Blog

January 3, 2017 by Suhas Udayakumar

What You Should Know About Making Daily WordPress Backups

Daily backups offer a balance between minimizing data loss & minimizing load on server/site. Is it, however, the most optimum WordPress backup frequency for your WordPress site? Here’s what you need to know about the different methods; and the pros and cons of each of them.

Daily backups are the most practical backup frequency for a majority of WordPress sites that have scheduled updates every day.

Daily WordPress Backups

Who is it for?

Daily backups are a good option for sites which make numerous changes in a month. These may be blogs that predominantly have content additions everyday, or news/magazine sites which have scheduled daily updates.

Even if daily changes are not made to your site, daily backups may be worth considering. WordPress sites depend on plugins, and themes. As you well know updates to plugins and themes, along with updates to WordPress Core are very important for the sake of your site’s security, and functionality.

Updates are not released at the same time and different plugins and themes have to be updated regularly. While these updates are important, they are part of a complex mix of softwares that together form your WordPress site. If you make an update and the site crashes then it is easy to pinpoint the problem. Often this is not the case. Problems only surface days; maybe weeks after a handful of changes are made. In such cases identifying the issue is a laborious matter.

Performing daily backups ensures that such updates are also saved. You can then restore your site with minimal or no data loss, and figure out any issue affecting your website, later. When you restore your site, fewer of those updates have to be made to harden your site’s security. Otherwise, without those updates, even if you restore your site it may have many vulnerabilities putting you at constant risk.

Advantages of Daily Backups

Good backup solutions optimize between resources consumed and efficiency. Daily backups bring the following advantages:

Reduces data loss
Provides the option of multiple backup versions to test and restore
Requires least tinkering once restored – updates made to plugins and themes can be retained.

Methods for Making Daily Backups

You can make daily backups in a few different ways. While all the methods used to make daily backups will offer the above mentioned advantages, each method also brings its own challenges. Let us explore them one by one.

Manual Backups

Making manual backups of your WordPress site is an additional, laborious job to add to your everyday business task list. Remembering to make backups or taking out the time for it may not always be possible.

Securely storing backups is another issue that you are solely responsible for while making manual backups. HDDs or external HDDs or USB drives have been known to fail. Local storage devices, and the data stored in them can also become infected with malware.

Testing backups before restoring/migrating them can become a challenge when you are making manual backups and storing them locally.

Web Hosting Service

While many web hosting services offer backups and it is a seemingly convenient option, it is important to note that not all hosting services offer daily backups. Most of the time, premium web hosts like Flywheel, and WP Engine that do offer daily backups come at a premium price. Sometimes web hosts offer other backups solutions as add-ons and these come with additional costs.

A premium price tag may not be the only drawback when you choose your hosting service as your WordPress backup service. Backups with web hosts don’t have backup descriptions, which makes identifying and restoring the right version a very tedious process. Also, if your backups are stored by your web hosts then they might not be completely independent of your site. It means that your backups may be exposed to all the risks to which your site is exposed. For example, if your hosting service is hacked or the infrastructure is affected by a natural disaster, then chances are that along with your website, your backups are also lost. This is not an ideal way to store backups.

WordPress Backup Plugin

Some backup plugins are free and allow you to schedule your WordPress backups. While these plugins will help you perform daily backups, storage may be an added issue for you to consider. This is because not all plugins offer independent storage options. You can link your cloud storage account (for example, your Dropbox account) to these plugins. Doing so, however, usually means that the plugins store an API key of these accounts on your WordPress site. API keys are how the backup plugins communicate with your backup destination. However, it exposes backups to similar risks as your site. This may allow for your backups to be compromised when your site is hacked.

Backup plugins have to be installed on your site. If you lose access to your site for some reason then using the plugin to restore your site is not possible.

Tip: If you decide to use a WordPress backup plugin it may become important for you to track your WordPress site’s traffic. Backups can be resource intensive and making a backup when most visitors come to your site might slow the site and spoil the user experience.

WordPress Backup Service

A WordPress backup service offers a more complete backups solution. Backup services perform incremental backups and automatically upload backups to completely independent storage.

Incremental backups mean that only those parts of the site which have changed since the last backup are stored. This means that you do not have to worry about large sites not getting backed up, or about forgetting to perform backups.

