Improve WP Security Disable Comments and Hotlinking


(Ananova News) January 20, 2023.

Often spammers leave malicious links in comments or use someone’s else image without permission (hotlinking). Miscreants very conveniently steal images and use the image URL directly on the website, which is served from the original location. Most images have licensing restrictions attached to them like no commercial use under any circumstances. Without paying for the license, the hotlinking allows them to use the image. Digital assets need proper attribution to the original creator.

To disable comments and hotlinking, log in to your WordPress dashboard and navigate to the “Settings” section.

  • From there, click on the “Discussion” tab and scroll down to the “Other Comment Settings” section.
  • Uncheck the box next to the “Allow people to post comments on new articles” option and click on the “Save Changes” button.

To disable hotlinking, you will need to add a few lines of code to your website’s .htaccess file.
WordPress.com uses CDN to speed up the delivery of your assets with hotlink protection.
Technical experts always suggest keeping software (theme, plugins, third-party add-ons, and WordPress Core) updated and up-to-date with the latest fixes. Always use strong and unique logins and passwords to secure accounts. Hence, it is always suggested to have managed WordPress hosting, as the provider monitors website security, takes regular backups, and keeps them up.

Companies like WordPress.com have the expertise to protect hosted websites from cyber attacks, breaches, hacking, identity and access management (IAM), malware and vulnerabilities, and phishing. They take care of updating WordPress core, themes, plugins, and PHP, disabling external URL requests, and implementing SSL. They keep regular backups, which ensure business continuity. A secured website has a good online reputation, so businesses prioritise security. Every eCommerce store and business website needs protection against cyberattacks, malware, and viruses. Businesses want to protect data as well as sensitive information and thus want to ensure website functionality and online reputation. Hence, it asks for crucial security measures. Google penalises or blacklists malicious or phishing websites.

Disable PHP Error Reporting


(Ananova News) January 20, 2023.

PHP error reporting feature displays errors and warnings on the website when something goes wrong. For debugging purpose, it is very useful, but pose a security threat, when reveals sensitive information. Furthermore, looks unprofessional if errors or warning messages displays on the website.

Thus, the feature is disabled, by inserting the following code in the wp-confifg.php file.


ini_set('display_errors','Off');
ini_set('error_reporting', E_ALL );
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);

Technical experts always suggest keeping software (theme, plugins, third-party add-ons, and WordPress Core) updated and up-to-date with the latest fixes. Always use strong and unique logins and passwords to secure accounts. Hence, it is always suggested to have managed WordPress hosting, as the provider monitors website security, takes regular backups, and keeps them up.

Companies like WordPress.com have the expertise to protect hosted websites from cyber attacks, breaches, hacking, identity and access management (IAM), malware and vulnerabilities, and phishing. They take care of updating WordPress core, themes, plugins, and PHP, disabling external URL requests, and implementing SSL. They keep regular backups, which ensure business continuity. A secured website has a good online reputation, so businesses prioritise security. Every eCommerce store and business website needs protection against cyberattacks, malware, and viruses. Businesses want to protect data as well as sensitive information and thus want to ensure website functionality and online reputation. Hence, it asks for crucial security measures. Google penalises or blacklists malicious or phishing websites.

Disable External URL Requests


(Ananova News) January 19, 2023.

External URL requests are requests made by your website to external websites or servers. For some functionality and a better experience, there may be a need to tap into other sites or services. While these requests can be useful, they can also present a security risk if they are not properly configured or may respond slower than intended. If external sources respond slowly they might affect the website’s performance. The website is being held back by the external resources it’s trying to load.

To better enhance the security of your website, you may want to consider disabling external URL requests.

