Protect Your WordPress Site From Attack – 10 Simple WordPress Security Measures

10 Simple WordPress Security Measures

Well … it eventually had to happen!

When you are the world’s most popular content management system and the preferred online publishing platform for over 60 million websites around the world, used by millions of businesses and loved by thousands of web developers and web designers, it’s inevitable that, at some point, WordPress will come under attack from hackers wanting to score a “big win”.

In early April 2013 a global “brute-force” attack began hitting WordPress installations across virtually every web host in existence around the world using botnets.

A “botnet” is a network of private computers that have been infected with malicious software and are then controlled remotely as a group, typically without the computer owners’ knowledge. Botnets are often used to send mass spam emails.

Below is a screenshot taken from an Internet Security monitoring site showing the locations of the command centers of ZeuS – a botnet that has been actively infecting computer networks all around the globe since 2009 …

[Screenshot: map of ZeuS botnet command-center locations]

The ongoing botnet attacks on WordPress are well-organized and highly distributed. Over 90,000 IP addresses were identified by a number of webhosting companies in the initial attack alone, when the web was flooded with millions of attempts to force their way into WordPress users’ administration areas. As this article is being written, over 30,000 WordPress sites are being hacked per day.

News of the April mass brute-force botnet attack was reported by all of the major webhosting companies, as well as the leading technology publications, such as Forbes, TechNews Daily, PC Magazine, Tech Crunch, BBC News, and even on the official website of the US Department of Homeland Security …

How To Prevent Your WordPress Site From Being Attacked – 10 Simple Steps

If your website is powered by WordPress and you’re not taking steps to harden your site, it’s practically guaranteed that your site will be hacked, or at least targeted by bots, because these attacks are systematically targeting WordPress sites around the world!

Typically, whenever a site is hacked, website owners will discover much to their dismay that they have been “locked out” of their own site, or that their content has been vandalized or even entirely wiped out. Often, sites will be infected with malicious software without the owner’s knowledge.

To help you avoid the heartache of having your site hacked, we have published below 10 simple yet essential steps that will help to protect your WordPress site from brute force attacks.

Warning

Note: Some of the steps listed below require some technical understanding of how to modify core WordPress and server files. If you are not technical, or don’t want to mess around with code on your site, then please [contact us / ask someone who knows what they are doing], or see our recommended software solution further down this page.

1 – Contact Your Web Host

Contact your webhosting provider and ask them exactly what they have put into place to help prevent your site from being attacked, and what they are doing to ensure that your WordPress sites are being regularly backed up. Check that your host is backing up your sites and that, if anything happens, you can easily get your site back.

2 – BackUp Your WordPress Data And Files And Keep Your Site Regularly Maintained

You should never rely only on your webhost for your site backups. Instead, learn how to maintain and manage your WordPress site and develop a habit of performing a complete WordPress site maintenance routine on a regular basis (e.g. weekly, monthly, etc.).

3 – Make Sure That Your User Name Is Not “Admin”

The mass brute-force botnet attack on WordPress is mostly attempting to compromise websites’ administrator panels by targeting sites whose administrator account is named “admin”. If your site’s username is “admin” you need to change this immediately.

Since WordPress doesn’t allow administrators to change the username assigned during installation, the simplest way to fix this issue is to create a new User account with administrator privileges. Make sure your new username is not obvious and choose a very strong password (see next section below).

Once you have created a new user with a new username and assigned it the role of administrator, log out of your WordPress site and log back in using your new user login details.

Once you have logged into your WP admin area, delete the old administrator account (i.e. the account with username = admin).

If you need help with these steps, please contact us, or see our WordPress training tutorials for more detailed step-by-step instructions.

4 – Change Your Password

A “brute force” attack occurs when malicious software continually and persistently hits a login or password field with different strings of characters in an attempt to guess the right combination that will unlock it and give them access to your site.

Unless some measure is put into place to block the brute force attack (see further below for a simple and effective way to do this), the “bot” will just keep attacking your site until it eventually “cracks” the code.
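As an added example (not from the original article or from any plugin it mentions), the script below shows what such an attack looks like in a web server’s access log and how to flag it: one client posting to wp-login.php over and over, each failed attempt answered with a 200 because WordPress simply re-renders the login form, until a 302 redirect into wp-admin marks a guessed password. The log lines are constructed and use documentation IP ranges.

```shell
#!/bin/sh
# Added example, not code from the original article. Flags brute-force
# login runs in an Apache access log by counting POSTs to wp-login.php per
# client IP. The log lines below are constructed; the addresses come from
# the documentation ranges (198.51.100.x, 203.0.113.x, 192.0.2.x).

SAMPLE_LOG='198.51.100.7 - - [12/Apr/2013:02:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:02:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:02:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:02:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:02:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:02:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:02:10:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:02:11:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:02:11:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:02:11:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:02:11:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:02:11:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:02:11:13 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:08:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3490 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:08:30:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:08:30:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# usage: flag_bruteforce THRESHOLD < access.log
# Prints "failed succeeded ip" for every client with at least THRESHOLD
# failed login POSTs, busiest client first. A non-zero "succeeded" count
# next to a long run of failures means a password was probably guessed.
flag_bruteforce() {
  awk -v t="$1" '
    # Combined log format: $1 = client IP, $6 = "METHOD, $7 = path, $9 = status
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
      # WordPress answers a failed login with 200 (form re-rendered) and a
      # successful one with a 302 redirect into wp-admin.
      if ($9 == "302") ok[$1]++; else fail[$1]++
    }
    END {
      for (ip in fail)
        if (fail[ip] >= t) printf "%d %d %s\n", fail[ip], ok[ip] + 0, ip
    }' | sort -rn
}

# Stand-alone run over the constructed sample; threshold defaults to 5.
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce "${1:-5}"
```

The legitimate user at 192.0.2.44 (one typo, then a successful login) stays below the threshold, while 198.51.100.7 is reported with six failures followed by a success.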

Weak passwords are very easy targets for brute force attack methods. Make sure, therefore, that you change your password to something that is at least eight characters long, and that includes upper and lowercase letters, and “special” characters (^%$#&@*).

If you have trouble coming up with strong passwords or feel reluctant to set up different passwords for all of your online logins, then use a password management tool like Roboform.

5 – Prevent the wp-config.php file from being accessed

If a hacker breaks into your site, they will look for the wp-config.php file, because this is the file that contains your WordPress database details.

To prevent the wp-config.php file from being accessed, insert the following code into your .htaccess file:

[Screenshot: the rules to add to .htaccess]

Note: Editing your .htaccess file can seriously mess up your site. Make sure that your site is fully backed up before you modify any system files. If you don’t know what you’re doing please [contact us / ask someone who does], or see our recommended solution further down the page.

6 – Rename or delete your install.php, upgrade.php and readme.html files

These files are completely unnecessary after installation and can be removed. If you don’t want to delete these files, then just rename them.

7 – Upgrade your WordPress installation, plugins and themes to their latest version

Hackers look for vulnerabilities they can exploit in older versions of WordPress, including outdated versions of WordPress plugins and themes. Ensure that all of your WordPress files, plugins, themes etc. are always up to date.

8 – Disable Your WordPress Theme Editor

When you log into WordPress, you can access your WordPress Theme Editor (by selecting Appearance > Editor) from the dashboard menu. This means that anyone who logs into your site can see all of your WordPress files and make changes or cause havoc on your site.

The WordPress Theme Editor can be easily disabled by adding the line of code below to your wp-config.php file:

[Screenshot: the line to add to wp-config.php]

Once again, please don’t modify any files on your site if you don’t know what you are doing and always backup your data before making changes. See our recommended solution further down the page if you need help with this step.

9 – Remove Access To Your WordPress Uploads Folder

The “uploads” folder stores all the media that gets uploaded to your WordPress site. By default, this folder is visible to anyone online.

Adding the line below to your .htaccess file will prevent online users from viewing your Uploads folder:

[Screenshot: the line to add to .htaccess]

It’s worth repeating this warning once again: back up your site before making changes to core files and don’t edit files if you don’t know what you are doing.

Useful Tip

Tip: You can add a blank “index.php” file into any directory that you don’t want people to look into. This will display a blank page to visitors. (The downside to this method is that you have to add a blank “index.php” file into every folder that has content or files you don’t want people to access.)
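Steps 5, 8 and 9 each add a line or two to a configuration file. The script below is an added example, not code from the original article or from any plugin it mentions; it applies the standard rules for those three steps to a WordPress install directory, can be re-run safely, and assumes Apache with .htaccess overrides enabled and a stock wp-config.php that still contains the “That’s all, stop editing!” marker comment.

```shell
#!/bin/sh
# Added example, not code from the original article. Applies the three
# configuration changes from steps 5, 8 and 9 to a WordPress install
# directory, idempotently (running it twice adds nothing twice). Assumes
# Apache with .htaccess overrides enabled and a stock wp-config.php.
# Back the site up before running it.

# Append a block to a file unless a marker string is already present.
append_once() {
  file="$1"; marker="$2"; block="$3"
  if grep -qs -- "$marker" "$file"; then
    return 0                       # already hardened, nothing to do
  fi
  mkdir -p "$(dirname "$file")"
  printf '\n%s\n' "$block" >> "$file"
}

# Step 5: refuse every web request for wp-config.php. "Require all denied"
# is Apache 2.4 syntax; the Order/Deny pair covers Apache 2.2.
deny_wp_config() {
  append_once "$1/.htaccess" "<Files wp-config.php>" \
'<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>'
}

# Step 9: stop Apache from listing the contents of wp-content/uploads.
# Files stay downloadable by direct URL; only the directory index is hidden.
disable_uploads_listing() {
  append_once "$1/wp-content/uploads/.htaccess" "Options -Indexes" "Options -Indexes"
}

# Step 8: remove the Appearance > Editor (and plugin editor) screens from
# wp-admin. The define() must run before wp-settings.php is loaded, so it
# is inserted ahead of the "stop editing" marker rather than appended.
disable_file_edit() {
  cfg="$1/wp-config.php"
  if grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
    return 0
  fi
  if ! grep -q "stop editing" "$cfg"; then
    echo "marker comment not found in $cfg; add the define() by hand" >&2
    return 1
  fi
  awk -v line="define( 'DISALLOW_FILE_EDIT', true );" \
    '/stop editing/ && !done { print line; done = 1 } { print }' \
    "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

harden_wp() {
  deny_wp_config "$1"
  disable_uploads_listing "$1"
  disable_file_edit "$1"
}

# Usage: sh harden_wp.sh /var/www/html   (the path is a placeholder)
if [ $# -ge 1 ]; then
  harden_wp "$1"
fi
```

After running it, request wp-config.php in a browser and confirm the server answers 403, and check that Appearance > Editor has disappeared from the dashboard menu.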

10 – Use WordPress Security Plugins

Currently, a number of WordPress security plugins are available that address many of the common security issues that most WordPress website owners face (e.g. preventing hackers from accessing your site, protecting your site from malicious software, etc.).

We provide detailed WordPress Security step-by-step tutorials to our clients on all aspects of using WordPress, and these also include tutorials on WordPress security.

Many WordPress plugins address some but not all areas of WordPress security. One WordPress security plugin that seems to do a comprehensive job of scanning, fixing and preventing issues that could lead to hackers accessing your site files and damaging your site is SecureScanPro.

SecureScanPro is easy to install and easy to use, and does a great job of addressing most of the security areas and fixing the issues that WordPress users need to address.

Here are some of the main features and benefits of this plugin:

  • It requires no technical knowledge to use and is easy to install.
  • It scans, fixes and prevents your site from being attacked in around 2 minutes.
  • It scans for 33 known risks and vulnerabilities and automatically corrects 12 known vulnerabilities on WordPress sites with a click of the mouse.
  • It does all of the recommended “code” fixes suggested earlier.
  • Each test is accompanied by a detailed explanation of the risk and the solution provided.
  • You can schedule scans on a daily or weekly basis that will regularly monitor your site and notify you in seconds via email if someone tries to log into your site using incorrect login details, or executes a brute-force attack on your site.
  • It ensures that unauthorized IP addresses are not permitted entry to your site and will automatically ban intruders after a number of failed logins.
  • Free technical support and upgrades are provided.

Here are some screenshots of SecureScanPro in action …

The plugin adds important protection features on your WordPress login screen. This includes removing any references to the username during unsuccessful logins (WordPress tells you what the username isn’t, so if someone guesses the username correctly, all they have to do is try to work out your password), as well as adding an IP ban after a number of specified failed login attempts, and a simple challenge that only human beings can solve …

Once installed, the plugin performs a comprehensive scan and returns the results in an easy to understand report (green = good, red = bad) …

You can automatically correct a number of issues found by the plugin scan simply by clicking a “Fix It” button …

The plugin also lets you schedule scans to run automatically and email you the results …

You can also block the IP addresses of known spammers, botnets, content harvesters and malicious attackers from various locations around the world …

After recently installing the plugin on client sites, the software immediately went to work and began sending reports of one site that was being brute-force attacked without the owner even realizing that this was happening …

As the plugin’s documentation states, there are no guarantees that your site will not be hacked if you use the SecureScanPro plugin. However, when used as part of a comprehensive WordPress site security strategy, you should find that your site is no longer an easy target for attacks, especially from people looking for obvious or known weaknesses and vulnerabilities.

For more details, visit this website: SecureScanPro

What Doesn’t Kill You Makes You Stronger

As cybercrime grows worldwide and cybercriminals develop more sophisticated mass methods to identify and exploit vulnerabilities online, WordPress security is becoming increasingly more important. Hackers range from individuals who carry out attacks on sites out of curiosity, for entertainment, or to earn “bragging rights” with their peers, all the way to sophisticated, co-ordinated and highly organized criminal networks and cyberterrorists.

As stated earlier, WordPress is a target for hackers because it is the most widely used platform for publishing websites and managing content online. We have covered some of the steps you can take to protect your WordPress site; now let’s take a quick look at why you should still consider using WordPress if you are currently looking to start your own website.

There are some people who argue that WordPress is not the most secure platform for running a website or blog because it is “open source” (i.e. free), which means that hackers can easily access the software to find and exploit holes and weaknesses in its coding and security.

While it’s true that WordPress is free and hackers can easily access it and study the code for weaknesses and vulnerabilities (hackers can do the same with any program), the fact that WordPress is a free, open platform makes it actually more secure in many ways.

The reason for this is that WordPress has the support of a huge community of thousands of people such as software programmers, plugin developers and theme designers who are constantly working to help improve the program.

WordPress evolves through the effort of a huge community and benefits from thousands of minds who are dedicated to improving the software and making it safer for every user. As soon as an issue, weakness, vulnerability or problem is discovered, therefore, it is almost immediately reported to the software creators and addressed by the WordPress development team. This is why WordPress releases new security updates so often, and why you need to keep your WordPress site constantly updated and maintained.

Contrast the above with other proprietary web development platforms and technologies which are developed by one company with a limited number of employees, and whose updates are therefore much less frequent, and you will quickly realize the value and advantages of using WordPress to power your website or blog.

Like many modern software packages, WordPress is updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end – and as we have been stressing throughout this training program – you should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates.

And just one last thing …

It’s important to note that in the case of this recent mass brute-force botnet attack there is actually no WordPress vulnerability being exploited (the same script is also attacking Joomla sites).

In a recent interview, Mike Little, who co-founded WordPress with Matt Mullenweg, said the following about the attacks:

It is a “simple” script that attempts to log in using the admin login and a generated password. So if your password is too short or based on dictionary words it will be guessed and then the script can log in legitimately and do whatever it wants, including installing scripts (as plugins) or editing files. The attack tries to guess your password; if it succeeds, the most secure site in the world is wide open because they have your password.

Hopefully this information will help to keep your site protected. Please contact us if you need any further help or assistance with WordPress security issues.

***

How To Protect WordPress Post Page Content

Depending on your needs and online objectives, WordPress post and page content can be made inaccessible to the public.

There are several ways to prevent general site visitors and unauthorised users from accessing content on your site, or from viewing sections of some of your WordPress posts and pages, while giving access to the same content to others.

In this tutorial, you will learn how to use the built-in methods WordPress provides for protecting content on your site, as well as some other options and methods, involving WordPress plugins.

Please watch the video below, or complete the step-by-step tutorial to learn more about creating private and password-protected posts and pages using the WordPress built-in content protection methods …

How To Make Your Content Inaccessible For Public Viewing

There are a number of ways to protect content on your posts and pages from being easily accessed by anyone visiting your site, or unauthorized users.

Below are some of the more common reasons for protecting content on your site:

  • You want to provide information to users only after they have made a purchase on your site (e.g. Downloadable info products)
  • You want to provide information only to certain groups of people (e.g. Wholesale price lists and trade catalogues, confidential forms and business documents, updated member’s lists or databases, private company data, etc…)
  • You want to start a private membership site where members must register first before they can view or access your content
  • You want to offer discount coupons or “how to” information that can only be unlocked or revealed to users with a special password, or after performing a specific action (e.g. Sharing your post with others on social networks)
  • And so on …

Built-in WordPress Content Protection Method #1 – Password-Protecting Posts And Pages

WordPress lets you easily create a password-protected post or page, so that only those people with the correct password can view the content on that specific post or page.

To password-protect a post or page, log into your WordPress site, then find the post or page you want to password-protect …

If you have already created the post or page, then you don’t need to open it. Just click on the Quick Edit link below the post or page you want to password-protect …

This will expand the in-line editor …

Enter a password into the Password field …

Click Update when finished to save your changes …

To see how your password-protected post will look to your site visitors, click on Preview …

As you can see, the entire post is now password-protected. Only users with access to the password can unlock the post or page and view your content …

As you can see from the above screenshot, WordPress displays the word “Protected” to site visitors before the title of your password-protected Post or Page, and a password form asking users to enter the password to access the content.

Additionally, WordPress will not display your Post Excerpt when the content is password-protected …

You can also password-protect a post or page while you are working on the content by clicking on Publish > Visibility > Edit.

Select Password protected, enter your password in the Password: field and click OK.

Click Update to save your changes …

Your post or page is now password-protected …

Important

Additional Information On Password-Protected Posts

  • Only an Administrator, Editor, or the post’s Author can change a post’s password or visibility setting. To access the “Visibility: Edit” link, go to your Posts or Pages screen, find the Post or Page you want to edit and click on the Quick Edit link. (Tip: Use this method if you ever forget a Post or Page password).
  • When Password-protecting many Posts or Pages, WordPress will store your password in a browser cookie so your site visitors don’t have to re-enter passwords if they visit the same page a number of times. Also, if you add the same password to multiple Posts, the user will only have to enter the password once to access every post, except if two or more posts use different passwords. Because WordPress only tracks one password at a time, if two or more posts use different passwords, users will have to re-enter the password if they visit a Post that requires a different password to access the content, and then they try to revisit the previous post.
  • You can change the password of your password-protected posts or pages as often as you need to. This can be useful in situations where you don’t want people who have had previous access to the content to access the content again. For example, if you offer new discount coupons each week, if you reward a new subscriber every now and then with a different product or download, etc …

Built-In WordPress Content Protection Method #2 – Make A Post Or Page Private

By default, when you make a post or page private, only logged-in users assigned the role of Administrator or Editor can view the private post or page on your site. When anyone else tries to access a post or page marked private, they will not be able to see it …

To make a WordPress Post or Page private, log into your WordPress site, go to your Posts (or Pages) section, find the Post (or Page) that you want to make private and click on the Quick Edit link …

This will expand the in-line editor …

Tick the Private checkbox …

Remember to click Update to save your changes …

If you are adding a new post or editing your post content, you can make the post private by clicking on Publish > Visibility > Edit, then selecting Private and clicking OK.

Remember to click Update to save your changes when finished…

Your Post or Page is now private and can only be found by your logged-in Administrators and Editors …

Additional Ways To Protect Your Content

The built-in WordPress password-protect feature offers some level of content protection, but it also has the following limitations:

1) All users share the same password

If you want each user to have his or her own password, then you will need to set up your site so that only registered users are allowed to view your content. This can be easily done using plugins that turn your WordPress site into a “membership” site.

WordPress “Membership” plugins are covered in a separate tutorial on How To Start A Membership Site Using WordPress.

2) All content on the Post or Page is protected.

When you password-protect content on WordPress using the native WordPress function, everything on your Post or Page is protected.

If you want to make some or most of the content on a Page or Post visible to everyone, while protecting part of it (i.e. the “juicy” bit containing the information that only those with access can view!), then there are plugins that you can install on your WordPress site that provide “partial-content” protection.

One plugin that lets you protect selected content which includes text, images, video and links is the Password Protect Selected Content plugin …

The Password Protect plugin can also be used to hide information inside other shortcodes, such as video embeds and file download links.

You can also partially protect content with plugins like WP Share To Unlock (free plugin) that will “unlock” the content when someone performs a social sharing action (clicking a Facebook “like” button, or sharing your page or video on Twitter, for example). Some plugins that unlock content can even help you build your subscriber list …

Another great content locking plugin that combines partial content protection with viral social media sharing capabilities is Viral Outbreak PRO – a versatile content locking premium WordPress plugin designed to help drive viral traffic to your WordPress site quickly and easily …

Viral Outbreak PRO allows you to offer something of value for free to your visitors (e.g. a valuable tip, a special report, a discount voucher, etc.) on your site. Your special content is hidden or “locked away” in your post and can only be unlocked when your visitor performs a desired action to get the free content, such as liking you on Facebook, posting a tweet about your site on Twitter, or giving you a +1 on Google+. This action then helps to drive free traffic to your site … virally!

Protecting Your Content From Being Copied Or Stolen

Important

Note: It’s practically impossible to prevent people from stealing content that is visible on your site (e.g. text and images). The web was designed to share content online. The plugins presented below will simply deter those who can’t be bothered to dig deeper into the source code of your pages.

In addition to locking and hiding content, there are also plugins that try to prevent other people from copying / stealing your content.

For example, the Free WordPress plugin called Blog Content Protector stops people from selecting and copying text on your site or right-clicking on your images and saving them to their own hard drives by disabling the right-clicking and text selection function on your site.

Protecting Your Images

If you are worried about people stealing your images, there are a few options you can look at implementing.

One option is to add a “watermark” to your images using a free WordPress plugin like Watermark Reloaded. Adding a watermark lets people know who the original owner or creator of the image is, and lets them trace the image back to the originating domain.

Another preventative measure you can take to stop people right-clicking on your images and saving them to their computer is to use the No Right Click Images plugin …

Content Protection – Additional Tips And Information

Tip #1 – If, for whatever reason, you find yourself changing the visibility settings of most of your Posts or Pages to “private”, then install and activate the Private Post By Default WordPress Plugin.

This plugin automatically sets all the Posts and Pages you create to “private” by default. All you have to do then, is change the visibility settings of any Posts or Pages that you want to make visible on your site back to “Public”.

Tip #2 – As explained earlier in this tutorial, by default private posts are only visible to users on your site who have been assigned the role of Administrator or Editor.

What if you want to allow users who are not Administrators or Editors to view private Posts or Pages on your site?

For example, let’s say that you run a business consulting firm and you want your consultants to be able to distribute reports privately to clients through your site, or your children’s school wants to post class assignments privately to students online through their school blog.

One option would be to make everyone who needs to have access to private Posts or Pages on your site into an “Editor”. This is not a very good option, however, as they would then be able to modify your content.

Fortunately, there is an excellent free WordPress plugin called User Role Editor that lets you change the capabilities of any standard WordPress user role (to learn more about user roles, see this tutorial: WordPress User Management) …

With the User Role Editor plugin installed, you can assign the same capabilities for reading private posts and pages that “Editors” have, to users assigned the role of a “Subscriber” …

This lets all registered users on your site assigned the role of “Subscriber” access and view your private posts and pages without being able to modify the content.

There are a number of other options for protecting your content online in addition to what has been presented in this tutorial, but these options typically involve messing with code on your site or server.

If content protection is an issue for you and you require a solution that is not covered in this tutorial, then please contact us and we’ll advise you about other possible options.

WordPress is huge, and knowing where to start can sometimes be overwhelming. As you move on to the next Page, you will have a clearer picture of where to start and how to progress to building a professional WordPress site.
