29 May, 2017

Hardening WordPress Website

Learn how to harden your WordPress website against malware, hacking, and blacklisting. Follow our best practices and tips to improve your site’s security.
Among content management systems (CMS), WordPress is probably the most popular. Our statistics in the Annual Website Malware Report | 2016 show WordPress as the leading CMS in 2016. That popularity also makes it a frequent target: the same report shows that 76% of our infected customers were using WordPress.
What Are the Main Components of The WordPress Installation?
Each WordPress website has three main parts:
I. Core files - the default WordPress installation files.

These files should not be edited, except for index.php, license.txt and readme.html. If any other core file has been modified, that may indicate an outside intrusion.

A. Here are the default installation files:
wp-admin [dir]
wp-content [dir]
wp-includes [dir]
index.php
license.txt
readme.html
wp-activate.php
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-cron.php
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php

B. Configuration files.
wp-config.php - Database configuration and global settings.
.htaccess - Server configuration. Used to manage rewrite rules and redirects for the site.

II. Plugins
Additional code and functionality that extends WordPress. After you install the WordPress core, you will typically look for features and extra functionality to improve your website. There are plenty of free plugins that offer useful features, but you should be very cautious about them: this is usually where an attacker gains entry.

III. Themes
The design or layout of the site. This is the most common place for an attacker to add redirect code.
WordPress Best Practices
Most attackers look for vulnerabilities in plugins and themes rather than in the WordPress core files, because these are the easiest way into a site. To minimize the risk of attack, here are our tips on how to harden your site.

  1. Regular backups. This is a must. Some infections can destroy your site instantly. If your site is hacked, you can easily restore it from a clean backup.
  2. Keep WordPress updated. WordPress actively updates its code to fix security issues, and attackers are constantly looking for security holes to penetrate a site. Updating your WordPress core files regularly closes these holes.
  3. Change the WordPress database prefix. WordPress uses the default prefix "wp_" for its tables. Attackers use SQL injection or automated scripts, which commonly rely on that default, to access your database.
  4. Use a strong password and username. Attackers use brute force to get into your site. Avoid common usernames such as "admin" or "administrator".
Password advice:
- Minimum of 12 characters.
- Must include numbers, symbols, capital letters and lower-case letters.
- Not a dictionary word or a combination of dictionary words.

  5. Use only well-known plugins and themes. Choose plugins and themes that are updated regularly; this is a sign that their bugs are being fixed.
  6. Use the Quttera Web Malware Scanner Plugin for WordPress to scan your site regularly. This plugin scans your website for malware, trojans, backdoors, worms, viruses, shells, spyware and other threats, as well as JavaScript code obfuscation, exploits, malicious iframes, malicious code injection, malicious code obfuscation, auto-generated malicious content, redirects, hidden eval code and more. Use both the External and Internal scan options to get comprehensive results.
Signs of Infection
  1. Alerts from your web browser.
  2. A high blacklisting score in the VirusTotal report.
  3. Google Search Console alerts for your site.
  4. Spam on your pages and posts.
  5. A sudden spike in your site traffic monitor.
  6. Unexpected website redirects.
  7. Additional files inside the wp-admin and wp-includes directories beyond the default installation files.
  8. Additional folders in your site.
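One way to check for both the edited core files described under "Core files" and the extra files in wp-admin and wp-includes named in sign 7, as an added example that is not Quttera's code: record a SHA-256 snapshot of a clean install right after installing or updating WordPress, then diff a later snapshot against it. The demo() function builds a constructed miniature install in a temporary directory; its file names are made up and the function and variable names are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path

# Core files the article says may legitimately be edited after installation.
EDITABLE_CORE = {"index.php", "license.txt", "readme.html"}
# Configuration files whose content is expected to change over time.
CONFIG_FILES = {"wp-config.php", ".htaccess"}
# Core directories that should contain nothing beyond the default files.
CORE_DIRS = ("wp-admin", "wp-includes")

def snapshot(root) -> dict:
    """Map every file below root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare a later snapshot with the clean baseline. 'modified' skips files
    the article allows to change; 'core_added' flags any new file under
    wp-admin/ or wp-includes/, which the article calls a sign of infection."""
    allowed_to_change = EDITABLE_CORE | CONFIG_FILES
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current
                      and current[p] != baseline[p]
                      and p not in allowed_to_change)
    core_added = [p for p in added if p.split("/", 1)[0] in CORE_DIRS]
    return {"added": added, "removed": removed,
            "modified": modified, "core_added": core_added}

def demo() -> dict:
    """Constructed miniature install (made-up file names): baseline, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("index.php", "wp-load.php", "wp-config.php",
                    "wp-includes/a.php", "wp-admin/b.php"):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(f"<?php // original {rel}\n")
        baseline = snapshot(root)
        (root / "index.php").write_text("<?php // owner edit, allowed\n")
        (root / "wp-load.php").write_text("<?php // core edit, not allowed\n")
        (root / "wp-includes/dropped.php").write_text("<?php // unexpected\n")
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Store the baseline outside the web root, or off the server entirely, so that an intruder who can write to the site cannot also rewrite the baseline.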
Is your website flagged for malware, blocked by the search engines or disabled by the host?
Our experts are here to clean up any malware from your sites and remove false positives, blacklisting and other kinds of alerts from any security vendor or search engine. Just select the appropriate ThreatSign! Anti-Malware plan and get back online.

For other issues and help: Quttera help-desk