WordPress security, tips and tricks

Dear geeks and technology maniacs,

Today I would like to discuss some basic web security with you, for both shared hosting providers and end users.

Without a shadow of a doubt, WordPress is becoming more popular every day. It did not stay the simple "blogging platform" it started out as: with the help of a wonderful community of supporters, developers and contributors it has become the most popular CMS on the internet, the number one, which is now over 80% of internet websites.

Business owners and marketers often launch a blog in order to try to generate "generic traffic" for their business.

All of the above sounds great, but of course it can't remain that simple. There are billions of hackers/attackers waiting for any vulnerability you leave behind, so that they can get into your website or take control of the whole server and use it for internet crimes, DDoS attacks, unsolicited e-mails or spam e-mails.

Your website might be really simple, it might even be about a charity or something really noble, but let me tell you this: hackers don't really care. So how do we stop this? That's not the easiest question to answer, but I will do my best to cover everything I have faced in my day-to-day roles, either at my full-time job as a systems engineer or in my spare time as a technology consultant.

If you're an end user:

You've got one of two ways to go, depending on your schedule and time management skills; the first starts with hiring the right web developer as well as a skilled web master.

The right web developer will help your designer get your website up and running with the fewest plugins possible while still achieving the look and feel you want and the features you expect from your website. Keep this as a side note: the more plugins you use, the higher the chance that you get hacked.

If you've got some spare time and you're not going to hire anyone, then I would recommend picking your hosting provider carefully, for many reasons. Cheap hosting providers slow down your website's performance, which in itself will lower your SEO, and they hardly take any backups of their servers or of their clients' websites, because all they really care about is packing a single machine with as many customers/websites as they can. So when you see a hosting package for $1, don't just jump at it; expect that you might lose your website and all the work you did overnight.

You should start reading some other blogs/websites in your field to see how your target audience expects the layout of your website to look, so that you can offer the best UI. I am not saying clone them or copy everything from there, just the basics; for example, your social media icons should be at the top alongside your search bar, etc.

Plan your budget properly, whether it's a couple of dollars or thousands; all of this will determine the success of your website in the future, for the reasons above. For example, don't believe you'll ever get unlimited bandwidth on a shared hosting package; read the hosting provider's SLAs carefully and know your rights.

I always recommend getting a cloud server or a VPS, so that you're not sharing the server's resources with others (I am aware that this still happens with some virtualization technologies, e.g. OpenVZ).

Learn the basics of systems administration: backing up your database and your files, and maybe even scheduling those backups.

If that's too much, then find an interested friend who's willing to help, or hire a system administrator who will take care of all of this, or a web developer and a shared hosting package. Some hosting providers also offer managed hosting packages for those who don't have the skills or the spare time.

Knowing what happens in the background (I am currently managing shared hosting servers), the majority of the attacks are initiated through an outdated WordPress version, outdated plugins or outdated themes, so try and keep everything up to date.

File and directory permissions are very important; there are many tutorials on setting up the correct permissions for your website.

I highly recommend the Wordfence plugin. Back in the old days, Wordfence was pretty much just a brute-force protection plugin, and developers often had to change the WordPress login URL from wp-admin and wp-login to some other secret word; that's not needed any more. Wordfence gives you many nice features even in the free version: it lets you scan your files and block failed logins after x amount of tries. System admins will call it the WordPress fail2ban :)

Keep it simple. As I mentioned above, try and reduce the number of plugins you use, so that if a vulnerability is newly discovered you don't get to be the first person it's used against.

Ask your system administrator or your hosting provider to perform a penetration test, or you might as well get your hands dirty and give it a try yourself. All you need is a Linux computer and, of course, internet connectivity. For this I regularly use WPScan and Metasploit; they're great, and both of them ship with the penetration testing distribution Kali Linux (formerly known as BackTrack).

Schedule your automatic backups according to how often your content is updated.

I have also written a script, which I added to my server, that checks customer directories once a day for any base64-encoded files/strings. Most hackers nowadays try to disguise their malicious files under a very normal name, e.g. search.php, with the content of the file entirely encoded so that you don't suspect it.

Once you find an infected file, you should start investigating how the file got there and how the attacker planted it on your website; find the vulnerability and get it patched.
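As an added example (not the author's own script), here is a Python version of the daily base64 sweep described above, meant to be run from cron against each customer's document root; the regexes, the two-indicator rule and the 200-character threshold are my assumptions, and the sample files are constructed:

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators of an obfuscated PHP web shell: a decode call, a call that runs the
# decoded result, and a base64 blob far longer than hand-written code carries.
# The patterns and the 200-char threshold are assumptions, not a standard.
INDICATORS = {
    "decode_call": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "exec_call": re.compile(r"\b(eval|assert|create_function|system|passthru|shell_exec)\s*\(", re.I),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}

def score_file(path: Path) -> list[str]:
    """Return the names of the indicators present in one file (empty = looks clean)."""
    text = path.read_text(errors="ignore")
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_tree(root: str, exts=(".php", ".phtml", ".php5")) -> dict[str, list[str]]:
    """Walk a customer directory and report files showing two or more indicators.
    A lone base64_decode() is common in legitimate code, so a single hit is ignored."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            if path.suffix.lower() in exts:
                hits = score_file(path)
                if len(hits) >= 2:
                    report[str(path)] = hits
    return report

def demo() -> dict[str, list[str]]:
    """Constructed sample tree in a temp dir: a clean theme file, a legitimate
    small decode, and a disguised 'search.php' wrapping a base64 payload in eval()."""
    root = tempfile.mkdtemp(prefix="wp-b64-demo-")
    samples = {
        "index.php": "<?php get_header(); the_content(); get_footer();",
        "logo.php": "<?php echo base64_decode('aGVsbG8='); // harmless, one indicator only",
        "search.php": "<?php eval(base64_decode('" + "QUFB" * 80 + "')); ?>",
    }
    for name, body in samples.items():
        Path(root, name).write_text(body)
    return {os.path.relpath(p, root): hits for p, hits in scan_tree(root).items()}

if __name__ == "__main__":
    print(demo())  # only search.php is reported, with all three indicators
```

Anything reported is a lead for the investigation step above, not proof of compromise; a theme that legitimately inlines a large base64 image next to an eval() would also show up and needs a human look.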

Finally, I hope you find the above tips useful for your website/business; don't hesitate to comment or PM me with any questions.

More articles by Khaled Elmestekawi
