WordPress security – The pyramid

WordPress Security is like a Pyramid


The Base is WordPress
At the top of the pyramid, it all begins with the programmer/designer who sets up your WordPress website.

Securing Just One Part is Useless!

Focusing on one aspect, such as having a good programmer/designer, secure passwords, or the latest updates, won’t be enough. As you can see from the pyramid, it’s just one part of the whole.

A Truly Secure WordPress Website

To achieve a genuinely secure WordPress website, you need to secure all aspects.

We will help you, step by step, to make each part of the pyramid secure so that your WordPress website is truly protected!

  • The Programmer/Designer
  • The Theme
  • The Plugins
  • The Hosting
  • The User
  • WordPress Itself

The Programmer/Designer

A good WordPress website developer will use no more than 8-10 plugins. Each additional plugin is an opportunity for hackers, as not all plugin developers are experts in security.

This is where knowledge comes into play; the programmer/designer needs to be aware of the risks associated with each additional plugin and should consider coding certain features instead of relying on plugins.

However, bear in mind that a programmer/designer may take longer to create functions without using plugins, so the budget may need to increase! You can’t expect a programmer to build a fully functional website for a small amount (150-300) and also ensure top-notch security. (Also, not every programmer who charges a lot of money is necessarily good!!)

The Theme

Whether it’s premium or free, it doesn’t matter.

Really?

Premium themes are more frequently targeted by hackers because they prefer to hack sites that involve money. Premium plugins are commonly used, and hackers know that.

In short, being premium is not a guarantee. Do some research to see if the theme is listed in this database.

The Plugins

As shown in the pyramid, plugins play a significant role in the website’s security, with more than 36.3% of the website’s security depending on them.
Plugins are “third-party made,” which means they are developed by individuals in their basement or by teams launching a plugin.

Do you know who made your plugin? And do they have expertise in security?

There are 44,273 plugins available for free download on WordPress.org.

This is a fantastic offering! Plugins such as:

These are excellent plugins that can transform WordPress into an online shop or marketing machine!

However, once they gain popularity, hackers download the plugins and search for vulnerabilities. Once found, they create a script that scans websites for the presence of the targeted plugin and then executes a script to fill your website with ads, advertising the hacker’s products. Often, these products are related to Viagra, as it apparently sells well??

The Hosting

Hosting is where your website resides. This is known as a “data center.”

Sounds cool, and it is. High-tech computers are running to serve your website.

Well, high-tech… they are actually expensive stripped-down computers!
Powerful processors and ample storage ensure that websites are served quickly when a visitor requests them.

What is the host’s responsibility?

The host must ensure that the server software is up to date. The websites are displayed via a computer running Linux or Windows, and these should not get infected/hacked. This rarely happens, which is why this accounts for only 9.09% in the pyramid.

What does a good host do?

A good host wants to keep their high-tech computers fast, meaning they want the servers busy serving visitors rather than running hacker scripts. Sometimes, a hosting company might ask you to keep all WordPress plugins up to date.

Or they might even take your WordPress website offline!

If your website is busy sending spam or launching attacks on other servers/computers of the host, they may take your website offline to stop this disruptive behavior.

The User


What You, as a User, Can Do

  • Keep your plugins, theme, and WordPress up to date
  • Choose passwords that are not easy to guess
  • Don’t leave unnecessary plugins or themes on the server
  • Avoid clicking on links while logged in as the website’s administrator

WordPress Itself

The developers behind WordPress, who continue to offer it for free, are very active. They release new WordPress updates on a monthly, and sometimes even more frequent, basis to address new hacker tricks.

WordPress itself is a good and stable system! It was launched in May 2003 and has been in development for over 10 years.

Did You Know?

There is a Dutch security plugin that takes care of 80% of these aspects for you!

iThemes Security PRO NL

This plugin helps you set up

the server/hosting, enforces the use of strong passwords, keeps hackers out, secures directories, stops brute force attacks, secures your admin area, and provides an overview and control over your website!


5 ways to stop brute force attacks

The iThemes Security PRO NL plugin offers five ways to prevent brute force attacks on your WordPress website:

1. 404 Detection: Bots and hackers often try to access non-existent pages or files on your website in search of vulnerable plugins or themes. iThemes Security PRO NL tracks the number of attempts an IP address (bot/PC) makes to retrieve unavailable pages or files. After a certain number of 404 errors, the security feature denies access to the website temporarily, and if the attempts continue, the IP address is blocked in the .htaccess file, preventing access to the entire website.

2. Brute Force Protection (Automated): This feature focuses on the login panel. Failed login attempts are recorded, and after a certain number of incorrect login attempts, access to the login page is temporarily denied. You can set a maximum number of attempts and the time required before new attempts are allowed. Afterward, the IP address attempting the logins is blocked, preventing continuous login attempts through brute force.

3. Disabling XML-RPC: XML-RPC can be exploited for various login attempts. This feature allows you to disable XML-RPC via the plugin if you do not use Jetpack or external apps to access WordPress.

4. Absent Mode: If you typically update your WordPress website only during certain hours of the day, you may not need the login page accessible 24/7. The Absent Mode feature lets you set a specific time when the login page is or isn’t reachable.

5. Blocking Brute Force Attacks per IP: The plugin provides a field where you can enter IP addresses to block. If you discover many brute force attacks coming from specific regions or countries where your website’s target audience is not located, you can add those IP addresses to the ban list, preventing them from launching brute force attacks on your website.
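The 404 detection and automated brute force protection described above both come down to the same idea: count suspicious requests per IP address, lock the address out temporarily once a threshold is reached, and write it into .htaccess for good after repeated lockouts. The following Python script is an added example that is not part of the original article and not the iThemes Security PRO NL plugin’s own code. It runs the logic over a few constructed Apache access-log lines (the IP addresses, paths and thresholds are made up for the demonstration) and renders the Apache 2.4 block that would deny the banned addresses.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Apache "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+'
)


@dataclass
class Policy:
    """Thresholds (constructed defaults, not the plugin's real settings)."""
    max_404: int = 20              # 404s from one IP before a temporary lockout
    max_failed_logins: int = 5     # failed wp-login.php POSTs before a lockout
    lockouts_before_ban: int = 3   # lockouts before the IP goes into .htaccess


@dataclass
class Tracker:
    policy: Policy
    not_found: dict = field(default_factory=lambda: defaultdict(int))
    failed_logins: dict = field(default_factory=lambda: defaultdict(int))
    lockouts: dict = field(default_factory=lambda: defaultdict(int))
    banned: set = field(default_factory=set)

    def observe(self, line):
        """Feed one log line; return an event string or None."""
        m = LOG_RE.match(line)
        if not m:
            return None
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if ip in self.banned:
            return "banned"
        if status == 404:
            self.not_found[ip] += 1
            if self.not_found[ip] >= self.policy.max_404:
                return self._lockout(ip, "404")
        # A failed WordPress login re-renders the form with HTTP 200;
        # a successful one answers with a 302 redirect to the dashboard.
        elif method == "POST" and path.startswith("/wp-login.php") and status == 200:
            self.failed_logins[ip] += 1
            if self.failed_logins[ip] >= self.policy.max_failed_logins:
                return self._lockout(ip, "login")
        return None

    def _lockout(self, ip, reason):
        """Temporary lockout; after enough of them the address is banned for good."""
        self.lockouts[ip] += 1
        self.not_found[ip] = 0
        self.failed_logins[ip] = 0
        if self.lockouts[ip] >= self.policy.lockouts_before_ban:
            self.banned.add(ip)
            return f"ban:{reason}"
        return f"lockout:{reason}"


def render_htaccess(banned):
    """Apache 2.4 access-control block that denies the banned addresses."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(banned)]
    lines.append("</RequireAll>")
    return "\n".join(lines)


def analyse(log_text, policy=None):
    """Run every line through the tracker; return it plus the (ip, event) list."""
    tracker = Tracker(policy or Policy())
    events = []
    for line in log_text.splitlines():
        event = tracker.observe(line)
        if event:
            events.append((line.split()[0], event))
    return tracker, events


def _line(ip, method, path, status):
    return f'{ip} - - [10/Oct/2023:13:55:36 +0200] "{method} {path} HTTP/1.1" {status} 512'


# Constructed sample traffic: a normal visitor, a bot probing for plugin
# files that do not exist on this site, and a bot hammering the login form.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.1", "GET", "/", 200)]
    + [_line("203.0.113.7", "GET", f"/wp-content/plugins/example-plugin-{i}/readme.txt", 404) for i in range(12)]
    + [_line("203.0.113.7", "GET", "/", 200)]
    + [_line("198.51.100.9", "POST", "/wp-login.php", 200) for _ in range(5)]
)

if __name__ == "__main__":
    tracker, events = analyse(SAMPLE_LOG, Policy(max_404=4, max_failed_logins=5, lockouts_before_ban=3))
    for ip, event in events:
        print(ip, event)
    print(render_htaccess(tracker.banned))
```

With the low thresholds used in the demo, the probing bot is locked out twice and then banned on its twelfth 404, its next request is refused outright, and the login bot is locked out after five failed attempts. In production the counters would also need a time window so that a lockout expires, which is what the plugin’s “time required before new attempts are allowed” setting controls.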

For more information about this plugin and how it prevents brute force attacks, you can follow the provided link.

SSL for WordPress

Securing your website with SSL can be beneficial in certain situations when it comes to protecting a WordPress website from hacking attempts.

Does SSL have any use in securing a WordPress website?

When it comes to automated attacks from hackers and scripts that target WordPress plugins, themes, and users directly: No

When it comes to hackers personally targeting your WordPress website: Yes

Why SSL may be necessary to secure your WordPress website

If there is a significant interest in hacking a website, a hacker may personally focus on your website. This doesn’t happen frequently, as in most cases, hackers use automated scripts to gain access to websites. However, in cases where automated methods fail, hackers may resort to other methods, making encrypting the connection between you and your WordPress website necessary.

SSL becomes essential when there is valuable information or money involved.

The moment you log in to your WordPress website

Logging in to your WordPress website involves a series of exchanges between your computer and the WordPress login panel. Here’s a simplified breakdown of the process:

  1. You send a command from your computer by typing the admin address. (Make sure to have good antivirus software)
  2. This goes to your router (Ensure it has good encryption and a strong password)
  3. Then to your internet service provider
  4. It travels through several intermediary steps
  5. To reach the server (a computer running on Linux or sometimes Windows)
  6. The server responds and sends the admin page back to your PC & browser. (Beware of browser malware/trojans)
  7. Then you enter your username & password, which travels back through all the previous steps without encryption.

Now you understand why doing this through SSL encryption is important!

  • This is why you should not click on pop-ups from web pages (they may contain malware)
  • This is why you need a good browser (avoid using outdated Internet Explorer)
  • This is why your WordPress website must be secured to prevent data from being sent to hackers

The internet is a serious place. Just as you wouldn’t leave your house key lying around or your windows open, you need to take security seriously on the internet, or you could end up waiting until someone has copied your key…

What is a Brute Force attack (WordPress basics)?

A Brute Force attack can be translated to “een aanval met brute kracht” in Dutch.

In this type of attack, the attacker uses sheer force rather than clever tactics.

A Brute Force attack on WordPress is often executed on the login page.

If you don’t have proper security measures in place, an attack can continue until the attacker successfully breaches your website.
As this attack involves computers, it can be very fast, with thousands of login attempts fired at your login page every minute.

Preventing a Brute Force attack

You can prevent such an attack by securing your WordPress site with a specialized plugin or by hiring our services.

Securing WordPress properly

To properly secure WordPress, you need to address multiple points.

  1. Choose a unique username and a long password
    Explanation: The username should be unique, not something common like your first name or website name. The password should be at least 8 characters long and can include a combination of uppercase letters, lowercase letters, and numbers. Learn more about the importance of a strong password here.
  2. Ensure your server permissions are set correctly
    Explanation: Only the uploads folder and its subfolders should be set to 777/writable, all other folders should be set to 755, and the wp-config.php and .htaccess files should be set to 444. You can check and adjust these permissions using a free FTP program.
  3. Regularly update plugins and WordPress
    Explanation: WordPress releases updates regularly, some of which may cause issues with plugins. It’s important to focus on updates that address security issues and enhance security. You can check the “release notes” to see if security issues are being resolved.
  4. Use one good security plugin
    Explanation: There are several security plugins available for WordPress. These security plugins are essential to block brute-force attacks, hide the admin area, and protect files and data.
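Point 2 above is easy to get wrong by hand, and easy to check by script. The Python audit below is an added example, not code from this article or from any plugin: it walks a WordPress directory tree and reports every entry that breaks the rule stated above (uploads tree writable, all other directories 0755, wp-config.php and .htaccess 0444) and, as an extra check, any world-writable file outside the uploads tree. It only reports and never changes a permission. The sample site it builds in a temporary directory is constructed for the demonstration, with three deliberate mistakes.

```python
import os
import stat
import tempfile
from pathlib import Path

# Policy from the text above: uploads tree writable, other directories 0755,
# wp-config.php and .htaccess 0444, nothing else world-writable.
PROTECTED_FILES = {"wp-config.php", ".htaccess"}


def audit_permissions(root):
    """Return (relative path, mode, problem) for every entry that breaks the policy."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        in_uploads = path == uploads or uploads in path.parents
        rel = path.relative_to(root).as_posix()
        octal = f"{mode:04o}"
        if path.is_dir():
            if in_uploads:
                if not mode & stat.S_IWUSR:
                    findings.append((rel, octal, "uploads directory must be writable"))
            elif mode != 0o755:
                findings.append((rel, octal, "directory should be 0755"))
        elif path.name in PROTECTED_FILES:
            if mode != 0o444:
                findings.append((rel, octal, "should be 0444 (read-only)"))
        elif not in_uploads and mode & stat.S_IWOTH:
            findings.append((rel, octal, "world-writable file outside uploads"))
    return findings


# Constructed mini WordPress layout; three entries are deliberately wrong.
SAMPLE_DIRS = {
    "wp-content": 0o755,
    "wp-content/uploads": 0o775,
    "wp-content/uploads/2023": 0o775,
    "wp-content/plugins": 0o777,                       # wrong: should be 0755
    "wp-content/plugins/example": 0o755,
}
SAMPLE_FILES = {
    "wp-config.php": 0o444,
    ".htaccess": 0o644,                                # wrong: should be 0444
    "index.php": 0o644,
    "wp-content/plugins/example/example.php": 0o666,   # wrong: world-writable
    "wp-content/uploads/2023/photo.jpg": 0o666,        # allowed: inside uploads
}


def build_sample_site(base):
    """Create the constructed tree under base and apply the sample modes."""
    base = Path(base)
    for rel in SAMPLE_DIRS:
        (base / rel).mkdir(parents=True, exist_ok=True)
    for rel, mode in SAMPLE_FILES.items():
        (base / rel).write_text("<?php // constructed placeholder\n")
        os.chmod(base / rel, mode)
    for rel, mode in SAMPLE_DIRS.items():
        os.chmod(base / rel, mode)


def run_demo():
    """Build the sample site in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return audit_permissions(tmp)


if __name__ == "__main__":
    for rel, mode, problem in run_demo():
        print(f"{mode}  {rel:45s} {problem}")
```

Run against a real installation with `audit_permissions("/var/www/html")` (path assumed) and you get the same three-column report; the demo run flags exactly the .htaccess file, the plugins directory and the world-writable plugin file, and leaves the writable uploads tree alone.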

WordPress hacking, child’s play?

WordPress gives away a lot of information about the active plugins, the theme, and even the version of WordPress your website is running on…

The WordPress version number is visible in the source code of many websites and in the readme.html file that is placed on the server with every WordPress update.

With this specific information about plugins, themes, and the WordPress release, hackers and scripts can hack any insecure WordPress website.

Both automated scripts and novice programmers can then target your WordPress with specific code to hack the website and display their own ads on your website!

This brings us to the first question,

Can you hide the source code and specific information?

The source code will always remain visible to everyone.
And with specific server requests, it is always possible to check which plugins are active.

Only a programmer can make plugins invisible to hackers, which means those plugins are excluded from updates.
Interested in going a step further? It takes time and costs some, but if you’re interested, we can make your plugin unrecognizable: feel free to contact us.

What information does your WordPress website reveal to hackers??

It’s important for everyone with a WordPress site to know how their website’s security stands and how much information is actually visible to hackers and hackbots.

We have found 2 websites where you can check for free if your WordPress site has already been hacked and if it gives away information that could lead to your website being hacked.

The free security check for your WordPress website

  1. One of the best websites for WordPress security and hacks is Sucuri’s Malware Check
    The Sucuri malware scan shows if your website is infected and if your website is currently blacklisted. This way, you can find out whether your WordPress site has been hacked.
  2. The second website we recommend is the Hackertarget Security Scan
    The Hackertarget security scan shows what information your website gives away. This includes usernames, active plugins, and the theme your WordPress site is using.
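What the Hackertarget scan reports, and what the earlier section on the version number in the source code warns about, can be checked on your own site without any external service: save the HTML of your front page and look at the generator tag and the asset URLs in it. The Python script below is an added example, not code from this article or from either scanning service. It works on a constructed HTML fragment (the site name, versions and plugin list are made up for the demonstration; the plugins are ones named elsewhere on this page) and turns it into the list of things a visitor can learn plus the corresponding clean-up steps.

```python
import re

# Constructed fragment imitating the <head> of a WordPress page; not a real site.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 4.7.2" />
<link rel='stylesheet' id='contact-form-7-css' href='https://example.test/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.6' type='text/css' media='all' />
<link rel='stylesheet' id='akismet-css' href='https://example.test/wp-content/plugins/akismet/_inc/akismet.css?ver=3.2' type='text/css' media='all' />
<link rel='stylesheet' id='twentyseventeen-style-css' href='https://example.test/wp-content/themes/twentyseventeen/style.css?ver=4.7.2' type='text/css' media='all' />
<script src='https://example.test/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
</head><body></body></html>"""

# <meta name="generator" content="WordPress 4.7.2" />
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]+)?["\']', re.I
)
# /wp-content/plugins/<slug>/...?ver=<version>  and the same for themes
ASSET_RE = re.compile(
    r'/wp-content/(plugins|themes)/([A-Za-z0-9_-]+)/[^"\'\s>]*?(?:\?ver=([\w.-]+))?(?=["\'\s>])', re.I
)


def fingerprint(html):
    """Collect the WordPress version, plugin slugs and theme slugs visible in the HTML."""
    report = {"wordpress_version": None, "plugins": {}, "themes": {}}
    m = GENERATOR_RE.search(html)
    if m:
        report["wordpress_version"] = m.group(1) or "unknown"
    for kind, slug, ver in ASSET_RE.findall(html):
        versions = report[kind].setdefault(slug, set())
        if ver:
            versions.add(ver)
    return report


def cleanup_steps(report):
    """Map what the page reveals to the measures this article recommends."""
    steps = []
    if report["wordpress_version"]:
        steps.append("remove the generator meta tag (remove_action('wp_head', 'wp_generator') "
                     "in the theme) and delete readme.html after every update")
    if report["plugins"]:
        steps.append("check each listed plugin for known vulnerabilities and update or remove it: "
                     + ", ".join(sorted(report["plugins"])))
    if report["themes"]:
        steps.append("keep the active theme updated and delete unused themes: "
                     + ", ".join(sorted(report["themes"])))
    return steps


if __name__ == "__main__":
    result = fingerprint(SAMPLE_HTML)
    print("WordPress version:", result["wordpress_version"])
    print("plugins:", {k: sorted(v) for k, v in result["plugins"].items()})
    print("themes:", {k: sorted(v) for k, v in result["themes"].items()})
    for step in cleanup_steps(result):
        print("-", step)
```

Asset URLs under wp-includes are ignored, because they belong to WordPress core rather than to a plugin or theme. Note that hiding the generator tag only removes the easiest clue; as the article says, the source code itself always stays visible, so the real fix is keeping the listed plugins and theme up to date.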

Knowledge is power

Now you know that hackers can easily discover which plugins and WordPress version you are using, which is a weak point of WordPress. You also know the steps you can take to secure your website.

Or not? WPbeveiligen.nl is filled with articles and tips on securing your website!

A professional who truly cares for your WordPress site


If your website is essential to you, it’s best to let a professional work on it. We’ve been working with WordPress full-time since 2007.

Feel free to contact us, either by phone or email. We can tell you how your WordPress website is doing and what can be improved!

And even better, we can take all your worries off your hands and get to work right away if you fill out a form.


Securing WordPress, a necessity!

It is necessary to have your WordPress website secured, even if you have a small website or a website for a select audience. Every WordPress website found on Google will be tested for leaks by hackers and automated scripts.


Keeping WooCommerce secure

WooCommerce is an extremely popular e-commerce platform, powering approximately 39% of all webshops worldwide. Its popularity can be attributed to its integration with WordPress, its free availability, and the ease with which users can set up an online store with just a few clicks. WooCommerce also offers a wide range of free plugins that allow users to customize their webshops according to their preferences.

However, the simplicity of setting up a WooCommerce webshop has also led to the proliferation of insecure webshops on the internet. These insecure webshops can become targets for hackers and may face various consequences, such as being hacked, sending spam to customers, leaking email addresses to third parties, transmitting credit card information without encryption, displaying unwanted links and advertisements, receiving Google’s “red flag” for security issues, and more.

If you are unable to invest in professional website security, following these four important rules can help you keep your WooCommerce webshop secure:

1. Install only one website per hosting package: Hosting packages are like closed spaces where your website resides. If multiple websites are hosted within the same package, a hacker or a hack-bot gaining access to one site could put all other sites at risk. Hosting each webshop separately minimizes this risk.

2. Regularly update WooCommerce: Because WooCommerce is a free platform, it is susceptible to hacking attempts. The developers behind WooCommerce regularly release updates with security fixes to counter such attempts. Keeping your WooCommerce installation up-to-date is crucial.

3. Use HTTPS: Having an SSL certificate and enabling HTTPS is not just about showcasing security; it is vital for securely transmitting sensitive data, such as payment information.

4. Limit the number of plugins: Although there are numerous plugins available to enhance WooCommerce, every plugin introduces a potential security vulnerability. Keeping the number of plugins limited to 3-5 WooCommerce addons can reduce the risk.

Remember, a webshop is like a physical store and requires proper security measures. WordPress, being the foundation of your WooCommerce shop, should be kept up-to-date and secured to ensure a safe and secure e-commerce environment.

Using Google webmaster tools

Google Webmaster Tools is a free service provided by Google that allows you to see how your website appears in search results. It offers various valuable information, including:

1. Search keywords and the number of clicks/visitors your website received for each keyword.
2. The number of inbound links to your website from other websites.
3. Indexing status with a graphical representation.
4. Blocked pages on your website.
5. Crawl statistics.
6. Potential security issues.

These are powerful tools typically used by experienced webmasters.

WPbeveiligen uses Google Webmaster Tools primarily to check whether clients’ sites have been approved by Google. Additionally, they ensure that the site appears in Google search results and that any red warning pages from Google are removed after recovery from malware.

Re-submitting your website for review through Webmaster Tools is crucial if your site has been infected with malware and its search results have been negatively impacted.

To get started with Google Webmaster Tools, you need a Google account. Once you are logged in, go to the Google Webmaster Tools page. Click on the “Add a property” button to add your website. You’ll need to verify that you are the owner of the website, and the easiest method is by downloading an HTML file and placing it in the root directory of your website using an FTP program.

Once the verification is successful, you can access various information about your website’s performance in Google’s search engine.

In the left-hand menu, you can choose the specific information you want to view. Google Webmaster Tools is a valuable resource for website owners and can provide insights to improve your site’s performance in search results.

Plugins, the weakest link in WordPress

WordPress takes security seriously, and the company behind WordPress, “Automattic,” regularly releases security updates. Since 2007, we have been working with WordPress, and we can say that WordPress has always been one of the safest Content Management Systems, and it still is.

However, not every corner of the WordPress world is sunny. With 48,000+ free plugins created by unknown companies and developers, there are also many vulnerable plugins that become the weak link in WordPress’s watertight system.

Some Popular Plugins

Here are a few examples of popular plugins that have had security issues:

  1. All in One SEO – Improves Google rankings (2 vulnerabilities in 2016)
  2. W3 Total Cache – Speeds up the website (8 vulnerabilities in 2016)
  3. Contact Form 7 – Creates easy-to-use contact forms (last 3 vulnerabilities in 2014)
  4. Advanced Custom Fields – Enhances WordPress for advanced business websites (2 vulnerabilities since 2014)
  5. Akismet – Prevents comment spam (last vulnerability in 2015)

These are just five random plugins, but at the time of writing, there are 5194 known WordPress core, plugin, and theme vulnerabilities.

1 or 2 vulnerable plugins on my site are not a problem, right?

You might think, “Who would try those vulnerable plugins on my website?!” But here’s the bad news: at least 30,000 to 50,000 computers are actively hacking and processing 1000 requests per minute! Fully automated!

Calculation:
30,000 computers x 1,000 requests per minute = 30,000,000 requests per minute
30,000,000 x 60 minutes x 24 hours = 43,200,000,000 hacking attempts per day.

This only counts home hackers who use programs that search the internet (via Google) for sites with plugins they can inject. If we add the scripts running on servers, you wouldn’t believe how many websites are attacked and successfully hacked daily (to show advertisements).

All that effort for a little advertisement?

Indeed, once a site is hacked, the hacker will only display advertisements.

Consider what that does when a hacker can place their product on thousands of sites weekly, and some people end up buying it. The hacker exploits the trust that these sites have built with their customers. When a customer buys a product from the hacker’s webshop, the hacker earns good money. Usually, these products are expensive, and there’s uncertainty about whether they’ll arrive. In short, there’s a lot of money to be made in a short time without much effort.

Preventing Hackers from Exploiting Your Website

This antivirus plugin is specially developed for WordPress. The plugin is fully in Dutch and gives you a great advantage over hackers.

The plugin blocks injections, protects your server, and shows you who is attempting to log in to your WordPress falsely. This antivirus plugin combats hackers in over 200 ways and blocks many of their attempts.

All our sites run with this antivirus plugin because we don’t give hackers a chance!

More Tips to Protect Against Hacks

  1. Install a good antivirus for your WordPress website.
  2. Keep your WordPress up-to-date.
  3. Do not install unnecessary plugins and remove inactive plugins.
  4. Ensure your server is up-to-date.
  5. Regularly check if everything is running smoothly using Sucuri.
  6. Check the plugins you use for known vulnerabilities.