To disable external URL requests, you will need to edit your website’s wp-config.php file. Insert the following code into the file:

define(‘WP_HTTP_BLOCK_EXTERNAL’, true);

  • This will block external URL requests on your website.
public function block_request( $uri ) {
	// We don't need to block requests, because nothing is blocked.
	if ( ! defined( 'WP_HTTP_BLOCK_EXTERNAL' ) || ! WP_HTTP_BLOCK_EXTERNAL ) {
		return false;
	}

	$check = parse_url( $uri );
	if ( ! $check ) {
		return true;
	}

	$home = parse_url( get_option( 'siteurl' ) );

	// Don't block requests back to ourselves by default.
	if ( 'localhost' === $check['host'] || ( isset( $home['host'] ) && $home['host'] === $check['host'] ) ) {
		/**
		 * Filters whether to block local HTTP API requests.
		 *
		 * A local request is one to `localhost` or to the same host as the site itself.
		 *
		 * @since 2.8.0
		 *
		 * @param bool $block Whether to block local requests. Default false.
		 */
		return apply_filters( 'block_local_requests', false );
	}

	if ( ! defined( 'WP_ACCESSIBLE_HOSTS' ) ) {
		return true;
	}

	static $accessible_hosts = null;
	static $wildcard_regex   = array();
	if ( null === $accessible_hosts ) {
		$accessible_hosts = preg_split( '|,\s*|', WP_ACCESSIBLE_HOSTS );

		if ( false !== strpos( WP_ACCESSIBLE_HOSTS, '*' ) ) {
			$wildcard_regex = array();
			foreach ( $accessible_hosts as $host ) {
				$wildcard_regex[] = str_replace( '\*', '.+', preg_quote( $host, '/' ) );
			}
			$wildcard_regex = '/^(' . implode( '|', $wildcard_regex ) . ')$/i';
		}
	}

	if ( ! empty( $wildcard_regex ) ) {
		return ! preg_match( $wildcard_regex, $check['host'] );
	} else {
		return ! in_array( $check['host'], $accessible_hosts, true ); // Inverse logic, if it's in the array, then don't block it.
	}

Courtesy: https://developer.wordpress.org/reference/classes/wp_http/block_request/

Technical experts always suggest keeping software (theme, plugins, third-party add-ons, and WordPress Core) updated and up-to-date with the latest fixes. Always use strong and unique logins and passwords to secure accounts. Hence, it is always suggested to have managed WordPress hosting, as the provider monitors website security, takes regular backups, and keeps them up.

Companies like WordPress.com have the expertise to protect hosted websites from cyber attacks, breaches, hacking, identity and access management (IAM), malware and vulnerabilities, and phishing. They take care of updating WordPress core, themes, plugins, and PHP, disabling external URL requests, and implementing SSL. They keep regular backups, which ensure business continuity. A secured website has a good online reputation, so businesses prioritise security. Every eCommerce store and business website needs protection against cyberattacks, malware, and viruses. Businesses want to protect data as well as sensitive information and thus want to ensure website functionality and online reputation. Hence, it asks for crucial security measures. Google penalises or blacklists malicious or phishing websites.

Maintain WP Security Implement SSL for WordPress Website


(Ananova News) January 19, 2023.

Secure Sockets Layer (SSL) security protocol encrypts the data transmitted between your website and users’ browsers. It ensures that the information coming to and from your website is secure. Thus, helping to prevent hackers from intercepting sensitive information. SSL-secured websites contain a certificate that verifies a secured connection. 

SSL is an important aspect to maintain security and a must for every website – Rohit Kumar (Ananova Expert Team). Let’s Encrypt provides free SSL, so, there should be no hesitation to implement the same.

It’s recommended to purchase premium SSL from a reputable provider like Instant SSL, cPanel.net or Namecheap. It’s easy to install and configure on the most cPanel control panel.

An eCommerce customer wants to read HTTPS in the website URL, to consider it secure. SSL encryption is a must for websites collecting sensitive information such as Credit Card numbers, entering user names and passwords, health data, financial accounts, or any other private information.

Most browsers like Google Chrome and Firefox warn the visitor if the website doesn’t have an SSL certificate or has mixed content. 

“This website might not be secure.” – for websites that do not have SSL.

The browser displays a small lock image before the URL when clicked provides information about the certificate holder, the issued by, the expiration date, the issuer’s public key and a digital signature of the certificate issuer.

There are three different types of SSL certificates: domain validated (DV), organization validation (OV) and extended validation (EV). 

  • DV SSL for personal websites is the least expensive option. It requires that the website owner verify that the domain is registered to the domain owner, which is done through the WHOIS database.
  • OV SSL for business or nonprofit websites, and requires a higher level of verification. The SSL certificate issuer verifies the address and location of the owner.
  • EV SSL for e-commerce businesses and businesses exchanging financial data as it offers the most amount of protection. The certificates offer the highest monetary warranties to any website viewers affected by an SSL failure.