Backup storage comes as part of the service and you do not have risk using your personal accounts. Backup services also offer simplified processes for restoring and migrating your site. BlogVault offers you a one-click, test restore option which allows you test your sites on an automatically generated staging environment, before restoring them.

Choosing a WordPress backup frequency and solution for your site depends on a few factors– budget, frequency of changes to the site, time available, and the size of the site. There is a case to be made for daily backups as the most optimum frequency for most sites, barring sites with a high frequency of changes like e-commerce or news sites, (which might need solutions providing real-time backups instead). Knowing the advantages and challenges with making daily backups can help you make an informed decision.

December 28, 2016January 3, 2017 by Suhas Udayakumar

Are There Downsides to Frequent WordPress Backups?

Frequent WordPress backups can minimize data loss and thereby greatly help your business. However, they can be resource-intensive and affect your WordPress site performance, if not done right.

Frequent backups present some obvious advantages which are particularly important for WordPress (WP) sites. Content creation takes some planning, effort and resources. Losing such content may become a major setback for your website. Daily backups minimize data loss in such cases.

Finding secure storage solutions is a real challenge with frequent WordPress backups.

WordPress sites are dependent on many third party plugins and themes. WordPress site owners are always running the risk of installing software that is not compatible with other plugins or themes on the site or installing those which may have some vulnerabilities. The risk of losing data from frequent updates and third-party software vulnerabilities is mitigated to a degree by having up-to-date backups.

Advantages of Frequent Backups

Minimize data loss
Reduce downtime
Retain updates & functionalities on WP sites

What are Frequent Backup Options?

Of course real-time backups is the best solution to achieve the goals stated above. Hourly/Daily backups may be the most frequent options apart from that.

Challenges with Frequent Backups

Higher frequency of performing backups brings its own complications. Backing up sites not only makes demands on your server resources but also brings up the issue of secure storage of the backups made. To add to the list of issues to consider, tracking whether backups have happened correctly and what has been backed up is not always easy.

Backups are Complicated

We have been in the business of premium WordPress backup service for over five years now. A number of things can, and do go wrong with backups. Sometimes when someone opts to backup their site manually, it is as simple as forgetting to perform frequent backups.

Often, WordPress site owners don’t know if backups are happening according to plan. Sometimes not all files are backed up.

In cases where site owners may have backups, restoring sites may not be easy. At other times, site owners who are relying on backups by web hosting services may not be fully aware of backup & storage policies. As a result, there have been times when WordPress site owners find out that there may not be any backups when they need it the most.

Resource Intensive

Increased load on your server resources could lead to an increased site load time or pages crashing. Otherwise, the user experience of visitors to your site may be spoiled because certain elements in the site may not function as intended.

Large Sites Offer Their Own Problems

Backing up larger sites takes more time & more resources. In such cases it is possible that certain sites may not get backed up at all. This is because hosting services; especially on shared hosting, have policies about the time, and the server-resources that a particular task can take. In such cases although you may have employed a backup solution, your site may have not been backed up at all, or may have been backed up incompletely. In both cases, restoring the site is not possible.

Storage Space & Security

Frequent backups lead to multiple copies. Storing these copies securely can be a challenge. Storing backups on your own Dropbox accounts or local storage devices like your PC’s hard drive (HDD) or USB drive is not recommended.

Backups stored locally can become infected with malware as you are constantly browsing and downloading files. Also, HDDS or USB drives have been known to crash. This doesn’t even account for the risks associated with accidents and natural disasters.

Storage may drive up the cost of storing backups as you may have to invest in independent storage solutions.
In all the above cases the real risk is that eventually when you need to restore your site you may not have backups, have incomplete or infected backup files. This is not the optimal scenario for your business. Probably a good way to evaluate a backup solution is to list some scenarios in which you would need to rely on backups, and see if the backup solution in question will give you access to backups and allow you to restore your WordPress site.

The Answer?: Backup Service as a Solution

A WordPress backup service like BlogVault will not only take care of storage space and security but make incremental backups. This intelligent approach ensures that even large sites on shared hosting can be completely backed up. Apart from this backups services may also eliminate cache and log files from backups, thereby reducing problems at the time of restores. All of this is done automatically, thereby eliminating the human errors so that you can go about your business without worry.

