Originally posted on https://www.paulbarrs.com/website-design/wordpress-security-tips
Hi there, folks. My name is Paul Barrs. Hello and welcome. Thank you so much for taking the time to come and join me for today’s monthly update.
Now, today we’re talking about website security, specifically WordPress website security, WordPress being the most popular CMS these days. And in the past two weeks, my team and I have had to rebuild and repair three different websites that came under a hack attack. Now, if you’re a business owner, this can be devastating news, as it certainly was for one of them: middle of the school holidays, tour operator. Bang. Website goes down due to a hack, something which could have been easily prevented. So today I’m going to give you some tips, step-by-step processes you can go through to secure your website and hopefully, hopefully slam the gateway shut and stop hackers in their tracks. Grab your pen and paper. Let’s take some notes.

Number one. The very first one is your hosting company. You have to choose a good hosting company. Now, there are some different variables here, but across the board I can summarize this and say, “Don’t pick the cheapest one.” There’s probably a reason why it is the cheapest one. Also, you might want to find out how many other websites are being hosted on that same shared server. Now, we do use shared servers. I run my own, but it is limited to my own customers’ websites, no more. Nobody else can get access, which means the managed hosting that I provide, well, it’s very secure.
One of the sites that we had to repair came from a host where we couldn’t even package up the cPanel account and move it to our own secure hosting. We had to pull apart the elements of the website once we rebuilt it, and guess what? They got hacked and their website was just turned off. No options: “We’ll turn it back on once you pay this money and delete these files, then we’ll turn it back on.” You need someone who’s going to work with you a little bit better, a little bit easier than that.
Number two on my list is your choice of theme and your choice of plugins. Don’t just use a free theme, and try to avoid free plugins when you can. Now, I know that’s not always possible, but when you’re purchasing a plugin, give it a test, give it a try. If there’s a pro version, upgrade so you get the updates all the time, so you get the notifications. And folks, just very quickly on the side: if you’re setting up a new WordPress website, please make sure during setup that you change the database table prefix to something unique, not just the standard wp_, because all hackers know the standard. The prefix is far harder to change once the site is live, so get it right on day one.
The next one on the list, number three, is a good, strong WordPress security plugin. Now, there are three or four really good ones out there. My team and I use iThemes Security, and it does the job for us of what we need. The most important thing is, once it’s been set up, make sure you change the login URL so it’s not just /wp-admin or /wp-login.php. Every hacker in the world knows these are the default login paths. Moving the login page cuts out most of the automated noise, though it is obscurity rather than a lock, so it sits alongside the lockout and strong passwords below rather than replacing them. And WordPress comes with a whole bunch of other defaults that, what? Every hacker in the world knows about. So you need to change some of those.
Another thing you should do is limit login attempts. By default, WordPress will let an attacker try and try and try again. You can do this with a good security plugin, and we have ours limited to three, which means if you get it wrong three times, your IP address is logged and blocked so you can’t get access anymore.
You should also look at, if it’s appropriate, limiting your login times. Say, for example, here in Australia, if we have a client who’s really only going to be working on their website during the day, during business hours, we will disable login attempts, what? After hours, in the middle of the night. We don’t need someone from Russia coming in at 3:00 in the morning and hacking that website. So we take the precaution and limit the login times.
Another thing you should do, and these security plugins will take care of this for you, which is why they’re so important, is hide your WordPress version number. Now, we’ll talk later about keeping things up-to-date, but more importantly, hide the version number. If you’re not sure how to do this, you can use one of these security plugins, or a quick Google search will turn up a piece of code you can add to your site that will just get rid of it. Why is that important? Because if a hacker knows what version of WordPress you’re running, and maybe you’re not entirely up-to-date, they know how to get in. It’s simple, it’s obvious. It’s just the way that it is.
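As an added example, not code from the video or from any plugin Paul mentions, here is a small Python check you can run over a saved copy of your front page and RSS feed to see whether the version is still being disclosed. The sample HTML and feed below are constructed for this example, with made-up version numbers. In WordPress the head tag is removed with `remove_action('wp_head', 'wp_generator')` and the feed tag by filtering `the_generator`; the `?ver=` query strings on core assets come from the enqueue system and need a filter on `script_loader_src` and `style_loader_src`. The `readme.html` file at the site root also states the version and should be deleted or blocked; this check does not look at it.

```python
import re

# Constructed sample front page and feed, standing in for what an unhardened
# WordPress site returns; the version numbers are made up for this example.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 4.9.8" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=4.9.8" />
<script src="https://example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="https://example.com/wp-content/themes/shop/theme.js?ver=2.1"></script>
</head><body>Hello</body></html>"""

SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel>
<title>Example</title>
<generator>https://wordpress.org/?v=4.9.8</generator>
</channel></rss>"""

# The same page after hiding the generator tag and stripping ?ver= from core assets.
# The theme's own ?ver= is left alone: it reveals the theme version, not WordPress's.
HARDENED_HTML = """<!DOCTYPE html><html><head>
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css" />
<script src="https://example.com/wp-content/themes/shop/theme.js?ver=2.1"></script>
</head><body>Hello</body></html>"""

META_GENERATOR = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]+)"', re.I)
FEED_GENERATOR = re.compile(r'<generator>\s*https?://wordpress\.org/\?v=([\d.]+)\s*</generator>', re.I)
# Core assets live under /wp-includes/; their ?ver= value is normally the WordPress
# version. Bundled libraries such as jQuery carry their own version, which is still
# a fingerprint because each WordPress release ships a known library version.
CORE_ASSET_VER = re.compile(r'/wp-includes/[^"\'\s>]*?\?ver=([\d.]+)')


def find_version_leaks(html, feed=""):
    """Return a dict of where the WordPress version (or a close proxy) is disclosed."""
    leaks = {}
    m = META_GENERATOR.search(html)
    if m:
        leaks["meta_generator"] = m.group(1)
    versions = sorted(set(CORE_ASSET_VER.findall(html)))
    if versions:
        leaks["core_asset_ver"] = versions
    m = FEED_GENERATOR.search(feed)
    if m:
        leaks["feed_generator"] = m.group(1)
    return leaks


if __name__ == "__main__":
    print("before:", find_version_leaks(SAMPLE_HTML, SAMPLE_FEED))
    print("after: ", find_version_leaks(HARDENED_HTML))
```

Run it against `curl -s https://your-site/` and `curl -s https://your-site/feed/` saved to files; an empty dict for both is the goal. Hiding the number buys you a little time against scanners that go by the banner, but an attacker can still fingerprint a version from the assets that ship with it, so this only supplements the update discipline covered later.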
You should also look at disabling the plugin and theme editor options. If someone finds a backdoor into your site, it’s your theme and your default files that they are going to attack, edit and change. As I found with one of the sites just recently, they created a redirect from the client’s site to the hacker’s site. You can prevent these types of changes by preventing edits to those files from inside the dashboard.
Also, XML-RPC, the xmlrpc.php file: again, that’s built into WordPress so that people can gain remote access because, hey, it’s one of the benefits. If you are away and need to update your site, this allows it to happen when you can’t log in through the normal means. Well, you need to disable it, get rid of it. It is also a favourite for brute-force attacks, because a single XML-RPC request can carry many password guesses at once, which sidesteps a simple attempt counter on the login page. I think it should be gone forever as far as security goes, but disabling it is an absolute minimum; just check first that nothing you rely on (Jetpack, the WordPress mobile apps on older versions) still needs it. Those and many other defaults are things that you need to change.
Now, number four on the list. And yes, number three was quite a big one. Number four is much the same. Oh, boy. I don’t know why people don’t get this one right.
Please, please, please use a strong password. Now, there’s a great website out there, Strong Password Generator. Just Google it if you have to, and it will create passwords using randomized characters, all sorts of different things, that make it nigh on impossible for people to guess, figure out or crack that particular password.
Now, I do have one rule with my own passwords, and it is simply this: if I cannot explain it to someone over the phone, I don’t use it. If you look at some of the characters and coding characters that are used in some passwords, if I don’t know what that is, or my customer is not going to know what that is, I won’t include it, simply because I sometimes need to tell them over the phone what that particular password is. But you must use strong passwords.
I’m also going to recommend that you don’t use your administrator account for publishing content. Have you noticed on many blog posts, certainly probably most of them, and sometimes pages too, “Published by”, and there’s the admin username? Why would you give that to hackers by default? (The author archive URL, /?author=1, gives it away as well.) Instead, keep your admin login safe and secure and away from that day-to-day work, and create an editor login, which is the one you then use for publishing content.
And just on that, this has got to be obvious these days, but not to some. Please don’t use admin as your username. It’s the default when you set up a new WordPress website. We’ve been saying this for . . . how long has WordPress been around for? Now, nearly 10 years. We’ve been saying it for that long. If you’re still using admin as your login username, you are a fool and you deserve to be hacked. Stop it right now, change it. As soon as this video is done, go and change it.
How do you do that, given you can’t actually change a username from the dashboard? You log in, create for yourself a new administrator account with a unique username and a strong password, then you log out, log in through the new one and delete the old. When WordPress asks what to do with the old account’s content, attribute it all to the new one. Now, forgive me if that’s a little harsh, but it is so important, so important that you actually do that.
I’m also going to suggest that you change your passwords every 90 days. “Oh, come on, Paul. I can’t do that every 90 days. Are you kidding me? How am I supposed to remember that?” You’re not. You’re not supposed to remember it unless, of course, you use what you’d call a long passphrase. Something like the line of a song, or something from your own life: “When I was 5, I wanted to be a GIANT,” with the numeral five and capitals for the word giant. That could be a strong password. That is actually a very strong password. Easy to remember, takes a while to type, but gets to the point. But change your password every 90 days.
Now, I do this easily enough through my CMS: a quick task comes up, “Hi, Paul. Time to change your passwords.” If you don’t have a CMS or a reminder system, you could use your calendar. Google Calendar will work, every 90 days. You could even set up an email reminder for your customers if you’re running an agency or servicing others, reminding them to change their passwords. Unless you’re managing their security, it’s not your job, it is theirs, but you give them the reminder. So that’s a very, very quick one to do.
Another thing, which is a great idea, is to change the error message. If there’s a database error, you know of this, you can’t change that one, but I’m thinking more of the login. We’re talking about logging in at the moment. So, change the login error message. “Hi, your username is incorrect.” No, let’s not tell them that. Simply something like, “That’s not quite correct.” It doesn’t say username, it doesn’t say password, it doesn’t tell the attempting hacker which is wrong. It just says, “Hey, not quite correct. You need to try again, buddy.” And of course, you’ve got your limit on login attempts, so after three times, they’re gone, they’re banned, no chance.
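The three login controls above, the three-strike lockout, the business-hours window and the single generic error message, fit together in one policy, and it is worth seeing the logic written out rather than left to a plugin’s checkboxes. The Python below is an added example written for this page, not the video’s or iThemes Security’s code. It uses a fixed UTC+10 offset to stand in for Australia/Sydney (production code would use `zoneinfo.ZoneInfo("Australia/Sydney")` so daylight saving is handled), and the IP addresses, times and attempt sequence are constructed. In WordPress itself, the generic message is set by filtering `login_errors`.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Fixed offset standing in for Australia/Sydney (assumption for this example);
# use zoneinfo.ZoneInfo("Australia/Sydney") in production to get daylight saving right.
SYDNEY = timezone(timedelta(hours=10))

# One message for every failure, so an attacker cannot tell which field was wrong,
# whether the account exists, or whether the address is currently locked out.
GENERIC_ERROR = "That's not quite correct."


class LoginPolicy:
    def __init__(self, max_failures=3, window=timedelta(minutes=15),
                 lockout=timedelta(hours=1), tz=SYDNEY, open_hour=8, close_hour=18):
        self.max_failures = max_failures
        self.window = window          # failures older than this are forgotten
        self.lockout = lockout        # how long an address stays blocked
        self.tz = tz
        self.open_hour, self.close_hour = open_hour, close_hour
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime when the lockout ends

    def within_hours(self, when):
        """Business hours only: weekdays, open_hour <= local hour < close_hour."""
        local = when.astimezone(self.tz)
        return local.weekday() < 5 and self.open_hour <= local.hour < self.close_hour

    def attempt(self, ip, when, credentials_ok):
        """Evaluate one login attempt. Returns (allowed, message)."""
        if not self.within_hours(when):
            return False, GENERIC_ERROR          # same message: don't reveal the window
        until = self.locked_until.get(ip)
        if until is not None and when < until:
            return False, GENERIC_ERROR          # locked out, even with the right password
        recent = self.failures[ip]
        while recent and when - recent[0] > self.window:
            recent.popleft()                     # slide the window
        if credentials_ok:
            recent.clear()
            return True, "Welcome"
        recent.append(when)
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = when + self.lockout
            recent.clear()
        return False, GENERIC_ERROR


def run_demo():
    """Constructed scenario: Monday 7 March 2016, a guess storm from one address,
    the site owner from another, and a 3 a.m. login with a correct password."""
    policy = LoginPolicy()
    t0 = datetime(2016, 3, 7, 10, 0, tzinfo=SYDNEY)
    attacker, owner = "203.0.113.9", "198.51.100.7"
    results = {}
    for i in range(3):
        results[f"guess{i + 1}"] = policy.attempt(attacker, t0 + timedelta(seconds=5 * i), False)
    # fourth try from the same address, this time with the right password
    results["guess4_correct_password"] = policy.attempt(attacker, t0 + timedelta(seconds=20), True)
    results["owner_daytime"] = policy.attempt(owner, t0, True)
    results["owner_3am"] = policy.attempt(owner, datetime(2016, 3, 7, 3, 0, tzinfo=SYDNEY), True)
    results["same_ip_after_lockout_expires"] = policy.attempt(
        attacker, t0 + timedelta(hours=1, minutes=1), True)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:32} allowed={outcome[0]!s:5} message={outcome[1]!r}")
```

Two caveats a practitioner would add. The lockout keys on the client IP, so behind a CDN or reverse proxy you must use the real client address from the forwarded header, or you will lock out everyone at once; and attackers rotate addresses, so the counter slows a brute force rather than stopping it, which is why it sits beside strong passwords and two-factor rather than in place of them.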
And lastly, another suggestion on this: you could use two-factor authentication, where you log in and an SMS code gets sent to you, or a code from an authenticator app. Google has that facility, and it’s easy to set up on a website. Or you log in and then there’s a secondary question: your mother’s maiden name, your cat’s best friend, the auntie down the street, something like that. You customize it, you decide what it should be. Bear in mind that a question is still something you know, the same kind of thing as the password, so a one-time code is the stronger of the two. But these are important things for security.
And seriously, folks, if you’re running an online business, or if your website is your business’s online persona, you need to take care of this. Your website getting hacked is just as bad as your store down the road getting a window smashed and having to close for the day while it gets fixed, with all the vandalism and the trash and the problems. It’s the same kind of thing.
Okay. Let’s continue on with a couple more things on the list. These are shorter in content; the first half were the very, very important ones that you must do, and do today if you haven’t. The next ones on the list you can easily and quickly Google and find out how to do. I won’t go so much into detail, but first of all, number five: I suggest that you disable, and I mentioned this earlier, the file editing. Because one of the things hackers do once they get in is inject code into these default files. You need to disable that. Unless you’re a developer, it’s not likely you’re going to be in there editing once your site’s gone live. So disable it. I believe that’s done through the wp-config file, maybe htaccess. I can’t remember off the top of my head, but just Google it. You’ll find how to do that really quite easily.
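Two of the tips above come down to editing wp-config.php: the unique table prefix from number two, and the file-editor switch just mentioned, which is the `DISALLOW_FILE_EDIT` constant (it must be defined before the `require_once ... wp-settings.php` line at the bottom of the file). The Python below is an added example written for this page, not something from the video. It generates a prefix, rewrites a constructed sample wp-config.php, and, for a site that is already live, emits the SQL needed to move to the new prefix: besides renaming the tables, WordPress stores the prefix inside two places in row data, the `<prefix>user_roles` option and the `<prefix>capabilities` / `<prefix>user_level` keys in usermeta, and a site whose tables are renamed without those updates locks every user out. Run the SQL against a backup first. The minimum prefix length enforced here is a policy choice for the example, not a WordPress rule.

```python
import re
import secrets
import string

# Constructed wp-config.php fragment with WordPress's defaults (credentials are dummies).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'change-me' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
if ( ! defined( 'ABSPATH' ) ) {
\tdefine( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# WordPress allows only letters, digits and underscores in the prefix. Requiring a
# leading letter and a few characters of length is this example's own policy.
VALID_PREFIX = re.compile(r"[a-z][a-z0-9]{3,}_")

PREFIX_LINE = re.compile(r"^\$table_prefix\s*=\s*['\"][^'\"]*['\"]\s*;", re.M)
FILE_EDIT_LINE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*[^)]*\)\s*;")
# Both spellings WordPress has shipped: require_once ABSPATH . '...'; and require_once(ABSPATH . '...');
SETTINGS_LINE = re.compile(
    r"^require_once\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]\s*\)?\s*;", re.M)


def new_table_prefix(length=6):
    """Random prefix such as 'k7q2x3_': a letter, lowercase alphanumerics, then '_'."""
    body = secrets.choice(string.ascii_lowercase)
    body += "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(length - 1))
    return body + "_"


def harden_wp_config(text, prefix):
    """Set $table_prefix and define DISALLOW_FILE_EDIT before wp-settings.php is loaded."""
    if not VALID_PREFIX.fullmatch(prefix):
        raise ValueError(f"invalid table prefix {prefix!r}")
    text, n = PREFIX_LINE.subn(f"$table_prefix = '{prefix}';", text, count=1)
    if n != 1:
        raise ValueError("no $table_prefix assignment found")
    define = "define( 'DISALLOW_FILE_EDIT', true );"
    if FILE_EDIT_LINE.search(text):
        text = FILE_EDIT_LINE.sub(define, text, count=1)      # e.g. flip an existing 'false'
    else:
        text, n = SETTINGS_LINE.subn(lambda m: define + "\n" + m.group(0), text, count=1)
        if n != 1:
            raise ValueError("could not find the wp-settings.php require line")
    return text


def rename_statements(old, new, tables):
    """SQL for moving an existing site to the new prefix: rename every table, then fix
    the two places where the prefix lives inside row data."""
    like_old = old.replace("_", "\\_") + "%"      # '_' is a LIKE wildcard, so escape it
    stmts = [f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;" for t in tables if t.startswith(old)]
    stmts.append(f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
                 f"WHERE option_name = '{old}user_roles';")
    stmts.append(f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
                 f"WHERE meta_key LIKE '{like_old}';")
    return stmts


if __name__ == "__main__":
    prefix = new_table_prefix()
    print(harden_wp_config(SAMPLE_WP_CONFIG, prefix))
    for stmt in rename_statements("wp_", prefix, ["wp_options", "wp_usermeta", "wp_posts"]):
        print(stmt)
```

For a brand-new install only the first half matters: put the generated prefix into the “Table Prefix” field of the five-minute setup (or into wp-config.php before running it) and no SQL is needed. Remember that `DISALLOW_FILE_EDIT` only removes the editors from the dashboard; an attacker with FTP or shell access can still change files, which is what the scanning and backup steps below are for.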
Another, if you’re not already. Number six: you should be running an SSL/TLS certificate to give you that green lock bar, for the browsers that still show it, and https for secure. That encrypts data in transit between the browser and your website, not just for your customers but for you as well, with your login details. Make sure plain http redirects to https too, so the login form is never loaded insecurely.
You should also scan your site regularly for malware. Number seven on the list. Malware, viruses, anything that’s ended up on the server. Now, I manage hosting for my own clients through cPanel. For those who are doing it themselves I give them access, and we do it for others: there’s a virus scanning tool in cPanel. Chances are you’ve got this. If not, ask your host about it, and then once a month, or every two weeks, just click it as you’re walking away to grab your morning coffee. It’ll scan your site and let you know if you’ve got any viruses anywhere on the server, in the site or even in your mail. And that’s absolutely important.
Next on the list, number eight: you should look at protecting your wp-config.php and your .htaccess files. Now, if I’m saying this and you’re going, “Yeah, what are you talking about, Paul?” that’s not something you should be doing yourself. You need to get someone like me or your current web developer to do that for you. But believe me, a good hacker knows how to get at your configuration files, and if they change these things, you’re in trouble. Now, why should you hide them? You hide them from view so that if they do get into the server, those files are out of reach. Because they are defaults, they are the same for pretty much everyone, and it’s where most of the hack redirects take place.
Now, the next one you need to do, number nine, is keep WordPress itself, your theme and your plugins up-to-date. Now, I really shouldn’t need to even say that, but you need to. Funny how with one of the websites that we just repaired recently, the hack didn’t come through the website itself, it came through a plugin. The plugin was what got hacked, but of course it got through because the plugin on the website wasn’t up-to-date. So the hack came in that way, injected code and caused a redirect problem. These are the types of things you need to schedule for yourself. I do this every single month at minimum, manually, or in our case we manage it for clients through our WP security package. So we take care of it all for them.
Next on the list, number 10. Back up, back up, back up. Let me say it again: back up regularly. I’m going to suggest a full website backup, everything, at least once a month. Weekly database backups as an absolute minimum; for our clients we also keep seven days of server backups in case there’s ever a problem. And you’ve got to have it, folks, because here’s the difference. Let’s say you haven’t quite locked things down, or the hackers have managed to get through at some point and they completely ruin everything. You’ll know, or a good developer will know, within 30-40 minutes whether to say, “Man, maybe I just shouldn’t fix this. I’m going to grab the backup and put that out there instead, because it’s so much quicker.” A good backup can be restored, the whole website rebuilt from it, within a matter of, well, not minutes, 30-40 minutes. Then what? You go and lock everything down, find out how and why it happened, but at least the website is up and running while that happens. Keep at least one copy off the web server, because a backup sitting next to the site can be deleted by the same attacker, and check the date you restore from against when the break-in happened, or you restore the backdoor along with the site.
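A backup only counts if you have proved it restores, so a backup job should also verify and prune. The Python below is an added example written for this page, not the video’s or any hosting package’s procedure: it archives a (constructed, temporary) site directory with a timestamped name, writes a SHA-256 sidecar, verifies the archive against it, restores it to a clean directory, and prunes anything older than seven days, matching the retention described above. A real job would add a `mysqldump --single-transaction` of the database to the same archive, which is not run here so the example stays self-contained; the dates and file contents are made up.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

STAMP = "%Y%m%dT%H%M%SZ"      # archive names sort chronologically and carry their own date


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sidecar_for(archive):
    return archive.with_name(archive.name + ".sha256")


def make_backup(site_dir, dest_dir, when=None):
    """Archive the whole site tree and write a sha256 sidecar next to it.
    Production: also add a mysqldump of the database to the archive (not done here)."""
    when = when or datetime.now(timezone.utc)
    archive = Path(dest_dir) / f"site-{when.strftime(STAMP)}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    digest = sha256_of(archive)
    sidecar_for(archive).write_text(f"{digest}  {archive.name}\n")
    return archive, digest


def verify_backup(archive):
    """Restorability check: hash matches the sidecar and the archive can be listed."""
    archive = Path(archive)
    expected = sidecar_for(archive).read_text().split()[0]
    if sha256_of(archive) != expected:
        return False
    try:
        with tarfile.open(str(archive), "r:gz") as tar:
            tar.getmembers()
    except (tarfile.TarError, OSError, EOFError):
        return False
    return True


def restore_backup(archive, target_dir):
    """Unpack into target_dir; the site lands in target_dir/site."""
    with tarfile.open(str(archive), "r:gz") as tar:
        tar.extractall(str(target_dir))
    return Path(target_dir) / "site"


def prune_backups(dest_dir, keep_days=7, now=None):
    """Delete archives (and sidecars) whose name stamp is older than keep_days."""
    now = now or datetime.now(timezone.utc)
    removed = []
    for archive in sorted(Path(dest_dir).glob("site-*.tar.gz")):
        stamp_text = archive.name[len("site-"):-len(".tar.gz")]
        stamp = datetime.strptime(stamp_text, STAMP).replace(tzinfo=timezone.utc)
        if now - stamp > timedelta(days=keep_days):
            archive.unlink()
            if sidecar_for(archive).exists():
                sidecar_for(archive).unlink()
            removed.append(archive.name)
    return removed


def run_demo():
    """Constructed site, two backups ten days apart, verify, restore, prune, detect corruption."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp, "public_html")
        (site / "wp-content").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php $table_prefix = 'k7q2x_';\n")
        (site / "wp-content" / "index.php").write_text("<?php // Silence is golden.\n")
        backups = Path(tmp, "backups")
        backups.mkdir()
        now = datetime(2016, 3, 7, 2, 0, tzinfo=timezone.utc)
        make_backup(site, backups, when=now - timedelta(days=10))
        fresh, _ = make_backup(site, backups, when=now)
        results = {"verify_fresh": verify_backup(fresh)}
        restored = restore_backup(fresh, Path(tmp, "restore"))
        results["restored_config_ok"] = (
            (restored / "wp-config.php").read_text() == "<?php $table_prefix = 'k7q2x_';\n")
        results["pruned"] = prune_backups(backups, keep_days=7, now=now)
        results["remaining"] = sorted(p.name for p in backups.glob("site-*.tar.gz"))
        with open(fresh, "r+b") as f:             # simulate corruption: flip one byte
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        results["verify_corrupted"] = verify_backup(fresh)
        return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point `make_backup` at the site root and a destination outside the web root, run it from cron, and copy the archive and its sidecar off the server (the sidecar is what lets you confirm the off-site copy was not corrupted in transit). The restore step is the part most people skip; run it into a scratch directory every so often, because the first time you find out a backup is unreadable should not be the morning the site is down.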
All right. Folks, that’s my top 10 tips. Let me give you one more bonus, number 11, and I’m just going to scratch my head because I don’t know why people don’t do this one either. And this is to keep your computer safe, and your devices, your phone, your mobile, all of these different things.
Now, what’s that got to do with website security? Don’t you access your website through these devices? A keylogger on your laptop hands over your WordPress password no matter how strong it is. So look at your emails, look at your passwords, the passwords you use to access your computer, the passwords to access email, change them every 90 days. Make sure they are strong passwords. Folks, I cannot reiterate that enough; it just must be. So run regular virus scans looking for malware, viruses, and all of these things on your computer and on your devices as well.
And I probably shouldn’t even need to say it, but make sure you’re not using any cracks or the like on your computer: things which give you access to a pro theme you didn’t pay for, or software where you’ve got the pro version but, hey, you didn’t pay for it because you’re using an unlicensed, cracked copy with a serial code or something. “Nulled” themes and plugins in particular very often come with a backdoor already inside them. Now, if you don’t know what I’m talking about, that’s good news for you. No problem. But some of you know what I’m talking about, don’t you? All of these things can put your websites at risk.
Okay. Folks, I’m going to sign off there. Food for thought, quite a bit of it. So what I need you to do is give careful consideration to these things. If you’re a customer of mine, come to me, we will take care of all of your WP security. We will take care of it with a 100% guarantee. If you get hacked, if, if, we fix it free, no cost. That’s part of our WordPress security and backup package on our own server.
Folks, thank you very much for joining me and for listening. I hope you’ve had a few questions answered here. You’ll see the list below on my website, as an infographic and step-by-step as well. Go through those different things. Secure your websites and have a fantastic day, great weekend, and a wonderful month. I’ll talk to you again soon. Bye-bye.