How to secure your Wordpress website
Wordpress is the most used CMS and also the most targeted CMS by hackers. You can follow these steps which will considerably increase the security of your wordpress website hosting
Do all the following steps one by one. Do one changes and ensure that, your website is working fine. If website is working fine, proceed with next step or Undo the changes.
1. PHP INI (Update your PHP.ini settings as follows)
file_upload is off
display_errors is off
expose_php is off
allow_url_fopen is off
allow_url_include is off
2. wp-config.php (Update all your WordPress files with the following settings)
define( 'WP_AUTO_UPDATE_CORE', true );
define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_POST_REVISIONS', false );
3. .htaccess (Add the following lines in your .htaccess)
# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress
4. Install "All In One WP Security & Firewall"
click the Left menu option WP Security in WordPress Dashboard
follow the below step to secure your WordPress account.
1) User Account Section:
a. Don't keep username as admin or website name hack can predict your username easily, so keep any random username and also it's differ from display name.
b. Set Strong password such as 327h4!cbNNm#xXib21G
2) User Login
Enable "Login Lockdown" option it's protect brute force login attempts. Here multi option such maximum login attempts, Login Retry time period, time length of the lockdown
3) User Registration
a. Manual Approval
This is more secure than automatic registrations as it prevents bots from creating account.
b. Registration Captcha
This adds to the security of your site simply by adding another layer to prevent bots from registering.
c. Registration Honeypot
This allows you to catch relatively sophisticated bots and prevents them from making accounts.
4) Database Security
a. DB prefix and DB user prefix
5) Blacklist Manager
This option help to blocklist IP address. provide the IP addres and save it.
6) Brute Force
a. Rename Login Page
Change the login page instead of http://website.com/wp-admin to http://website.com/demologin
7) SPAM Prevention
a. Comment SPAM
If anyone comments on your site there will be a Captcha before the comment is submitted and known Spambots will be blocked.
8) Scanner
9) Firewall
More and more businesses are using the website and web hosting solution for their business. And the main reason behind it is that today a lot of people are using the interner solution. And this as made business easy to showcase their talent, service and products to the people across them easily. At HostingRaja today there are a lot of solution available but most of the people like to go with Wordpress hosting and the reason behind it is that First, they can easily create their own website, second they and hosting that website easily. Not only that using WordPress hosting also gives you other amazing features and advantages.
So today if you are using a WordPress hosting service for your website and if your WordPress hosting is not secured then hackers can access to your website. Not only that they may also demand for some ransom. So to overcome this you need to have a solid foundation on your WordPress account so that no hacker can attack and hack your website.
Here are some of the steps that you can follow to prevent your WordPress security issue.
1. You can avoid your WordPress website from malware attacks by using strong passwords for your cPanel and also for your WordPress admin panel. To set a password you can use password manager tool where it will generate a strong password.
2. One of the best ways to keep your website secure is that you need to keep updating your WordPress account along with its plugins and themes. Moreover, if you are using the latest version of WordPress then you can easily update all its sources like- themes, plugins, and core WordPress tool.
3. You also need to protect your WordPress directors from attackers and you can do this by giving proper directory permissions. So to protect all your directories, important files and images you need to write the respected conditions in the .htaccess file.
4. Avoid your WordPress website from malware attacks by using two-factor authentication for your WordPress admin panel while logging in. So by including the security plugins, it will enable the two-factor authentication and you can have a safe guard your website from hackers.
5. One of the important thing that you need to consider in avoiding your WordPress website from malware attacks is by choosing the right and proper and secured hosting provider. Yes using a right and secured hosting provider will ensure that all your WordPress account will be secure from the hacker.
6. Try not to use untrusted or pirated WordPress plugins and themes. If you are looking for any plugins or themes then you will get it in wordpress.org. But before you buy the install that plugins you need to check the ratings and numbers of users using that plugin. Because ratings and users count help to find the plugin trust.
7. You also need to remove the unused plugins and themes from your WordPress tool. And once after switching to new themes then remove the old plugins from your tools. Because sometimes hacker can hack your website through it.
8. One more thing always you need to consider is that while connecting to the server you need to make your FTP connection as secured. And also use trusted antivirus in your local PC and scan all the files before updating into your server.
9. Also, filter your IP and block them in case if there is any hazardous activities occurs. And you can do it by adding Security plugins.
10. Safeguard your administrative details and do not share it with anyone.
11. And last but not least take your website backup regularly so that you can restore it quickly at the time of an accidental crash.