With a WordPress backup service restoring your site is always the goal. When the time comes you will have multiple backups versions; securely stored, from which you can choose. You can also automatically restore your site with a single-click. Of, course a backup service comes with a more premium price tag but with the price you’ll have backups with best practices at your disposal.

December 17, 2016 by Ruby Paulson

The Pros and Cons of Automating Updates on WordPress

Updating WordPress is something that every site owner has to do, at least for WordPress’ security updates. Automating updates seems like the easy way out, but how do you know if your WordPress site is compatible with, and needs any other updates?

Atuotmatically updating your site might seem like an easy way out, but there's more to it than meets the eye.

Every new WordPress site owner faces a conundrum when it comes to updating their WordPress site. Even if you only have to click on ‘update’ to update the sites, there are so many updates happening so frequently that simply updating might seem like a gargantuan task. This is why automating the process might seem like an easier route to take.

What Does it Mean to ‘automate’ WordPress Updates?

Ever since version 3.7, WordPress has allowed security and translation updates to happen in the background of every default installation, but this doesn’t include major and add-on updates… Which means a huge chunk of updates are still not performed. This is why choosing to perform automated updates on your WordPress site is a tempting choice. Moreover, it’s an option that can be carried out in a number of ways. It means every update on your site would happen automatically. You wouldn’t be shown notifications, wouldn’t need to click on ‘update’ everywhere, and you can stay at peace.

Making this decision isn’t as easy as it sounds though, simple because of the consequences it might have on your site. This is why we’re going to break it down for you.

The Pros of Automating WordPress Updates

It reduces your workload

Automating updates for both WordPress Core and add-ons on your WordPress site isn’t recommended, since any of these updates could contain changes that might cause your site to crash. But even just automating WordPress’ major core updates would reduce the amount of work for you as a WordPress site owner, since you would only have to worry about the add-ons.

It makes your WordPress site better in every way

WordPress updates allow the addition of new features and security patches for known vulnerabilities, thus making WordPress sites more functional, and secure. Automating your site to update, therefore, would help your site be more functional for your site’s visitors and users, as well as more secure for everyone.

The Cons of Automating WordPress Updates

There are a number of downsides to automating updates on your WordPress site, but the extent to which this might affect your site negatively, depends on what you choose to update, and how you choose to do it.

Your WordPress site could crash

Depending on the functions, and the scale of the changes in the updates made (whether to WordPress Core or to add-ons), your WordPress site could crash.

If you automate WordPress Core updates, there is a possibility of the old add-ons on your site not being compatible with the Core changes. As a result, your site could crash.

Automating add-ons is not recommended. This is because there are thousands of different plugins and themes, and although they’re coded to be compatible with WordPress, they’re not all coded with each other in mind. This means your site could crash with the update of any one plugin or theme.

The aftermath of WordPress crashing takes time to fix

If you choose to configure your WordPress site to automatically update via code, and not a plugin or a service, you’ll have to make changes to your site’s wp-config file. This can be daunting, and can take time for a novice.

Moreover, no matter why your WordPress site crashes, you will have to restore it to a recent backup, and figure out which update caused your site to crash… which again will take time.

Automated updates with Managed WordPress Services have consequences too

Using managed WordPress services (those that update your WordPress site for you as a part of maintenance or hosting services) might seem like an easy option, but it also has a number of consequences.

If you have chosen to enable automatic updates with a managed WordPress service, they will email you with the update schedule. In this case, you will have to check all the elements on your site for compatibility before approving the update.
If an element on your WordPress site is not compatible with an update, you will have to ask your WordPress manager to postpone the update until you fix the issue.
It is added trouble for you as a WordPress site owner, if you can not fix the issue causing incompatibilities by the time managed WordPress services force updates on your site. This would mean that your site would break, and you would have to restore it to a previous backup that is recent enough. If you own an e-commerce WordPress site, this isn’t an option, because of the constant input of data on your site.

Deciding to automate the updates to be made to your WordPress site isn’t an easy decision, especially if you don’t know your WordPress site inside-out. However, it’s something that every WordPress site owner has to do, a least for WordPress’ security updates. Learning whether your WordPress site needs any other updates to be updates is a time-taking experiment, but it’s one that will pay off in the end. The only way to make sure that your site is safe, is to rely on an intelligent, secure backup solution to create backups before you perform any update or make any changes to your WordPress site.

