Thursday, 11 January 2024

Sleighing It: A Festive Feast of Features in 2023

 Alright, Pleskians, it’s a wrap – time to wind down, looking back on 2023 with a steaming cup of eggnog and musing about what 2024 has in store for us. Join us as we revisit all the big and small tweaks we made to Plesk, traveled around the world to meet as many of you as we possibly could, and more.

The Gift that Keeps on Giving: Sitejet Builder for Plesk

Since its grand entrance in July, Sitejet Builder has been the star on top of the Plesk tree. This fully integrated website builder is like the Swiss Army knife of website creation included in your Plesk license, offering a modern and intuitive solution for both web novices and seasoned administrators alike. We’re talking 140+ templates, an AI-based Text Generator, and a user-friendly experience as smooth as sipping hot cocoa by the fire.

NSIONS HELP CENTER MORE FREE TRIAL

 

What is MariaDB?

MariaDB, emerging in 2009, stands as a significant fork of the widely-used open-source database system, MySQL. The inception of MariaDB was primarily influenced by the acquisition of MySQL AB by Oracle Corporation, leading to concerns within the MySQL community regarding the future of the project’s open-source commitment.

Developed by Monty Widenius, one of the original creators of MySQL, MariaDB was designed to be a drop-in replacement for MySQL, ensuring compatibility and ease of transition for existing MySQL users. The primary motivation behind MariaDB was to maintain and enhance an open-source database system, driven by the community’s needs and contributions.

Central to MariaDB’s philosophy is its commitment to remain open-source and maintain compatibility with MySQL. This approach has facilitated a seamless migration path for users, making it a preferred choice for many who were already familiar with MySQL. MariaDB has introduced several new features and storage engines, like Aria and TokuDB, which have contributed to its reputation for improved performance and functionality over MySQL.

Over the years, MariaDB has seen widespread adoption and community support, reflecting a broader trend towards open-source solutions in database management. Its development underscores the significance of community-driven projects in shaping the landscape of technology, particularly in the realm of open-source software.

What is MongoDB?

MongoDB, launched in 2009 by the company 10gen (now MongoDB Inc.), marked a significant shift in the landscape of database management systems. It emerged as a frontrunner in the NoSQL movement, which sought alternatives to traditional relational database systems (RDBMS) that were dominant at the time.

The core concept of MongoDB is centered around its document-oriented nature, a departure from the row-and-column format of RDBMS. This model allows MongoDB to store data in flexible, JSON-like documents, enabling the representation of hierarchical relationships, arrays, and other complex structures more naturally and efficiently than typical SQL databases.

MongoDB’s schema-less design is a fundamental characteristic that differentiates it from traditional databases. This feature facilitates the accommodation of varied and evolving data models, making it particularly suitable for use cases with large volumes of rapidly changing data, such as in big data and real-time applications.

Since its inception, MongoDB has focused on scalability and performance. Its architecture allows for the easy distribution of data across multiple servers, enhancing the database’s reliability and speed. This scalability, coupled with its agility in handling diverse data types, has contributed to MongoDB’s popularity in a wide range of industries.

Throughout its evolution, MongoDB has balanced innovation with user-friendly features, such as its powerful query language, which offers extensive querying and aggregation capabilities. Its history reflects a broader trend in database technology towards systems that are not only performant and scalable but also adaptable to the diverse and dynamic needs of modern applications.

MariaDB vs MongoDB – Core Differences

Here are the key differences between MariaDB and MongoDB:

MariaDB exhibits compatibility with Azure and features high availability. It offers a robust cloud storage solution, accompanied by security measures. Additionally, MariaDB is user-friendly in various systems and provides a cloud service that simplifies usage for developers. Conversely, MongoDB is compatible with major cloud platforms such as AWS, GCP, and Azure, owing to its ease of integration with different cloud services. It is readily accessible in various systems, though it does not have a proprietary cloud service, a feature that distinguishes MariaDB.

