
WordPress SSL: The Importance Of A Secure Website

A secure website has become mandatory for every website. For example, Google announced back in September that, starting in January 2017, Google Chrome will warn visitors when a website is served over an insecure connection. One way to provide a secure website is to install an SSL certificate. An SSL (Secure Sockets Layer) certificate is a security technology used to establish an encrypted link between the server, the browser and the end user. We will focus on why an SSL certificate is important, specifically for WordPress.

WordPress SSL – When Should You Use SSL?

[Figure: HTTPS results on Google page 1 over two years. Source: Moz]

As mentioned above, Google announced that Chrome will warn visitors of insecure websites about the insecure connection. We forgot to mention that an insecure website will also be ranked lower in the search results page. For instance, all secure websites have been ranking higher than non-secure websites since the announcement. The real question is when you should implement an SSL certificate, and the answer is always. For one, a secure website encrypts all user data, so personal information is not easily accessible: a visitor fills in a form and the submitted data is encrypted. Second, if customers are entering credit card information, it is best to encrypt the card numbers. Encrypting the credit card details makes the numbers unreadable in transit, to humans and computers alike. Lastly, a WordPress SSL website will help rank the website higher in the search results page, and a small business needs every competitive edge.


What Does a WordPress SSL Protected Site Look Like?

How do you know you’re on a secure website? There are a couple of signals that identify whether a website is secure. For example, when browsing a website in Google Chrome, there is a green padlock with the text Secure. These two items are indicators of a secure website.

[Image: Chrome address bar showing the Secure padlock and an HTTPS URL]

When browsing a non-secure website, you will instead see an i within a circle. When you click on the i icon, you are greeted with a pop-up box that reads “Your connection to this site is not secure.” Knowing the difference will help you determine which sites are secure and which are not.

[Image: Chrome insecure connection notice]

How To Install An SSL Certificate

Knowledge is power, and we’ll help you install an SSL certificate on your WordPress website. For this example, we’ll be using SiteGround as our web host and a Let’s Encrypt certificate. First, perform a backup of the website. Second, store the backup somewhere easily accessible in case of emergency. Lastly, be sure you have the login credentials for both WordPress and your web host handy.

Log into your cPanel account. Under the Security section, find the Let’s Encrypt icon. Click on the Let’s Encrypt logo.

[Image: the Let’s Encrypt icon in cPanel]

You will land on the Let’s Encrypt SSL overview. Issue the certificate for your domain here, then toggle on HTTPS Enforce. Issuing the SSL certificate is the first step in making your website work properly over HTTPS.

[Image: Let’s Encrypt SSL overview in cPanel, https://www.siteground.com/img/knox/tutorials/uploaded_images/images/letsencrypt/cert3.jpg]

Once HTTPS Enforce has been toggled on, head over to your .htaccess file and add the following code. It forces an HTTPS connection on your website. Replace https://yourdomain.com with your actual domain name.

# Enable mod_rewrite and send every request that arrived on port 80 (plain HTTP)
# to the same path on https://yourdomain.com with a permanent (301) redirect.
# Place these lines above the "# BEGIN WordPress" block so they run first.
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]

If your website is in a subfolder, use this code instead:

# Same idea for a site that lives in a subfolder: this .htaccess sits in that
# folder, the extra condition matches only requests under it, and the captured
# path is re-attached after /folder/. Replace "folder" with the real folder name.
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} folder
RewriteRule ^(.*)$ https://yourdomain.com/folder/$1 [R=301,L]


There may be additional steps required, such as making sure all images load over HTTPS and securing third-party code snippets like Google Analytics, or any other element of the website that still references an http:// URL.
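Two things are worth checking once the rules above are in place: that plain-HTTP requests really arrive at the same page over HTTPS, and that the page itself no longer loads images, stylesheets or scripts over http:// (the “additional steps” just mentioned). The Python below is an added example, not code from the original post or from SiteGround; it uses yourdomain.com as a placeholder and constructed sample data, and only its probe_redirect() helper would touch the network:

```python
"""Two checks to run after enabling HTTPS: does the http:// redirect behave,
and does the page still embed anything over plain http:// (mixed content)?
All sample data is constructed; yourdomain.com is a placeholder domain.
Only probe_redirect() touches the network, and nothing below calls it."""
import http.client
from html.parser import HTMLParser
from urllib.parse import urlsplit


def check_redirect_hop(request_url, status, location):
    """Validate one redirect hop for a request made over plain HTTP.

    A correct enforcement redirect is permanent (301 or 308), lands on https://
    at the same host, and keeps path and query intact so deep links and
    bookmarked URLs keep working. Returns (ok, list_of_problems).
    """
    problems = []
    if status not in (301, 308):
        problems.append(f"status {status}: expected a permanent redirect (301/308)")
    if not location:
        problems.append("no Location header")
        return False, problems
    req, loc = urlsplit(request_url), urlsplit(location)
    req_path, loc_path = req.path or "/", loc.path or "/"
    if loc.scheme != "https":
        problems.append(f"Location scheme is {loc.scheme!r}, not https")
    if loc.hostname != req.hostname:
        problems.append(f"host changed from {req.hostname} to {loc.hostname}")
    if loc_path != req_path:
        problems.append(f"path changed from {req_path!r} to {loc_path!r}")
    if loc.query != req.query:
        problems.append("query string was dropped or altered")
    return not problems, problems


def probe_redirect(host, path="/", timeout=5):
    """Ask the plain-HTTP listener for `path` without following the redirect.
    Returns (status, location_or_None). This helper does use the network."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


class MixedContentScanner(HTMLParser):
    """Collect http:// URLs in attributes that load sub-resources.
    Plain <a href> links are not mixed content and are ignored."""

    RESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("link", "href"),
                      ("iframe", "src"), ("source", "src"), ("video", "src"),
                      ("audio", "src"), ("object", "data"), ("embed", "src")}

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if ((tag, name) in self.RESOURCE_ATTRS and value
                    and value.strip().lower().startswith("http://")):
                self.insecure.append((tag, value.strip()))


def find_mixed_content(html):
    """Return [(tag, url), ...] for every sub-resource still loaded over http://."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.insecure


# Constructed redirect hops, as `curl -I http://...` would report them.
SAMPLE_HOPS = [
    ("http://yourdomain.com/blog/post-1?utm_source=x", 301,
     "https://yourdomain.com/blog/post-1?utm_source=x"),            # correct
    ("http://yourdomain.com/shop", 302, "https://yourdomain.com/"),  # temporary, drops the path
]

# Constructed page: the stylesheet and the logo are still plain http://.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://yourdomain.com/wp-content/themes/demo/style.css">
<script src="https://www.google-analytics.com/analytics.js"></script>
</head><body>
<img src="http://yourdomain.com/wp-content/uploads/logo.png">
<a href="http://yourdomain.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for url, status, location in SAMPLE_HOPS:
        ok, problems = check_redirect_hop(url, status, location)
        print(url, "OK" if ok else "; ".join(problems))
    for tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
```

To run it against a live site, feed the result of probe_redirect("yourdomain.com", "/some/page") into check_redirect_hop and the fetched HTML into find_mixed_content; the constructed data above only shows the shape of the output.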

Conclusion

A secure website is a must: any type of website should have an SSL certificate. A secure website ensures numerous benefits. First of all, Google and other search engines rank secure websites higher in the search results page. Also, a secure website encrypts customer data. Lastly, we presented a tutorial on how to add a certificate. Good luck, and let’s chat in the comments if you run into any issues!

WordPress Security Tips For Businesses

WordPress security should be a high priority for every WordPress site, even though it is often treated as an afterthought.

WordPress security has always been a hot topic for discussion. A lot of customers we interact with are concerned about WordPress vulnerabilities. We’re here to tell you that WordPress, like all other platforms, is not invincible. However, if you keep plugins, themes, and WordPress core up to date, you’re already winning half the battle. We’ll discuss some important tips for hardening a WordPress website. In addition, we’ll provide WordPress security plugins to help along the way.

Host Your Website With A Great Web Host

We’ve dealt with plenty of different hosting vendors. We don’t like saying this out loud, but some are lousy, while others are really top notch. When we perform an audit, or a customer is having issues with their website, we always like to review the host the customer is on. Almost half of all websites that are compromised are compromised through their web host. What do we mean? A staggering 41% of hacked websites were breached through a security vulnerability found on their hosting platform. The statistic is astonishing! There are numerous steps you can take to help harden your website. For starters, always check whether a web host supports the latest PHP version; chances are the answer is yes. Perform some due diligence and ask questions. Verify with the hosting company whether a WordPress firewall is included; a firewall provides a layer of security in front of your website. We highly recommend you shop around to see what host suits your needs and budget.

Stronger Login Credentials

Don’t make an attacker’s life easy by using a simple password. Use a password that is hard to guess. There have been plenty of times when a customer was using a password that was oversimplified; we won’t embarrass any of our customers because we love them too much. A good rule of thumb is a password 12 – 14 characters in length. Throw in some special characters such as exclamation points, question marks, and asterisks. Don’t get cute and use numbers for letters; everyone has caught on to that game. Add some numbers to the mix as well. The more complex the password, the better. A random password generator can also be used: there are numerous sites that will randomly generate passwords for you. Use the generator and store the passwords in a secure place.

Back in the old days of WordPress, the default username “admin” was used to create the administrator account for the WordPress site. Fast forward to the present, and the administrator can choose any username, yet we still see WordPress websites using “admin” as the primary administrator account. Stop! The problem with using “admin” is that attackers already know it. You’ve already provided the directions to the house; all an attacker needs to figure out is the password, and chances are they will. The best way to keep the WordPress login secure is to change the username to something unique. The more unique, the better off you are.

Remember, strong login credentials are a must have. A hard-to-guess password coupled with a unique username makes an attacker’s life more difficult. If you really want to remain secure, change passwords on a scheduled basis. Practice safe security with complex passwords and unique usernames.
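As an added illustration of the rules above (not code from the original post), the Python below checks a password for length, digits and special characters, undoes the common numbers-for-letters swaps before comparing against a small word list, flags the predictable usernames, and generates passwords with the operating system’s CSPRNG. The word lists and sample passwords are constructed for the example:

```python
"""Credential hygiene checks following the rules above: 12 or more characters,
digits and special characters, no letter-for-number substitutions hiding a
common word, and no predictable administrator username. Word lists and
sample inputs are constructed for illustration."""
import re
import secrets
import string

# Constructed mini-dictionary; a real check would consult a large breached-password list.
COMMON_WORDS = {"password", "admin", "wordpress", "welcome", "letmein", "qwerty"}
# Constructed list of usernames that guessing tools try first.
PREDICTABLE_USERNAMES = {"admin", "administrator", "root", "test", "user", "wordpress"}

# Undo the usual "numbers for letters" swaps so P@55w0rd is judged as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def deleet(password):
    """Lower-case the password and reverse common symbol/number substitutions."""
    return password.lower().translate(LEET_MAP)


def check_password(password, min_length=12):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^\w\s]", password):
        problems.append("no special characters")
    plain = deleet(password)
    for word in sorted(COMMON_WORDS):
        if word in plain:
            problems.append(f"contains {word!r} once number/letter swaps are undone")
    return problems


def check_username(username):
    """True when the username is not one attackers will try first."""
    return username.strip().lower() not in PREDICTABLE_USERNAMES


def generate_password(length=16):
    """Random password from the OS CSPRNG that also satisfies check_password()."""
    alphabet = string.ascii_letters + string.digits + "!?*#%&+-_=:"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["P@55w0rd!", "Summer2017", "wordpress!Admin1", generate_password()]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    print("username 'admin' acceptable?", check_username("admin"))
```

The de-leeting step is what makes the “numbers for letters” advice enforceable: without it, P@55w0rd! passes a naive complexity check despite being a dictionary word.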

Limit Login Attempts

We stay with the login theme for another helpful tip. There are scripts and plugins that can limit login attempts; we’ll discuss the plugin route in detail. A well-reviewed plugin that limits login attempts is Login Security Solution. The plugin provides many different features, from limiting login attempts on a WordPress site to blocking brute force attacks against the login. In a brute force attack, automated software generates a large number of consecutive guesses at the value of the desired data; in our case, the attacker is guessing the username and password to force their way into the website’s back end. The Login Security Solution plugin has a setting that recognizes this type of attack and shuts out the attacker without affecting real administrators. After multiple failed attempts, the likelihood of the attacker moving on to an easier site increases. Another plugin, which we’ll discuss in another blog post, is WordFence. As a quick overview, WordFence is a robust plugin that provides many WordPress security features, including limiting login attempts. Install the Limit Login Attempts plugin; we know it will help in the long run.
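To show what a limit-login-attempts rule does from the server’s side, here is an added example (not the plugin’s code, nor from the original post) that runs the same lockout logic over web-server access log lines. It relies on a WordPress behaviour you can verify on any site: a failed POST to wp-login.php returns HTTP 200 with the form re-rendered, while a successful one returns a 302 redirect to the dashboard. The log lines, the documentation-range IP addresses and the threshold of five failures in ten minutes are constructed for the example:

```python
"""Brute-force detection over web-server access logs: the server-side view of
what a limit-login-attempts plugin does inside WordPress. A failed POST to
wp-login.php is answered with HTTP 200 (form re-rendered); a successful login
is a 302 redirect, which lets the access log tell the two apart.
Log lines below are constructed; the IPs come from documentation ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts_raw": m["ts"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_failed_login(event):
    """A failed login is a POST to wp-login.php answered with 200 (302 = success)."""
    return (event["method"] == "POST"
            and event["path"].split("?")[0] == "/wp-login.php"
            and event["status"] == 200)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: timestamp_of_lockout} for every client that reached `threshold`
    failed logins inside a sliding `window`. Mirrors a plugin lockout rule."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    locked = {}
    for line in lines:
        event = parse_line(line)
        if event is None or not is_failed_login(event) or event["ip"] in locked:
            continue
        failures = recent[event["ip"]]
        failures.append(event["ts"])
        while failures and event["ts"] - failures[0] > window:   # expire old failures
            failures.popleft()
        if len(failures) >= threshold:
            locked[event["ip"]] = event["ts_raw"]
    return locked


# Constructed sample: one client guesses six times in 30 seconds, a real user
# mistypes once and then logs in (302), and a plain GET of the login page is noise.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2017:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2017:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2017:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2017:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2017:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2017:12:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2017:12:00:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2017:12:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2017:12:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"lock out {ip}: fifth failed login at {when}")
```

Behind a proxy or CDN the logged address is the proxy’s, not the visitor’s; count on the forwarded client address only when the proxy is trusted to set it, otherwise one noisy client locks everybody out.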

Use Common Sense

When it comes to making sure the website is secured, use common sense. Don’t give out login credentials to strangers. Don’t ever add another administrator to your WordPress site. Do not give strangers FTP access. Be wary of people around you, and make sure no one is watching you enter your credentials into your website. If something doesn’t feel right, do not do it; listen to your gut. Practice secure credential transfers by emailing the username and texting the password to the other party. This helps keep your username and password from being exposed together on the internet. Using common sense can go a long way.

WordPress security is a concern website owners should take seriously. Having the website hardened by a WordPress professional is something a business should consider. One WordPress security topic we didn’t discuss much is performing regular website backups. We actually have a blog post dedicated to WordPress backups, and we highly recommend you read it to get caught up on the best practices for backing up and find out which plugins we recommend. If you have any questions, be sure to comment below and we’d be happy to answer!

WordPress 4.4.2 Release

Earlier this week WordPress 4.4.2 was released as a security and maintenance update. All websites running WordPress 4.4.1 or earlier are strongly recommended to back up the entire website and apply the 4.4.2 update immediately. Two security issues were found in WordPress 4.4.1 and earlier, and we’d like to discuss the two vulnerabilities in more detail for educational purposes.

The two issues were a Server-Side Request Forgery (SSRF) for certain local URIs and an open redirect.

SSRF is a vulnerability that appears when an attacker can make the vulnerable server issue requests on their behalf. In layman’s terms, an attacker can use SSRF to reach internal systems that are not accessible from the outside world, and potentially gain access to sensitive information stored on the website. You can see why WordPress wanted all of its websites to update immediately.

The second vulnerability, an open redirect, would allow an attacker to send the website’s visitors to another destination. For example, if a website is hit with an open redirect, it would take the user to another website. A good analogy is someone who redirects users who are heading to destination A to destination B instead. Destination B can be any number of end points, from a program that installs malicious software to the computer being hijacked and demanding one’s credit card. The end game is not ideal for the less technically savvy individual.
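To make the two vulnerability classes concrete, here is an added example of the decisions a fix has to make; it is illustrative Python, not the WordPress 4.4.2 patch or any WordPress code. The SSRF side decides which hosts a server-side fetch may reach, resolving the hostname and rejecting anything internal; the open-redirect side accepts only targets that stay on the site. Hostnames, resolver answers and yourdomain.com are constructed placeholders:

```python
"""Defensive checks for the two vulnerability classes described above. Not the
WordPress 4.4.2 patch, just an illustration of what each fix has to decide:
which hosts an outbound request may reach (SSRF), and which redirect targets a
site may honour (open redirect). Hostnames and resolver answers are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(ip_text):
    """True for loopback, RFC 1918, link-local, unspecified, multicast and
    reserved addresses, IPv4 or IPv6."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def system_resolve(host):
    """Every address the OS resolver returns for host (network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, resolve=system_resolve):
    """Decide whether a server-side fetch of `url` is safe. Returns (ok, reason).
    Checks scheme, embedded credentials, port, and every resolved address."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed"
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]   # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = resolve(parts.hostname)
        except OSError:
            return False, "host does not resolve"
    for addr in addrs:
        if is_internal_address(addr):
            return False, f"{parts.hostname} resolves to internal address {addr}"
    return True, "ok"


def safe_redirect_target(target, site_host, fallback="/"):
    """Return `target` only if it stays on this site; otherwise `fallback`.
    Accepts a path beginning with a single '/', or an absolute http(s) URL whose
    host is exactly `site_host`. Rejects protocol-relative '//host', backslash
    variants that browsers normalise to '//', and any other scheme."""
    if not target:
        return fallback
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        if target.startswith("/") and not target.startswith("//") and "\\" not in target:
            return target
        return fallback
    if parts.scheme in ALLOWED_SCHEMES and parts.hostname == site_host.lower():
        return target
    return fallback


# Constructed resolver answers standing in for DNS.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.example": ["10.0.0.12"],
    "localhost": ["127.0.0.1"],
}


def fake_resolve(host):
    """Offline stand-in for system_resolve()."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"{host} not found")


if __name__ == "__main__":
    for url in ["https://example.com/feed", "http://127.0.0.1/", "http://169.254.169.254/",
                "http://intranet.example/", "file:///etc/passwd", "http://[::1]/"]:
        print(url, validate_outbound_url(url, resolve=fake_resolve))
    for target in ["/wp-admin/", "//evil.example/", "https://yourdomain.com/wp-admin/",
                   "https://evil.example/", "javascript:void(0)"]:
        print(repr(target), "->", safe_redirect_target(target, "yourdomain.com"))
```

Resolving the name and then connecting separately leaves a window in which the DNS answer can change, so a production SSRF fix should connect to the address it vetted and re-validate after any HTTP redirect the fetched server returns.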

In addition to plugging two major security holes, the WordPress 4.4.2 release resolved 17 bugs from versions 4.4 and 4.4.1. Feel free to browse the 17 WordPress bug fixes on the official website.

We highly recommend that all WordPress websites stay up to date with the latest releases. We discussed in another blog post the importance of keeping all WordPress components updated; it is a good read about why it’s important to keep WordPress updated and how you can prevent malicious attacks on a WordPress website.