November 28, 2016June 12, 2017 by Ruby Paulson

Introducing BlogVault’s New Dashboard!

Over the past few months, we’ve been working on a number of changes at BlogVault. Not only do we have an improved UI, we’ve also got a bunch of new features that are bound to make managing your WordPress site a lot easier, and secure.

BlogVault has got a new dashboard that is better in every way, from allowing users to access our features for intuitively, to providing more than just backups.

Let’s take a look at a few of the changes, shall we?

Your BlogVault dashboard now has two major areas:

Site Listing
Site Details

Each area has specific functions, and together provide:

Ease of Use

BlogVault’s new site listing feature helps you see all the sites you’ve added to your BlogVault dashboard. From this part of the dashboard, you can filter sites based on their status:

The BlogVault dashboard's Site listing page

‘Active’ sites are those that have the BlogVault plugin installed on them, and use the plugin regularly.

‘No Plugin’ sites are those added to your dashboard but haven’t got the BlogVault plugin installed. (This could also be because of a problem during installation.)

Sites that are ‘Unreachable’ are those that have the plugin installed, but our servers are unable to reach, due to a connectivity error, or probably due to firewall or network settings.

‘Hacked’ sites are those that the BlogVault plugin has detected malicious files on.

We built in this categorization of sites to help you see exactly what’s going on with your sites at a glance. Moreover, the Site Listing page also allows you to find a particular site, based on tags that they might have (more on this later).

Easier Account Control

With our revamp, we’ve also changed your account and billing settings so they’re easier for you to manage.

The 'My Account' drawer opens up all the details related to your dashboard and subscription, easily.

Everything related to your BlogVault account is easily accessible, and easily changeable too from the ‘My Account’ drop-down. You can change anything about your account, from your email address to the BlogVault subscription plan you’re on.

Your profile on the BlogVault dashboard gives you important details at a glance.

Optimized for Teams

This brings us to our other new addition: the option to add team members to your BlogVault account. Our new Account settings allows you to manage a team that can handle every aspect of backup, management and security of the sites linked to the BlogVault account.

BlogVault's new dashboard is optimized so you and your team can manage and secure sites. — BlogVault’s new dashboard is optimized so you and your team can manage and secure sites.

New, Improved Features

BlogVault now comes as a comprehensive package that allows our customers to backup, manage and secure their websites in every way. All you have to do, is to click on any one active site from your Site Listing page.

The BlogVault dashboard gives you a plethora of options to help you manage and secure your site too!

As you can see, we offer you WordPress backups, but also management and security settings that help you manage and secure your WordPress site. While the old UI allowed you to see all the features on the right in a sidebar, we’ve revamped BlogVault to let you to see it all under each option (Backup/Management/Security).

Backup features

Our backup features have always been functional enough to rely on completely, but with our new UI, they’re more accessible, and easier to use.

History

The History tab has been given a full revamp, and allows you to see the last 30 backups made of your site more clearly. You can see exactly what happened with each backup, and add notes more easily as well.

backup_2_history_

Again, as you can see, you can select any backup version you have and choose to migrate, test restore, or automatically restore from it. You can also upload any version to Dropbox, or add a notes to help you differentiate versions.

Download Backup / Upload Backup

Both ‘Download Backup’ and ‘Upload to Dropbox’ options are very different functions, but have a single form, that requires the following:

The backup version you would like to download (or upload from)
Your site’s database credentials
Your hosting server’s credentials (which come under Advanced Options, along with the next option)
A choice of whether you’d like to store either tables and files, only tables, or only files from your WordPress site

There is also a section that requires your HTTP Authentication credentials, which are your WordPress site’s credentials.

Both 'Upload to Dropbox' and 'Download backup' functions use the same form — Both ‘Upload to Dropbox’ and ‘Download backup’ functions use the same form

Migrate

The ‘Migrate’ option allows you to easily move all your site’s content and functionality to a different domain name or a different hosting service. All you require for this option, are the FTP credentials of the new site/domain/hosting service you’d like to move to.

Auto Restore

Perfect for when your site suddenly goes down, the ‘Auto Restore’ backup option has the same form to fill up, except that it requires the FTP credentials of the site you’d like to restore (which is your current site).

