MyHost.IE - Internet Services

WordPress – How can I make it more secure?


WordPress is great at what it does, but don’t use it unless you are prepared to maintain it. If you are going for a WordPress site, factor in the costs of site maintenance, both financially and in your time. It’s one of the most popular and flexible Content Management Systems (CMS) today, but this also brings with it a lot of unwanted attention.

To help, here are some pointers to get you on the way. This is by no means a comprehensive list.

 

Build:

 

Do you need a WordPress site? Will you need to add or change content on a regular basis, have multiple users, provide discussions and so on, or do you just want a website that will remain pretty much static apart from the odd update of information? If it’s the latter you are looking for, then take a look at our Web Presence Builder: http://www.myhost.ie/website-builder/

 

Themes:

 

Avoid free themes from unknown sources; research them first. Many free themes come with malicious code hidden in them. If you are looking for a free theme, stick to themes available from wordpress.org. While free might sound good now, think about how it will be maintained and updated as WordPress updates. Themes must stay compatible as WordPress releases new versions, which means they must be maintained. Can you depend on a free theme for this?

 

Plugins:

 

Research the plugins you decide to use with your install. Check for issues on forums etc. Again, source reputable plugins that have good support, as these also have to be maintained to stay compatible with new WordPress releases.

The basic WordPress core install is secure; vulnerabilities creep in through the use of badly maintained themes and plugins.

 

Logins:

 

Do not use the ‘admin’ login. Most hackers try to get your password by trying to brute-force your admin username. If you have already installed your website and you chose “admin” as your username, don’t worry about it. There’s still a way to change it. Register another user and then give that user admin permissions. Then log in with that new username and delete the old “admin” username.

Review and install one of the following plugins:

http://wordpress.org/plugins/login-security-solution/

http://wordpress.org/plugins/limit-login-attempts/

or the more comprehensive:

http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

 

Passwords:

 

Use complex passwords; a mix of capitals, lower-case and symbols is best. You would be amazed at the number of people that still use password1 as a password.

Password Examples:

Terrible        OK                 Good
password        Brian1968!         M”N(Ndzm@5Bh>Q5
admin           GriffinB68$        5!#4bbS9[@nfLv]
brian           *brian68griffin    (*Hv3Zvq6r#}KJS
briangriffin    BrianG6819         x3ZG87}4~5?E:m,

Use a password repository to manage your passwords:

https://www.dashlane.com/

http://keepass.info/

 

Backups:

 

Use a backup system while developing your site; this has the advantage that if you break it, you can always roll it back. Remember to test that it works, and test it on a regular basis.

Suggestions on backup plugins would be:

http://wordpress.org/plugins/ready-backup/

http://wordpress.org/plugins/updraftplus/

On a regular basis, take a backup of the files and the databases from the host server; this can be invaluable in the case of a catastrophic failure on the site. FTP down the files, export the database and store them on long-term storage. Date your backups!

 

Updates:

 

Updates are continuously being released for the WordPress core, and this can result in your theme and plugins requiring updates. ALWAYS research the compatibility of updates and themes with each other and with new versions of WordPress before applying updates. If WordPress is updated to version 7, then check that your theme and plugins are compatible with that version and update them if necessary.

 

Security:

 

Security on websites is an ever-growing issue. WordPress’s popularity has caused it, its themes and its plugins to be scrutinised by hackers for security holes. We won’t cover this issue in depth, as there have been books written on the subject, but here are some pointers:

 

Create Custom Secret Keys for Your wp-config.php File

All of the confidential details for your WordPress site are stored in the wp-config.php file in your WordPress root directory. Secret keys are one of the bits of information stored in that file, so make sure you change the default secret keys to something else. Use this link to generate values for you:

https://api.wordpress.org/secret-key/1.1/salt/

 

Change the Database Prefix

A lot of the basic setup for WordPress is the same across lots of sites, especially if you use a one-step install wizard through your webhost. This is very convenient, but as a result lots of common setup values, like your database prefix(es), are known to hackers. If you don’t change the database prefix, the table names of your site’s database are easily known to the person who is trying to hack your site.
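The two checks above (secret keys and database prefix) can be run against a copy of wp-config.php. This is an added example, not code from MyHost or WordPress: the function name, the 32-character minimum and the sample file are assumptions made here, while the placeholder text is the one shipped in wp-config-sample.php.

```python
import re

# The eight secret keys and salts that wp-config.php defines.
SECRET_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_LENGTH = 32                              # assumed floor, chosen for this example

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)""")
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]""", re.M)

def audit_wp_config(text):
    """Return a list of findings for the given wp-config.php text (hypothetical helper)."""
    defined = dict(DEFINE_RE.findall(text))
    findings = []
    for name in SECRET_NAMES:
        value = defined.get(name)
        if value is None:
            findings.append(f"{name}: not defined")
        elif value == PLACEHOLDER:
            findings.append(f"{name}: still the sample placeholder")
        elif len(value) < MIN_LENGTH:
            findings.append(f"{name}: shorter than {MIN_LENGTH} characters")
    # Each key and salt should be unique; a copied value weakens all of them.
    values = [defined[n] for n in SECRET_NAMES if defined.get(n) not in (None, PLACEHOLDER)]
    if len(values) != len(set(values)):
        findings.append("secret keys: the same value is reused for more than one key")
    prefix = PREFIX_RE.search(text)
    if prefix and prefix.group(1) == "wp_":
        findings.append("$table_prefix: default value wp_")
    return findings

# Constructed sample: placeholder, short key, reused value, missing NONCE_SALT, default prefix.
SAMPLE = """<?php
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'constructed-sample-value-0001-abcdefghijklmnop' );
define( 'LOGGED_IN_KEY',    'constructed-sample-value-0002-abcdefghijklmnop' );
define( 'NONCE_KEY',        'tooshort' );
define( 'AUTH_SALT',        'constructed-sample-value-0003-abcdefghijklmnop' );
define( 'SECURE_AUTH_SALT', 'constructed-sample-value-0003-abcdefghijklmnop' );
define( 'LOGGED_IN_SALT',   'constructed-sample-value-0004-abcdefghijklmnop' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print("\n".join(audit_wp_config(SAMPLE)))
```

Run it on a downloaded copy of the file rather than on the live server, and delete the copy afterwards, since it contains the database credentials.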

Protect the wp-config file

The wp-config.php file contains all the confidential details of your site. An easy way to protect this file is to simply place the following code in your .htaccess file on your server.

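# Deny all web access to wp-config.php (Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for these directives)
<Files wp-config.php>
order allow,deny
deny from all
</Files>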

Limit The Number of Failed Login Attempts

Useful in case someone is trying to guess your password manually or using a bot (automated script). Also known as brute-force attacks, these are automated attacks that keep hammering a site’s login page with words from a pre-defined list (dictionary) in order to ‘guess’ the password. This is the most common attack on WordPress sites that we see. It can result in a high load on the server on which the site is hosted, which results in us banning access to the wp-login.php file.

There are many plugins available to prevent brute force attacks e.g. http://wordpress.org/plugins/limit-login-attempts/

A more comprehensive security plugin would be http://wordpress.org/plugins/wordfence/

Disable xmlrpc.php

There’s a vulnerability in WordPress’s XMLRPC implementation that permits trackback spam, even when you disable trackbacks. The only way to prevent this spam is to disable XMLRPC entirely. Some people have suggested renaming or deleting the xmlrpc.php file, which may be an option if using trackbacks is not essential to your site.

Trackbacks can be disabled using the following plugin: http://wordpress.org/plugins/prevent-xmlrpc/
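To see whether a site is already receiving the login hammering and xmlrpc.php traffic described in the two sections above, the access log can be checked for bursts of POST requests. This is an added example, not code from MyHost or any plugin: it assumes the Apache combined log format, the threshold and window are arbitrary choices, and the log lines are constructed with documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed input: Apache combined log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
WATCHED = ("/wp-login.php", "/xmlrpc.php")

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(ip, path): peak POST count} for every client that sends at least
    `threshold` POSTs to a watched file inside one `window` (both values assumed)."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, stamp, method, url, _status = m.groups()
        path = url.split("?", 1)[0]
        if method != "POST" or not path.endswith(WATCHED):
            continue              # viewing the login form (GET) is not a guess
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        seen = recent[(ip, path)]
        seen.append(when)
        while when - seen[0] > window:
            seen.popleft()        # drop requests that fell out of the window
        if len(seen) >= threshold:
            peaks[(ip, path)] = max(peaks.get((ip, path), 0), len(seen))
    return peaks

def sample_line(ip, sec, method, path, status):
    """Build one constructed log line (not real traffic)."""
    return f'{ip} - - [12/Dec/2013:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512'

# Constructed sample; each client's lines are in time order.
SAMPLE_LOG = (
    [sample_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(0, 60, 10)]
    + [sample_line("203.0.113.9", s, "POST", "/xmlrpc.php", 200) for s in range(20, 30, 2)]
    + [sample_line("198.51.100.4", 40, "GET", "/wp-login.php", 200),
       sample_line("198.51.100.4", 45, "POST", "/wp-login.php", 302)]  # one normal login
)

if __name__ == "__main__":
    for (ip, path), count in sorted(find_bruteforce(SAMPLE_LOG).items()):
        print(f"{ip} sent {count} POSTs to {path} within 60 s")
```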

 

Malware Protection:

 

Keep up to date on security issues: http://code.tutsplus.com/categories/security and http://blog.sucuri.net/

We are happy to be partnered with a company we believe to be one of those at the forefront of website protection services, sucuri.net.

Currently we offer two main security services from them, Malware monitoring and removal and CloudProxy:

 

Malware monitoring and removal:

Your site is scanned every 3 hours. If malware is detected, you are notified and the malware is removed, and if your site is blacklisted because of this, they will assist in removing your site from the blacklists. http://www.myhost.ie/hosting/malware-removal/

 

CloudProxy:

In short, it protects your web site from attacks, malware and the dangers of getting blacklisted. It also supports any type of platform, from WordPress, Joomla, vBulletin to Magento, ASP.net and even custom designs. It uses a proprietary approach to application profiling, malicious URL filtering, and anomaly detection on all traffic. All logs are maintained within the Sucuri infrastructure and monitored by our security operations team.

This service provides:

  • Website Firewall (WAF)

  • Detect, Filter and Block Attacks

  • DDOS and Brute force protection

  • Intrusion Prevention System (IPS)

  • Prevent malware and blacklisting

If your website is your business, then this is what you need to protect your interests. It can also alleviate the need to perform updates regularly, as it can virtually update your content management system for you. There is more information here: http://www.myhost.ie/hosting/malware-removal/#firewall

 

Quick Check List:

 

What happens if you don’t?

 

Your site WILL be compromised, it WILL get blacklisted, it WILL lose its SEO standing, and if it causes an issue on the server then it WILL be suspended.

 

How can we be so sure?

Because hacking websites is a business, and an ever-growing one. Redirecting your site’s visitors, gathering your visitors’ information, using your site to attack another and sending illegal spam are just some examples of what compromised sites are used for.

This article is about WordPress in particular but the ethos can be applied to other CMS systems like Joomla, Drupal etc. We hope to do another post about Joomla in the near future with information targeted at hardening a Joomla install.

 

Hopefully this will help protect your site and give you some helpful pointers on working with WordPress. As I say, this is by no means a comprehensive article on securing your site, but it’s a start.

 

We also find that many people are building websites based on WordPress that really don’t need a CMS behind them. The popularity of WordPress urges beginners to use it to develop their site, when many would prefer a static site that they can update once a year (if even), so do consider your requirements. An alternative would be a non CMS solution like http://www.myhost.ie/website-builder/ if all that is required is a static site that needs little to no maintenance.

Christmas Opening Hours 2013

While we are taking a few days off to relax over Christmas, everything will be monitored 24×7 as normal and our helpdesk will remain open during the holidays.

Here are our opening times over Christmas 2013:

Monday 23rd December 2013 – normal opening hours

Tuesday 24th December 2013 – closed

Wednesday 25th December 2013 – closed

Thursday 26th December 2013 – closed

Friday 27th December 2013 – closed

Saturday 28th December 2013 – closed

Sunday 29th December 2013 – closed

Monday 30th December 2013 – 9:00 – 14:00

Tuesday 31st December 2013 – 9:00 – 14:00

Wednesday 1st January 2013 – closed

Thursday 2nd January 2013 – normal opening hours

We would like to use this opportunity to wish all our customers a Merry Christmas!

Mobile – Your Business’ First Mobile Web Presence

Your customers are mobile
With more than one mobile phone subscription for every man, woman and child in Ireland, the mobile internet is now. According to the Irish Independent, almost two-thirds of Irish adults shop online at some point and plan to increase their online expenditure.

Central Statistics Office figures show that the average household spends around 10pc of its annual budget online. According to Indecon, an economic consultant group, 54pc of us already research products online.

Your customers are searching on mobile
Mobile usage is set to further penetrate every aspect of our lives, from searching for nearby products and services in the moment to researching future products and services. Various Google studies tell us that mobile is increasingly used in combination with other screens: 81% use our mobile phones while watching telly.

77% of mobile searches are done while at home and we search for everything from arts and entertainment info (15%) to shopping (7%), food (7%), tech, healthcare, restaurants and more.

All the data your mobile customers can eat – 10 times faster
Following in the footsteps of Eircom, who became the first Irish operator to launch a 4G mobile network, this month Vodafone is launching its 4G mobile phone service in Dublin, Cork, Galway, Waterford, Limerick and Kilkenny as well as other large towns in the South West and East. 4G gives faster mobile broadband speeds to smartphones, tablets and dongles and is up to 10 times faster than existing 3G mobile services.

The combination of O2 Ireland and Three Ireland, with a total subscriber base of 2 million, has 4G services coming online in Dublin, Cork and Galway over the coming weeks. Some subscribers will already have a 4G enabled handset requiring only a new SIM card. Eircom is offering 4G data free until March 2014.

Now is the time to get a mobile web presence.
With the goMobi mobile website publishing platform you can:

  • put your business online with a professional mobile web presence quickly and easily.
  • create a beautiful mobile site that works on any mobile device, anywhere.
  • market and transact payments from mobile devices.

All with no coding required.

Check out our goMobi package.

goMobi powers hundreds of thousands of mobile websites in over 65 countries worldwide.

Resources:

Research indicates that almost two-thirds of Irish adults shop online at some point, with the same number saying that they plan to increase online expenditure.

Half of all Facebook traffic is mobile

According to an article published by Mobile Marketer, half of all Facebook traffic is from users on mobile devices.

This strengthens the argument for a mobile first web development strategy. If over half of Facebook users are accessing the web via a mobile device, businesses cannot afford not to have a mobile optimised website.

Check out our affordable Mobile Website packages or contact us for more information.

Special Offer: 50% Off Pro Hosting

For the month of June we are offering a huge 50% off our Pro Hosting package, reducing the price to €44.98, normally €89.95.

This popular package comes with:

  • 15GB Storage for your files
  • 100GB Data Bandwidth
  • Host up to 20 domain names
  • Webmail / Spam and Virus Filtering

How much am I saving?

The Pro Package is normally €89.95; you get it for €44.98 – that is a saving of €44.97!

How do I get it?

Check out the full package details here and simply use the promotion code PRODEAL when ordering to receive your 50% discount or simply click this link to order now.

Terms:

  • Discount is for 12 months only and not the lifetime of the package. After 12 months normal fees apply.
  • Discount is only valid for annual payments.
  • Discount applies to new and existing customers.
  • Discount applies to new orders only not existing orders.