Tag Archives: WordPress
Why Your Website Security Matters Now More Than Ever
Cybersecurity, hacking, data breaches — these are the words that every business dreads. A report earlier in the year, by cybersecurity firm Shape Security, revealed that 80%–90% of the login attempts made on retailers’ websites are hackers using stolen data. No wonder business owners like you are warier and more aware of website security than ever before.
According to a study by KPMG, 19% of consumers would stop shopping at a retailer altogether following a breach; 33% would take a break from shopping there for an extended period. With these stats, online retailers can’t afford to take a relaxed view towards website security, especially with Black Friday and Cyber Monday coming up.
Your customers value security: to trust your brand, they need to feel safe when browsing your products online. Just as they need reassurance, we want to reassure you that you can easily achieve website security and safety.
5 Ways We Ensure Our Clients’ Website Security
1) iThemes Security Pro
The security of the websites we manage on behalf of clients is underpinned by the reliable WordPress Security Plugin, iThemes Security Pro, designed by WordPress security experts.
The powerful tool boasts features such as malware and harmful file detection, lockouts of malicious IP addresses (for example those generating a lot of 404 errors because a bot is scanning your website for vulnerabilities), and limits on the number of failed login attempts permitted per user, which gives WordPress brute force protection.
2) Nightly Website Backups
It would be a nightmare if you were to suddenly lose all your valuable website content. That’s why we make backups every night. In the highly unlikely event that anything should go wrong, we can restore clients’ websites with the previous night’s backups.
We provide further peace of mind with our state-of-the-art cloud hosting platform. It is incredibly resilient and therefore very rarely takes client websites offline.
3) SSL Certificates
SSL certificates are now an industry standard, and businesses shouldn’t underestimate the value of the reassuring padlock next to the ‘https://’ part of your website URL. Without an SSL Certificate, your website is likely to be labelled ‘Not Secure’. I don’t know about you, but that would deter me from browsing a website any further!
We can set up SSL certificates, enabling customers and website visitors to trust our clients’ brands online. You can read more about the benefits of SSL certificates, which include warranty protection for online transactions, increased online safety and higher conversion rates here.
4) Strong Random Passwords
Gone are the days when you could use the same password again and again — despite it being easier to remember! We take the time and make the effort to use randomly generated passwords that are impossible to guess. Such passwords include a random combination of upper- and lower-case letters, numbers and symbols.
Password manager and digital wallet, LastPass, has a great password generator which you can find here.
5) Two Factor Authentication and Strong Logins
For an added layer of security, we don’t just have unique usernames and randomly generated strong passwords. We also either have codes emailed to us or temporary access codes generated in real-time by the Google Authenticator app on our phones. We need these codes, as well as usernames and passwords, each time we log in to work in the ‘back-end’ of a client’s website or add a blog post.
What’s more, the ‘nicknames’ we use, which appear as the ‘authors’ of blog posts, differ from our login usernames. This makes it harder for hackers to guess them and gain access to client websites.
Secure Your Customers’ Trust by Protecting Them on Your Website
If you would like to enhance your website security, or you have any concerns, contact us on 01484 290 100 and we’ll be happy to help!
Pivotal owner and lead developer, Phil, shares his views on Gutenberg, the latest WordPress plugin
I’m sure all fellow WordPress lovers will have heard the news about the impending integration of the Gutenberg plugin to the future release of WordPress Version 5.
Gutenberg is a page builder that allows users to manage their WordPress websites with extra formatting capabilities without any knowledge of HTML or CSS coding.
WordPress users will have already started to see on their Dashboards:
“A new, modern publishing experience is coming soon. Take your words, media, and layout in new directions with Gutenberg, the WordPress editor we’re currently building.”
However, looking at WordPress users’ reviews, Gutenberg is showing a poor average rating of only 2.3/5 (as at 20/08/2018).
With few ratings in the middle, it appears people either like it or loathe it (with an air towards loathing), but I can’t understand why.
I’ve been testing and playing with the Gutenberg plugin for several months now. It seems like a perfectly reasonable and organised page builder to me, that will no doubt be further and further developed to everyone’s advantage.
As a WordPress trainer, personally, I’ve never been a lover of Page Builders. Some of them are so complex you may as well book yourself onto an HTML course. I would always prefer to use HTML and CSS, but I recognise that not everyone wants to have that level of knowledge or may simply want to design a page or post layout that helps make it more readable and engaging.
It is a simple-to-use but comprehensive page builder that can replace many a plugin for adding content and creating a nicely laid out page.
Plus there are some really nice options allowing users to easily have 2 or more columns of text in a row. This is not easy for a layman in current WordPress. Gutenberg also allows you to easily embed items from YouTube, Instagram, etc.
And then there is still the option to revert to Classic Editor for people like me, and to view revisions. So, what’s the beef?
My simple view is that we should embrace the changes. They are for the better, and I’ve no doubt that WordPress’ team will just make it even more so, as they always do.
Thank you WordPress and congratulations!
Well, it depends on two things:
- Do you want to be able to manage the content and layout of your website yourself?
- Would you prefer a professional to do it for you?
If you answered yes to number 2, then that’s an easy fix. Email me at firstname.lastname@example.org and we’ll sort you out with a support package.
If you answered yes to number 1, then there are a couple of things you need to think about before launching yourself straight into your website.
Do I need to go on a WordPress Training Course?
We all know that in business time is money. While WordPress is easy to use, it does require a bit of a learning curve to really get to grips with it. And, obviously, being able to find the exact section of your website that you need straight away will save you time in the long run.
People who attend WordPress training courses have sometimes tried to teach themselves using online resources or muddled through YouTube videos and have, in the end, had to give up. This is because WordPress is so easy to customise by plugging things into it or adding new themes that not all WordPress websites will look exactly the same in the back end. Through face-to-face training, you get professional help with your own website.
Always pick a WordPress training course that mixes practical work with theory. See whether the trainer provides laptops for you to log in to your own website and make changes in real-time.
One-to-One Tuition or Group Courses?
Group training is beneficial when everyone is working at the same level and can help each other out. It also allows for longer sessions to cover more ground and it is not quite as intense.
One-to-one tuition sessions are mainly for people who have attempted to set up their WordPress websites and started putting content on it but have hit a brick wall. They just don’t know where else to go to make the changes they need. These are intense sessions but are tailored to the individual and their website.
As hacking becomes more commonplace, it is becoming more and more important to increase security on your own website to protect your own personal details and your website.
Security is not just about strong passwords. There are lots of things you can do to help keep your WordPress website secure.
Here are some tips on how to increase your WordPress website security (and some cheesy stock photos to go with it!).
Choose a good host.
Some hosting companies are more secure than others. Your host should maintain and manage a lot of things you don’t want to or don’t know how to do yourself. For example, keeping your website’s PHP version up to date will help with reliability and reduce the vulnerability of your site. To run WordPress it is recommended (at the time of writing) that your PHP version is 5.6 or greater and your MySQL version is 5.5. If that means nothing to you, ask your host!
Choose quality software.
If you install your own plugins, are you picking ones that are developed by a security-conscious developer? Always check the star ratings of plugins and the number of reviews they have received. Checking the support section is also a good indicator, as you can see whether the plugin developer regularly answers questions or acknowledges bugs and is working to fix them.
Free computer software can also affect your website by adding hidden software to your computer. This hidden software can slow your computer down, modify your security settings and occasionally steal passwords saved on your computer, including your website login, to sell on to third-party companies. Always check your software is coming from a reliable source; avoid installing ‘bundled’ software – where the install screen asks you to install other programmes as well as the one you want; and don’t click on popups about your computer’s performance!
Use a password manager.
A good password manager, like KeePass, makes it far easier to have long, random passwords. You should have different passwords for all your applications and any websites you sign up to, including your website. Many password managers include a random password generator (although WordPress has its own) so you don’t have to think of a new one each time.
Use two-factor authentication.
More and more websites are using two-factor authentication to increase security. Two-factor authentication is a process that uses two bits of information before allowing you to log in to your website. Some need you to enter your password and username and then complete an extra step on your phone or tablet before you can log in. Others will require you to enter a personal PIN in addition to your password and username.
It does make the login process slightly longer but it makes a big difference to security. Unless you have a high-profile site with millions of visitors a day, hackers and bots trying to access your site will likely give up if they can’t break in right away.
Two-factor authentication is fairly easy to add to WordPress. There are many plugins available, all offering different two-factor authentication options. Google Authenticator is popular, as are Clef and Duo WordPress.
Back up your website!
By far the most important thing to do! WordPress is the most popular platform for websites and so it is very attractive to hackers. Despite putting all these security measures in place, it is still possible to be hacked so make sure that your website is backed up on a regular basis, either through a plugin or by asking your host to do it for you.
In June, I attended WordCamp Vienna, a huge conference that focuses on everything WordPress – not just an excuse for a holiday! It’s a fantastic conference for everyone from the casual WordPress user to core developers. I learnt lots of new things, some of which I hope to share through our blog and on LinkedIn.
One of the first talks I went to was by the wonderful Maurizio Pelizzone, an Italian WordPress Developer who whizzed through ten tips in ten minutes for hardening WordPress. After working through what Maurizio said and tweaking some of the code so it works better for us, below is what we found.
Disclaimer! Some bits require adding code to the .htaccess, wp-config.php and functions.php files of WordPress. If you don’t know how to do this, ask your web developer (or — shameless plug — call me at Pivotal Web Solutions).
Why harden WordPress?
All systems are vulnerable. No matter what. And because WordPress is used by over 25% of all websites on the web (July 2016), it is by far the biggest platform to attack. There are five main threats that could put your website at risk:
- Human errors. These are things we forget to do (because we’re human after all!). Forgetting to remove the ‘admin’ username, to set a strong password or to update to the latest version of WordPress are some of the most common.
- Exploitation. Attackers find an unpatched vulnerability in a plugin or theme and access your site this way.
- Social engineering. This is when hackers collect personal information from your website and use it against you.
- Brute force attack. A trial-and-error method used by bots that attempt to guess usernames and passwords to access your website.
- Write & execution permission. When permissions are left open it leaves a back-door for attackers.
Before you even launch a WordPress site make sure you have a good host that will protect your server from attacks. Once you have done that, harden your WordPress website using the ten tips below.
Ten Tips for hardening WordPress against attacks
Before we even start the technical bits, ALWAYS keep your site updated. WordPress is constantly releasing security patches, so having the latest version is a necessity.
1. Test your backup
You should be taking regular backups of your website. Make sure you test these occasionally before disaster strikes. This means you will be able to recover quickly if anyone does access your website. There are many plugins available to help you with your backup (for example, UpdraftPlus and VaultPress) or you can do this manually.
2. Prevent user enumeration
Deter hackers by removing username information. User enumeration takes advantage of the way WordPress creates author pages: visit http://mysite.co.uk/?author=1 on your WordPress site and see where it redirects you. Even if you publish under a nickname, it doesn’t take long to find the actual username in the page source.
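As an added example (not code from the original post), here is a functions.php snippet that closes the author-page route described above and, going one step beyond the post, also hides the REST API user listing that exposes the same username slugs. The hook priority and the route keys are standard WordPress; everything else is assumed for this snippet.

```php
<?php
// Added example (not from the original post). Drop into the active child
// theme's functions.php. Comments describe what each hook does.

// 1. Send anonymous requests for author archives (?author=1 or /author/<slug>/)
//    to the homepage. Priority 1 matters: WordPress's own redirect_canonical()
//    runs on the same hook at priority 10 and would otherwise answer ?author=1
//    with a redirect to /author/<real-username>/, which is the leak itself.
add_action( 'template_redirect', function () {
    if ( is_author() && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 2. Remove the /wp/v2/users routes from the REST API for anyone who could not
//    list users in the Dashboard anyway. Logged-in editors keep the endpoint,
//    so the block editor's author picker keeps working.
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );
```

Check the result by requesting ?author=1 while logged out: you should land on the homepage, not on /author/<username>/.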
3. User permissions
Limit the number of users and the permissions they have to an absolute minimum. This means if hackers do manage to get into your Dashboard, they will not have full access to your site.
4. Hide your login
Move your login to a custom login page so the /wp-login and /wp-admin pages are unavailable. The Custom Login URL plugin works well for redirecting these pages.
5. Don’t show errors & unnecessary info
Remove detailed login errors, the WordPress version number and readme files to limit the amount of information provided to hackers.
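Added example, not code from the original post: the three information leaks named above (specific login errors, the version in the generator tag and feeds, and the version in asset query strings) can each be switched off from functions.php. The filter and function names are real WordPress hooks; the helper name prefixed pivotal_ is assumed for this snippet.

```php
<?php
// Added example (not from the original post). Nothing here changes how a
// login is checked; it only changes what WordPress tells the visitor.

// 1. Replace "Invalid username" / "The password you entered for the username X
//    is incorrect" with one neutral message, so a failed attempt no longer
//    confirms whether a username exists.
add_filter( 'login_errors', function ( $error ) {
    return 'Login failed. Please check your details and try again.';
} );

// 2. Drop <meta name="generator" content="WordPress x.y"> from <head> and the
//    version string from RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 3. Strip the ?ver=x.y WordPress appends to its scripts and stylesheets.
//    Caveat: this also removes the cache-busting value from plugin and theme
//    assets, so visitors may need a hard refresh after updates.
function pivotal_strip_asset_version( $src ) {
    if ( is_string( $src ) && strpos( $src, 'ver=' ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'pivotal_strip_asset_version', 9999 );
add_filter( 'style_loader_src', 'pivotal_strip_asset_version', 9999 );

// readme.html and license.txt in the web root also state the version. They are
// plain files, so delete them after each core update (or deny them in
// .htaccess) rather than trying to hide them from PHP.
```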
6. Deny PHP execution
If hackers get access to your website, they can hide PHP files in folders where they should not be able to run. For example, most malicious files are planted in the /wp-content/uploads/ folder. By disabling PHP execution in this folder you will improve your security. To do this, create a brand new .htaccess file and put it into the uploads folder.
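The .htaccess file the tip asks for, as an added example (not the original post’s or the plugin’s own file). It assumes Apache with .htaccess overrides enabled for the uploads directory; the IfModule blocks pick the right syntax for Apache 2.4 and 2.2.

```apache
# Added example (not from the original post): wp-content/uploads/.htaccess
# Apache never executes, or even serves, a file in this folder whose name ends
# in a PHP-style extension (case-insensitive). Uploaded images are unaffected.
<FilesMatch "(?i)\.(php|php[3-7]|phtml|phar)$">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 and earlier
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

Test it by placing a harmless file such as uploads/test.php containing only a comment and confirming the server answers 403; if it still serves the file, your host has not enabled .htaccess overrides (or runs nginx, which ignores .htaccess entirely), so ask them to apply the equivalent rule in the server configuration.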
7. Remove inactive plugins
Remove any useless or inactive plugins. If you have the knowledge, you could integrate plugin functionality inside your child theme. In terms of plugins, less is more: the more plugins you have, the more you are relying on a third-party source to fix any vulnerabilities or problems that would otherwise give hackers a backdoor into your website.
If you work on a website that has a few users, you can easily disallow front-end plugin and theme updates and installations to limit any problems.
8. Use a secure password
Everyone says this, but there really isn’t any excuse! Don’t be lazy, use a very strong password. You could use a password manager such as KeePass to keep them safe or use a method that is logical to you to remember them. For example:
Phrase + numbers + symbol e.g.:
- My son likes playing with his red ball = mSlPwHrB
- Addicted to WordPress = @ddic3d.2.WordPr3ss
9. Custom directory structure
WordPress comes in a standard structure (obviously) which you rarely see on the front-end of your website. The standard file structure is:
However, by applying your own custom structure, you can not only make it look nicer but it also means brute force attacks will fail. For example:
10. Set a black hole trap
A WordPress black hole adds a hidden link to your website’s robots.txt file that forbids bots from following the hidden link. Bad bots that ignore the robots.txt rules will fall into the trap and be denied access to the rest of your website. You can also choose to receive information about the blocked bots via email. I’d recommend using Blackhole for Bad Bots plugin for this but if you fancy a challenge, or don’t want to add an extra plugin, you can follow these instructions on Perishable Press.
So there you have it. By using these methods, you can harden your WordPress site against attacks. If you don’t know how to edit your .htaccess, wp-config or functions.php files that are mentioned above, ask a web developer. Changes to these files can bring your website down if not implemented correctly. If you have any questions about it, or you know of other ways to harden WordPress please share in the comments.
For more chatter about WordPress, follow me on Twitter @KarysPivotal. Thanks!
Christmas came early for all us SEO and web designer geeks, when the new WordPress Version 4.4 was released earlier this month.
According to expandedramblings.com, a whopping 25% of all websites around the globe use WordPress, and the popular blogging platform is the one we predominantly run and maintain on behalf of our clients here at Pivotal.
With a name that pays homage to the late jazz trumpeter, Clifford Brown, the latest version of WordPress boasts numerous features that combine to help make sites more responsive and connected.
Features that have gotten us excited are:
Responsive Images: Images are able to automatically adapt their size to fit perfectly to whatever device you are accessing the page on, whether that be tablet, smartphone or PC. This is particularly handy given that Ofcom’s 2015 Communications Market Report found that 33% of internet users deem their smartphone to be the most important device for going online compared to 30% who are staying loyal to their laptops. This marks a significant rise in the preference of smartphones as in 2014 only 22% preferred accessing the internet via this device, with 40% being pro laptop and it’s a trend that’s set to keep rocketing in 2016…
New Theme: A modern interpretation of a classic blog design, Twenty Sixteen is WordPress’ new clean and crisp default theme that promises to look chic on any device. Benefits of this theme include a flexible header, fun colour scheme options and a fluid grid design to make your blog posts stand out from the rest!
Embedding Ease: Now you have the freedom to embed your posts on other WordPress websites and it’s easy to do! Paste a URL into the post editor section and you’ll be greeted with an instant embed preview, encompassing the title, excerpt and feature image (if you have set one) belonging to the post. Simple. Your site icon and links to enable commenting and sharing being added is a bonus!
Pivotal clients’ websites will be updated automatically and will enjoy the benefits that this great new version of WordPress has to offer. For more information click here.