MongoDB is widely recognized for its popularity, while MariaDB is often noted for its performance, security, and availability. MariaDB also has the capability to integrate with other databases and utilizes a column-based structure. On the other hand, MongoDB is designed to operate as a cloud service with a robust infrastructure, which contributes to its efficient performance in various applications, often requiring fewer resources. Additionally, MongoDB is specifically tailored for environments where the data storage is exclusively document-oriented.

Both databases provide compatibility with a wide range of programming languages. However, MariaDB does not include support for Matlab and certain shell languages. On the other hand, MongoDB is known for its extensive support encompassing all major programming languages within its system.

MariaDB includes support for storing, accessing, and retrieving data in XML format. In contrast, MongoDB does not offer this specific feature, focusing instead on document-oriented access and storage capabilities.

MariaDB utilizes a variety of APIs, such as ODBC, JDBC, and ADO.NET, along with a native API for its security system. These APIs are instrumental in managing data operations and ensuring data availability upon user request. In contrast, MongoDB does not employ traditional APIs but instead uses a protocol tailored for JSON data format. This approach in MongoDB, which is less complex compared to the API system in MariaDB, facilitates efficient data management within its framework.

MariaDB is fundamentally structured as a relational database model, whereas MongoDB is primarily a document store. MongoDB operates both as a document search engine and can perform some functions akin to a standard relational database. It is considered a leading document store in comparison with other databases in the market. In addition to its primary relational model, MariaDB also supports secondary storage types such as document stores and graph DBMS, and includes a search engine capability for graph data stored within the database.

MariaDB employs SQL queries, facilitating database interaction through SQL commands, which are familiar to many users. In the case of MongoDB, while it also utilizes SQL queries, these are primarily available in a read-only format. Users do not directly interact with these queries. Instead, they are used in business intelligence applications through the MongoDB Connector. This functionality aids in integrating the databases with other systems and enables data sharing.

A Simple Comparison Between MongoDB and MariaDB

In this comparison table, we take a deeper dive into both databases to help you decide whether MariaDB or MongoDB is right for your requirements.

MariaDBMongoDB
In MariaDB, script execution maintains consistency, ensuring immediate data integrity in cases where queries fail.Scripts are designed to ensure both immediate and eventual consistency, facilitating smooth script operation and execution.
Various partitioning methods are available, including sharding and horizontal partitioning. Sharding can be performed with the storage engine or clusters. This is useful for avoiding unwanted data in the system and for staying relevant to the data needed.Thanks to the partitioning methods, the documents always work and identify the documents needed within the database. The method used here is Sharding, and this leaves documents arranged efficiently.
Master to master and master to slave replication methods are available. Any replication members have the power to edit data. The database functions effectively in this system.The master to slave replication method is available. Data is unable to be updated by any users but the servers within the group.
Inside the system, a cache is managed and the load is checked. If it’s unavailable, data is loaded from the server — so the database’s work is easy.As the cache is not managed in the system, data is not loaded from it.
The processing of data can take time and the facility of map reduce is unavailable.Data processing can be performed easily thanks to map reduce, that helps to process significant loads of data simply at once. Map reduce leads to proper results.
As foreign keys are utilized in the system, data is linked from table to table. It’s easier to grab data from any table as a result.This database does not use foreign keys, which means the tables aren’t easily linked. Data can be gathered from other tables if you call them from the table directly.
The database’s transaction levels are: atomicity, consistency, isolation, durability (a concept known as ACID).The database uses ACID concepts and snapshot isolation to create a consistent view of available data with data integrity.
MariaDB is easy to use for users with SQL base , due to the number of similar queries and its functional similarity to SQL. Users with SQL standards will have rights provided to them.MongoDB doesn’t work like SQL, but users have access rights based on system role.
  

Are These DBMS Supported By Plesk?

