WordPress security is being a biggest market ever in online marketing space when thousands of websites are cracked down each day due to vulnerable security issue and website owners are to pass very crucial time in providing extra security layer for their most popular website or business blog costing huge money for their business.
Today I will discuss WordPress security vulnerabilities, how to understand your Website is hacked and a complete setup procedure of a famous WordPress security suite iThemes Security Pro. Let’s begin…
Vulnerabilities of WordPress Security
WordPress websites face number of potential and highly targeted vulnerabilities that are today biggest issue for website owners to run a WordPress site without trouble. To all of us in common sense we think changing “admin” as username and choosing a strong password can protect our site in many ways. Apparently it’s true that choosing strong password is a big deal but in terms of ensuring a whole security layer for WordPress site only a strong password can’t help a lot indeed.
Following the potential WordPress vulnerabilities
- Server vulnerabilities
- Theme security
- Plugin security
- File permissions
- Securing specific files (like wp-admin and wp-config and wp-includes)
- Database security
- Computer vulnerabilities
- FTP vulnerabilities
- and more
The above mentioned vulnerabilities can’t be fixed with a single plugin or service provider but in a combination of recommended products and services a WordPress site can be made sure 100% secured and safe from all kinds of potential attacks.
And it’s a goal for website owners who think for real online business to protect their sites from all kinds of potential vulnerabilities by any means.
So today I will walk you out through understanding WordPress site hacking and reducing your WordPress vulnerabilities by installing a recommended WordPress security tool “iThemes Security Pro.”
How to Understand if Your Site is being Hacked?
Understanding whether your site is being hacked or not is a biggest deal to you since you’re in a space where website hacking is a common phenomena. There are few certain activities that can ensure you will always be updated with the latest events of your website especially regarding unusual activities like website hacking.
Following are quite few ways you can measure your website’s health
- Google Webmaster Tools: GWT is the best place to start out searching vulnerabilities of your WordPress site through advanced search console dashboard. If your site is in potential attack then immediately Google will warn you and display a message in your Search console mailbox in addition you will get that message sent to your Gmail account.
- Sucuri Sitecheck: Sucuri Sitecheck is a free service to scan your entire WordPress site to check potential vulnerabilities of your site. If you scan your site with Sucuri free plan then you may not get notifications of critical problems and errors that you will get from Sucuri paid plan. So it’s recommended to go through Sucuri paid plan to get real time notifications of your site health. Sucuri can give you heads up for website malware, spam injections, defacing or blacklisting.
- CodeGuard: CodeGaurd is a time machine for your WordPress site that is a fantastic and more reliable website backup – which track all of your changes daily. Try CodeGuard with free trial.
- Google Alerts: Google alerts can provide free services to head you up scheduled alerts with the aid of Google analytics tool for website activities and potential vulnerabilities of your WordPress site. This tutorial better explains how to use Google analytics and alerts together to monitor your Website latest events and activities.
So we have learned about potential WordPress security vulnerabilities and how to understand whether your site is being hacked or not. Now I will show you up a complete setting up tutorials for a famous WordPress security tool “iThemes Security Pro”
As the name suggests it’s a full version of iThemes security, though you can follow this tutorial if you run a free version except Pro features.
iThemes Security Pro
iThemes security(formerly Better WP Security) is one of the most popular WordPress security plugins in the market today which offers 30+ ways to secure and protect your WordPress site from attacks. To date iThemes Security receives 4.7 out of 5 ratings with 7M+ active installs.
Install and Activate
iThemes Security comes with both free and paid version. If you think for business then it’s recommended that you go for paid version for enabling extra security layer across your WordPress site with multiple security settings. If money is a concern then go for free version.
Anyway for tutorial purpose I will show how to install and activate Pro version of iThemes security in WordPress site.
First of all go to iThemes.com/security and download iThemes Security choosing a preferred plan
After buying iThemes Security Pro you need to activate license for your website with iThemes Sync Standard. To activate license simply click on “Licensing” and choose “Setup 10 Sites for Free”
Now you can buy iThemes Sync Standar (10 sites) with $0.00. After buying you will receive a welcome message from iThemes allowing you to login your Sync dashboard.
Login to your iThemes Sync account and add your current WordPress site to iThemes Sync. You can add maximum 10 sites in iThemes Sync for free.
Now download iThemes Security Pro from Downloads section. After that login to your WordPress account, install and activate the plugin with regular WordPress plugin installation method.
The very first step is to activate the licensing option for iThemes Security Pro. To activate license navigate Settings −> iThemes Licensing
Now select your iThemes products and click on “License Products” button. After licensing product you will see Expiration of each product with Product status.
After that head to Security −> Dashboard and click on “Secure Your Site Now.” There are four important steps you need to take action before setting up iThemes Security.
Important First Step
Backup Your Site: Before to get started with iThemes security it’s recommended to backup your database
Allow File Updats: iThemes Security requires to write up on wp-config.php and .htaccess files. So before to give those rights you should allow file updates. Click on “Allow file updates” button
Secure Your Site: This is a default setting that can not conflict with other plugins or themes.
Help Us Improve: iThemes Security Pro would like to collect anonymous date about features you use to help improve this plugin. Press, Yes, I’d like to help button.
Finally click “Dismiss” to get back to the Security Dashboard panel
Don’t Lock Yourself Out
iThemes security is very strong to secure your WordPress site from all the potential spam attacks that come from website users or hackers. It doesn’t care who you are, if it detects any unusual activity even from Website administrator it will lock you out.
This can be troublesome on sites with existing errors like admin lockout and you had to take action such as removing plugin files from your WordPress Plugins directory through File Manager on server-end.
