OWASP WordPress Security Implementation Guide

Ever since late 2001, OWASP has become an essential part of online freedom, security, and trustworthiness. For the best part of two decades, they have played a leading role in the development of a safer, stronger internet. That’s very important, and their work when it comes to safe and secure internet usage, including with WordPress, is invaluable.

If you wish to make the most of your WordPress website, OWASP has produced an impressive new security implementation guide. When used accordingly, this guide provides users with all the information that they need to stay ahead of the game and to maintain a safe website which everyone is able to use.

This has become an increasingly important part of online safety and security. To help you make sure that your website is safe, you should look to carry out the following security implementations. Done correctly, this could vastly improve the safety and security of your website for all users.

1. Broken authentication in WordPress

A common problem with your WordPress site may come from broken authentication. When this happens, attackers could gain direct access to your website and, in a worst-case scenario, complete control over it.

It’s recommended that you move the standard /wp-admin login path for your WordPress site, replacing it with something much harder to guess. The same applies to avoiding standard usernames.

For example, you should rename any account named ‘admin’ and replace it with something unique and much harder to guess: complexity is important, and it’s worth making login challenging to put off attackers.

2. XML external entities (XXE) in WordPress

This is another common issue that you need to be prepared for, and it most commonly happens when your XML parser is not configured strictly enough. While this is often a developer issue, the best way to avoid XXE problems in WordPress is to keep your WordPress software updated.

Also, try to avoid needlessly complex data formats, and make sure that all of your XML processors are up to date. If you would like a more robust option, it’s recommended that you look at getting a Web Application Firewall, which helps block XXE attacks.

3. Security misconfiguration in WordPress websites

One extremely common yet damaging issue is security misconfiguration. This often results from a lack of updating or patching of the WordPress system that you use, or from a failure to make basic security changes such as removing the default ‘admin’ account, as mentioned above.

You should get rid of any WordPress default that exists: this includes the two mentioned before. You should also change any other path which is installed by default, including on any plug-ins or themes that you might be using. The developers of any third-party WordPress tool should be able to help you do that. The more unique your WordPress website is at the back-end, the better.

4. Using components with known vulnerabilities

While updating all of your plug-ins and components might mean paying for them, it’s essential that you do so. Old legacy editions of WordPress plugins and third-party software often require you to stay on an older edition of WordPress: this is never recommended.

Delete any old components which are installed, such as the default WordPress themes, even if you never use them. Get rid of anything that is out-of-date, and if you need to invest some money into buying the safest and most up-to-date option, do so. The cost is minor in comparison to the cost of lost or compromised data.

5. Apply controls as per the classification

To avoid needlessly exposing sensitive data, you should apply controls according to its classification. This is vital to help prevent the exposure of sensitive and vital data. Avoid storing sensitive data unless it is 100% necessary, and make a clear point of identifying data that must be secured as a priority.

Make sure that you look to change any default cryptographic keys if you are using any, too; the more unique your keys are, the better.

6. Verify independently the effectiveness of configuration

To help prevent the exposure of vital data, you should look to make sure that you get independent verification of the configuration. This will often mean bringing in a security expert to put your systems through a stress test. This is very much recommended, as the benefits of doing so will often mean that your data is less likely to be exposed.

Whilst preventing data exposure is probably the hardest part of running a WordPress website, the consequences of doing nothing can be severe. Therefore, you should identify all data which is sensitive, and then have your data storage configurations rigorously tested. It’s better to find a problem now than after it’s too late.


The Most Common Password Hashing Methods For Securing Your Ecommerce Platform

In 2018 password hashing is becoming more important than ever for both ecommerce website owners and people who provide commercial software applications.

Protecting your users’ data is no longer a suggestion, rather, it is a requirement as consumers are beginning to consider their security and the safety of their data a top priority.

As ecommerce continues to grow at a solid rate, with ecommerce sales projected to hit just over $4 billion by the year 2020, protecting your users’ data is now more important than ever.

If a hacker or malicious actor gains access to your password database and those passwords are stored in plain text, the intruder will have access to every user account on your website or application.

The recommended way to avoid this is through password hashing.

Ecommerce Hacks

Without the proper cybersecurity protocols in place, ecommerce store owners risk putting themselves and their customers at risk. We don’t need to look any further than the 2013 Target hack to understand how and why hacking is a major threat to ecommerce platforms.

That being said, smaller ecommerce stores are at an even bigger risk than the larger corporations because they have weaker security protocols against cybercriminals. Two of the largest kinds of cybercrime that smaller ecommerce stores may face are phishing attacks, where user data such as credit card numbers and login information is targeted, and credit card fraud, where hackers attempt to extract credit card numbers and then sell them on the black market.

As you can hopefully tell by now, the security of your ecommerce store must be of the utmost concern to you, and this will require you to employ a number of security measures, including password hashing.

What is Password Hashing?

To understand how password hashing is used currently on content management systems and web applications, we have to define a few key things.

When you hash a password, it basically turns the password into a scrambled representation or ‘string,’ and you use this to avoid storing passwords as plain text where they can be found by malicious actors. Hashing compares the value with an encryption key internally to actually interpret the password.

It should also be noted that hashing is a form of cryptographic security that is different from encryption. Encryption is designed to encrypt and decrypt a message in a two-step process, but, as we have just gone over, hashing is designed to generate a string from an input string, and that output can vary significantly with only small variations in the input.

An additional hashing measure that you will see is what’s referred to as salting, which is simply the addition of characters to the end of the hashed password to make it more difficult to decode.

Similar to salting is what is referred to as peppering. This also adds an additional value to the end of the password. There are two different versions of salting: the first, where you add the value to the end of the password as mentioned above, and the second, where the value added to the password is random in both its location and its value. The advantage of this is that it makes brute-force attacks and certain other attacks very difficult.

Currently Used Hashing Algorithms

You will see a wide variety of hashing methods used on passwords depending on the platform. This can also vary between content management systems.

One of the least secure hashing algorithms is MD5, which was created in 1992. As you may imagine of an algorithm created in 1992, it is not the most secure hashing algorithm. It uses 128-bit values, which is a lot lower than traditional encryption standards, so it is not a very secure option for passwords and is instead more often used for less security-sensitive tasks such as checking file downloads.

The next common hashing algorithm that you will see is SHA-1. This algorithm was created in 1993 by the US National Security Agency. They waited a few years to publish the algorithm; however, despite being developed only one year later than MD5, it was significantly more secure at the time. You may still see some passwords being hashed this way, but unfortunately this standard is no longer considered secure.

As an upgrade to SHA-1, the National Security Agency published SHA-2, which was created in 2001. Like its predecessor, it was not specifically created by the NSA and was only standardized a few years ago. It still remains a viable method for securely hashing passwords.

Another password hashing algorithm that you will see is bcrypt. The bcrypt algorithm includes a salt, which is designed to protect against brute-force attacks.

One of the tools bcrypt uses to make brute-force attacks more difficult is slowing down the brute-force operation or program that a malicious actor may be using. This means that if a brute-force attack is attempted, it will likely take years, if it succeeds at all.

Similar to bcrypt is scrypt. This password hashing algorithm also extends the key with additional defenses such as salts (designed to add random data to a hash function’s input to create a more unique output) to make brute-force attacks almost impossible. An additional advantage of scrypt is that it is designed to take up a large amount of computer memory when it is being brute-forced. That gives it an additional measure to extend the time a brute-force attack needs to succeed.

The last password hashing algorithm we’ll see on content management systems and web applications is PBKDF2. This password hashing algorithm was created by RSA Laboratories and, like the algorithms mentioned before, also adds extensions to the hash to make brute-force attacks more difficult.

Storing Hashed Passwords

After the process of hashing, and after whatever algorithm is being used does its job, the output of the password will be a scrambled hexadecimal representation of itself.

What that means is that it will be a very long series of letters and numbers that will be what is stored by the website or application in the case that a hacker gains access to that information.

So, in other words, if a hacker gets into your ecommerce website and finds a database of user passwords, they will not be able to use them to directly log into a user’s account.

Rather, they would have to interpret the random letters and numbers to figure out what the password actually is.

Multiple Website Passwords

Sometimes you’re going to run into situations where your ecommerce store users may need to share passwords across different services.

An example of this might be that you have a separate build of your application for mobile devices that is maybe a different technology or on a different platform as compared to your web-based version. In this instance, you would need to sync hashed passwords across multiple platforms, which can be very complicated.

Fortunately, there are companies that can help with cross-platform syncing of hashed passwords. An example is FoxyCart, a service that allows hashed password syncing from application to application.
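As an added example (not code from the article or from any product it names), the following Python shows the pieces discussed in the hashing and storage sections working together: a random per-user salt fed into PBKDF2 or scrypt, an optional server-side pepper mixed in with HMAC, the result stored as hex together with its parameters so that a second application (the cross-platform syncing case above) can verify the same record, and a constant-time check at login. The work-factor values and the pepper are constructed placeholders.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work-factor parameters for this example (constructed, not from the article);
# tune them upward for production hardware.
PBKDF2_ITERATIONS = 200_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB of memory per hash
SALT_BYTES = 16
DKLEN = 32


def _apply_pepper(password: str, pepper: Optional[bytes]) -> bytes:
    """Mix a server-side secret (the pepper) into the password before hashing.

    The pepper lives in application config or a secrets store, never in the
    database beside the hashes, so a stolen password table alone is not
    enough to start guessing offline.
    """
    pw = password.encode("utf-8")
    if pepper is None:
        return pw
    return hmac.new(pepper, pw, hashlib.sha256).digest()


def hash_password(password: str, algorithm: str = "pbkdf2",
                  pepper: Optional[bytes] = None,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$params$salt_hex$hash_hex.

    The salt is a fresh random per-user value fed into the hash function and
    stored next to the result in hex, so two users with the same password get
    different records and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    secret = _apply_pepper(password, pepper)
    if algorithm == "pbkdf2":
        dk = hashlib.pbkdf2_hmac("sha256", secret, salt,
                                 PBKDF2_ITERATIONS, dklen=DKLEN)
        params = str(PBKDF2_ITERATIONS)
    elif algorithm == "scrypt":
        dk = hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, dklen=DKLEN)
        params = f"{SCRYPT_N},{SCRYPT_R},{SCRYPT_P}"
    else:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return "$".join([algorithm, params, salt.hex(), dk.hex()])


def verify_password(password: str, record: str,
                    pepper: Optional[bytes] = None) -> bool:
    """Recompute the hash from the stored record and compare in constant time."""
    try:
        algorithm, params, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False          # malformed record
    secret = _apply_pepper(password, pepper)
    if algorithm == "pbkdf2":
        dk = hashlib.pbkdf2_hmac("sha256", secret, salt, int(params), dklen=DKLEN)
    elif algorithm == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        dk = hashlib.scrypt(secret, salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    else:
        return False          # unknown algorithm: refuse rather than guess
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    PEPPER = b"constructed-example-pepper-keep-out-of-the-db"
    record = hash_password("correct horse battery staple", "scrypt", pepper=PEPPER)
    print("stored record:", record)
    print("right password:", verify_password("correct horse battery staple", record, PEPPER))
    print("wrong password:", verify_password("Tr0ub4dor&3", record, PEPPER))
```

Because the record carries its algorithm and parameters, a second application only needs the same pepper (if one is used) to verify it, and you can raise the work factor for new users without invalidating old records.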

Wrapping it Up

In addition to Foxy, there are many other popular ecommerce platforms to choose from. Regardless of which one you use, keeping your online ecommerce store secure must be a top priority, and password hashing is one of the best, and also one of the more overlooked, security measures that you can employ today.

The more properly hashed a password is, and if it’s using the newest standards like salting and peppering, then basically the only way for a malicious actor to get someone’s password would be via a brute-force attack.

And with the methods we mentioned above and the algorithms used by various content management systems, even brute-force attacks are becoming more and more difficult. That is, only if you implement these tools properly.

The Overlooked Principles of a Strong WordPress Security Strategy

It should be no secret that websites are inherently vulnerable to security risks. And unfortunately, that includes your own website run by WordPress.

Hackers will use malicious software to infect your websites, gain financial and customer information, infect your visitors with similar software, and even redirect traffic.

Needless to say, having your website hacked is going to almost certainly result in you losing a lot of money and customers, not to mention your reputation will take a hit.

That being said, many website owners choose not to follow basic website security practices because they believe that their site or blog will never be hit. They convince themselves that since they don’t have anything of much value to hackers, their site will be kept safe from hacking.

But in reality, this mindset ignores how hackers actually work. In fact, hackers and cybercriminals rarely target specific online small businesses, blogs, and websites. Instead, they broadly search for websites and online businesses that have common vulnerabilities that they can exploit.

In other words, hackers are just going after the most vulnerable websites they can find regardless of what those websites are, meaning that by failing to follow basic and yet effective security practices you could be setting yourself up for a major disaster.

In this article, we’re going to cover the overlooked principles of a strong website security strategy that you would be wise to follow.

Automate Patching

A ‘patch’ is simply a security fix released by a CMS, or content management system, and accomplished by adjusting pieces of code.

That being said, the vast majority of small to medium-sized online businesses (SMBs) do NOT keep up with the patching rate. In fact, around 75% of all websites contain unpatched vulnerabilities.

Simply put, without patches, you’re leaving huge swathes of your website open and vulnerable to hackers, to the point that financial data can be stolen or the entire site could be completely defaced.

This is why automating your patching process is so important, so that patches are applied automatically whenever a new one is released.

Use CDNs Wisely

A Content Delivery Network, or CDN for short, is simply a distribution network consisting of interconnected servers that can serve cached internet content from whichever network location is closest to the user.

CDNs are definitely one of the best ways to reduce loading times of your individual website pages, mainly because it’s possible that a user could have cached the script already by visiting a separate website that also uses that CDN.

Certain CDN providers can also offer a number of advantageous security improvements to your sites as well, such as DDoS mitigation and web application firewalls to name a couple.

But that being said, CDNs also open things up to other kinds of attacks. For instance, when a user requests content that the local CDN servers do not have cached (so-called dynamic content), the origin server is contacted to provide the content.

Hackers will take advantage of this by attacking content during the ‘hand-off’ between the origin server and the local server, but the issue is that many businesses lack an origin server that can defend against these kinds of attacks.

One solution is to restrict how many dynamic content requests your site will accept over a specific period of time, though this can also result in innocent users being denied access to such content during times of high traffic.

Another solution would be to select an overlay CDN that focuses specifically on accelerating dynamic content requests across the internet without sacrificing security. An example of an overlay network that does this is Teridion, which is a superior choice to alternatives such as CloudFront.

Offer SSL Certificates To Your Customers

Previously, it was very financially inconvenient to offer SSL certificates to each of your customers, but today it’s very easy to get a cheap SSL certificate, and it can even be done at no cost with open certificate authorities such as Let’s Encrypt.

Offering SSL to your customers will make it far more difficult for hackers to intercept data, and Google will also rank your website higher in the search engines if you use SSL as well.

Basically, SSL is simply a technology that forges an encrypted link between a browser and a web server, to ensure that all data passed between the two is kept completely private.

To put this into perspective, if a user visits a website with a form, once the form is filled in and submitted, the information can be easily intercepted by a hacker. For example, you may enter your credit card number or your login information.

The most common method by which a hacker will intercept this data is by installing a listening program on the server that hosts the website. Encrypting the website and browser connection with SSL will create what is called a binding connection to ensure that no one else can see the information that a user types in to a form.

The website owner needs to decide which SSL certificate is ideal for the website, and if you are not certain about the choice, there are multiple options, such as a single-domain SSL certificate, a cheap wildcard SSL certificate, or a multi-domain SSL certificate. You can even ask your SSL provider about your requirements and get the best SSL certificate for WordPress security.

Conclusion

Too many website owners overlook the above security procedures, and the result is their websites will be inherently vulnerable when hackers are on the prowl for sites that can be easily exploited.

Automating your patching, carefully using Content Delivery Networks, and offering SSL Certificates to your customers are by no means the only things you should do to beef up your website security, but they are undeniably among the most effective, not to mention neglected by the average website owner.

Top 5 Cybersecurity Startups of 2019

In the cybersecurity market, it seems as if every new solution is almost immediately followed by a host of new challenges. This has been the reality of a market that is considered to be a top-priority as time goes by. The number of security breaches made has been increasing drastically and recent figures show that even big companies like Facebook are not safe. According to ITProPortal, 2018 saw at least 50 million users affected by a large-scale Facebook breach. Such figures go to show how hackers are getting inventive even in an age of technical know-how. Because of the huge cybersecurity threats, many companies are getting involved in creating solutions. We have compiled a list of some of the top cybersecurity startups to follow in 2019.

1. Zeguro

Zeguro is one of the startups that are providing a wide range of solutions for small and medium-sized companies. This startup has a platform that allows users to detect and identify cyber security threats. In addition to identification, the platform has a wide range of solutions for users. The virtual security officer that comes with the platform is capable of tackling a large number of threats. Zeguro is also an insurance platform that gives internet users relief in case they are attacked. With services like training, insurance, risk assessment, and overall management; Zeguro is a comprehensive platform that has great prospects in the industry. The platform has big plans for cyber insurance and other products.

2. Darktrace

Darktrace is a platform that has been around for several years now. The main feature of this platform is the ability to identify and respond to threats in real-time. This proposition is unique in that not many companies have such services in the market. The startup was launched in 2013 and it has seen positive growth over the years. One of the key reasons why Darktrace has been embraced by internet users is its effectiveness. With over 60,000 threats having been identified by the platform across the world, the platform is unique and there are not many other startups that can boast of such stature. The executives at the company believe that they will be able to solve more high-profile attacks with time as they bake in more features into the platform.

3. Cybereason

One of the main approaches that have been explored in recent years when it comes to tackling cybersecurity issues is the proactive identification of threats. Cybereason is one of the companies that have been a huge champion of this. Experts in the IT field have for a long time expressed the importance of real-time detection and resolution of threats. Jamie Cambell from gobestvpn.com states that the technology available currently is good enough for proactive solutions. Cybereason has been using artificial intelligence to do tasks like monitoring in order to detect threats in a timely manner. As technology continues to evolve, it is expected that detection times will get shorter. This is why the objectives of Cybereason are quite realistic for the current market.

4. Obsidian

When it comes to detecting threats, data is a crucial part of the process. Obsidian is a startup that has taken up the challenge to study how companies can use data science methods to tackle threats. This startup was founded in 2017 and it has been growing steadily over the time it has been on the market. At its launch, the founders stated that their goal was specifically on big enterprises that had challenges protecting their users’ data.

By using AI and machine-learning technologies, Obsidian hopes to make effective use of data science to detect and forestall cybersecurity threats.

5. PerimeterX

Finally, PerimeterX is a startup that has ventured into areas of emerging threats. While most threats in the market are carried out by actual humans using technology, some are often done by bots. Technology has evolved to the extent where programmed bots can be used to cause security challenges to businesses. PerimeterX is a company that has invested heavily in studying threats caused by bots.

This startup uses machine learning technologies for various identification processes. By establishing that certain threats are emanating from non-human entities, it becomes easier to tackle them before any damage is done. PerimeterX is, therefore, a company that is breaking the barriers when it comes to the sophistication of cyber threats. It is expected that bots will play a much bigger role in insecurity. This startup is thus one of those that will be interesting to watch over 2019 and coming years.

How To Reduce Plugin Security Risks Once and For All

If you use WordPress, you know how much of a godsend plugins can be.

The ability to add functionality to your website quickly and easily via installing and activating plugins is one of the reasons why WordPress reigns supreme in the web design and development world. However, when thinking about security, plugins can cause some issues.

Oftentimes, the way hackers or malicious actors gain access to WordPress websites is through security holes in plugins. That means that the more plugins you have, the more holes there could possibly be.

In order to reduce this risk on the website, we will outline the best practices for reducing WordPress plugin security risks.

Use Fewer Plugins

This may seem like a no-brainer, but many people overlook this as a possible way to keep their site safe. As we explained earlier, the more plugins you have the more risks there could be.

That’s why a great way to reduce the security risks surrounding WordPress plugins is to avoid using them for adding very small pieces of functionality for your site.

So, if possible, add functions and custom code directly instead of relying on a plugin to do that for you. While this may seem like a tall order, it is certainly easier than hiring a developer to clean up a hacked WordPress site.

Uninstall Plugins That Haven’t Been Updated

It’s an unfortunate fact that sometimes developers are not able to keep their plugins up to date. And one of the top reasons WordPress plugins are updated is that new security issues are being patched or fixed by the developer.

That means if you have a plugin on your WordPress site that hasn’t been updated by the developer in months or years, you should look for an alternative. Not only will plugins that are regularly updated work better, but they are also often more secure than those that go without updates for a long period of time.

Implement A Firewall

Even if WordPress plugins are updated frequently, that doesn’t 100% guarantee that they will be secure. That is why it’s also a common security practice to implement a firewall on your WordPress site using a firewall plugin.

This will eliminate the ability for hackers or malicious actors to access your site through security holes they may find in your plugins. In addition to being a best practice for reducing plugin risks, it will also help you in a broad range of other areas. Generally, WordPress firewalls stop things like brute force attacks, and other common vulnerabilities experienced on the WordPress platform not related to plugins.

Using a firewall is like WP Security 101, and having plugins that do the job is one of the things that makes us love WordPress (most out-of-the-box website builders have no firewall feature, and generally weaker security in comparison).

Keep Plugins Updated

Some people never check back in on the plugins they use to add functionality to their WordPress website. This can be a huge issue. Because, as we mentioned before, the main reason why developers update plugins isn’t just to upgrade their functionality, but to make them more secure as new security standards are developed and as new techniques used by hackers are revealed.

Luckily, WordPress provides a way to keep your plugins updated right in the back end of the admin panel. So check the plugins area of your WordPress admin often to ensure all of your plugins are continuously up to date.

Delete, Not Just Deactivate

It’s a common thing for people running WordPress websites to find a new plugin that meets their needs, or to realize that a particular plugin isn’t providing the value they thought it would. Most commonly, WordPress admins just deactivate this plugin.

However, if the plugin still exists on the site then it could still be presenting security holes for hackers or malicious actors to exploit. That is why instead of just deactivating the plugin, you should delete it altogether. Additionally, you should check your WordPress plugin directory on your server to ensure no files were left over when the plugin was deleted from your site.

Choose Well-Rated Plugins

The WordPress plugin directory provides a rating system and feedback system that is directly integrated into the platform. So a good way to ensure a plugin is going to both work well and be secure is to check these things out. By checking the ratings, you are able to see what other WordPress admins think of its functionality.

Additionally, you can see the frequency of updates that have been pushed out for any particular plugin. And as we established earlier in this article, it’s essential for a WordPress site’s security that plugins be updated regularly. The WordPress team also provides a support forum, where you will often find discussions about a particular plugin.

This forum will give you even more insight into a plugin and its developer’s nature. In addition to the WordPress plugin directory and forum, a simple Google search will reveal lots more opinions of the plugin.

Only Use Safe Plugins

Oftentimes you will find plugins outside the WordPress plugin directory. While some of these plugins are fine, you need to be wary of them. The WordPress plugin directory checks certain things, like minimum security and performance standards.

That means plugins that don’t go through this system could possibly be insecure without the developer even knowing. So if you do decide to use third-party plugins, be sure to get them from reputable sources for which you can find good reviews on the web. Oftentimes WordPress plugins that are paid have a higher degree of quality than those that are free.

Conclusion

The plugin function is one of the things that is keeping WordPress as the #1 CMS out there.

However, with security becoming a bigger and bigger concern, you need to know the best practices when using plugins. Adding extra functionality to a website with a click of a button is a huge advantage.

However, if it comes at the cost of compromising your site’s security, you should just find other ways to add that functionality to your site. But the issue of WordPress security doesn’t just stop with good plugin practices. There are other ways to keep your site secure that you should think about if security is one of your top priorities.

WordPress Security – Essential Tips for Every Site Owner

Did you know there are over 90,978 attacks on WordPress websites every minute? Luckily, even though this number sounds huge, if you follow the basic security rules, you can prevent the majority of potential attacks and make your website attack proof.

Or at least make it so hard to break in that hackers would rather target one of the thousands of poorly secured ones. Which is not that hard to do, especially if you consider that many attacks are performed after automated vulnerability scanners find potential ways in. So, how to skyrocket your WordPress site security? Here are the 6 Essential Tips.

1. Keep Your WP Installation, Themes and Plugins Updated

A no-brainer, but a frequently ignored one. According to WordPress.org, 1/3rd of all WordPress websites has not been updated to the latest version. On top of that, almost 2/3 of all web hosts use PHP older than 7.0. An outdated WordPress installation and server frameworks pose a great threat to your site and increase the risk of a successful breach, as hackers will try to access your website using non-patched vulnerabilities.

In fact, if you keep all your themes, plugins, as well as WordPress up-to-date, you will be more secure than 75% of all legitimate sites – as it’s estimated that three in four sites contain unpatched vulnerabilities. Luckily, getting the latest versions of your WP plugins, themes, and WP itself is pretty straightforward – all you need is a few clicks of a button.

At the same time, ensuring that your server is running the latest PHP version can be a bit more time-consuming. That’s why it’s best to just reach out to your hosting support and ask them to point you to a guide on how you can upgrade it yourself or even ask them to upgrade it for you.

2. Install a Malware Scanner and Firewall

If you thought that only your PC can get affected by malware, viruses, and brute force attacks, you could not be more wrong. Not only can WordPress be affected, but it’s, in fact, the most infected website CMS, which most likely has a lot to do with its popularity.

The good news is, there are many free and paid firewalls and malware scanners for WordPress. One of the most popular ones is Wordfence Security, which offers both malware scanning and firewall, and comes in both free and paid versions.

3. Get a VPS and Turn It into a Fortress

Compared to shared hosting, a VPS allows you to control every aspect of its configuration. Thanks to that, you can not only make your website faster but also ensure that its hosting environment – the server – is properly secured.

On an unmanaged VPS, it's up to you to choose the OS (for example, CentOS is considered more secure than Ubuntu), the firewall and any other software you install, such as malware scanners (which you should install both in WordPress and on the server itself).

Moreover, by installing WordPress on a VPS where you have root access, it's easy to change things such as MySQL passwords, rename WordPress folders and reconfigure its files to reduce the chance of a successful attack, although some of that can also be done with security plugins.

Naturally, to reap all the benefits of a virtual private server (speed, flexibility and scalability, to name a few), you should rent a server from a company that offers different pricing packages that are easy to upgrade should you need more resources.

4. Hide /wp-admin and your WordPress installation

Why tell the world you are running WordPress in the first place? While it's a great content management system, you don't necessarily have to boast about running it, especially since it provides a potential intruder with valuable information. For example, unless you hide WordPress, websites such as What WordPress Theme is That? disclose not only the theme you use but also some of your plugins. It's like telling the hacker: hey, this is how you can get inside.

So, how do you hide your WP site information from the prying eyes of potential intruders? Fortunately, you don't need any technical skills at all. Where there is demand, there are WordPress plugins you can use to do that – the most popular being Hide My WP by the wave, which can hide your login page and make the details of your WordPress installation invisible (unfortunately, there is no free version).

Alternatively, you can get the free version of iThemes Security, which doesn’t provide you with as many hiding options (although it allows you to hide the login page), but comes with many other security perks.

5. Change Your WP Username and Keep It Hidden

Just like you shouldn't use the word password as your actual password, leaving the default WordPress username admin in place can have dire consequences. After all, it's probably the first thing any potential intruder would try, so by keeping it you make it incredibly easy for them to figure out half of your admin credentials.

How do you change it? There are two ways. You could look for a plugin that does it for you, or go the manual way. Personally, I prefer the latter, as it's just as quick and easy, and anyone can do it. But because WordPress doesn't give you an out-of-the-box option to rename a user, you need a small workaround. First, log into your site and go to Users > Add New.

Once there, insert the username of your new admin account and make sure that you set the user role to Administrator. Once that’s done, click Show password and change or copy the default (secure) password.

After the user is created, log out of the site and log in with the new user. Go to Users > All Users and remove the old WordPress admin account. But that's not all. You need an account to publish your posts with, right? Instead of publishing them from the administrator account (author permalinks make its username easy to guess unless you change them), go ahead and create a separate account. This time, instead of setting its role to Administrator, give it a role without administrator capabilities (such as Author or Editor).

Once done, go ahead and set the author of all existing posts to the new user (you can do that in All Posts > Quick Edit under each article).
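The same procedure as steps 5 above, as an added example that is not part of the original article: it uses the WordPress user API instead of the dashboard, and assumes a single-site install run through WP-CLI (`wp eval-file replace-default-admin.php`). Account names and e-mail addresses are constructed placeholders.

```php
<?php
/**
 * Added example (not the article's own code): retire the default "admin"
 * account with the WordPress user API. Assumes a single-site install, run
 * once with WP-CLI:  wp eval-file replace-default-admin.php
 */

require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here

/**
 * Creates a new administrator and a separate low-privilege publishing account,
 * moves every post owned by $old_login to the publishing account, then deletes
 * the old account. Returns the two new user IDs, or a WP_Error.
 */
function example_replace_default_admin( $old_login, $new_admin, $admin_email, $publisher, $publisher_email ) {
    $old = get_user_by( 'login', $old_login );
    if ( ! $old ) {
        return new WP_Error( 'no_such_user', "No account named '$old_login'; nothing to do." );
    }

    // 1. Replacement administrator with a hard-to-guess login. The password is
    //    random and never displayed; wp_new_user_notification() e-mails the new
    //    user a set-password link instead.
    $admin_id = wp_insert_user( array(
        'user_login' => $new_admin,
        'user_pass'  => wp_generate_password( 32, true, true ),
        'user_email' => $admin_email,
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $admin_id ) ) {
        return $admin_id; // e.g. login or e-mail already in use
    }
    wp_new_user_notification( $admin_id, null, 'user' );

    // 2. The account that will show up in author permalinks. An Editor can
    //    publish and edit content but cannot install plugins, edit theme files
    //    or manage users, so guessing this username gains an attacker little.
    $publisher_id = wp_insert_user( array(
        'user_login' => $publisher,
        'user_pass'  => wp_generate_password( 32, true, true ),
        'user_email' => $publisher_email,
        'role'       => 'editor',
    ) );
    if ( is_wp_error( $publisher_id ) ) {
        return $publisher_id;
    }
    wp_new_user_notification( $publisher_id, null, 'user' );

    // 3. Delete the old admin; the second argument reassigns all of its posts
    //    (the manual "All Posts > Quick Edit" step) to the publishing account.
    wp_delete_user( $old->ID, $publisher_id );

    return array( 'admin' => $admin_id, 'publisher' => $publisher_id );
}

$result = example_replace_default_admin(
    'admin',                 // default login to retire
    'owner-7hq2x',           // placeholder: choose something unrelated to the site name
    'owner@example.com',     // placeholder
    'editorial',             // placeholder: the name that appears in author URLs
    'editorial@example.com'  // placeholder
);
if ( is_wp_error( $result ) ) {
    echo $result->get_error_message(), "\n";
} else {
    printf( "New administrator ID %d, publishing account ID %d\n", $result['admin'], $result['publisher'] );
}
```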

6. Secure Existing WordPress User Accounts

Do you work with virtual assistants, or have employees who can access your WordPress website? In that case, it's best not to give them access to all plugins and data. After all, they probably don't need to configure every plugin on your site. And unless they are a trusted developer, they most definitely shouldn't have access to the theme editor. How do you restrict their access? One way is to create their accounts with one of the default roles: Contributor, Author or Editor.

But what if you want to lock them out of more than those roles restrict, while giving them access to parts of the website the default roles don't provide? In this case, you can use a free plugin such as User Role Editor, which allows you to create new roles and choose exactly which elements of the website they can access.
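A least-privilege role built with the WordPress role API, plus the theme-editor switch-off mentioned above, as an added example (not the article's code and not User Role Editor's). The role slug, its label and the capability list are assumptions; it is meant to be installed as a must-use plugin such as wp-content/mu-plugins/assistant-role.php.

```php
<?php
/**
 * Added example (not the article's own code): a purpose-built "assistant"
 * role and a hard stop on theme/plugin code editing. Install as a must-use
 * plugin (wp-content/mu-plugins/assistant-role.php). Role name and
 * capability list are assumptions for this example.
 */

// Removes Appearance > Theme File Editor and Plugins > Plugin File Editor,
// which let any user holding edit_themes / edit_plugins run arbitrary PHP.
// define( 'DISALLOW_FILE_EDIT', true ) in wp-config.php has the same effect
// and is the more conventional place for it.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

/**
 * Registers the role once. Roles are persisted in the database, so on every
 * later request get_role() already finds it and nothing is changed.
 */
function example_register_assistant_role() {
    if ( get_role( 'assistant' ) ) {
        return;
    }
    $author = get_role( 'author' );
    if ( ! $author ) {
        return;
    }
    // Start from the stock Author role (write, edit and publish own posts)...
    $caps = $author->capabilities;
    // ...add the one right a stock Author lacks and the assistant actually needs...
    $caps['moderate_comments'] = true;
    // ...and explicitly deny raw HTML/script in post content, whatever the base role had.
    $caps['unfiltered_html'] = false;

    add_role( 'assistant', 'Assistant', $caps );
}
add_action( 'init', 'example_register_assistant_role' );

/**
 * Belt and braces: even if some plugin later grants a non-administrator
 * edit_themes or edit_plugins, strip those capabilities at check time.
 * user_has_cap runs on every current_user_can() call.
 */
function example_block_code_editing_for_non_admins( $allcaps, $caps, $args, $user ) {
    if ( ! in_array( 'administrator', (array) $user->roles, true ) ) {
        unset( $allcaps['edit_themes'], $allcaps['edit_plugins'], $allcaps['edit_files'] );
    }
    return $allcaps;
}
add_filter( 'user_has_cap', 'example_block_code_editing_for_non_admins', 10, 4 );
```

Assign the new role from Users > All Users like any stock role; it shows up as "Assistant" in the role drop-down.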

7. Monitor Activity Through Audit Log

And what if you can't simply restrict your users from accessing most of the sensitive parts of your website, but would at least like to know who changed or edited what, in case anything goes wrong? To get an overview in the form of a comprehensive audit log, you can install WP Security Audit Log. Its free version is more than enough to give you a convenient overview of the activity of your employees and VAs.

8. Make Login More Secure Using Google Authenticator

Speaking of users, there is one more thing you can do to make your site even more secure. Imagine having your WordPress credentials (or those of your employees) stolen. Depending on the role of that user, an intruder could gain access to the whole WP website. To prevent that, consider adding two-factor authentication to the login. The easiest way to do that is the Google Authenticator plugin. Once it's set up, even if someone gets your username and password, they won't be able to log in without the code generated by the Google Authenticator app.

As you can see, even though WordPress is considered the most vulnerable content management system out of all the popular ones, it’s not that hard to minimize or even completely get rid of the most common risks and secure the most endangered elements on your website.

If you follow the above tips, stay cautious when giving others access to your site, and keep the elements of your site up to date, your website, and with it your business, will be far safer from potential intruders. Not to mention how much you can save by preventing a security breach in the first place.

11 Free Security Plugins For Your WordPress Website

WordPress is the most popular content management system on the web, and there are many free plugins for it. Using these free plugins you can protect your website.
Here is a list of security plugins for you. It covers firewalls, anti-spam plugins and more.

1. Wordfence Security – Firewall & Malware Scan

Wordfence is the most popular security plugin, with over 2 million downloads on WordPress.org. This WordPress plugin provides strong protection for your websites.
The plugin's firewall stops malicious traffic before it can reach your website.
Its rules are updated automatically so that you are protected against the latest threats.

In the premium version you get country blocking, real-time rule updates and more.
It also monitors traffic in real time, showing blocked bots and humans, logins and logouts, and 404 errors.

2. All In One WP Security & Firewall

The All In One WP Security plugin will take your website security to a new level.
It is designed and written by plugin experts, and it is very easy for a WordPress user to customize and use.

This plugin doesn't slow down your website.
You can add advanced security features to user accounts, registration and login, ban users by IP address or user agent, and block brute-force attackers.
The plugin may collect visitor IP addresses for security reasons. The collected information is stored on your own server; nothing is transmitted to a third party.

3. Sucuri Security – Security Hardening

The Sucuri plugin for WordPress is a toolset for security monitoring, login protection and security hardening.

It monitors all security-related events on your WordPress site and checks multiple blacklist engines to protect your brand reputation and website.
It also tells you what to do if your site is compromised, and gives access to CloudProxy, an enterprise-grade firewall.

Sucuri is a globally recognized authority in all matters related to WordPress security.
The plugin is free for all WordPress users. It is a security suite meant to complement your existing security posture, offering users a set of security features for their website, all designed to have a positive effect on that posture.

4. i-Themes Security (formerly Better WP Security)

It offers more than thirty ways to lock down WordPress in an easy-to-use security plugin.

With its two-factor authentication, users are required to enter both a password and a secondary code sent to a mobile device, smartphone or tablet.
It can also limit the number of failed login attempts allowed per user, and make your WordPress dashboard inaccessible during certain hours.
It can schedule database backups and e-mail them to you, and it lets you assess the security of all your WordPress user accounts at once and act on them.

iThemes Security gives you many ways to secure your WordPress site. On average, 40,000 websites are hacked each day, and WordPress sites can be an easy target because of vulnerable plugins, weak passwords and outdated software.

5. Shield Security for WordPress

There is no good reason for WordPress security plugins to be so complicated.
Shield is an easy security plugin to set up: you simply activate it, and a step-by-step wizard walks you through the basic customization.
If you want, you can dig deeper into its options.
Shield removes the need for a manual IP blacklist: the plugin itself handles blocking the IP addresses of hosts that misbehave.
It is a very powerful free security protection.

6. Google Authenticator

Two-factor authentication adds a second layer of security to your WordPress accounts.
It protects your website from hacks and unknown login attempts.

Secure your WordPress site login with an additional factor.
The setup takes only a few minutes and then protects your site from that point on.
This plugin provides two-factor authentication during login to your site.
If you are looking for one-time-password verification of users during registration, use this plugin.
Two-factor authentication is available on the login page itself for Google Authenticator and the miniOrange soft token.
Supported methods: Google Authenticator, push notification, soft token and security questions.

7. Acunetix WP Security

The Acunetix WP Security plugin is a free security tool that helps you secure your WordPress installation.
It safeguards passwords, protects database security, hides version numbers, checks file permissions, protects the admin area, and more.

Its features include easy database backup and disaster recovery, hiding dashboard information from non-administrators, and live traffic monitoring of activity on your website.
WP Security checks your WordPress website for security issues and suggests corrective actions.

8. WP Antivirus Site Protection

WP Antivirus Site Protection is a security plugin to prevent, detect and remove viruses and suspicious code.
It detects backdoors, rootkits, Trojan horses, fraud tools, spyware, hidden links and more.

WP Antivirus Site Protection scans not only theme files but all files of your WordPress website. You get alerts by e-mail and can view the security report online.

9. Really Simple SSL

Really Simple SSL automatically detects your settings and configures your website to run over HTTPS.
To keep it lightweight, the options are kept to a minimum. All incoming HTTP requests are redirected to HTTPS.
The site URL and home URL are changed to HTTPS as well, free of cost.

It's really simple, and it detects your settings automatically.

10. Security Ninja

This is one of the more popular products out there, and it's certainly one of my favorites.
It is a top product that takes plenty of action to make sure there is no chance of compromise.
You might experience a slight slowdown while the tests are being run, but that takes less than a minute.

It looks for potential problems and 0-day exploits in the software actually running on your server.
The Security Ninja plugin then gives you the test results and suggests fixes with precise instructions.

11. SecuPress Free

SecuPress is a new security plugin on the market, and it's definitely one that's growing rapidly.

It's developed by Julio, one of the co-founders of WP Media, the company behind Imagify and WP Rocket.
There are a free version and a premium version, both of which include a lot of features.
Protect your WordPress site with malware scans and block bots and suspicious IPs; this free WordPress security plugin is a great choice.

12. Jetpack by WordPress.com

Most people who use WordPress are familiar with the Jetpack plugin, partly because it has so many features,
but also because the plugin is made by the people behind WordPress.com.

It bundles social media integration, spam protection and site speed improvements; there are many features in it that make it worthwhile.
It also helps you stop worrying about data loss and hacking, because it keeps your site backed up and protected.

Since its services are provided and hosted by WordPress.com, a WordPress.com account is required for the Jetpack plugin to function.

8 Steps For Responding To A Cyber Attack On Your WordPress Website

Your WordPress installation has been hacked.

How do you respond?

First, don’t worry, as this happens to WordPress site owners everywhere. The WordPress platform is one of the most popular content management systems used to power websites around the planet. However, with that wide-ranging usage, comes risks.

And because WordPress is used so widely, it has become a favorite cybercrime target as well. Even if you keep your WordPress site secure with various security plugins, malicious actors can still find holes in your security. So if you’ve found yourself needing help with a hacked WordPress installation, follow our tips to keep your sanity and hopefully fix your site.

Here are 8 Steps For Responding To A Cyber Attack On Your WordPress Website:

1 – Identify The Type Of Hack

First, you have to find out what type of hack has happened. Can you still access the WP admin panel? How does the hack present itself? Is your website serving pop-ups, or is it redirecting to another URL?

Determining the type of hack is crucial to your ability to fix whatever went wrong. Once you learn what has actually happened, don't be afraid to Google it to see what the best course of action may be. The WordPress support forums are great for providing advice, as is the WordPress section of Stack Overflow.

But remember, when asking for help from a community always search to see if the question has been asked and answered before. Community members hate nothing more than being de-facto customer service agents for people who do not search beforehand.

2 – Change Any & All Passwords

Your first thought might be to change the passwords on your WordPress installation after a hack. However, you need to take it a bit further than WordPress. Even if malicious actors or hackers compromised only your WordPress installation, they might have gained access to the web server or database as a whole.

One of your first steps should be changing all passwords associated with the hack. That means not only your web server login, but the database login and password hooked to your WordPress installation, your email passwords on the domain, and literally, any other passwords you can think of that are connected to your hacked WordPress installation.

One of the best ways to ensure that you always have secure passwords will be to invest in a high-quality password manager, which can change your passwords regularly for you and will always choose ones that are the toughest to break.

3 – Contact Your Hosting Provider

Your web host may be able to provide more in-depth information about the hack, such as access and FTP logs you may not have access to otherwise. Most hosts will also offer some sort of backup if you do not have one yourself.

Some hosts have also been known to add compromised WordPress files to a “quarantined” area of the web server. If this is the case, and your host has quarantined files already, you now know exactly where to look to find the hack.

Your host will also be a great resource to find out how the malicious behavior happened in the first place, possibly giving you a good idea of where to start repairing security holes.

4 – Audit WordPress Theme & Plugins

If your WordPress installation is still accessible via the admin panel, a good first step is updating your WordPress installation, themes and plugins. When developers update their plugins and themes, it is often because a security issue is being fixed. That means you, as a WordPress site owner, need to keep them updated to keep your site secure.

You can update your WordPress installation, plugins, & themes directly from the WordPress admin panel. Don’t have access to the admin panel because of the hack? Your alternative would be deleting the plugin from your website server and downloading the newest version and uploading it as a replacement.

5 – Restore From An Existing Backup

Most hosts provide some type of backup and restore functionality at the server level. However, lots of WordPress owners choose to create secondary backups. If this is you, and you have backups, restoring may be a good course. Yet, you have to make sure the version you are restoring isn’t compromised as well.

And certainly, once you restore your site (if possible), you should update WordPress, your theme, and plugins. If possible, you should also try to save a copy of your site backup locally. There is a possibility that if your backups are stored on the same web server as the hacked WordPress installation that they might be compromised as well.

6 – Hire A Professional Security Expert or WordPress Developer If Needed

There is no shame in hiring a WordPress or security professional to finish what you started. Cleaning up a hack can be complicated. And if you’ve never done it before, there is always the risk you will miss something, leaving your site and visitors vulnerable.

7 – Check All Your WordPress Users & Permissions

Often you will see that user permissions have been changed after a hack. This usually happens because the malicious actors or hackers have created an account for themselves, or compromised an existing account and upgraded its permissions.

Sometimes, hackers have a way of keeping accounts hidden from the admin panel of WordPress, meaning you have to check the user MySQL database to find them. You should delete any accounts you don’t recognize, and change all passwords for every user account, in addition to checking their permissions.
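The account check described in this step, as an added example that is not part of the original article: it reads the users table directly and compares it with what the dashboard's user query returns, so an account that a malicious plugin hides from Users > All Users still surfaces. It assumes a single-site install and is run through WP-CLI (`wp eval-file audit-users.php`).

```php
<?php
/**
 * Added example (not the article's own code): audit every account straight
 * from the database. Assumes a single-site install; run with WP-CLI:
 *   wp eval-file audit-users.php
 */

/**
 * Returns one row per account in the users table with its roles decoded from
 * usermeta, a flag for administrators, and a flag for accounts that the normal
 * user query (which plugins can filter) does NOT return.
 */
function example_audit_users() {
    global $wpdb;

    // Roles are stored as a serialized array in usermeta under "<prefix>capabilities".
    $cap_key = $wpdb->get_blog_prefix() . 'capabilities';
    $rows    = $wpdb->get_results( $wpdb->prepare(
        "SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value AS caps
           FROM {$wpdb->users} u
      LEFT JOIN {$wpdb->usermeta} m ON m.user_id = u.ID AND m.meta_key = %s
       ORDER BY u.user_registered DESC",
        $cap_key
    ) );

    // What the dashboard sees: WP_User_Query honours the pre_user_query filter,
    // which is exactly where a backdoor would hide an account from the admin panel.
    $visible = array_map( 'intval', get_users( array( 'fields' => 'ID' ) ) );

    $report = array();
    foreach ( $rows as $r ) {
        $caps  = maybe_unserialize( $r->caps );
        $roles = is_array( $caps ) ? array_keys( array_filter( $caps ) ) : array();
        $report[] = array(
            'id'         => (int) $r->ID,
            'login'      => $r->user_login,
            'email'      => $r->user_email,
            'registered' => $r->user_registered,
            'roles'      => $roles,
            'is_admin'   => in_array( 'administrator', $roles, true ),
            'hidden'     => ! in_array( (int) $r->ID, $visible, true ),
        );
    }
    return $report;
}

// One line per account; review every "A" (administrator) and "H" (hidden from
// the dashboard) row, and anything registered around the time of the incident.
foreach ( example_audit_users() as $u ) {
    printf(
        "%s%s %5d  %-20s %-30s %s  [%s]\n",
        $u['is_admin'] ? 'A' : '-',
        $u['hidden']   ? 'H' : '-',
        $u['id'], $u['login'], $u['email'], $u['registered'], implode( ',', $u['roles'] )
    );
}
```

An account with no roles at all, or with a role name you do not recognize, deserves the same scrutiny as a stray administrator.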

8 – Stay Calm & Keep Your Composure

The most important thing required of you when your WordPress site has been hacked is to keep calm. Oftentimes you see website administrators doing more harm than good when dealing with a hack, due to the frantic nature of the work.

Oftentimes a website being down means the business or individual it belongs to is losing money. However, you can't let this fact lead you to cut corners or fix the hack sloppily.

Conclusion

Hopefully, these steps have given you a sound basis for how to respond to cybercrime, hacking, or malicious behavior on your WordPress installation. If you do fix the issue yourself, great!

However, keep in mind that you have to stay diligent in the future. The security landscape changes continuously, and so should how you handle these situations. And remember, keeping calm is the most significant help in scenarios like this.

Get Google reCaptcha Site Key And Secret Key


Step 1. Go to the Google reCAPTCHA platform.

Step 2. After opening the Google reCAPTCHA website, click the blue "Admin Console" button at the top right.


Step 3. Sign in to your Google account to proceed to the reCAPTCHA dashboard.

Step 4. After signing in, you will be redirected to your Google reCAPTCHA dashboard. If you have already generated reCAPTCHA keys, the dashboard shows request statistics for the keys you created earlier.


Step 5. To get a new site key and secret key, click the blue "+" button at the top right.

Step 6. The "Register a new site" form will open; fill in all the details correctly and submit the form.

  1. Label – Type a suitable label that relates to your site name, so you can recognize the keys later.
  2. reCAPTCHA type – Select the version of Google reCAPTCHA you want; you can read more about the differences between the versions on that page.
  3. Domains – The website domain where you will use these keys, such as https://mywebsite.com.
  4. Owners – You don't need to change this; it is set by default to the logged-in account. If you want reports sent to more e-mail addresses, you can add multiple accounts here.
  5. Alerts – Enable this to have e-mail alerts sent to the owners if there is a problem on your website, such as a reCAPTCHA misconfiguration or an increase in suspicious traffic.


Step 7. After submitting the form you will get the newly generated Site Key and Secret Key.

Now you can use the site key and secret key in your app to configure Google reCAPTCHA. Thanks for following our tutorial on generating keys for your website. We hope you like this updated article and find it helpful.
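The server-side half of using those keys, as an added example that is not part of the tutorial: a WordPress form handler must send the token the widget produced to Google's siteverify endpoint with the Secret Key and check the answer. The secret value and the expected hostname (the domain you registered in step 6) are placeholders/assumptions.

```php
<?php
/**
 * Added example (not the tutorial's code): verify a reCAPTCHA token on the
 * server with the Secret Key generated above, via the WordPress HTTP API.
 * EXAMPLE_RECAPTCHA_SECRET is a placeholder; paste your own Secret Key there
 * (never the Site Key, which is public and goes in the page markup).
 */
define( 'EXAMPLE_RECAPTCHA_SECRET', 'PLACEHOLDER_SECRET_KEY' );

/**
 * Returns true only when Google confirms the token AND it was solved on the
 * expected hostname. For v3 keys, pass the action name the page used and the
 * minimum acceptable score (Google's scale is 0.0 = bot ... 1.0 = human).
 */
function example_verify_recaptcha( $token, $expected_host, $expected_action = null, $min_score = 0.5 ) {
    if ( ! is_string( $token ) || $token === '' ) {
        return false; // form submitted without a solved captcha
    }

    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 10,
        'body'    => array(
            'secret'   => EXAMPLE_RECAPTCHA_SECRET,
            'response' => $token,
            'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        ),
    ) );

    // Fail closed: a network error or non-200 reply is "not verified", not "verified".
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $data['success'] ) ) {
        return false; // invalid, expired or already-used token; 'error-codes' says which
    }

    // Google recommends checking the hostname yourself; it matters in particular
    // if "Verify the origin of reCAPTCHA solutions" is switched off in the console.
    if ( ! isset( $data['hostname'] ) || 0 !== strcasecmp( $data['hostname'], $expected_host ) ) {
        return false;
    }

    // v3 only: the token also carries the action name and a score.
    if ( null !== $expected_action ) {
        if ( ! isset( $data['action'], $data['score'] )
            || $data['action'] !== $expected_action
            || (float) $data['score'] < $min_score ) {
            return false;
        }
    }
    return true;
}

// Typical use in a public form handler: the widget posts the token as
// g-recaptcha-response. 'example_contact' and 'mywebsite.com' are placeholders.
add_action( 'wp_ajax_nopriv_example_contact', function () {
    $token = isset( $_POST['g-recaptcha-response'] ) ? wp_unslash( $_POST['g-recaptcha-response'] ) : '';
    if ( ! example_verify_recaptcha( $token, 'mywebsite.com' ) ) {
        wp_send_json_error( 'captcha verification failed', 403 );
    }
    // ...process the submission only after the check above has passed...
    wp_send_json_success();
} );
```

Each token is single-use and short-lived, so verify it once per submission and never cache the result.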

Please comment your thought about this tutorial and share on your social media account.

Cheers!