MariaDB is supported by Plesk under both Linux and Windows. For Plesk Obsidian under Linux you will need:

  • MariaDB 10.4 and 10.5 starting from Plesk Obsidian 18.0.30.
  • MariaDB 10.6 starting from Plesk Obsidian 18.0.41.
  • MariaDB 10.11 is supported starting from Plesk Obsidian 18.0.52

Plesk Obsidian for Windows requires:

  • MariaDB 10.4 and 10.5 starting from Plesk Obsidian 18.0.30 for both Plesk database and customers’ websites.
  • MariaDB 10.6 starting from Plesk Obsidian 18.0.41.
  • MariaDB 10.11 is supported starting from Plesk Obsidian 18.0.52

In contrast, MongoDB is not supported by Plesk Obsidian at the moment. MongoDB can be installed via Docker, however should be still managed manually – Plesk hasn’t got any set of tools to manage it.

Summary

In conclusion, MariaDB and MongoDB each offer distinct features catering to diverse data management needs. MariaDB, with its SQL query compatibility and variety of APIs, is well-suited for applications requiring traditional relational database structures and complex transactions. MongoDB, known for its document-oriented model and JSON protocol, excels in handling large volumes of unstructured or semi-structured data, making it ideal for big data applications and real-time analytics. The choice between MariaDB and MongoDB ultimately depends on the specific requirements of the application, such as data model complexity, scalability needs, and the programming environment.

Web Server Security – Beginner’s Guide

 Web server security is a broad term covering the processes and solutions that keep web servers secure. Web server security encompasses three elements: host, network, and physical. For example, a comprehensive firewall can protect network connections, while unauthorized users are prevented from accessing a network by specific hardware or software components.

When discussing web server security, we can look at two key areas:

  • Securing a web server’s data
  • Securing the services that run on a web server

Access controls and operating system security protect a web server’s data, while antivirus software and firewalls safeguard the services that run on said server. The server’s data can be considered the most important of its assets, which is why it’s likely to be targeted in the majority of attacks.

Fortunately, encrypting information stored on the disk allows you to protect data. Intrusion detection tools can identify unauthorized users’ attempts to intrude, too, and help you respond to them in an effective way.

Ultimately, a user’s priority when using the internet is reaching a specific website as soon as possible. But they want to land on, and use, that website safely. That’s why web server security is such a critical topic, especially today, when hackers have access to highly sophisticated software.

The good news is that professionals in the information technology (IT) industry can take various steps to defend web servers from outside attacks. For instance, implementing a firewall is one of the most basic security measures: these run checks on all traffic going into and out of a web server, identifies traffic that may be dangerous or suspicious, then blocks it. But what else can you do?

In this guide, we’ll explore helpful ways to secure your web server, the best open-source tools, and more. But first, let’s start by discussing why web server security is so important.


Understanding Why Web Server Security Matters

One of the most important parts of having a website is ensuring effective security — particularly when operating a web server. When a web server is unprotected, it can easily become the target of an attack, and hackers could steal sensitive data from it in no time.

Web servers are responsible for numerous tasks, including the storage, processing, and delivery of web pages (as well as other forms of online content). Additionally, web servers are essential for hosting and serving a variety of data in diverse formats. For example, video files, executable programs, and audio files.

With that in mind, a web server should be defended against unauthorized users to ensure that all information on it remains safe. That reduces the risk that anyone can access, modify, disclose, or even destroy data on the server.

What are the Most Common Web Server Weaknesses?

Web servers deliver the web content you browse daily, and they’re designed to be as robust, efficient, and secure as possible. However, they still have a number of vulnerabilities that affect their (and their users’) security.

Common weaknesses include command injection, cross-site scripting (XSS), and SQL injection. While some of these are easy to take advantage of, exploiting others requires a little more work and detail. Below, we’ll take a closer look at these security threats and why they’re so dangerous.

DoS Attacks

When someone launches a denial of service (DoS) attack, they are trying to prevent users from accessing the targeted web server or network resource as they usually would.

These focus on a specific web server or resource: the attacker floods the target with high levels of traffic until it becomes unavailable to genuine users. That can be especially damaging for online retail sites, as they would be unable to process transactions.

