Monthly Archives: March 2019

Mindful WordPress Security Practices

Secure WordPress Practices

With WordPress, hardening your site is one of the easiest tasks to complete, yet it’s one of the most overlooked! In this day and age, with data breaches and hacks running rampant, it’s never too late to implement security practices on your website. While absolutely no site is 110%-without-a-doubt-no-way-in-hell-is-anyone-hacking-anything secure, there are many ways to minimize the risk. By not following any security practices, or just “letting things go”, you’re not only putting your site at risk, you’re putting your audience at risk as well.

Quick Changes to Make Right Now

WordPress user practices

Please do not ever use the username “admin” for your main administrative account. Older WordPress versions created it by default, and many one-click installers still pre-fill it, so it is the first username every brute-force script tries. WordPress accepts either the username or the email address at login, so even if you always sign in with your email, an account named “admin” can still be attacked by its username. WordPress does not let you rename a user from the dashboard, so the fix is: create a new Administrator with a unique username, log in as that user, delete the old “admin” account, and choose “Attribute all content to” the new user when WordPress asks what to do with its posts.

It’s always a great idea to periodically go through registered users and audit anyone with dashboard access whatsoever, such as other Administrators, Editors, and Authors. That administrative user you made for a plugin support developer a few years ago that’s never been used since? Delete that user ASAP. Watch for accounts you don’t recognize at all, too; a stray Administrator is a common sign that someone else has already been in. Every user with dashboard access is another point of entry for the bad guys.

Minimum password strength and password change schedule

Consider setting a schedule for yourself and any additional users to review your login passwords, and change any password that is short, reused on another site, or known to someone who no longer needs access. Your password that you haven’t updated since your site’s inception in 2013? Take a few seconds to change that today! Current guidance favors long, unique passwords (and a second login factor where you can get one) over rotating an already strong password on a fixed calendar, so put the effort into length and uniqueness. We have a wonderful article on password security practices when creating new passwords. Put more thought into your passwords, and never use anything easy to guess like names and important dates.
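A minimum password length is easier to keep when the site enforces it rather than relying on everyone remembering the rule. The following is an added example, not code from the original post and not a built-in WordPress feature: a small must-use plugin that rejects short passwords on the profile, new-user and password-reset forms. It assumes the file is saved as wp-content/mu-plugins/minimum-password-length.php (WordPress loads that folder automatically); the file name, the function name and the 14-character minimum are arbitrary choices.

```php
<?php
/**
 * Plugin Name: Minimum password length (example mu-plugin)
 *
 * Assumed location: wp-content/mu-plugins/minimum-password-length.php
 * The minimum below is our own choice; raise it if you like.
 */
define( 'EXAMPLE_MIN_PASSWORD_LENGTH', 14 );

/**
 * Add an error to $errors when $password is set but too short.
 * An empty password means "leave the current password alone" on the
 * profile screen, so it is deliberately not treated as an error here.
 */
function example_check_password_length( WP_Error $errors, $password ) {
	if ( '' === $password ) {
		return;
	}
	if ( mb_strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
		$errors->add(
			'password_too_short',
			sprintf(
				'<strong>Error</strong>: Passwords must be at least %d characters long.',
				EXAMPLE_MIN_PASSWORD_LENGTH
			)
		);
	}
}

// Dashboard: Users > Your Profile, Users > Edit User and Users > Add New all
// submit the new password as pass1 and run this action before saving.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	$password = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
	example_check_password_length( $errors, $password );
}, 10, 3 );

// Front end: the "set new password" step of the forgotten-password flow
// (wp-login.php?action=rp) runs this action before accepting the new password.
add_action( 'validate_password_reset', function ( $errors, $user ) {
	$password = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
	example_check_password_length( $errors, $password );
}, 10, 2 );
```

Because the check hooks WordPress’s own validation actions, the user sees the message on the same form, and the password is only ever rejected, never stored. Passwords produced by the “Generate Password” button comfortably clear the limit, so this only bites people who type their own short ones.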

If you care about your site at all, keep it up to date!

When Black Chicken Host receives a client request to install a new WordPress site, we always enable automatic WordPress core updates, per our Terms of Service. If you migrated your site to us, you will most likely need to enable automatic updates yourself:

https://codex.wordpress.org/Configuring_Automatic_Background_Updates

Any theme or plugin developer worth their salt tests their updates for compatibility with multiple versions of WordPress. It is still an excellent practice to back up your site before a major update (you can ask us for help, we don’t mind!), but unless your own website developer or “IT person” went to town with poorly coded customizations, hit that update button!
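The Codex page linked above explains the constants and filters; here, as an added example that is not part of the original post or of WordPress itself, is what a complete update policy looks like as a must-use plugin: take major core releases automatically, auto-update every theme, auto-update only plugins on an allowlist you have tested, and warn in the dashboard if a wp-config.php constant has switched the updater off. The file name and the two plugin slugs in the allowlist are placeholders.

```php
<?php
/**
 * Plugin Name: Automatic update policy (example mu-plugin)
 *
 * Assumed location: wp-content/mu-plugins/update-policy.php
 */

// Core: WordPress already installs minor and security releases on its own.
// This also takes major releases (e.g. 5.1 -> 5.2) without waiting for a human.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Themes: update all of them automatically.
add_filter( 'auto_update_theme', '__return_true' );

// Plugins: update automatically only the ones on an allowlist we have tested.
// Slugs are the directory names under wp-content/plugins/; the two below are
// placeholders, replace them with your own.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	$allowlist = array( 'akismet', 'example-contact-form' );
	if ( isset( $item->slug ) && in_array( $item->slug, $allowlist, true ) ) {
		return true;
	}
	return $update; // keep WordPress's default decision for everything else
}, 10, 2 );

// Sanity check: two wp-config.php constants silently disable the whole updater,
// including the security releases. Say so in the dashboard instead of finding
// out at the next vulnerability announcement.
add_action( 'admin_notices', function () {
	$blockers = array();
	if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED ) {
		$blockers[] = 'AUTOMATIC_UPDATER_DISABLED';
	}
	if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) {
		$blockers[] = 'DISALLOW_FILE_MODS';
	}
	if ( ! empty( $blockers ) ) {
		printf(
			'<div class="notice notice-error"><p>Automatic updates are disabled by %s in wp-config.php.</p></div>',
			esc_html( implode( ' and ', $blockers ) )
		);
	}
} );
```

Two things to check after installing it: the updater runs from WP-Cron, so a site with DISABLE_WP_CRON set needs a real cron job hitting wp-cron.php, and the notice only tells you about the two constants, not about a host that has blocked outbound connections to api.wordpress.org.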

…and just delete unused themes and plugins

Deactivated themes and plugins still sit in wp-content and their files can still be requested directly by URL, so a flaw in one of them can be exploited even though it is switched off in the dashboard. The more themes and plugins, the more points of entry. Added bonus: it frees up disk space!

Hide author usernames

Using your WordPress username as the author name shown on posts and pages is just handing people half of your login on a silver platter. But there’s a simple fix! Under your user profile, set a nickname for your user and change the “Display name publicly as” option to that nickname. Note that this only changes the byline: the username still appears in author archive URLs (www.yoursite.com/author/username/, which www.yoursite.com/?author=1 happily redirects to) and in the users listing of the REST API, so treat it as one layer rather than a complete fix.
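To close those two remaining leaks as well, here is an added example that is not part of the original post and not a WordPress or plugin feature: a must-use plugin that hides the REST users listing from visitors who are not logged in and refuses the ?author=N lookup on the front end, plus a one-shot helper that gives an account a public slug different from its login name. The file is assumed to live at wp-content/mu-plugins/stop-user-enumeration.php; the file name, function name, and the user ID and slug in the usage comment are placeholders.

```php
<?php
/**
 * Plugin Name: Stop username enumeration (example mu-plugin)
 *
 * Assumed location: wp-content/mu-plugins/stop-user-enumeration.php
 */

// 1. Visitors who are not logged in can no longer list users over the REST API
//    (/wp-json/wp/v2/users and /wp-json/wp/v2/users/<id>). Logged-in users keep
//    both routes, because the block editor uses them for its author dropdown.
add_filter( 'rest_endpoints', function ( $endpoints ) {
	if ( is_user_logged_in() ) {
		return $endpoints;
	}
	unset( $endpoints['/wp/v2/users'] );
	unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
	return $endpoints;
} );

// 2. Refuse ?author=N on the front end. Left alone, www.yoursite.com/?author=1
//    redirects to www.yoursite.com/author/<username>/ and gives the login away.
//    The dashboard is excluded because the Posts screen uses ?author= to filter.
add_action( 'init', function () {
	if ( is_admin() || ! isset( $_GET['author'] ) ) {
		return;
	}
	if ( preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
		wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
	}
} );

// 3. Optional, run once per account: set a public slug that differs from the
//    login name, so /author/<slug>/ and the REST "slug" field stop echoing the
//    username. The login itself is unchanged. Returns the user ID or a WP_Error.
//    Example (placeholders):  wp eval 'example_set_public_slug( 1, "jane-writes" );'
function example_set_public_slug( $user_id, $slug ) {
	return wp_update_user( array(
		'ID'            => (int) $user_id,
		'user_nicename' => sanitize_title( $slug ),
	) );
}
```

Step 3 changes the author archive URL, so any existing links to /author/<old-username>/ will stop working; do it once, early, rather than as routine maintenance. The first two steps are safe to leave in place permanently.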

“Advanced” Practices:

Change wp-login.php

One of the most common reasons we see for elevated server load and slow sites is IP addresses trying to brute-force their way through your WordPress login page. Since every WordPress site has the same default login page, www.yoursite.com/wp-login.php, would-be hackers and troublemakers know exactly where to hammer. Moving your login page to a different URL makes more “work” for the bad guys, who now have to locate it first, and can help keep you safe! Keep in mind that it hides the door rather than locking it: a strong password, and a limit on failed login attempts, still do the real work.

We do not recommend editing core WordPress files via FTP or File Manager to rename wp-login.php, or hacking it into your theme files. This goes wrong quickly for many reasons, and the next core update overwrites wp-login.php and undoes your change anyway. There is, however, a myriad of plugins that quickly and safely change the default login URL for your WordPress dashboard; just give a quick search! We’ve seen a few of our clients use WPS Hide Login.

Please note that if you do change the login URL for your site and later need our assistance with something that involves logging in, please give us a heads up about what your login URL is. That will save us all some time and back-and-forth!

Use .htaccess to limit wp-login.php altogether

Via your site’s .htaccess file, we can deny all requests to your WordPress login page except those coming from specified IP addresses. This is usually a last-resort method, as most folks do not have static IP addresses from their ISPs: once your IP address changes, you will be locked out of your WordPress login page until the new address is added to your .htaccess file (which you can still do through FTP or File Manager, since the block only covers the login page). If you would like assistance setting up this directive in your .htaccess, please contact us.
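As an added illustration that is not part of the original post or of any client’s configuration, this is what the directive looks like in Apache 2.4 syntax, placed in the .htaccess file in the site’s document root. The IP addresses are placeholders from the documentation ranges; replace them with your own.

```apache
# Only these addresses may reach the login page; everyone else gets a 403.
# 203.0.113.25 stands for a single home/office address, 198.51.100.0/24 for a
# whole office network. Both are placeholders.
<Files "wp-login.php">
    Require ip 203.0.113.25 198.51.100.0/24
</Files>

# Optional: xmlrpc.php also accepts a username and password, so a brute-force
# tool shut out of wp-login.php simply tries there instead. Block it unless you
# rely on the WordPress mobile apps, Jetpack or another XML-RPC client.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

Two caveats before you save it. Hosts still running Apache 2.2 need the older Order deny,allow / Deny from all / Allow from form instead of Require. And if your site sits behind a CDN or proxy such as Cloudflare, Apache sees the proxy’s address rather than yours, so the rule will lock everyone out (including you) unless the server is configured with mod_remoteip to recover the real client address.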

A Final Piece of Advice

Keep any computers and devices that access your WordPress site and email updated! Malware that can steal your email password can just as easily steal the saved password or typed keystrokes for any site that requires a login, your WordPress dashboard included. Make sure your computer has anti-virus set up and regularly updated; don’t slack on that! It’s an absolute nightmare trying to clean up an infected computer (we speak from experience).

When you don’t take your own computer and site security seriously, you aren’t taking your readers’ or customers’ security seriously. Data breaches aren’t just the huge ones you hear about on the news; they can happen to any site, no matter how small.

As always, please do not hesitate to contact us if you have any questions or concerns or just want to chat!

Why *Everyone* Should Have Off-Server Backups

We have all heard the horror stories, and indeed, some of us have lived them ourselves – my hard drive failed, and I lost everything. Backups are so very important! However, there are many different kinds of backups, and which of those backups we use is something we all need to think about before catastrophe strikes.

There have been numerous events across many major hosting companies, ranging from “unexpected thermal events” (which is to say, fires) to hardware failures to natural disasters, all of which have resulted in some measure of data loss. A few simple steps will make sure an event like that costs you some downtime rather than your data.

The Backup Lowdown

Before we get into those specific steps, though, let’s talk about backups in general. Black Chicken Host provides on-server backups as a courtesy service; per our Terms of Service, these backups are not guaranteed. While they are typically very robust and trouble-free, it is possible something might happen to them rendering them unusable, and a backup that lives on the same server as your site disappears along with the server.

The most important step in obtaining additional backup security is to have off-server backups: a copy that does not live on the same machine as your site. You can set this up either with a WordPress plugin, such as BackupBuddy or Updraft, or by manually downloading cPanel backups to your home or office computer. Whichever you pick, try restoring from a backup once; an untested backup is a hope, not a plan.

Pro tip! If you are using a backup plugin, we recommend downloading (or having the plugin send off-server) those backups promptly and removing the copies left on the server. Otherwise, your disk space allowance will quickly fill up, which can render your site inaccessible.

Your Options

For our Standard Shared clients, we have our courtesy backup system which backs up your sites once a month and several times during the week. You can manually generate and download backups via your cPanel account access too! The Backup Wizard feature allows you to create a full backup of your entire account for download (site files, databases, and email) or you can pick and choose which part of your account you want to backup. We always recommend having a full download of everything, just in case!

For our WordPress Only clients, we have a rolling incremental backup of your site taken every morning. We highly recommend also using a backup plugin to keep your own copies. Again, configure the plugin to send its backups to your computer or another remote location (Dropbox or Google Drive) rather than leaving them on the server, to keep your disk space allowance in check.

For our VPS server clients, we offer the widest range of backup solutions. Like our Standard Shared clients, we have our courtesy backup system which backs up your sites once a month and several times during the week. You can also manually generate and download backups via your cPanel account access. If you have a dedicated WordPress Only server, we have a rolling incremental backup available of your site taken every morning. For all of our VPS server clients, we also offer a paid-for, off-server backup option called “Time Snap”; this takes weekly snapshots of all files on the server, and retains four rolling restore points. Rather than restoring a single site or account, this restores the server as a whole, which is great in the event the whole server becomes unusable. The cost of these server-level backups is 20% of the server cost.

A Solution for Everyone

Our BCH Managed WP Services also include backup plans! Backups are stored offsite at the Amazon S3 infrastructure and retained for 90 days before being rotated out. We can also download, restore, and even clone your site with a few clicks of a button. Plans include Weekly, Daily, 2x Daily, 4x Daily, and Hourly. Learn more here!

As always, please contact us if you have any additional questions or concerns about site backups or what options are best for you.