10 Advanced Security tips for WordPress

WordPress security and protection
Secure your WordPress blog from hackers!

WordPress is a commonly used CMS for building websites and blogs. It is a secure platform and offers plenty of free and premium themes for building your website or blog easily. As long as your WordPress installation, plugins and themes are always up to date and you use a strong password, you should not have to worry much about security.

Because WordPress is so popular, it is a regular target for brute-force attacks, spam bots and other automated exploitation of security vulnerabilities. Insecure WordPress installations are commonly used to launch DDoS attacks on other sites or to send large amounts of spam email, causing IP blacklisting issues and more. These attacks are automated and target installations that use default usernames, weak passwords, or outdated plugins, themes and WordPress core versions with known security vulnerabilities.

Most website owners are unaware their website or blog has been compromised until it’s too late and they start losing site traffic, their site gets blacklisted in Google and their search engine rankings start dropping.

Implementing these 10 simple but effective security measures will secure your WordPress blog or website against common hacking attempts.

1. Make a new user account

First create a new user account with a name other than the default ‘admin’, then delete the default ‘admin’ account. That account is commonly targeted by bots and attackers trying to gain access to your WordPress installation, so don’t use common usernames such as ‘admin’ when creating the new user. You can easily set up a new account by navigating to “Users” and then “Add New” from your WordPress dashboard menu.

2. Always use secure & strong passwords

Never use easy-to-guess or simple passwords such as your name, date of birth, etc. They might be easy to remember, but they are also easy for hackers to crack. Always choose a strong, secure password of eight or more characters that mixes numbers, special characters, and uppercase and lowercase letters. You can use an online password generator such as Norton’s Identity Safe password generator.
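The policy described above, as an added example in Python that is not from the original article: `policy_failures` reports every way a candidate password misses the eight-character, mixed-class rule and, since the article warns against names and birth dates, optionally rejects any personal terms you pass in; `generate_password` builds a password from the OS random source with every character class guaranteed. The function names, the special-character set and the sample passwords are this example's own choices.

```python
import secrets
import string

MIN_LENGTH = 8  # the article's minimum; longer is better
CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "digit": string.digits,
    "special character": "!@#$%^&*()-_=+[]{};:,.?",  # example's own choice of symbols
}


def policy_failures(password, personal_terms=()):
    """List every way `password` breaks the policy; an empty list means it passes.
    `personal_terms` are strings an attacker could guess about you (name, birth year)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(f"no {name}")
    lowered = password.lower()
    for term in personal_terms:
        if term and term.lower() in lowered:
            failures.append(f"contains personal term {term!r}")
    return failures


def meets_policy(password, personal_terms=()):
    return not policy_failures(password, personal_terms)


def generate_password(length=16):
    """Build a password from the OS CSPRNG with at least one character of every class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    picks = [secrets.choice(chars) for chars in CLASSES.values()]  # one per class
    alphabet = "".join(CLASSES.values())
    picks += [secrets.choice(alphabet) for _ in range(length - len(picks))]
    secrets.SystemRandom().shuffle(picks)  # so the class order is not predictable
    return "".join(picks)


if __name__ == "__main__":
    # Constructed sample: a password built from a name and a birth year
    print("alice1990 ->", policy_failures("alice1990", personal_terms=("alice", "1990")))
    print("generated ->", generate_password(16))
```

Note that a class-count rule alone still accepts something like “Alice1990!” built from personal details; that is why the personal-terms check exists, and why a generated password beats a remembered one.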

3. Change your author nick name

Don’t use your username as your author name, since the author name is displayed on every blog post. Change your WordPress account’s author name to something other than your username from your WordPress dashboard menu under “Users” and then “Your Profile” by editing the ‘Nickname’ field. After you have entered a new nickname, select it under “Display name publicly as”.

4. Install a security plugin

There are several widely popular WordPress security plugins that can protect your WordPress blog or website by scanning for malicious code and blocking hacking attempts. The two most popular plugins, both regularly updated and maintained, are Wordfence Security and iThemes Security. Both do plenty to increase the security of your WordPress site, such as brute-force protection, strong password requirements, security and malware scans, and blocking of bad bot traffic. You can also enable two-step authentication with Google using these plugins.

5. Block all IP addresses except your own from logging into wp-admin

Another great way to increase security for your blog is to allow wp-admin access only from your whitelisted IP addresses. You can do this by adding the following code to the .htaccess file in your wp-admin directory, through the cPanel File Manager or FTP.

order deny,allow
deny from all
# whitelist home IP address
allow from 22.33.44.55
# whitelist work IP address
allow from 22.33.44.55
# whitelist holiday IP address
allow from 22.33.44.55

Add this code to your .htaccess file and make sure to replace ‘22.33.44.55’ with your own IP addresses (search “what is my IP” in Google to determine your IP address). You can add more IPs to the .htaccess file if your IP changes quite often or if you move around a lot. This is not suitable if you have a dynamic IP that is constantly changing, or if you travel a lot and use the internet from different locations. Any time someone tries to access the wp-admin directory from a non-whitelisted IP, they will be presented with a Forbidden page. If you do this, make sure to update the whitelisted IP each time your IP changes, before you try to access your wp-admin dashboard.
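Before uploading a rule set like the one above it is worth checking that your own address is actually covered, because a typo locks you out of your dashboard. The Python script below is an added example, not part of the article: it models how Apache's mod_access_compat evaluates `Order`, `Deny from` and `Allow from` (full addresses and CIDR ranges only; Apache's partial-address, hostname and `env=` forms are not covered) and reports which of your addresses the rules would reject. The sample rules, the 203.0.113.0/24 office range and the probe addresses are constructed for the example. Two caveats a practitioner should keep in mind: on Apache 2.4 these directives only work when mod_access_compat is loaded, the native equivalent being `Require all denied` plus `Require ip` lines; and because the rules cover the whole wp-admin directory they also block wp-admin/admin-ajax.php, which some themes and plugins call on behalf of logged-out visitors.

```python
import ipaddress

# Constructed sample: the article's rules, plus a CIDR range for a whole office network.
HTACCESS_RULES = """\
order deny,allow
deny from all
# whitelist home IP address
allow from 22.33.44.55
# whitelist work network (Apache also accepts CIDR ranges here)
allow from 203.0.113.0/24
"""

# "all" matches every v4 and v6 client
ALL = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def _hosts(tokens):
    """Turn the host list of a Deny/Allow line into ip_network objects."""
    nets = []
    for tok in tokens:
        if tok.lower() == "all":
            nets.extend(ALL)
        else:
            # Full addresses and CIDR only; Apache's partial-address and
            # hostname forms are deliberately not modelled here.
            nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def parse_rules(text):
    """Parse Order/Deny/Allow directives (mod_access_compat) from .htaccess text."""
    order, denies, allows = ("deny", "allow"), [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order":
            order = tuple(p.lower() for p in "".join(parts[1:]).split(","))
        elif directive in ("deny", "allow"):
            if len(parts) < 3 or parts[1].lower() != "from":
                raise ValueError(f"malformed directive: {raw!r}")
            (denies if directive == "deny" else allows).extend(_hosts(parts[2:]))
        # any other directive (RewriteRule, AuthType, ...) is outside this model
    return order, denies, allows


def is_allowed(rules, client_ip):
    """Apply Apache's Order semantics: the group evaluated last wins,
    and what happens to unmatched clients depends on the Order."""
    order, denies, allows = rules
    ip = ipaddress.ip_address(client_ip)
    denied = any(ip in net for net in denies)
    allowed = any(ip in net for net in allows)
    if order == ("deny", "allow"):
        # Deny evaluated first, Allow last; anything unmatched is allowed.
        return allowed or not denied
    if order == ("allow", "deny"):
        # Allow evaluated first, Deny last; anything unmatched is denied.
        return allowed and not denied
    raise ValueError(f"unsupported Order: {order}")


def check_lockout(text, my_ips):
    """Return the addresses in my_ips that the rules would lock out."""
    rules = parse_rules(text)
    return [ip for ip in my_ips if not is_allowed(rules, ip)]


if __name__ == "__main__":
    rules = parse_rules(HTACCESS_RULES)
    for probe in ("22.33.44.55", "203.0.113.42", "198.51.100.7"):
        print(probe, "allowed" if is_allowed(rules, probe) else "403 Forbidden")
    print("locked out:", check_lockout(HTACCESS_RULES, ["22.33.44.55", "198.51.100.7"]))
```

Run `check_lockout` with every address you expect to administer the site from; anything it returns would see the Forbidden page the article describes.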

6. Change the URLs for WordPress dashboard areas including login, admin

Using the iThemes Security plugin mentioned above, you can also change the URLs for your WordPress dashboard areas, including wp-login and wp-admin. This means that if an attack bot stumbles upon your website and attempts to log in to your WP dashboard, it will not be able to find your login page.

7. Don’t allow guest user registrations

If your WordPress blog or website is not membership based, there is no reason to allow visitors to register a guest account on your site. To disable guest registrations, navigate to “Settings” and uncheck the “Anyone can register” option.

8. Disable ‘pingback’ option in WordPress

WordPress websites or blogs which have the pingback option enabled are commonly targeted for DDoS attacks. This option is enabled by default in WordPress so you must disable it manually by navigating to “Settings” then “Discussion” and in “Default Article settings” uncheck “Allow link notifications from other blogs (pingbacks and trackbacks)”.
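Both the login brute forcing that the security plugins in tip 4 defend against and the pingback abuse described here leave a clear trace in the web server access log: bursts of POST requests to wp-login.php and xmlrpc.php from a single address. The Python script below is an added example, not from the article: it parses combined-format log lines, flags any source that reaches a threshold of such POSTs inside a sliding one-minute window, and separately counts failed logins, relying on the fact that WordPress answers a wrong password by re-rendering the form (200) and a correct one with a redirect (302). The log lines, the addresses (from the RFC 5737 documentation ranges), the threshold and the window are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Endpoints that automated attacks hammer: login brute force and XML-RPC pingback abuse.
WATCHED = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample log: one host sends six pingback POSTs in 15 seconds and a
# seventh five minutes later, another host fails one login and then succeeds, and a
# GET to xmlrpc.php is harmless noise.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 432 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 432 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [10/Jan/2024:10:00:05 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/8.0"',
    '192.0.2.15 - - [10/Jan/2024:10:00:06 +0000] "GET /first-post/ HTTP/1.1" 200 8731 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 432 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 432 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:00:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 432 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:00:16 +0000] "POST /xmlrpc.php HTTP/1.1" 200 432 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:05:30 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 432 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields we care about as a dict, or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings
    return rec


def find_abusers(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {(ip, path): peak} for sources whose POSTs to a watched endpoint
    reach `threshold` within any span of length `window`."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED:
            hits[(rec["ip"], rec["path"])].append(rec["ts"])
    flagged = {}
    for key, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def failed_logins(lines):
    """Count wp-login.php POSTs answered with 200 per source: WordPress re-renders
    the form (200) on a wrong password and redirects (302) on success."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == "200":
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("burst sources:", find_abusers(SAMPLE_LOG))
    print("failed logins:", failed_logins(SAMPLE_LOG))
```

On a real server, feed it the lines of your access log instead of `SAMPLE_LOG`; the sources it flags are the ones a plugin's brute-force protection or an .htaccess deny rule would be aimed at.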

9. Monitor your Google Webmaster Tools

Google Webmaster Tools is a valuable asset when it comes to monitoring your website’s security. The “Security Issues” section of your Webmaster Tools account notifies you if Google detects malware or any other security problems with your site. Keeping an eye on your Google Webmaster Tools account lets you catch blacklisting issues early, before your search engine rankings plummet.

10. Regularly update your WordPress, plugins and themes.

Always keep your WordPress installation, themes and plugins up to date with the latest version. The #1 cause of compromised WordPress websites is an outdated core install, plugin or theme with a security vulnerability that was never patched by an update. Developers release updates for plugins, themes and WordPress core precisely when security vulnerabilities are discovered, through security audits or other means. WordPress makes it incredibly easy to update your installation, plugins and themes with a single click from your WP dashboard. When a new update is available, you will see a notification in your WordPress dashboard such as “WordPress X is available! Please update now”. There is no excuse for not updating your WordPress installation; you can also enable automatic background updates.

If you are not upgrading your WordPress installation because one of your plugins might break, as it is not compatible with the latest release of WordPress, please switch to an alternative plugin that is actively developed and updated, with support from its developers.

We do not recommend installing plugins or themes from unknown sources or 3rd parties other than the official WordPress plugin directory and the official websites of premium WordPress themes. Always check recent reviews of any plugin or theme you are installing, and make sure it has recent updates, is actively developed and has a high number of downloads.

BONUS TIP!! Backups, backups and BACKUPS!

Downloading regular backups of your content and database is very important! Any upgrade, security vulnerability or hacking attempt on your WordPress website could possibly lead to unforeseen circumstances. Although our shared & reseller hosting servers are regularly backed up, you are ultimately responsible for maintaining your own regular backups as well.

Each WordPress website consists of two parts:

1. Database, this is where all your settings, pages, posts and comments are stored.
2. Files, this is where all your media, attachments, themes and plugins are stored.

We always recommend downloading a full backup of the entire account from cPanel which includes your database and files. In case of a catastrophic event, we can restore your entire backup to revert your website to the way it was.

You can also install a backup plugin on WordPress to create automated backups of your files and database and email them to you or upload them to a 3rd-party service such as Dropbox or Amazon S3. There are plenty of backup plugins to choose from; two popular ones are BackWPup and Dropbox Backup & Restore. Activate one of these plugins to create automated weekly backups of your installation and either upload them to your backup storage or email them to your address.
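A home-grown alternative to the plugins above, added here as an example and not taken from the article or from any of those plugins: the Python script archives the site directory, records a SHA-256 digest beside the archive so a backup can be verified before you restore from it, and prunes old archives down to a fixed number. `dump_database` is an assumed helper that shells out to mysqldump (passing the password through the MYSQL_PWD environment variable rather than on the command line, so it does not show up in the process list); it is not exercised by `run_demo`, which works entirely on a throw-away directory it creates itself. Paths, labels and the sample files are the example's own.

```python
import hashlib
import os
import subprocess
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so big archives never sit in memory


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def dump_database(db_name, db_user, db_password, out_file):
    """Assumed helper: dump the WordPress database with mysqldump (needs the MySQL
    client tools). The password travels via MYSQL_PWD, not argv."""
    env = dict(os.environ, MYSQL_PWD=db_password)
    with open(out_file, "wb") as fh:
        subprocess.run(["mysqldump", "--single-transaction", f"--user={db_user}", db_name],
                       stdout=fh, env=env, check=True)
    return Path(out_file)


def make_backup(site_dir, dest_dir, label="wordpress", extra_files=()):
    """Archive the site directory (plus e.g. a database dump) and write a .sha256
    sidecar so the archive can be checked before a restore."""
    site_dir, dest_dir = Path(site_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S-%f")  # sorts chronologically
    archive = dest_dir / f"{label}-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_dir), arcname=site_dir.name)
        for extra in extra_files:
            tar.add(str(extra), arcname=Path(extra).name)
    Path(f"{archive}.sha256").write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive):
    """True only if the archive still matches the digest recorded when it was made."""
    sidecar = Path(f"{archive}.sha256")
    if not sidecar.exists():
        return False
    return sidecar.read_text().split()[0] == sha256_of(archive)


def prune_backups(dest_dir, keep=4, label="wordpress"):
    """Delete all but the newest `keep` archives and their sidecars."""
    archives = sorted(Path(dest_dir).glob(f"{label}-*.tar.gz"))
    doomed = archives[:-keep] if keep > 0 else archives
    for old in doomed:
        old.unlink()
        Path(f"{old}.sha256").unlink(missing_ok=True)
    return archives[len(doomed):]


def run_demo():
    """Offline round trip on a constructed throw-away site directory."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed placeholder\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 constructed")
        dest = Path(tmp) / "backups"
        first = make_backup(site, dest)
        second = make_backup(site, dest)
        intact = verify_backup(first) and verify_backup(second)
        with open(first, "ab") as fh:  # simulate a corrupted or tampered archive
            fh.write(b"\x00")
        corrupted_detected = not verify_backup(first)
        remaining = prune_backups(dest, keep=1)
        with tarfile.open(str(second)) as tar:
            members = {m.name for m in tar.getmembers()}
        return {
            "intact": intact,
            "corrupted_detected": corrupted_detected,
            "remaining": len(remaining),
            "has_config": "public_html/wp-config.php" in members,
        }


if __name__ == "__main__":
    print(run_demo())
```

Copy the archive and its .sha256 sidecar off the server together; a backup that only lives on the host it protects is lost with it.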

Implementing these simple security steps will make your WordPress blog or website much safer and secure from hackers.

Five common beginner WordPress mistakes

WordPress is a great platform for building your first website. However, since the platform has relatively low barriers to entry for beginners, a lot of folks make these common mistakes. Let’s see what they are and how you can avoid them to prevent frustration in the early stages of your online career!

These are the five most common WordPress mistakes you should avoid for a beautiful, functional website.

1. Do not choose a poorly coded or outdated theme

When you start looking for the perfect theme for your website, you will come across thousands of themes to choose from. Which theme is the right one for your website?

Sometimes you may stumble upon a beautiful theme developed by an unknown developer with little to no reviews. We do not recommend using such a theme; if you would rather use a free theme, choose one from the WordPress-approved theme developer list.

The best course of action is to use a premium theme! Although they will cost you upfront, you will receive dedicated support & updates in case anything goes wrong.

2. Use strong and Secure login information

During WordPress installation you will be asked for a username and password. To prevent hackers from easily gaining access to your website, you MUST choose a strong, secure username and password. Simple passwords such as your pet’s name or date of birth are not secure.

We recommend using a password generator to create a very strong password with a combination of characters, symbols, and uppercase and lowercase letters.

3. Don’t forget the basic page elements

When building your website, it’s easy to neglect common website features such as an about or contact us page. With these pages your visitors will be able to learn about what you do and how to get in touch with you.

4. Update your permalinks

The default link structure for WordPress sites is usually something like http://www.yourdomain.com/?p=99. Give your website a memorable appearance by using permalinks so that your posts appear as http://www.yourdomain.com/first-post.

Log into your WP dashboard and browse to Settings > Permalinks. From there you can change your permalink settings; for most websites the fifth option, “Post name”, will be sufficient. Make sure to save your changes.

5. Search Engine Optimization plugin

You have a beautiful website, now you need traffic! Getting search engine traffic is crucial for your online business. If your WordPress content & pages are not optimized, you could miss out on potential traffic. Luckily there are plenty of plugins that make search engine optimization simple. Just install a highly recommended plugin such as Yoast SEO and follow their documentation to set it up.

WordPress makes it easy and simple to build beautiful websites. Always remember to keep your WordPress core, themes & plugins up to date at all times.

How to properly SEO your WordPress site

SEO has evolved quite a bit from the olden days when you could keyword-stuff your content and title and rank for any desired keyword. Combined with the fact that the market was nowhere near as saturated as it is today, people were able to rank and rake in quite a bit of profit from their internet marketing (SEO) projects. Since the latest Google updates, however, no one is certain what factors actually contribute to website rankings, as there are far too many anomalies in the ranking data for many profitable keywords.

WordPress SEO

Most people believe that it is easier to manage on-page SEO factors with an HTML website than with WordPress — this is a misconception, as it is just as easy (if not easier) to automatically SEO your entire WordPress installation with a few innovative and easy-to-use plugins. Since WordPress is very user friendly, it is a very popular CMS amongst novice and professional bloggers — in fact, WordPress powers approximately 50% of websites on the web.

If you’re a blogger or taking part in any form of internet marketing, chances are you’ve heard of or even personally used WordPress to build websites. I’ve personally used WordPress to build all of my blogs and set them all up in the same manner SEO wise — not one has ever failed me. The reason people believe that WordPress is not sufficient for SEO purposes is because some individuals are still in the mindset of ancient SEO. Nowadays, search engine optimization has evolved drastically and having keywords in your content (or following a specific set of “rules”) will not ensure high rankings; in reality, over optimization actually incurs penalties from Google and other search engines.

In my blogging career, I have built several websites with WordPress and set all of them up in the exact same manner SEO wise — it has never failed. The trick here is to cater your content / titles to people rather than search engines; this is what marketing is all about, but we’ll get more into that topic in a later post. Now, without getting too far off topic (I can ramble on at times), let’s get down to business.

Before you install any plugins or themes, the first change you want to make is to your native permalink structure. WordPress uses an extremely ugly default permalink structure which is not only not good for SEO but also doesn’t appear too attractive to your visitors.

Set your permalink structure to either the custom structure %category%/%postname% or keep it set to the “Post Name” setting — either is perfectly fine.

Tags vs. Categories

WordPress offers users two ways to organize their posts — through tags or categories. It is recommended that you use either one or the other for your website. If your categories are descriptive, there is no need for tags (and vice versa). Since tag clouds are now deprecated for SEO, my personal recommendation is to just use categories and not put too much focus on adding post tags, as they are neither essential nor important.

The only time I use tags is when the category keyword is not enough to describe the post (usually when the post has several sub-topics).

WordPress SEO Themes

Most WordPress themes nowadays are designed with on-page SEO in mind, including the basic themes that come bundled with WordPress. When choosing a theme for your website, there are a few things you need to look out for:

  • Is the theme attractive and suited to your website’s niche? (this is not for SEO necessarily but important nonetheless)
  • Is the post title in H1 tags? Is the website title in H1 tags (on the home page)?

People go into far too much detail in an attempt to SEO their WP theme when in reality, all you need to make sure is that the post title is wrapped in H1 tags. Since the post title describes what your article will be about and in most cases contains the keyword you are trying to target, the H1 tag helps ensure the search engines know what your post / article is about.

Again, as I’ve mentioned before, do not write your title with search engines in mind but rather your audience — you want to make the title attractive yet descriptive, with the keywords you are trying to target. As an example, let’s take this post into account: the article is trying to target the keywords “WordPress SEO”, but as you can see, the title doesn’t necessarily focus on that keyword. “SEO” and “WordPress” are mentioned separately, and the use of the word “properly” intrigues users to click through and read the article. Old-school SEOs may argue that the title needs to contain “WordPress SEO” in that exact order to achieve the desired results — but a simple search on Google will reveal that this is not the case.

When trying to find a theme for your website, don’t worry too much about the SEO aspect of it. Instead, as stated above, focus on finding a theme that will attract viewers and drive conversions (which is the ultimate goal).

WordPress SEO Plugins

There are plenty of free and premium SEO plugins available on the market for WordPress — but there is one that stands out above the rest (and it’s free). The WordPress SEO by Yoast plugin is the best (in my opinion) and I’m sure many other users will agree.

The plugin is quite self-explanatory, with an extremely detailed guide to help users properly SEO their WordPress sites. The plugin can be easily set up with the detailed explanations available under each individual setting — but I will still go over some of the more important settings that need to be configured.

  • Titles: the main settings let you set the title format for each individual post type as well as the homepage. Open the Help tab to view the available variables.
  • Social: adding OpenGraph metadata to your site ensures that social shares of your pages pull the right content. Set your homepage logo as well as a default image to use when a post has none. Set your site’s Twitter username (optional).
  • XML Sitemap: the sitemap helps Google easily see the structure of your website (for better rankings, according to them). Create an XML sitemap and submit it to your Google Webmaster Tools account.
  • Permalinks: the first option merely strips the word “category” from your category archive URLs. The second option makes sure all the link juice flows to your posts instead of to attachment URLs.
  • Internal Links: breadcrumbs are not a necessity but make it easier for your visitors to understand the structure of your website (and to navigate back and forth between internal pages). If your theme does not come with breadcrumbs, you can enable them here and embed them manually into your theme files.

Once you’ve set up the WordPress SEO plugin by Yoast, you’re ready to move on to configuring the other plugins that make your website completely search engine optimized. Fortunately, the next few plugins won’t require much configuration — they just need to be installed and activated.

  • Broken Link Checker: scans all the links on your website and alerts you by email (as well as on the main dashboard) if any broken links are found. You can then go to the post or page where the link is located and either replace it or remove it.

  • Related Posts: I did not link a specific plugin here because there are quite a few related-posts plugins to choose from. Personally, I prefer the Efficient Related Posts plugin as it is lightweight and easy to configure, but you can pick whichever one you like (just make sure it doesn’t slow down your website). Showing related posts not only fosters further visitor interaction but also creates internal links that pass link juice to other relevant content on your website.

  • WP Super Cache: stores static copies of your pages in a cache so they load faster for your visitors. This drastically improves load time and helps your rankings, as Google has clearly stated that page speed is a factor in search engine rankings. You can always check your page speed here: https://developers.google.com/speed/pagespeed/.

  • WP No External Links: optional but still helpful. When you write a post and link out to another website, you pass link juice to that URL. This plugin lets you mark external URLs as internal URLs or automatically add a rel="nofollow" attribute to your outgoing links. Personally, I prefer the second option, as masking your external links can hurt your rankings.

Besides the plugins stated above, the only other plugin you should consider installing is the Google Analytics for WordPress plugin to help track your website with Analytics. Tracking is extremely important to understand how to optimize your traffic for higher conversion rates (but more on that later).

Before I close, here are just a few more WordPress SEO tips:

  • Use the WordPress SEO by Yoast plugin to write individual meta titles and descriptions for each of your posts (the description should summarize the post)
  • Write engaging content aimed at users and not search engines. This will nurture natural link building to your website
  • Set a featured image for each of your posts. This image will be the one used every time your article or post is shared socially
  • Organize your website structure properly. Group posts into appropriate categories so visitors have an easy time navigating your site.

That’s about it guys and gals, I hope you found this post helpful! Look forward to more SEO and marketing related posts in the near future.

Comments, questions or suggestions? Leave a comment below.

Boxing Week 2012 Web Hosting Deal

Boxing Day 2012 Web Hosting Sale

Merry Christmas and happy holidays from everyone here at WireNine! To keep up with Canadian traditions, WireNine is having a boxing week sale — users will receive 80% off their shared hosting plans along with a free domain (for the lifetime of their account).

Black Friday was a little messy with tons of different coupon codes for different discounts, so we decided to clean it up a little bit this time with a single coupon code. Without getting into too much detail, here are the details for the coupon:

80% Off Shared Web Hosting Plans + FREE Domain*. Use coupon:

holiday2012

Click here to see all web hosting plans

*FREE Domain only eligible with 1, 2 or 3 year billing cycles.

You won’t find a better web hosting deal than this! With 80% off, you can get our Starter plan for only $35.64 for 3 full years WITH a FREE domain name for the lifetime of your account. Don’t miss out, this deal is only valid from December 26 – December 31.

NOTE: New and current customers are both eligible for the boxing day sale. Offer not valid for renewals — new accounts only.

Cyber Monday Special 80% OFF Web Hosting extended!

Even though the 80% off coupons ran out, we’ve extended the deal until the end of Cyber Monday! Hurry, this offer expires November 27th at 12 AM. Sign up now 🙂

Shared Specials

80% OFF all plans for the first year, coupon code “bf2012sh”.
50% OFF all plans for the first invoice on any billing cycle, coupon code “bf2012sh50”.
20% OFF recurring discount on all plans, coupon code “bf2012sh20”.
50% OFF semi-dedicated plan for the first invoice, coupon code “bf2012sd”.

Click here to order now!

Reseller specials

80% OFF all plans for the first 12 months, coupon code “bf2012rh”.
50% OFF all plans for your first invoice, coupon code “bf2012rh50”.
20% OFF recurring discount for all reseller plans, coupon code “bf2012rhrd”.

Click here to order now!

VPS specials

80% OFF all VPS plans (first month only), coupon code “bf2012vps”.
20% OFF recurring discount for all VPS plans, coupon code “bf2012vps20”.

Click here to order now!

Domain specials

New .INFO Domains for $3.99 for the first year, coupon code “bf2012domaininfo”.
New .com, .net, and .org domains for $5.99 for the first year, coupon code “bf2012domains”.

Click here to order now!