WordPress Security – Security Blog
https://blog.siteguarding.com

How to harden WP security
https://www.siteguarding.com/security-blog/how-to-harden-wp-security/
Wed, 26 Jul 2017 09:36:48 +0000

Many of us have seen reports of yet another hacked site, and some have experienced it personally. How can a site be hacked, and what protection measures can be taken? We will talk about what needs to be done to protect your site and avoid becoming a victim of hackers.

Hacking a site means gaining unauthorized access to the site's files or to the administration panel of the site management system.

In this article, we will not consider attacks on the hosting the site runs on, and will focus only on hacking the site itself.

First of all, note that if you do not do anything, then sooner or later the site will be hacked!

The fact is that modern WordPress sites have about 500 thousand lines of code. This code is for the most part open, so anyone can analyze it, including for vulnerabilities. In such a huge body of code, sooner or later someone will find an error, and attackers will want to use it.

A site built on a standard platform, such as WordPress, can be recognized by its signature features. By crawling your site against a set of signatures, one can find out a lot of details: the name and version of the platform, which plugins and extensions are installed and their versions, the list of users, and so on.

There is a huge number of online scanners that constantly scan the network in search of sites based on this platform. It is only a matter of time before your site is scanned by one of them.

In order to make it difficult to scan your site, you can install plugins that will hide the version of WordPress.

It is extremely important for WordPress Security to make periodic updates. Updates not only cover the vulnerabilities found, but can also contain new improved functionality, improve the site’s performance. However, before updating, you should make a backup copy of the site in case there was an error in the update by the developers or something went wrong. It is also important to check the site after the next update.

A common way to hack a site is to get the passwords to its administrative panel. How do hackers get passwords? They intercept a password transmitted over the unprotected HTTP protocol, guess the password by brute force, or decrypt the password after gaining access to the site database.

The best protection against password interception is to use the secure HTTPS protocol instead of HTTP: the entire site, or at least its administrative panel, should be accessible only over HTTPS. This requires an SSL certificate. Certified certificates cost money and have a finite period of validity.

Brute force is a very common method of attacking WordPress sites over the network. Of course, no one guesses passwords manually; there are special programs for this.

To ensure security, you need to set a password for the wp-admin folder, rename the page address to enter the administrative menu, grab the input and the forgotten password page, disable the error message for the wrong password, and prohibit the enumeration of all users.

Unfortunately, you will not be able to completely secure your site from hacking. The fact is that you need to close all possible loopholes, while the attacker needs to find only one. However, do not be discouraged. If you follow the security rules, hacking your site will be extremely difficult and time-consuming.

WordPress Security and Website Antivirus
https://www.siteguarding.com/security-blog/wordpress-security-and-website-antivirus/
Fri, 16 Dec 2016 08:50:02 +0000

In this article, we take a look at the importance of WordPress security and some of the basics of keeping your WordPress website secure. With the technology industry ever-growing, more and more hackers are preying on vulnerable websites, and with that, WordPress security is as important as ever. If you don’t take the time to set up your website security in a way which not only protects your website, but protects the data flow between your website and your visitors, then you are putting a lot of things at risk. Not only that, but you are leaving your website open to unauthorized users who can cause some serious damage. So with that in mind, let’s jump right in.

Website Backups

Before we dig into how you are able to protect your website, let’s first discuss website backups. Nobody likes to imagine suffering from data loss. It’s bad enough to lose valuable data, but it’s worse if you don’t have a backup to retrieve that data.

If you were to fall victim to WordPress hacking, you never know what the hacker’s intention is. Whether it’s to obtain data or to simply cause mischief; you simply won’t know.

With this, it’s a good idea to take a backup of your website’s data at least once a week so that if something does go wrong, you can simply restore the backup and have as little data loss as possible.

How to Keep Your WordPress Website Secure

Below are some of the best ways possible to keep your WordPress website secure, none of which requires too much technological knowledge.

Updating WordPress. This is the number one basic step to take to keep your website secure. While many opt to have WordPress update automatically, if you are on the other side of it then it’s important that you update your WordPress when prompted. WordPress updates often contain security fixes for issues that the developers have found or that have been reported to them, and by not keeping your website up to date, you’re willingly putting your website at risk.

Plugins. Not only should you keep your plugins up to date, similar to keeping WordPress up to date, but on top of that there are several security plugins available for free use. The most common WordPress security plugin is Website Antivirus, a necessity for maintaining a secure website. Although there are premium plugins out there, the free version is more than enough.

Using Clef. Clef is one of the newest and most secure resources out there. Not only does it work alongside WordPress to ensure a secure account login, but it can be used for many other services too. With Clef, you are removing the need to enter a password, thus eliminating the risk of your password being obtained through keylogging.

Setting Up WordPress. When initially setting up the WordPress platform, there are a few things that you can do to further benefit your security setup. A few of these things are:

  • Change the default database prefix. By default, it is “wp_”, which makes it easier for hackers to pinpoint your table names.
  • Change the login page. Rather than the standard domain.com/wp-admin/ login page, change it to something that only the required administrators will know. On top of that, customize the page to make it somewhat different from the default page. By doing so, you are making it harder for bots to target your logins.
  • Have someone else set up WordPress for you. Lastly, if you aren’t sure how to set up WordPress from a security standpoint, have someone else take a look at it for you. There’s no shame in asking for help!

To Conclude…

Taking everything that we’ve discussed here into account, there’s no reason for you not to take the time to secure your WordPress website. Not only does it take only a short amount of time to do, but by securing your website there are absolutely no downsides in doing so. You are benefiting yourself, and you are benefiting your users.

WORDPRESS SECURITY AUDIT
https://www.siteguarding.com/security-blog/wordpress-security-audit/
Fri, 16 Dec 2016 07:51:50 +0000

You probably don’t know this, but every day there are probes trying to get into your WordPress account. They are always searching for security weaknesses, and if you fail to do a WordPress security audit on your site, they might eventually get in. These probes are generally looking for weaknesses and, most times, for the location of your webmail or your website’s MySQL database. There are chances that they might also be looking for a previous hacker’s file located on your website server space in order to gain full control of your website.

Therefore, the security of your website falls in your hands. So, if you are thinking that the security of your website is the responsibility of your hosting provider, then you need to have a rethink. Your website host, WordPress in this case, is mainly concerned about the security of their servers and all of the applications they run on them. They don’t care a bit about the scripts and applications you run.

Since the people probing your website barely use an IP address more than once, it will be difficult for you to block them by banning their IP addresses from gaining access to your website. Probes use different proxy servers and different names; some common ones include Toata, Wantsfly and Morfeus. In one session, a typical probe can make up to 50 attempts in order to locate different combinations of directory folder names or common locations. So, in order to minimize the risk of the probes getting what they want, you need to run a WordPress Security Audit.

One of the most effective ways to do this is to utilize the services of the WordPress security exploit scanner plugin.

WORDPRESS VIRUS SCANNER

This plugin is one of the best scanners when it comes to detecting signs of suspicious activity on your website. It scans every database and file, searching for compromised files that have been uploaded or left on your website by hackers. To keep your website safe, you have to scan it for malware at least once a week. Hackers leave a trail of modified content and scripts whenever they compromise a website. This content and these scripts can be found by manually searching through every file on the website. Some methods used by hackers to hide their spam links or code are very obvious. For instance, they make use of CSS to hide text; these strings are the things we can search for. Content can also be hidden in the database, and code can also be run in the database. Spam links are sometimes placed among the comments and also in blog posts. Search engines will notice them, but the visitors of your website will not see them because they are hidden by CSS. In an attack launched on WordPress some time ago, hackers exploited the WP plugin system in order to run their own code. Files with image file extensions were uploaded and added to the list of active plugins. Therefore, even though the files didn’t have a .php extension, the code written in them was still able to run.

This plugin goes through your website and tries to bring out all of these changed database records and files. It is the perfect plugin for the audit of your WordPress.
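The three hiding tricks described above can each be checked with a few lines of code. The following is an added example, not part of the original article or of any plugin it mentions; the function names, sample files and sample values are constructed, and it assumes the active plugin list is available as the PHP-serialized `active_plugins` option value.

```python
"""Added example: audit checks for PHP in image files, CSS-hidden links,
and non-PHP entries in the active plugin list. All sample data is constructed."""
import os
import re
import tempfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".bmp"}
# Only the full "<?php" tag is matched; short tags such as "<?=" can occur by
# chance in binary image data and would produce false positives.
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

# An element whose inline style hides it from visitors.
HIDDEN_ELEMENT = re.compile(
    r"<(?P<tag>\w+)\b[^>]*\bstyle\s*=\s*(?P<q>[\"'])"
    r"[^\"']*(?:display\s*:\s*none|visibility\s*:\s*hidden)[^\"']*(?P=q)"
    r"[^>]*>(?P<body>.*?)</(?P=tag)>",
    re.IGNORECASE | re.DOTALL,
)
HREF = re.compile(r"<a\b[^>]*\bhref\s*=\s*[\"']([^\"']+)", re.IGNORECASE)
# String entries inside a PHP-serialized array: s:<length>:"<value>";
SERIALIZED_STRING = re.compile(r's:\d+:"([^"]*)";')

# Constructed samples (not taken from a real site).
SAMPLE_HTML = (
    "<p>Welcome to my blog.</p>"
    '<div style="display:none"><a href="http://spam.example/pills">pills</a></div>'
    '<a href="/about">About</a>'
)
SAMPLE_ACTIVE_PLUGINS = (
    'a:3:{i:0;s:19:"akismet/akismet.php";i:1;s:9:"hello.php";'
    'i:2;s:17:"gallery/thumb.jpg";}'
)


def find_php_in_images(root):
    """Return relative paths of image-named files that contain a PHP tag."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if PHP_TAG.search(fh.read()):
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def find_hidden_links(html):
    """Return link targets that sit inside an element hidden with inline CSS."""
    urls = []
    for match in HIDDEN_ELEMENT.finditer(html):
        urls.extend(HREF.findall(match.group("body")))
    return urls


def suspicious_active_plugins(serialized):
    """Return active-plugin entries that do not point at a .php file."""
    entries = SERIALIZED_STRING.findall(serialized)
    return [e for e in entries if not e.lower().endswith(".php")]


def build_sample_tree(root):
    """Write a small constructed site tree: one clean and one tampered image."""
    uploads = os.path.join(root, "uploads", "2016")
    plugins = os.path.join(root, "plugins")
    os.makedirs(uploads)
    os.makedirs(plugins)
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    with open(os.path.join(uploads, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    with open(os.path.join(uploads, "logo.png"), "wb") as fh:
        fh.write(png_header + b"<?php /* constructed marker */ ?>")
    with open(os.path.join(plugins, "hello.php"), "wb") as fh:
        fh.write(b"<?php // ordinary plugin file, ignored by the image check\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("PHP inside image files:", find_php_in_images(tmp))
    print("Links hidden by CSS:", find_hidden_links(SAMPLE_HTML))
    print("Non-PHP active plugins:", suspicious_active_plugins(SAMPLE_ACTIVE_PLUGINS))
```

The hidden-link check only looks at inline `style` attributes; text hidden through a stylesheet class needs the stylesheet to be inspected as well.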

CHECKING YOUR WEBSITE’S SECURITY?

One easy way to check WordPress security is to check WordPress’ stats for 404 “file not found” errors. If you notice a lot of errors for file locations and files that don’t exist on your website, then your site is being probed for weaknesses that could be exploited. You need to make routine checks of your own website folders and files to identify any that you haven’t installed. If you find anything, first check with your website host to make sure that they haven’t installed what you found before deleting it. Sometimes you cannot delete these files yourself; you will need the help of your site’s administrator to delete them.
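The 404 check described above can be automated over a web server access log. The following is an added example, not part of the original article; it assumes Combined Log Format, uses constructed log lines with documentation IP addresses, and the thresholds are illustrative. Because probes rarely reuse an IP address, it reports both clients that request many missing paths in one run and missing paths requested by several different clients.

```python
"""Added example: spot probing in an access log by counting 404 responses.
Log lines and thresholds are constructed for illustration."""
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def _line(ip, target, status):
    """Build one constructed log line."""
    return (f'{ip} - - [16/Dec/2016:07:51:50 +0000] '
            f'"GET {target} HTTP/1.1" {status} 512 "-" "-"')


# Constructed sample: one client walking through missing locations, a second
# client asking for two of the same locations, and one ordinary visitor.
PROBED = ["/webmail/", "/mail/", "/mysql/", "/phpmyadmin/", "/db/", "/old/"]
SAMPLE_LOG = (
    [_line("203.0.113.7", path, 404) for path in PROBED]
    + [_line("198.51.100.23", "/webmail/", 404),
       _line("198.51.100.23", "/mysql/?x=1", 404)]
    + [_line("192.0.2.10", "/", 200),
       _line("192.0.2.10", "/favicon.ico", 404),
       _line("192.0.2.10", "/wordpress-security-audit/", 200)]
    + ["this line is not in the expected format"]
)


def probe_report(lines, min_paths=5, min_clients=2):
    """Summarise 404 activity.

    clients:      {ip: count} for clients with >= min_paths distinct missing paths
    shared_paths: [(path, clients)] for missing paths hit by >= min_clients clients
    skipped:      number of lines that could not be parsed
    """
    paths_by_ip = defaultdict(set)
    ips_by_path = defaultdict(set)
    skipped = 0
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            skipped += 1
            continue
        if match.group("status") != "404":
            continue
        # Ignore the query string so /x?a=1 and /x?a=2 count as one location.
        path = match.group("target").split("?", 1)[0]
        paths_by_ip[match.group("ip")].add(path)
        ips_by_path[path].add(match.group("ip"))
    clients = {ip: len(paths) for ip, paths in paths_by_ip.items()
               if len(paths) >= min_paths}
    shared = sorted(
        ((path, len(ips)) for path, ips in ips_by_path.items()
         if len(ips) >= min_clients),
        key=lambda item: (-item[1], item[0]),
    )
    return {"clients": clients, "shared_paths": shared, "skipped": skipped}


if __name__ == "__main__":
    report = probe_report(SAMPLE_LOG)
    for ip, count in report["clients"].items():
        print(f"{ip} requested {count} missing locations")
    for path, count in report["shared_paths"]:
        print(f"{path} was requested by {count} different clients")
    print("unparsed lines:", report["skipped"])
```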

How to Secure Website from Hackers
https://www.siteguarding.com/security-blog/how-to-secure-website-from-hackers/
Thu, 29 Sep 2016 09:00:57 +0000

Do you get padlocks and locks for your home? Only if you are homeless would you not answer yes to this question. In this article, we will learn how to get padlocks and locks for your home page, which is equivalent to learning how to secure your website from hackers. If you use sensitive information, like your customers’ names and credit card information, then you are required by law to have a secure site. How to make a website secure becomes more relevant, and you could have legal problems if you fail to protect others’ information.

Other consequences include severe reputation damage, being banned from search engines and being used as an instrument to spam porn. In the worst cases, you can get into trouble if your site is used for illegal activities.

Prevention is your best choice, and we will explore how to secure your website from hackers to prevent any undesirable consequences from happening to your home page.

Discourage the Hackers

Going back to padlocks, which home is more likely to get robbed? A home with no padlocks, or one with a tiny padlock at the entrance? Of course, a thief will prefer to get into a home with no padlocks, since it will be easier to get in.

The same occurs with websites. If you learn how to secure your website from hackers, even if it is the smallest and most basic security measure, the hacker will go to the site with less protection. There are many unguarded sites around, and applying some tools on how to make website secure is just a simple way to discourage the hackers.

The Basics on How to Secure your Website from Hackers

Tiny padlocks are the basic security measures you can take to make your website secure from hackers. These include:

  1. Keep your updates up to date.
  2. Strong user names and passwords for everybody: admin and basic.
  3. Set a password policy, which should include:
    • Limited attempts to log-in.
    • Periodically changing passwords.
    • Never send passwords by mail.
  4. Set an expiration time to logins when they are inactive.
  5. Change default settings, like:
    • The default prefix (wp_) of your database.
    • Use a plug-in to change your default admin
  6. Use tools to de-index your admin page. A common trick is to use the robots.txt file.
  7. Set uploading limitations, such as:
    • Eliminate the possibility to upload files if your site does not require this feature.
    • Store any uploaded file outside your root directory.
    • Use scripts to gain access to uploaded information.
  8. Remove the auto fill option of all your forms.

All these are settings any basic user who has put a website on his own can do. They are best practices you should consider when building a new website.

Administration Tools to help on How to make Website Secure

Before we go to the advanced tools and services to assist you in securing your website, let’s take a look at some other basics you should follow. These administration tools are not directly related to your home page, but they are useful and can help you avoid hacker attacks.

Especially if your server is located in your office, the following is simple advice you cannot miss. If you host it somewhere else, then it is not as critical. However, this advice will keep the computer accessing your administration panel safe, and that can prevent your information from being stolen at this point.

The minimum administration tools to set on website security are:

  1. Get a Firewall for your network.
  2. Scan all your computers, not just your host server. Scan your website with a website scanner to detect backdoors and preinstalled viruses.
  3. Get security applications for all endpoints on your network. Even the free options are better than nothing.

Back up your site when it is healthy. The backup might be of use if you need to recover from an attack. It will also protect you from hardware failures. It is best to back up every day, at the lowest-traffic time, to a separate machine. Backing up multiple times a day is recommended for sites with lots of activity. If you have a host service, ensure that your contract includes regular backups. Most vendors do it.

Advanced tips on How to secure your Website

There are some other things you can do in your search on how to secure your website from hackers. This is a list of just some of the advanced things you can implement on your web page:

  1. Using SSL certificates for encryption is a must if you are dealing with personal information.
  2. Don’t trust any application claiming that it can hide your code. The code of your website is how the page is displayed in the web browser. Most likely you will get an infection.
  3. Test your site for SQL and XSS injections. You can use the free tools on sites like NetSparker.
  4. Use a debugger to manually compromise your site, or use other automated tools which are available online. If you can, then hackers will. Be careful, because some sites offering this sort of tool are just for phishing.
  5. Install security plugins. Your host vendor might give them away for free. Other sites also give away plugins to cover the most common vulnerabilities.

These are just some of the advanced things you can do to help secure your website from hackers. There are many more. Getting hands-on with making a website secure from hackers can be time-consuming. It is better to look for a professional service and save some time.

There are dedicated companies that will assist you with all the security issues for your website. A complete offer can be found on www.siteguarding.com. But there are many others. Your current vendor of antivirus service might help. Search for options and evaluate the benefits.

WordPress Malware Removal
https://www.siteguarding.com/security-blog/wordpress-malware-removal/
Wed, 14 Sep 2016 15:22:50 +0000

Malware is bad for computers as well as websites. It can create problems for the owners of websites or computers. Malware can help in the hacking of a website as well as a computer. Hackers use malware specifically to hack websites or PCs and carry out their malicious activities. Malware can increase cyber crime. The suspicious activities that host servers, antivirus, and firewalls report on websites are due to malware that has been downloaded to the computer or website.

Malware is a term used to describe the problems that websites and computers face. It can take the form of intrusive and hostile software. It includes:

  • The viruses,
  • Trojan horses,
  • Worms,
  • Spyware,
  • Adware,
  • Ransomware,
  • Scareware,
  • And other malicious activities.

Malware can take other forms, which might include:

  • Executable code,
  • Active content,
  • Scripts,
  • And other software.

Penetration of the Malware

Hackers and cyber criminals know various techniques to introduce or inject malware into the system of the target owner. Malware is introduced into PCs as well as websites, where it can cause considerable damage.

These viruses are introduced into the system in two ways:

  • Social engineering technique
  • And system infection without the knowledge of the user.

Removing the Malware on Wordpress CMS

Webmasters can remove malware through different means. Different techniques and methods are involved that are known to experts only. We offer malware removal services to websites. We have been providing information to website owners and webmasters on how to protect their websites from hackers and viruses. We also offer services that include website data backups, website protection and safety, WordPress antivirus, a WordPress monitoring tool and WordPress security extensions. Combined, these services reduce the risk of the website getting hacked or losing data.

Importance of Malware Removal

It is extremely important to remove the malware. The website is your business, and the computer is your property. You do not want anyone to interfere with your work. The hackers usually hack the websites or enter into the computers because they are on a mission of hacking the high profile or WordPress sites. And the hackers these days want to prove their capabilities in the field of cyber crime. The hacking of the websites and computers is common these days, and it is usually done through the malware incorporation. The webmasters might lose all the important data, files and content that may cause enough damage to the business. Some of the important and confidential information can be breached, and the login credentials can be available to the hacker. So it is important to remove the malware.

Malware Removal Ways

There are different ways in which malware can be removed from a particular website or computer. siteguarding.com offers services to remove WordPress malware by providing WordPress antivirus, a WordPress monitoring tool, and WordPress security extensions. The different ways include:

Cleaning the Basics

You need to start from scratch. Cleaning the website is important, as it removes malware that is in the content or files of the website. The malware can be hidden from, or visible to, the tools installed on the computer. The cleaning involves different steps that need to be followed.

Using the Live Scanners

Live scanners help scan the website for malicious activity or malware. They are important because webmasters accept the risk of false positives rather than false negatives, which are missed web malware. Review the website regularly. You can specify particular areas to check rather than missing them, which could cause damage to the website.

Default WP Structure of File

WordPress is always organized in a default structure. The core files and directories must be checked, which can help reveal hidden malware content. It is extremely important to use file monitoring tools that help you obtain information about malware files.

File permissions

WordPress provides useful information about file permissions and the specific permissions needed to install WordPress. File permissions must be limited, and they must be changed using the proper technique.

Disabling the Plug-ins

A very important step is disabling the plug-ins. It helps the scanner identify and locate the malware, which is usually found in the plug-ins directory; that is why you are advised to disable the plug-ins. Disabling means that you cannot use them. Do not confuse it with removing the plug-ins.

WordPress Malware Removal Steps

The malware removal includes proper steps that have to be followed to remove the malware and restore the WordPress site.

  • Lock WordPress with WPSecurityLock to keep the criminals out of the territory.
  • Set your passwords according to the guidelines given by the host servers and companies.
  • Scan the website and locate any malware in the data.
  • Remove the malicious code and files that have been incorporated into your website.
  • Use the backup to restore the website and revert it to its latest state before the hack.
  • Use new and unique authentication keys to disable the cookies.
  • Correct the permission sets for the directories and files on the server.
  • Make users aware of the website maintenance on the website interface.
  • Perform a final check-up of the website.
  • Remove the malware warnings from the search engines.
  • Scan for malware for about a month.
  • Receive a diagnostic report from the secure server.

WordPress malware removal can be achieved through the services offered by siteguarding.com. Malware removal is important; follow the steps to remove it properly and get rid of the malicious activity.

Top security issues in WordPress CMS
https://www.siteguarding.com/security-blog/wordpress-cms-issues/
Tue, 23 Aug 2016 12:49:46 +0000

WordPress is the most popular Content Management System available to build websites. Like every popular tool, it has been targeted by hackers, and attacks are not rare. As an open-source project, a secure WordPress is a utopia, and improvements are not addressed as fast and accurately as most users would want. In particular, the lower-rated security issues are not addressed, but most vulnerabilities get listed eventually.

A listed vulnerability is a major security risk because even amateur hackers can use it, since it is an already known problem. It is like leaving the WordPress backdoors wide open. Luckily, there is a plug-in developed for each problem by several companies dedicated to protecting your website. We’ll go through the top security issues in the WordPress Content Management System, and where one is available, we will point to the right plug-in to address the problem.

Keep WordPress Updated

Before we start our list of vulnerabilities, there is a simple and at times forgotten thing you can do to get your WordPress secured. Just keep it updated. Major vulnerabilities are subject to updates, and most updates are to address a particular vulnerability. WordPress backdoors get closed with every update.

If you don’t update WordPress on a regular basis, then it is impossible to get protected from the most known vulnerabilities that older versions have. If a hacker gets the information on which WordPress version you are using, he will automatically gain access to its vulnerabilities and has more chances to break in.

Attacks To The Login Page

Attacks on the administration login page are perhaps the most common way to invade your website. Brute force is the most common attack to “guess” your password. They work by testing all possible combinations until they get the lucky one. Automated bots are used to guess passwords, and over time they are successful.

There are several things that you can do to prevent these attacks. The first one is to camouflage your admin login page. By default, all websites have the same address syntax for the administration pages. You can use a specially designed plugin to make the changes. To download the plugin, you can visit www.siteguarding.com/en/wordpress-admin-protection.

The plugin available at siteguarding.com to secure WordPress admin passwords changes the default address to a new place that only you will know. Then, it notifies you of every attempt to access the default admin web page. This way you can find out when someone is trying to force it. The last security layer in this plugin is a Captcha. Even if the invader guesses the new login address, bots will be faced with a code designed for humans.

For additional security, you can use the WordPress Admin Graphic Password Plugin. It is an extra security layer to verify that real people are trying to log in. You can download it at www.siteguarding.com/en/wordpress-admin-graphic-password. The essential features of the plugin are free, but to get more customization options you need to pay less than 10 EUR per domain. If you can’t afford the paid version, use at least the free plug-in to secure WordPress and close your WordPress backdoors.

The last tool to address attacks on the main web page and secure WordPress is the plugin for user access notification. It works more on the corrective side than for prevention. This monitoring tool can send you an email anytime there is an attempt to log in, both successful and unsuccessful. When a brute force attack takes place, a complete report is generated with information about the location and time it occurred. If, despite all your security measures, the hack is successful, you also get notified. If that happens, only changing the password will start the process of hacking all over again.

There is a free version of this tool available at www.siteguarding.com/en/wordpress-user-access-notification. You can download it for free. All important features are enabled, and only the notification options are restricted to all.

PHP Code Vulnerabilities

Unfortunately, there is no single way to address PHP code vulnerabilities, and they are the second most exploited way to hack a website. WordPress backdoors are opened through plugins, themes or other applications on your site. The vulnerabilities to look for to secure WordPress depend on the tools you are using. Again, keeping all components at their latest versions is the best advice we can give.

User’s Privilege Escalation

A typical WordPress backdoor for sites open to registration is privilege escalation. A hacker can create an account as a user and use some WordPress vulnerabilities to gain access to administration features. If your page offers no way to register, then you are safe, but if you enable this feature, be sure to add a plug-in to monitor user privileges, to raise awareness and secure WordPress by continuously monitoring user accounts.

Keep Temporary Folders and Files non-public

A common way for hackers to get sensitive information from your website and violate the most secure WordPress is by taking advantage of some loose ends.

Temporary files and source code can be a gold mine for hackers. If you edit your website files, the temporary files will contain sensitive information, like your login credentials. Don’t do this unless you have hidden the repository of these files from public eyes.

Storing your source code in public places will open not only the WordPress backdoors but also the main doors. It is common for developers to store code on public sites like GitHub, but that is not advisable, since anybody can download it and get valuable information to further attack your site successfully.

Getting a professional expert to advise you on security matters is the best way to keep all these problems out of sight. I’ve consulted the tech support team successfully from siteguarding.com, and my site has run free of problems.