Today if you are looking for the best WordPress hosting provider for your website then you are at right and also at best place. Because here at HostingRaja we provide best in class WordPress solution for our customers at an affordable price. We also provide WordPress hosting solution on our highly secured servers at an affordable price with amazing features. Since we provide highly secure server along with that we also provide 99.9% server uptime with 24/7 customer support.
MySQL is one of the most popular Open Source SQL database management systems which is developed and distributed as well as supported by Oracle Corporation.
MySQL is a data management system:
Database can be defined as the collection of data. Database could be anything which can be from a simple shopping list to a picture gallery, a database can also be a vast collection of data. A database management system is required for adding, accessing as well as processing the data stored in a computer database. We might be knowing that computers are one of the best equipment to store large amounts of data, hence database management plays an important role in computing. Even we can say that dedicated servers are a form of the computer where a large amount of data is stored.
MySQL is relational:
Here in MySQL the data is stored in separate tables rather than storing it in one single storeroom. Hence the database is structured in way to optimize it for speed. Hence this type of structured model gives a flexible environment. The best part is that you can set up the rules governing the relationship between different data fields.
My SQL is Open Source
Open Source can be defined as the way by which the user can modify the software. Hence MySQL can be modified by downloading it through the internet, one can study the source code and change it according to its needs.
MySQL Server is faster, scalable, reliable, and easy to use
MySQL is easy to run on a desktop or laptop along with the applications. If an entire machine is dedicated to MySQL, one can adjust the settings so that you can utilize the memory, I/O capacity, and CPU power. MYSQL Server is offering a rich and useful set of functions which makes it best suited for accessing databases on the internet.
MySQL works in embedded systems
The MySQL Database Software consists of a multi-threaded SQL server, which supports different types of back ends, administrative tools, and a wide range of applications.
Contributed MySQL software is available
MySQL Server has features developed with close cooperation for users. Most of the applications or languages across the web support the MySQL Database Server.
'mysql' => array(
'read' => array(
'host' => env('DB_HOST', 'server_ip'),
'port' => env('DB_PORT', '3306'),
),
'write' => array(
'host' => env('DB_HOST', 'server_ip'),
'port' => env('DB_PORT', '3306'),
),
'driver' => 'mysql',
'database' => env('DB_DATABASE', 'database'),
'username' => env('DB_USERNAME', 'username'),
'password' => env('DB_PASSWORD', 'password'),
'charset' => 'utf8',
'collation' => 'utf8_unicode_ci',
'prefix' => '',
),
There are three ways to connect PHP to MySQL
i) MySQL
ii) MySQLi
iii) PDO
i) MySQL
mysql_connect() function is helpful to open the connection in MySQL. Earlier PHP versions only used this function. Till 5.6 PHP version, this function working fine but PHP 7 version that function was deprecated due to security issues
<?php
$connection = mysql_connect('localhost', 'mysqluser', 'mysqlpassword');
if (!$connection ) {
die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($connection );
?>
Update mysqluser, mysqlpassword which was created by our end using ovipanel.
ii) MySQLi
MySQLi is known as a MySQL improved extension. compared to MySQL, MySQLi has a lot of enhancements like object-oriented interface, support for Multiple Statements & prepared statements, transaction, and so on. This function will be available from PHP5
<?php
$connection = new mysqli("localhost","mysqluser","mysqlpassword","mysqldatabase");
if ($connection -> connect_errno) {
echo "Failed to connect to MySQL: " . $mysqli -> connect_error;
exit();
}
?>
<?php
$connection = mysqli_connect("localhost","mysqluser","mysqlpassword","mysqldatabase");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
exit();
}
?>
Update mysqluser, mysqlpassword, mysqldatabase which was created by our end using ovipanel.
iii) PDO
PHP Data Objects are helpful to connect the MySQL database via PHP. PDO enabled by default.
<?php
$servername = "localhost";
$username = "mysqluser";
$password = "mysqlpassword";
try {
$connection = new PDO("mysql:host=$servername;dbname=mysqldatabase", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo "Connected successfully";
} catch(PDOException $e) {
echo "Connection failed: " . $e->getMessage();
}
?>
Update mysqluser, mysqlpassword, mysqldatabase which was created by our end using ovipanel.
A server is one of the most effective ways of getting the website hosted successfully. Dedicated server hardware is rented to you by the service provider. And the dedicated come with their own processors, RAM, bandwidth, hard drive and much more. With these servers, your website and its software will be included on the hard drives provided. The servers are flexible and permit you to run and install any program required by you. And can also share the features with anyone for which you give access to the system so can use the program at the same time.
Steps to check Mail Log in Web Hosting Manager:
Step-1: Log in to the WHM panel.
