How To Secure Your WordPress Site

Reading Time: 4 minutes

WordPress is one of the most popular Content Management Systems on the Internet. Because of its popularity, it is also a frequent target for attackers. We’re here to show you our top 5 recommendations on how to secure your WordPress site, based on issues we’ve come across.

1. Keep WordPress Up to Date!

Our number one and top recommendation is to keep WordPress up to date! WordPress is a very active platform and updates come out regularly for it. The updates include many new features and changes in the backend, but also patch many bugs and exploits that the WordPress team finds. Just take a look at the releases and patch notes on https://wordpress.org/news/ sometime to get an idea of how much work gets put into finding and fixing these problems!

Being even just one or two versions behind can leave your site open to hackers that analyze the updates, create exploits, and go looking for outdated sites across the Internet. The longer a site isn’t updated, the more exploits and vulnerabilities are out there, and the increased likelihood that your site could be compromised.

The same rule applies to your plugins and themes: make sure those are all kept up to date for the same reasons. Which brings us to item two on our list!

2. Review your Plugins and Themes!

WordPress is great because plugins can quickly and easily add new features and customize your site, and themes can give your site a professional appearance in a matter of seconds, but if they are not properly maintained, they can lead to problems down the road.

First, just remove any plugins and themes you don’t need. You could leave them disabled, but outright removing them is a safer option as the files wouldn’t be sitting on your server. Even if it’s disabled, it could still potentially be reached if an exploit can gain access to the files.

A side effect of removing unneeded plugins is that it can actually speed up your site as well!

After removing any plugins and themes you don’t need, make sure to keep the ones you have left updated. WordPress can generally check for updates right in the admin area, but if you bought a plugin from a third-party source, make sure to check with them for any updates. It is also a good idea to visit the website of each plugin and theme, or check reviews on other sites, to make sure development is still active and that there are no known vulnerabilities.

3. Protect your logins!

Having your site publicly accessible on the Internet means customers and potential clients can reach it, but so can bots and people with malicious intentions! By default, visiting yourdomain.com/wp-login.php or yourdomain.com/wp-admin brings up the WordPress login page. If you try that on any of your sites and you get the login page, it’s highly recommended that you use a plugin to change where you go to log in.

WordPress does have some general security that blocks attempts after a few failed logins, but if thousands of bots are all trying to log in and guess passwords, why even give them the chance to try? Make sure you use strong passwords, don’t reuse the same username and password in multiple locations, and go through your WordPress users to make sure they are all still valid. For example, if you gave a developer access years ago, you probably don’t need that user sitting around any more.

4. Install protection plugins

I know I said to reduce your plugins earlier, but I would recommend having some plugins to block malicious connections, monitor suspicious activity, and scan site files for malware. We recommend iThemes Security, as it offers a lot of different features in just a single plugin, but you can look up what’s popular and read other reviews to help you decide on what would be the best fit with your site. For example, if you have a site where users can upload data, it would be a good idea to scan those files as they are being uploaded and block or at least report any that trigger warnings in a plugin that scans for viruses and malware.

Depending on how much protection you need, paid options are recommended over free ones: they tend to offer more features and newer malware definitions, which improves the chances that newer exploits are blocked as well.

5. Make sure you have good backups

Having good backups isn’t exactly a proactive step for protecting your site, but it is a reactive step that can greatly help if the need arises. It’s a good idea for any business that relies on the data on its site. Think about all the orders, profiles, records, logs, and any other important information stored on your site, then imagine that the whole site is lost, whether to a hard drive crash or to malicious code injected somewhere that destroys the data. If you have no backups at all to restore from, then depending on the nature of your business this may mean hundreds of work hours for a team to rebuild the site, lost revenue, lost customers, and a major hit to your site’s reputation.

If you did have backups, depending on the frequency of the backups and how quickly the problem was noticed and rolled back, there may be little to no data loss, customers may not notice, and the site can quickly bounce back.

We highly recommend having multiple backups taken over a period of time. The more backups you have the more options you would have to restore from. Having only one daily backup could cause problems if an issue isn’t noticed until three days after it happens. Active sites may need continuous backups compared to a static site that maybe hasn’t changed in months.

Storing your backups in different locations also spreads out your available backup copies. If a dedicated backup hard drive failed, you would still have remote backups saved on a different service that wouldn’t be affected. Think of it as not putting all your eggs in one basket! For more information on good backup practices, see Best Practices: Developing a BackUp Plan.

Hopefully, you gained something useful from this article! If you or a friend are in the market for a web host, feel free to talk to a Liquid Web tech by phone or in a chat 24 hours a day! Thanks for reading!

How To Verify WordPress Checksums Using WP-CLI

Reading Time: 2 minutes

If you do not keep your site’s plugins and WordPress core updated, you run the risk of your site being hacked or infected by malware. If your site does get infected, an easy way to find any non-standard WordPress core and plugin files is to use the verify-checksums commands in WP-CLI (the WordPress Command Line Interface).

Preparing to Run Commands

First, you will need to log in to your portal via SSH. For directions on generating SFTP/SSH credentials from your site manager, see Finding Your SFTP/SSH Credentials in Managed WordPress Portal. For help using SSH, see Logging into Your Server via Secure Shell (SSH).

Getting Started

Security plugins have definite uses, but when you need to verify WordPress core and all installed plugins against the WordPress.org checksums, plugins are just not the appropriate tool. WP-CLI already has checksum commands for both WordPress core and plugins.

Checksums Commands

  • To verify that all WordPress core files checksum match, the WP-CLI command to run is:

wp core verify-checksums

  • To verify checksums against a specific version of WordPress, you can include the version number in the command. To verify version 5.2.1 of WordPress core, for example, the command would be:

wp core verify-checksums --version=5.2.1

  • If you were using an older version of WordPress, for example version 4.9.10, the command would be:

wp core verify-checksums --version=4.9.10

  • To verify the checksums of all plugins installed on your site (this only covers plugins available from the WordPress.org plugin directory), the command to run would be:

wp plugin verify-checksums --all

  • To verify the checksums of a specific plugin (e.g., WooCommerce), you will need to know the plugin “slug” (its short name). You can find the slug in the plugin’s URL on the WordPress.org plugin directory.

The plugin slug for WooCommerce is woocommerce, so to verify the checksums of the WooCommerce plugin, the command would be:

wp plugin verify-checksums woocommerce

Summing Up

The files that the core and plugin verify-checksums commands in WP-CLI display are the non-standard PHP or other files that should not exist in the WordPress folders. Those files should be deleted (it’s always a good idea to take a backup before deleting data from your server), and then you can rerun the same verify-checksums commands to confirm that no other files remain that should not exist on your site.
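WP-CLI reports each problem file on its own warning line, and it distinguishes a core file whose contents no longer match the published checksum from a file that should not exist at all. The script below is an added example (not from the article or from WP-CLI) that sorts those warnings into two lists so the two cases can be handled differently; the exact warning wording it matches on is an assumption about current WP-CLI output, and the sample output it parses is constructed, not taken from a real site.

```shell
#!/bin/sh
# Added example: split `wp core verify-checksums` warnings into "modified" core
# files (restore from the official release) and "unexpected" extra files
# (review, back up, then delete). Assumption: WP-CLI prints the two message
# forms matched below, and it prints them on stderr.

# classify_checksum_output MODIFIED_LIST UNEXPECTED_LIST
# Reads WP-CLI output on stdin, writes one path per line into the two list
# files, and prints a summary such as "modified=1 unexpected=2".
classify_checksum_output() {
  modified_list="$1"
  unexpected_list="$2"
  : > "$modified_list"
  : > "$unexpected_list"
  while IFS= read -r line; do
    case "$line" in
      "Warning: File doesn't verify against checksum: "*)
        printf '%s\n' "${line#*checksum: }" >> "$modified_list" ;;
      "Warning: File should not exist: "*)
        printf '%s\n' "${line#*exist: }" >> "$unexpected_list" ;;
    esac
  done
  printf 'modified=%s unexpected=%s\n' \
    "$(wc -l < "$modified_list" | tr -d ' ')" \
    "$(wc -l < "$unexpected_list" | tr -d ' ')"
}

# Constructed sample of what a tampered install might produce (not real output
# from any site): one altered core file and two files that do not belong.
SAMPLE_OUTPUT="Warning: File doesn't verify against checksum: wp-includes/version.php
Warning: File should not exist: wp-content/uploads/2019/06/cache.php
Warning: File should not exist: wp-admin/css/.hidden.php
Error: WordPress installation doesn't verify against checksums."

# Against a live site, replace the sample with the real command, merging stderr:
#   wp core verify-checksums 2>&1 | classify_checksum_output modified.txt unexpected.txt
run_sample() {
  workdir=$(mktemp -d)
  printf '%s\n' "$SAMPLE_OUTPUT" |
    classify_checksum_output "$workdir/modified.txt" "$workdir/unexpected.txt"
  echo "Files to review before deleting:"
  cat "$workdir/unexpected.txt"
}
```

Call run_sample to see the constructed case; the unexpected list is the one to review and remove after a backup, while anything in the modified list should be replaced with a clean copy of the same WordPress version rather than deleted.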

Knowing how to verify the checksums of WordPress core files, of all plugins installed from WordPress.org, and of specific plugins installed from WordPress.org using these simple WP-CLI commands will give you peace of mind that no non-standard files exist in those directories.

5 Android/iPhone Apps for IT Admins

Reading Time: 3 minutes

As administrators of our servers, we may find ourselves needing to do certain things while on the go, without a laptop or PC within reach. But one thing most of us have at all times is a cell phone, and whether it runs Android or iOS, it has a constant connection to the Internet. That constant connection makes it simple to use various apps that assist with admin tasks from our smartphones. Here is a list of five applications available on both iPhone and Android. If you are interested in checking them out, click on your phone’s type next to the application name, or search for these applications by name in your smartphone’s app store.

Delete Posts and Comments from Action Scheduler

Reading Time: 2 minutes

The Action Scheduler is a background-processing job queue runner built into WooCommerce core. A number of plugins use the Action Scheduler, WooCommerce Subscriptions and WooCommerce Follow-Ups being two of the best known.

WP-CLI makes it easy to delete posts and comments which have been created by the Action Scheduler in WooCommerce. There may be cases where the Action Scheduler might create a large number of posts and comments on your live site, and you want to clear up the data from the site’s database.


Delete Comments from Action Scheduler

To delete comments created by the Action Scheduler, you can run this command:

wp comment list --field=comment_ID --post_author=ActionScheduler --number=1000 | xargs wp comment delete --force

The value passed to --number can be raised to 2000 or higher if you have more comments that need to be deleted.

Delete Bulk Posts from Action Scheduler

To delete all of the scheduled-action posts, you can run this command:

wp post list --field=ID --post_type=scheduled-action --posts_per_page=1000 | xargs wp post delete --force

The value passed to --posts_per_page can be raised to 2000 or higher if you have more posts that need to be deleted.

Delete Scheduled Action Posts

To delete all of the scheduled-action posts with a post status of trash, you can run this command:

wp post list --field=ID --post_type=scheduled-action --posts_per_page=1000 --post_status=trash | xargs wp post delete --force

Delete Bulk Scheduled Actions

To delete all of the scheduled-action posts with a post status of cancel, you can run this command:

wp post list --field=ID --post_type=scheduled-action --posts_per_page=1000 --post_status=cancel | xargs wp post delete --force
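Each of the one-shot commands above deletes at most --posts_per_page rows, which is why the article suggests raising the number by hand. The loop below is an added example (not from the article or from WooCommerce) that repeats list-then-delete until the query returns nothing, and stops rather than spinning if the same IDs come back twice; it assumes wp is on PATH and is run from the WordPress root, as the commands above are.

```shell
#!/bin/sh
# Added example: delete scheduled-action posts of one status in batches until
# none remain, instead of guessing a large enough --posts_per_page value.
# Assumes `wp` is on PATH and the working directory is the WordPress root.

# delete_scheduled_actions STATUS [BATCH]
# Deletes scheduled-action posts with the given post status in batches of BATCH
# (default 500) and prints the total number deleted. Returns non-zero if wp
# fails or if a batch is listed again after being "deleted", so the loop can
# never run forever against a query that does not shrink.
delete_scheduled_actions() {
  status="$1"
  batch="${2:-500}"
  total=0
  prev_ids=""
  while :; do
    ids=$(wp post list --field=ID --post_type=scheduled-action \
            --post_status="$status" --posts_per_page="$batch") || return 1
    [ -n "$ids" ] || break
    if [ "$ids" = "$prev_ids" ]; then
      echo "same IDs returned twice for status '$status'; stopping" >&2
      return 1
    fi
    prev_ids="$ids"
    # IDs are numeric, so word-splitting the list here is safe and intended.
    # shellcheck disable=SC2086
    wp post delete --force $ids >/dev/null || return 1
    count=$(printf '%s\n' "$ids" | wc -l | tr -d ' ')
    total=$((total + count))
  done
  echo "$total"
}

# Example run (call `main` to execute): clear the trash and cancel statuses
# that the two commands above target, reporting how many rows were removed.
main() {
  for status in trash cancel; do
    deleted=$(delete_scheduled_actions "$status" 1000) || {
      echo "wp failed while clearing status '$status'" >&2
      exit 1
    }
    echo "$status: deleted $deleted scheduled-action posts"
  done
}
```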


Using a mix of these commands, you will be able to delete posts and comments easily, using WP-CLI on your site. It will also keep your site database clean, allowing it to run more efficiently. Take the work out of maintaining your WordPress site with our Managed WooCommerce product. Our WooCommerce platform comes with free iThemes plugins curated especially for online stores.

8 WP-CLI Commands to Clean Up and Optimize your Site

Reading Time: 2 minutes

Want to clean up your WordPress site without having to add multiple plugins? With WP-CLI, you can run many useful commands to clean up your database and other elements of your site. In this post, many of the most common tasks are covered.


What are Common Commands to Update WordPress Using WP-CLI?

Reading Time: 2 minutes

WP-CLI is a very handy set of commands. You can do anything from the command line that you would otherwise do in wp-admin on a WordPress site. WP-CLI provides useful commands for keeping WordPress core, plugins, and the default themes that ship with WordPress up to date.


Troubleshooting: Too Many Redirects

Reading Time: 7 minutes

The error “too many redirects” means that the website keeps being redirected between different addresses in a way that will never complete. Often this is the result of competing redirects, one trying to force HTTPS (SSL) and another redirecting back to HTTP (non-SSL), or between www and non-www forms of the URL.


Reset Your WordPress Admin Password

Reading Time: 1 minute

Whether it’s a hacked site or a lost password, you may find that you are locked out of your WordPress admin control panel. If you’ve forgotten your password or don’t have access to the email address that the “Lost your password?” link sends to, you still have one more option: the database! The WordPress database stores every user’s username, hashed password, and email address, and it can be edited through a database client like phpMyAdmin. In this tutorial, we’ll show you how to edit the email address and change your user’s password.


How To Change Website Name in WordPress

Reading Time: 2 minutes

You may have noticed, when transferring a website, that the URL is still stuck on the old site even though you have changed the virtual host file to reflect the new domain name. Or you may see the URL entirely greyed out in your WordPress portal. This mismatch happens when you can’t change the URL within WordPress to reflect the new site name. In this tutorial, we will show you how to change the URL through the database.