10 Security Measures for every WordPress site

WordPress is a highly popular, powerful blogging and website-design platform; web statistics show that it runs on one in five websites. Although it is a very effective tool that is used by millions, it is notorious for falling short in strong security – either due to lack of security knowledge on the developer’s part, or because of the vast number of potentially insecure plugins that are available. This therefore makes WordPress sites an attractive target for all kinds of hackers, as well as vulnerable to the installation of malware. In 2013, 90000 WordPress sites were hijacked for use in a botnet.

wordpress-security

The following are 10 basic steps that can be implemented to tackle some security issues or malpractices that are present in thousands of WordPress Sites.

1. Run the Latest Version of WordPress

Over 86% of WordPress installations are running outdated versions. Each update will bring new features plus security fixes and bug patches that will ensure better security against many threats.

2. Run the Latest Version of Themes and Plugins

Site plugins and themes could still be vulnerable despite WordPress updates. This is evident when, recently, an older version of the widely-used Slider Revolution plugin, allowed malicious users to steal database credentials.

3.  Prevent Directory Listing

When the web server cannnot find an index file, and directory listing feature is enabled, the server will show an HTML page with its contents which can be used to exploit any present vulnerabilities in a WordPress theme, plugin or web server.

4. Remove Inactive Users

Users, particularly administrators and those who can edit or change content, form part of the weakest points of any site. This is because users tend to make passwords that are not strong enough. If it is very necessary to retain inactive users in your database, changing their role to ‘subscriber’ will restrict their abilities.

5. Turn on HTTPS for Logins and wp-admin

HTTPS should be used in all cases where a user is providing and receiving private information to and from the web server. It is not necessary for use across the whole site, as TLS/SSL may use a huge amount of server resources based on the amount of traffic.

WordPress’s login form and admin area are considerably the most sensitive areas of a site and, it is therefore here that TLS/SSL should be enforced.

6. Restrict Direct Access to Plugin and Theme PHP Files

There is potential risk in enabling direct access to PHP files. It may lead to release of information, as some plugins can hold PHP files that are not supposed to be directly called.

Furthermore, limiting direct access to PHP files makes it more difficult for hackers to get through security measures (ie. authentication) when the coding is divided into littler files.

7. Use Complex Security Keys

WordPress makes use of long, random and complex security keys. Security keys function similarly to a very strong password. and should contain elements that make it more difficult for hackers to crack it. Although it is often more tough for users to remember, it plays a key role in establishing maximum security of your site. You can implement this strategy by creating your own set of random keys, or by using WordPress’s online key generator.

8. Choose your Plugins and Themes Wisely

Hackers can easily determine the plugins that are installed on your WordPress site through Plugin enumeration. The risk of attacks on your site can be significantly reduced by avoiding unnecessary plugins. Remember to check the number of times they were downloaded and their last update date.

9. Limit Access to wp-admin Directory

Another way to prevent attackers from cracking the password is to enable password protection on your WordPress admin area with a layer of HTTP authentication.

10. Turn off File Editing

In many cases, the first thing a hacker looks for is PHP files of plugins and themes. WordPress allows admin users to edit these PHP files of plugins and themes inside the account; since this functionality allows code execution to the server – disabling it will improve security.

It is highly recommended to implement all of these security measures in order to keep your WordPress sites attack and threat-free. They form an ideal foundation on which to begin building your site’s security.

Increase WordPress’ speed with these tricks

“Time is of the essence”. A quote that could not be more relevant in today’s world. The Internet has given us the opportunity to access information almost instantaneously with a few key words and the click of a button. This was bound to cause low-levels of patience in users due to high-expectations when loading web pages.

speed-critical

According to the Aberdeen Group, a mere 1-second delay in your page’s load time causes:

  • 11% less views of your page
  • 16% drop in customer satisfaction
  • 7% loss in conversion

It is therefore essential to meet these expectations by building a website that has optimal response time. You can start doing this by:

Considering your Host Provider

Most hosting companies provide a series of plans to prospective users. Those who are new to the system may be more inclined to choose the cheapest hosting option – and they end up paying for it later on. Spending a little extra on your ideal plan in the initial stages will save you from potential headaches in the long run.

It is not recommended to sign up with a newly-launched service, as the provision of consistent, quality service will be questionable. That said, I’ve had great success with Intergrid for Australian hosting, who are relatively new players to the market.