Perpetrators launch DoS attacks using viruses, bots, or other tools that consume the target’s CPU or network capacity. They can also initiate attacks with computers or networks that have been infected by viruses or other harmful software.

Cross-Site Scripting Attacks

During cross-site scripting (XSS) attacks, perpetrators inject code executed by the user’s web browser. The code responsible is typically seized when the user’s cookies are sent to the web server.

Perpetrators tend to use XSS attacks to undertake actions on behalf of a user, which allows them to access a user’s current session.

SQL Injection Attacks

An SQL injection is a form of attack capable of overrunning a database. The attacker will input malicious code into the information entry fields on a data-driven application or website.

Once the code is injected into the database of a website or application, the attacker can access data that would normally be out of their reach. They can view and tamper with this information, which could allow them to manipulate and expose sensitive data.

How to Keep Your Web Server Secure

In our interconnected world, companies of all sizes must take web server security seriously to stay safe. Cybercriminals have a wide variety of techniques to choose from, so it’s vital that you implement the necessary measures to secure your web server.

Attackers can cause extensive damage to any business, but comprehensive security can make their work much more difficult. Here are three simple steps to keep your web server secure.

Eliminate Redundant Services

Standard operating system setups aren’t secure, often including unused network services, like remote registry or print server services. These services open additional ports, increasing vulnerability to malicious attacks. Deactivate and disable these services to prevent them from auto-starting after a reboot, improving server performance and freeing hardware resources.

Control Remote Access

While less practical today, server administrators should ideally access web servers directly. If remote access is necessary, secure it with tunneling and encryption, use security tokens and single sign-on tools, limit access to certain IPs and accounts, and avoid using public computers or networks for remote server access.

Distinguish Development and Production Environments

Developers often use production servers for quicker application development, leading to public exposure of unfinished versions or content in directories like /test/ or /new/. These early-stage applications, with various vulnerabilities and poor exception handling, are susceptible to exploitation. Development and testing should occur on isolated servers, disconnected from live data and databases.

Isolate Web Application Data

Web applications and scripts should reside on a separate partition or drive from the operating system and other system files. Hackers accessing the web root can exploit vulnerabilities and gain access to the entire disk, including system files, allowing them to execute commands and control the server.

Manage Permissions and Privileges

Properly assigning permissions to files and network services is crucial for security. In case of a network service compromise, limiting privileges can prevent further exploitation. Ensure minimal necessary access for network services and anonymous users for web applications and databases.

Install Security Patches

Fully patched software doesn’t guarantee complete security, but it’s vital to regularly update the operating system and software with the latest patches. Many hacking incidents result from exploiting unpatched servers.

Monitor and Audit Server Logs

Keep web server logs in a separate area and regularly check them, including network services, website access, database server, and operating system logs. Investigate unusual log entries immediately to address potential security issues.

Secure User Accounts

Disable unused default accounts created during operating system installations. Check accounts added by software installations, adjust permissions as necessary, rename built-in administrator accounts, and ensure each administrator has a unique account without sharing credentials.

Remove Unused Modules and Extensions

Disable unnecessary Apache modules and limit IIS to essential application extensions, restricting their HTTP verb usage. This step reduces risks of targeted attacks on these modules.

Utilize Provided Security Tools

Use security tools like URL scan for IIS and mod_security for Apache. While setup can be complex and time-consuming, especially with custom applications, these tools add significant security enhancements.

Top Open Source Security Solutions for Web Servers

You can choose from a wide range of open source security tools to protect your web server. These can help defend you against common threats and provide users with a safer experience.

Here are the best open source security tools for web servers available.

Nmap

Nmap (Network Mapper) is an open-source solution for security audits, discovering networks and hosts, and exploring networks. You can use Nmap to scan networks on a bigger scale, but it’s suitable for single hosts too.

Snort

Snort is built for preventing network intrusion and identifying potential threats. It can run traffic analysis in real-time, using both protocol analysis and pattern matching to pinpoint signs of possible issues in network traffic.

