- August 22, 2020
WordPress Security for Beginners
We are all concerned about our online business, whether it is an online shop, a travel or news site, or a personal website. There is always a risk of your website being hacked or infected with malware. How are you going to deal with it? Are you prepared for it? Our staff have collected details from their personal experience which will help you in the coming days, and even if your site has already been hacked or infected.
Most websites become vulnerable due to a poor hosting service. Shared hosting has a higher chance of being attacked from time to time, which will affect your site's overall uptime. If you want affordable hosting for your business, you can contact us for more details.
- Secure each computer that has admin access to your website – anti-virus, anti-malware, etc.
- Install the free Bulletproof Security plugin. Your main defense is your .htaccess file and many of the other “security” plugins do NOT adjust this file accordingly.
- Use SFTP, never FTP.
- Use LastPass or a similar utility to generate and save a unique complex password for EACH website you access with a username and password. Then run the LastPass Security Check to identify which sites are using the same password and then CHANGE them.
- If you have multiple domains make sure EACH DOMAIN is installed in its own cPanel (you can do this with subdomains too). Then make sure the cPanel password is unique for EACH DOMAIN. Otherwise, if your cPanel password is hacked, the hacker will have access to ALL your domains (especially if you have used free Addon domains).
- Make sure you always have a recent full backup, know where it is and how to do a restore BEFORE you need to.
- Take advantage of all security features offered by your DNS registrar to SECURE YOUR DOMAIN NAME.
- Use two factor authentication whenever possible.
What if your website is powered by WordPress?
The best strategy for securing your WordPress website is to implement a layered security approach.
- Protect your domain name:
  - Domain Name System Security Extensions (DNSSEC)
- Protect server communications:
  - Domain security (TLS/SSL)
  - HTTP Strict Transport Security (HSTS)
- Protect your website:
  - Use a reverse proxy to filter all traffic to your server
  - Use a web application firewall (WAF)
  - Implement secure access to lock down the login
- Protect your server:
  - ModSecurity web application firewall (WAF) for the Apache web server
  - Secure hosting: avoid shared hosting if possible
  - Avoid hosting your email and web on the same server
  - Use SSL/TLS for email and unique passwords for each account
- Protect WHM/cPanel:
  - Limit access and permissions
  - Install each domain AND sub-domain in its own cPanel (so if one is compromised, the others aren't affected)
  - Keep WHM/cPanel updated to the latest stable release
- Protect remote file access and email:
  - Avoid FTP and use either the cPanel File Manager or Secure FTP (SFTP), plus secure your email
- Protect WordPress:
  - Keep WordPress updated to the latest release version
  - Limit plugins and themes; less is more in terms of security
  - Keep all plugins and themes updated to the latest release version
  - Whenever possible, opt for premium plugins and themes that are regularly updated and supported
  - If a plugin is no longer used, don't just deactivate it, delete it
  - Install a reputable WordPress security plugin
  - BACKUP: schedule regular automated backups. Keep at least one copy on the server and one copy off the server
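The "Protect server communications" item above lists HSTS but gives no way to confirm it is actually set correctly. The following is an added example, not code from the original post: it parses a captured Strict-Transport-Security header (RFC 6797 form) and reports weak settings. The six-month minimum max-age and the constructed sample headers are assumptions; adjust the baseline to your own policy.

```python
"""Check captured HTTPS response headers for an adequate HSTS policy.

Offline by design: it works on headers you have already captured (for
example from your browser's developer tools), so no network access needed.
"""
import re

# Assumed baseline: six months. The browser preload list requires one year.
MIN_MAX_AGE = 15552000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Directive names are case-insensitive and values may be quoted.
    Returns None if max-age is present but not a non-negative integer.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # the quoted-string form is allowed
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                return None
            directives[name] = int(val)
        else:
            directives[name] = val if sep else True
    return directives


def check_hsts(headers, min_max_age=MIN_MAX_AGE):
    """Return a list of findings; an empty list means the policy is met."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    parsed = parse_hsts(value)
    if parsed is None or "max-age" not in parsed:
        return ["HSTS header malformed or lacks max-age"]
    findings = []
    if parsed["max-age"] < min_max_age:
        findings.append(f"HSTS max-age {parsed['max-age']} below {min_max_age}")
    if "includesubdomains" not in parsed:
        findings.append("HSTS does not cover subdomains (no includeSubDomains)")
    return findings


# Constructed sample headers (not captured from any real site).
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WEAK = {"strict-transport-security": 'max-age="3600"'}
```

A WordPress site sitting behind a reverse proxy or WAF may have the header added there rather than by Apache, so capture the headers as a visitor sees them.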