Bear in mind that no hosting company will be 100% trustworthy, and it is possible that there will be instances of misconfiguration issues and connection problems. If you see that your site isn’t running as it normally would, opening a ticket with your hosting provider is a good place to start in finding a solution.

Another tip: Configure a continuous ping to the website by using the command prompt with the command: pingnameofwebsite.com –t

Doing this will show any internet carrier or hardware malfunctions that could be affecting your website speed. Note that if you see any odd or sporadic pings, they should be reported to the hosting company.

Taking a Look at Your WordPress Theme

WordPress’s 2015 theme is designed with maximum speed and performance in mind. It was intentionally developed to be simple and lightweight, with no additional code that could slow the theme down.

Unluckily, this is not the case with all themes. If you are unhappy with your theme’s speed, consider searching on Google to determine if any other users with the same theme are experiencing similar difficulties. WordPress forums is also a great platform on which you can open a dialogue to other users on the topic.

Using a Secure Caching Plugin

It is highly beneficial to use caching plugins to speed up your website. Make sure that you do your research on them before downloading, though, as many plugins have been discovered to have vulnerabilities as a result of XSS and SQL injections. Once you have installed a secure caching plugin, you should begin to notice quicker page loading times.

A good recommendation is the Zen Cache plugin for WordPress.

Optimizing Your Images

Having images on your website offers many advantages. They make the site look more appealing, professional and will, essentially, attract users. No matter what your needs for bandwidth and images are, it is always a good idea to optimize your images for downloading.

WP-SmushIt is a plugin that can help to optimize your images for fast load times.

Reviewing Your Site’s Homepage

Do you have a particularly busy home page? Decluttering any unnecessary elements, while keeping your home page exciting and appealing, will definitely work in your favour when it comes to site speed.

Here are some further tips:

  • Show only an extract of blog posts instead of their full content.
  • Set the number of posts per page to a few, ideally 5-7.
  • Ensure that sharing plugins and widgets are only present on the blog pages, and not on your home page.
  • Ensure that there are no inactive plugins on your website.

To the Point…

When in doubt, review your hosting provider. Establish contact with them and share your concerns. If you are certain that the provider is not the main cause behind the problem, take a look at your site’s structure and design. Keep your site clean, simple and easy to navigate.

Choosing a SSL certificate

A Secured Socket Layer, or SSL, is a standardised tool that is used to allow the secure, encrypted exchange of information between the web browser and the web server.

In order to create this secure connection, an SSL Certificate is installed on a webserver for the purpose of authenticating the identity of the website and encrypting the data that is being sent and received.

Different SSL Certificates Can Include:

Domain Validation (DV)

A Domain Validated SSL certificate is given once the owner has given proof of rights to use the domain.

The CA usually sends the owner of the domain (as is recorded in a WHOIS database) an email. The certificate s issued upon receiving response from the owner. Further fraud checks may be performed in order to reduce the occurrence of a certificate being issued to a domain that is close to a high value domain (example: g00gle.com, yah00.com, Micros0ft.com)

The certificate only contains the domain name, and is therefore usually issued faster than any other kind of certificate due to the few checks that are done. Even though the browser shows a padlock, the certificate, the company name would not have been validated and hence would not be shown to the user of the browser.

Organizational Validation (OV)

For OV certificates, CAs have to check the company and domain name as well as other information by using public databases. Additionally, CAs may use other methods to ensure the accuracy of the information added to the certificate.

The certificate will show the company and domain name, and hence is the minimum type of certificate that is suggested for ecommerce transactions as it supplies the consumer with further information about the business.

Extended Validation (EV)

EV certificates are only given after an entity advances through a rigorous authentication process. The checks that are performed on this kind of certificate are considerably stricter than of those performed with OV certificates.

