How To Secure Your WordPress Site


WordPress is one of the most popular Content Management Systems on the Internet. Due to its popularity, it is also the target of many hackers. We’re here to show you our top 5 recommendations on how to secure your WordPress site based on issues we’ve come across.

1. Keep WordPress Up to Date!

Our number one and top recommendation is to keep WordPress up to date! WordPress is a very active platform and updates come out regularly for it. The updates include many new features and changes in the backend, but also patch many bugs and exploits that the WordPress team finds. Just take a look at the releases and patch notes on https://wordpress.org/news/ sometime to get an idea of how much work gets put into finding and fixing these problems!

Being even just one or two versions behind can leave your site open to hackers that analyze the updates, create exploits, and go looking for outdated sites across the Internet. The longer a site goes without updates, the more exploits and vulnerabilities are out there, and the greater the likelihood that your site could be compromised.

The same rule applies to your Plugins and Themes: make sure those are all properly updated for the same reasons! Which brings us to item two on our list!

2. Review your Plugins and Themes!

WordPress is great because plugins can quickly and easily add new features and customize your site, and themes can give your site a very professional appearance in a matter of seconds. If they are not properly maintained, however, they could lead to problems down the road.

First, just remove any plugins and themes you don’t need. You could leave them disabled, but outright removing them is a safer option as the files wouldn’t be sitting on your server. Even if it’s disabled, it could still potentially be reached if an exploit can gain access to the files.

A side effect of removing the plugins is that it could actually speed up your site as well!

After removing any plugins and themes you don’t need, make sure to keep the ones you have left updated. WordPress can generally check for updates right in the admin area, but if you bought a plugin from a third party source, make sure to check with them for any updates. It would also be recommended to visit the website of each plugin and theme or even check reviews on other sites to make sure development is still active on it and that there are no known vulnerabilities.

3. Protect your logins!

Having your site publicly accessible out on the internet means customers and potential clients can access your site, but so can bots and people with malicious intentions! By default, WordPress brings up a login page when you go to yourdomain.com/wp-login.php or yourdomain.com/wp-admin. If you try that on any of your sites and you get the login page, it’s highly recommended you use a plugin to hide where you go to log in.

WordPress does have some general security that blocks attempts after a few failed attempts, but if thousands of bots are all trying to log in and guess passwords, why even give them the chance to try? Make sure you use strong passwords, don’t use the same username and passwords in multiple locations, and go through your WordPress users to make sure they are all still valid. For example, if you gave a developer access years ago, maybe you don’t need that user sitting around there still.
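
To see how much of that bot traffic is reaching your login page, the added example below (not part of the original article) counts login POST requests per client IP in a web server access log. It assumes the Apache/nginx combined log format; the function names, threshold, and sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): find client IPs that are
# hammering the WordPress login page, using the web server access log.
# Assumes the Apache/nginx "combined" log format.

# wp_login_offenders LOGFILE THRESHOLD
# Prints "COUNT IP" for each IP with at least THRESHOLD POSTs to
# wp-login.php, busiest first. Viewing the login form is a GET and is
# not counted; every submitted login attempt is a POST.
wp_login_offenders() {
    awk -v min="$2" '
        # Whitespace-split fields: $1 = client IP, $6 = method (with a
        # leading double quote), $7 = request path
        $6 == "\"POST" {
            path = $7
            sub(/\?.*/, "", path)              # ignore any query string
            if (path ~ /\/wp-login\.php$/) hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) print hits[ip], ip
        }
    ' "$1" | sort -rn
}

# Constructed sample log (documentation IP ranges, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2018:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2018:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2018:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2018:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2018:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2018:14:01:09 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2018:14:10:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2018:14:10:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2018:14:10:13 +0000] "GET /wp-admin/ HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
EOF
}

# Demo on the constructed sample; a real log needs a much higher threshold.
tmp=$(mktemp) && sample_log > "$tmp" && wp_login_offenders "$tmp" 3
rm -f "$tmp"
```

On a live server, point the function at your own access log and pick a threshold that fits your normal login volume.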

4. Install protection plugins

I know I said to reduce your plugins earlier, but I would recommend having some plugins to block malicious connections, monitor suspicious activity, and scan site files for malware. We recommend iThemes Security, as it offers a lot of different features in just a single plugin, but you can look up what’s popular and read other reviews to help you decide on what would be the best fit with your site. For example, if you have a site where users can upload data, it would be a good idea to scan those files as they are being uploaded and block or at least report any that trigger warnings in a plugin that scans for viruses and malware.

Depending on how much protection you need, paid options would be recommended over free options to help increase the chances that newer exploits are blocked as well with more features and newer virus definitions.

5. Make sure you have good backups

Having good backups isn’t exactly a proactive step on how to protect your site, but it sure is a reactive step that can greatly help if the need arises. It’s a good idea for any business that relies on the data on their site. Think about all the orders, profiles, records, logs, and any other important information stored on your site, then imagine if something causes a problem and the whole site gets deleted, maybe a hard drive crash or malicious code is injected into it somewhere and causes the data to be lost. If you have no backups at all to restore from, then depending on the nature of your business this may be hundreds of work hours for a team to rebuild the site, lost revenue, lost customers, and would definitely be a major hit to your site’s reputation.

If you did have backups, depending on the frequency of the backups and how quickly the problem was noticed and rolled back, there may be little to no data loss, customers may not notice, and the site can quickly bounce back.

We highly recommend having multiple backups taken over a period of time. The more backups you have the more options you would have to restore from. Having only one daily backup could cause problems if an issue isn’t noticed until three days after it happens. Active sites may need continuous backups compared to a static site that maybe hasn’t changed in months.

Storing your backups in different locations also helps spread out the number of available backup copies. If a dedicated backup hard drive failed, for example, you could still have remote backups saved on a different service that wouldn’t be affected. Think of it like not putting all your eggs in one basket! For more information on good backup practices, see Best Practices: Developing a BackUp Plan.

Hopefully, you gained something useful from this article! If you or a friend are in the market for a web host, feel free to talk to a Liquid Web tech by phone or in a chat 24 hours a day! Thanks for reading!

How to Revert a Windows Update


Windows periodically checks for the latest updates and security features for your devices. Automatic updates are implemented with the intention of running your device smoothly and securely. With top security in mind, most Liquid Web servers are set to automatically install these updates thus saving you the task of remembering to implement critical updates or patches.

The vast majority of the time, Windows updates complete successfully, keeping you and your customers safe. These updates rarely cause any server issues, but you may find that you want to roll back an update due to an unforeseen server change. Fear not, in this tutorial we’ll show you how to easily undo a Windows update on 2016, 2008R2 and 2012R2 servers.

Note
Liquid Web customers have the option to install automatic updates themselves. In these cases, security patches and updates fall under the responsibility of the account owner.

 

Server 2016 with Windows 10

  1. Click on the Start button, search for Windows Update and hit Enter.
  2. Go to View Update History and select Uninstall Updates.  Click the update you are wanting to uninstall/remove. (Generally, these are the most recent installs.)
  3. When the installed update window comes up, you can see the updates by name, KB number, type of program, version, and even the date of installation.
  4. Select the update and choose Uninstall.  Follow the on screen instructions.
  5. Depending on the update, there may be a need to reboot the server to complete removal.
  6. While you are still in the Windows Update screen, select the offending update and click Hide Update.  ** Once the Update is fixed and it is safe to install, then you can go in and manually install it on your system.

Complete the removal of the update by rebooting the server.

 

Server 2008R2 and 2012R2 with Windows 7/8

  1.  Go to the Start button and select Control Panel.
  2.  Go to Programs >> Uninstall a program.
  3.  Select the program and right-click to Uninstall.
  4.  Select the update you would like to revert.
  5.  Select Yes to uninstall the selected update.
  6.  Select the Restart Now button.
  7.  While you are still in the Updates screen, select the offending update and right-click, to select Hide Update.  ** To re-instate the update you can manually install it on your system.

Complete the removal of the update by rebooting the server.

Still having issues with reverting a Windows update? Liquid Web customers enjoy 24/7 support with our Managed Dedicated and VPS servers. Find out today why we are the most loved in hosting!

 

How to Change Your Hostname in Ubuntu 16.04


Times are changing, and possibly your hostname is too if you are reading this article.  You may have come across a scenario within your business that requires you to change your hostname.  You might ask yourself why you would need to change your hostname? The most common scenarios would be due to a domain name change, your business has changed its course, or because you have thought of something better.

Sometimes you might forget to renew your domain names before they expire. Unfortunately, this can be a time when a domain broker purchases your domain name. These are agencies that purchase popular sites’ domains with the intent of holding them until their inflated price is met. As unfortunate as this may be, sometimes it is best to purchase a new domain name for cost efficiency.

Note
When purchasing domains from Liquid Web you can always select the option to Auto Renew within our portal Domains >> My Domains

 

Benefits to using a Fully Qualified Domain Name for your Hostname

It is good practice to use your Fully Qualified Domain Name (FQDN) as your hostname. Following this practice creates more options for securing your hostname with an SSL certificate. This will allow services like email to function using a secured connection. Using a hostname with a registered domain will allow you to add a corresponding DNS entry, which prevents unpredictable behavior by some services that use the hostname. It also allows you to set up a reverse lookup DNS entry, which can be very important with services like email verification. For example, when an email is sent, the receiving server runs a reverse lookup on the sender’s hostname. The reverse lookup allows the receiver’s server to ensure the hostname resolves to the matching IP address. This is just one preventive measure servers now use to reduce email spoofing incidents.

By using a unique domain name, you can reduce editing time. You may have a script that calls the server’s IP, instead of the hostname, to function correctly. Best practice is to use the hostname because future migrations may change IP addresses/ranges. Using the hostname can save you a lot of time in the long run, depending on your infrastructure and coding.

 

Using SSH for Windows 10, 7/8, and Mac OS X

We’ll need to connect to your server. For this article, we will be using SSH (“Secure Shell”) to access the server and issue commands. SSH is a powerful tool that will allow us to establish a secure connection with your server, diagnose, and issue remote commands. For more information on the SSH protocol, you can visit the following links.

There are a few ways to use SSH depending on your operating system. We’ve included some examples below followed by links with more information.

Windows 10

Using SSH client in Windows 10

Note
Because the OpenSSH client was introduced in the Windows 10 Fall Creators Update, you’ll need to first update to at least that version of the operating system.

Windows 7/8

Unfortunately, older versions of Windows have no native SSH client for connecting to your server. Thankfully, applications were created to assist. We like to use MobaXterm, but PuTTY is a safe choice as well. Both of these applications are free to use and simple to set up. We’ve included links below with more information on these applications.

Mac OS X

Newer Mac operating systems come with an excellent utility to access SSH called Terminal. To access Terminal navigate to your Applications folder >> Utilities folder >> Terminal.

If Terminal does not suit your preferences, there are other options available in the App Store or through a quick search on Google. PuTTY is also available on Mac!

 

Changing the Hostname in Ubuntu 16.04

At this point, you should be able to access your server using SSH.  Once you have accessed your server, you will want to either switch to the root user or run these commands using sudo.  The files you will be accessing are owned by root. Because of this, you will need root privileges.

To start things off, we will want to edit the /etc/hostname and /etc/hosts files. You can do so by using a text editor of your choice. We will demonstrate how to accomplish this task using the text editor called VIM. Because some of these command line text editors can seem complicated, we will also include the “sed” command to make things even easier.

Switching to root user:

# su - root

Editing the hostname and hosts file:

# vim /etc/hostname

# vim /etc/hosts

Once you have opened these files, you will need to change your hostname as follows:

  1. Press the i key to insert.  This will allow you to edit.  You will notice the editor says “Insert” at the bottom of the page.
  2. Use the arrow keys to navigate the cursor to your old hostname.
  3. Backspace to delete single characters
  4. Replace with the new hostname.  Be sure the syntax is correct.
  5. When done editing hit the ESC key to exit insert mode.
  6. Then hold shift and press the : key
  7. Finally, type wq and press enter key. This will write to the file and quit the editor
  8. Repeat for /etc/hostname

As we mentioned earlier, the command line text editors can appear to be overly complicated, especially when you’re used to programs like Word and the Windows text editor. Because of this, we have included the command below.

Note
Change host.example.com to your old hostname. Change host.newhostname.com to your new hostname

# sed -i 's/host.example.com/host.newhostname.com/g' /etc/hosts

# sed -i 's/host.example.com/host.newhostname.com/g' /etc/hostname
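
In the sed commands above, each "." in the pattern matches any character, and the pattern also matches inside longer names such as myhost.example.com. The added example below (not part of the original article) replaces the hostname only where it is a complete entry and keeps a backup of each file; the function name and the sample hosts file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article. The function name and the
# sample hosts file are constructed for illustration.

# replace_hostname OLD NEW FILE...
# Replaces OLD with NEW only where OLD is a complete whitespace-delimited
# entry, matches the dots in OLD literally, and leaves FILE.bak behind.
replace_hostname() {
    old=$1 new=$2
    shift 2
    # Accept hostname characters only, so neither name can act as sed syntax.
    for name in "$old" "$new"; do
        case $name in
            ''|*[!A-Za-z0-9.-]*) echo "invalid hostname: $name" >&2; return 1 ;;
        esac
    done
    [ "$old" != "$new" ] || return 0
    # An unescaped "." in a regex matches any character, so escape each one.
    old_re=$(printf '%s\n' "$old" | sed 's/\./\\./g')
    for file in "$@"; do
        cp -p "$file" "$file.bak" || return 1
        # Writing through ">" keeps the file's owner and mode. The :a/ta loop
        # repeats the substitution until no whole-entry match is left.
        sed -E -e ':a' \
            -e "s/(^|[[:space:]])${old_re}([[:space:]]|\$)/\\1${new}\\2/" \
            -e 'ta' "$file.bak" > "$file" || return 1
    done
}

# Constructed sample: only the 192.0.2.10 line names the host being renamed.
sample_hosts() {
    cat <<'EOF'
127.0.0.1   localhost
192.0.2.10  host.example.com host
192.0.2.11  myhost.example.com
192.0.2.12  host-example.com
EOF
}

# Demo on a scratch file: prints the result, then cleans up.
demo=$(mktemp) && sample_hosts > "$demo" &&
    replace_hostname host.example.com host.newhostname.com "$demo" &&
    cat "$demo"
rm -f "$demo" "$demo.bak"
```

Run as root against the real files, the call would be replace_hostname host.example.com host.newhostname.com /etc/hosts /etc/hostname.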

After editing these files, you’ll need to reboot the server. If you wish to reboot at a later time but still want your new hostname to take immediate effect, skip ahead to the hostname command further down. Otherwise, you can reboot by running:

# reboot

Your SSH session should be terminated.  Depending on your server it can take a few minutes to boot back up.  Once the server is back online you can check your changes by running the following command:

# hostname

If all went well, the terminal should output your new hostname.

If you wish to reboot at a later time but still want your new hostname to take immediate effect, you can use the hostname command to temporarily set the hostname until the next reboot.  From there, the changes in /etc/hosts and /etc/hostname will take permanent effect.

# hostname host.newhostname.com

There is also an alternative available. The hostnamectl command is installed by default on both Desktop and Server versions. It combines setting the hostname via the hostname command, editing /etc/hostname, and setting the static hostname. Unfortunately, editing /etc/hosts still has to be done separately.

Example:

# hostnamectl set-hostname host.newhostname.com

 

Common Issue after Hostname Update

The “Failed to start hostname.service: Unit hostname.service is masked” error can happen when there is a syntax error within the /etc/hostname, or /etc/hosts file, or when the hostname does not match between these two files.  Be sure to check both of these files for mistakes and correct them as needed. In newer versions of Ubuntu, you will also want to use the hostnamectl command mentioned earlier.  

# hostnamectl set-hostname host.newhostname.com

Once corrected, be sure to start the hostname service to see if the issue has been corrected. You can do so by running the command that we have included below. Afterward, we would recommend rebooting your server.  This is not always necessary, but in some cases, it is required.

# systemctl restart hostname  
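
A read-only check for the two causes named above, a syntax error in the hostname and a mismatch between /etc/hostname and /etc/hosts, written as an added example that is not part of the original article. The function names and sample files are constructed; with no arguments the check reads /etc/hostname and /etc/hosts.

```sh
#!/bin/sh
# Added example, not from the original article. Function names and sample
# files are constructed; the check only reads the files it is given.

# valid_hostname NAME: succeeds if NAME is syntactically valid (RFC 1123):
# at most 253 characters, dot-separated labels of 1-63 letters, digits or
# hyphens, and no label starting or ending with a hyphen.
valid_hostname() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 253 ] || return 1
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++)
            if (length($i) > 63 ||
                $i !~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$/) exit 1
    }'
}

# check_hostname_files [HOSTNAME_FILE] [HOSTS_FILE]
# Prints one line per problem and returns non-zero if any was found.
check_hostname_files() {
    hn_file=${1:-/etc/hostname} hosts_file=${2:-/etc/hosts} rc=0
    # The hostname file should hold exactly one non-blank, non-comment line.
    name=$(awk '!/^[ \t]*(#|$)/ { n++; v = $0 }
                END { if (n == 1) print v }' "$hn_file")
    if [ -z "$name" ]; then
        echo "$hn_file: expected exactly one hostname line"
        return 1
    fi
    valid_hostname "$name" ||
        { echo "$hn_file: '$name' is not a valid hostname"; rc=1; }
    # The hosts file should list the same name after an address.
    awk -v h="$name" '
        { sub(/#.*/, "") }                        # drop comments
        { for (i = 2; i <= NF; i++) if (("" $i) == ("" h)) found = 1 }
        END { exit !found }
    ' "$hosts_file" ||
        { echo "$hosts_file: no entry for '$name'"; rc=1; }
    return "$rc"
}

# Demo on constructed files: the hostname was changed but the hosts file
# still carries the old name, so one problem line is printed.
d=$(mktemp -d) && printf 'host.newhostname.com\n' > "$d/hostname" &&
    printf '127.0.0.1 localhost\n192.0.2.10 host.example.com host\n' > "$d/hosts" &&
    { check_hostname_files "$d/hostname" "$d/hosts" || echo "fix before rebooting"; }
rm -rf "$d"
```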

As always, Liquid Web customers enjoy 24/7 technical support with changing your hostname. Reach out to our sales team to see how you can get into our lightning-fast servers today!

 

How to Upgrade Ubuntu 16.04 to Ubuntu 18.04


If you are still using Ubuntu version 16.04, you may want to consider updating to the latest Long Term Support release, version 18.04. In this post, we will cover what a Long Term Support release is and why you would want to use it. You will also learn the significant changes between 16.04 and 18.04. Last, but not least, you will also learn how to upgrade your server from Ubuntu 16.04 to Ubuntu 18.04.


What are Common Commands to Update WordPress Using WP-CLI?

WP-CLI is a very handy set of commands. You can run anything that you would run in wp-admin on a WordPress site, but from the command line. WP-CLI includes useful commands for keeping WordPress core, plugins, and the default themes that come with WordPress updated.


Upgrading MariaDB 10.0 to 10.3.9 on Ubuntu 16.04

MariaDB is quickly becoming the de facto open-source database software to use in development, production, and even enterprise environments. Our very own Cloud Sites product uses the newest in MariaDB, as it’s mostly known for being a fork of and drop-in replacement for MySQL, which is created and maintained by the original MySQL developers.

MySQL Performance: Converting MySQL to MariaDB

As we explored in the previous article of our MySQL Performance Series, MySQL vs. MariaDB, there are very few downsides to using MariaDB over standard MySQL. Our high-availability MariaDBs have proven themselves to be a worthy successor with easily mitigated drawbacks. As the last article in our series, we will focus on upgrading to various MySQL and MariaDB versions on the following servers:

CentOS 6/7

Ubuntu 14.04/16.04


Updating PHP 5.6 to 7

PHP is a programming language that can run with Apache or Microsoft IIS and works with your server to execute the requests that make up your website. 88% of online sites run on soon-to-be-vulnerable PHP 5.X technology. At the close of this year, scheduled for Dec 31, 2018, security support will end for our dear old friend PHP 5.6, meaning bugs and security fixes will not be tended to, which could lead to security vulnerabilities.
Each PHP version gets supported actively for two years while the third year only gets critical security updates. Luckily, the PHP gods had smiled upon us and extended the life for just a year longer than the typical PHP version before giving us the new year deadline. For all of you developers out there wanting to know exactly what is changing, here’s a helpful migration guide from PHP 5.6 to PHP 7.X.


Going Live With Your Site in Managed WordPress Portal

Note: The instructions in this tutorial are for the Managed WordPress portal client; these instructions do not apply if you have a Liquid Web WordPress Server Optimized Template account.

Going live with your site is the last step in the process of migrating your WordPress sites into Liquid Web’s Managed WordPress portal. These instructions are for domains pointed to our DNS. To check where your name servers are pointed, visit this DNS checker and input your domain name. If your name servers point to ns.liquidweb.com and ns1.liquidweb.com, you can continue with the tutorial. Otherwise, you’ll want to update your A record’s IP with the outside name servers.