A Little History
In the early days, websites were hand-built using a special code called HyperText Markup Language (HTML). To create good-looking websites back then, you had to be something of a geek. Then, special tools came onto the market to reduce the learning curve associated with building websites in HTML. Two of the more popular ones were Macromedia Dreamweaver (now owned by Adobe) and Microsoft FrontPage (discontinued in 2006). The problem with these web development tools was that they were expensive.
In May 2003, Matt Mullenweg & Mike Little released a new tool that would change the face of website building forever. They called it WordPress.
I have to admit I was a little reluctant to give up my copy of Dreamweaver at first. But in 2004, I began to experiment with the WordPress platform. It was a time when WordPress was just starting to get interesting. This was thanks to the introduction of something we now know as "plugins."
Fast-forward to today, and WordPress is the site-building tool of choice. It's popular with professionals and enthusiasts alike. Home-based businesses run by moms & dads love it, as do school kids running blogs about their favorite bands or video games. Today, even large corporations use WordPress, as does just about everyone else who builds websites.
WordPress is extremely powerful, flexible, and produces very professional-looking websites and blogs. It's pretty easy to use too, but best of all is that it's 100% free.
The other advantage of WordPress is that the code is freely available to anyone who wants it. This same advantage, though, is also its biggest security exposure. The open nature of the code means developers can create new plugins and themes to extend the functionality. It also means attackers can read the code, find security holes in it, and use them to gain unauthorized access to WordPress websites. (Defenders and security researchers can read it too, which is why most holes get found and fixed quickly.)
A lot of the discussion on website security can get overly technical. Even so, the average webmaster needs to be able to protect and secure their website. That means there should be no technical barriers to stop the average user. It's why we need these things written in plain and simple English.
That's where this tutorial comes in.
I'm going to take you by the hand and guide you, one easy step at a time, as you secure your website(s) against hackers.
How to Use This Tutorial
I wrote this tutorial for anyone who runs a WordPress website. I won't assume you have any technical knowledge at all. You don't have to worry about steep learning curves or technical skill requirements. There aren't any.
What you have here is a hands-on tutorial. To get the most out of it, I recommend you sit at your computer and follow the steps outlined in these pages. Whenever I do something on my demo site, you do the same on your site. Don't be afraid to make mistakes; as long as you have the backup we take at the start of Chapter 4, they can be undone.
There are two main sections in the tutorial.
The first section looks at the various ways hackers can gain access to your site and how you can STOP them. I also provide detailed instructions on ways to plug these security holes. Don't worry; you don't need to do anything at this point, not if you don't want to.
The second part of the tutorial covers a comprehensive security plugin. This plugin secures your site using a simple point-and-click interface. You'll learn about website security in the very first section of the tutorial. You then just follow my lead as we set up the plugin to secure your site against hackers.
By the end of this tutorial, you'll have a solid understanding of WordPress security. You'll also know the measures to take to secure your website(s).
I have good news for anyone who likes to learn via audio-visual. You should find my companion WordPress Security video course very interesting. There are around 2.5 hours of video tuition and a Q&A section where you can ask me questions. You can find details in the Resources section at the end of this tutorial.
A Note About UK v US English
There are some differences between UK and US English. While I try to be consistent, some errors may slip into my writing because I spend a lot of time corresponding with people in both the UK and the US. The line can blur.
Examples of this include the spelling of words like optimise (UK) v optimize (US).
The difference I get the most complaints about is with collective nouns. Collective nouns refer to a group of individuals, e.g., Google. In the US, collective nouns are singular, so Google IS a company. However, in the UK, collective nouns are usually plural, so Google ARE a company. This is not to be confused with Google, "the search engine," which is singular in both.
There are other differences too. I hope that if I have been inconsistent anywhere in this tutorial, it does not detract from the value you get from it.
WordPress itself will have some differences depending on whether you are using UK or US English. The one I find most obvious is in the labeling of the area containing things you have deleted.
If you installed WordPress with US English, you'd see this called "trash":
But if your WordPress is installed with UK English, this becomes "bin":
There are other places in the dashboard that use localized words like this. I'll leave those for you to find.
Found Typos in This Tutorial?
Errors can get through proof-readers, so if you do find any typos or grammatical errors in this tutorial, I'd be very grateful if you could let me know using the reply button.
SECTION 1 - About Security & Hacking
The first section of the tutorial outlines the main ways a hacker will try to gain access to your site. It also looks at how you can prevent these things from happening.
Chapter 1 - Introduction
In 2018, a report cited by infosecurity-magazine.com suggested that WordPress accounted for 90% of the hacked CMS-based sites in its sample, up from 83% in 2017. WordPress is a target for hackers because of its huge user base. Fortunately for you, the WordPress "core" has a good security record. Unfortunately for you, hackers find their way into sites because of mistakes made by site administrators and security holes in third-party add-ons like plugins and themes. One report I read suggested that 98% of WordPress vulnerabilities are related to plugins. Another, more conservative report put that figure at 52%, but it's still a large number. Another statistic showed that 8% of WordPress websites were hacked because of weak passwords. According to Sucuri, 61% of infected WordPress sites were running an out-of-date version. Wordfence, a company specializing in WordPress security, said it saw around 90,000 attacks per minute on WordPress websites.
Hackers hack websites for a variety of purposes. Some want to redirect your traffic. Others try to steal customer details, delete files, or change your login details to lock you out. Some use a hacked site to send spam emails to millions of people or to plant links that boost the SEO of the hacker's own site, and there are other, more sinister reasons still.
Don't think that your small, insignificant site is safe from hackers; it's not. To a hacker, a site is a site, and they'll attack it if it serves their purpose. They use automated scanners to probe millions of websites for known vulnerabilities, and they attack any soft targets they come across. There is no softer target than a newly set-up WordPress website run from a bedroom.
There are good reasons to worry about your website security. Despite the scare, I don't want you to avoid WordPress thinking it's an insecure platform. As I've already said, it isn't. When the WordPress security team finds a security hole, it usually plugs it fast and ships the fix as a minor release, which WordPress installs automatically by default (unless you or your host have switched automatic updates off).
The real security issues derive from the folks who run the websites. They often don't have the knowledge to make the best-informed decisions. They don't know enough about the content they publish, the plugins they use, or the themes they install.
This tutorial has two aims:
- I want to give you the knowledge you need so you can understand where the main threats come from. With this knowledge, you'll understand how your administrative actions can affect the security of your website. Your new understanding then gives you the power to stop hackers.
- I want to give you a step-by-step solution to make your website as hack-proof as possible. We'll install an excellent WordPress plugin and go through the entire setup process. For your part, just follow along on your site as I secure one of my own.
If you're not technically minded, don't worry. This tutorial assumes no technical ability and no programming skills.
Chapter 2 - Why Do Hackers Hack?
I guess you want something a little more than "because they can," right?
Unfortunately, this is the reason for a large number of hacking attempts these days. Hackers often leave behind a calling card to show how clever they are. It's often in the form of a banner announcing their uninvited presence on your site. It's a kind of virtual ego trip.
Hackers can cause all kinds of damage to your site.
They might delete your content just for laughs. Others "silently" insert malicious code into a site to carry out some dastardly plan. The webmaster doesn't usually get any visual clues to show that someone has compromised their beloved site.
Hacking causes chaos for the site owner and is often time-consuming and expensive to clean up. Some of the more common reasons why hackers hack include:
- To break into a popular site to stage some kind of protest.
- To post banners or extremist messages to support their cause.
- To insert malware that auto-downloads to the computers of those who visit the pages. This malware can cause all kinds of chaos. They can use it to steal personal data (like credit card details) from the computers it infects.
- To send huge volumes of spam emails from your domain. This is likely to get your site suspended by your web host. It's not your fault that millions upon millions of spammy emails leave your server over a short space of time. Despite this, your site stays offline until you resolve the problem.
- To gain a competitive advantage. They may embed links into your pages for their own SEO purposes. They might also do it to destroy the SEO of the target site so that it drops out of Google's search engine results pages (SERPs).
The bad news is that no amount of security on any site can guarantee it'll be 100% hacker-proof. It all depends on the motivation and resources of the hackers involved. You may have seen recent news reports on some very major hacks. Here are some high-profile examples.
- In July 2019, the bank Capital One found out that its data had been hacked. Data from roughly 100 million credit card applications, including names, birthdates and, for about 140,000 applicants, Social Security numbers, was exposed. The attack was carried out by an American named Paige Thompson who, having previously worked at Amazon, knew how to exploit a badly configured firewall in front of Capital One's Amazon AWS servers.
- In April 2019, the Weather Channel became the victim of a ransomware attack. The service was offline for nearly 90 minutes. Fortunately, the Weather Channel didn't need to pay the Bitcoin ransom, as it had good backups and reinstated its service within two hours.
- In May 2019, U.S. Customs and Border Protection was the target of a cyberattack. Images of people's faces (used in its facial recognition program) and license plates were exposed. The information found its way onto the dark web. It was ironic that the agency dedicated to protecting US borders couldn't protect its data.
- In August 2019, 22 small Texas towns were hit by ransomware attacks, leaving local government paralyzed and unable to provide basic services. The towns refused to pay the millions in ransom, and thanks to remediation efforts, they were back up and running in a matter of weeks.
These are just a few of the high-profile cyber-attacks that have happened in recent months on large organizations.
Fortunately, when dealing with WordPress, there are simple measures you can take to make your site as hack-proof as possible. There are other measures you can take to ensure you never lose your site or your website data.
I can promise you that once you've finished this tutorial, your site will be a lot more secure than most other WordPress websites. The type of hacker that's usually responsible for hacking an average website is not going to have the time, patience, or resources to break into yours. Remember, most of these guys look for "soft targets."
There are two sections to this tutorial. You can treat the first one as information-only if you like. I show you some manual procedures for securing against hackers in this section. However, you don't need to do anything as you read the first part. The second section covers a WordPress plugin that secures against all the important threats. This is where I show you the step-by-step instructions on how to install it and set it up to secure your site.
Chapter 3 - WordPress Is Secure, But...
WordPress has a bad reputation when it comes to security, but that reputation is undeserved. It's true; WordPress websites do get hacked a lot. Remember, 90% of the hacked CMS sites in that report ran on WordPress. However, these hacks are usually because of the webmaster and not WordPress itself.
WordPress is open source. That means the programming code behind it is free for anyone to look at and modify if they so wish. WordPress was built this way so that third-party developers could extend its features. That meant anyone could create and distribute new WordPress themes and plugins.
The freedom to offer WordPress enhancements is enough to start alarm bells ringing. Imagine a hacker who wanted to infiltrate a lot of websites. What better way than to develop a really useful plugin or a cool theme and offer them for free? Can you see the problem?
Plugins and themes represent one of the top three ways to hack a WordPress website. If the plugin or theme is not in itself malicious, it could still have vulnerabilities in its code. Any weaknesses can provide a doorway to hackers.
The good news is that WordPress runs "repositories" for themes and plugins. WordPress.org reviews every plugin and theme before it is first admitted to these repositories, checking for malicious code and obvious security problems, and removes ones later found to be malicious. This is a safeguard, not a guarantee: later updates are not re-reviewed by hand, and vulnerabilities are regularly found in repository plugins. So the key here is to choose plugins and themes from the official repositories or from reputable commercial vendors, keep them updated, and delete any you no longer use. Just by doing this, you already take a giant step to secure your site against hackers.
So, plugins & themes are one of the top three ways for hackers to hack WordPress websites and blogs. Maybe you can guess the other two?
- Weak usernames and passwords
- Not keeping software up to date
Weak usernames and passwords are a common route to a hack. They're a hassle, though, right? After all, we have so many usernames and passwords to remember these days. This includes things like bank logins, website logins, utility bill sites, online shopping stores, etc. It's the reason why a lot of people use the same username and/or password for multiple site logins.
Be warned!
If a hacker gets access to just one of your accounts, they can usually gain access to a lot more by trying the same login details elsewhere. Attackers automate this, replaying the username and password lists leaked from other breaches against login forms; WordPress sites are a routine target.
Think about your passwords.
Do you have them written down in a little notebook somewhere? What if you lose that notebook or someone steals it? Do you use the same password for multiple online accounts? Is it a "secure" password? It's a good question, bearing in mind that automated tools can try thousands of guesses a second against a login form, and billions a second if they get hold of the password hashes from your database.
We'll go over the dos and don'ts of passwords later in the tutorial.
Not updating software is another very common problem. The software includes things like themes, plugins, and WordPress core files. When the WordPress team finds vulnerabilities, it's usually quick to plug them. If you keep WordPress, your plugins, and your themes up to date, hackers cannot use those known vulnerabilities to gain access. If you don't keep them up to date, hackers have an easy way into your site, and the published fix tells them exactly where to look.
What makes things even easier for hackers is that WordPress, by default, tells them exactly what version you're using: it prints a generator meta tag in the page source and appends its version number to the scripts and stylesheets it loads. All they have to do then is look up the vulnerabilities in that particular version and use them to hack your site.
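To see for yourself what your own site gives away, here is an added example (my script, not code from WordPress or from this tutorial). It reads a page and reports the version the way a scanner would: from the generator meta tag, and if a theme has removed that, from the ?ver= query string WordPress appends to its own wp-embed and wp-emoji scripts. It assumes a POSIX shell with sed, and the three sample pages, the example.test hostname and the file name wp-version-leak.sh are all made up for the example.

```shell
#!/bin/sh
# Added example for this tutorial (not code from WordPress): report the version
# a WordPress site discloses in its HTML. Assumes a POSIX shell and sed; the
# three sample pages below are constructed for the example.
set -eu
LC_ALL=C
export LC_ALL

# Read a page from stdin and print the WordPress version it leaks. WordPress
# emits <meta name="generator" content="WordPress X.Y.Z" /> by default; when a
# theme or plugin removes that, core still appends ?ver=X.Y.Z to its own
# scripts such as wp-includes/js/wp-embed.min.js and wp-emoji-release.min.js.
# Other wp-includes assets (jQuery, for instance) carry their own version
# numbers, so they are deliberately not used. Exits 1 when nothing is found.
wp_version_from_html() {
  html=$(cat)
  v=$(printf '%s\n' "$html" \
      | sed -n 's/.*<meta name="generator" content="WordPress \([0-9][0-9.]*\)".*/\1/p' \
      | head -n 1)
  if [ -z "$v" ]; then
    v=$(printf '%s\n' "$html" \
        | sed -n "s/.*wp-includes\/js\/wp-em[^\"']*[?&]ver=\([0-9][0-9.]*\).*/\1/p" \
        | head -n 1)
  fi
  [ -n "$v" ] || return 1
  printf '%s\n' "$v"
}

# Constructed sample pages: one with the generator tag, one where only the
# script query string gives the version away, and one that leaks nothing.
SAMPLE_META='<html><head><meta name="generator" content="WordPress 5.2.3" /></head><body></body></html>'
SAMPLE_VER="<html><head><script src='https://example.test/wp-includes/js/wp-embed.min.js?ver=5.2.3'></script></head></html>"
SAMPLE_NONE='<html><head><title>Nothing to see</title></head><body></body></html>'

# Usage: sh wp-version-leak.sh https://example.test/   (needs curl)
if [ "$#" -eq 1 ]; then
  curl -fsSL "$1" | wp_version_from_html || echo "no version disclosed" >&2
fi
```

Run it against your own homepage. If it prints a version, that is what every scanner hitting your site already knows; keeping WordPress current matters far more than hiding the number, but there is no reason to advertise it either.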
This all sounds bad, doesn't it? Don't panic!
There's one thing these three major security issues have in common that gives you the upper hand:
THE USER CAUSES THE PROBLEMS, NOT WORDPRESS
As the webmaster, it's what you do (or don't do) to your site that makes it secure or insecure. I say again, WordPress is very secure.
There's a dedicated security team of researchers and developers who continually work to make WordPress even more secure. Since version 3.7, WordPress has installed minor releases (the ones that carry security fixes) automatically by default, without you having to lift a finger. Note that this covers WordPress core only: plugins and themes are not updated automatically unless you turn that on for them.
Chapter 4 - Learning What Needs to Be Secured
This chapter takes you through the main security threats. It's where I offer you some advice on what you should be doing to secure your site. In some cases, you can go ahead and make changes as you read through the chapter. In most instances, though, I'll tell you not to worry about doing anything right away. This is because the security plugin we install and configure in the second part of the tutorial will do it all for you.
I've broken the chapter down into "threats." Each "threat" covers a security issue you should know about. Before we start to look at these threats, let's consider the one measure that protects you whatever happens.
Backup Your Website
The only real way to make your website safe is to back it up. A backup does not stop anyone breaking in, but it means that whatever happens, you'll always have the files and data needed to rebuild the site. Even if it means starting over, it's still better than losing everything.
With traditional HTML-based websites, backing up is a simple process. You just copy the files on your hosting server to your computer (download), and that's your full backup. WordPress is a little more complicated, though.
A WordPress website consists of two main parts:
- The files. This includes the WordPress core files, plugins, themes, uploaded files like images, and the configuration file wp-config.php, which holds your database credentials.
- The Database, which stores all your website content.
For a full WordPress website, you need to back up the files AND the database.
There are a lot of tools and plugins available to help you back up your WordPress website. It's important to check exactly what they back up.
Some only do partial backups, such as the database. The more useful ones will back up both the database and all the files.
You may think that the only way to do a proper backup is to do a full one every time. Before deciding, you need to be aware of the size of these backups.
The database-only backups are typically 1-5 MB in size. You can even have these emailed to you, though remember that the dump contains everything in your database, including user password hashes, so the mailbox it lands in needs protecting too.
Full backups can be gigabytes (GB) in size, and they use a lot of server resources to process. Clearly, you cannot receive these by email.
The solution is to use a plugin like UpdraftPlus. There's a free version, which is more than adequate for most users. The premium version is great for anyone who needs more power and options.
UpdraftPlus' free version can automatically back up your site to a remote storage location on a predefined schedule. It supports popular online storage like Dropbox, Google Drive, and Amazon S3, to name a few. If anything should happen to your hosting server, you have offsite backups to fall back on.
Installing & Setting up UpdraftPlus
As with most trusted plugins, you can find UpdraftPlus in the WordPress repository. You just log in to your WordPress Dashboard and go to Plugins, then Add New.
Search for "updraft."
As I write this tutorial, you can see the plugin is actively in use by 3+ million websites. It is also updated regularly.
Install and activate Updraft.
Once active, you'll find a new entry under the Settings menu, called UpdraftPlus Backups.
Clicking on it takes you to a screen showing the current status:
In your case, there won't be any backups yet, but there is a big Backup Now button that I recommend you click.
You need to choose what to include in your backup, so choose database and files. You'll notice the disabled box referring to remote storage.
Since we haven't set up remote storage yet, it isn't an option. The plugin is currently set to store the backup directly on your web server.
However, a backup is not much use if we store it on a hacked server. This is why we need to set up some off-site storage.
OK, now cancel the backup and click on the Settings tab.
At the top of this screen, you can choose the frequency of automated backups.
The frequency you choose will depend on how often you update your site. If you don't update the site at all, then leave both database and file backups as monthly.
If you update weekly, set the database to weekly but leave the files as monthly.
If you update daily, set the database frequency to at least daily. The file backup frequency is up to you. But remember, it takes more server resources to back up the files. They're also a lot bigger in size, and therefore use more bandwidth when uploading to your off-site storage.
I leave files as monthly for all my sites and then adjust the database, depending on how frequently I update the site.
When you set the frequency, you can also choose how many backups to keep. The only real concern here is how much space you have on your remote storage. I recommend you always keep at least three months of backups. Therefore, if backups are monthly, keep 3. If they're weekly, keep 12.
You can now choose the remote storage option.
Click your chosen remote storage to select it. I've chosen Dropbox for mine. When you select a remote storage option, more settings will appear on that page related to your choice.
The settings below appeared when I selected Dropbox:
During the process of setting up a storage option, you'll have to authorize UpdraftPlus to access the chosen service.
You can see the link I need to click to authorize Updraft Plus to use my Dropbox account. Just follow the instructions.
When done, you can continue to scroll down the settings of this plugin. This is where you choose which files to back up and which to exclude, if any:
There's also a useful option to have an email report sent with the backup details.
Now click the save button at the bottom of the screen. That's all there is to it.
Over on the Backup/Restore tab, you should see a date in the Next Scheduled Backups section. This is when the next automated backup will take place.
You can also create a manual backup right now by clicking the Backup Now button. You'll then get the option to "Send this backup to remote storage":
With backups done, you now have everything you need to restore your site to its present glory in any eventuality. Do try a restore at least once (UpdraftPlus can restore from its own Backup/Restore tab) so you know the backup actually works before you need it in a hurry. Your site is not yet secure, but it is now recoverable, which is the foundation everything else builds on.
With the site backed up, let's now learn about the threats to your website security.
Threat 1 - Passwords
Earlier in this tutorial, we identified passwords as one of the weakest links in WordPress security.
If you have a strong password, then you have a strong foundation on which to build other security measures. So, what forms a strong password?
There are a few considerations when deciding on a strong password. It should include all the following:
- A random collection of characters
- Include numbers
- Include upper and lower case
- Include special characters
When it comes to passwords, the longer they are, the better.
When they released WordPress 4.3, they introduced strong passwords by default. There is also a tool inside the WordPress Dashboard to generate a strong password if you need one. You can find it in your user profile:
To generate a secure password, click the Set New Password button, and WordPress will create one for you:
If you look at the password, you can see it meets the criteria I specified at the start. It's random, includes numbers, upper and lower case, and special characters (#, & and %). It's also a lot longer (24 characters) than the passwords most people make up themselves.
The tool will also give you an idea of how strong your password is. Type it into the box and make sure your password reads Strong under the data input field.
I know most people's objection to this type of password. It's impossible to remember.
That's correct, but there are some great tools out there. These tools not only remember your passwords, but they can also auto-fill them for you as well. I use a tool called Roboform and can highly recommend it. Roboform remembers all my secure passwords (and I have hundreds), and it automatically fills them in for me whenever I visit a website.
NOTE: If you're just installing WordPress, you won't have access to the Dashboard yet, or the password generator tool. Never mind. Do a Google search for secure password generator instead. You'll find a few tools which can create these strong, random passwords for you. LastPass is another popular password manager that provides a free secure password generator. You can get it here:
https://lastpass.com/generatepassword.php
Here are your options with this tool:
You can choose a 24 character password as WordPress suggests, plus all the other criteria. Here is a sample password generated with that tool:
You can also find free tools online that will check how secure a password is. Use them to learn what a strong password looks like, not to test the password you actually intend to use: anything you type into someone else's website should be treated as no longer secret. Here's one example:
That's a strong password!
Before you move on in the tutorial, make sure you update your password, if necessary, to make it strong and long.
If you need software to remember passwords, I highly recommend LastPass, which has a good free version:
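If you would rather generate passwords on your own machine than in a browser tab, here is an added example (my script, not part of this tutorial or of any of the tools named above). It assumes a POSIX shell with /dev/urandom, head and tr, and it applies the same rules the tutorial lists: length, mixed case, digits and special characters, plus a refusal of the handful of words every brute-force wordlist starts with. The file name wp-password.sh is made up.

```shell
#!/bin/sh
# Added example (not from the tutorial): generate and vet WordPress passwords
# from the shell. Assumes /dev/urandom and POSIX head/tr.
set -eu
LC_ALL=C
export LC_ALL

# Characters allowed in generated passwords: letters, digits and a handful of
# specials that survive copy/paste and shell quoting.
ALPHABET='A-Za-z0-9!#$%&*+=?@^_~'

# Reject passwords that are short, miss a character class, or start with a
# word every brute-force wordlist contains. Returns 0 for acceptable.
check_password() {
  p="$1"
  [ "${#p}" -ge 16 ] || return 1
  case "$p" in *[a-z]*) ;; *) return 1 ;; esac
  case "$p" in *[A-Z]*) ;; *) return 1 ;; esac
  case "$p" in *[0-9]*) ;; *) return 1 ;; esac
  case "$p" in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
  lower=$(printf '%s' "$p" | tr 'A-Z' 'a-z')
  case "$lower" in
    password*|123456*|qwerty*|letmein*|welcome*|admin*|wordpress*) return 1 ;;
  esac
  return 0
}

# Draw characters from /dev/urandom and keep a candidate only if it passes
# check_password. Rejection sampling keeps every kept character uniformly
# random over ALPHABET; forcing "at least one digit" by hand would not.
gen_password() {
  len="${1:-24}"
  while :; do
    p=$(head -c 4096 /dev/urandom | tr -dc "$ALPHABET" | head -c "$len")
    [ "${#p}" -eq "$len" ] || continue
    if check_password "$p"; then
      printf '%s\n' "$p"
      return 0
    fi
  done
}

# Usage: sh wp-password.sh [length]    (default 24, the length WordPress suggests)
if [ "$#" -ge 1 ]; then
  gen_password "$1"
fi
```

Paste the result straight into your password manager; the point of a generated password is that it is never typed from memory.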
Threat 2 - WordPress Usernames
Usernames and passwords go together like peanut butter and jelly (that's "jam" in the UK). They're very important, as a hacker needs both to log into a website.
Unfortunately, older versions of WordPress used the default username admin, and many one-click installers still suggest it. Most newbies to WordPress don't bother to change it, but they should. By not changing it, you give hackers half of what they need to log into your site, and admin is the first username every brute-force tool tries.
If you already have your site installed and DID use admin as your username, don't panic. When we install the security plugin later, we'll check this and change it if necessary.
When you install WordPress, you can choose your own unique username, and you already know what to do about the password.
Choose a username that is:
- Not easy to guess
- Not admin
When I choose a new username, I use the same criteria as for passwords, though maybe only 12-15 characters in length. One caveat: a username is not a secret in the way a password is. WordPress reveals login names in several places (author archive URLs and the REST API's users endpoint among them), so an obscure username slows attackers down but cannot be relied on; the password and login rate limiting do the real work.
Threat 3 - Signing In
When you log into your website, make sure you check the address bar at the top of your browser BEFORE you log in. You should do this check before signing into ANY webpage, whether it's your bank, PayPal, or even your Facebook account.
Here I am at one of my sites, and I can see the login form. However, get used to glancing up at the domain in the address bar before you log in. Make sure itâs YOUR domain.
If a hacker can inject code into your website, they can set up a redirect. That means as you try to log in, you're taken to a completely different domain. This is one the hacker owns, and it'll have a dummy login form. You think you're logging into your site, but you're not. Then, as you enter your username and password, you've just given the hacker your login details. Check for HTTPS (the padlock) as well as the domain, and serve your own login page over HTTPS so the password cannot be read off the wire.
Threat 4 - PHP Error Reporting
PHP is a widely used open-source programming language. It's great for most kinds of web development, so it's no surprise to learn that WordPress is written in PHP.
Besides the WordPress core files, WordPress themes and plugins also add PHP code to your website. As with any kind of programming, bugs in the code can cause problems. When an error occurs, PHP prints the error message along with the file path and line of code that caused it. That's great for developers. Alas, hackers can also use these error messages to learn about your web server: the full path to your installation, which plugins are present, and sometimes details of the database.
Fortunately, there's a way to stop these error messages being shown to visitors.
The security plugin we install later in the tutorial doesn't take care of this for you. One caveat before the instructions: WordPress resets PHP's error level itself while loading, so the line below is not a reliable fix on its own. What actually decides whether visitors see errors is PHP's display_errors setting, which should be off on a live site (your host's php.ini usually does this already). If you want to disable error reporting, here's how you do it.
You need to add a special line of code to your wp-config.php file. You can find this file in the root folder of your domain.
The simple line of code is as follows: error_reporting(0); Note that the argument is the digit zero, not the letter O. With a letter O, PHP treats it as an undefined constant, and on PHP 8 the site will fail to load instead of hiding errors.
Place the code right after the opening <?php tag and above all the other code in the file, as per the image:
If you ever need to see the error messages in the future, simply come in and remove this line of code while you're working on your site. You can either delete it or comment it out using the format below:
/* error_reporting(0); */
The /* at the start and the */ at the end stop any commands inside from being read. When you've finished the work on your site, you can remove the comment markers to once again disable PHP error reporting.
Threat 5 - File Editor
The file editor inside your WordPress Dashboard is invaluable. It gives you, and any other user with the Administrator role, access to theme and plugin files from the browser.
To edit theme files, go to the Appearance menu and select Theme Editor.
To edit plugin files, go to the Plugins menu and select Plugin Editor.
The problem we have is that anyone with access to these editors can "inject" malicious code into your website. So, if a hacker gets hold of an administrator login, the consequences can be catastrophic: the editor turns a stolen password into the ability to run arbitrary PHP on your server.
The good news is you can disable these editors by adding a single line of code to your wp-config.php file.
I'm going to show you how to do this manually, but this is for information only. The plugin we install in the second part of this tutorial will do the work for you.
For those who want to do this manually now, here's how it works.
This wp-config.php file is in the root folder of your website. You can gain access to it by using FTP or the File Manager inside cPanel.
Here's what it looks like when opened in a text editor:
I've drawn an arrow at the point where I'm going to insert the line of code.
Position your cursor in the blank line right before the line that starts:
// ** MySQL settings - ...
(In newer versions of WordPress, this line reads // ** Database settings - ... instead.)
In this line, insert the following code:
define('DISALLOW_FILE_EDIT', true);
When you've done that, save your wp-config.php file and make sure it overwrites the older version.
Now log in to your WordPress Dashboard. You'll no longer see the options to use the editor. Here's how the Appearance menu looks now:
Here's the Plugins menu:
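Both of these wp-config.php edits (keeping PHP errors off the page from Threat 4 and disabling the editors from Threat 5) can be applied from the shell in one go, with a check afterwards that they took. The script below is an added example written for this tutorial, not code from WordPress or from the security plugin. It assumes a POSIX shell with awk, a wp-config.php laid out like the one WordPress ships (with the // ** MySQL settings marker, or // ** Database settings in newer versions), and the made-up file name wp-config-harden.sh. It hides errors by turning off PHP's display_errors rather than with error_reporting(0), so errors still reach the server's log, and it will not add a constant the file already defines, because PHP warns on a second define() of the same name.

```shell
#!/bin/sh
# Added example written for this tutorial: apply the Threat 4 and Threat 5
# wp-config.php changes from the shell. Not code from WordPress or from the
# security plugin. Assumes a POSIX shell with awk and a wp-config.php laid out
# like the one WordPress ships. The file name wp-config-harden.sh is made up.
set -eu
LC_ALL=C
export LC_ALL

# True if wp-config.php already defines the constant NAME (any value, any spacing).
has_define() {
  grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$1['\"]" "$2"
}

# The lines to add. DISALLOW_FILE_EDIT removes the theme and plugin editors.
# The debug constants and display_errors keep PHP error messages out of pages,
# while log_errors keeps them in the server's PHP error log; error_reporting(0)
# would throw the log away too, and WordPress resets the reporting level during
# load anyway. Constants the file already defines are not repeated.
hardening_block() {
  config="$1"
  echo "/* Hardening added by wp-config-harden.sh */"
  has_define DISALLOW_FILE_EDIT "$config" || echo "define( 'DISALLOW_FILE_EDIT', true );"
  has_define WP_DEBUG "$config"           || echo "define( 'WP_DEBUG', false );"
  has_define WP_DEBUG_DISPLAY "$config"   || echo "define( 'WP_DEBUG_DISPLAY', false );"
  echo "@ini_set( 'display_errors', 0 );"
  echo "@ini_set( 'log_errors', 1 );"
}

# Insert the block before the database settings marker WordPress puts in
# wp-config.php ("MySQL settings" in older files, "Database settings" in newer
# ones), or straight after the opening <?php tag if the marker is missing.
# Keeps a .bak copy and does nothing on a second run.
harden_wp_config() {
  config="$1"
  if grep -Fq 'Hardening added by wp-config-harden.sh' "$config"; then
    echo "already hardened: $config" >&2
    return 0
  fi
  if grep -Eq '^// \*\* (MySQL|Database) settings' "$config"; then mode=before; else mode=after; fi
  cp -p "$config" "$config.bak"
  hardening_block "$config" > "$config.block"
  awk -v block="$config.block" -v mode="$mode" '
    function emit(   line) { while ((getline line < block) > 0) print line; close(block); done = 1 }
    !done && mode == "before" && /^\/\/ \*\* (MySQL|Database) settings/ { emit() }
    { print }
    !done && mode == "after" && /^<[?]php/ { emit() }
  ' "$config" > "$config.new"
  cat "$config.new" > "$config"     # write in place so owner and mode stay as they were
  rm -f "$config.new" "$config.block"
}

# Report the state of a wp-config.php and return 1 if anything is missing.
# Also lints the file with php when available: WordPress will not start at all
# if wp-config.php has a syntax error.
audit_wp_config() {
  config="$1"; rc=0
  for name in DISALLOW_FILE_EDIT WP_DEBUG WP_DEBUG_DISPLAY; do
    if has_define "$name" "$config"; then echo "ok       $name"; else echo "missing  $name"; rc=1; fi
  done
  if grep -Eq "ini_set[[:space:]]*\([[:space:]]*['\"]display_errors['\"][[:space:]]*,[[:space:]]*['\"]?0" "$config"; then
    echo "ok       display_errors off"
  else
    echo "missing  display_errors off"; rc=1
  fi
  if grep -Eq "['\"]WP_DEBUG['\"][[:space:]]*,[[:space:]]*true" "$config"; then
    echo "warning  WP_DEBUG is true; turn it off on a live site"; rc=1
  fi
  if command -v php >/dev/null 2>&1 && ! php -l "$config" >/dev/null 2>&1; then
    echo "error    wp-config.php does not parse"; rc=1
  fi
  return "$rc"
}

# Usage: sh wp-config-harden.sh /var/www/example.com/wp-config.php
if [ "$#" -eq 1 ]; then
  harden_wp_config "$1"
  audit_wp_config "$1"
fi
```

After running it, load your Dashboard once: the Theme Editor and Plugin Editor entries should be gone, and a deliberately broken plugin should now produce a blank or generic error page rather than a PHP message with a file path in it. If the site fails to load, the .bak copy next to wp-config.php puts things back.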
Threat 6 - Control the Content Published on Your Site
This is common sense, I know. It's still vital to realize how security issues can result from the stuff you publish.
When you create a page or post in WordPress, you have an option to embed code into that page or post. For example, it could be YouTube video code, JavaScript, or something else.
The only reason you add code to your pages is to add some form of functionality or feature. If you're non-technical, then you may not understand the code, and that's okay. But what is vitally important is that you trust the source. Remember, malicious code gives hackers a back door into your website or web server.
The "common sense" rules that apply here are:
- Don't embed any code into a post or a page unless you trust the source 100% or know the code is safe.
For example, you know you can embed a YouTube video into your page, as Google owns YouTube. They are a trusted source.
If you're an affiliate marketer and you want to embed some affiliate code given to you by Amazon, then that is fine too. Amazon is another trusted source.
But if you join an unknown affiliate scheme and they ask you to embed code into your pages, get the code checked out. Only put it into your posts if you trust the person or company that gave it to you 100%.
- Be careful if you allow other people to publish content on your site. I suggest you manually approve all new submissions before you publish them. The quick way to check the content is to switch over to the Text tab of the classic editor (or the Code editor in the block editor) so you can see if there's any code in the article. Don't publish anything that contains code you were unaware of or are uncertain about.
- If you allow visitors to leave comments, DON'T auto-approve them. Even comments can have code embedded into them. It's safer to check comments manually first and only approve them when you're sure.
IMPORTANT : There is an option in WordPress that allows you to auto-approve comments from visitors that have had at least one comment approved previously.
Donât enable it.
This was the way a lot of WordPress sites got hacked in the past. A hacker would submit a good comment to get it approved manually. Theyâd then use their new âauto-approvedâ status to add comments with code embedded. Itâs much safer to moderate ALL comments manually.
Weâll revisit comment security later in the tutorial.
Threat 7 – New Users
A WordPress website can have more than one user.
A "user" in this context means anyone who can log in to the WordPress Dashboard. It has nothing to do with being a "visitor." A visitor is anyone who turns up to view your website in their web browser.
Some sites allow visitors to register as users, giving them login details to access the Dashboard. What they can do after they register depends on the privileges you give them. Privileges range from editing user profiles to complete control and administration of the site. You should give your users only the privileges they need, and no more.
At this point, you might wonder why a webmaster would allow visitors to become users. Here are some of the most popular reasons:
- To allow guest bloggers on the site. That is, allow your visitors to create posts (fresh content) on your site. This is usually in return for a link they include somewhere in the article. Unless you trust them and know exactly what you're doing, I don't recommend having guest bloggers post on your website. They pose a security problem, as well as an SEO headache.
- To create a membership site. If you decide you want to create a membership site, I recommend you use the Wishlist Member WordPress plugin. The plugin adds extra layers of security and gives you a lot more options for configuring and setting up your site. If you're interested in learning more, I have a course on building a membership site with Wishlist Member. There's a link to all my video courses at the end of this tutorial.
- To create a mailing list of "subscribers." The best way to create a mailing list is to use proper third-party tools. One of the best ones for mailing lists and autoresponders is Aweber – http://ezseo.aweber.com. Companies like Aweber shield you from a lot of potential security (and hosting) issues. Security and hosting hassles can arise when you try to set this type of thing up on your domain.
For safety reasons, my advice is to NOT let unknown visitors register as users. There's a setting in the WordPress Dashboard you need to check.
Anyone can register
In the General Settings, make sure Anyone can register is unchecked like this:
This should be off (unchecked) by default. It will only show as active if you, or someone else, checked it at some point.
If you choose to enable this option, I highly recommend you set the default role to "Subscriber." That'll give new users basic access without the opportunity to cause much damage. You can then change these roles as needed if you want to elevate a user's privileges at any point.
The options you have for roles are as follows:
- Subscriber: can manage their profile.
- Contributor: can write guest posts but not publish them (best option).
- Author: can write and publish their posts.
- Editor: can write, publish and manage ALL posts.
- Administrator: full access to the site and all administrative screens.
- Super Admin: a network administrator when using networked WordPress (not an option with the regular version of WordPress).
If you decide to allow visitors to register as users, only give them the privileges they need and no more. This is the most important piece of advice I can give you, so please take heed.
Usernames & Passwords
We looked at usernames and passwords earlier in the tutorial and how important they are to keep your site safe. The same is true for ALL users on your site. If you have multiple users, your site is only as secure as its weakest link.
When you allow other users to register, you need to make sure they all use very secure usernames and passwords.
Although WordPress automatically generates a secure password for each new user, they can still edit their profile. That means they can also change their password. Don't ever let users change their secure password for an insecure one.
Threat 8 – Widgets & Code
Earlier in the tutorial, we looked at why you need to control the content of your site and the common-sense rules surrounding published content. We saw code as one potential problem. I want to revisit code here because widgets can pose a threat.
For example, the Custom HTML and text widgets can contain any text you like, including code. Here is a Custom HTML widget on one of my websites:
The code above is a script and displays some recommended products in the sidebar. I understand the code and know it's safe to use, so it's fine. But what if you don't understand what the code does or what it means?
Let's recap the common-sense rules again:
- Only put code into your posts, pages and widgets if you trust the source and know the code is trustworthy.
- Only install widgets (installed as plugins) if you trust the source of the plugin 100%.
- Plugins and themes you get from the official WordPress repositories should be safe. For your part, you still need to update them regularly in case any vulnerability issues need fixing. Keeping themes and plugins up to date minimizes the risk from hackers.
- If you buy themes or plugins from other websites, is the source trustworthy? Do your due diligence on Google and read any reviews. Are there customer comments that concern you?
Embedding Code in a Post or Page
I want to show you a bit of code to highlight a potential issue. You will see how easy it is to spot once you know what to look for.
This code is from Amazon and is safe.
What I want you to look out for are URLs that don't belong to your site. The code above has two. If you know any HTML, you'll know that the first mention of Amazon.com is the URL for a text link. The second is an image displayed with the advert. This is all fine because we understand the code.
But what if you get some code you don't understand? Take this example:
OK, the URL is to amazon-adsystem.com. I assume it's an Amazon-controlled domain, so it is safe. If you're unsure, you can check with a quick search on Google. Just search Google for the domain and see what comes back. In this case, it's a legitimate domain used by Amazon to serve ads. You need to verify any suspicious or unfamiliar URLs found in the code you add to your posts or pages.
IMPORTANT: That URL calls some JavaScript (JS) code (ads.js). You don't get to see the actual JS code that'll be running on your site. It could be anything and do pretty much what it wants on your page(s). Can you see why you need to trust the code you add 100%?
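As an added example (not code from the tutorial), here is a small Python script that does the check described above for you: it lists every host a snippet reaches out to and flags any external script it would load. The sample snippet is constructed for the demo, and example.com stands in for your own domain.

```python
"""Review a snippet before pasting it into a post, page or widget.

Added example (not from the tutorial): lists every host the snippet
reaches out to and flags any external script it would load.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that can point at another site.
URL_ATTRS = ("href", "src", "action", "data")


class _Collector(HTMLParser):
    """Record every URL-bearing attribute and count inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.urls = []           # (tag, attribute, url)
        self.inline_scripts = 0  # <script> blocks with no src attribute

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and not attrs.get("src"):
            self.inline_scripts += 1
        for name in URL_ATTRS:
            value = attrs.get(name)
            if value:
                self.urls.append((tag, name, value.strip()))


def _host(url):
    """Lowercase host of an absolute URL, or '' for a relative one."""
    if url.startswith("//"):       # protocol-relative, still a remote host
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def review_snippet(html, my_domain):
    """Summarise where a snippet points.

    Returns a dict with:
      external_hosts   - hosts other than my_domain and its subdomains
      external_scripts - script src URLs on those hosts (code you never see)
      inline_scripts   - number of <script> blocks embedded in the snippet
    """
    collector = _Collector()
    collector.feed(html)
    my_domain = my_domain.lower()
    hosts, scripts = set(), []
    for tag, attr, url in collector.urls:
        host = _host(url)
        if not host or host == my_domain or host.endswith("." + my_domain):
            continue
        hosts.add(host)
        if tag == "script" and attr == "src":
            scripts.append(url)
    return {
        "external_hosts": sorted(hosts),
        "external_scripts": scripts,
        "inline_scripts": collector.inline_scripts,
    }


# Constructed sample, modelled on the affiliate snippet discussed in the text.
SAMPLE = """
<a href="https://www.amazon.com/dp/EXAMPLE?tag=example-20">
  <img src="https://www.amazon.com/images/example.jpg" alt="advert">
</a>
<script src="//amazon-adsystem.com/ads.js"></script>
<script>window.example = 1;</script>
"""

if __name__ == "__main__":
    report = review_snippet(SAMPLE, "example.com")
    for host in report["external_hosts"]:
        print("external host:", host)
    for url in report["external_scripts"]:
        print("remote script you cannot inspect:", url)
    print("inline script blocks:", report["inline_scripts"])
```

Anything listed under external_scripts is code that will run on your pages but that you never get to read, which is exactly the case the text warns about.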
Threat 9 – Plugins
Plugins are pieces of code that add new features to your WordPress site.
Since code can control pretty much every aspect of a site, including malicious things, you need to be sure you can trust the plugins you use.
Although much of this is also common sense, here are a few helpful tips:
- Only install plugins from trusted sources. The WordPress repository is the main trusted source. But what if you find a plugin on a website that isn't in the repository? In this case, do your due diligence and check out reviews and customer comments on those plugins.
- Developers who create free plugins come in two forms. There are the good guys who are happy to help and want to create a useful, free plugin with no strings attached. Then there are those who want to profit from their free plugin. There are several ways to do this. The most common method is to give away a free trial version. They hope you'll upgrade to a paid version with more features and functions after the trial period. These can be fine but again, do your due diligence.
The type of plugin to be wary of is one that includes code that doesn't directly contribute to the functionality you're trying to gain. For example, a mortgage calculator that adds a link back to the lender's website. In this case, you want the functionality of the calculator. Yet, the bank has included other code unrelated to that function. In this case, it's a link pointing back to their website. My advice is to avoid this type of plugin at all costs.
- Always keep plugins up to date. Be wary of those that have no known updates or have not had an update in a very long time. There are also legitimate plugins that just don't get updates. For example, they use secure code, and the author doesn't want to add new features. These are fine. If there's a plugin you want, but it's been a while since its last update, check it out on Google. Use a search term like "plugin name + security" to see if there are any reported issues.
- If you deactivate a plugin, uninstall it altogether. Even inactive plugins CAN cause security problems if they contain vulnerable code.
Threat 10 – Themes
Themes, like plugins, add code to your website.
The same kind of common-sense measures we talked about for plugins also apply to themes. Here are some guidelines.
- The WordPress theme repository is a safe place to get themes. Many people still want to look further afield to find the best themes for their website. Be careful where you get yours from. Again, do a search on Google for the theme in question and see whether it appears to be from a trusted source.
- Some authors offer free themes. They usually include a link in the footer (or elsewhere) back to the developer's website. On the face of it, the deal looks sweet. NEVER use a theme that forces this type of site-wide link on you, no matter how subtle. Why? You have no control over the destination website attached to that link. The link may redirect, either now or later on, to any site the author chooses, e.g., porn, gambling, and so on. This type of site-wide footer link will also cause you SEO problems in Google. The search engines don't like them, not even if the site it links to is a trusted one.
- Keep themes up to date and install updates as soon as you know about them. Theme developers might release an update to add new features, but it could also be to plug security holes.
Threat 11 – Comment Spam
Comments are an important part of any WordPress website. They allow visitors to leave valuable feedback about the site's content. It's a great way to engage in a conversation with you, the webmaster, and other visitors on your website. Google likes sites that have this type of interaction. Therefore, it makes good sense to have comments enabled. There is a "but" though. Comments can also pose a real threat to your website security.
In the past, hackers have used comments to gain access to websites. They did this using something called the Zero-Day Exploit. The exploit involved hackers inserting malicious JavaScript into a simple comment. Once you approved their comment from the WordPress Dashboard, the door opened. The hacker got remote access to the site and could change passwords, add administrative users, and so on. In other words, they had total control over the affected website.
If you want to research it more, this type of exploit is a good example of a "cross-site scripting attack."
For the exploit to work, the webmaster had to approve the hacker's comment. That was the first hurdle for them. Fortunately for the hackers, some sites are set up to auto-approve comments IF the person had a previous comment approved.
The hacker would begin their hack by leaving a great comment, knowing the webmaster would most likely approve it. Once accepted, they'd follow it up with a malicious comment, realizing that some sites would auto-approve it.
Look at this setting in the discussion panel:
As things stand, if a commenter has a previously approved comment, any new ones would be auto-approved. WordPress versions between 3.9 and 4.2 were vulnerable to this hack. The developers have since patched more current versions to prevent these attacks from happening.
So now your site is up to date and safe against the Zero-Day exploit. But hackers are smart people, and they're always looking for new ways. For that reason, I recommend you always check the first box in that section:
Comments must be manually approved.
Now you have to manually approve ALL comments. This way, you can check the comment for code before you accept it. Moderating comments is also a good way to make sure no nasty language or hostilities end up on your pages.
Links in Comments
When a visitor leaves a comment, they have two opportunities to insert links into it. They can add a URL in the URL box of the comment section, or they can insert a link into the body of the actual comment:
Here is a nice simple rule to follow for comments:
Always nofollow links in the comments section of your site. The "nofollow" attribute tells search engines not to let the link influence a site's rankings. In other words, ignore it, don't follow it. You do this because you have no control over where these links point. Whoever controls the URL in the link can point it wherever they like, but you're not responsible for it.
Fortunately, the WordPress default is to nofollow links in comments. However, some plugins allow you to make them dofollow. The advantage is that dofollow sites encourage more comments. People like them because dofollow links are valuable for off-page SEO purposes. My advice is to avoid the temptation and don't do it. If someone only leaves a comment because they want the backlink, it's likely to be a poor comment to have anyway.
Here are some other comment tips:
- Manually approve ALL comments.
- Only approve comments that genuinely add value to your page, i.e., they contribute to the conversation.
- Use a spam filter like Akismet to filter spam comments.
- Don't approve a comment if the author of the comment has filled the name field with keywords.
- Don't approve comments with links in the body of the comment unless those links point to high-authority sites you trust. If the comment is good but has unwanted links, you can always strip out the links and then approve it.
- Never approve a comment that is trying to flatter your ego. Comments like "great post" or "cool information" are pure spam. Treat them as such.
Most comment spam tips are good common sense, but it never hurts to recap.
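Here is an added example, not code from the tutorial or from WordPress, that turns the comment tips above into an automated pre-moderation check. The word lists and the sample comments are constructed for the demo; the function only explains why a comment deserves a careful look and never approves anything itself.

```python
"""Pre-moderation triage for a WordPress comment, following the tips above.

Added example, not code from the tutorial or from WordPress. It never
approves anything; it only lists reasons a comment deserves a closer look.
"""
import re

# Constructed word lists; tune them for your own site.
FLATTERY = ("great post", "cool information", "nice article", "thanks for sharing")
KEYWORD_NAME_HINTS = {"cheap", "buy", "best", "seo", "loans", "casino", "pills"}

LINK_RE = re.compile(r"https?://([\w.-]+)", re.I)
CODE_RE = re.compile(
    r"<\s*(script|iframe|object|embed|img|form)\b|javascript:|\bon\w+\s*=", re.I)


def _trusted(host, trusted_hosts):
    """True if host is one of trusted_hosts or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def triage_comment(author_name, body, trusted_hosts=()):
    """Return the reasons to hold this comment; an empty list means nothing odd.

    trusted_hosts: hosts whose links you are happy to approve (tip 5 above).
    """
    reasons = []

    # Tip 4: a name field stuffed with keywords instead of a person's name.
    name_words = re.findall(r"[a-z]+", author_name.lower())
    if len(name_words) > 3 or any(w in KEYWORD_NAME_HINTS for w in name_words):
        reasons.append("author name looks like keywords, not a person")

    # Tip 6: short, content-free flattery is spam.
    text = body.lower()
    if len(text.split()) <= 6 and any(phrase in text for phrase in FLATTERY):
        reasons.append("content-free flattery")

    # Threat 6 / Threat 11: code or active HTML inside the comment.
    if CODE_RE.search(body):
        reasons.append("contains code or active HTML, review it on the Text tab")

    # Tip 5: links in the body that do not point at sites you trust.
    trusted = [t.lower() for t in trusted_hosts]
    unvetted = sorted({h.lower() for h in LINK_RE.findall(body)
                       if not _trusted(h.lower(), trusted)})
    if unvetted:
        reasons.append("links to sites you have not vetted: " + ", ".join(unvetted))

    return reasons


if __name__ == "__main__":
    # Constructed sample comments.
    samples = [
        ("Jane Doe", "I tried step 2 and the rename trick worked, thank you."),
        ("Cheap SEO Services", "Great post!"),
        ("Bob", 'Useful tip <script src="https://unvetted.example/x.js"></script>'),
    ]
    for name, body in samples:
        verdict = triage_comment(name, body, trusted_hosts=("example.com",))
        print(name, "->", verdict or "looks fine")
```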
Threat 12 – Limit Login Attempts
When a hacker tries to get into a site, they might use special software tools. They use these to launch something called a brute force attack.
Their software programs try thousands, or hundreds of thousands, of usernames and password combinations. They can do this in a very short space of time. The way to prevent attacks of this type is to limit the number of login attempts.
If a user fails to log in after X attempts, the system locks their IP address for a set length of time. Once the time expires, they can try to log in again. It's a sensible precaution. It's there so that genuine users, who accidentally mistype their passwords, can access their site after the lockout period. As for the hackers, the delay is usually long enough for them to give up and move on to an easier target.
The plugin we install and set up in the second part of the tutorial will limit login attempts for us. There's no need for you to do anything about it just yet.
Threat 13 – 2-Factor Authentication
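As an added example (not the plugin's code), here is what the lockout logic described above looks like in Python. The attempt limit, window and lockout length are constructed values, and the clock is injectable so the behaviour can be exercised without waiting.

```python
"""Login-attempt limiter of the kind described above.

Added example, not the plugin's code. After MAX_ATTEMPTS failures from one
IP within WINDOW_SECONDS the IP is locked for LOCKOUT_SECONDS; a successful
login clears the counter. The clock is injectable so the logic is testable.
"""
import time
from collections import defaultdict

MAX_ATTEMPTS = 5            # the "X attempts" from the text (constructed value)
WINDOW_SECONDS = 5 * 60     # failures older than this no longer count
LOCKOUT_SECONDS = 15 * 60   # how long a locked IP must wait


class LoginLimiter:
    def __init__(self, now=time.time):
        self._now = now
        self._failures = defaultdict(list)  # ip -> timestamps of recent failures
        self._locked_until = {}             # ip -> time the lock expires

    def is_locked(self, ip):
        """True while the IP's lockout is in force; expired locks are cleared."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self._now() >= until:
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Register one failed login; returns True if this failure locks the IP."""
        now = self._now()
        recent = [t for t in self._failures[ip] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self._locked_until[ip] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)

    def attempt_login(self, ip, username, password, check_credentials):
        """Gate a login through the limiter: returns 'locked', 'ok' or 'failed'.

        check_credentials(username, password) -> bool is whatever verifies
        the password; a locked IP never reaches it, so guessing stalls.
        """
        if self.is_locked(ip):
            return "locked"
        if check_credentials(username, password):
            self.record_success(ip)
            return "ok"
        self.record_failure(ip)
        return "failed"


if __name__ == "__main__":
    # Constructed demo with a fake clock and a fake credential check.
    clock = [1_000_000.0]
    limiter = LoginLimiter(now=lambda: clock[0])
    creds = lambda u, p: (u, p) == ("editor", "correct horse battery staple")
    for _ in range(MAX_ATTEMPTS):
        print(limiter.attempt_login("203.0.113.7", "editor", "guess", creds))
    print(limiter.attempt_login("203.0.113.7", "editor", "correct horse battery staple", creds))
    clock[0] += LOCKOUT_SECONDS
    print(limiter.attempt_login("203.0.113.7", "editor", "correct horse battery staple", creds))
```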
You may already have this set up for your Gmail account or another online system. It adds a great level of security to your website by requiring TWO forms of authentication.
For example, first, you go to a login form and enter your username and password (the first form of authentication). They then send a special code to your mobile phone. You then enter the code into a form (second authentication) in the login process. You can only log in to your site after successfully entering the code.
It's more hassle, but it does add an extra level of security to your site, and that's always a good thing.
The plugin we install later does not offer 2-factor authentication. If you want to add this to your site, you have other options. I recommend you search the WordPress plugin repository for "Google Authenticator."
You'll find a lot of plugins that offer this functionality. Look for one with good reviews and with recent updates. Here's a good example:
This plugin is free for one user. If you want to protect more than one site, you'll need to sign up for one of their plans or find a different plugin.
After you install and activate it, you'll see a new menu item in the sidebar labeled miniOrange 2-Factor. When you click on that, it takes you to a simple setup screen.
I won't go into detail on how to set this up, but it's fairly intuitive. On the Setup Two-Factor tab, you can select the method of verification, including:
- SMS
- Phone Call verification
Is this type of protection worth setting up? Well, that's up to you. I find it a little too much hassle, so I don't use it on my websites.
Threat 14 – Login Page Protection
The login page for your website is the main gateway to access your Dashboard. It's often the first port of call for hackers.
If you protect your login page, you reduce the chance of a hacker gaining access.
Fortunately, there are a few ways to protect the login page. You can rename it, move it, add a Captcha, or block certain IP addresses.
Some methods of protection are more effective than others. The plugin we install in the last part of this tutorial gives us some great options, so no need to worry about this right now.
Threat 15 – Database Table Prefix
Earlier in the tutorial, we looked at backing up your WordPress websites. You saw how this was the only way to protect your site 100% from any major issues. If you remember, there were two elements to back up, namely:
- Site files
- Site database
WordPress uses a MySQL database that contains several "tables." Tables are simply spreadsheets of data. WordPress uses a number of these tables to store related information.
For example, the "users" table contains data about the users, like username and password, email address, and so on.
The "posts" table will have all the posts you've ever created. It will include the date, excerpt, post name, title, and content, etc.
Each table in the database has a name, and WordPress creates these names at the install stage. You do have some control over the name of each table as these names have a prefix. WordPress, by default, uses the prefix: wp_
In the case of the "users table," the name will be wp_users.
The security problem arises when the webmaster uses this default prefix. If a hacker knows your prefix, they know the name of every table in your database. Because of this, you must change your default prefix.
You're in luck if you use Softaculous to install WordPress on your server. It randomly generates a prefix for your install. That means no more wp_ default.
Don't worry if you have an existing site that still uses the wp_ prefix. The plugin we install and set up later in the tutorial gives you an easy way to change it.
Threat 16 – WordPress Security Keys & Salts
WordPress developers introduced security keys in version 2.6, and they've been with us ever since. They initially added them to encrypt the cookie information stored on the visitor's computer.
As WordPress evolved, they added more and more of these security keys. You can find them in the wp-config.php file. Automated WordPress installer software generates these for you during the install process.
You need these keys because they add an extra layer of security to your site. They encrypt vital information like passwords.
If you install WordPress manually, you'll need to generate them yourself and copy them into the wp-config.php file. There's a URL included in the wp-config-sample.php file that generates your unique keys & salts.
A WordPress salt is simply a random string of data. What it does is hash (transform) the WordPress security keys in the wp-config.php file. These security keys & salts are long. Fortunately, you don't need to remember them.
There's good news if you already have WordPress installed. These keys are more than likely already generated and residing in your wp-config.php file. If they're not, you can add them manually, though this won't be necessary with automated installers. The only time you need to add them by hand is if you manually install WordPress. Few people have reasons to take the manual route these days.
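As an added example, not the tutorial's or WordPress's own code, here is a Python check you can run over a wp-config.php file to confirm that all eight keys and salts are present, are not the placeholder text from wp-config-sample.php, and are not reused. The sample config embedded in it is constructed for the demo.

```python
"""Check the security keys and salts in wp-config.php.

Added example, not the tutorial's or WordPress's own code: it reads the
eight define() lines, reports any that are missing, still carry the
placeholder from wp-config-sample.php, are too short or are reused, and
can emit fresh random values in the style of the official generator.
"""
import re
import secrets

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # shipped in wp-config-sample.php
MIN_LENGTH = 32                               # constructed threshold

# Matches define('NAME', 'value'); with single or double quotes.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)\s*;""")


def parse_keys(config_text):
    """Map each security key name found in the file to its value."""
    return {name: value for name, value in DEFINE_RE.findall(config_text)
            if name in KEY_NAMES}


def audit_keys(config_text):
    """Return {key name: problem} for every key that needs attention."""
    found = parse_keys(config_text)
    problems = {}
    for name in KEY_NAMES:
        value = found.get(name)
        if value is None:
            problems[name] = "missing"
        elif value.strip().lower() == PLACEHOLDER:
            problems[name] = "placeholder from wp-config-sample.php"
        elif len(value) < MIN_LENGTH:
            problems[name] = "too short"
    # One value reused for several keys defeats the point of having eight.
    first_use = {}
    for name, value in found.items():
        if value in first_use and name not in problems:
            problems[name] = "same value as " + first_use[value]
        first_use.setdefault(value, name)
    return problems


def random_key(length=64):
    """Random key from a character set like the official generator's
    (no quotes or backslashes, so it drops straight into a PHP string)."""
    alphabet = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
                "!@#$%^&*()-_ []{}<>~`+=,.;:/?|")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_defines():
    """Eight fresh define() lines ready to paste into wp-config.php."""
    return "\n".join(f"define('{name}', '{random_key()}');" for name in KEY_NAMES)


# Constructed sample config showing several of the problems the audit catches.
_OK = "x7Q!" * 16           # 64-character constructed value
_DUP = "dup-value-" * 4     # 40 characters, used twice below
SAMPLE_CONFIG = f"""<?php
define('DB_NAME', 'wp_example');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'abc123');
define('LOGGED_IN_KEY',    '{_DUP}');
define('NONCE_KEY',        '{_DUP}');
define('AUTH_SALT',        '{_OK}');
define('SECURE_AUTH_SALT', '{_OK}b');
define('LOGGED_IN_SALT',   '{_OK}c');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for name, problem in audit_keys(SAMPLE_CONFIG).items():
        print(f"{name}: {problem}")
    print(generate_defines())
```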
Threat 17 – XML-RPC
XML-RPC is a programming interface (API). What it does is allow programmers and developers to talk to WordPress.
A lot of tools may need XML-RPC to work properly. For example, I use Open Live Writer to work offline on my websites. This gives me a WYSIWYG (What You See Is What You Get) editor. I use it to create and format posts or pages that I can then publish to my site when I'm ready. Open Live Writer requires XML-RPC to be enabled for it to work.
Some plugins also need XML-RPC, like Jetpack. Since WordPress 3.5, XML-RPC is enabled by default.
The problem we have is that software can manipulate WordPress through the XML-RPC. This makes it a possible security concern. A lot of WordPress gurus recommend you disable it.
In the past, hackers used XML-RPC for something called DDoS attacks. It stands for "Distributed Denial of Service."
Plugins like Akismet can usually spot this type of attack and prevent it. Therefore, it may not be worth switching off XML-RPC to stop DDoS attacks.
Hackers also extensively used XML-RPC for brute force attacks. But again, most security plugins will prevent this type of attack today, so it's not worth worrying about. The plugin we set up later also prevents this type of attack.
My suggestion is not to disable it. If you decide you want to, then some plugins can disable it for you. Check out this one:
Disable XML-RPC-API
A simple and lightweight plugin to disable XML-RPC API, X-Pingback and pingback.ping in WordPress 3.5+ …
5,000+ Active Installations
Last Updated: 3 weeks ago ✓ Compatible with your version of WordPress
Threat 18 – Web Hosting
The threat most people don't even think about is the hosting company they use for their website. You need to do a few checks and be aware that the cheapest option is not always the best.
If a web host offers cheap hosting, it can mean the following:
- Plenty of people who want cheap hosting will be signing up.
- Accepts any type of site, meaning your website may be on the same server as porn, gambling, and other undesirable topics. These may be more vulnerable to hacking attempts because of their content.
- They will likely cut a few corners. Security costs money, so it could be one of the weaker aspects of your host.
At the very least, you should:
- Check what version of PHP and MySQL (or MariaDB) the web host uses. These are both required for WordPress sites and should be kept up to date. This minimizes the chance of any security breaches.
- Ask your host what other security measures they take to protect your website. Do they regularly back their servers up? And in the event of a disaster, would they reinstate your site for free or a fee? How often do they carry out server maintenance? Anything specific to prevent hackers?
Threat 19 – wp-config.php
The wp-config.php file contains sensitive information. This includes things like security keys & salts, usernames, passwords, and database names, etc.
If a hacker gets hold of this file, they'd be a lot closer to hacking into your site. For this reason alone, it's a good idea to protect the file in any way you can.
One way to do this is to move the file to a folder above your WordPress installation directory. Some people will tell you this is a good idea, while other security experts will disagree. I don't do this.
An alternative is to put the following code into the .htaccess file for your website. The two directives must sit inside a <Files> block so they apply only to wp-config.php; on their own they would block access to your whole site.
<Files wp-config.php>
order allow,deny
deny from all
</Files>
(On Apache 2.4, which no longer uses the old order/deny syntax, the equivalent line inside the block is Require all denied.)
Like this:
Mac computers hide the .htaccess file by default, so you'll need to "unhide" all files to find it on your server.
Adding the above code will stop anyone from accessing this file. If you need to open it, you can do that via your cPanel's File Manager or FTP.
So should you add this code to your .htaccess file?
I don't, but that's my personal choice. I don't add it because the plugin we install later adds so many other good layers of protection. Because of this, I think both the above methods are unnecessary.
Threat 20 – File Permissions
Files on a web server, just like files on a computer, have certain permissions. These permissions define who or what can access, read and/or write to those files.
Your files need tight controls. We don't want a hacker to come along and be able to access them or, worse still, change them around.
The permissions you see on a web host are a little different from what you see on a PC. Your typical PC files will have something like read-only or writable. On a web server, you'll see the permissions as numbers.
I took the following screenshot from an FTP program. Here it shows the file permissions on one of my WordPress files:
You can see that three groups have permissions:
- Owner
- Group
- Others
The possible permissions for each of these groups of users are:
- R – Read
- W – Write
- X – Execute (or run the file).
Note that the permission for this file is 0644 (in the "Octal" box). So 644 is a number made up from the permissions table above. Each of these permissions has a value.
Example: For owners, the Read permission has a value of 400 and a Write value of 200. Execute would add 100 points to this permissions value.
For "Group," the Read permission has a value of 40 and Write a value of 20. You may be able to guess the execute permission for the group has a value of 10.
For "Others," Read, Write and Execute are an order of 10 smaller, so 4, 2, and 1 respectively.
In the screenshot above, you can do simple maths. We have:
- Owner read (400) and write (200) = 600 total.
- Groups read (40) = 40 total.
- Others read (4) = 4 total.
Therefore, the total permission for this file is 600 + 40 + 4 = 644.
Fortunately, you don't need to remember any of this. I'll give you a guide to what permissions your files and folders should have, and you can check them if you want. The security plugin we install later checks and fixes permission issues for you anyway. There's nothing for you to do at the moment.
Expected File Permissions
- All directories should be 755.
- All files should be 644, including the wp-config.php, .htaccess, and wp-admin/index.php files.
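Here is the permission arithmetic above written out in Python, as an added example rather than the plugin's code. It converts the rwx string an FTP client shows into the numeric value, checks a constructed list of WordPress paths against the expected 755/644, and includes a helper that does the same over a real directory.

```python
"""The octal permission arithmetic from the text, plus a check against the
expected values (755 for directories, 644 for files).

Added example, not the plugin's code. A permission is given as the nine
character rwx string an FTP client shows, e.g. 'rw-r--r--'.
"""
import os
import stat

# Value of each letter for owner, group and others, exactly as in the text.
WEIGHTS = {
    "owner":  {"r": 400, "w": 200, "x": 100},
    "group":  {"r": 40,  "w": 20,  "x": 10},
    "others": {"r": 4,   "w": 2,   "x": 1},
}
EXPECTED = {"dir": 755, "file": 644}


def octal_value(symbolic):
    """'rw-r--r--' -> 644 by adding up the table above."""
    if len(symbolic) != 9:
        raise ValueError("expected nine characters such as rw-r--r--")
    total = 0
    for who, chunk in zip(("owner", "group", "others"),
                          (symbolic[0:3], symbolic[3:6], symbolic[6:9])):
        for letter in chunk:
            if letter in "rwx":
                total += WEIGHTS[who][letter]
            elif letter in "st":          # setuid/setgid/sticky with execute
                total += WEIGHTS[who]["x"]
            # '-', 'S' and 'T' carry no r/w/x value
    return total


def check_entry(kind, value):
    """None if the permission is as expected, otherwise a short note."""
    want = EXPECTED[kind]
    if value == want:
        return None
    note = f"{kind} is {value:03d}, expected {want}"
    if (value % 10) & 2:                  # the 'others' digit includes write
        note += " (world-writable!)"
    return note


def audit(entries):
    """entries: iterable of (path, kind, symbolic). Returns {path: note}."""
    problems = {}
    for path, kind, symbolic in entries:
        note = check_entry(kind, octal_value(symbolic))
        if note:
            problems[path] = note
    return problems


def audit_tree(root):
    """Audit a real WordPress directory tree with os.stat (not used in the demo)."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            entries.append((p, "dir", stat.filemode(os.stat(p).st_mode)[1:]))
        for f in filenames:
            p = os.path.join(dirpath, f)
            entries.append((p, "file", stat.filemode(os.stat(p).st_mode)[1:]))
    return audit(entries)


# Constructed sample of what an FTP listing might show.
SAMPLE = [
    ("wp-config.php",      "file", "rw-r--r--"),
    ("wp-admin",           "dir",  "rwxr-xr-x"),
    ("wp-content/uploads", "dir",  "rwxrwxrwx"),
    (".htaccess",          "file", "rw-rw-rw-"),
]

if __name__ == "__main__":
    for path, note in audit(SAMPLE).items():
        print(f"{path}: {note}")
```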
OK, on that note, we've now finished this section of the tutorial. You now know the majority of security issues that relate to WordPress and how to fix them. In the second part of the tutorial, we install and set up a single security plugin. This will protect your WordPress site against most threats discussed so far.
SECTION 2 - Secure Your Website with a Plugin
The first part of this tutorial was an introduction to the types of protection you should use on your website. Some of these measures are a little technical to put into place. Fortunately, there's a great WordPress plugin that'll add most of these layers. Best of all is that it uses a simple point-and-click interface. In this section of the tutorial, we install our smart security plugin and configure it for your site.
Chapter 5 – Installing the Plugin
The plugin I recommend is called the "All In One WP Security & Firewall" plugin. You can find it by clicking the "Add New" link in the Plugins menu and searching for it. This is what it looks like:
Install and activate it now.
You'll see a "WP Security" menu item in the Dashboard. If you move your mouse over WP Security, the popup menu looks like this:
Each item in the popup menu opens a page of settings you can change.
Click on the "Dashboard" link in the menu. You'll get a graphical interpretation of the current security measures on your site.
The Security Strength Meter gives you an indication of how secure your site is right now. It is a points-based scoring system, so the more points you have, the more security measures you have in place. Currently, my site scores just 25 out of a total of 515 points available.
The Security Points Breakdown will list some of the security measures that are already in place. On my site, I don't have "admin" as my username, and my database prefix is not the old default "wp_." These two measures make it more difficult for hackers, but as the 25 out of 515 points suggest, there is still a lot to do.
Both of these graphics will look a lot different by the time we're finished.
Before we start to make any changes to the site's security, there's one very important task you need to do.
Chapter 6 – Backup Important Files
This plugin makes changes to some of the WordPress files on your server. These changes are necessary to keep hackers out. In rare cases, though, they could break your site or make it difficult for you to log in to the Dashboard.
Don't panic. It's quite uncommon for this to happen. Even so, we're going to make backups of important files before we start. This is just a precaution in case anything goes wrong. In the event of any problems, you can simply use the backups to restore the file that caused the issue.
The good news is that once you find a configuration that works for you, you won't have any problems down the line. In other words, the only time you may encounter issues is when you initially set up the plugin. We're going to go through things in some detail, and I'll inform you of any potential problems along the way. I'll also show you how to recover your site if a setting in the plugin breaks something.
You can back up all the important files from within the plugin itself. From the WP Security menu, select Settings.
In the WP Security Plugin section on the General Settings tab, you'll see what needs backing up:
The three essential items to back up are:
- Database
- .htaccess file
- wp-config.php file
With backups of these three things, we can recover from any problem we may encounter during the plugin setup stages. You'll notice that these three items are links. These links take you to the tool that can back up that item.
Backup the Database
Click the Back up your database link. This will open a new tab in your browser and take you to the DB Backup tab within the plugin settings.
Click the "Create a DB Backup Now" button.
Once the backup is complete, you'll get a message on the screen to show you where the backed-up file is on your server:
I suggest you log in to your webspace (via FTP or File Manager in cPanel) and download the backup to your computer.
Once done, go back to the General Settings tab of the plugin and click the second link, Backup .htaccess file. Again, this will open a new tab in your browser. You'll see the Backup .htaccess File button, so click on that. You'll get a message to confirm a successful backup and its location. Download the file to the same folder on your computer as the database backup.
Finally, click the Backup wp-config.php file button to open a new tab with an option to back up this file. In this case, the file downloads automatically to your computer. I suggest you then copy it to the same folder as your database and .htaccess files.
Now you have the three important files safely on your computer in case of a problem.
In the next chapter, we look at the steps to take if the plugin locks you out of your website.
Chapter 7 – If You Get Locked Out
Locked out of your WordPress Dashboard? Don't worry! You can quickly return your website to its previous state. We can do this by restoring one or two files. I'll show you how to do that now.
You can work with the files on your server in a couple of ways:
- FTP (File Transfer Protocol, using an FTP Client software tool).
- File Manager in cPanel.
I like to use FTP. It's faster and more convenient than going through the cumbersome File Manager inside cPanel. If you don't know how to set FTP up for your web server, ask your web host. Alternatively, you can always use the File Manager inside cPanel to make the necessary changes.
IP Lockout
One of the main reasons the plugin locks people out is if their IP address triggers the security settings. If it locks your IP address, you won't be able to log in to your Dashboard with that particular IP.
The simplest solution is to use a VPN. This lets you change the IP on your computer as if you were in a different location, even a different country. There are a lot available; just search Google for VPN service.
When the system locked me out in the past, the first thing I would do is change my IP using a VPN service. I'd then log in and make the necessary changes to the plugin settings. I'd say this works fine in 99% of all cases, without the need to restore any files.
If you don't have, or don't want to buy, a VPN service, then work your way through the next section.
Disabling the All In One Security Plugin
The quickest way to fix the issue is to disable the All In One Security plugin and reverse any changes it made. This is a 2-step process.
Step 1. Disable the plugin
Step 2. Reverse any changes the plugin made.
Step 1. Disable the Plugin
If you cannot log into your dashboard, you may be wondering how you can disable the plugin. The answer is to log into your hosting account and use the File Manager tool there. For cPanel hosting, log into cPanel and open up File Manager.
Navigate to the folder where WordPress is installed. You'll be able to tell you are there because you'll see the following folders:
Open the wp-content folder and then the plugins folder inside that:
You'll see a folder for each plugin installed in WordPress. Right-click the one for the All In One Security plugin and click Rename.
Add -old to the end of the folder name (you can add anything you like):
Now click the rename button.
With step 1 complete, you should be able to log into the dashboard.
Step 2 - Reverse Changes made by the plugin
The All In One Security plugin made some changes that uninstalling does not reverse. For that, you need a free plugin from this site:
https://www.tipsandtricks-hq.com/all-in-one-wp-security-reset-settings-plugin
(If you search Google for the All In One Security reset plugin, you will find it.)
Download and install the plugin following the instructions on that web page if needed.
Once activated, go to Settings, AOIWPS Reset:
Click the Reset Settings button.
You can now uninstall this plugin. Also, log out of your dashboard.
Back in the File Manager of your cPanel, rename the plugin folder by removing the -old suffix in the same way you added it.
Now log back into your Dashboard and go to the Plugins screen.
You'll see the All In One Security plugin is there and deactivated. You can now activate it again.
The settings for the plugin that locked you out will have been reset, so be careful going forward. Don't enable something that locked you out previously.
The Last Option in Case All Else Fails: Restoring Files
If the previous option fails, and it never has for me, there is one final option: restoring files from backup.
The problem with restoring files is that you lose all customizations to the plugin settings since the last backup. In other words, say you took the backup before you began to configure the plugin. This means that, after the restoration, you'll have to reconfigure it all again from the start.
One thing that can make life a little easier is if you back up the files periodically as you set up the plugin. Then, if a problem does arise, you can restore the files starting with the most recent backup. If necessary, you can work backward until you find the backup file that fixes the issue.
So, you need your backup files to restore your site in the event of a problem. We saved those to your computer in the last chapter.
The chances are you'll only need to restore the .htaccess file, as it's where the plugin makes most of its changes. If WordPress does lock you out, I recommend you try to restore functionality in the following order:
- Restore the .htaccess file and check to see if you can get in. If you can, you don't need to follow step 2. If you can't, keep reading.
- Restore the wp-config.php file and check to see if you can get in.
After completing steps one and two, you should have access to your site. If not, then clear cookies in your browser and try again.
If you still can't get in, I recommend you go and rename your "plugins" folder. This is the last resort, but it does work. You can then log in, but you'll get some error messages. Ignore them. While you're logged in, rename the plugins folder back to its correct name and refresh the browser. You should now be able to access the Security settings and make the changes.
I've never seen an instance where you'd need to restore the database because of the security plugin. The database backup is very useful in case your site gets hacked, and you need to restore the content. However, for a full backup, I recommend you look at the Updraft plugin we mentioned earlier.
Restoring the .htaccess file
This is simply a matter of uploading your backup and overwriting the existing .htaccess file in the root folder of your site.
First, it's worth having a look at the .htaccess file on your server. You'll see it contains some comments that pinpoint the changes made by the plugin:
Comments start with the # symbol.
As you can see, the block of code added to the .htaccess file begins with:
BEGIN All In One WP Security
...and ends with:
END All In One WP Security
Another way to try and recover your site is to restore your .htaccess file by deleting everything the plugin added: the code that starts with the opening # BEGIN All In One WP Security and ends with # END All In One WP Security. Make sure you save the edited file back to your server.
This should remove all security measures applied by the plugin.
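The manual edit described above, done as a small script so the plugin's block is removed cleanly and a copy of the live file is kept first. This is an added example, not code from the book or from the plugin; it assumes a POSIX shell with awk, and the function and backup-file names are my own. A constructed sample .htaccess is built by make_sample_htaccess so it can be tried offline.

```shell
#!/bin/sh
# Added example, not from the book or the plugin: remove the block the plugin
# wrote to .htaccess, keeping a dated copy of the live file before editing.
set -eu

# Copy the live file to NAME.before-reset.DATE.N so nothing is lost, even if
# this is run several times on the same day.
keep_copy() {
    n=0; base="$1.before-reset.$(date +%Y%m%d)"
    while [ -e "$base.$n" ]; do n=$((n + 1)); done
    cp -p "$1" "$base.$n"
}

# Drop every line from "# BEGIN All In One WP Security" through
# "# END All In One WP Security" (matched case-insensitively, so the
# "All in One" spelling also works) and pass everything else through unchanged.
strip_plugin_block() {
    keep_copy "$1"
    awk '
        tolower($0) ~ /^# begin all in one wp security/ { skip = 1 }
        !skip { print }
        tolower($0) ~ /^# end all in one wp security/   { skip = 0 }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample .htaccess for trying this offline: WordPress's own
# block, the plugin's block, and one unrelated directive that must survive.
make_sample_htaccess() {
    printf '%s\n' \
        '# BEGIN WordPress' \
        'RewriteEngine On' \
        '# END WordPress' \
        '# BEGIN All In One WP Security' \
        'Options -Indexes' \
        '# END All in One WP Security' \
        'DirectoryIndex index.php' > "$1"
}
```

Run strip_plugin_block against the real file path (for example /home/youruser/public_html/.htaccess) only after you have downloaded a copy, as the book advises.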
If you don't want to manually edit this file, then simply restore the backup.
To do this:
- Upload your backup to the root folder of your website.
- Delete the original.
- Rename your backup (which will have a random name created during its backup) to .htaccess.
If you are not sure which is the root folder of your site, you can quickly identify it because it contains these three WordPress folders:
You can also see the original .htaccess file in the root folder. For Mac users, the .htaccess file is probably invisible by default, so you'll need to unhide it to see it.
After you restore the backup .htaccess file, you should have access to your site again through the regular login URL.
If you don't, you can use the same procedure to restore the wp-config.php file.
You should then get access back to your Dashboard. Now you can start to set up the plugin again.
Chapter 8 - Classification of Security Measures
To make things easier and safer, the plugin classifies its security measures into three categories:
- Basic
- Intermediate
- Advanced
The Basic classification means it will not break your site.
The Intermediate classification means it can cause problems, but usually, it's fine.
The Advanced classification means be careful! This could break your site.
Our Security Strategy Going Forward
The best strategy is to activate all the basic measures immediately. These should be safe and will give your site a lot of protection against hackers.
After activating these, make a new backup of your files (the same ones as earlier). I suggest you save them to a separate folder (maybe call it "postbasic").
If you have to restore the files, you can use these "postbasic" ones. It's a simple system that means you won't have to configure the plugin again from scratch.
My advice is to test the site for a day or two to make sure everything works fine.
You can then go in and activate some of the intermediate measures and again take a backup of the files once you're done. Put these into a separate folder (maybe call this one "postinter").
Again, youâll test the site for a couple of days to make sure there are no issues.
You can then go in and activate some of the "advanced" features.
At any stage, if you have problems, you can go back and restore the files. Just choose the ones from the last working configuration before you implemented the advanced strategies.
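The staged backups described above, as an added example that is not part of the book: a small script that snapshots .htaccess and wp-config.php into a folder named after the stage (postbasic, postinter, and so on) and rolls back to any earlier stage. The folder layout and function names are my own assumptions; the backup folder is meant to live outside the web root, or on your own computer as the book suggests, because wp-config.php holds the database password.

```shell
#!/bin/sh
# Added example, not from the book: keep a named snapshot of the two files the
# plugin changes after each stage and roll back to any earlier stage.
# BACKUP_DIR must be OUTSIDE the web root (or on your own computer): a copy of
# wp-config.php under the site folder could be downloaded by anyone.
set -eu

# snapshot_stage SITE_ROOT BACKUP_DIR STAGE   (e.g. STAGE=postbasic)
snapshot_stage() {
    site_root="$1"; dest="$2/$3"
    mkdir -p "$dest"
    cp -p "$site_root/.htaccess" "$dest/htaccess"        # stored without the dot
    cp -p "$site_root/wp-config.php" "$dest/wp-config.php"
    date '+%Y-%m-%d %H:%M:%S' > "$dest/TAKEN_AT"         # when it was taken
}

# list_stages BACKUP_DIR: stage names oldest first, so you can see how far back
# the last working configuration is.
list_stages() {
    ls -tr "$1"
}

# rollback_to_stage SITE_ROOT BACKUP_DIR STAGE: put a stage's files back. The
# live copies are saved as *.before-rollback first, so this step cannot lose
# anything, and a misspelled stage name is refused rather than half-applied.
rollback_to_stage() {
    site_root="$1"; src="$2/$3"
    if [ ! -f "$src/htaccess" ] || [ ! -f "$src/wp-config.php" ]; then
        echo "no complete snapshot named '$3' in $2" >&2
        return 1
    fi
    cp -p "$site_root/.htaccess" "$site_root/.htaccess.before-rollback"
    cp -p "$site_root/wp-config.php" "$site_root/wp-config.php.before-rollback"
    cp -p "$src/htaccess" "$site_root/.htaccess"
    cp -p "$src/wp-config.php" "$site_root/wp-config.php"
}
```

A typical sequence is snapshot_stage after the basic settings, again after the intermediate ones, and rollback_to_stage to the last stage that still let you log in.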
In the next few chapters, we'll go through all the setup screens and most of the options: Basic, Intermediate, and Advanced. I'll tell you the settings I recommend you enable. Some of these will be Basic, some Intermediate, and a few Advanced.
The first time you go through these chapters, only activate the basic features I suggest. Once activated and working fine, back up the files and work through the chapters again. This time, enable my recommended "Intermediate" features. After a day or two, back up the files and work your way through these chapters again.
This time you'll enable my recommended "Advanced" features. This is our strategy.
There are a couple of settings that I know cause issues for some people. These can trigger the IP lockouts we looked at earlier. I'll highlight those for you as we go through the settings. If the system locks you out, once you get access again, go and disable the known troublemakers first. Then log out of your site and back in again. You can then start to re-enable these settings one at a time and test them for a day or two before moving on.
OK, let's begin by looking at the Dashboard screen.