Technical experts always suggest keeping software (theme, plugins, third-party add-ons, and WordPress Core) updated and up-to-date with the latest fixes. Always use strong and unique logins and passwords to secure accounts. Hence, it is always suggested to have managed WordPress hosting, as the provider monitors website security, takes regular backups, and keeps them up.

Companies like WordPress.com have the expertise to protect hosted websites from cyber attacks, breaches, hacking, identity and access management (IAM), malware and vulnerabilities, and phishing. They take care of updating WordPress core, themes, plugins, and PHP, disabling external URL requests, and implementing SSL. They keep regular backups, which ensure business continuity. A secured website has a good online reputation, so businesses prioritise security. Every eCommerce store and business website needs protection against cyberattacks, malware, and viruses. Businesses want to protect data as well as sensitive information and thus want to ensure website functionality and online reputation. Hence, it asks for crucial security measures. Google penalises or blacklists malicious or phishing websites.

Improve WP Security: Disable PHP File Execution


(Ananova News, January 19, 2023.
Disabling PHP in specific writeable directories stops the PHP execution process. While it’s enabled with proper configuration in some directories. The hackers attempt to break the website by uploading backdoor access files or malware in the PHP code of WordPress files to gain access to the website. The.htaccess file can be used to disable PHP execution.
Insert the following code into the .htaccess file in a directory:

php_flag engine off
<Files *.php>
deny from all
<Files>

Technical experts always suggest keeping software (theme, plugins, third-party add-ons, and WordPress Core) updated and up-to-date with the latest fixes. Always use strong and unique logins and passwords to secure accounts. Hence, it is always suggested to have managed WordPress hosting, as the provider monitors website security, takes regular backups, and keeps them up.

Companies like WordPress.com have the expertise to protect hosted websites from cyber attacks, breaches, hacking, identity and access management (IAM), malware and vulnerabilities, and phishing. They take care of updating WordPress core, themes, plugins, and PHP, disabling external URL requests, and implementing SSL. They keep regular backups, which ensure business continuity. A secured website has a good online reputation, so businesses prioritise security. Every eCommerce store and business website needs protection against cyberattacks, malware, and viruses. Businesses want to protect data as well as sensitive information and thus want to ensure website functionality and online reputation. Hence, it asks for crucial security measures. Google penalises or blacklists malicious or phishing websites.

Secured WordPress Hosting


(Ananova News) January 11, 2023.

Choosing a secured WordPress web hosting provider is a must, and with that, a business website may need security plugins like Jetpack or Wordfence. Along with the provider, a business also purchases security software as an essential aspect of maintaining website security. It’s expected of a web hosting provider to prevent cyberattacks and malware or virus threats. So, Ananova always recommends going with well-known hosting companies. You can check their track records and security features, such as SSL certificates, firewall protection, and malware scanning, by looking them up online or doing some research.

Technical experts always suggest keeping software (theme, plugins, third-party add-ons, and WordPress Core) updated and up-to-date with the latest fixes. Always use strong and unique logins and passwords to secure accounts. Hence, it is always suggested to have managed WordPress hosting, as the provider monitors website security, takes regular backups, and keeps them up.

Companies like WordPress.com have the expertise to protect hosted websites from cyber attacks, breaches, hacking, identity and access management (IAM), malware and vulnerabilities, and phishing. They take care of updating WordPress core, themes, plugins, and PHP, disabling external URL requests, and implementing SSL. They keep regular backups, which ensure business continuity. A secured website has a good online reputation, so businesses prioritise security. Every eCommerce store and business website needs protection against cyberattacks, malware, and viruses. Businesses want to protect data as well as sensitive information and thus want to ensure website functionality and online reputation. Hence, it asks for crucial security measures. Google penalises or blacklists malicious or phishing websites.

Disable Access to wp-config.php on WordPress


(Ananova News) January 04, 2023.