Metasploit

With Metasploit, you can get an insight into security weaknesses that will make it easier to protect your web server.

Metasploit helps in IDS signature development and penetration testing, so you can learn more about vulnerabilities and take action to address them before they are exploited by attackers.

Sqlmap

Sqlmap is an open-source tool for automated security testing: you can automatically identify and exploit SQL injection vulnerabilities that would allow attackers to take a database over. This can be an effective way to fix weaknesses before someone else discovers them.

OpenVAS

With OpenVAS, you can run a comprehensive network scan to detect issues (such as XSS vulnerabilities). OpenVAS is free to use, and companies across the globe use it to maintain a secure infrastructure.

Top Web Server Security Tools for Plesk

The number of servers managed by Plesk is growing every year. If you are already using Plesk or just plan to –  it is worth to remember that part of the most popular Plesk extensions are those focused on server’s security. Here are some of the most powerful ones which help combat server threats.

Sentinel Anti-malware

Sentinel Anti-malware is a scanner that combines the open-source principles from Linux Malware Detect and ClamAV. This extension especially serves power users and service providers who want to ensure they have protection from a variety of malware.

Kernelcare

This premium extension (free trial for 30 days) protects Linux servers against critical vulnerabilities. Mainly by automatically installing security updates to running kernels. This avoids rebooting servers and planning scheduled downtime for your customers. And it also ensures kernels are updated within hours of patch releases for uninterrupted security.

BitNinja

The BitNinja extension prevents 99% of malicious attacks. This can consequently reduce your server alerts and customer complaints by just as much. It actually provides protection against nine different aspects of attacks – including malicious port scans and infections. You can even set it up and start automatically protecting your server in as quick as five minutes.

Atomic Secured Linux

The Atomic Secured Linux extension provides the same level of protection that typically comes with an expert security team. It can prevent, detect, and respond to today’s greatest cybersecurity challenges. In particular, it features host and kernel intrusion prevention systems, brute force protection, and automated malware removal.

(D)DoS Deflate Interface

(D)DoS Deflate Interface is a lightweight shell script that helps deflect DDoS attacks automatically. The script runs in the background, blocking incoming connections from multiple IPs from which connections exceed the configured threshold. And above that – It’s simple to install and operate.

Summary

Operating a website of any kind requires a good web server. The site’s core files are hosted on a computer and delivered to the users who land on your site, so ensuring effective web server security is paramount to reduce risks. Otherwise, attackers could target your site, access sensitive data, and disrupt your operations.

We hope this guide to web server security has helped you understand some of the risks out there and the best ways to stay safe.

Protecting Your WordPress Website

 

Protecting Your WordPress Website with Passwords and Permissions

Stolen passwords are the cause for most attempts to hack a WordPress website, but you can make a hacker’s task more difficult if you create unique, complex passwords that no one can guess. Good passwords are a must for the WordPress admin area, database, FTP accounts, email accounts featuring your website’s name, and more.

Unfortunately, some novices prefer not to use complex passwords as they can be tough to remember. That’s understandable, but it can leave WordPress websites more vulnerable to hacking than they need to be. The good news is that nobody has to memorize passwords today: password managers can do that for you. These make storing passwords for various accounts quick and easy.

Furthermore, you can ensure good WordPress security by restricting access to your WordPress admin account as best you can. That means only sharing it with others when it’s critical, and only choosing individuals you know you can trust.

Take care when adding new user accounts to your WordPress website: to minimize risk, everyone with access to your WordPress admin account should understand what they can and can’t do.

The Importance of Updating WordPress Regularly

WordPress is an open-source platform that undergoes frequent maintenance and receives updates regularly. Small updates are installed automatically by WordPress, which is convenient and straightforward for website owners. However, WordPress requires you to initiate bigger updates manually instead, though that’s still fairly simple.