The goals in this process include:

  • Establish the identity of the legal body that controls a website: Provide the user of an Internet Browser with substantial affirmation that the website being accessed is headed by a legal entity that is shown in the certificate and identified by name, address, business location, jurisdiction of incorporation or registration as well as the registration number or other information specific to the entity.
  • Enable a Website with encrypted communications: Enable encrypted and secure communication to information between the user of a web browser and a website over the Internet. (This is the same as OV and DV certificates)

The other objective of an EV Certificate is to assist in determining the legitimacy of a business that claims to run a website or provide executable code, as well as to supply a vehicle for the purpose of helping in phishing, malware and other forms of online identity fraud. By EV Certificates Providing more authentic third-party identity and address information about the business, they help with:

  1. Enhancing prevention of mount phishing as well as other online identity fraud attacks through the use of Certificates.
  2. Providing companies who could possibly be the victims of phishing attacks or online identity fraud with a tool to increase their chances of being accurately identified by users.
  3. Providing law enforcement organizations with assistance in phishing and other online identity fraud investigations, which may include establishing contact with, investigation of or legal action against the cases in question.

Due to the rigorous evaluation processes used by CAs to assess the accuracy of the applicant’s information, the provision of EV certificates will typically take longer, as opposed to the time taken with other certificates.

A description of this process can be found here.  https://www.cabforum.org/vetting.html. The resultant EV SSL certificate will show the information here: https://www.cabforum.org/contents.html.

 

The Benefits of CDN for Bloggers

As someone who owns a blog, you are aware of how important it is to establish an appealing online presence.

What typically gets overlooked, however, is the potential gains available of using speed-enhancing technologies such as a content distribution network (CDN).

Therefore, we are going to provide you with the main benefits that all bloggers should consider.

Understanding Exactly What a CDN is

A CDN is a system of interconnected cache servers that use geographical data as a system for delivering content for internet users. The content is served up from a server that is positioned in a location that is as close to the user as possible.

As the served-up data is cached, fresh files are not needed to be accessed each time; so there are copies of the files and data on each of these servers in order to ensure speedy delivery. The purpose of this is to reduce your main server or database’s load.

CDNs don’t therefore count out your need for hosting. It provides a distributed network of servers from around the globe to assist your blog in loading requested pages from your readers.

Tips to Consider:

  1. Swift Serving of Your Content and Pages

A CDN allows vigorous improvement in speed for your readers by serving up all static content (ie. images, scripts, and stylesheets) from the nearest server to your reader. Essentially, this means that all the data that forms these segments of your site take the quickest possible route to your reader, whatever their location. This case study provides a detailed description of these benefits of using CDNs regarding speed.

  1. Boosted Uptime

Your blog users will have not only a quicker, but a more reliable experience as a CDN networks assists the central host by delegating out the work. Many modern CDNs promise more uptime and elevated availability. This results in better load times even during periods when your blog is experiencing a significant amount of traffic.

  1. Consistent experiences for your readers no matter where they are located

Your users’ ISPs are regularly confronted with different access points and fluctuating network conditions that can result in some users experiencing slower results. Using a CDN to run your static content off of will ensure that users around the world experience your blog as if they are sitting directly next to your server.

  1. Ultimate Scalability

Your blog will be able to grow endlessly without affecting your readers’ experience in a negative manner; this is due to the highly scalable make-up of a CDN network. Therefore there will be no more hosting or hardware upgrades needed. This is arguably the most significant CDN benefit, as you have the ability to provide a consistent experience for any amount of online readers.

In Conclusion

It is important for blog owners to have some knowledge about seamless experiences for your online readers. A CDN provider will supply a concrete network on which both publishers and users can rely.

 

Evaluating CDN Providers

Choosing a suitable CDN (content delivery network) can be a daunting task if you are unsure of what to look for. It is extremely important to keep both performance and support in mind when comparing CDNs. The provider that you choose should complement your IT team and be able to integrate a CDN system into your site.

It should also be able to help you with designing and implementation strategy to make sure you are receiving maximum benefits from the CDN provider.

Most businesses need to conduct research in order to choose the right supplier for them. There are many CDN providers out there with different price points. Note that one of the biggest mistakes professionals can make is automatically assuming that all CDN providers are the same.

You should always remember to evaluate:

  • The speed and reliability of the prover’s servers.
  • The number of servers that is handled by the provider.
  • The provider’s location.
  • Whether the provider offers 24/7 customer support, as well as FTP uploads, real-time CDN usage statistics and the means to override browser caching headers.
  • Whether Origin-Pull, gzip compression and custom CNAME for secure web pages are offered.
  • Whether the provider offers dynamic content hosting.

Use the MoSoW method in order to identify your specific requirements before purchase.

Determine:

1) What you absolutely need.