Ananova technical experts recommend disabling access to wp-config. PHP to secure WordPress thus preventing unauthorized access. The file contains sensitive information like database credentials, configuration settings and security keys. The administrators can change table prefixes, relocate core WordPress file folders like wp-pluginswp-uploads, and wp-content, and perform other advanced configurations.

<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the web site, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * Database settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */
 
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'database_name_here' );
 
/** Database username */
define( 'DB_USER', 'username_here' );
 
/** Database password */
define( 'DB_PASSWORD', 'password_here' );
 
/** Database hostname */
define( 'DB_HOST', 'localhost' );
 
/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
 
/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
 
/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
 
/**#@-*/
 
/**
 * WordPress database table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';
 
/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );
 
/* Add any custom values between this line and the "stop editing" line. */
 
 
 
/* That's all, stop editing! Happy publishing. */
 
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}
 
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

Courtesy: https://jetpack.com/blog/wp-config-php/

How To Disable Access to wp-config.php Using .htaccess

# to protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Here “deny all” will deny everyone access to wp-config.php.

Disable File Editing on WordPress


(Ananova News) January 04, 2023.

WordPress code editor enables editing theme and plugin files directly from wp-admin. Precautionary it is recommended to turn it off, as it is a potential security hazard. Version after 4.9 can catch fatal errors and does not parse the code till they are resolved. Furthermore, it stops the hacker with administrator access by changing themes or plugins and inserting malicious code.

How to Disable file editing in WordPress admin?

  • Log into the control panel.
  • Open File Manager under Files & Security.
  • Locate the file wp-config.
  • Click Edit in the menu bar at the top of your screen.
  • Search wp-config for ‘DISALLOW_FILE_EDIT’, and DISALLOW_FILE_MODS’ and set it to “true”
define('DISALLOW_FILE_EDIT', true);
define( 'DISALLOW_FILE_MODS', true );

Recently, a security alert revealed that WordPress websites on Linux were targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems. The targeted websites were injected with malicious JavaScript retrieved from a remote server. As a result, when visitors click on any area of an infected page, they are redirected to another arbitrary website of the attacker’s choice.

The disclosure comes weeks after Fortinet FortiGuard Labs detailed another botnet called GoTrim that’s designed to brute-force self-hosted websites using the WordPress content management system (CMS) to seize control of targeted systems. In June 2022, the GoDaddy-owned website security company shared information about a traffic direction system (TDS) known as Parrot that has been observed targeting WordPress sites with rogue JavaScript that drops additional malware onto hacked systems. Last month, Sucuri noted that more than 15,000 WordPress sites had been breached as part of a malicious campaign to redirect visitors to bogus Q&A portals. The number of active infections currently stands at 9,314. January 03, 2023, BleepingComputer reports thirty security vulnerabilities in numerous outdated WordPress plugins and themes are being leveraged by a novel Linux malware to facilitate malicious JavaScript injections. Dr. Web reported that malware compromised both 32- and 64-bit Linux systems, and uses a set of successively running hardcoded exploits to compromise WordPress sites.

You can look to the Ananova selected top hosting providers at: https://ananova.com/best-hosting-providers

The key players listed in the list include Liquidweb, WordPress.com, A2Hosting, GreenGeeks, Namecheap, Inmotionhosting, Resellerspanel, Hostgator, Interserver, Sitevalley, Webhostingpad, Bluehost, Hostmonster, Fatcow, IPower, Weebly, Shopify, Accuwebhosting, WPEngine, Cloudways, Hostens and many more.

WordPress Security on Stake


(Ananova News) January 04, 2023.

WordPress plugin flaws leveraged by novel Linux malware

Recently, a security alert revealed that WordPress websites on Linux were targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems. The targeted websites were injected with malicious JavaScript retrieved from a remote server. As a result, when visitors click on any area of an infected page, they are redirected to another arbitrary website of the attacker’s choice.

