Security for WordPress: How to have Security in WordPress


 
 

Security in WordPress?

You can’t believe it happened, but it’s true. Your WordPress website has been hacked. And, you didn’t even see it coming.

Imagine that happening to you

What would you do? Do you even back up WordPress?

A WP Security Fact: WordPress Websites Are Targets

If you own a WordPress website, it’s highly likely that your website has been the target of attack by hackers…many times over. And, you’re probably not even aware of it.

Are you asking why a hacker would want to hack your WordPress website? Or, are you thinking that you’d probably know about it if it was really happening? You’re not alone. Lots of people think that, too.

Automated Hacking…

While some hacker attacks are deliberately focused on a given website, most attacks are carried out by countless automated scripts working 24 hours per day. The scripts often are programmed to run through ranges of IP addresses (think of these as street addresses on the Internet). Other than the targeted attacks, your website is just as likely to get attacked as the next one.

And, as far as you being aware of hacking attempts on your WordPress website, it’s highly unlikely you would know unless:

  • You already have security measures in place that inform you
  • Your WordPress site has been taken over by a hacker…and it’s obvious (i.e., changes to website appearance, text, etc.)

You should know that your site can be compromised without you even knowing it. Everything may look the same, but your site could now be controlled by rogue computers on the web for the purpose of spamming or delivering viruses to the unsuspecting. Maybe the hacker replaced your AdSense code with his/hers. Lots of possibilities exist.

As you read this entire article, you’ll discover:

  • How vulnerable your WordPress website is
  • An easy way to defend against certain types of attacks
  • What else you’ll want to do to secure your WP site against attack

WordPress – Is there Security In WordPress?


First of all, I believe that WordPress is a fantastic website platform for a number of reasons. My thanks go out to those that bring us WordPress…for free.

You likely already know that the WordPress team is constantly improving WordPress and fixing security problems. Even so, a standard WordPress installation offers several tempting targets for hackers to exploit, and the WordPress Admin dashboard does not inform you of the hacking assaults against your site on its own.

Most WordPress website owners are surprised to learn that their WP sites have several vulnerabilities and have been under attack since they were first published.

“The first my attorney friend became aware of any hacking attempts on his business site was when it was taken over by a hacker. And, it was hacked so completely that the hosting company’s tech support could not even rescue the site…a total loss.” ~ Don Roberts

Imagine that happening to you

Security For WordPress: Login Attacks

One way hackers attempt to gain control of your WordPress website is to simply log in on the Admin login screen. The bad guys need two pieces of information to make this happen…a username and a password. Hackers know that many WordPress website owners use the default “Admin” for the username. So, all they need now is the password. And, their automated scripts can keep trying passwords until they find the right one…then, log in.

“Always change the ‘Admin’ username to something different, and use a strong password…let your password manager remember them.” ~ Don Roberts

WordPress Security Tips: Here’s Something You Can Do Right Now…

You’ll want to do this right away. It’s easy and it’s free.

Get the “Limit Login Attempts” plugin from the WordPress Codex, and install it. Once you do, you’ll be on your way to securing your WP website against the bad guys.

Limit Login Attempts begins working right out of the box. On its page in the Admin dashboard, it will begin reporting failed login attempts “by IP address”. It will also begin temporarily locking out IP addresses for exceeding the number of failed logins you specify (the default is 4 login attempts).

You can even have it email you when a lock-out occurs. The subject line will read “[YOUR URL] Too many failed login attempts”. Ironically, I received one of these emails while writing this paragraph.

Tip – The lock-out notification email identifies the IP address of the locked-out hacker. I entered the IP address into the “IP Deny Manager” in my HostGator cPanel. At that point, the hacker cannot even access the login form through that IP address anymore.

As is obvious from its name, this great WordPress security plugin limits the number of times a hacker script can attempt to crack your login.
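An added example (not from the original article or the plugin's own code) that replays the lockout rule described above over constructed access-log lines, so you can see which IP addresses would have been locked out and when. The 20-minute lockout, the 12-hour forget period, and treating an HTTP 200 response to a POST on wp-login.php as a failed login are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILED = 4                    # the article's stated default
LOCKOUT = timedelta(minutes=20)   # assumed lockout length
FORGET = timedelta(hours=12)      # assumed time after which old failures stop counting
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines in Combined Log Format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [10/Mar/2024:02:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [10/Mar/2024:02:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [10/Mar/2024:02:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [10/Mar/2024:02:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [10/Mar/2024:02:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [10/Mar/2024:03:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2900
198.51.100.20 - - [10/Mar/2024:03:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [10/Mar/2024:03:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:03:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
"""

def simulate_lockouts(log_text):
    """Replay login POSTs and return (lockout events, attempts refused per IP)."""
    failures = defaultdict(list)   # ip -> times of failures still being counted
    locked_until = {}              # ip -> time the current lockout ends
    lockouts = []                  # (ip, time the lockout started)
    refused = defaultdict(int)     # ip -> attempts made while locked out
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked_until and ts < locked_until[ip]:
            refused[ip] += 1       # inside a lockout: count the attempt as refused
            continue
        if m["status"] != "200":   # heuristic: a 302 redirect means the login succeeded
            failures.pop(ip, None)
            continue
        recent = [t for t in failures[ip] if ts - t <= FORGET] + [ts]
        if len(recent) >= MAX_FAILED:
            locked_until[ip] = ts + LOCKOUT
            lockouts.append((ip, ts))
            recent = []
        failures[ip] = recent
    return lockouts, dict(refused)

if __name__ == "__main__":
    events, refused = simulate_lockouts(SAMPLE_LOG)
    for ip, started in events:
        print(f"{ip} locked out at {started:%H:%M:%S}, {refused.get(ip, 0)} attempts refused")
```

Run against your own access log, the same replay shows how many password guesses a given lockout threshold would have stopped before you change the plugin's settings.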

Here’s How To Defend Against Other Big WordPress Security Issues…

You’ve got one important WP security vulnerability plugged now. But, you’ll also want to take action on several more vulnerabilities.

Smart WordPress website owners want a complete solution to secure their WordPress websites. The guys at WP Secure Pro have made it easy with their complete system. I bought it and was so impressed with it that I have rolled it out across all of the websites I manage. It’s that good. With WP Secure Pro, you get:

  • Videos – 27 short videos showing you step-by-step exactly how to secure all of your WP sites
  • Checklist – A security checklist
  • Guide – A companion guide with more information
  • Bonuses – 2 handy bonuses

The videos are short and to-the-point. The WP Secure Pro system relies on a select group of highly effective – and free – WordPress security plugins that you’ll want to install. You’ll also need FileZilla or a similar FTP client to make quick changes to a few files.

It’s all really easy.

What Does It Cost For Security In WordPress?

Consider what you would be willing to pay to keep hackers out of your WordPress websites…

In a world of $197 for “this” tool…and $97 for “that” tool, it’s refreshing to know that WP Secure Pro is only $29. But, don’t let the almost giveaway price for WP Secure Pro lull you into questioning its value. At only $29, you get security for WordPress. It’s a screaming deal!

As you sit here reading this, you begin to realize that your WordPress websites are constantly under attack. When you buy WP Secure Pro, it will be one of the smartest decisions you make to have security in WordPress.


Bottom-line

WP Secure Pro just works. Get WP Secure Pro now! It will be like having the house on the block with the burglar alarm on it. The bad guys will just move on to another house without one.

Highly recommended

What To Do Now…

Get WP Secure Pro now! You’ll be glad to have it.

 

Don Roberts, CLMC

Note: I purchased WP Secure Pro


WordPress Backup: Avoid Disaster With This Easy WordPress Blog Backup Solution


 
 

Picture this WordPress Backup Scenario Happening to You…

You’ve just noticed in your WordPress admin panel that the latest version of WordPress is available for updating your blog with the latest security fixes and some functional improvements. Sounds pretty standard, right?


And, just like you’ve done several times in the past, you click the “Update Now” button just to get it done and over with. Normally, it’s done before you know it. But, this time, something isn’t right. Instead of the usual successful update completion message you always get, you now see only a “Fatal Error” message.

As you’re sitting there, you begin to get concerned about what you’re seeing. Your concern turns into panic when you quickly discover that you can no longer log in to your WordPress website. Did you ever buy that WordPress backup tool? No? Great…now what?


Fatal Error Message on WordPress Update

Even if your WordPress website is somehow operational to site visitors, you won’t be able to make any changes to it…from now on.

Think about that for a minute…

WordPress Backup Problem (Photo courtesy of Channa)

And, if you’re thinking this wouldn’t happen to you, guess again. It happened to me, and it happens every day to countless WordPress website owners. In fact, the more sites you have, the greater the likelihood of disaster happening to you…sooner than later.

Now, Picture This WordPress Backup Scenario…

The WordPress update still goes bad (or something else goes wrong), but this time you have a solid WordPress backup solution already in place. And, because of this, you are glad to know that you will avoid the panic altogether…and simply make quick work of getting things back to normal.

What if This Happens to You Without a WordPress Backup Solution in Place?

A friend of mine is a real estate attorney, and he got his WordPress business website hacked so badly that the web hosting company’s tech support guys couldn’t even recover his website.

Let me repeat that. The tech support geeks who pride themselves in solving technical problems…couldn’t save anything.

…and, he did not have a WordPress Backup solution in place. It was a total loss. He had to have his website re-created from scratch.

Imagine that happening to you…

Not all Backup for WordPress Solutions are Created Equal

My friend’s catastrophe got me thinking about WordPress security solutions and WordPress backup solutions. I’ll tackle security for WordPress head-on in another article. But for this article, let’s take a look at a great WordPress blog backup solution.

Now, of course, there are free tools and paid tools. Some may ask, “Why should I buy a WordPress backup tool when I can get one free on the WordPress Codex?” It’s a logical question to ask.

As I began looking around, I found that many of the free WordPress blog backup tools only back up the WordPress files, not all of the files on your WordPress website. What was that? Yes, you’re reading that right…many do not back up everything.

That sounds ridonculous to me…

Why settle for an incomplete solution? I mean, who would want to use a WordPress blog backup tool that restores only the WordPress files, but requires that you spend hours finding and uploading all the non-WordPress files (like photos)? No thanks…

The WordPress Backup Tool of Choice*

While comparing WordPress blog backup tools, I quickly zeroed-in on one in particular that stood-out above the others. It’s called WPTwin, and it’s a real lifesaver.

While additional WordPress functionality often comes in the form of a plugin, the initial WPTwin solution does not.

Here’s what you get when you choose to buy WPTwin:

  • 2 php files (easy to upload to your website)
  • Browser login to generate a “clone” file (WordPress backup file)…or to “deploy” the clone (copy it back to your hosting account)
  • Member’s access to 2 short training videos

…Simple to get set-up and running.

With the initial WPTwin WordPress backup solution, backing up (or “cloning,” as the WPTwin guys put it) a WordPress website is a manual process. But, it’s so simple, and it takes less than a minute per website. The makers of WPTwin do, however, offer an addon plugin for WordPress to completely automate the backups.

* GoDaddy Warning: I have found that WPTwin does not work with GoDaddy. I went round and round with their tech support, and because of the way their server technology works for shared hosting, WPTwin won’t work…unless you upgrade to GoDaddy’s dedicated hosting for about $250/mo. This was a deal-breaker for my attorney friend… so much so that he decided to choose HostGator for his web hosting instead of GoDaddy. He moved everything over and has been making weekly backups since.

Here’s How to Back Up WordPress…

Using an FTP client (like FileZilla) or the cPanel’s File Manager, you upload the wptwin.php file to your WordPress website’s root directory (do this just once for each WordPress website). Using your browser, navigate to the wptwin.php file you just uploaded (e.g., www.domain.com/wptwin.php). Note that you have to be logged-in as an Admin to your WordPress, otherwise you won’t be able to clone your website. That’s a security feature that will keep others out, too.


WordPress Backup with WPTwin

Once logged in, you simply click the “Click to Clone this Site” button. Depending on how big your WordPress website is, it can take as little as 15 seconds to have a full clone of your website. On sites with a lot of content, it usually takes less than a minute.

Next, you click the freshly-created “Download:” link and copy the clone file to a folder you’ll remember on your hard drive. I have a separate folder for each WordPress website…easy to find everything related to a specific website that way.

Tip: So that I always have two identical backups in case of the unexpected, I copy a new clone file from my hard drive and paste it to my DropBox account, too.


WPTwin WordPress Backup Download Link

After I download the clone backup from the wptwin browser session, I immediately click the “Delete This Clone” button to delete the clone file so that it is not available to others.

If you get the WPTwin backup plugin, it currently saves backup files on your website’s server only. And, naturally, it does not automatically delete backup files.

I manually back up my sites and my client’s sites once a week.

Where the Rubber Meets the Road in a WordPress Backup…

Having WordPress backup files certainly provides a sense of security. But, they have little value if they don’t work when you need them to work.

Imagine the frustration you’d feel if you had used some other WordPress backup tool that only had been backing up the WordPress files…not everything. Many WordPress Admins find this out the hard way when it’s too late.


As it happens with WPTwin, re-creating a WordPress website from a complete clone is a piece of cake.

To redeploy the cloned website, the WPTwin instructions say to:

  • Install WordPress on your desired Domain and/or directory using cPanel (Fantastico)
  • Upload wptwindeploy.php and clone file to the root directory of your new WordPress installation
  • Access wptwindeploy.php with your web browser and follow the on-screen instructions

I Did This When Deploying My WordPress Backup Clone…

I actually went to a little more effort because I wanted to make sure there were no gremlins left running around on the hosting server hard drive. I decided to start completely fresh, so I deleted the currently corrupted WordPress installation in Fantastico…and, I decided to delete the associated addon domain from my hosting account. Then, I re-added it back to my hosting account. Perhaps a bit overkill, but I wanted to ensure I eliminated any trace of the previously corrupted set-up.

After I created a brand new WordPress installation, I pointed my browser to the domain just to make sure that the virgin WordPress blog was operational again. It was.

Next, you upload the wptwindeploy.php file and the backup file to the website’s root directory. I used FileZilla for this, but you can use other FTP clients…or the File Manager in cPanel.

When the files are in place, navigate to the wptwindeploy.php file (e.g., www.domain.com/wptwindeploy.php). Note that you’ll be asked to validate your use of WPTwin. When you’ve done this, you’ll be presented with some recommended defaults for the deploy process. I went with the recommended settings, then clicked “deploy clone”.

What Were the Results?

About 5 minutes later, the process was complete. My site was not only alive and well again, I was easily able to login to the Admin area to continue on as normal. Oh, and I made another backup just for good measure.

Which Website Did I Rescue from Disaster?

You’re looking at it. If I didn’t choose to buy WPTwin in 2011, my only choices would have been to re-create it…or scrap it. Neither is desirable.

The reason I have WordPress backup in place…is the same reason I have insurance for my car and house. It’s not sexy, until you need it. And, just like with insurance, if you don’t get WordPress backup in place before the problem arises, it’s going to be a bad day for you…

Additional Incentive to Get WPTwin

There are some other paid WordPress backup plugin tools out there. And, while I believe WPTwin is the best WordPress backup solution, an additional reason to buy WPTwin is that you can use it on an unlimited number of WordPress websites. Other WordPress blog backup plugins have a limit on the number of websites you are allowed to use them on. And, outrageously, with that limitation, some cost more than WPTwin!

Bottom-line

WPTwin just works. Get WPTwin now. You’ll be glad you did, especially when WordPress disaster strikes…and you have a recent clone of your entire WordPress website waiting in the wings to re-create your site…within about 10 minutes.

Highly recommended

What To Do Now…

Join me and make the smart decision: choose to get WPTwin now before you lose your WordPress website because you didn’t have a complete clone ready to go.


Don Roberts, CLMC

Note: I purchased WPTwin