Additionally, you can choose from a huge range of themes and plugins ready to install on your WordPress website. There are thousands of options to explore, with something for everyone. Themes and plugins are the work of third-party developers, and updates are released often.

Installing the latest WordPress updates is essential to maintain your website’s security and general performance. You should ensure that your theme, plugins, and WordPress core are the most up-to-date versions.

WordPress Website Hosting and Security

One of the most important elements of effective WordPress security is the WordPress hosting service you choose. A reputable provider of shared hosting services, such as Siteground or Bluehost, implements careful precautions to defend all of their servers from security threats.

A trustworthy hosting brand works hard behind the scenes to keep your WordPress website as secure as possible. Here’s how:

  • Keeping all server software, hardware, and all other essential components up to date. This helps to prevent hackers from taking advantage of security weaknesses that may be more prevalent in outdated versions.
  • Monitoring their network round the clock to identify signs of possible security threats and other disruptions.
  • Maintaining detailed plans for disaster recovery in the event of a major security breach or accident, which enables them to keep your data safe and secure.
  • Using cutting-edge tools to fend off major distributed denial-of-service (DDoS) attacks that could cause severe disruptions.

How does a shared hosting service work? It’s simple: you and a plethora of fellow customers share the provider’s server resources. However, the biggest issue with this setup is that hackers may attack your site through a neighboring one.

Managed WordPress hosting services, though, offer a more secure environment for websites. Providers give customers automatic updates for their WordPress website, automatic backups, and intricate security setups to keep sites safer.

Simple No-Code Ways to Improve WordPress Security

Taking WordPress website security into your own hands can be a daunting concept for newcomers, even if you consider yourself fairly tech-savvy. However, there are steps you can take to boost the quality of your WordPress website’s security with no need to delve into the complex realm of coding.

Let’s take a look at a few ideas to get you started.

Take Advantage of Backup Plugins to Keep Data Secure

A solid backup process is vital for protecting your WordPress website: in the event of a disruptive attack, backups will help you restore your site. No website is completely safe from being hacked, sadly, so you need to be prepared for potential problems.

Fortunately, you have a wealth of backup plugins to choose from for your WordPress site, with free and paid options available. Whichever backup plugin you pick, though, bear this in mind: full-site backups must be saved to a remote location, such as Dropbox, on a regular basis.

The ideal frequency for backing up your WordPress website depends on how often you update it. That could mean backing the site up every week or every day. Reputable backup plugins include BlogVault and Duplicator: both of these are straightforward and require no experience of coding.

Encryption Is A Must

The Secure Sockets Layer (SSLprotocol encrypts data as it’s transferred from your WordPress website to a user’s web browser. As a result, it’s much more difficult for hackers to access and steal data in transit.

By activating SSL, your WordPress website will switch from HTTP to HTTPS, denoted by the padlock symbol beside your site’s address in a browser. And it’s easy to implement SSL for your WordPress website today, thanks to the Let’s Encrypt non-profit project.

Initially, certificate authorities distributed SSL certificates for a price, charging potentially hundreds of dollars on a yearly basis. That put many website owners off, and they operated a less-secure site instead. But the Let’s Encrypt organization came along and provided website owners with free SSL certificates, with support from Mozilla, Google Chrome, and other major names.

If you’re ready to switch to SSL, you can find various hosting companies offering WordPress website owners free certificates.

Using Security Plugins for WordPress Website Safety

Another crucial security factor to consider is implementing a system to monitor and audit everything that occurs on your WordPress website (e.g. failed attempts to log in and scanning for malware). One of the most popular security plugins for WordPress, Sucuri Scanner, can do this for you with ease.

The Sucuri Security plugin is free and ready to use. Install it, activate it, then make your way to your WordPress admin section and find the Sucuri menu. Set up a free API key to get started, which allows you to use email alerts, audit logs, and more. Click on the Hardening tab (found in the settings menu), then tap the Apply Hardening button.

Why go through this process? Because this plugin will help you secure those areas that hackers tend to utilize when launching attacks. Most hardening options are free, but there is a paid Web Application Firewall available too.

