We have discussed security before, however with an ever-changing technological landscape, it never hurts to revisit the topic. As a website owner, you want your site in front of as many eyes as possible in order to cast the largest possible net for potential customers. With so many hackers and other nasty security issues out there, it's hard to keep up. That's why our security-conscious team at WPEZI has put together some of the best security tips for your WordPress site. If you have any questions, we are down in the bottom right-hand corner and more than happy to help.
In an average week Google finds roughly 75,000 websites to blacklist for various security-related problems. You don't want your site blacklisted: blacklisted sites generally lose 95% of their traffic, and visitors are shown a warning that depends on whether the site was blacklisted for malware or for phishing. This could mean you lose all traffic to your site. If you suspect your site has been blacklisted, you can check with Google's Safe Browsing Tool by adding your website URL to the end of this: http://www.google.com/safebrowsing/diagnostic?site=.
So how do you keep Google from blacklisting your site? There are many different things you can do; the important ones are installing a firewall and anti-virus software, using an SSL certificate, keeping your core WordPress files updated, having a good host, and not linking to spam sites. If you suspect you might have some malicious content on your site, you can run it through Sucuri Scanner. The scanner will detect malware and spam, tell you whether the site has been blacklisted, and provide both a report at the end and ways to rectify any issues. There are fees involved, so make sure you check those before signing up. What are some of the basic things you can do to keep your site secure from the start? We discuss these below.
Backups
We cannot stress this enough: make sure you have a system in place for regular backups of your site. Your web host provider, such as SiteGround, may include this in their plan, or you can install one of the many WordPress backup plugins if you want more control over the frequency. Always back up before and after any updates you make to your site, and store a copy in a secure location; whether that is an external hard drive, cloud storage, or both is up to you. This way, if something were to happen, you can restore your site and start again.
Usernames and Passwords
Immediately change your default admin username and password upon setup. When creating the password, try to avoid any word in the dictionary, as hacking systems will attempt recognised words first. Try to replace characters in a word with numbers that look like the letter instead. For example: 8!4cK is a more secure password than any default password created. When passwords are easy to crack, you have left your site open to a myriad of different attacks. Using the same password across multiple sites is something almost everyone does, because one password used everywhere is easier to remember than a strong, unique password for each site. If you are concerned about remembering different passwords, you can always use a password manager like LastPass or 1Password. You should also change your default username from admin to something more unique, and look to password-protect your WordPress admin directory as well, just to cover all your password bases.
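As an added example (not code from the WPEZI post), here is a Python pre-flight check that applies the rules in this section to a new WordPress administrator account: no default username, no dictionary word as the password, and no password reused from another site. It also undoes common look-alike digit and symbol substitutions before the dictionary lookup, since cracking wordlists include those variants; the word list, default-username list, minimum length and "known passwords" set are constructed assumptions, not values from the post.

```python
"""Pre-flight check for a new WordPress admin account (added example)."""
import itertools
import math
import re

# Constructed mini word list; a real check would load a full dictionary file.
DICTIONARY = {"black", "password", "welcome", "summer", "dragon", "wordpress"}
DEFAULT_USERNAMES = {"admin", "administrator", "root", "test"}  # constructed list
MIN_LENGTH = 12  # assumed policy value; the post does not set a specific length

# Look-alike swaps that cracking wordlists routinely try, so the check undoes them.
SUBS = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
        "!": "il", "@": "a", "$": "s"}
MAX_CANDIDATES = 4096  # bound the expansion for long passwords


def candidates(password: str):
    """Yield the plain-letter words a password could be a disguised form of."""
    pools = [sorted(set(ch.lower()) | set(SUBS.get(ch, ""))) for ch in password]
    if math.prod(len(p) for p in pools) > MAX_CANDIDATES:
        pools = [[ch.lower()] for ch in password]  # too many; check literal form only
    for combo in itertools.product(*pools):
        # Leading/trailing digits or symbols ("password123", "!summer") are also common.
        yield re.sub(r"^[^a-z]+|[^a-z]+$", "", "".join(combo))


def is_dictionary_word(password: str) -> bool:
    """True if the password, or any substitution-undone variant, is a listed word."""
    return any(word in DICTIONARY for word in candidates(password))


def check_admin_account(username: str, password: str, known_passwords: set) -> list:
    """Return the problems found; an empty list means the account passes."""
    problems = []
    if username.lower() in DEFAULT_USERNAMES:
        problems.append("username is a well-known default; choose a unique one")
    if len(password) < MIN_LENGTH:
        problems.append(f"password is shorter than {MIN_LENGTH} characters")
    if is_dictionary_word(password):
        problems.append("password is a dictionary word, possibly with look-alike substitutions")
    if password in known_passwords:
        problems.append("password is already used on another site; do not reuse it")
    return problems


if __name__ == "__main__":
    # Constructed sample: the default username with a disguised dictionary word.
    for issue in check_admin_account("admin", "8!4cK", {"Summer2018!"}):
        print("-", issue)
```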
WordPress Core
WordPress has regular minor updates which it installs automatically for you; however, the core WordPress software also has major updates that you will need to complete yourself when your site is ready and you have the time. Of course, you need to back up your site first, in case one of the updates doesn't agree with your setup, and then, once you've confirmed the update is fine, take another backup of your site after the major update. These updates are really important for security, as they are updates to the core of your site, include a number of security fixes, and are crucial for the uptime of your site.
SSL Certificates
We have also talked about SSL Certificates before. An SSL Certificate stops Google from marking your site as insecure. The SSL certificate simply secures the connection between your website's users and your server, making it difficult for hackers to listen in on that connection and steal private information. Google started marking sites that were not HTTPS in July 2018 and showed users warnings about insecure sites, so if you have noticed a drop in traffic, this could be part of the reason.
Security Plugins
As security is such a large issue across the web, there are many different security plugins, and it's easy to be overwhelmed by the choice. The WPEZI team, just like other WordPress specialists, has its favourites for most WordPress applications. Let us walk you through why we love and recommend the Wordfence Security plugin and Firewall.
Wordfence – The basics
Wordfence is one of the most popular security plugins for WordPress. With both paid and free versions, Wordfence offers its customers options to suit their needs. Wordfence not only comes with an inbuilt firewall, it also automatically scans for common threats across your site. Upon threat detection, Wordfence also provides the steps to fix the issues. The free version of the plugin offers a malware scanner, threat assessment and exploit detection across your site as standard. The plugin can also help protect against Denial of Service and Brute Force attacks on your site. In the premium version, you can also use tools to block certain countries and schedule your scanning. The plugin even comes with a comment spam filter, so you do not need to hunt down another plugin, and it monitors traffic in real time, helping to alert you to suspicious activity as soon as it happens.
Installing Wordfence and Firewall
So now you've decided to install Wordfence, how do you do it properly for the most effective security solution? Read on for our step-by-step guide.
Wordfence
First things first, sign into your WordPress site, head to the admin dashboard, select the Plugins screen and then Add New. Search for Wordfence and select the Install Now button. You will then need to activate the plugin, and you are good to move to the next stage.
You should now see a new menu item for Wordfence in your dashboard admin bar. Select Wordfence to be taken to the plugin dashboard, where you can customise the settings and run your scan manually. You should run a scan when you first install the plugin to get an idea of what's happening with your site and to check if there is anything Wordfence can work to resolve straight away.
Simply head to the Wordfence menu and select Scan from the drop-down. Initially the scan will look for malicious infections, backdoors and any changes to the WordPress core files. Once complete, Wordfence shows you the results and recommendations. These scans are pre-set to run every 24 hours in the free plugin; the premium version allows you to set your own timing for scans.
Firewall
The Wordfence firewall is included with the plugin and offers two levels of protection from threats. You will have the choice of loading the firewall alongside your other plugins, which protects you from several threats but leaves you open to attacks designed to begin before WordPress and its themes are loaded, or of using the extended protection, which allows the firewall to run before any other component of the site and so gives you the more advanced protection from security threats.
To change the settings for your firewall, select Firewall from your Wordfence drop-down menu, select the Optimize button and then Continue, so that Wordfence can discover your server's configuration. You will then be prompted to download a backup of the file Wordfence is about to change. This is the important part: that file is what allows Wordfence to run before all else on your site.
You will now see your firewall is in learning mode; this is to prevent it from blocking legitimate users from the site. Once Wordfence has learned all it can about the users of your site, it will switch across to protecting mode.
Now that your security plugin and firewall are good to go, your site is much safer and stronger against malicious attacks from hackers and automated software, and your users can feel more confident in the knowledge that their data is safe when using your site.
Fixing a hacked site is not always easy, and in most cases it's best for professionals to take over and repair your site. However, if you take these precautions and still find yourself on the wrong side of a hacked site, the WPEZI team is here to help. If you run into any trouble, please let us know; the WPEZI team is happy to provide WordPress support, whether you are a regular customer or it's a one-off issue. Contact us via live chat today, it's just in the bottom corner.