Basic WordPress Website Security & Maintenance
Some basic security issues and how to fix them.
WordPress is an awesome CMS (content management system) that is presently powering (or should I say, empowering) 39% of the websites on the internet. That means that 455+ million websites worldwide are powered by WordPress! That also makes it a very large target for hackers and troublemakers. Keeping your site secure and error free takes some time and attention, but is absolutely necessary.
WordPress itself is very secure when it is used appropriately. It has a solid record of correcting any issues that arise quickly and transparently, but because it is such a large target there are a lot of bad apples attempting to exploit vulnerabilities in order to compromise as many sites as possible. Any website host can speak to the massive number of bots that poke at WordPress websites constantly, whether in an attempt to guess passwords and gain access that way, or through numerous other fairly easy to implement attack methods that seek the smallest security crack through which to manipulate or damage the website within. Sometimes these bots win. They deface a site or insert malware into the files to display ads or links unrelated to the compromised website’s content, or even redirect traffic to other sites.
It is not just WordPress that faces these attacks. All websites are exposed to them – that is now just part of the game when providing content on the internet. However, we seem to hear more about WordPress hacks simply because of the sheer number of WordPress sites that exist. Yet nearly all of these successful site compromises could have been easily avoided, most of them from the client’s (website owner’s) side.
The majority of web hosts today are serious about security and work hard to keep the sites they host secure. The very few who come along that do not have the ability to keep their servers secure don’t last long, and although it doesn’t take a lot of technical knowledge these days to run a couple of servers and call yourself a web host, those without true resources and abilities behind them cannot stay in business. Websites that get hacked due to insecurities on the server side are few, but it does happen. Yes, hosts should work hard to be secure, but your website’s health and well-being should not be left up to your host alone. As a site owner, there are things that you can do to ensure your website’s security, but if you are busy running a business it may become more of a headache to take these duties on yourself, or too expensive to do in-house.
There are many companies that can manage your site for you at reasonable monthly or annual rates (including Ice & Fire) and this is often a purchase that more than pays for itself in freeing up your time and allowing you to break away from your website and focus on other things. Running a business comes with headaches. Your website maintenance should not be one of them.
Have you ever used a password like “admin” or your cat’s name? Have you left the administrator username of your WordPress site as “admin”? Have you done both? Don’t worry – you are not alone. Sometimes we even use a password that we plan to change later, but never get around to it. So you end up with a username of “admin” and a password of “fluffy”.
This is one of the top reasons for a site being compromised: weak password security. Be sure you never use “admin” as a username, and make your password a combination of mixed-case letters, symbols, and numbers. If WordPress tells you that your password is ‘weak’, you can translate that into ‘easy to guess’ by a script.
These considerations should be applied to all of your passwords, from your hosting account with your service provider, to your database passwords. The more secure they all are the better off you will be.
A key component of keeping your website secure is making sure WordPress itself is updated as soon as new releases become available. This can be automated from your dashboard or through Jetpack if you use that. No matter your method, you should always keep your CMS up to date. Not doing so can lead to trouble in the long run.
There are times when you may want to wait before upgrading to a new major version, such as when WordPress 5.0 was released. There was a lot of panic and chatter about the new Gutenberg editor and the rather substantial changes it brought with it. In a case like that, auto updates would have plunged you into the new editing environment – ready or not! Even though the whole thing was made out to be more of an issue than it really was, since it was very simple and obvious from the dashboard how to install the Classic Editor, it does show that automatic core updates can sometimes be frightening. Knowing how to turn them off temporarily is a good thing. If you are interested in the details of how to configure your automatic updates, you can read this entry in the WordPress Codex if you are comfortable digging under the hood. Elegant Themes also has a very informative post on this subject.
Hacked sites are just as frequently (likely more frequently) a result of outdated plugins or themes. Most themes and plugins have regular updates, and often these updates are security related. If you fail to update to the new versions after a security concern has been identified, you leave your site open to the bad stuff! This is the stuff that often gets overlooked in small businesses where there is no one person designated to website maintenance, and the business owner is so busy themselves that the website gets pushed to the back burner. Really though, who can blame them? They are running a business and trying to grow it. Updating plugins and themes seems like busy work that can wait until later!
Outdated themes, especially those that are no longer being maintained, are a hazard to any website. You need to be sure the software you trust to run your site is being actively supported, and you need to keep it updated to ensure compatibility issues don’t creep in, or worse – security issues.
Your WordPress settings, including your database name and database login credentials, are contained in your wp-config.php file, so obviously this file should not be accessible to the public. Many hosts take care of your file permissions for you, and when WordPress is installed on your account the permissions are good to go. If you are not sure, try calling the file directly in your browser. Just type in https://your-site-dot-whatever/wp-config.php and see what happens. The result should be something like the following image:
If you actually see the contents of the file, you should immediately contact your web host. If that is not an option, you can try to correct the file permissions yourself via SFTP. If you want to go directly to the source for information on how to correct your file permissions, this support article on wordpress.org is the place to go.
If the file permissions allow other users or the web server itself to access this file directly, your configuration is not correct and you need to harden your WordPress installation immediately. If you are familiar with chmod you can quickly change the permissions on the file to 440 or even 400 while you contact your host and/or read the support article on wordpress.org linked above. Note that 400 only works when PHP runs as the file’s owner, which is the usual setup on shared hosting; if PHP runs as a separate web server user, that user still has to be able to read the file.
One more method that works is editing your .htaccess file in your web root, if that is available to you. Adding this code will keep anyone from gaining access to your configurations in a situation where the file is accessible via the browser. Actually, I can’t think of a reason not to do this anyway… if someone has one, please let me know!
# Restrict the block to wp-config.php only; "deny from all" on its own would block the whole site.
# On Apache 2.4 without mod_access_compat, use "Require all denied" instead of the two lines below.
<files wp-config.php>
order allow,deny
deny from all
</files>
Using https (Hyper Text Transfer Protocol Secure) is now something that should be automatic for anyone building a website. It means all communications between your browser and the website are encrypted.
Once upon a time, purchasing a secure certificate was an expensive, complicated process. I remember taking a form from the certificate issuing company to a lawyer, having it notarized, and then faxing it back to the cert company before I could even pay and have the certificate generated. Doing that every time you built a site that needed to be secure was an expensive, time consuming pain in the… neck. Oh how far we have come since then! Now with free SSL certificate tools like Let’s Encrypt, there is no excuse for not having your website on https instead of http. It has also become the standard, with browsers like Google Chrome marking non-https sites as ‘Not Secure’.
That doesn’t mean you necessarily should use a free SSL Certificate. There are many advantages offered by the various SSL certificate companies, such as insurance against a data breach. You should investigate according to your specific circumstances and requirements.
A further benefit of https is the ability to take advantage of the fairly new HTTP/2 protocol (wikipedia link). HTTP/2 is faster than its predecessor and requires https in order to be implemented for your site. Most hosts now offer HTTP/2 support. Without going into detail, be assured that the newer protocol makes for faster websites. If your site is not available via HTTP/2 you should check with your host to change that. There are several websites that allow you to test your site. One is http2.pro.
Being able to edit your theme and plugin files from the WordPress dashboard is a very convenient feature, especially for those who are unfamiliar with FTP and uploading files, or are not tech savvy. However, it should be turned off, and turned on only when you need to edit something. In many situations there is no need to have file editing on at all, and you can disable it for all users with one simple line of code in your wp-config.php file.
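As an added example (not code from the original post or from Ice & Fire), the following POSIX shell script audits a WordPress install for the wp-config.php points covered above: the file permissions and the .htaccess deny block from the file-permissions section, and the DISALLOW_FILE_EDIT setting from this one; it also reports the WP_AUTO_UPDATE_CORE value from the updates section. The install path is an argument you supply, and the make_demo_install function writes a constructed fixture (not a real site) so the checks can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress install
# for the wp-config.php hardening points discussed in the text. The install
# path is whatever you pass in; the demo fixture below is constructed data.

# Pass when wp-config.php is not group-writable and not readable by "other",
# i.e. modes such as 400 or 440. Parses ls(1) output so it works on GNU and BSD.
wpconfig_perms_ok() {
    f="$1/wp-config.php"
    [ -f "$f" ] || return 2
    mode=$(ls -ld "$f" | cut -c1-10)            # e.g. -rw-r--r--
    [ "$(printf '%s' "$mode" | cut -c6-10)" = "-----" ]
}

# Pass when .htaccess has a <files wp-config.php> block that denies access, in
# either Apache 2.2 ("deny from all") or Apache 2.4 ("Require all denied") form.
htaccess_protects_wpconfig() {
    h="$1/.htaccess"
    [ -f "$h" ] || return 1
    tr 'A-Z' 'a-z' < "$h" | awk '
        /<files[ \t]+"?wp-config\.php"?[ \t]*>/ { inblock = 1; next }
        /<\/files>/                              { inblock = 0 }
        inblock && (/deny from all/ || /require all denied/) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the value of a define('NAME', value) line in wp-config.php (quotes
# stripped), or nothing if the constant is not defined.
wpconfig_define_value() {
    f="$1/wp-config.php"
    [ -f "$f" ] || return 1
    sed -nE "s/^[[:space:]]*define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]?([^'\"[:space:])]*)['\"]?[[:space:]]*\).*/\1/p" "$f" | head -n 1
}

# Pass when the constant is defined as true (PHP's true is case-insensitive).
wpconfig_define_is_true() {
    v=$(wpconfig_define_value "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$v" = "true" ]
}

# Human-readable report; the return code is the number of failed checks.
audit_wp_install() {
    dir="$1"; fails=0
    if wpconfig_perms_ok "$dir"; then echo "OK   wp-config.php permissions"
    else echo "FAIL wp-config.php is group-writable or world-readable (try chmod 400)"; fails=$((fails+1)); fi
    if htaccess_protects_wpconfig "$dir"; then echo "OK   .htaccess denies wp-config.php"
    else echo "FAIL no <files wp-config.php> deny block in .htaccess"; fails=$((fails+1)); fi
    if wpconfig_define_is_true "$dir" DISALLOW_FILE_EDIT; then echo "OK   DISALLOW_FILE_EDIT is true"
    else echo "FAIL DISALLOW_FILE_EDIT is not set (dashboard file editor is enabled)"; fails=$((fails+1)); fi
    auto=$(wpconfig_define_value "$dir" WP_AUTO_UPDATE_CORE)
    echo "INFO WP_AUTO_UPDATE_CORE = ${auto:-<not set>}"
    return "$fails"
}

# Constructed demo fixture (not a real site): writes a weak or a hardened install.
make_demo_install() {             # make_demo_install DIR weak|hardened
    mkdir -p "$1"
    if [ "$2" = "hardened" ]; then
        cat > "$1/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'demo_db' );
define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
EOF
        cat > "$1/.htaccess" <<'EOF'
<files wp-config.php>
order allow,deny
deny from all
</files>
EOF
        chmod 400 "$1/wp-config.php"
    else
        printf '<?php\ndefine( "DB_NAME", "demo_db" );\n' > "$1/wp-config.php"
        chmod 644 "$1/wp-config.php"
    fi
}

# Usage: sh audit.sh /path/to/wordpress
if [ $# -gt 0 ]; then audit_wp_install "$1"; fi
```

Run it against the document root of the site; a non-zero exit status is the number of failed checks, which makes it easy to wire into a cron job or a monitoring script.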
There is an old saying that goes something like this: “No one needs backups, until they do.”
Back up your site regularly, including your MySQL databases. See this article on WordPress.org – Backing Up Your Database – for more complete information.
You should make frequent backups of your site and be familiar with the process of restoring your site from a backup. Daily, sequential backups mean you always have something close to perfect to restore your site from if something bad happens.
At Ice & Fire Hosting all of our hosting accounts are automatically backed up daily, with at least 14 days’ worth of saved backups kept at all times. Nobody wants bad things to happen to their website. If it does happen though, you want to be able to recover quickly – from backups.
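As an added example (not code from the original post or from Ice & Fire), here is a POSIX shell routine that does what the backup section describes: a dated database dump with the credentials read from wp-config.php, a tar archive of the site files, and pruning of anything older than a retention window. The paths and the 14-day default are assumptions (the window matches the retention mentioned above), and the make_demo_backups function creates constructed files so the pruning logic can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the original post: daily WordPress backup with
# retention. Paths and the 14-day window are assumptions; the fixture is constructed.

# Print the value of define('NAME', value) from wp-config.php, quotes stripped.
# Limitation: values containing quotes, ')' or whitespace are not parsed.
wp_define() {                      # wp_define WP_DIR NAME
    sed -nE "s/^[[:space:]]*define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]?([^'\"[:space:])]*)['\"]?[[:space:]]*\).*/\1/p" "$1/wp-config.php" | head -n 1
}

# One dated backup: gzipped SQL dump plus a tar of the whole install
# (wp-config.php, uploads, themes, plugins). Returns 1 if mysqldump is missing.
backup_wp_site() {                 # backup_wp_site WP_DIR BACKUP_DIR
    wp="$1"; out="$2"; stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$out"
    db=$(wp_define "$wp" DB_NAME);     user=$(wp_define "$wp" DB_USER)
    pass=$(wp_define "$wp" DB_PASSWORD); host=$(wp_define "$wp" DB_HOST)
    if command -v mysqldump >/dev/null 2>&1; then
        # Password via environment so it does not show up in the process list;
        # --single-transaction gives a consistent InnoDB snapshot without locking tables.
        MYSQL_PWD="$pass" mysqldump --single-transaction -h "${host:-localhost}" -u "$user" "$db" \
            | gzip > "$out/db-$stamp.sql.gz" || return 1
    else
        echo "mysqldump not found; database not backed up" >&2; return 1
    fi
    tar -czf "$out/files-$stamp.tar.gz" -C "$(dirname "$wp")" "$(basename "$wp")"
}

# Delete backups older than DAYS full days (default 14); prints how many were removed.
prune_old_backups() {              # prune_old_backups BACKUP_DIR [DAYS]
    days="${2:-14}"
    n=$(find "$1" -type f \( -name 'db-*.sql.gz' -o -name 'files-*.tar.gz' \) \
            -mtime +"$days" -print | wc -l | tr -d ' ')
    find "$1" -type f \( -name 'db-*.sql.gz' -o -name 'files-*.tar.gz' \) \
            -mtime +"$days" -exec rm -f {} +
    echo "$n"
}

# Constructed demo fixture (not real backups): two current and two stale files.
make_demo_backups() {              # make_demo_backups BACKUP_DIR
    mkdir -p "$1"
    : > "$1/db-today.sql.gz";  : > "$1/files-today.tar.gz"
    : > "$1/db-old.sql.gz";    : > "$1/files-old.tar.gz"
    touch -t 202001010000 "$1/db-old.sql.gz" "$1/files-old.tar.gz"   # far outside any window
}

# Usage (e.g. from a daily cron entry): sh backup.sh /path/to/wordpress /path/to/backups
if [ $# -ge 2 ]; then
    backup_wp_site "$1" "$2" && echo "pruned $(prune_old_backups "$2" 14) old backup file(s)"
fi
```

Keep the backup directory outside the web root and, ideally, copy it off the server as well; a backup sitting next to a compromised site is only as safe as the site. Practise a restore (import the dump, unpack the archive) before you need it.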
Well, kinda. This post is likely going to have more content added to it over time. But for now, I hope you have gained an idea or two about how to ensure your site is healthy and clean!
Just as important is the fact that you don’t have to manage your site yourself. You don’t have to be the one performing security scans and plugin updates. You don’t have to worry about updates breaking your site. You don’t have to allow your website to cause you more stress. There are a multitude of companies who perform these services, allowing you to focus on your business and stop worrying about your website. Relax and let someone else worry about your site!
If you would like more information on Ice & Fire’s WordPress Site Care Plan, you can drop us a line using the contact form below, or visit this page to sign up or get more information on what our package provides.
To get information faster, click here to start a conversation with us in Facebook Messenger!
We also offer more complete site management plans. Whatever the level of management you need, we can help you stop worrying about your website!