This is a short but powerful guide on how to keep your WordPress website safe, and protected against hackers and other dangers.
Step 1: Have a good backup plan.
Ask yourself this question. If your site is now suddenly deleted, can you restore a backup from 1 day ago, and also from 1 month ago? If not, there is work to be done. You can use a plugin such as a backup buddy, or 1 of the many other backup plugins . It is important to remember that a backup of your site that is local (in your site itself) is -no-backup!
Where: for example on your own computer or in the cloud (think of the privacy aspect)
Code Orange also offers free backups, which are automatically made for you, and can be restored at your request. You should see that as an extra safety net, and – not – as a replacement for your own backups.
Step 2: Remove all unused installations from WordPress and other applications.
You may have done a test installation on a subdomain and have not looked at it anymore. Hackers love that, and use that outdated installation to get into your real website. Easily delete unused subdomains via the Control Panel , and unused folders within your website via FTP .
Where: Control Panel, FTP
Step 3: Remove all plugins and themes that you no longer really need or that are no longer maintained
This is an essential part of keeping WordPress safe. Some plugins started so promising, but the maker may have stopped developing it. Then it is time to look for an alternative, because plugins that are no longer updated are vulnerable to exploits.
How do you see if plugins are no longer maintained? For example, by surfing to https://plugins.wordpress.org and looking at the plugin page
Where: Wp-admin panel, Plugins, Appearance->Themes
A plugin such as Wordfence can you also alert you to that.
In any case, remove plugins and themes that are not active. Many people think that inactive plugins can not be exploited, but that is certainly not the case as the files are still there!
Step 4: Check all users
Does the SEO expert who optimized your site 2 years ago really still need access? Remove all accounts, especially accounts with administrator rights from your WordPress website. Because your previous SEO expert might not mean any harm, but his password could accidentally be leaked. Are there users that you do not know at all, with weird email addresses? Then check whether something has already gone wrong in your website.
Where: Wp-admin panel, under Users-> All Users
Step 5: Update everything!
And that means; WordPress itself, plugins, themes, and any other software you use on your site. Pay particular attention to plugins that come with your theme for free, or “custom made” themes that are no longer maintained. In the WordPress wp-admin / panel you go to Dashboard-> Updates to see what you can immediately post up. But beware, paid themes sometimes need to be updated in a different way, for example by manually re-downloading them or by going to the settings of the theme. Look in the template maker’s FAQ or contact them if you do not know how to do it.
Where: Wp-admin panel, onder Dashboard->Updates, Plugins, Appearance->Themes, Theme Settings
The biggest risk? In the past, popular plugins such as Revolution Slider, which were often supplied free with themes, caused the biggest problems because they were not updated properly.
Step 6: Install a security plugin
If you followed all the steps above, your site should in principle already be 99% secured. But it does not hurt to keep an eye on your website, and plugins like WordFence help with that. Make sure that you go through the options as well , so that you do not receive unnecessary emails (which you will automatically ignore).
Where: Wp-admin panel, under Plugins
It is good to know that earlier this year, a bug in WordPress turned automatic updates off -forever-. That was fixed in WordPress 4.9.4, but if you are running 4.9.3, you have to do a manual update!
Code Orange, we provide you backup service and always keep your website, plug-in, and theme up to date. We also have malware scanning to make sure that your website always secured.
In the recent announcement from WordPress, they state that they are treating Google’s new FLoC tracking technology as a security concern and may block it by default on WordPress sites. Google’s Federated Learning of Cohorts (FLoC) received a lot of criticism concerning privacy. “FLoC is meant to be a new way to make your browser…
Am I FLoCed is one of an effort to uncover the invasive practices of the adtech industry—Google included. It is a new site where you can check if you are being subjected to the latest advertising experiment, FLoC. What is FloC? Federated Learning of Cohorts or FLoC is Google’s new advertising technology intended to replace…
DuckDuckGo describes itself as “the search engine that doesn’t track you.” Although DDG is better known for its privacy-focused search engine, the company has expanded into making its own Privacy Browser app for Android and IOS. The DDG Privacy Browser has the speed you need, the browsing features you expect (like tabs & bookmarks), and…
THERE’S A NEW battleground in the browser wars: user privacy. Just recently, we published an article about Brave browser and how effective its tracker blocking technologies. So here’s another talk of the town privacy-focused search engine that will help you enjoy the internet without having to worry about leaving a digital footprint. What is DuckDuckGo?…
The popular open-source web browser Mozilla Firefox finally released version 85.00. With significant updates including the much-awaited major privacy enhancement called network partitioning. Check out the major improvements and what’s been added and changed for the latest Firefox 85.00. What’s new? The Adobe’s popular software Flash Player is no longer supported by Firefox 85. “There is…
Back in November, Let’s Encrypt an open certificate authority announced an end to its partnership with Identrust and to “Standing on Our Own Two Feet – Let’s Encrypt”. The supposed part ways will cause compatibility issues with Android 7.1.1 or older to not be able to access HTTPS websites. In its new announcement, Let’s Encrypt has…
Apple and Cloudflare team up to develop a new internet protocol called “Oblivious DNS-over-HTTPS,” or “ODoH,” which can prevent Internet Service Providers (ISP) from knowing which websites you visit. When visiting a website the request sent can be logged and tells your ISP which websites you visited, down to the hostnames and subdomains. This information…
[Update] Let’s Encrypt Extends Support for Android 7 or Older Devices for Three Years Let’s Encrypt announced its partnership with IdenTrust will come to an end by September 1, 2021. Except for its own root certificate, Let’s Encrypt has been using a cross-signed certificate from IdenTrust. The decision to part ways is dubbed as the…
“If you make the world better for kids, you make the world better for everyone”. We have faced a lot of hurdles this year, and I know everyone can’t wait to put this year behind us and start anew.
With the internet becoming an integral part of every business today, it has also increasingly become important that DNS servers remain stable, secure, and resilient against DNS attacks. By default, you’re most likely using your Internet Server Provider (ISP) DNS servers. DNS queries through ISP’s are vulnerable to attacks as it does not always use…