Step-2: Click on Mail Log.
Step-3: It will display the complete Mail Log information.
Step-4: You will be offered with the information such as per day traffic summary, message rejects details and much more.
Get more info about checking the Mail Log in WHM - Dedicated or VPS or Cloud Hosting, by contacting Hosting Raja support team members through the phone call, email, ticket system, live chat, ticket system. HostingRaja support team members are available 24/7 to solve all your issues.
As you know that using dedicated gives you a lot of advantages with more resources and helps you to handle your website easily. Not only that today if you are having a website and if you have hosted it on the shared hosting environment and now if you are facing some issues related to resources or you face load time or server down then choosing dedicated is one of the best methods where it gives you more features and advantages in your hosting. Using dedicated will also get more flexibility and security in your hosting.
And today most of the people are using the email services on their dedicated. Because at present email plays an important mode of communication between business and its customers. Not only that with the help of email you can also easily create the brand awareness of your business products and services. So today if you are using dedicated hosting server for your website and if you are looking for information on how to check the mail log on your server then here is the solution.
Here is the solution to check the mail log on your server:
Plesk Users
>>> Log into your Plesk SSH or Root access
>>> Follow this path to locate your email logs
/usr/local/psa/var/log/
>>> To view the email log use the following command
tail -f /usr/local/psa/var/log/maillog
>>> To search for a particular string:
example@demo.com /usr/local/psa/var/log/maillog |more
>>> This is how you get the log sequence showing the complete transmission of one piece of mail:
April 10 14:10:45 dv qmail: 1223985219.945231 new msg 153248276
April 10 14:10:45 dv qmail: 1223985219.945231 info msg 153248276: bytes 860 from <> qp 24106 uid 2522
April 10 14:10:45 dv qmail: 1223985219.945231 starting delivery 2: msg 163786382 to local 2-user@example.com
April 10 14:10:45 dv qmail: 1223077819.937835 status: local 1/10 remote 0/20
April 10 14:10:45 dv qmail-local-handlers[24107]: Handlers Filter before-local for qmail started ...
April 10 14:10:45 dv qmail-local-handlers[24107]: from=
April 10 14:10:45 dv qmail-local-handlers[24107]: to=user@example.com
April 10 14:10:45 dv qmail: 1213077819..159866 delivery 2: success: did_0+0+2/
April 10 14:10:45 dv qmail: 1213077819..160087 status: local 0/10 remote 0/20
April 10 14:10:45 dv qmail: 1213077819..160159 end msg 163786382
cPanel Users
>>> Log into your cPanel SSH or Root access
>>> Follow this path to locate your email logs
/var/log/
>>> To view the email log use the following command
less /var/log/maillog
>>> To search for a particular string:
example@demo.com /var/log/exim_mainlog
>>> This is how you get the log sequence showing the complete transmission of one piece of mail:
2010-11-10 11:40:40 1ZthQy-000586-3x <= example@demo.com H=localhost (pyxv-qnqd.testdomain.com) [127.0.0.1]:42112 P=esmtpa A=dovecot_login:example@demo.com S=597 id=33bac78ae03ebe8bb6ec5e545864caf6@demo.com T="Hiya!" for noreply@gmail.com
2010-11-10 11:40:40 1ZthQy-000586-3x SMTP connection outbound 1446579596 1ZthQy-000586-3x example.com noreply@gmail.com
2010-11-10 11:40:40 1ZthQy-000586-3x => noreply@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [133.14.243.47] X=TLSv1.2:ECDHE-RSA-C="250 2.0.0 OK 1446579596 fk5si44423567pbd.33 - gsmtp" 22010-11-10 11:40:40 1ZthQy-000586-3x Completed
As we have already discuss how to Install CSF on a server, in this tutorial we are going to discuss how to configure CSF on a Linux Dedicated server.
AFter installing CSF on a server, a CSF firewall is fully ready to protect your server from dangerous assaults, but still you require to set extra rules and configure it so will will function properly to support you.
At this point you know why it is mentioned as Config-server Firewall because it still relied upon your requirements to configure to work properly.
