02 Mar 2016

Protecting WordPress

WordPress is one of the most popular Content Management Systems in use today; however, that popularity brings a lot of potential issues, and protecting WordPress requires a few additional steps after installation.  Because WordPress is Open Source, the source code is freely available, meaning the less than ethical people out there are able to scour the thousands and thousands of lines of code to find potential ways to hack your site and cause problems for both you and the host of your site.

Webworx have a number of security measures in place to minimise harm and to try to limit Brute Force or Denial of Service attacks, but we can’t protect your site against badly written code!

The good news is that there are a number of precautions you can take to keep any exploits to a minimum:

1) Always ensure your WordPress installation, and any plugins used, are kept up to date.  Pay particular attention to any plugin that provides a way to upload images etc., as these are often exploited to upload executable code.

2) If you have a static IP address in your office, restrict access to the admin login by adding the following to the .htaccess file in your root folder:

<files wp-login.php>
# Apache 2.2-style access control; Apache 2.4 only accepts these
# directives when mod_access_compat is loaded.
order deny,allow
deny from all
# Placeholder addresses: replace with your own office/home IP(s).
allow from 203.0.113.10
allow from 198.51.100.20
</files>

(replacing the IP address(es) with your office/home address)

3) To add additional security to the back-end of your site, make sure you use complex passwords, and we suggest not using ‘admin’ as the username.

4) Use one of the many security plugins available.  We recommend Wordfence, which will scan your site to ensure that no files have been edited by external sources.  It will also lock people out of your back-end system if they’ve been trying to guess admin passwords.
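As an added example (not from Webworx or from the Wordfence plugin), here is a small Python script that performs the kind of check item 4 describes, run over a few constructed Apache access-log lines: it counts failed POSTs to wp-login.php per client IP inside a sliding time window and reports the sources that look like password guessing. The log format, the IP addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log line (the format most WordPress hosts write).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 198.51.100.7 guesses passwords, 203.0.113.10 is a normal editor.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Mar/2016:09:00:01 +1000] "POST /wp-login.php HTTP/1.1" 200 3920
198.51.100.7 - - [02/Mar/2016:09:00:02 +1000] "POST /wp-login.php HTTP/1.1" 200 3920
198.51.100.7 - - [02/Mar/2016:09:00:03 +1000] "POST /wp-login.php HTTP/1.1" 200 3920
198.51.100.7 - - [02/Mar/2016:09:00:04 +1000] "POST /wp-login.php HTTP/1.1" 200 3920
198.51.100.7 - - [02/Mar/2016:09:00:05 +1000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.10 - - [02/Mar/2016:09:01:00 +1000] "GET /wp-login.php HTTP/1.1" 200 3920
203.0.113.10 - - [02/Mar/2016:09:01:20 +1000] "POST /wp-login.php HTTP/1.1" 302 0
"""

def parse_log(text):
    """Yield (ip, timestamp, method, path, status) for every line that parses."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (m["ip"], datetime.strptime(m["ts"], TS_FMT),
                   m["method"], m["path"], int(m["status"]))

def login_guess_sources(text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: failed_attempts} for clients with >= threshold failed logins
    inside any `window`. WordPress answers a wrong password by re-rendering the
    login form (HTTP 200) and a correct one with a redirect (302), so a 200 to a
    POST /wp-login.php is counted as a failed attempt."""
    failures = defaultdict(list)
    for ip, ts, method, path, status in parse_log(text):
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200:
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0                      # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Running `login_guess_sources(SAMPLE_LOG)` on the constructed log flags only 198.51.100.7; feed it a real access log to get the same report for your own site.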

5) Ensure you have regular backups!  There are many plugins available; our personal recommendation is Updraft Backup and Restore.  This plugin will allow you to schedule regular backups of the database and files.  The backup files can even be automatically uploaded to external servers for your own peace of mind.  Webworx do take backups every night, but you can never have enough backups!!

6) If you have multiple people working in the back-end of the site, set each of them up with the relevant user role.  Someone editing content doesn’t necessarily need to be given Super Administrator rights.  Make sure you keep track of exactly who has access to the admin login details, because if they fall into the wrong hands, e.g. an ex-employee or your old web designer, who knows what might happen.

If you run into any problems while editing your site, e.g. a 403 Forbidden Error or a 500 Internal Server Error, then please do not hesitate to contact Webworx.  It may be that our security system has picked up something that it deems suspicious, or it might be that an errant plugin is using too many resources and affecting the performance of your site.  We can often find out exactly what’s wrong by having a look at the log files and helping out with the relevant fixes.

If you have a few people accessing your back-end at the same time, you may run into problems with the site, such as Out of Memory or 500 Internal Server errors.  We’ve found that a feature added to WordPress recently can cause your site to use more resources than necessary.  There is a simple Heartbeat Control plugin that you can install which may remove many of the problems.  See this link for more information and an explanation of the plugin: http://www.inmotionhosting.com/support/website/wordpress/heartbeat-ajax-php-usage

25 Jan 2015

The Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.


© 2015 Webworx International Pty Ltd. All Rights Reserved.