Table of Contents

Table of Contents

One of the most common issues that we are seeing as a web hosting company is that the sites are getting hacked and used to send spam or send out DDoS attacks or to host phishing sites.  In this article,we are trying to outline an idea on how to make your sites more secure, what are the best practices and how to secure your sites without compromising the speed. Like every hosting company, WordPress is the most used platform to build the sites in FlexiCloud Hosting as well. That amplifies the importance of this article.

A regular web user, even without technical knowledge, can do many things to significantly improve website security. Google reports between 30,000 to 100,000 websites every week for malware or phishing attacks. These reports impact the websites’ reliability and visitor trust, which in turn affects their business. To understand more, check out Google’s Transparency Report on safe browsing.

In this article, we’ll explore the security risks and vulnerabilities associated with WordPress. Then, we’ll provide all the steps you need to take to ensure your WordPress site is secure and safe.

Regular Updates to WordPress

One of the most important rules for WordPress security is to keep your core WordPress updated regularly. Even if you don’t do anything else, this is crucial. Since WordPress is a community software, there are frequent major and minor updates that need to be applied to keep your site running smoothly.

Why are updates important? Because the code is open, making it easy for hackers to find websites running on vulnerable versions of WordPress or specific plugins or themes. Once they identify these vulnerabilities, they can attack those websites. Therefore, always apply updates when they become available. To be safe, you can back up your code and database before updating the core or plugins to avoid potential issues.

To keep your WordPress site updated and secure, follow these steps:

Before going to update you have take a complete site backup

Update WordPress Core:

  • Automatic Updates: Enable automatic updates for major and minor releases.
  • Manual Updates:
    • Go to your WordPress dashboard.
    • Navigate to Dashboard > Updates.
    • If an update is available, click the Update Now button.

Strong Passwords

Brute force attacks are a common method hackers use to gain access to a site. They deploy bots that attempt thousands of username and password combinations per second until they find the correct one.

There are a lot of online and offline tools available these days to generate a very strong password. I normally recommend to use Password generator or LastPass or PassPack for online password generating and saving or you can use KeePassX for offline

Not only your administrator password is important, but your cPanel password, your client area password, your FTP password and your email passwords are equally important when it comes to the security.

Remove Unwanted themes and plugins

Regular housekeeping is important for your sites. You need to make sure that your sites have intalled those themes and plugins that your use. If you do not use a plugin, you can deactivate and delete it.

Not only it will improve the security, it will also helps your site to speed up.

Regular Backups

We need to make sure that our reactive measures are working before we implement a proactive system. The first and most efficient way to implement reactive protection is to keep your backups safe. There are a lot of Plugins that you can use which take your backups and send them to a safe location.

FlexiCloud Hosting takes your backups daily and saves it for 14 days before we purge the older ones.

There are tools like code guard which will alert you when a modification on your files are noticed.

Disable File editing

You can disable the default code editor inside WordPress by adding the following code into the wp-config.php.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Disable the default login page

We recommend the plugin WPS hide login so that it will create a custom login URL for you and disable access to your default wp-login.php page.

Disable file execution in uploads folder

Add the following line in your uploads folder’s ( normally wp-content/uploads)  .htaccess file, so that PHP files cannot execute under the folder, and increase the security.

<Files *.php>
deny from all
</Files>

Do not use the default admin username

By default, the admin username is ” admin ” and most people do not know that it can be any name. Using admin as the administrator username is a potential risk, and we recommend not to use it.

Use Latest PHP version

The version of PHP plays an important role not only in the speed of the site, but also the security. Now that the PHP 7.3 is almost released, you should stop using PHP5.x. We at FlexiCloud Hosting, have the default PHP in all our servers as 7.2, with an option to change the version to your required one from cPanel.

Disable XML-RPC

XML-RPC in WordPress allows mobile apps and some plugins like JetPack to communicate with your site. However, it can also be a potential security risk. Until WordPress shifts entirely to an API-based communication system, you can reduce the risk by disabling access to xmlrpc.php.

To block XML-RPC access, add the following code to your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 11.22.33.44 
</Files>

Conclusion

Security never ends, Its an ongoing process. We will keep you posted with the updates that we have on this area.

TRENDING OFFER

add-image

Trending Posts