder to guess username, then delete the original one called admin, attributing its content to the new user when WordPress asks.

WordPress Security Tip No. 3: Get Your Site a Robust Backup Plan

Why is this important?

No matter how good your security, a determined and skilled hacker can still get access to your site. Therefore you need a robust backup strategy so you can quickly and easily restore your site.

The alternative, once your site has been wiped out, is to rebuild your site from scratch, with all the cost, inconvenience and delays associated with that.

And this does happen, regrettably with increasing frequency.

What is the tip?

So whatever system you choose, you must have a reliable backup in place. There are a number of systems around, and there will be one that suits your budget and needs.

How do you implement this tip to get better WordPress backup results?

For many people running WordPress, I now recommend VaultPress (now sold as part of Jetpack). It’s a backup system run by Automattic, the company behind WordPress.com and a major contributor to WordPress itself, and it stores the backups off your server, which is the whole point. It’s robust, trusted and affordable.

Just search for VaultPress, select the option that’s right for you, and once VaultPress takes its first backup, you’ll be protected.

Vital Bonus Tip - Get a WordPress Security Scan!

Now that you've got the three important WordPress security tips down, I'd like to invite you to get even MORE advanced help with my bonus tip.

What is my bonus tip?

Many hackers gain access to your site through an out of date copy of WordPress. Older copies of WordPress have been found to contain vulnerabilities that hackers exploit. When WordPress identifies these vulnerabilities, a new version is issued. And, as with all WordPress code, this update is free.

If however your WordPress is not updated to the latest version, you can be leaving an easy access door available for any hacker. Many of the recent hacks are due to out of date WordPress code.

What’s true of WordPress versions is also true of your theme. Your theme, if not at the latest level, can be a source of attacks.

And what’s true of WordPress and your theme is even more true of outdated plugins.

Keeping Everything Updated

The trouble is, keeping WordPress, your theme and all your plugins up to date is a considerable drain on your time. If you miss an update, your site can be vulnerable. And the longer you leave it, the more threat it poses.

Is there an answer?

In response to this problem, I offer a cost-effective service to ensure your WordPress website is up to date. I carry out a WordPress security scan of your website. That’s WordPress itself, your theme and all your plugins.

And I don't just do this once, I do it regularly. I actively monitor your site and take action to update any component that is out of date and hence a vulnerability.

Next Steps - WordPress Security Scan

If you're a WordPress website owner who wants to ensure you always have the latest version of WordPress, each plugin and theme then get my WP Maintenance Service - NOW!

Click Here For More information: http://wptrainingnow.com/blog/wp-maintenance

WordPress Security Check – Security Tips For All Website Owners

Want a quick WordPress security check? Do you want to know the three vital WordPress security tips every WordPress website owner should know to have your site secured against hackers? This article is about taking the minimum viable steps to WordPress security. This means the minimum outlay with the maximum protection.

You're a WordPress website owner and you’re probably concerned about hacking – and who wouldn’t be? In this article I share three vital tips you must know to be properly protected against hackers. To avoid your website being hacked and losing everything, read this article now and take your WordPress security to the next level.

WordPress Security Tip No. 1: Get The Free WordFence Plugin

Why Is This Important?

You need something to stop brute force attacks – the repetitive trying of different passwords over and over again. This is a common tactic among hackers. The great thing is that you can protect against this sort of attack - and for free!

What Is The Tip?

The tip is to get hold of the WordFence plugin. WordFence does a number of things for you to improve your security, and one of them is to act against brute force attacks. In simple terms, it limits password guessing by locking an IP address out after a number of failed attempts. Remember that the lockout is per address and botnets spread their guesses over many addresses, so it slows attackers down rather than stopping them; the strong password (and two-factor authentication, which current versions of WordFence also provide) is what actually keeps them out.
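The same activity can be seen from the server side, which is useful both for checking WordFence's numbers and for sites where you cannot install a plugin. The script below is an added example, not code from this post or from WordFence: it counts login and XML-RPC POSTs per client in an ordinary Apache/nginx ‘combined’ access log and picks out the successful login among the failures. The log lines it ships with are constructed; feed it your real log on stdin. This also covers the identical tip in the previous article on this page.

```shell
#!/bin/sh
# Added example, not code from the original post: spot password-guessing
# bursts in the web server's own access log (Apache/nginx "combined" format),
# the same activity WordFence reports from inside WordPress. Reads log lines
# on stdin; the IPs and timestamps in the sample below are constructed.
set -eu

# Print "ip count" for every client that POSTed to wp-login.php or xmlrpc.php
# at least $1 times (default 20), busiest first. xmlrpc.php counts because its
# system.multicall method lets one request carry hundreds of password guesses.
login_attempts() {
    awk -v th="${1:-20}" '
        # Combined format: $1 ip, $4 [time, $6 "METHOD, $7 path, $9 status.
        $6 == "\"POST" && ($7 ~ /\/wp-login\.php([?]|$)/ || $7 ~ /\/xmlrpc\.php([?]|$)/) {
            hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= th) printf "%s %d\n", ip, hits[ip] }
    ' | sort -k2,2nr
}

# A failed login returns the form again (200); a successful one redirects
# (302). A 302 from an address that was also guessing is the line to chase.
successful_logins() {
    awk '$6 == "\"POST" && $7 ~ /\/wp-login\.php([?]|$)/ && $9 == "302" { print $1, $4 }'
}

# Constructed sample: one guessing host, one legitimate login.
SAMPLE_LOG='203.0.113.5 - - [10/Mar/2015:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3204 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3204 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:02:14:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:02:15:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:02:15:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"'

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | login_attempts 3
          printf '%s\n' "$SAMPLE_LOG" | successful_logins ;;
    "")   ;;
    *)    login_attempts "$1" ;;   # e.g.  sh wp-bruteforce.sh 50 < /var/log/nginx/access.log
esac
```

A site behind a proxy or CDN logs the proxy's address in the first field; switch to the X-Forwarded-For value your server writes, or every attacker will look like one very busy IP. If you never use XML-RPC, the xmlrpc.php hits are also a reason to block that file at the web server.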

It also detects changes to your WordPress code, plugins or theme – which can be a sign of a malware attack. It monitors access attempts and the paid version even allows you to block specific countries and IP addresses which show signs of repeated hacking attempts.
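WordFence's change detection can be reproduced with coreutils if you want an independent check, or a check that still works when the plugin itself has been tampered with. Added example, not code from this post or from WordFence: take a SHA-256 manifest of the site tree right after a clean update, then diff the tree against it on a schedule. It assumes GNU sha256sum and paths without spaces; the demo tree it builds is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: a hand-rolled version of the
# file-change detection WordFence does. Take a baseline right after a clean
# install or update, re-check on a schedule, and explain every difference.
# Assumes GNU coreutils (sha256sum) and a site tree without spaces in paths.
set -eu

# Write "sha256  ./relative/path" for every file under $1 into $2.
# Skips the page cache (churns constantly) and non-PHP files in uploads
# (images change all the time), but keeps uploads/*.php: a PHP file in
# the uploads directory is the classic dropped web shell.
make_baseline() {
    (cd "$1" && find . -type f \
        ! -path './wp-content/cache/*' \
        ! \( -path './wp-content/uploads/*' ! -name '*.php' \) \
        -exec sha256sum {} + | LC_ALL=C sort -k2) > "$2"
}

# Compare the tree at $1 with baseline $2 and print one line per difference:
# "changed <path>", "added <path>" or "removed <path>", sorted by path.
check_integrity() {
    dir=$1; baseline=$2
    now=$(mktemp)
    make_baseline "$dir" "$now"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         {
             seen[$2] = 1
             if (!($2 in base))       print "added", $2
             else if (base[$2] != $1) print "changed", $2
         }
         END { for (p in base) if (!(p in seen)) print "removed", p }' \
        "$baseline" "$now" | LC_ALL=C sort -k2
    rm -f "$now"
}

# Demo on a constructed site tree: baseline, then simulate an attacker editing
# index.php and dropping a shell into uploads.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/site/wp-content/uploads" "$t/site/wp-content/cache"
    echo '<?php echo "home";' > "$t/site/index.php"
    echo 'cached html' > "$t/site/wp-content/cache/page.html"
    make_baseline "$t/site" "$t/baseline.txt"
    echo '<?php eval($_POST["c"]);' > "$t/site/wp-content/uploads/x.php"
    echo '<?php echo "home"; /* injected */' > "$t/site/index.php"
    check_integrity "$t/site" "$t/baseline.txt"
    rm -rf "$t"
}

case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_integrity "$2" "$3" ;;
    demo)     demo ;;
esac
```

Keep the baseline file outside the document root and off the web server too (for example with the backups), otherwise an intruder who can write to the site can also rewrite the manifest. Expect ‘changed’ lines after every legitimate update; re-baseline immediately afterwards so the next report is quiet again.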

How To Implement WordFence

To implement WordFence, just go to the WordPress plugins site, search for the free WordFence plugin, download it and install it.

You can even do this from within your WordPress site. Just sign in to your WordPress Dashboard, go to the Plugins tab, click ‘Add New’ and search for Wordfence. When it shows up in the search results, click to install it.

This Tip Is Priceless Because …

For the outlay of precisely zero Dollars, Pounds or Euros you can protect your website against hackers. It’s not the whole solution, but as a zero-cost option, it’s one you should have in place.

WordPress Security Tip No. 2: Have Hard To Guess Usernames And Passwords

What Is The Tip?

This tip is simply to have hard to guess usernames and passwords for your WordPress backend. Yes, I know, am I really spending time sharing this with you? Yes I am, because it’s vital.

Why Is It Important?

This tip is important because it costs you nothing, yet pays dividends. And it’s the first thing an attacker will try in order to gain access to your site, because it takes the least effort.

I read a report on computer security last week. It’s frightening how many sites have an admin username of  ‘admin’ and a password of ‘password’ or ‘test1234’ or even ‘12345678’. In fact the most common username and password combination is 'username' and 'password'!

If you have a username and password this easy to guess you may as well have no security at all.

How Do You Implement This Tip To Get Better WordPress Security?

WordPress will generate a very hard to guess password for you – you just need to ask it to! Sign into your Dashboard and go to the Users tab. Click on the user you want to change. About half way down the screen is an option to change your password. Allow WordPress to generate one for you. This will be nigh on impossible to guess.

And if you have an admin user called ‘admin’, set up another admin user with a harder to guess username, then delete the original one called admin. When WordPress asks what to do with its content, attribute it to the new user rather than deleting it.
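This step, which the earlier articles on this page give in the same form, can be done from the command line, which is also the place to check whether the new username is still visible to an attacker. The script below is an added example, not code from this post: WP-CLI (assumed to be installed on the server) creates the new administrator and deletes ‘admin’ with its content reassigned, and two small parsers show how author-archive redirects and the REST users endpoint reveal usernames. The site URL and user names are placeholders; the JSON sample is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: retire the 'admin' account
# with WP-CLI without losing its content, then check whether the new username
# still leaks. Assumes WP-CLI on the server; https://example.com is a placeholder.
set -eu

# Create a new administrator (WP-CLI prints the generated password once; put it
# in a password manager) and delete 'admin', handing its posts to the new user.
replace_admin_user() {
    new_login=$1; email=$2
    wp user create "$new_login" "$email" --role=administrator
    new_id=$(wp user get "$new_login" --field=ID)
    # Without --reassign the old user's posts and pages are deleted with it.
    wp user delete admin --reassign="$new_id" --yes
    echo "$new_id"
}

# Usernames are exposed by author archives (/?author=N redirects to
# /author/<nicename>/) and by the REST API (/wp-json/wp/v2/users lists every
# user who has published). The nicename normally equals the login, so a
# renamed admin is only hidden if neither endpoint gives it away.
author_from_redirect() {
    # "https://example.com/author/alun/" -> "alun"; empty if no /author/ segment
    printf '%s\n' "$1" | sed -n 's#.*/author/\([^/?]*\).*#\1#p'
}

slugs_from_users_json() {
    # Pull the "slug" values out of the REST response (no JSON parser needed).
    grep -o '"slug":"[^"]*"' | sed 's/"slug":"\(.*\)"/\1/'
}

probe_site() {
    base=$1
    for n in 1 2 3 4 5; do
        loc=$(curl -s -o /dev/null -w '%{redirect_url}' "$base/?author=$n")
        u=$(author_from_redirect "$loc")
        [ -n "$u" ] && echo "author=$n -> $u"
    done
    curl -s "$base/wp-json/wp/v2/users" | slugs_from_users_json | sed 's/^/rest: /'
}

# Constructed sample of a /wp-json/wp/v2/users response.
SAMPLE_USERS='[{"id":1,"name":"Alun","slug":"alun"},{"id":2,"name":"Editor","slug":"ed"}]'

case "${1:-}" in
    replace) replace_admin_user "$2" "$3" ;;
    probe)   probe_site "$2" ;;
    demo)    printf '%s' "$SAMPLE_USERS" | slugs_from_users_json
             author_from_redirect 'https://example.com/author/alun/' ;;
esac
```

If `probe` prints your administrator's name, the username is not a secret and the password, the lockout and two-factor authentication are doing all the work; that is fine as long as you know it. Blocking the author redirect and the users endpoint at the web server or with a plugin reduces the leak, but never treat an obscure username as a substitute for a strong password.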

WordPress Security Tip No. 3: Get Your Site a Robust Backup Plan

Why Is This Important?

No matter how good your security, a determined and skilled hacker can still get access to your site. Therefore you need a robust backup strategy so you can quickly and easily restore your site.

The alternative, once your site has been wiped out, is to rebuild your site from scratch, with all the cost, inconvenience and delays associated with that.

And this does happen, regrettably with increasing frequency.

What Is The Tip?

So whatever site you have, you must have a backup strategy, and whatever strategy you choose, you must have a reliable backup system in place. There are a number of systems around, and there will be one that suits your budget and needs.

How Do You Implement This Tip?

For many people running WordPress, I now recommend VaultPress (now sold as part of Jetpack). It’s a backup system run by Automattic, the company behind WordPress.com and a major contributor to WordPress itself, and it stores the backups off your server, which is the whole point. It’s robust, trusted and affordable.

Just open a web browser and search for VaultPress, select the option that’s right for you, and once VaultPress takes its first backup, you’ll be protected.

WordPress Security Check - Bonus Tip

Now that you've got the three important tips for WordPress security success down, I'd like to invite you to get even MORE advanced help with my bonus tip.

What Is My Bonus Tip?

Many hackers gain access to your site through an out of date copy of WordPress. Older copies of WordPress have been found to contain vulnerabilities that hackers exploit. As soon as WordPress identifies these vulnerabilities, they issue a new version. And, as with all WordPress code, this update is free.

If, however, you do not update WordPress to the latest version, you can be leaving an easy access door available for any hacker.

What’s true of WordPress versions is also true of your theme. Your theme, if not at the latest level, can be a source of attacks. And what’s true of WordPress and your theme is even more true of outdated plugins. Plugins are great, and add functionality to your WordPress site.

So you must keep your WordPress version, theme and all plugins updated to the latest level.

Keeping Everything Updated

The trouble is, keeping WordPress, your theme and all your plugins up to date can be a considerable drain on your time. If you miss just one update, your site can be vulnerable. And the longer you leave it, the more threat it poses.

Is There An Answer?

In response to this problem, I offer a cost-effective service to ensure your WordPress website is up to date. I will ensure your site stays up to date. That’s WordPress itself, your theme and all your plugins. I monitor your site and take action to update any component that is out of date and hence a vulnerability.

WordPress Security Check - Next Steps

If you're a WordPress website owner who wants to ensure you always have the latest version of WordPress, each plugin and theme then get my WordPress maintenance service - NOW! It's just £5 per month for each site.

Want a WordPress Security Check?

Click Here To Get Covered By My WordPress Maintenance Service:

http://alunloves.it/wpmaintenance

WordPress Security Practices – Thwarting The Hackers

Here's a short video on WordPress security practices. It covers what you can do to improve the security of your WordPress website. We all know that hacking is on the increase and you risk losing your entire site in a hack.

But is there really anything you can do to prevent a hacking attack? Watch my short video and decide for yourself!

WordPress Security Practices

Here is a summary of the actions YOU can take today to improve the security of your WordPress site.

  1. Keep WordPress up to date
  2. Keep your plugins and theme updated
  3. Avoid brute force attacks

Once you've watched the video, it may be obvious what your next steps are. In that case, just get those things implemented today, and harden the security of your site.

On the other hand, it may be that you need a little advice on the best way to go for you and your site. As WordPress security can be a complex issue, I'm happy to help you out.

If you'd like a no-obligation chat about the security of your site and how it can be improved, contact me, Alun Richards, here: http://wptrainingnow.com/blog/contact

WordPress Security Best Practices – How To Thwart The Hackers

You hear people talking about WordPress security best practices, but what are they? What do they involve, and can you implement them yourself?

You may of course be worried about people getting into your WordPress site. You should be! This article lets you know the ways hackers normally hack your website so you can safeguard against them.

Fortunately, computer hacking is not really like you see in the movies. Hackers don't typically plug in a fancy computer and run a bunch of numbers. Usually the way people get into your website is through an outdated version of WordPress, outdated plugins or themes with vulnerabilities, and easy-to-guess usernames and passwords.

Did you know that Al Gore's blog and CNN blogs have been hacked? These attacks all happened because the sites used older versions of WordPress. But as soon as these high-profile blogs were hacked, the creators of WordPress released a newer version that prevented those kinds of attacks.

WordPress Security Best Practices

The good news is that having good protection against hacking is more about putting best practice procedures into place rather than spending a fortune with a security consultant. So what is my advice regarding WordPress security best practices?

1. Keep WordPress Up To Date

One of the biggest vulnerabilities, as we've just seen, is an out-of-date copy of WordPress. That's why it's a very good idea to keep your WordPress version up to date.

Usually when WordPress fixes a problem it's a small and obscure bug, and you can upgrade to the latest version in just one click. In your WordPress dashboard, go to the Updates area and it will tell you either that WordPress is up to date or that it needs an upgrade. Click the button and you are good to go.

Incidentally, WordPress is not especially vulnerable to hacking; it's just that, as it powers about 25% of the websites worldwide, a lot of people know a lot about it. And hackers in particular exploit the tiniest vulnerability again and again.

2. Keep Your Plugins Updated

It's no good having an up-to-date WordPress version if some of your plugins still contain security holes. If you are really worried about it, do a few Google searches for the plugins and themes you're using on your site and see if anyone has reported security holes or flaws in them.

A widely publicised security hole in the past was due to a WordPress plugin called TimThumb. This was a way to resize images in a theme so you could upload a picture or a logo to that theme. Unfortunately, the way it resized the image allowed someone to gain access to the associated WordPress site.

If you had one of those plugins or themes, all you had to do was a quick search and an update to the latest version of that plugin or theme, which fixed the issue. Very rarely, a plugin is simply no longer updated. If so, a Google search will tell you that you are using an insecure plugin that has no updates, and in that case it's a good idea to stop using it and find an alternative.

3. Avoid Brute Force Attacks

Even with the most up-to-date WordPress and the most up-to-date plugins, most hackers gain access to your WordPress site by simply guessing your username and password. Trying common usernames and passwords repeatedly is called a brute force attack: for example, simply trying to log in with the username Admin and the password Admin, or the username Admin and the password Test.

So if you have an admin user called admin, you need to correct that. Set up a new user account using (say) your first and last name and a password containing letters and numbers that no one will ever guess, and then delete that Admin user.

One of the security plugins I recommend is Wordfence. It forces you to choose a hard-to-guess password and lets you lock out computers that have made repeated attempts at guessing your username and password.
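Wordfence does that lockout for you, but the check behind it is simple enough to see in a few lines. The Python below is an added illustration, not part of this post or of the Wordfence plugin: it runs over a handful of constructed web server access-log lines and flags any address that repeatedly POSTs to wp-login.php and gets the form back. It assumes WordPress's usual behaviour of answering a failed login with a 200 (form re-rendered) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in Apache/nginx "combined" log format; not real traffic.
def _entry(ip, ts, method, status):
    return f'{ip} - - [{ts}] "{method} /wp-login.php HTTP/1.1" {status} 4312 "-" "Mozilla/5.0"'

SAMPLE_LOG = (
    # six failed logins from one address within 25 seconds
    [_entry("203.0.113.7", f"10/Mar/2016:14:02:{s:02d} +0000", "POST", 200) for s in range(0, 30, 5)]
    + [_entry("198.51.100.4", "10/Mar/2016:14:05:00 +0000", "POST", 200),  # a real user mistypes...
       _entry("198.51.100.4", "10/Mar/2016:14:05:09 +0000", "POST", 302),  # ...then logs in (redirect)
       _entry("192.0.2.10", "10/Mar/2016:14:06:00 +0000", "GET", 200),     # just loading the form
       _entry("203.0.113.7", "10/Mar/2016:14:30:00 +0000", "POST", 200)]   # lone late attempt, outside window
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def failed_login_bursts(lines, threshold=5, window_seconds=60):
    """Map each IP whose failed wp-login.php POSTs reach `threshold` inside any
    `window_seconds` span to its peak count. Assumption: status 200 on a POST to
    wp-login.php is a failed attempt, 302 a success. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.startswith("/wp-login.php") or status != 200:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()          # drop attempts that have aged out of the window
        peak[ip] = max(peak[ip], len(window))
    return {ip: n for ip, n in peak.items() if n >= threshold}
```

Addresses in the returned dict are the ones a lockout rule (or a firewall block) would act on; the legitimate user's single typo never reaches the threshold.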

WordPress Security Best Practices Summary

In this article I've covered some of the easy ways that hackers use to get into WordPress, and how you can protect yourself against them. In short, keep your version of WordPress up to date, and keep your plugins and themes up to date too. Google the names of the plugins you're planning to use to make sure that there are no known vulnerabilities in them. And above all, use hard-to-guess usernames and passwords in WordPress.

Just by doing this you are making your WordPress site harder to hack, and a hacker may well turn their attention to a site that's easier to break into. If you'd like to know whether your WordPress site has vulnerabilities, just contact me for a no-obligation chat here: https://www.wptrainingnow.com/blog/contact/


How To Make WordPress Safe Without Any Plugins

I don't know about you, but when I was first securing my WordPress blog, and I was researching to see what others were doing to keep their blogs safe, I found so much information that I was completely confused. And some of the information was in fact over the top or superstitious. People told me to rename this file, rename that folder and install these ten plugins. It seemed to be quite a bit of work and effort.

An easy way to keep WordPress safe is to use a few built-in tools: don't allow people to list the files in your folders, run a web host security scan, and automatically back up your entire web hosting account.

By default, the latest version of WordPress is pretty darn secure. Anything that might have been added to a WordPress security plugin has been considered by the WordPress development team. In the past, WordPress did have holes, but now most of them have been closed.

The first thing you should do is check your various folders. Your WordPress blog has folders such as wp-content, wp-admin and wp-includes. So if you visit /wp-content on your site in a web browser, what shows up? Does it list all the folders and files in that folder? If so, all you have to do is upload a blank file named index.html into that folder to make sure that no one can view the listing.

What if you go to /wp-content/plugins? Can you view that folder? If so, upload the blank index.html file into that folder as well, so people can't see which plugins you have. Even if your current version of WordPress is up to date, if you are using an old plugin or a plugin with a security hole, someone can use that to gain access.

Next, most web hosts allow you to run a security scan from the cPanel area to see if anyone has injected bad code that may be used to gain unauthorized access, send emails, or something like that.

Just run that web host security scan and see what comes up. If anything looks out of the ordinary or you are not sure about it, contact your web host and see what they think. And whether or not you find anything bad, automatically back up your whole account. In cPanel you can back up your entire web hosting account and save it to your hard drive, so that even if something goes wrong at some point, at least you have a backup copy of everything that's there.

Those are three very simple things you can do to keep WordPress safe without plugins: put a blank index.html file in your folders, run your web host security scan, and back up your entire account.
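The index.html placeholder check can be done once for every folder rather than by hand in a browser. The Python below is an added example, not code from this post or from WordPress: it looks for the folders the post mentions (plus wp-content/themes and wp-content/uploads, added here as assumptions) that have no index file at all, drops an empty index.html into each, and exercises itself against a constructed miniature WordPress tree in a temporary directory.

```python
import os
import tempfile

# Folders to check. wp-content and wp-content/plugins come from the post;
# themes and uploads are added here as further commonly listable folders (assumption).
DEFAULT_DIRS = ("wp-content", "wp-content/plugins", "wp-content/themes", "wp-content/uploads")
# Any of these already stops a web server from showing a folder listing.
INDEX_FILES = ("index.php", "index.html", "index.htm")

def unprotected_dirs(root, dirs=DEFAULT_DIRS):
    """Return the folders from `dirs` that exist under `root` but contain no index
    file, i.e. those a server with directory listing enabled would expose."""
    return [d for d in dirs
            if os.path.isdir(os.path.join(root, d))
            and not any(os.path.exists(os.path.join(root, d, f)) for f in INDEX_FILES)]

def add_placeholders(root, dirs=DEFAULT_DIRS):
    """Create an empty index.html in every unprotected folder; return the folders fixed."""
    fixed = []
    for d in unprotected_dirs(root, dirs):
        # 'x' mode creates the file and refuses to overwrite anything that exists,
        # so a real index.php or index.html can never be clobbered.
        with open(os.path.join(root, d, "index.html"), "x"):
            pass
        fixed.append(d)
    return fixed

def demo():
    """Build a constructed mini WordPress tree (not a real install) and harden it.
    Only wp-content is given an index.php; the three subfolders are left bare."""
    with tempfile.TemporaryDirectory() as root:
        for d in DEFAULT_DIRS:
            os.makedirs(os.path.join(root, d), exist_ok=True)
        open(os.path.join(root, "wp-content", "index.php"), "w").close()
        before = unprotected_dirs(root)     # what a browser would have listed
        fixed = add_placeholders(root)
        after = unprotected_dirs(root)      # should be nothing left
        return before, fixed, after
```

Point the two functions at the real document root of a site and the second call reports exactly which folders had to be covered.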


Avoid WordPress Security Vulnerabilities – Quick And Easy Tips

Want to know how to avoid WordPress security vulnerabilities? Here's a quick security question for you. If you have a WordPress site and the username and password you use to gain access to it are Admin and Test (or password!), are you at risk of your website being taken over?

The answer is yes. The point is that you can have all the security measures and all the fancy security plugins in place, but if your password is something that can easily be guessed, you are leaving the door wide open.

That's why it's important to have a secure and hard-to-guess WordPress login and password. What can you do? Make sure your username is not Admin or Administrator, change your WordPress password regularly, and use different passwords from those you use for other WordPress sites or FTP accounts.

Don't Use Admin As a Username

By default, when you set up WordPress it gives you the username Admin, which means that when you log in you type in the username Admin and some password. But this hands hackers half of the information they need. If they already know that you are using Admin, all they have left to guess is the password. And don't use something obvious like your first name, your first and last name, or the title of the site.

But if your username is something meaningful to you yet not obvious to strangers, they don't know where to start with the username. Now potential intruders have to guess two different factors: your username and your password.

That's why, even though WordPress by default sets your username to Admin, the first thing you should do is create a new user account named after your first and last name, save it, and then delete the original Admin account. That will cut down on a lot of automated attempts.

Change Your Password Regularly

Something else that is easy to do is change your WordPress password regularly, for example once per month. This means you are always thinking of something new to type, a new password that no one would ever guess, because you are changing it every month. You would be surprised at how many passwords consist of someone's name, child's name or pet's name. But if you change your password on a regular basis and add letters and numbers to it, you have a password that no one will guess, which means that no one will have access to your site other than you and the people you choose.

Finally, use a different password from any other WordPress blogs you own, and a different password from your email and FTP accounts. The problem with using the same password for different accounts is that if someone gets access to your WordPress site, they now also have access to your other WordPress sites, your email, your FTP and so on. But if you use different passwords for WordPress, for email and for FTP, then if someone happens to gain access to your WordPress site they don't get access to your other accounts.

WordPress Security Vulnerabilities Summary

In this article, we've looked at a number of common WordPress security vulnerabilities. We've seen that setting a secure WordPress login and password is easy. We've covered why you don't want to use Admin as your username, and the importance of changing your admin password regularly.

We saw why you must use different passwords for each of your WordPress blogs, for your email account and for your FTP account.

If you've read this article and want to know the next steps to keeping your WordPress website secure, why not request a chat about your security and perhaps how I can help you? Just fill in the form at http://wptrainingnow.com/blog/contact and I'll be in touch.
