WordPress hosting unlimited speed with security

WordPress Hosting Security

It comes as no surprise that WordPress hosting has dominated the web since its launch. The WP package offers speed, security and capability, and it delivers what is promised, with no false claims. The services do not come cheap for a WordPress portal, but you need to pay for the best to get the best, along with the easy maintenance that comes as a guarantee.

When it comes to breaches of web portals, an in-depth look at the security offered by the web hosting company is a prerequisite. Doubts have been raised about the security of WordPress web portals. WordPress has been considered one of the most secure platforms one can choose for a site, and the platform offers protected plug-ins, which has been its leverage against the Windows and Linux platforms. Although questioned, the security offered by WordPress came out clean: it offers strong passwords, and when the site runs the latest version of the platform, security is kept intact by the vigilant WordPress security staff. If you are still skeptical about the kind of security WordPress offers, the CMS platform is one of the most secure networks on the Internet. In 2009 the WordPress company took some hard knocks in web publishing when some of its security vectors were exploited. That was years ago, and as soon as the company heard of the breach the core team added patches, and the WordPress codebase began to look like Fort Knox.

WordPress offers a new security patch every few weeks to fight the latest software attacks and viruses. Since updating WordPress is easy, an update every few weeks does not become overbearing. WP takes site security so seriously that the company has even put its own money at stake. What more can a person ask? And if that does not satisfy you, portals hosted on WordPress come with free virus cleaning, which no doubt gives a lot of customers peace of mind.

Daily backups and one-click restoration to a known-secure point in time are a couple of brownie points, with the guarantee that going back in time can fix your current problems. Third-party plug-ins are installed for your site by the WP back-end support system, which also reinforces the protection system.

Another feature the WordPress system boasts is a staging area: when you need to update a plugin or change the theme or look of your site, the system tests the change in the staging area before publishing it on the internet, so that your live site does not break if a plug-in is not working and the problem can be rectified first.

WordPress takes care of information such as the average number of visitors to your site and bandwidth use, as well as the host’s system status, links to the WP Engine blog and the company’s latest tweets. The account is simple, with settings like domain, CDN, redirect rules, backup points, error logs and phpMyAdmin, and the portal is easy to use even for a non-technical person because the settings are very basic and the company takes care of the technicalities.

When it comes to speed, WordPress Engine’s uptime and response times were almost faultless. The site is up 99.99% of the time, with downtime of just 8 minutes. The web hosting package comes with integrated features like the SEOMoz API, complete with automatic links, sitemaps and SEO optimization in the WordPress setup. Nothing else compares with this hefty feature line-up, and the WordPress package definitely proves to be the safest and most steadfast tortoise in the industry.

WordPress Security

  • Upload the WordPress files and folders into a directory with a hard-to-predict name, like cpweb or here or anything else. A trick can hide this directory so that WordPress appears to be installed in the home directory: go to Settings -> General and delete the sub-directory name from the Site Address (URL) field. The site address is the perceived address and the WordPress Address (URL) is the physical address. Copy the .htaccess and index files to the root of the domain, edit them and change the last line showing:
  • Change the table prefix while creating the configuration file, as it makes things tougher for hackers.
  • Put unique phrases in the salts of the wp-config.php file. It can be generated using WordPress
  • Don’t use admin as the user name when setting up your site: admin is the default user, so every hacker might try to attack it. Choose a name other than admin.
  • It is very important to secure the wp-config.php file and the wp-content directory; the rest of the files you can delete and upload again. All uploaded files are stored in the wp-content folder, and the database connection details are saved in the wp-config.php file.

Quick security tips for a WordPress Site – CPWebHosting


1. Stay Updated : The most important tip for securing self-hosted WordPress websites is also the most obvious: WordPress provides updates with security fixes all the time. When you get the notification in the admin panel, don’t ignore it! It’s the single most effective way to secure your site from attacks, and yet so many people leave their site (and their client sites) un-updated for fear of breaking their themes and/or plug-ins.

2. Create Custom Secret Keys for Your wp-config.php File : All of the confidential details for your WordPress site are stored in the wp-config.php file in your WordPress root directory. Secret keys are one of the bits of information stored in that file.

3. Change the Database Prefix : A lot of the basic setup for WordPress is the same across lots of sites… especially if you use a one-step install wizard through your web host. This is super convenient, but as a result lots of common setup values, like your database prefix(es), are known to hackers.

4. Protect your wp-config.php File : As mentioned earlier, the wp-config.php file contains all the confidential details of your site. So it’s pretty important that you protect it at all costs. An easy way to protect this file is to simply place the following code in your .htaccess file on your server.

5. Protect your .htaccess File : We can protect our wp-config.php file as mentioned above, but what about protecting the .htaccess file itself? Don’t worry; we can use the same .htaccess file to protect it from being preyed upon.

6. Hide Your WordPress Version : Another good idea is to remove the generator meta tag for WordPress. This meta tag shows the version of your WordPress site. If the WordPress version is exposed, hackers will know the security weaknesses of your website.

7. Install WordPress Security Scan Plug-in : This is a good plug-in which scans your WordPress installation and gives suggestions accordingly. This plug-in checks the following:

  • Passwords
  • File Permissions
  • Database Security
  • WordPress Admin protection

8. Limit the Number of Failed Login Attempts : This nice plug-in can limit the number of failed login attempts; useful in case someone is trying to guess your password manually or using a robot.

9. Ask Apache Password Protect : Here is one better plug-in, provided by Ask Apache. You can protect your site with 401 authorization in easy steps, all of which you can manage from the WordPress admin panel.

10. Don’t Use “admin” As Your Username (and Pick Strong Passwords) : This one’s perhaps the easiest of them all – WordPress normally will set up your main admin account name as “admin”, so it’s usually the first username that hackers will try. As of version 3.0 you can change this during the initial set-up, but it’s easy to forget that you can go back and change it even if you set up your site before version 3.0. So, pick a name other than admin.
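
The salt and table-prefix advice in the checklist above and in tips 2 and 3 can be checked mechanically against a site's wp-config.php. The following Python audit is an added example, not part of the original article or of WordPress; the `min_len` threshold, the function names and the sample values are assumptions of the example.

```python
import re

# Constant names and placeholder text as shipped in wp-config-sample.php.
SALT_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)


def audit_wp_config(text, min_len=32):
    """Return findings for wp-config.php source text (PHP comments are not parsed)."""
    defines = {m.group(1): m.group(3) for m in DEFINE_RE.finditer(text)}
    findings, seen = [], {}
    for key in SALT_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key}: missing")
        elif value == PLACEHOLDER:
            findings.append(f"{key}: placeholder never replaced")
        elif len(value) < min_len:      # min_len is this example's own threshold
            findings.append(f"{key}: shorter than {min_len} characters")
        elif value in seen:
            findings.append(f"{key}: same value as {seen[value]}")
        else:
            seen[value] = key
    prefix = PREFIX_RE.search(text)
    if prefix is None:
        findings.append("table_prefix: not set")
    elif prefix.group(1) == "wp_":
        findings.append("table_prefix: default wp_")
    return findings


def build_config(values, prefix):
    """Render a minimal wp-config.php body from a dict of constants (sample input)."""
    lines = ["<?php"] + [f"define('{k}', '{v}');" for k, v in values.items()]
    return "\n".join(lines + [f"$table_prefix = '{prefix}';"])


# Constructed sample values: long and distinct, but not random. Real keys
# should come from a random generator.
GOOD = {k: (k.lower() + "-") * 8 for k in SALT_KEYS}
WEAK = dict(GOOD, AUTH_KEY=PLACEHOLDER, NONCE_SALT="abc123",
            LOGGED_IN_SALT=GOOD["LOGGED_IN_KEY"])
del WEAK["NONCE_KEY"]

if __name__ == "__main__":
    for finding in audit_wp_config(build_config(WEAK, "wp_")):
        print(finding)
```
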

WordPress Security Vulnerabilities

WordPress Security

As we all know, running a WordPress-based website is often a pleasure, enabling you to focus on content and building relationships with readers and other websites.

Half of the WordPress sites out there are self-hosted, which means that the WordPress administrator carries the share of responsibility for a secure installation. Out of the box, there are several ways that WordPress security can be tightened down, but only a fraction of sites actually do so. This makes WordPress an even more popular target for hackers.

However, not everyone on the web is as friendly as you. Somewhere out there is a list with your blog’s name on it, where it sits, waiting to be targeted by hackers. When they get around to your blog, they’ll try various tactics to gain access to it, perhaps with the aim of selling legal drugs or infecting your visitors’ computers with malware.

Here is a list of top WordPress Security vulnerabilities:

1. SQL Injection & URL Hacking : WordPress is a database-backed platform that executes server-side scripts in PHP. Both of these characteristics can make WordPress vulnerable to malicious URL insertion attacks. Commands are sent to WordPress via URL parameters, which can be abused by hackers who know how to construct parameters that WordPress may misinterpret or act on without authorization.

SQL injection describes a class of these attacks in which hackers embed commands in a URL that trigger behaviors from the database. (SQL is the command language used by the MySQL database.) These attacks can reveal sensitive information about the database, potentially giving hackers a way to modify the actual content of your site. Many of today’s web site defacement attacks are accomplished by some form of SQL injection.

Most WordPress installations are hosted on the popular Apache web server. Apache uses a file named .htaccess to define the access rules for your web site. A thorough set of rules can prevent many types of SQL Injection and URL hacks from being interpreted.

2. Access to Sensitive Files : A WordPress install has a number of files which you don’t want unauthorized persons to access. These files, such as the WordPress configuration file, install script, and even the “read-me” file, should be kept private. As with preventing URL hacking, you can add commands to the Apache .htaccess file to block access to sensitive private files.

3. Default Admin User Account : WordPress installs include an administrator user account whose username is simply “admin”. Hackers may try to log into this account using guessed passwords.

Any element of predictability gives hackers an edge. Instead, log into WordPress and create a new user with an unpredictable name. Assign administrator privileges to this user. Now delete the account named “admin”. A hacker would now need to guess both the username and password to gain administrator access, a significantly more challenging feat.

4. Default Prefix for Database Tables : The WordPress database consists of numerous tables. In many WordPress installs, these tables are named with a default prefix that begins with “wp_“. For hackers, the ability to predict anything can provide an extra advantage.

An easier way to change table prefixes for an existing WordPress installation is by using the plug-in named Better WP Security. This plug-in contains several defences including some discussed elsewhere in this article, with a simple point-and-click interface to change your table names to include a randomly-generated prefix.

5. Brute-Force Login Attempts : Hackers often rely on automated scripts to do their dirty work. These scripts can make numerous attempts to log into your WordPress administration page by trying thousands and millions of combinations of user-names and passwords.

A successful brute-force attack against a strong password effectively becomes impossible with these limits in place, because the hacker can never try enough variations (or rather, it would take many years of continuous attempts).

Two WordPress plug-ins which let you enforce a login limiter are Limit Login Attempts and the aforementioned Better WP Security.
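
The retry limit discussed above can be modelled as a per-address failure counter with a time window and a lockout period. This Python sketch is an added example, not the code of Limit Login Attempts or Better WP Security and not from the original article; the thresholds, class name and event log are assumptions of the example.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Per-address retry limit: too many failures in a window starts a lockout."""

    def __init__(self, max_failures=4, window=300, lockout=1200):
        # Example values chosen for this sketch, not any plug-in's defaults.
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lockout ends

    def attempt(self, ip, now, password_ok):
        """Process one login attempt at time `now` (seconds); return its outcome."""
        if now < self.locked_until.get(ip, 0):
            return "rejected"                # credentials are not checked while locked
        if password_ok:
            self.failures.pop(ip, None)      # a success resets the counter
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # failures older than the window age out
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"


def replay(events, limiter=None):
    """Feed (time, ip, password_ok) tuples through a limiter; return the outcomes."""
    limiter = limiter or LoginLimiter()
    return [limiter.attempt(ip, t, ok) for t, ip, ok in events]


# Constructed event log; addresses are from the documentation ranges.
A, B = "203.0.113.5", "198.51.100.7"
EVENTS = [
    (0, A, False), (10, A, False), (20, A, False), (30, A, False),  # burst from A
    (40, A, True),      # correct password, but A is locked out
    (50, B, False), (60, B, True),                                  # B mistypes once
    (1230, A, True),    # A's lockout has expired
]

if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay(EVENTS)):
        print(event, outcome)
```

Because the counter is keyed on the source address, the limit applies per address; the lockout and window values decide how many guesses remain possible per day.
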

WordPress is the most prominent content management system in the online world. In its early days WordPress did face denunciation, but within a short time it was adopted by plenty of brands, which took the famous content management system to new heights.

Being open source leaves WordPress exposed to hacking attacks, so webmasters were bound to treat WordPress security issues as a serious matter. Secure WordPress removes the display of, or access to, information, folders, and protocols that are more likely to be used by hackers than by site admins.

The first and foremost requirement of any WordPress website is its security. Due to outdated core files and/or plugins, a website becomes much more prone to hackers, as outdated files are easily perceptible. Therefore, WordPress security is an important task and has to be followed in any case. Generally, WordPress attacks are caused by plugin vulnerabilities, weak passwords, and obsolete software. WordPress Security will hide the places where these vulnerabilities reside, preventing attackers from learning much about the site and keeping them away from sensitive areas like login, admin, etc.

The process of hardening WordPress is not hard or complex. It just requires that, as webmaster/mistress, we be well versed enough to understand what our exposures are and how to minimize our risks in running WordPress on our own website. In other words, hardening WordPress means securing WordPress against external attacks.

WP Security Scan checks for WordPress security vulnerabilities and suggests corrective actions such as:

  1. Passwords
  2. File permissions
  3. Database security
  4. Version hiding
  5. WordPress admin protection/security
  6. Removes WP Generator META tag from core code

SQL injection is a code injection technique that exploits a WordPress security vulnerability occurring in the database layer of an application.

For securing WordPress there are a number of plugins that promise a secure WordPress and help resolve WordPress security issues. They are as follows:

1. WP DB Backup : WP DB Backup is an easy-to-use plugin; with a few clicks we can back up the core WordPress database tables. It can easily secure a WordPress-powered website.

2. WP Security Scan : This plugin simply scans the WordPress-powered site. It catches the vulnerabilities in the site and gives suitable guidance on removing them.

3. Ask Apache Password Protect : This plugin doesn’t control WordPress or mess with the database, instead it utilizes fast, tried-and-true built-in features of WordPress Security to add multiple layers of security to the blog.

4. Stealth Login : The Stealth Login plugin will help us in creating custom URL addresses for login, registering and logout of WordPress.

5. Login Lockdown : Login Lockdown will help us to lock out login attempts to the admin panel for a period of time after a number of attempts.

6. WP-DB Manager : This is another great plugin which allows us to manage our WP database. It could be used as an alternative to the WordPress Backup Manager.

7. Admin SSL Secure Plugin : This is another plugin which keeps our admin panel secure. It relies on SSL encryption and is really useful against hackers or people who are trying to get unauthorized access to the panel. It is the competitor of the Chap Secure Login Plugin.

8. User Locker : To avoid brute-force hacking of the site, the User Locker plugin should be adopted. It works on the same system as Login Lockdown; however, it’s a 5-star rated WP plugin which has great fame among its users.

9. Limit Login Attempts : Limit Login Attempts blocks the internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

10. Login Encryption : Login Encrypt is a security plugin. It uses a complex combination of DES and RSA to encrypt and secure the login process to the admin panel.

11. One Time Password : For securing WordPress, this unique plugin will help us set a one-time password for login, in order to prevent unwanted users from logging in from internet cafes and the like.

12. Antivirus : Antivirus is a pretty common security plugin which will help us to keep our blog secured against bots, viruses and malware.

13. Bad Behavior : Bad Behavior is the plugin which helps us to fight with those annoying spammers. The plugin will not only help us to prevent spam messages on the blog, but also will try to limit access to the blog, so they won’t be able even to read it.

14. Exploit Scanner : It searches the files and database of the WordPress install for signs that may indicate that the files or the database have fallen victim to malicious hackers.

15. User Spam Remover : It helps us to prevent and remove the unwanted spam messages.

16. Block Bad Queries : This plugin attempts to block away all malicious queries attempted on our server and WordPress blog. It works in background, checking for excessively long request strings (i.e., greater than 255 chars), as well as the presence of either “eval(” or “base64” in the request URI.
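
The checks attributed to Block Bad Queries above, applied to request URIs pulled from access-log lines. This Python sketch is an added example, not the plugin's code and not from the original article; the percent-decoding step, the function names and the log lines are assumptions of the example.

```python
import re
from urllib.parse import unquote

MAX_URI_LENGTH = 255              # "greater than 255 chars" in the description
TOKENS = ("eval(", "base64")      # substrings named in the description
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')   # request field of a log line


def check_request_uri(uri, normalise=True):
    """Return the rules a request URI trips; an empty list means it passes."""
    reasons = ["too-long"] if len(uri) > MAX_URI_LENGTH else []
    text = uri
    if normalise:
        # Assumption of this example, not a documented plugin behaviour: match
        # on the percent-decoded, lower-cased URI so that equivalent spellings
        # of the same request are treated alike.
        for _ in range(3):                    # bounded repeat for nested encoding
            decoded = unquote(text)
            if decoded == text:
                break
            text = decoded
        text = text.lower()
    reasons += [f"contains:{token}" for token in TOKENS if token in text]
    return reasons


def scan_access_log(lines):
    """Return (uri, reasons) for each log line whose request URI trips a rule."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        reasons = check_request_uri(match.group(1)) if match else []
        if reasons:
            hits.append((match.group(1), reasons))
    return hits


def log_line(uri):
    """Build one constructed access-log line (documentation address)."""
    return f'203.0.113.5 - - [10/Mar/2014:10:00:00 +0000] "GET {uri} HTTP/1.1" 200 512'


SAMPLE_LOG = [
    log_line("/?p=42"),
    log_line("/?s=" + "a" * 300),
    log_line("/?x=EVAL%28test%29"),
    log_line("/2014/03/what-is-base64-encoding/"),   # ordinary permalink, still flagged
]

if __name__ == "__main__":
    for uri, reasons in scan_access_log(SAMPLE_LOG):
        print(uri[:40], reasons)
```

The last sample line shows the cost of plain substring rules: a legitimate permalink that merely contains "base64" is flagged as well, so such a filter needs an allow-list or review of what it blocks.
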

Thus WordPress Security is not only imperative but the core functionality of its conduct.