WordPress Security: Keeping your website safe from hackers

Last night I watched a YouTube video by Wordfence Security showing how quickly and easily an attacker can get into your website through an outdated plugin. The security specialist, Chloe Chamberland, showed how an attacker can use a Google search technique called "Google dorking" to find websites that run a specific plugin such as bbPress. The results showed the version of the bbPress plugin each site was running, so Chloe could pick out the sites on an outdated version with a vulnerability she already knew how to exploit. She then signed up for a new account on one of those sites, requesting ordinary 'subscriber' access. Before the sign-up was sent, she used a tool that pauses the request on its way to the server and edited the role it contained from subscriber to administrator. The server trusted the value it was given, so the new account was created with administrator access, which means full control of the entire website. All within five minutes.
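The weakness behind that demo is a server that lets the client pick its own role. As an added example (not code from the video, from Wordfence or from the vulnerable plugin), here is a custom self-registration handler for WordPress in both forms: the vulnerable pattern that copies a role field straight out of the request, and a hardened version that never reads one and assigns the site's configured default role instead. It assumes it is loaded inside WordPress as a plugin; the wwd_ prefix, the action name and the form field names are made up for this example.

```php
<?php
/*
 * Plugin Name: WWD Registration Example
 * Added example, not code from the video or from Wordfence. Assumes it is loaded
 * inside WordPress; the wwd_ prefix and the field names are made up for this example.
 */

// VULNERABLE: the role the browser sends is the role the account gets. A request
// paused in flight and edited to role=administrator creates an administrator.
function wwd_register_vulnerable() {
    $result = wp_insert_user( array(
        'user_login' => $_POST['user_login'],
        'user_email' => $_POST['user_email'],
        'user_pass'  => $_POST['user_pass'],
        'role'       => $_POST['role'],   // client-controlled: this is the whole problem
    ) );
    wp_die( is_wp_error( $result ) ? esc_html( $result->get_error_message() ) : 'Registered' );
}

// HARDENED: the role comes from server-side configuration, never from the request.
function wwd_register_hardened() {
    // Honour the site-wide switch (Settings > General > "Anyone can register").
    if ( ! get_option( 'users_can_register' ) ) {
        wp_die( 'Registration is disabled', 'Forbidden', array( 'response' => 403 ) );
    }

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) ( $_POST['user_pass'] ?? '' );

    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_die( 'A username, a valid email and a password of at least 12 characters are required',
                'Bad request', array( 'response' => 400 ) );
    }

    // Whatever role, capability or user ID field the request carries is simply never read.
    $result = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => get_option( 'default_role', 'subscriber' ), // Settings > General > New User Default Role
    ) );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), 'Registration failed', array( 'response' => 400 ) );
    }
    wp_safe_redirect( home_url( '/?registered=1' ) );
    exit;
}

// Only the hardened handler is wired up; the vulnerable one is shown for contrast.
add_action( 'admin_post_nopriv_wwd_register', 'wwd_register_hardened' );

// The sign-up form. It has no role field: the client gets no say in it, and adding
// one by hand (or by editing the request in flight) changes nothing server-side.
function wwd_register_form() {
    ob_start(); ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wwd_register">
        <input name="user_login" placeholder="Username" required>
        <input name="user_email" type="email" placeholder="Email" required>
        <input name="user_pass" type="password" placeholder="Password (12+ characters)" required>
        <button type="submit">Sign up</button>
    </form>
    <?php return ob_get_clean();
}
add_shortcode( 'wwd_register', 'wwd_register_form' );
```

The edited-request trick from the video works against the first function because the server treats a form field as an authorization decision. In the second, the only role a self-registered account can ever get is the one set under Settings > General > New User Default Role, which should stay at Subscriber; promoting an account is left to authenticated admin actions with their own capability checks.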

So I have mentioned to many of my clients how important it is to run the updates regularly on your WordPress (and Joomla!) websites. I give instructions for those who wish to do it themselves, and I also provide a service where I go into the website, run a backup, run all of the updates and test the website afterwards to make sure none of the updates caused a problem.

I recommend running updates every two months at the bare minimum; monthly is better, and weekly is best.

Having added security is also very important to protecting your website. Over a third of websites on the internet are built on WordPress. Once attackers find a vulnerability in a popular plugin or theme, they can scan for and attack one or many sites very quickly, usually with automated tools.

Some hosting companies provide higher security with the hosting, such as SiteGround Hosting, the number 1 recommended hosting company on WordPress.org. I have spoken to their technicians and have been advised that if the plugins are kept up to date, there is little room for hacking of their system. Other hosting companies offer added security services. GoDaddy offers Website Security Essentials, which scans websites daily for malware and will clean up your site if it finds any. If your website has been hacked, don't despair: once you purchase Website Security Essentials, you run the website scan and submit a ticket to have the website cleaned. Within 6 hours your website is cleaned and back online. You can also purchase the pricier firewall service, a web application firewall that filters malicious requests before they reach your website. It cuts out a great deal of attack traffic, but it is not a substitute for keeping your software up to date.

There are two free plugins you can install directly onto your WordPress website: Wordfence Security or All In One WP Security. I use both (not at the same time on the same website). Both offer a firewall and extra login security, can scan for outdated plugins, let you block IP addresses (a standard feature in All In One, a premium feature in Wordfence Security), and have a host of other security features. All In One WP Security also lets you change the login URL.

The premium version of Wordfence Security will also clean a hacked website and then provide protection to your website for 1 year. When a new attack is hitting websites, premium users get the firewall rule that blocks it immediately; the free version receives the same rule 30 days later.

How to run updates through your WordPress Dashboard

  1. Sign in to your WordPress Admin dashboard.
  2. Run a backup of your website either through a plugin that allows you to roll back your website if you encounter a problem, or within your hosting account. Siteground Hosting cPanel offers Softaculous software to install WordPress applications. You can run a full database and file backup within Softaculous. Godaddy WordPress Hosting automatically runs a daily backup which you can restore in the hosting account.
  3. Hover over ‘Dashboard’ in the upper left, then click ‘Updates’ or at the top of the page there will be a circling arrow with a number that tells you how many updates are available. Click this to go to the updates page.
  4. Select one plugin at a time and click Update. I always write down the plugin and the version so that if an update causes a problem, I know which version was working before it. Be careful with plugins that were installed as part of your theme package: update the theme first, then update those plugins through the theme's own interface; otherwise the theme can break.
  5. Some plugins will say an update is available but, because the plugin was bundled with a theme, the new version may not be available until it ships with a new version of the theme. The Bridge theme, for example, comes packaged with the WP Bakery plugin; that is a premium plugin, and its updates are only available through the Bridge theme update.
  6. After plugins and themes are updated, test your website to make sure it is still functioning properly. If you encounter any problems, it might be best to contact your website designer or host to troubleshoot what went wrong and how to fix it.  There are occasions where plugins have to be deactivated to figure out which one broke the website.

Another Way of Hacking Your Site

In the same Wordfence Security video, Chloe Chamberland, Security Specialist, showed how an attacker can use the Comments feature to gain full access to a website. She used a test website and added a seemingly harmless comment on a blog post, something like 'I really like your post, maybe you can like mine too', with a link to another website. She had Scott Miller, another analyst, sign in to the test website and click the link from her comment. On Chloe's site, Scott clicked a button that said 'enter site' ... and nothing visible happened. Let me reiterate: nothing VISIBLE happened. In the background, that click sent a request from Scott's browser back to his own website, and because Scott was still signed in there, his site accepted the request as his and created a new user account. Chloe now had full administrator access to Scott's website. This trick, where an attacker's page makes your logged-in browser submit requests to your own site, is known as cross-site request forgery (CSRF). It was really scary to see how quickly it could be done. Thank goodness Chloe is on our side and uses her knowledge to protect us and update the Wordfence Security plugin to stop attackers from gaining access to your website. Chloe also showed how having the Wordfence Security plugin installed on a website would have prevented this hack, and the first one I mentioned at the beginning of this post, from happening at all.
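What lets a forged request through is a handler that changes state without proof that the request came from a form the site itself rendered. As an added example (not the video's code or Wordfence's), here is an authenticated "add user" action for WordPress in both forms: the vulnerable pattern, which any page Scott visits while logged in could drive, and a hardened version that requires the create_users capability, a WordPress nonce, and a role the site actually defines. It assumes it runs inside WordPress as a plugin; the wwd_ prefix, the action name and the field names are made up for this example.

```php
<?php
/*
 * Plugin Name: WWD Add User Example
 * Added example, not code from the video or from Wordfence. Assumes it is loaded
 * inside WordPress; the wwd_ prefix and field names are made up for this example.
 */

// VULNERABLE: no check that the request came from a form this site rendered, and no
// capability check. A logged-in administrator who merely visits an attacker's page
// can be made to submit this silently, and the attacker chooses the role.
function wwd_add_user_vulnerable() {
    wp_insert_user( array(
        'user_login' => $_POST['user_login'],
        'user_email' => $_POST['user_email'],
        'user_pass'  => $_POST['user_pass'],
        'role'       => $_POST['role'],
    ) );
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// HARDENED: capability check, nonce check, and the role is limited to real roles.
function wwd_add_user_hardened() {
    // 1. Only users allowed to create accounts may reach this code path at all.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_die( 'You are not allowed to create users', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. The nonce proves the POST came from a form this site rendered for this user.
    //    A page on another site cannot read that token, so a forged request dies here.
    check_admin_referer( 'wwd_add_user' );

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $role  = sanitize_key( $_POST['role'] ?? '' );

    // 3. Never accept a role the site does not define, and only let callers who can
    //    promote users hand out administrator.
    $roles = wp_roles()->get_names();
    if ( '' === $login || ! is_email( $email ) || ! isset( $roles[ $role ] ) ) {
        wp_die( 'Invalid username, email or role', 'Bad request', array( 'response' => 400 ) );
    }
    if ( 'administrator' === $role && ! current_user_can( 'promote_users' ) ) {
        wp_die( 'Not allowed to assign that role', 'Forbidden', array( 'response' => 403 ) );
    }

    $result = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ), // the new user resets it; the form never sets it
        'role'       => $role,
    ) );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), 'Failed', array( 'response' => 400 ) );
    }
    wp_safe_redirect( admin_url( 'users.php?wwd_added=1' ) );
    exit;
}
// Only the hardened handler is wired up; the vulnerable one is shown for contrast.
add_action( 'admin_post_wwd_add_user', 'wwd_add_user_hardened' );

// The form that legitimately drives the handler; wp_nonce_field() embeds the token
// (as the _wpnonce field) that check_admin_referer() later verifies.
function wwd_add_user_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wwd_add_user">
        <?php wp_nonce_field( 'wwd_add_user' ); ?>
        <input name="user_login" placeholder="Username" required>
        <input name="user_email" type="email" placeholder="Email" required>
        <select name="role">
            <option value="subscriber">Subscriber</option>
            <option value="editor">Editor</option>
        </select>
        <button type="submit">Add user</button>
    </form>
    <?php
}
```

The attacker's page needs nothing exotic: an ordinary HTML form whose action is your site's admin-post.php and whose hidden fields name the action, the attacker's chosen username and the role, submitted when the victim clicks 'enter site'. The browser attaches the victim's login cookies automatically, so the vulnerable handler cannot tell that request from a genuine one. The nonce breaks the chain, because a third-party page cannot read the token WordPress placed in your form. Wordfence's firewall adds a layer in front of your code, but every action that changes state should carry its own nonce and capability check regardless.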

So a few final thoughts:

  • Run your updates regularly
  • Install a firewall through your hosting company, or install Wordfence Security or All In One WP Security and make sure the firewall is enabled
  • Disable user registration on your website if you don't need it (Settings > General, "Anyone can register"); if you do need it, make sure the New User Default Role on that same page is Subscriber
  • Watch the following video for more info from the pros at Wordfence Security

(Embedded YouTube video from Wordfence Security)

Coles Notes version of Boosting SEO


Today I had someone email me asking how to build an online presence on Google. After typing my answer I realized it would make a good post to share with others!
Here was my response:

  1. Have descriptive page titles. When designing a site and setting up SEO I always ask my clients "how would people search for you?" For instance, if you wanted a chiropractor in Collingwood, that is what you would type into Google: "chiropractor collingwood". If that is how people will find you, make sure all of your page titles include it.
  2. Narrow your selection. Don’t try to be the best across the province, narrow your location to a main town and surrounding area.
  3. The more pages you have with excellent titles, the better you rank.
  4. The page content has to match the titles… so if your page is about cutting wood… somewhere on the page you should mention that you cut wood.
  5. Each page URL needs to be descriptive. Here is the URL for one of my pages: https://wannawebdesign.com/services/modify-websites-collingwood-barrie/ . See how the URL is set up?
  6. You need lots and lots of content. Good content.
  7. Your content should be typed on the page, not put in a JPG or PDF. Google indexes text on the page far more reliably than text inside an image.
  8. Google no longer uses the meta keywords tag, so stuffing keywords there does nothing.
  9. Add a Google presence: Google Business, add your address to Google Maps
  10. Single-page websites are not great for SEO. You only get one shot at Google finding you across the entire internet, and you are competing with companies that have multiple pages, very specific locations and structured SEO.
  11. Google likes Blogs. So create a blog with posts that are relevant to your theme. If you play music weekly have weekly posts with where you are playing: “Live Jazz music this Friday night at XYZ Bar & Eaterie”. Update it regularly. Google likes current blogs.
  12. Name your photos… don’t upload 1234.jpg. Change the name to reflect what you are promoting.

So this is the Coles Notes version of SEO. But if you follow these practices, you should be able to rank higher.

If this seems overwhelming, contact me!

Cindy

Wordfence Email message alerts

If you have the Wordfence Security plugin installed in your WordPress website, chances are you are getting emails from Wordfence with the subject:

[Wordfence Alert] Problems found on yourdomainnamehere.com

Do not worry! This is actually a very good indicator that something needs to be updated on your website. The email will tell you which plugin or theme needs to be updated, or whether WordPress itself has an update. Reading it is safe, but rather than clicking links in any email, sign in to your dashboard the way you normally do and check the Updates page there; a phishing email can imitate an alert like this one.

If WordPress itself needs to be updated, the best way to do this is through the hosting environment:

Updating WordPress through GoDaddy or Wanna Web Design Hosting

If you are hosting with GoDaddy.com or Wanna Web Design Hosting (hosting.wannawebdesign.com), you can sign in to your hosting account, click My Account, click Web Hosting, then "Launch" and sign in to cPanel. Under Options and Settings, Popular Apps, click the WordPress icon. On the right-hand side it will say 'Manage my applications'; click this link. You will then see a link that says 'install new version'; click it, follow through the prompts, then click 'install now'. This takes a backup of your database and files and installs the new version. If there is a problem with the install you can back out of it. You will get an email when the install is complete. Don't modify your website while the install is running.

If you ever have trouble or don’t want to bother with this yourself, feel free to contact Wanna Web Design and I can do it for you for only $25.

Updating WordPress & plugins through the Dashboard

Otherwise, you need to sign in to your WordPress admin dashboard.  At the top of the dashboard screen on the left you will see a swirling circle with a number next to it. (If it says 0 you don’t have any updates).

Click this circle, it will take you to the WordPress updates page.

At the top it will notify you if you have a current version of WordPress. If it is out of date it will say Update Now. Click this link and just wait, don’t navigate from the page. Wait until the wordpress install has completed.

Then return to the WordPress updates page and continue updating all plugins and themes. Be careful with the themes! Some themes have been customized directly for your install, and updating them will overwrite those customizations (changes kept in a child theme survive a parent theme update). Double check with your web designer if you are unsure which theme is yours or how it was customized.

To update plugins: tick the checkbox for every plugin, then click 'Update Plugins'. This installs all of the new plugin versions in one go.

Do the same with the themes …. but again, do not update themes if you aren’t sure which one is yours. 

Wordfence Security Scan

There is a plugin installed in your website called Wordfence Security. It protects your site from attackers trying to gain access to the admin area, and it can also run a scan that checks the site's files and settings. Keep all plugins up to date, otherwise the scan will report them as problems.

Hover over Wordfence Security and then click Scan. Click Scan at the top. It will walk through all of the files (this takes a few minutes) and then show you the results. You want the message to be 'Congratulations...'.

WordPress Security Options set up

WordPress is one of the most used content management systems on the web. That also makes it one of the most attacked! Attackers are constantly probing for vulnerabilities or backdoors to gain access to your WordPress site, most often to insert code into your theme that links to their own sites. In most cases site owners don't even know their site has been compromised: nothing is visible, and the malicious code is hidden in old theme files, image files or wherever it is least likely to be noticed.

There are many security plugins that you can install in your WordPress site.  My favourite is Wordfence Security.

It is easy to install and set up.

Go to Plugins Add New

In the search field type Wordfence Security, then install.

You will be prompted to type in an email address to send notifications. This is how/where Wordfence will notify you if there are any alerts on your website.

Then Click Wordfence from the left side of the WordPress dashboard and select Options.

(Screenshot: wordfence-2)

These are the default selections when you install Wordfence.

(Screenshot: wordfence-3)

The Alerts let you know when there is any activity on your site. These are important especially when there is a global attack on websites. You will know when a hacker is trying to sign in and what admin user id they are trying to gain access with.

Sometimes this can be a bit of a nuisance, as repeated emails land in your inbox. But it is important to monitor them and make sure the attempts aren't using a real administrator user id; if they are, that username has leaked and you should retire it (create a new administrator account and delete the old one).

(Screenshot: wordfence-4)

I set the login security options very tight, so that once a login fails twice, that address is locked out for 60 days. Be aware this applies to you too if you mistype your own password twice, so add your own IP address to Wordfence's allowlist first, or be ready to use the unlock-by-email link Wordfence shows on its lockout page.

Click save to save all your changes.

osCommerce Adding a page to information module

After a long struggle to find how to add several pages to the Information block and a few missed important details, I have decided to write my own tutorial!

With the proper information it is actually quite simple. These instructions are for version 2.3.3.4.

You need to have access to the files through an FTP client like Filezilla (search for Filezilla and download it for free).

Step 1

go into the /catalog/ folder and locate shipping.php file.  Copy this file to create your new page, for the purpose of this tutorial I will call it about.php

edit the about.php file and replace FILENAME_SHIPPING with FILENAME_ABOUT (2 occurrences)

save your file

Step 2

go into the /catalog/includes/ folder and edit the file filenames.php

copy the line

define('FILENAME_SHIPPING', 'shipping.php');

and change it to

define('FILENAME_ABOUT', 'about.php');

save the file

Step 3

go into the /catalog/includes/languages/english folder and copy the shipping.php file to create about.php

edit the new about.php file and change the following lines:

define('NAVBAR_TITLE', 'Shipping & Returns');
define('HEADING_TITLE', 'Shipping & Returns');

define('TEXT_INFORMATION', 'Put here your Shipping & Returns information.');

to:

define('NAVBAR_TITLE', 'About Us');
define('HEADING_TITLE', 'About Us');

define('TEXT_INFORMATION', 'Put your about us information here… use HTML code to enter it, like this:

<h2>About Us</h2>

<p>All about me, me me me!</p>

');

* note: make sure you keep the final closing single quote and the closing parenthesis and semicolon!

Step 4

edit the following file:

/catalog/includes/modules/boxes/bm_information.php

The $data string in this file builds the list of links in the Information box. Add a line for your new page alongside the existing ones (here it is shown next to the Contact Us link; keep whatever other links your file already has):

$data = '<div class="infoBox infoBoxInformation">' .
        '  <div class="infoBoxHeading">' . MODULE_BOXES_INFORMATION_BOX_TITLE . '</div>' .
        '  <div class="infoBoxContents">' .
        '    <a href="' . tep_href_link(FILENAME_ABOUT) . '">' . MODULE_BOXES_INFORMATION_BOX_ABOUT . '</a><br />' .
        '    <a href="' . tep_href_link(FILENAME_CONTACT_US) . '">' . MODULE_BOXES_INFORMATION_BOX_CONTACT . '</a>' .
        '  </div>' .
        '</div>';

save the file

Step 5

edit the following file:

/catalog/includes/languages/english/modules/boxes/bm_information.php

to include the following line:

define('MODULE_BOXES_INFORMATION_BOX_ABOUT', 'About Us');

save the file

Upload all of the files into their respective folders and refresh your screen.
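Putting Steps 1 to 3 together, this is what the new /catalog/about.php looks like. It is an added illustration, not a copy of this page's own file: the layout follows the stock osCommerce 2.3.x shipping.php, with the two FILENAME_SHIPPING references swapped for FILENAME_ABOUT. Your copy of shipping.php may carry extra markup (a Continue button, for instance); keep whatever is there and change only the two constants.

```php
<?php
/*
 * /catalog/about.php - new information page, copied from shipping.php.
 * Added example modelled on the osCommerce 2.3.x shipping.php layout; only the
 * two FILENAME_* references differ from the file you copied.
 */
  require('includes/application_top.php');

  // 1st occurrence: pulls in includes/languages/english/about.php, which defines
  // NAVBAR_TITLE, HEADING_TITLE and TEXT_INFORMATION for this page (Step 3).
  require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_ABOUT);

  // 2nd occurrence: the breadcrumb link back to this page, using the constant
  // defined in includes/filenames.php (Step 2).
  $breadcrumb->add(NAVBAR_TITLE, tep_href_link(FILENAME_ABOUT));

  require(DIR_WS_INCLUDES . 'template_top.php');
?>

<h1><?php echo HEADING_TITLE; ?></h1>

<div class="contentContainer">
  <div class="contentText">
<?php
  // TEXT_INFORMATION is echoed as raw HTML on purpose, so only ever put your own
  // trusted markup in the language file; never build it from visitor input.
  echo TEXT_INFORMATION;
?>
  </div>
</div>

<?php
  require(DIR_WS_INCLUDES . 'template_bottom.php');
  require(DIR_WS_INCLUDES . 'application_bottom.php');
?>
```

If the language require fails with a missing-file error, the name in Step 2's define() and the file you created in Step 3 don't match; both must be about.php.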

The new Link should be added beneath the Information section in the sidebar.

If you don’t see the sidebar, it might be turned off in the osCommerce admin panel….