Today on episode 18 of Web Hosting Podcast, I continue the discussion of the WordPress hack dissection. Since the last episode I have been asked about ways to harden and secure a WordPress install and what I recommend for managing updates. Also in this episode, GDPR (General Data Protection Regulation): are you ready for the coming changes on May 25th?
GDPR: new rules for the EU take effect May 25th, 2018 – Official Link
The most important pieces that change here
WordPress 4.9.6 was released with GDPR specifically in mind. Release Notes
Simple ways to keep your WordPress install safer.
- Keep your WordPress install updated. Plain and simple. Have an update schedule and stick to it. Some plugins require the WordPress core to be updated before the plugin itself is allowed to update. If you are on an old version of WordPress, it is very likely your plugins are outdated as well and may contain known vulnerabilities that are used to hack your site.
- Don’t use plugins that are outdated or no longer maintained. These can easily carry old, publicly known vulnerabilities that leave you open to a hack, and they will never be patched. A plugin can also be purchased by a hacker group, which has happened, and they add malicious code to compromise your install. If you see a plugin that has had no updates for many years and then suddenly gets one update, be wary.
- Use strong passwords and don’t use the default username “admin”.
- Use a plugin to block failed login attempts.
- Move the wp-admin URL to something else.
- Ensure the PHP version you are using is still being maintained. If you are on the PHP 5.x series, you really should migrate to PHP 7.x.
- Use common sense. Don’t log in to your WordPress site, even over HTTPS, on shared Wi-Fi: coffee shops, bars, the mall, etc. Even over HTTPS, information can be intercepted.
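The first few items on that list (pending updates, unused plugins, a PHP 5.x runtime, the default admin account, weak passwords) can be checked mechanically rather than by eyeballing the dashboard. The following script is an added example for these show notes, not code from the podcast, WordPress or ManageWP. It assumes the JSON that the real WP-CLI commands `wp plugin list --format=json` and `wp user list --format=json` emit (the `name`, `status`, `update`, `version`, `user_login` and `roles` fields); the sample records below are constructed for the demo so it runs offline.

```python
"""Offline hygiene audit for a WordPress install.

Added example; the input format mirrors WP-CLI's JSON output (assumed field
names: name/status/update/version for plugins, user_login/roles for users).
"""
import json
import re

# Constructed sample: what `wp plugin list --format=json` might return.
SAMPLE_PLUGINS = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.0.8"},
    {"name": "old-gallery", "status": "active", "update": "available", "version": "1.2"},
    {"name": "unused-seo", "status": "inactive", "update": "available", "version": "0.9"},
])

# Constructed sample: what `wp user list --format=json` might return.
SAMPLE_USERS = json.dumps([
    {"user_login": "admin", "roles": "administrator"},
    {"user_login": "editor_jane", "roles": "editor"},
])


def plugins_needing_attention(plugins_json):
    """Plugins with an update pending, plus inactive ones.

    Inactive plugins still ship code on disk; the episode's advice is to
    remove what you do not use, not merely deactivate it.
    """
    findings = []
    for p in json.loads(plugins_json):
        if p.get("update") == "available":
            findings.append(f"{p['name']}: update available (installed {p['version']})")
        if p.get("status") == "inactive":
            findings.append(f"{p['name']}: inactive, remove if unused")
    return findings


def php_is_supported(version):
    """True when the PHP major version is 7 or newer (the episode's 5.x -> 7.x advice)."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable PHP version: {version!r}")
    return int(m.group(1)) >= 7


def default_admin_accounts(users_json):
    """Logins that use the well-known default administrator name."""
    return [u["user_login"] for u in json.loads(users_json)
            if u["user_login"].lower() == "admin"]


def password_is_strong(password, min_length=14):
    """Minimal policy: minimum length plus three of four character classes."""
    classes = [re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"\d", password), re.search(r"[^\w\s]", password)]
    return len(password) >= min_length and sum(1 for c in classes if c) >= 3


def audit(plugins_json, users_json, php_version):
    """Collect every finding as a list of strings; an empty list means nothing flagged."""
    findings = list(plugins_needing_attention(plugins_json))
    if not php_is_supported(php_version):
        findings.append(f"PHP {php_version} is a 5.x release; migrate to 7.x")
    for login in default_admin_accounts(users_json):
        findings.append(f"user '{login}': rename the default admin account")
    return findings


if __name__ == "__main__":
    # With the constructed samples and PHP 5.6.40 this prints five findings.
    for line in audit(SAMPLE_PLUGINS, SAMPLE_USERS, "5.6.40"):
        print("-", line)
```

Run it from cron after piping the two WP-CLI commands into files, and treat any non-empty result as a to-do for your update schedule; the password check is only meaningful at account creation time, since WordPress stores hashes, not passwords.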
If you are new to WordPress and managing updates, you can use an external management application that provides additional services. I personally use managewp.com for this task. It has many features (listed below) and is 100% free for unlimited domains. Best of all, well maybe not best, they gave Web Hosting Podcast a coupon code to use after you sign up. Use WHPOD after you enter your billing details; this will apply $10 to your account so you can try the paid options for nothing.
Initial questions about managewp that I am often asked by listeners and pretty much anyone that will tolerate me talking about this product.
Q: Why would I want to use it?
Q: How difficult is it to sign up?
Q: Do I need to be a techie to set it up?
Q: How much for basic services?
Q: How much is x feature?
Q: Can I get help?
Q: Is it secure?
Current pricing for a site is free for unlimited domains. This free plan includes the following addons.
- manage updates, plugins and themes
- Monthly Cloud Backup
- 1-click login
- Performance Check
- Security Check using Sucuri
- Analytics with Google
- Manage Comments
- Code Snippets
- Maintenance Mode
- Client Report
- Vulnerability Updates
The following addons are paid options per month per site. Total price for all Premium addons is $8/mo.
- Premium Backups $2 + $0.13 per GB of traffic.
- Clone (requires Premium Backups)
- Safe Updates (requires Premium Backups)
- Templates (requires Premium Backups if creating a template from a current site)
- White Label $1
- SEO Ranking $1
- Uptime Monitor $1
- Advanced Client Report $1
- Automated Security Check $1
- Automated Performance Check $1
Plugins I currently use the paid versions of:
Premium Backup – I schedule a nightly backup to their backup location and a weekly backup to DropBox. I also use “safe updates”, which allows me to perform a backup before I run an update, then compare screenshots from before and after the update to determine if I need to roll back.
Security – This allows me to schedule a scan of my site daily. This not only scans my site for issues, it also checks for vulnerabilities in plugins and checks the web of trust to ensure my site is not listed on any “not safe” databases.
Uptime Monitor – This sends me an email and text message if my site goes offline, but not only that, it also verifies that a specific keyword is found on my site. This helps let me know if my site has been defaced, which would still mean it is up and online.
SEO Ranking – I paid for this just to see how it works. This allows you to set up to 100 keywords and track them for your site with SEO.
Advanced Client Report – I also paid for this to see how it works. This allows me to get a weekly report for my site. It tells me what has been updated, SEO and Analytics reports as well as security audits. It pulls all the information from the plugins active in my account and sends me a nice little report every week.
Plugins I don’t pay for.
Advanced Performance – I already spend a lot of time using pagespeed tools to get the most performance I can. I am always tweaking things. It is just easier for me to trigger a Performance Check manually since I am always in my managewp dashboard.
My total monthly cost is $6: $2/mo. for Premium Backups, and $1/mo. each for Uptime Monitor, SEO, Client Reports and Security Check.