WordPress Security Tips to Protect Your Website

WordPress Security

As WordPress is one of the largest and most popular blogging platforms in the world, it makes sense that attackers try to break into it to gain access to the millions of unsecured websites running it. We frequently see complaints all over the web about WordPress security vulnerabilities and webmasters asking for help with their hacked WordPress installations. Usually, once an attacker has compromised a WordPress installation, they will either delete all of its files, causing you to lose your website, or use PHP scripts on it to send out massive amounts of spam — which will get your hosting account suspended no matter where you host your website(s).

It is important to keep personal backups of your account and to take every precaution to ensure that your WordPress installation is secure. For this reason, we have compiled a few WordPress security tips below which should go a long way toward keeping attackers out of your site.

Keep your WordPress Installation Up to Date

WordPress updates its platform frequently, not only to add improvements but also to patch security vulnerabilities that could otherwise be exploited. That is why it is extremely important to keep your installation on the latest release.

If you’ve installed WordPress using WireNine’s automated installer Softaculous, you can easily upgrade your installation by logging into your cPanel. If you’ve installed it on your own, you can upgrade from the WordPress dashboard automatically, or do a manual upgrade by overwriting your old files with newly downloaded ones from their website. For more information, check out the WordPress codex.

Set a custom username and password

The default username for any WordPress installation is admin, and attackers are well aware of that fact. When installing WordPress, make sure to choose an uncommon username — in most cases, using your name or initials will be fine.

If you are using Softaculous to install WordPress, the screenshot below shows where to set your username.

Softaculous WordPress

As important as the username is, it is equally if not more important to have a complex password — choose one with a mixture of letters, numbers and, preferably, symbols. If you're worried about forgetting your password, a password manager such as LastPass can store all your logins, and WordPress also has a “Forgot Password” function that you can use to reset it if you ever lose it.

Ensure your file permissions are set to 755 or lower where necessary

If you are an intermediate or advanced WordPress user, you may occasionally need to loosen file permissions to edit files from the dashboard or, in some cases, to let a plugin function. Most people forget to reset the permissions afterwards, so those files are left readable and writable by anyone on the server, and an attacker can use such a file as a doorway into the account.

Make sure your files and directories carry appropriate permissions (755 or lower) — and always reset to the WordPress defaults after you have finished editing any file.
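The following script is an added example and not part of the original article: it finds files and directories that were left writable by group or others, and resets a WordPress tree to the default modes the post refers to (755 for directories, 644 for files). It assumes a POSIX shell with `find` and `chmod`; the sample tree it builds is constructed to mimic a site where permissions were loosened for a plugin and never reset.

```shell
#!/bin/sh
# Added example (not from the original article): audit and reset WordPress file
# permissions to the 755 (directories) / 644 (files) defaults.
# Assumes a POSIX shell with find and chmod. Usage: sh wp-perms.sh /path/to/wordpress

# Print every directory or regular file under $1 that is writable by group or
# others. Returns 0 if the tree is clean, 1 if anything loose was found.
wp_perm_audit() {
    _root=$1
    _loose=$(find "$_root" \( -perm -020 -o -perm -002 \) \( -type d -o -type f \) -print)
    if [ -n "$_loose" ]; then
        printf '%s\n' "$_loose"
        return 1
    fi
    return 0
}

# Reset to the WordPress defaults: directories 755, regular files 644.
wp_perm_reset() {
    _root=$1
    find "$_root" -type d -exec chmod 755 {} +
    find "$_root" -type f -exec chmod 644 {} +
}

# Number of entries under $1 that deviate from the defaults (0 = fully reset).
wp_perm_deviations() {
    _root=$1
    _ndirs=$(find "$_root" -type d ! -perm 755 | wc -l)
    _nfiles=$(find "$_root" -type f ! -perm 644 | wc -l)
    echo $((_ndirs + _nfiles))
}

# Constructed sample tree: an uploads directory opened to 777 for a plugin and
# a plugin file made 666 so it could be edited from the dashboard.
wp_demo_tree() {
    _sample=$(mktemp -d)
    mkdir -p "$_sample/wp-content/uploads" "$_sample/wp-content/plugins/example"
    : > "$_sample/wp-config.php"
    : > "$_sample/wp-content/plugins/example/example.php"
    chmod 777 "$_sample/wp-content/uploads"
    chmod 666 "$_sample/wp-content/plugins/example/example.php"
    echo "$_sample"
}

# Stand-alone use: audit the given path and reset it if anything loose is found.
if [ $# -gt 0 ]; then
    if wp_perm_audit "$1"; then
        echo "no loose permissions under $1"
    else
        wp_perm_reset "$1"
        echo "reset $1 to 755/644"
    fi
fi
```

Run the audit on its own first so you see what a plugin or an earlier edit left open; only then apply the reset, since a plugin that genuinely needs a writable directory will start failing again once its directory goes back to 755, which is your cue to scope the exception to that one directory rather than leaving the whole tree open.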

Regularly backup your websites / databases

Although WireNine creates daily backups of every account on our servers, we still recommend that clients make their own backups from within cPanel in case their site data is ever compromised. Keeping daily backups ensures that you can restore your website immediately in an emergency. To create a full or partial backup of your account, navigate to cPanel, click “Backup Wizard” and choose which parts of your account you would like to back up (refer to the picture below).

cPanel Backup
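For readers who want a personal backup they control in addition to the cPanel wizard, here is an added example (not from the original article and not WireNine's tooling): it archives a WordPress document root with a timestamp, optionally dumps the database beside it, verifies the archive can actually be read back, and prunes old copies. It assumes a POSIX shell with `tar` and `gzip`; `WP_DB_NAME` is a hypothetical variable and `mysqldump` is only invoked if it is installed and that variable is set.

```shell
#!/bin/sh
# Added example (not from the original article): dated, verified backups of a
# WordPress document root with simple retention.
# Assumes a POSIX shell with tar and gzip. WP_DB_NAME is a hypothetical
# variable; mysqldump reads credentials from ~/.my.cnf when it runs at all.
# Usage: sh wp-backup.sh /path/to/wordpress /path/to/backups

# Archive $1 (document root) into $2 (backup directory); print the archive path.
wp_backup() {
    wproot=$1; bdir=$2
    mkdir -p "$bdir"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive=$bdir/wp-$stamp.tar.gz
    # Never clobber an archive made earlier in the same second.
    n=0
    while [ -e "$archive" ]; do
        n=$((n + 1)); archive=$bdir/wp-$stamp-$n.tar.gz
    done
    # Optional database dump next to the file archive (skipped when offline).
    if command -v mysqldump >/dev/null 2>&1 && [ -n "${WP_DB_NAME:-}" ]; then
        mysqldump --single-transaction "$WP_DB_NAME" > "${archive%.tar.gz}.sql"
    fi
    # -C so the archive stores "<dirname>/..." rather than absolute paths.
    tar -czf "$archive" -C "$(dirname "$wproot")" "$(basename "$wproot")"
    echo "$archive"
}

# A backup you cannot read back is not a backup: list the archive and require
# wp-config.php to be in it. Returns 0 on success, non-zero otherwise.
wp_backup_verify() {
    tar -tzf "$1" | grep -q '/wp-config\.php$'
}

# Delete all but the newest $2 archives in $1.
wp_backup_prune() {
    ls -1t "$1"/wp-*.tar.gz 2>/dev/null | tail -n +"$(($2 + 1))" |
        while read -r old; do rm -f "$old"; done
}

# Number of archives currently in $1.
wp_backup_count() {
    ls -1 "$1"/wp-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample document root for a dry run.
wp_demo_docroot() {
    sample=$(mktemp -d)
    mkdir -p "$sample/site/wp-content/uploads"
    printf '<?php // constructed sample config\n' > "$sample/site/wp-config.php"
    echo "$sample/site"
}

# Stand-alone use: back up, verify, keep the newest 7.
if [ $# -eq 2 ]; then
    a=$(wp_backup "$1" "$2") && wp_backup_verify "$a" && echo "verified $a"
    wp_backup_prune "$2" 7
fi
```

Keep the backup directory outside the document root, and outside the account if you can, so that an attacker who gains write access to the site cannot also delete or tamper with the copies you would restore from.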

Keep all plugins and theme files up to date (free and premium)

Since WordPress has such a vast number of available themes and plugins (both free and premium), it's important to install plugins and themes only from trustworthy sources. Most premium theme and plugin purchases include free lifetime updates that patch any security holes, but free plugins and themes are sometimes left without updates for long periods. This not only causes those themes and plugins to break with new WordPress releases, but also leaves known security vulnerabilities in place for attackers to exploit.

Always use the latest WordPress-compatible version of each plugin and theme so that no known security risk remains on your website. Fortunately, the free WordPress plugin repository shows plugin and theme ratings, which can help you decide which ones would be the best and most secure choice for your blog or website. If you wish to invest in a premium theme or plugin, make sure the seller is a verified source before you make any purchase.
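Both the "keep WordPress up to date" advice above and this section come down to knowing what is actually installed. The script below is an added example, not part of the original article: it reads the core version from `wp-includes/version.php` and the `Version:` header of every plugin main file and theme `style.css`, producing an inventory you can compare against the current releases. It assumes the standard WordPress directory layout; the sample install it builds is constructed, and its version numbers are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): inventory the core, plugin and
# theme versions of a WordPress install so stale components stand out.
# Assumes the standard layout: wp-includes/version.php, wp-content/plugins,
# wp-content/themes. Usage: sh wp-inventory.sh /path/to/wordpress

# Core version from the line  $wp_version = '6.x';  in wp-includes/version.php.
wp_core_version() {
    sed -n "s/^[\$]wp_version = [\"']\([^\"']*\)[\"'];.*/\1/p" \
        "$1/wp-includes/version.php" | tr -d '\r'
}

# Value of a header field ($2, e.g. "Version" or "Plugin Name") from file $1.
# Header lines may be prefixed by comment stars, e.g. " * Version: 1.2".
wp_header_field() {
    sed -n "s/^[[:space:]*]*$2:[[:space:]]*\(.*\)/\1/p" "$1" |
        head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# One tab-separated line per plugin: kind, name, version. Handles both
# directory plugins (slug/slug.php) and single-file plugins (hello.php).
wp_plugin_inventory() {
    pdir=$1/wp-content/plugins
    for f in "$pdir"/*.php "$pdir"/*/*.php; do
        [ -f "$f" ] || continue
        name=$(wp_header_field "$f" "Plugin Name")
        [ -n "$name" ] || continue   # not a plugin main file
        ver=$(wp_header_field "$f" "Version")
        printf 'plugin\t%s\t%s\n' "$name" "${ver:-(none)}"
    done
}

# Same for themes, whose headers live in style.css.
wp_theme_inventory() {
    for css in "$1"/wp-content/themes/*/style.css; do
        [ -f "$css" ] || continue
        ver=$(wp_header_field "$css" "Version")
        printf 'theme\t%s\t%s\n' "$(wp_header_field "$css" "Theme Name")" "${ver:-(none)}"
    done
}

# Constructed sample install with made-up version numbers.
wp_demo_install() {
    sample=$(mktemp -d)
    mkdir -p "$sample/wp-includes" "$sample/wp-content/plugins/example-plugin" \
             "$sample/wp-content/themes/example-theme"
    printf '<?php\n$wp_version = %s;\n' "'6.0'" > "$sample/wp-includes/version.php"
    printf '<?php\n/*\n * Plugin Name: Example Plugin\n * Version: 1.2.3\n */\n' \
        > "$sample/wp-content/plugins/example-plugin/example-plugin.php"
    printf '<?php\n/*\nPlugin Name: Hello Single File\nVersion: 0.9\n*/\n' \
        > "$sample/wp-content/plugins/hello.php"
    printf '/*\nTheme Name: Example Theme\nVersion: 2.0\n*/\n' \
        > "$sample/wp-content/themes/example-theme/style.css"
    echo "$sample"
}

if [ $# -gt 0 ]; then
    printf 'core\tWordPress\t%s\n' "$(wp_core_version "$1")"
    wp_plugin_inventory "$1"
    wp_theme_inventory "$1"
fi
```

A plugin that reports "(none)" has no version header at all, which usually means it was hand-copied or modified rather than installed from a repository, and it deserves a closer look, since nothing will ever offer you an update for it.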

Use a WordPress Security Plugin

WordPress security plugins are not strictly necessary if you follow all of the tips listed above; however, they do make your installation harder to compromise. If you are worried about hack attempts on your blog, it's always better to be safe than sorry and install one of the following highly recommended security plugins:

Bulletproof Security

Bulletproof Security was created mainly to protect your website through your .htaccess file, a file attackers commonly abuse to gain access to an account. With the Bulletproof Security plugin, you can protect your WordPress website against XSS, RFI, CRLF, CSRF, Base64, code injection and SQL injection attempts.

WordPress Bulletproof Security

Better WP Security

This plugin has a host of features that help secure your website, mainly by hiding and hardening the parts of your site that are most exposed to attack (such as the login page and admin panel). It also creates a daily backup of your WordPress database, so if persistent attackers do somehow compromise your site, you can easily restore it.

General Security Tips

  • Do not share your login. If you have hired a webmaster to manage your website, create a separate account for them with only the permissions they need. Do not share your username and password with anyone you don't fully trust.
  • Enable CloudFlare. CloudFlare is a content delivery network (CDN) that improves the performance of your website and also offers a security scanning feature that comes in handy at times. CloudFlare is included absolutely FREE of charge with any shared, reseller or VPS hosting plan at WireNine and can easily be enabled from within cPanel.
  • Regularly change passwords. It's important to change your password every once in a while to maintain security — a password manager such as LastPass makes this easier.

While the WordPress security tips listed above will help you secure your website, they do not guarantee that it will be 100% immune to attackers. They do, however, drastically decrease the chances of your WordPress installation being hacked or tampered with in any manner. Remember, it's important to maintain regular backups of your website and database so you always have a recoverable copy lying around in case of an emergency.

If you have any questions, don’t hesitate to ask by commenting below.

Google Introduces Link Disavow Tool to Combat Negative SEO

We’ve been hearing rumors for quite some time about Google working on a project to help combat negative SEO — and now they’ve finally released the disavow tool, which allows webmasters to take control of their backlink profiles. Since the most recent algorithmic updates by the search engine giant, a lot of webmasters and SEO specialists have been struggling to rank their websites in organic search results. Google’s Panda and Penguin updates revolutionized search results by targeting low-quality websites and removing them from the index (or at the very least demoting their rankings); these updates were made possible by the knowledge graph.

Although Google succeeded at removing low-quality websites from search rankings, not everyone saw the Panda or Penguin update as a step in the right direction. Many marketers and SEO specialists criticized Google for these updates, mainly because their own websites were affected — however, Google’s mission is to provide the most relevant search results to its users; it does not cater to webmasters who use spammy link-building techniques to rank their websites artificially. Google believed (and does to this day) that the Panda and Penguin updates ultimately enhanced its search results and that continued updates will only help provide a better user experience.

Unfortunately, with these Google updates also came the idea of negative SEO — a tactic used to manipulate and lower the search engine rankings of a competitor. Anyone could point thousands of spammy links at a website and drastically drop its rankings, in some cases even getting it de-indexed from the search engine altogether. The internet community was convinced that Google did not take negative SEO into account when developing its algorithm, especially for non-authority websites, as many legitimate webmasters fell prey to negative SEO.

SEO Disavow Links

With the announcement of the new disavow tool, SEO specialists are rejoicing at the fact that they can “disavow” their spammy backlinks — while others claim that the tool is useless and that Google should automatically disavow any links it believes to be spammy. In either case, webmasters now have complete control over their backlink profiles from within Webmaster Tools — making negative SEO harder, but not impossible.

So, what does the disavow tool actually do? It doesn’t “delete” the links that you submit, but it does set them to nofollow so they have no direct impact on your search rankings. In fact, Matt Cutts of Google recommends that you try to remove as many links as possible manually before submitting any of your low-quality links to the disavow tool. The tool was officially made available in WMT on October 16, so there are no reports yet as to how it performs (or if it even works). We will be doing a follow-up post in a few weeks on the effectiveness of the tool.

To learn more about the disavow tool, check out the Official Google Webmaster Central Blog or watch the video by Google engineer Matt Cutts below. Comment below to share your opinion on the disavow tool.

Roundcube webmail gets a new look

If you use webmail rather than an email client of your own (Roundcube, to be more exact), you may have noticed that the leading webmail software just got a new look that is supposed to greatly improve the user experience.

I won’t go into too much detail about the new look, but if you haven’t already, I recommend checking it out from within your control panel. For anyone wondering how to access webmail from their browser, see the help article: Where do I check my webmail?