The plugin’s default settings are effective for the majority of websites, and it’s unlikely that you’ll need to make adjustments. Still, take a few moments to set up your email alerts to cover important activities (e.g. plugin tweaks) to prevent your inbox from being crammed.

Whether you opt for Sucuri Security or another reputable security plugin for your WordPress website, explore its features in depth to make sure you know what it offers and how to get the most out of it.

Activate the Web Application Firewall (WAF) to Improve Your WordPress Website Security

Take advantage of a WAF to defend your WordPress website and enjoy greater peace of mind that it will be protected effectively. A WAF will block all traffic viewed as malicious before it can get to your site.

You can choose from two types of website firewall:

  • A DNS level firewall directs traffic via its proxy cloud servers, which enables it to deliver genuine traffic only to your server.
  • An application level firewall that assesses traffic at the point between it getting delivered to your web server and WordPress scripts being loaded. Generally, this type of firewall is less efficient at decreasing server load than the DNS option.

Advanced Ways to Improve Your WordPress Security

In this section, we’ll look at some more advanced techniques for taking your WordPress security higher. You may need some knowledge or experience of coding to implement these.

Turn Off File Editing

If you want to edit your WordPress plugin files or theme, try the built-in code editor. WordPress’s code editor is solid, but it can create security hazards, so we suggest that you disable it immediately.

That’s easy to do: just enter the following command into your wp-configphp file:

define( ‘DISALLOW_FILE_EDIT’, true ) ;

Create a New Username for Your Admin Account

Once upon a time, the admin username for WordPress was “admin” by default. However, that helped hackers launch brute-force attacks on WordPress sites more easily, and WordPress tried a new approach. As a result, you now need to create a personalized username when you install WordPress instead.

WordPress won’t let you switch usernames by default, but you can try one of three methods to do that instead:

  • Install the Username Changer WordPress plugin
  • Update the username from phpMyAdmin
  • Set up a new admin username and get rid of the previous one

Restrict the Number of Attempted Logins Permitted

WordPress gives you an unlimited number of login attempts by default, but that means your website could be hacked using the brute-force method. Attackers will try to guess passwords by entering a plethora of combinations at the login screen.

However, you can limit the number of failed login attempts a user is allowed to make before they’re blocked. Web application firewalls will put this into effect automatically, but if you don’t have one, you can follow these steps instead.

  • Install the Login LockDown plugin and enable it.
  • Go to Settings > Login LockDown to initiate the setup process.
  • Determine the number of login attempts users have, how long the plugin will lock a user out for, and more.

Deactivate PHP File Execution

Another technique for improving your WordPress security is turning off PHP file execution in directories in which it’s unnecessary (e.g. /wp-content/uploads/).

Simply open a text editor and enter the following code to get started:

<Files *. php>

deny from all

</Files>

Save this text file as htaccess. Next, use an FTP client to upload the file to /wp-content/uploads/ folders on your WordPress website. Certain plugins allow you to do this with one click instead.

Set Up 2FA for Added WordPress Security

Two-factor authentication (2FA) is a popular security measure that requires users to verify their identity in two ways before they can log into an account. The first step involves entering their usual details (username and password), and the second requires that they use a different application or device to confirm who they are.

A huge range of websites use 2FA for security purposes, and you can set it up on your WordPress site. Install the Two Factor Authentication plugin to get started, then activate it. You will then be able to click on the Two Factor Auth link in the admin sidebar to set it up.

You also need to install an authenticator app on your smartphone, such as LastPass Authenticator or Google Authenticator. Both of these enable you to backup accounts to cloud storage, which is helpful if you lose or replace your current phone.

When you install your preferred authenticator app, you’ll need to connect it to your site. In the case of LastPass Authenticator, launch the app and tap the Add button. You can either scan a barcode or scan a site manually. For the former option, aim your device’s camera at the QR code on the LastPass Authenticator settings page.