Allow & Deny IP in Config-server Firewall:
In the event that you have to permit or deny IP address using CLI, these decisions according to the accompanying are generally utilized:
Rundown out every single connected lead are given in CSF by utilizing this,
$ sudo csf -l
To enable CSF & LFD,
$ sudo csf -e
You will see this message at the end,
Starting lfd: Done
csf and lfd have been enabled
Stop CSF Firewall Service,
$ sudo csf -x
CSF is stopped, no worries utilize this
$ sudo csf -s
Use the following command for restart
$ sudo csf -r
To put your IP address to a lasting enable list in csf.allow:
$ sudo csf -a 000.00.00.00
Remove from allow list
$ sudo csf -ar 000.00.00.00
Put an IP into deny in csf.deny:
$ sudo csf -d 000.00.00.00
Remove from Deny list,
$ sudo csf -dr 000.00.00.00
On the off chance that you need to whitelist an IP, The given value in csf.conf of IGNORE_ALLOW will appear as "0" and on the off chance that you need to transform it to "1" and reboot administration of CSF on your Linux Dedicated server.
$ sudo csf -i
Find your input pattern which an organize on IP-tables e.g: IP, Port and etc.
$ sudo csf -g 000.00.00.00
Remove or flush blocked list
$ sudo csf -f
Update CSF to the most recent version,
$ sudo csf -u
csf is already at the most recent version: v9.28
All right, now we have learned how to enable or disable IP’s although what about ports?
Because of several choices in csf.conf we are simply beginning here.
Yet, don't stress we will direct you through the most straightforward route conceivable to configure CSF firewall.
In csf.conf file list of ports specified in TCP IPv4 as well as IPv6 but at present we will set this for IPv4 because many of us are well-know to handle it.
Additionally, it's critical to know which ports are opened or shut reason it'll influence your task on a server in your Linux Dedicated server hosting account.
# Allow incoming TCP ports
TCP_IN = "10,11,12,15,53,80,110,473,963,741,587,789,123"
# Allow outgoing TCP ports
TCP_OUT = "10,11,12,15,53,80,110,473,963,741,587,789,123"
# Allow incoming UDP ports
UDP_IN = "10,11,12"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this
list
UDP_OUT = "10,11,12,15,53,80"
The ports given above TCP and UDP are enabled a web server on your Linux Dedicated server to impart utilizing default ports.
At the point when a server begins an administration that administration characterizes a port of correspondence and that is a passage to impart to outside world and for approaching movement.
You can verify at present on your system which administrations utilizing which particular ports for correspondence,
$ sudo csf -p
Ports tuning in for outer connections and the executables running behind them:
Port/Proto Open Conn PID/User Command Line Executable
22/tcp 4/6 2 (736/root) /usr/sbin/sshd -D /usr/sbin/sshd
80/tcp 4/6 - (876/root) /usr/sbin/apache2 -k start /usr/sbin/apache2
80/tcp 4/6 - (878/www-data) /usr/sbin/apache2 -k start /usr/sbin/apache2
80/tcp 4/6 - (879/www-data) /usr/sbin/apache2 -k start /usr/sbin/apache2
8009/tcp -/- - (704/tomcat) /usr/lib/jvm/java-8-oracle/jre/bin/j... /usr/lib/jvm/java-8-oracle/jre/bin/java
8080/tcp -/- - (704/tomcat) /usr/lib/jvm/java-8-oracle/jre/bin/j... /usr/lib/jvm/java-8-oracle/jre/bin/java
You can set your custom ports on this arrangement underneath list indicates you default benefit ports which are broadly utilized as a part of association services,
Here are some widely recognized service ports,
21 : FTP
22 : SSH
23 : Telnet
25 : SMTP Mail Transfer
43 : WHOIS service
53 : NameServer (DNS)
80 : HTTP (Default Web Server)
110 : POP protocol (Email Service)
443 : HTTP Secure (SSL for HTTPS )
995 : POP over SSL/TLS
9999 : Urchin
3306 : MysQL Server
2082 : cPANEL Default
2083 : cPANEL - (Secure / SSL)
2086 : cPANEL WHM
2087 : cPANEL WHM - (Secure / SSL)
2095 : cpanel webmail
2096 : cpanel webmail - (Secure / SSL)
Plesk Control Panel : 8443
Direct Admin Control Panel: 2222
Webmin Control Panel : 10000
Here you will be informed on some of the ways to reduce the page loading speed to one third and having the number of HTTP requests. All of this can be done without making any changes in the visual user experience.
Using the Content Delivery Network (CDN)
One of the best ways to speed up the website is by using the Content Delivery Network, this can save upto 60% of the bandwidth and reduces the number of requests which the website makes.
CDN works by hosting the files on a large network of the servers which are around the world. When a user visits website from USA they will be downloading the files from the server which is closest to them. Here the bandwidth is spread across different servers as it reduces the load on a single server and it also protects the website from DDoS attack as well as traffic spikes.
Using the Caching Plugin
If you are using WordPress for your website one of the best ways of cutting down the page loading speed is by installing the caching plugin like an WP total cache or the WP super cache.