So if you don’t want to get yourself into serious technical trouble like this then whitelist your IP by clicking on Temporarily Whitelist my IP for 24 hours.
In Getting started guide you will watch a quick walk-through video about iThemes security pro installation and setup documentations. Also if you have any question regarding iThemes products you can get help by clicking on “Get Help Now” button
Security Status section represents your site’s High risks, Medium risks, and Low risks points where you must take action like fixing issues by clicking on Fix it button.
- XML-RPC requests can try multiple authentication attempts per request. Attackers can use this to speed up their brute force attacks.
- Malware scanning is not scheduled to run automatically.
- You are not allowing two-factor authentication
So the above mention activities must be done in order to keep your site safe (as it’s now under risk) of very potential attacks.
By clicking on Fix it button you can fix every critical issue individually in “Settings” section
- Your website is not protected against bots looking for known vulnerabilities. Consider turning on 404 protection.
- Your login area is partially protected from brute force attacks. We recommend you use both network and local blocking for full security.
- Your WordPress Dashboard is using the default addresses. This can make a brute force attack much easier.
The above mentioned security signals are performed in your site as Medium priority tasks and these are displayed in a yellow highlighted zone meaning that these are imperative to fix to enable strong security coating across your site.
In Low Priority section you will see handful of tasks that are less responsible of causing critical issues across your site. But it’s strongly recommended that you fix each and every issue very carefully because your site’s security is a big concern after all.
Global settings are the initial security settings of iThemes Security that controls your site’s unethical login attempts through locking out process. In Global settings you mostly take actions in Notification Email, Blacklist Lookback Period, Lockout Period, Lockout White List etc.
404 detection looks at a user (possible hacker) who is hitting a large number of non-existing pages and getting a large number of 404 errors.
Your site normally remains active login for 24 hours unless you activate Away Mode feature. This setting will allow you to disable access to the WordPress Dashboard for the specified period. In addition to limiting exposure to attackers this could also be useful to disable site access based on a schedule for classroom or other reasons.
Brute Force Protection
If one had unlimited time and wanted to try an unlimited number of password combinations to get into your site they eventually would, right? This method of attack, known as a brute force attack, is something that WordPress is acutely susceptible by default as the system doesn’t care how many attempts a user makes to login.
By enabling this feature your site will be safe from unwanted brute force attacks
Hide Login Area
Enable this to hide the login page (wp-login.php, wp-admin, admin and login) making it harder to find by automated attacks and making it easier for users unfamiliar with the WordPress platform.
iThemes Malware scanning is powered by Sucuri Sitecheck. It checks for known malware, blacklisting status, website errors, and out-of-date software.
Force users to use strong passwords as rated by the WordPress password meter.
These are advanced settings that may be utilized to further strengthen the security of your WordPress site.
This feature will improve the security of your WordPress installation by removing common user attributes that can be used to target your site.
A secret key makes your site harder to hack and access by adding random elements to the password.
Change Content Directory
Changing the name of the Content Directory on a site that already has images and other content referencing it will break your site. For this reason, it is highly recommended that you only change the Content Directory on a fresh WordPress install.
Change Database Prefix
WordPress assigns the prefix “wp” to all tables in the database where your content, users, and objects exist. This is also a vulnerable point of any WordPress. By enabling this setting you can generate a new database table prefix.
These are the pro features that only included in iThemes Security Pro, which contains some most advanced site security layer especially Malware Scan Scheduling, WordPress Password Expiration, Google reCAPTCHA, Two-Factor Authentication, and User Logging.
If you don’t have a pro version then use this link to download iThemes Security Pro
Malware Scan Scheduling
Protect your site with automated malware scans. When this feature is enabled, the site will be automatically scanned each day. If a problem is found, an email can be sent to select users.
Enabling this feature will allow administrators to temporarily grant extra access to a user of the site for a specified period of time.
Use this option to strengthen the passwords users use to log in to your site.
Protect your site from bots by verifying that the person submitting comments or logging in is indeed human.
To allow users to log in with two-factor authentication, enable one or more two-factor providers. Once at least one two-factor provider is enabled, users can configure two-factor authentication from their profile.
By clicking on this button you will be taken to iThemes Backup plugin Backup Buddy. If you use iThemes Security then it’s highly recommended to use also BackupBuddy to ensure your site’s full backup and database backup scheduling.
In this section you will see various security log information regarding Don’t Lock Yourself Out, Security log Data and Log Summary. If you want you can clear logs anytime.
To get instant help from iThemes Security expert team you can easily create a support ticket by clicking on “Create a support ticket” button or get Hack repair service from Sucuri and iThemes recommended hack repair partner to get things back in order.
WordPress security is indeed a big concern to many people who are in internet marketing space and do maintain number of websites and blogs for their businesses. Hackers are unstoppable and they’re damn terror to vulnerable WordPress sites that can be easily cracked down by some simple steps of hacking procedures.
After having countless WordPress security services and security experts in our industry still many people can’t have a calm and peaceful sleep for a night for their most beloved website or blog. We know how hard to stop hacking attempts made by hackers to a million dollar worth website when on average, 30,000 new websites are hacked each day.
iThemes Security Pro can be your ultimate solution of getting away of all kinds of hacking attempts made by hackers. This security tool never causes any downtime issue across site and it’s a handy WordPress security suite of any time.
Let me know your thoughts about iThemes Security Pro, I would be happy to know your positive feedback about this product.
Latest posts by Ahmed Shawan (see all)
- An In-depth Look at Nextcloud File Hosting - March 5, 2017
- 15 Best and Cheapest Email Marketing Service Providers - May 2, 2016
- How I Increased My WordPress Site Page Speed by 300% - April 24, 2016