2) What you should have if possible.

3) What you want to have but is not necessary.

4) What is low-priority and can be passed on for now.

In order to ensure accurate evaluation of CDNs, take note of the following:

Workable Contracts

It is typically not required by customers to sign extensive, long-term contracts; businesses can pair up with the CDN providers when support is needed, and stop during times when they are not. This ensures maximum website reliability in any conditions as changes can be made as and when needed.

Foreseeable Pricing

Flat-rate and pay-as-you-go pricing may be offered by certain CDNs. You’ll be able to pay only for bandwidth and storage. Based on the location where you serve your content, both options can be great cost-effective plans.

Reverse Proxy/Origin Pull

This feature allows simple and easy uploading by allowing you to delegate the task of automatically fetching non-cached objects to the CDN – simply by leaving your content on your origin pages and rewriting the URL such that it directs to the CDN.

Easy Integration and Swift Activation

The most important thing to remember when comparing CDNs is that you should have a sense of what you wish to achieve by using it. Will you be streaming live media or does your site contain mostly static content? Do you have specific marketing goals or are you simply wanting to generally improve the speed of your site? Ensure your chosen CDN will assist you in reaching your particular goals. CDN providers that offer simple configuration processes allow you to be up and running in a short amount of time.

Reporting in Real-Time

A CDN that has a quality reporting system that provides analytics about your network performance and bandwidth usage in real-time, will allow your business to get the maximum benefits of your investment in bandwidth and server technology. Be sure that the CDN you select also provides a predictable pricing choice, to ensure that your business won’t have to pay more during peak usage times.

Security

A CDN may also be able to provide your company with enhanced security. Anything that disrupts the pathway between a client-server connection will break or stop the flow of content.

The end user will be able to gain access to the most available server by means of a CDN. If it is developed so that traffic for the end users are only able to begin or end at its servers, the dropping of service to that particular server – due to a power trip/outage, telecom seizing, or even a DDoS attack –  would mean that your web service would stay online.

Scalability

A CDN is required to provide efficient scalability that enables companies to acquire the cost benefits of economies of scale as they develop and expand.

The most competent and valued CDNs are those that treat their clients equally – no matter the size and value of the company.

World Wide Pop Distribution

One of the most apparent cost benefits available to businesses who use CDNs is lower bandwidth pricing. CDNs that offer calculated access to main Points of Presence (POPs) near to the Internet’s main peering points ensures optimum bandwidth efficiency and enhances the deliverance of rich media content – that provide distinguishable benefits in terms of performance to your customers. The costs of your business’s bandwidth will decrease as efficiency is improved.

The Relevance of a Flawless Service Level Agreement (SLA)

An SLA is a form of measurement of a CDN provider’s network uptime. While various hosts pride themselves on 99.9 % SLAs, it is more ideal to use a provider that guarantees a 100% availability SLA. CDNs are designed to be equipped to deal with large amounts of traffic that other typical servers cannot cope with – this also means that if a CDN crashes and your website is linked to a CDN provider, nobody will be able to access your website.

Even though this is a disconcerting thought when comparing CDNs, you should essentially find a provider that has 100% uptime.

It is easy to tell if a provider is failing to meet their promise of 100% uptime as SLAs are a straightforward metric and are considerably standardized.

Throughput Performance

Although many CDNs talk about performance statistics and availability, not many talk about performance in regards to throughput, which is the genuine indicator of performance. Throughput is the rate at which files are transported to the end user.

Higher rates of transportation to the user mean higher thoroughput, which can be achieved by increased network speeds and optimized routing in order to elevate think time as well as propagation slow-down.

The best throughput-executing CDNs are those that use a routing method designed by CacheFly called TCP Anycast.

It is important to remember that not all CDNs are developed in the same manner. Content providers who are looking for the ideal CDN should evaluate them based on their specific needs and ask themselves the questions that are mentioned in the above paragraphs.

Many CDNs mirror infrastructure architecture and routing methods, and therefore, a CDN’s long-proven expertise and consistency should be noted.

Also, ensure that you are optimizing for throughput, whether you are looking for a CDN provider or already have one. Choosing the right CDN for your business can improve the performance of your website on a global scale.

© 2016 Morgan Canterbury

Theme by Anders NorenUp ↑

Contact Morgan

click here