Both of these plugins are easy to download as well as free. They do a lot beyond the caching although that is their primary function. Here we will be using the WordPress and look on improving the page speed quickly. It is much easier to install a plugin.
Adding Expires Headers to Leverage Browser Caching
If you not have been using the WordPress, or if you are not installing another plugin for adding the expires headers and browser caching here is what you can implement it manually. The expires headers will be telling the browser whether to request for a specific file from the webserver or to get a version of the page from the browser cache. This will only apply if the user is already having a version of the web page which is stored in the cache, hence it will only speed up the website for the users who have already visited the website.
Using a Good Theme if Using the WordPress
For preventing the page speed issues one should choose a good host, a good CDN as well as a good theme. There has been no change of what it was five years back. Before designers used the flash and other technologies for building the website. Nowadays the web designers are building the WordPress themes with so many stuffs that its no wonder it is taking 10 seconds for website to load.
Cleaning up the Database
One of the worst parts with WordPress is that the database can get very messy and too quickly when saving the drafts, post revisions, deactivating the plugins etc. WP optimize is a great plugin which routinely deletes the things that you dont require which is cluttering up the database. By using the venture harbor database one can reduce the database from 5mb to 3mb, this can help in speeding up the website which helps in speeding up at the time for the browser to collect and then return the files from the database.
Compressing the files with Gzip
Gzip is a method by which one can compress the files for saving the banswidth as well as speeding up the page loading time. Here the Gzip works by compressing the files into a zip file, which is much faster for the users to download. Here the users browser can unzip the file and then show the content. Here the transmission of the content from the server to the browser is efficient and can save a lot of time.
By the following code you can enable Gzip into the .htaccess file:
# compress text, html, javascript, css, xml:
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
# Or, compress certain file types by extension:
Fixing all the broken links
Broken links can not only drain the bandwidth but it also makes the user to leave the website. By fixing the 404 errors which is shown in the google webmaster tools increase the average page visited per user and one can also see a noticeable decrease in the bounce rate.
Reducing the Redirects to the Website
As a 301 redirects are much more suggested over a 404 broken links but these are still not ideal as it can slow down the time it takes for the browser in reaching the correct version of the page.
By Minifying the CSS and JS Files
When you will be thoroughly checking the reasons behind the page loading very slow, there are good chances that it has to do something with the JavaScript files or the CSS not being loaded properly. One of the common pitfalls in WordPress as well as in other CMS is that the new JS or the CSS file being added virtually everytime when you are installing a new plugin. There are many ways of minifying the files. One of the common ways is by squshing all the files into one, hence instead of calling ten javascript files, you can simply place all the javascript file at one place. The other way of minifying involves deletion of white spaces and making the files smaller.
Replacing the PHP with a Static HTML wherever Possible
PHP is one of the best ways by which you can make your website efficient and thus reduce the need of entering the same information multiple times. PHP consumers the server resources and it should be changed with a static HTML where its not saving any time.
Turning off the PingBacks and Trackbacks in WordPress
PingBacks and trackbacks dosent play a role in wordpress however it is enabled by default. Hence it is recommended on turning both of these off as they can clog up the database and thus increasing the number of requests that are made.
Enabling the Keep Alive
Here the HTTP keep alive refers to the message which is sent between the client machine and the web server which asks for the permission of downloading the file. Enabling the keep alive allows the client machine in downloading the multiple files without asking repeatedly for permissions. This helps in saving the bandwidth. For enabling the keep alive you simply need to copy and paste the code which is shown below in the .htaccess file.
<ifModule mod_headers.c>
Header set Connection keep-alive
</ifModule>
Specifying the Image Dimensions
Before the browser can be displayed on the webpage one has to figure out on how to lay out the content around the images. Hence without knowing the size of the image the browser will work it out which cause it to work harder as well as longer.
Specifying the Character set in HTTP
It is very useful in specifying a character set in the HTTP response headers, here the browser will not have to spend an extra time on working out which character set you will be using. One can do this by simply adding the UTF-8 character set tag in the website section.
By Minimizing the Round Trip Times
Round trip times can called as the time taken for the client in sending the requests and the server to respond. This is affected by a range of things but it is mainly impacted by the number of requests which are being sent. For reducing the number of requests one needs to use the CSS sprites for calling less images, then minify and combine the JS and the CSS files. You will not have to call anything you not required.
As the mobile internet usage has taken over the desktop usage, its been never so important to fix the website speed. Nowadays internet users are less tolerant on the website speed and are shifting towards internet based mobile devices is not fast, hence this is what you are going to see.
Page 5 of 9