The disclosure comes weeks after Fortinet FortiGuard Labs detailed another botnet called GoTrim that’s designed to brute-force self-hosted websites using the WordPress content management system (CMS) to seize control of targeted systems. In June 2022, the GoDaddy-owned website security company shared information about a traffic direction system (TDS) known as Parrot that has been observed targeting WordPress sites with rogue JavaScript that drops additional malware onto hacked systems. Last month, Sucuri noted that more than 15,000 WordPress sites had been breached as part of a malicious campaign to redirect visitors to bogus Q&A portals. The number of active infections currently stands at 9,314. January 03, 2023, Bleeping Computer reports thirty security vulnerabilities in numerous outdated WordPress plugins and themes are being leveraged by a novel Linux malware to facilitate malicious JavaScript injections. Dr. Web reported that malware compromised both 32- and 64-bit Linux systems, and uses a set of successively running hardcoded exploits to compromise WordPress sites.

Outdated and vulnerable plugins and themes

It involves weaponizing a list of known security vulnerabilities in 19 different plugins and themes that are likely installed on a WordPress site. These infected themes or plugins prompt the malware to retrieve malicious JavaScript from its command-and-control server prior to script injection. The hacker can deploy an implant to target specific websites to expand the network for phishing and malvertising campaigns, as well as malware distribution initiatives.

Doctor Web revealed the targeted plugins and themes –

  • WP Live Chat Support
  • Yuzo Related Posts
  • Yellow Pencil Visual CSS Style Editor
  • Easy WP SMTP
  • WP GDPR Compliance
  • Newspaper (CVE-2016-10972)
  • Thim Core
  • Smart Google Code Inserter (discontinued as of January 28, 2022)
  • Total Donations
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Live Chat with Messenger Customer Chat by Zotabox
  • Blog Designer
  • WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • ND Shortcodes
  • WP Live Chat
  • Coming Soon Page and Maintenance Mode
  • Hybrid
  • Brizy
  • FV Flowplayer Video Player
  • WooCommerce
  • Coming Soon Page & Maintenance Mode
  • Onetone
  • Simple Fields
  • Delucks SEO
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher, and
  • Rich Reviews

Technical experts always suggest keeping software (theme, plugins, third-party add-ons & WordPress Core) updated and up-to-date with the latest fixes. Always use strong and unique logins and passwords to secure accounts. Hence, it is always suggested to have managed WordPress Hosting, as the provider monitors website security, takes regular backup, and always keep them up.

The companies like WordPress.com have got the expertise to protect hosted websites from cyber attacks, breaches, hacking, Identity and access management (IAM), Malware and Vulnerabilities, and Phishing. They take care of updating WordPress core, themes, plugins, and PHP, disabling external URL requests, and implementing SSL. They keep regular backups which ensure business continuity. A secured website has a good online reputation, thus businesses prioritise security. Every eCommerce store and business website needs protection against cyberattacks, malware, & viruses. Businesses want to protect data as well as sensitive information and thus want to ensure website functionality and online reputation. Hence, asks for crucial security measures. Google penalises or blacklists malwarised or phishing websites.

WordPress.com for Bloggers


(Ananova News) January 03, 2022.

By 2028, Global Blog Software on the basis of its comprehensive study reveals that the blogging industry will be around $8 billion. The study comprises of the macro and micro factors responsible for growth trajectory and restraining posting threat to the global blog software market. Their research is a consolidation of primary and secondary research and consists of both qualitative and quantitative detailing.

WordPress.com is the key market player in the Blog software market. The company has a huge global economic impact on the hosting industry. From personal to professional websites, WordPress.com provides fast and reliable hosting services to cater for each and every market. The provider takes care of the client’s website against online threats and offers a 100% uptime guarantee. The customers can scale up their WordPress website. Ananova considers its customer support services fast and efficient.

You can look to the Ananova selected top WordPress hosting providers at: https://ananova.com/best-hosting-providers

The key players listed in the list include Liquidweb, WordPress.com, A2Hosting, GreenGeeks, Namecheap, Inmotionhosting, Resellerspanel, Hostgator, Interserver, Sitevalley, Webhostingpad, Bluehost, Hostmonster, Fatcow, IPower, Weebly, Shopify, Accuwebhosting, WPEngine, Cloudways, Hostens and many more.

Technical experts always suggest keeping software (theme, plugins, third-party add-ons & WordPress Core) updated and up-to-date with the latest fixes. Always use strong and unique logins and passwords to secure accounts. Hence, it is always suggested to have managed WordPress Hosting, as the provider monitors website security, takes regular backup, and always keep them up.