The app will save the site, and you’ll be asked to complete the 2FA process next time you sign into your WordPress website. Open the app and use the code shown to get into your website.

Use Password Protection on the Login Page

Here’s a short and simple WordPress security tip: set up password protection on your wp-admin folder and login page to keep hackers out.

Usually, there is no restriction in place to stop them from requesting this, which makes it easier for them to launch attacks. But you can implement password protection to prevent them from making requests.

Stop Using the Default Prefix for WordPress Database

WordPress utilizes wp_ as the prefix for every table within your WordPress database as standard, which makes hackers’ work easier if they try to guess the name of your table. To make things harder for them, just change the prefix from the default to something more secure.

Changing the WordPress database prefix can be time-consuming, but it’s worth considering. However, only try it if you have some coding skills and experience, or get someone else to handle it for you. You could break your site if you get it wrong.

Deactivate Directory Browsing to Keep Vulnerabilities Out of Hackers’ Hands

Hackers can take advantage of directory browsing to discover files with known weaknesses on your WordPress website. If they find any of these vulnerable files, they can use them to get the access they need.

However, other users can delve into your files with directory browsing, too. They can explore images, check out the architecture of your directory, and more. That’s why it’s best to disable directory browsing and indexing.

To start, use FTP or cPanel’s file manager to connect to your WordPress site. Find the .htaccess file in your root directory, then add this line at the end of that file:

Options - Indexes

You also need to save the .htaccess file and upload it to your site once you’ve done this.

Sign Inactive Users Out Automatically

If a user leaves their device while they’re signed in, that creates an opportunity for someone to take over their session and adjust their logins or settings. It’s a real security risk.

However, lots of websites (including banking sites) automatically log users out after a period of inactivity. You can set this up on your WordPress website as well to improve security.

To do this, you’ll need to install and enable the Inactive Logout plugin. Navigate to the settings page and select Inactive Logout after installation to set it up. Choose how long you want to allow users to stay idle before they’re logged out, and create a logout message.

Switch Off XML-RPC

WordPress 3.5 activated XML-RPC as standard, as it enables websites to connect to apps. However, it can also help hackers use brute-force attacks to penetrate your site.

How? They can leverage the system.multicall option to try hundreds of access passwords with only dozens of requests, instead of making hundreds of individual attempts. Hackers can be harder to detect by security plugins as a result, and it’s best to disable XML-RPC if you’re not currently using it.

Searching for Security Vulnerabilities

WordPress security plugins automatically run routine searches for malware and indications of a breach. But if you notice that your traffic decreases or your rankings falter, it may be time to run a manual scan instead.

A good WordPress security plugin will make this fast and simple. Generally, you need to input the URL of your website and allow the crawlers to search for all known malware or harmful code. While WordPress security scanners are capable of scanning a site, they have no way to get rid of malware.

What can you do? We’ll come back to cleaning up a hacked site later.

Use Security Questions for Identity Verification on Your Login Screen

Using a security question on your WordPress login screen is a simple way to prevent anyone accessing your site without authorization.

Install the WP Security Questions plugin, then activate it. Navigate to the settings page and find the Security Questions page to set up the plugin.

Dealing with a WordPress Website After it’s Hacked

Setting up comprehensive security and backups for a WordPress website is crucial, but sadly, many site owners only realize that after they have been hacked. Cleaning a website after a hacker has breached it can be complicated and take a long time, which is why calling in professionals is often the quickest, easiest option.

One of the main reasons for leaving it to the experts is to prevent further hacks: backdoors may have been installed on a site, which allow hackers to attack it again in future. Working with professionals will reduce the risk of backdoors going undetected and help protect your site from other hackers.

Conclusion

Implementing a strong security configuration for your WordPress website will help keep it safe against common and uncommon cybersecurity threats. Taking advantage of the various security measures offered by security plugins will reduce your risk of being attacked by hackers and malicious software. In turn, that can decrease the likelihood of experiencing disruptive and costly downtime, reputation damage, and other negative effects.