
An Ultimate WordPress Security Checklist 2020



Orka Socials - 3 months ago

Back in 2019, I had a WordPress website that was seriously attacked. Luckily, I was able to recover my login credentials, but I lost my entire site data. That was pretty awful. Securing the site had been the least of my concerns, and as a result I got a nice slap from hackers. From that day onwards, when it comes to site management, WordPress security comes first.

Everyone should be concerned about security, whether at home, in the office, or in any working environment. WordPress security is similar to home security: when you leave your home, you lock all your doors and windows, and locking reduces the chance of being robbed. In the same way, WordPress security reduces your exposure to hackers. What if your site security is similar to ?

According to statistics from 40,000+ WordPress websites in the Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks. Still, the security of WordPress sites is not taken seriously in 2020. A WordPress site can be hacked at any time, so you must take preventive action by implementing our updated WordPress security checklist to secure your site. Hackers go after vulnerable websites that are easy to hack. Dear people, don't let your website be food for hungry hackers. If your WordPress site is secured correctly, no hacker will enjoy spending days and days looking for the security loophole that would give them access.

What's Inside?
- Do I really need to care about securing my website?
- How can I secure my WordPress website?
- #Basic Security Configuration Checklists
  - Backup & Scheduling
  - Keep Your WordPress Up to Date
  - Keep Plugin Up to Date
  - Keep Theme Up to Date
  - Make Your Password Super Strong
  - Delete plugins, themes that are not in use
- #Advance Security Configuration Checklists
  - Change Login Path
  - Limit login attempts
  - Change file permissions (Server Side)
  - Disable file editing via the dashboard
  - Create Custom Secret Keys for wp-config.php file
  - Change the Database Prefix
  - Hide Your WordPress Version
  - Protect Critical Files wp-config.php, .htaccess, etc
  - Install and Configure WordPress Security Plugin / Adding 2FA authentication
  - Automatic Email notification for Security and Updates
- Final Thought

Do I really need to care about securing my website?

The WordPress core system is very secure. It is audited regularly, and updates with minor bug fixes and security patches are released from time to time by hundreds of developers. The bitter truth is that there is no 100% security guarantee in the internet world. A minor loophole on your website can welcome hackers at any time. Security is not just about risk elimination; it is about taking actions that will help keep your website secure in the future. It is all about risk reduction. On the other hand, security flaws on your website can directly affect your SEO rankings. If you are optimizing the technical aspects of a website's SEO, you should be even more aware of hardening it.

During my college life, there was a presentation on cyber security. In the introduction, the presenter said something memorable that still sticks in my mind: "There are two systems: one is hacked, and one will be hacked." It made sense to me after a while.

Let me show you some staggering hacking statistics summed up by WebARX:
- A study stated that there is an attack every 39 seconds on average on the web, and the insecure usernames and passwords in use give attackers a greater chance of success. (Source: Security Magazine)
- Hackers steal 75 records every second. (Source: Breach Level Index)
- 73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete. (Source: Thycotic.com)
- Hackers create 300,000 new pieces of malware daily. (Source: McAfee)
- On average, 30,000 new websites are hacked every day. (Source: Forbes)

Do I still need to say anything after the statistics above? Do I still need to explain why securing a website is crucial? Well, it's time to dive into the security procedures, from basic to advanced, that will help to strengthen your website.

How can I secure my WordPress website?

With all of the scary statistics above in mind, I want to make sure that you are familiar with all the essential tactics for securing a website after reading the entire post. Go through every checklist item and implement them one by one.

Here's my checklist of ALL the things you should do. It is broken into two parts. The first part includes basic measures like maintaining a strong password, updating your WordPress website, and so on. The second part includes advanced measures for those who really care about their sites more than a wife. No more kidding. The second checklist is basically for admins: the kind of person who wants to lock the bicycle and even put a chain around it with something attached. Here we go:

#Basic Security Configuration Checklists
- Backup & Scheduling
- WordPress Update
- Plugins Update
- Themes Update
- Update Password
- Delete any plugins or themes that are not in use

#Advance Security Configuration Checklists
- Change Login Path
- Hiding username from the author archive URL
- Limit login attempts
- Change file permissions (Server Side)
- Disable file editing via the dashboard
- Create Custom Secret Keys for wp-config.php file
- Change the Database Prefix
- Hide Your WordPress Version
- Protect Critical Files wp-config.php, .htaccess, etc
- Install and Configure WordPress Security Plugin
- Installing WordPress Security / Configuring 2FA Authentication
- Automatic Email notification for Security and Updates

#Basic Security Configuration Checklists

Backup & Scheduling

A backup is simply a copy of your entire site kept for later use. It must be everyone's top priority before making any change to a website. There are two types of WordPress backup: manual backup and scheduled (automated) backup. Whichever you adopt, creating a backup from time to time is a must.

I already mentioned that one of my sites was hit so hard by intruders that I was not able to recover its data. I recovered the login credentials, but the entire site content was long gone. It could easily have been restored to the previous version if I had backed up my site. Dear readers, I don't want you to make the same blunder I did years ago. So be mindful and schedule your backups regularly. Before making changes to your site, back up first, then proceed with your update. Thankfully there are tons of ways to back up a WordPress site. You can either do a manual backup or use a plugin. Here are my favourite plugins for quick and easy backups:
- UpdraftPlus
- All-in-One WP Migration
- VaultPress
- BackupBuddy
- Duplicator

Keep Your WordPress Up to Date

You might have heard of people who disable WordPress core updates, assuming an update will break the entire site and its plugins. This is seriously flawed. Are you settling for a hacked site rather than updating your WordPress core? I have been using WordPress for a decade, and this doesn't make sense. Updating the WordPress core is mandatory for maintaining site health. Interestingly, you don't need to be a tech ninja to update it. It's just a few clicks away.

WordPress is open-source software that is regularly maintained and updated. An update is an improved version that can be incorporated into an existing installation. By default, WordPress automatically installs minor updates. For major releases, you need to initiate the update manually. WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by expert developers, who regularly release updates as well, fixing minor bugs and patching security issues from time to time.

Thus, WordPress updates are crucial for the security and stability of your site. Make sure that your WordPress core is up to date.

Keep Plugin Up to Date
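As an added example that is not from the original post, here is the backup-before-update routine from the Backup and Keep Your WordPress Up to Date sections above as one WP-CLI shell script; it also runs the plugin and theme updates covered next. It archives the site directory, exports the database with wp db export, keeps only the seven newest copies of each, and only then updates the core, plugins and themes. The paths, the retention count and the cron schedule are assumptions; the script requires WP-CLI (the wp command) on the server.

```shell
#!/bin/sh
# Added example (not from the original post): back up the site files and the
# database, prune old copies, then apply core, plugin and theme updates.
# Assumes WP-CLI (`wp`) on the server; the paths, the retention count of 7
# and the cron schedule below are hypothetical.

set -eu

# Archive the whole WordPress directory into a timestamped tarball and print
# the archive path.
backup_files() {
    site_dir=$1
    backup_dir=$2
    mkdir -p "$backup_dir"
    archive="$backup_dir/files-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
    printf '%s\n' "$archive"
}

# Export the database; WP-CLI reads the credentials from wp-config.php.
backup_db() {
    site_dir=$1
    backup_dir=$2
    mkdir -p "$backup_dir"
    dump="$backup_dir/db-$(date +%Y%m%d-%H%M%S).sql"
    wp --path="$site_dir" db export "$dump" --quiet
    printf '%s\n' "$dump"
}

# Keep only the $keep newest files matching $pattern (by modification time).
prune_backups() {
    backup_dir=$1
    keep=$2
    pattern=$3
    ls -1t "$backup_dir"/$pattern 2>/dev/null | tail -n +"$((keep + 1))" |
        while read -r old; do rm -f "$old"; done
}

# Update everything, then run any pending database migration for the core.
update_all() {
    site_dir=$1
    wp --path="$site_dir" core update
    wp --path="$site_dir" core update-db
    wp --path="$site_dir" plugin update --all
    wp --path="$site_dir" theme update --all
}

main() {
    site_dir=$1
    backup_dir=$2
    backup_files "$site_dir" "$backup_dir"
    backup_db "$site_dir" "$backup_dir"
    prune_backups "$backup_dir" 7 'files-*.tar.gz'
    prune_backups "$backup_dir" 7 'db-*.sql'
    update_all "$site_dir"
}

# Example crontab entry (nightly at 03:00):
#   0 3 * * * /usr/local/bin/wp-backup-update.sh /var/www/html /var/backups/wp
if [ "$#" -eq 2 ]; then
    main "$1" "$2"
fi
```

The order matters: the archive and the database dump are written before any update runs, so a broken update can be rolled back to the copy taken minutes earlier, which is exactly the situation the post's own story describes.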

One of the mistakes I notice among WordPress users is neglecting to update plugins. Updating a plugin is just a few clicks away; you don't need to be tech-savvy to do it. Updates are crucial for the security and stability of your entire site. An outdated plugin will make your site vulnerable to hackers and significantly impact your site's health and performance. Make sure that your WordPress plugins are up to date.

Keep Theme Up to Date

The same applies to themes as to the WordPress core and plugins. Securing WordPress means that all themes need to be kept updated to their latest versions. Otherwise, any security loophole that exists in your theme will remain an issue on your site. Now you may be thinking about all of the changes you've made to the theme and how they will break if you perform a theme update. In reality, changes to themes should be made via child themes rather than directly in the theme itself. This allows you to get the latest fixes and security updates without losing your changes.

Make Your Password Super Strong

The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords, not just for the WordPress admin area but also for FTP accounts, the database, your WordPress hosting account, and your custom email addresses. Many users don't like picking strong passwords because they are hard to remember. The good thing is that you don't need to remember every password anymore: you can use a password manager. Look at the top available password managers; you can use one to store multiple login credentials. Even better, you can use a password generator to make all passwords super hard to guess.

Another way to reduce the risk is not to give anyone access to your WordPress admin account unless you have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new user accounts and authors to your site.

Delete plugins, themes that are not in use

Does it make sense to keep plugins and themes that don't add any value to your website? Absolutely not. Keeping outdated plugins and themes that are not in use makes your site more vulnerable and does more harm than good. On top of that, they unnecessarily occupy your hosting storage. Make sure to delete unused plugins and themes completely. It will help to improve overall site health and performance.

#Advance Security Configuration Checklists

Change Login Path

Most sites' login path looks like yoursite.com/wp-admin/ or yoursite.com/wp-login/. Don't you think that makes it easier for hackers to gain access to your website? Keeping the default WordPress login path is not recommended for security purposes. For instance, suppose someone steals your login credentials for one of your sites. The next thing they will do is go to your login path and access your entire site. If you had changed your login path to something very unique, there is a high probability the hackers would not be able to gain access.

Pro Tips: By using a plugin called WPS Hide Login, you can simply protect your website by changing the login URL and preventing access to the wp-login.php page and the wp-admin directory for people who are not logged in.

Limit login attempts

By default, WordPress allows users to attempt to log in as many times as they want, even after entering the wrong password. This leaves your WordPress site vulnerable to brute force attacks. Hackers try to crack passwords by attempting to log in with different password combinations, which is called a dictionary attack.

This can easily be fixed by limiting the number of failed login attempts a user can make. If you are using a WordPress security plugin like Wordfence, then you only need a few steps to configure it correctly. Wordfence is the most popular WordPress security plugin. It includes an endpoint firewall and malware scanner, as well as a suite of additional features. For a basic security setup, the free plan is enough unless your site is large and well established. Wordfence offers a range of premium plans, as well as its renowned free service. However, if you don't have the firewall set up, then you can easily configure login limiting using an excellent plugin called Limit Login Attempts Reloaded. First, you need to install and activate Limit Login Attempts Reloaded.

Change file permissions (Server Side)

PHP and WordPress, in general, use a set of permissions associated with files and folders. Without going into depth, there are different types of permissions:
- Publicly writable files and directories
- Files writable by the web server only
- Read-only files

The correct set of file and folder permissions allows WordPress to create folders and files. The following settings are recommended for most users:
- 755 for all folders and sub-folders
- 644 for all files
- wp-config.php should be 660

Warning: This is a technical step. It should only be handled by an expert with sound knowledge of WordPress security. Incorrect file and folder permissions can cause errors on your WordPress site.

Disable file editing via the dashboard

WordPress comes with a built-in editor where you can edit WordPress themes and plugins directly from the admin area. It looks convenient compared with editing through cPanel, but making changes via the admin dashboard is not recommended, for security reasons. If an attacker gets access to an "Administrator" account on your WordPress site, and the file editor is available, then it is super easy for the intruder to change a plugin or theme to include malicious code. Disabling the theme and plugin editors in WordPress is quite easy. Simply edit your wp-config.php file and paste the following line just before the line that says "That's all, stop editing!":

define( 'DISALLOW_FILE_EDIT', true );

You can now save your changes and upload the file back to your website. That's all; the plugin and theme editors will now disappear from the Themes and Plugins menus in the WordPress admin area.

Create Custom Secret Keys for wp-config.php file

WordPress secret keys, also called SALT keys, are random strings that WordPress uses to secure your login information (they are mixed into the hashes stored in your login cookies). One way to enhance your WordPress security is to change your SALT keys regularly, either manually or using a plugin.

How to do it manually?

One way to stay ahead of this risk is to change your security keys manually in the wp-config.php file, which lives in the root folder of your WordPress site. The security and SALT keys are the block of define() lines for the keys and salts in that file.

Pro Tips: We recommend changing these keys regularly (every 3 to 6 months) to improve your website security. You can generate new salt keys with the WordPress.org secret-key generator.

How to do it using a plugin?

The first thing you need to do is install and activate the Salt Shaker plugin. Once the plugin is activated, go to Tools » Salt Shaker in your WordPress admin to set a schedule for changing the SALT keys.

Change the Database Prefix

The WordPress database is like a storehouse for your entire WordPress site, because every piece of information is stored in it. Spammers and hackers run automated code for SQL injection. Unfortunately, many people forget to change the database prefix when they install WordPress. By default, every WordPress table name starts with wp_, which makes the table names predictable for an attacker. The smartest way you can protect your database is by changing the database prefix, which is easy to do on a site that you are setting up.

Warning: Handle the database prefix change with care. It takes a few steps to change the WordPress database prefix properly for your site, and a misconfigured DB prefix can break your entire site.
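The server-side steps above (the 755/644/660 permissions, DISALLOW_FILE_EDIT, fresh secret keys, and the table prefix for a site that is still being set up) as one shell script. This is an added example, not the post's or WordPress's own tooling. The site path and the prefix are assumptions, the random keys come from /dev/urandom (the WordPress.org generator the post mentions produces equivalent values), and the prefix step is only for a fresh install, because it does not rename existing tables.

```shell
#!/bin/sh
# Added example (not from the original post): harden wp-config.php in place.
# 1) replaces the eight security/salt keys with fresh random values,
# 2) sets DISALLOW_FILE_EDIT, 3) optionally sets $table_prefix (only safe on a
# fresh install, before the tables exist), 4) applies 755/644/660 permissions.
# Paths and the prefix are hypothetical; random bytes come from /dev/urandom.

set -eu

KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 32 random bytes as 64 hex characters: safe inside a single-quoted PHP string.
random_key() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Insert a line just before the "That's all, stop editing!" marker so the
# constant is defined before wp-settings.php is loaded.
insert_before_marker() {
    config=$1
    line=$2
    awk -v line="$line" '/stop editing/ && !done { print line; done = 1 } { print }' \
        "$config" > "$config.tmp" && mv "$config.tmp" "$config"
}

# Set define( 'NAME', VALUE ); replacing an existing definition or adding one.
# VALUE must already be PHP-formatted (true, or a single-quoted string).
set_constant() {
    config=$1
    name=$2
    value=$3
    if grep -q "define( *'$name'" "$config"; then
        sed -i.bak "s|define( *'$name',[^;]*;|define( '$name', $value );|" "$config"
        rm -f "$config.bak"
    else
        insert_before_marker "$config" "define( '$name', $value );"
    fi
}

rotate_salts() {
    for key in $KEYS; do
        set_constant "$1" "$key" "'$(random_key)'"
    done
}

disable_file_edit() {
    set_constant "$1" DISALLOW_FILE_EDIT true
}

# Fresh installs only: an existing site also needs its tables and the
# option/usermeta rows renamed, which this script deliberately does not do.
set_table_prefix() {
    config=$1
    prefix=$2
    case $prefix in
        ""|*[!A-Za-z0-9_]*) echo "prefix must match [A-Za-z0-9_]+" >&2; return 1 ;;
    esac
    sed -i.bak "s|^[\$]table_prefix *=.*;|\$table_prefix = '$prefix';|" "$config"
    rm -f "$config.bak"
}

# 755 for directories, 644 for files, 660 for wp-config.php.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 660 "$1/wp-config.php"
}

# Read back a constant's value (as written in the file) for verification.
get_constant() {
    sed -n "s|^define( *'$2', *\([^ ]*\) *);|\1|p" "$1" | head -n 1
}

main() {
    site_dir=$1
    config="$site_dir/wp-config.php"
    rotate_salts "$config"
    disable_file_edit "$config"
    if [ "$#" -ge 2 ]; then
        set_table_prefix "$config" "$2"
    fi
    fix_permissions "$site_dir"
}

# Usage: harden-wp-config.sh /var/www/html [new_prefix_]
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Rotating the keys invalidates every existing login cookie, so all users (including you) are logged out the next time the script runs; that is the intended effect of the 3 to 6 month rotation the post recommends, and a good reason to run it at a quiet hour.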

If you don't want to touch your database or do anything manually, then you can do it using the Brozzme DB plugin. With this plugin, you can modify your database prefix with just one click.

Hide Your WordPress Version

Imagine yourself as a hacker who wants to break into your site. A hacker's life is made super easy if they know what version of WordPress you are using. For instance, suppose you are using an older WordPress version and intruders learn that a bug or loophole exists in that version. Just imagine what the consequences would be. You can remove your WordPress version number from both your head section and your RSS feeds by adding the following function to your theme's functions.php file:

// Return an empty string instead of the generator tag that carries the
// WordPress version in the page head and in RSS feeds.
function wordpress_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wordpress_remove_version' );

By adding this function, you remove the WordPress version number from all the different areas of your site. This is the right way to remove the WordPress version number.

Note: Updating to the latest version of WordPress is highly recommended, because that is the only guaranteed way to keep your site protected.

Protect Critical Files wp-config.php, .htaccess, etc

Protecting critical WordPress files like wp-config.php and .htaccess is another way to harden your WordPress security. wp-config.php contains very sensitive information about your WordPress installation, such as the WordPress security keys and the database connection details. The .htaccess file, on the other hand, contains the high-level configuration of your entire website. You certainly do not want the contents of these files to fall into the wrong hands, so wp-config.php and .htaccess are files you should take seriously.

Install and Configure WordPress Security Plugin / Adding 2FA authentication

Updating the WordPress core, themes, plugins, and the other basics is not sufficient to protect your site from intruders. Configuring the right security plugins is essential and will help to harden your entire site. There are tons of WordPress security plugins available, and I would like to recommend only those that are super-efficient and reliable. I have been using my top 3 plugins, namely:
- Wordfence Security
- Sucuri Security
- iThemes Security

Some of their combined features include:
- Activity auditing
- Malware scanning and file monitoring
- Security notifications
- A web application firewall (WAF) that blocks malicious traffic before it reaches your site
- Malware scanning to check files, plugins, and themes before they are uploaded
- Two-factor authentication (2FA) and login limits to prevent brute force attacks
- Real-time live traffic and analytics monitoring

Instead of configuring separate plugins for 2FA, limiting login attempts, and so on, it makes sense to set up a single security plugin that provides several security features in one package. These security plugins are widely used by top brands and enjoy a decent level of trust among users.

Automatic Email notification for Security and Updates

Keeping your WordPress up to date is essential for securing a website. By default, WordPress only shows update notifications for the core, themes, and plugins after you log in to the admin area. If you are a business owner or a developer, you might not always be able to log in to the admin dashboard. In that case there is an alternative: we can quickly get notified by email.
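As an added example rather than part of the original post, here is the email alternative without a plugin: a cron job that asks WP-CLI for pending core, plugin and theme updates and mails a report only when something is actually pending, so the inbox does not fill with empty notices. The site path, the recipient address and the cron schedule are assumptions; the script needs WP-CLI and a working mail command on the server.

```shell
#!/bin/sh
# Added example (not from the original post): cron job that reports pending
# WordPress updates by e-mail without anyone logging in to the dashboard.
# Assumes WP-CLI (`wp`) and a `mail` command on the server; the site path,
# recipient and schedule are hypothetical.

set -eu

# Convert the CSV printed by
#   wp plugin list --update=available --fields=name,version,update_version --format=csv
# (or the theme equivalent) into "<kind> <name>: <current> -> <new>" lines.
# The header row is skipped; nothing is printed when nothing is pending.
format_updates() {
    awk -F, -v kind="$1" 'NR > 1 && NF >= 3 { printf "%s %s: %s -> %s\n", kind, $1, $2, $3 }'
}

# `wp core check-update --field=version` prints a version only when an update
# exists (otherwise a "Success: ..." message), so keep only version-like lines.
format_core() {
    awk -v cur="$1" '/^[0-9][0-9.]*$/ { printf "core: %s -> %s\n", cur, $1 }'
}

# Gather everything that is pending for one site into a single report.
collect_report() {
    site_dir=$1
    current=$(wp --path="$site_dir" core version)
    wp --path="$site_dir" core check-update --field=version 2>/dev/null | format_core "$current"
    wp --path="$site_dir" plugin list --update=available --fields=name,version,update_version --format=csv | format_updates plugin
    wp --path="$site_dir" theme list --update=available --fields=name,version,update_version --format=csv | format_updates theme
}

# Decide whether a report warrants an e-mail: success when it has content.
needs_notification() {
    [ -n "$1" ]
}

notify() {
    to=$1
    subject=$2
    report=$3
    if needs_notification "$report"; then
        printf '%s\n' "$report" | mail -s "$subject" "$to"
    fi
}

main() {
    site_dir=$1
    to=$2
    report=$(collect_report "$site_dir")
    notify "$to" "WordPress updates pending on $(hostname)" "$report"
}

# Example crontab entry (daily at 07:00):
#   0 7 * * * /usr/local/bin/wp-update-check.sh /var/www/html admin@example.com
if [ "$#" -eq 2 ]; then
    main "$1" "$2"
fi
```

Because the check runs from the server rather than the browser, it also works for the team members who never log in, which is the collaboration case the post goes on to describe.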

Setting up update notifications by email helps you collaborate with your team when you are unreachable. For instance, if you are somewhere else and get an update notification by email, you can easily tell your team members to update quickly. Sounds great! You might be wondering how to set up an email notification for the latest updates. No worries: you can easily set it up using a plugin called WP Updates Notifier. You simply need to tick the right setting and save it. Boom! You are done.

Final Thought

Security is not about risk elimination; it is more about risk reduction. Who knows what tomorrow may bring? On average, 30,000 new websites are hacked every day. I don't want you to be on that list of hacked sites. Make sure to implement every checklist item step by step. Adopting the right security measures that we discussed in this checklist will help you to harden your website.

That's all; we hope this article helped you learn essential WordPress security best practices. If you liked this article, don't forget to drop your feedback in our comment section below. Happy Reading
