One of the most common issues we see as a web hosting company is sites getting hacked and then used to send spam, to launch DDoS attacks or to host phishing pages. In this article I outline how to make your sites more secure, what the best practices are and how to apply them without compromising speed. As with every hosting company, WordPress is the most used platform for building sites on FlexiCloud Hosting as well, which makes this topic all the more important.

There are many things that a normal web user, who is not a tech-savvy person, can do to increase the security of a site considerably. Google reports between 30,000 and 100,000 websites every week for malware or phishing, and these reports directly affect the sites' reliability and visitor confidence, and thereby their business. Read Google's Safe Browsing transparency report for the details.

Regular Updates to WordPress

This is the single most important rule for security, even if you do nothing else. No matter what, keep your core WordPress up to date. WordPress is community software, and for that reason there are major and minor updates regularly, which need to be applied to keep the sites running smoothly.

Why are the updates important? Because the code is open. It is not difficult for an attacker to find websites running a vulnerable version of WordPress, or of a particular plugin or theme, and target those websites. So whenever there is an update, apply it. Take a backup of your code and database first if you are worried that updating the core or plugins may break something.

Strong Passwords

The most basic way to break into your website, or any online property, is to try possible passwords. Do not keep your passwords weak and open an easy way for an attacker to take control of your site.

There are a lot of online and offline tools available these days to generate a very strong password. I normally recommend Password Generator, LastPass or PassPack for generating and saving passwords online, or KeePassX for offline use.

Not only is your administrator password important; your cPanel password, your client area password, your FTP password and your email passwords are equally important when it comes to security.

Remove Unwanted themes and plugins

Regular housekeeping is important for your sites. Make sure that your sites have only those themes and plugins installed that you actually use. If you do not use a plugin, deactivate and delete it.

Not only will this improve security, it will also help speed up your site.

Regular Backups

We need to make sure that our reactive measures are working before we implement a proactive system. The first and most efficient reactive protection is to keep your backups safe. There are a lot of plugins that take your backups and send them to a safe location.

FlexiCloud Hosting takes your backups daily and keeps them for 14 days before purging the older ones.

There are tools like CodeGuard that will alert you when a modification to your files is noticed.
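As an added example (not from the original article or from FlexiCloud), here is a minimal shell backup routine with the same 14-day retention described above. It assumes a hypothetical layout: the site root holds wp-config.php in the usual define('KEY', 'value') form, and the backup directory sits outside the web root so the archives themselves cannot be downloaded by visitors. The database dump needs mysqldump on the host; the file backup only needs tar.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal backup routine for a
# WordPress site with the same 14-day retention described above. Assumed layout
# (hypothetical): the site lives under a root holding wp-config.php, and backups
# are written to a directory that is NOT inside the web root, so the archives
# themselves cannot be downloaded by visitors.

# Create a dated tarball of the site files; prints the archive path.
backup_files() {
    site_root="$1"; backup_dir="$2"; stamp="$3"
    mkdir -p "$backup_dir"
    archive="$backup_dir/files-$stamp.tar.gz"
    # -C makes the archive hold paths relative to the site root, not absolute ones
    tar -czf "$archive" -C "$site_root" . || return 1
    printf '%s\n' "$archive"
}

# Read the value of define( 'KEY', 'value' ) from wp-config.php; prints the value.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database with the credentials from wp-config.php (needs mysqldump);
# prints the dump path. The password is passed via MYSQL_PWD rather than on the
# command line, so it does not show up in the process list.
backup_database() {
    site_root="$1"; backup_dir="$2"; stamp="$3"
    cfg="$site_root/wp-config.php"
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    # DB_HOST may be written as host:port
    case "$db_host" in
        *:*) host="${db_host%%:*}"; port="${db_host##*:}" ;;
        *)   host="${db_host:-localhost}"; port=3306 ;;
    esac
    mkdir -p "$backup_dir"
    dump="$backup_dir/db-$stamp.sql.gz"
    tmp="$dump.tmp"
    # Dump to a temporary file first so a failed mysqldump does not leave a
    # truncated archive behind that looks like a good backup.
    MYSQL_PWD="$db_pass" mysqldump -h "$host" -P "$port" -u "$db_user" "$db_name" > "$tmp" || { rm -f "$tmp"; return 1; }
    gzip -c "$tmp" > "$dump" && rm -f "$tmp"
    printf '%s\n' "$dump"
}

# Delete backups older than the given number of days (the article's retention is 14).
purge_old_backups() {
    find "$1" -maxdepth 1 -type f \( -name 'files-*.tar.gz' -o -name 'db-*.sql.gz' \) -mtime +"$2" -delete
}

# Usage: WP_ROOT=/path/to/site BACKUP_DIR=/path/outside/webroot sh backup.sh
if [ -n "${WP_ROOT:-}" ] && [ -n "${BACKUP_DIR:-}" ]; then
    stamp=$(date +%Y%m%d-%H%M%S)
    backup_files "$WP_ROOT" "$BACKUP_DIR" "$stamp"
    backup_database "$WP_ROOT" "$BACKUP_DIR" "$stamp"
    purge_old_backups "$BACKUP_DIR" 14
fi
```

Run it from cron once a day and copy the backup directory off the server afterwards; a backup that lives only on the hacked machine is of little use when the site is compromised.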

Disable File editing

You can disable the default code editor inside WordPress by adding the following code into the wp-config.php.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Disable the default login page

We recommend the WPS Hide Login plugin, which creates a custom login URL for you and disables access to the default wp-login.php page.

Disable file execution in uploads folder

Add the following lines to the .htaccess file in your uploads folder (normally wp-content/uploads) so that PHP files cannot be executed from that folder.

# Stop the web server from executing PHP files placed in uploads
# (Apache 2.2 syntax; on Apache 2.4 the equivalent directive is "Require all denied")
<Files *.php>
deny from all
</Files>

Do not use the default admin username

By default the admin username is "admin", and most people do not know that it can be any name. Using admin as the administrator username is a potential risk, and we recommend not to use it.

Use Latest PHP version

The version of PHP plays an important role not only in the speed of the site but also in its security. Now that PHP 7.3 is almost released, you should stop using PHP 5.x. At FlexiCloud Hosting the default PHP on all our servers is 7.2, with an option to change the version to the one you need from cPanel.

Disable XML-RPC

The XML-RPC feature was enabled in WordPress to help mobile apps communicate with your site. Some plugins, like Jetpack, also use the feature.

I am hoping that WordPress will soon move towards API-based communication rather than XML-RPC. Until then, there is a chance of an attack through it.

I would normally suggest disabling access to xmlrpc.php via an .htaccess rule.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
# 11.22.33.44 is a placeholder: replace it with the address of a client that genuinely
# needs XML-RPC, or remove the line to block the file for everyone
allow from 11.22.33.44
</Files>
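To check that the three file-level steps above (disabling the file editor, blocking PHP in uploads, blocking xmlrpc.php) are actually in place, here is an added read-only self-check script. It is not part of the original article or of WordPress; it assumes the standard layout (wp-config.php in the site root, uploads under wp-content/uploads) and only reads the files, so it can be run against any install without changing anything. It also builds a constructed sample site so the checks can be tried offline.

```shell
#!/bin/sh
# Added example (not part of the original article): a read-only self-check for
# three of the hardening steps above on a WordPress install:
#   1. DISALLOW_FILE_EDIT is defined as true in wp-config.php
#   2. the uploads folder's .htaccess denies access to *.php
#   3. the root .htaccess blocks xmlrpc.php
# It only reads files and reports; it changes nothing. The layout it assumes is
# the standard one (wp-config.php in the root, uploads under wp-content/uploads).

# Return 0 if wp-config.php defines DISALLOW_FILE_EDIT as true.
check_file_edit_disabled() {
    [ -f "$1/wp-config.php" ] || return 1
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1/wp-config.php"
}

# Return 0 if the .htaccess at $1 has a <Files $2> block that denies access,
# accepting both the Apache 2.2 form (deny from all) and the 2.4 form
# (Require all denied). $2 is matched literally, e.g. "*.php" or "xmlrpc.php".
htaccess_denies() {
    htaccess="$1"; files_pattern="$2"
    [ -f "$htaccess" ] || return 1
    # Print only the lines inside the matching <Files> block (whitespace and
    # case normalised), then look for a deny directive among them.
    awk -v pat="$files_pattern" '
        { line = tolower($0); gsub(/[ \t]+/, " ", line); sub(/^ /, "", line); sub(/ $/, "", line) }
        line == ("<files " pat ">") { inblock = 1; next }
        line == "</files>"          { inblock = 0 }
        inblock                     { print line }
    ' "$htaccess" | grep -Eq '^(deny from all|require all denied)$'
}

check_uploads_protected() { htaccess_denies "$1/wp-content/uploads/.htaccess" "*.php"; }
check_xmlrpc_blocked()    { htaccess_denies "$1/.htaccess" "xmlrpc.php"; }

# Run all checks against a site root, print one PASS/FAIL line each, and
# return the number of failed checks (0 means everything is in place).
audit_site() {
    root="$1"; failures=0
    for check in check_file_edit_disabled check_uploads_protected check_xmlrpc_blocked; do
        if "$check" "$root"; then
            echo "PASS: $check"
        else
            echo "FAIL: $check"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Build a constructed sample site (hardened as the article describes) under $1,
# so the checks can be tried without touching a real install.
make_sample_site() {
    mkdir -p "$1/wp-content/uploads"
    cat > "$1/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DISALLOW_FILE_EDIT', true );
EOF
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
<Files *.php>
deny from all
</Files>
EOF
    cat > "$1/.htaccess" <<'EOF'
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
EOF
}

# Usage: WP_ROOT=/path/to/site sh wp-audit.sh
# With no WP_ROOT set, the constructed sample site is audited instead.
if [ -n "${WP_ROOT:-}" ]; then
    audit_site "$WP_ROOT"
else
    sample=$(mktemp -d)
    make_sample_site "$sample"
    audit_site "$sample"
    rm -rf "$sample"
fi
```

The non-zero return value of audit_site is the number of failed checks, so the script can be dropped into a cron job or a deployment pipeline and fail the run when a hardening step has been lost, for example after a theme or plugin rewrote an .htaccess file.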

Conclusion

Security never ends; it is an ongoing process. We will keep you posted with the updates that we have in this area.