As you can see from the previous screenshot, we’ve also got a handy FAQ section on the right for all migration and auto restore- related FTP questions, so you have all the answers at your fingertips.

Test Restore

This option creates a test-environment (a replica), based on the latest backup version of your site, complete with the links, videos, images, and everything else on your site. You can click on these links, and they’ll work like they would on your site. Once BlogVault is done creating this test-version of your site, we mail you the link you can access it on, along with its FTP details, so you can experiment and see if you want to make any changes to your site.

If you’d like to make a Test-Restore of a different backup version of your site, you’ll have to go to the History tab, select the desired backup version, and then restore from it.

You can perform a Test Restore with a single click

Backup Now

BlogVault automatically backups your WordPress site every 24 hours, but if the backup schedule is just too far away (such as when you want to make an instrumental change but want to make a backup just before), this option comes in handy.

The Backup Now option also shows up on the Management and Security functionalities (just look for the following icon):

This allows you to backup your site before making any changes to it.

Management Features

From allowing you to manage your WordPress site’s users to helping you update the plugins and themes on your site, the Management feature allows you to manage your WordPress site to be secure against threats.

Manage Plugins

You can manage all the plugins and themes installed on your WordPress site from this option. This means you can see the version you have of each, as well as whether to update specific add-ons, or all of them.

Manage Users

With the ‘Manage Users’ option, you can remotely delete, or change the role or password of those who have access to the site, without having to log in to your WordPress site’s dashboard.

Managing your WordPress site's users with the BlogVault dashboard — Managing your WordPress site’s users with the BlogVault dashboard

Security Features

We also have a Security feature that allows you to harden your site and clean your site of malware. The Security feature helps you harden your WordPress site, as well as to clean malware and hacked files with a single click. Moreover, since our scanner is built to be accurate and intelligent, it detects the most complex hacks, without raising false alarms, or alerting you of ‘possible hacks’.

Secure Site

The BlogVault dashboard now features hardening settings under the ‘Secure Site’ feature. These are settings recommended by WordPress, that help make your site more secure against hacks. We’ve categorised these settings into two sections: Basic, and Advanced.

Here is a look at some of the basic security fixes:

The advanced security fixes require some caution though– even if they can’t break your site, you won’t be able to install new plugins or themes on your site if you have them enabled.

Advanced and Paranoid Secure Site settings — Advanced Secure Site settings

The convenient thing about these settings though, is that to enable (or disable) these settings, you have to only select the ones you’d like to enforce or remove, enter your WordPress site’s FTP credentials, and select the folder that your WordPress site is installed from.

Hacked Files

This option only appears when you have a hack on your WordPress site. It identifies the hacked file for you and pinpoints it, so you can look specifically at that one file, if you want to. If you’d rather just clean out the hack with a single click, you can do so by clicking on the ‘Auto Clean’ button.

When you click on 'Hacked Files', a list of just the hacked files appears. You can choose to clean them automatically by clicking on the 'Auto Clean' button.

Auto Clean

Another feature that only appears when you have a hack, the Auto Clean function helps you remove malicious code on your site with a single click. Since we’ve built our cleaner to even identify complex hacks, you can choose to remove them immediately, without technical assistance.

Once you click on the Auto Clean function, you are taken to the form asking for your WordPress site’s FTP details.

Clicking on the 'Auto Clean' button takes you to the same FTP form that appeared for 'Migrate' and 'Auto Restore' — Clicking on the ‘Auto Clean’ button takes you to the same FTP form that appeared for ‘Migrate’ and ‘Auto Restore’

Once you enter your WordPress site’s FTP details, your site will be cleaned.

Scan now

One of the most revolutionary additions to our dashboard, the ‘Scan Now’ feature allows you to scan your site for hacks at any given point of time. Our malware scanner looks for hacks based on the actions the code performs, rather than signatures, or keywords. So no more backdoors, or recurring hacks. Before scanning your site, we run a backup so you always have the latest version of your site to fall back on.

Better Navigation

We’ve tried to make the new dashboard as functional as possible. One of the steps we’ve taken in this direction, is the addition of ‘Quick Links’ that help you download backups, migrate backups to a new location, or restore it with a click. This section also has ‘Resources’, which help give you a quick snapshot of everything you need to know about your WordPress site. Perfect for emergencies, the icons for these functions, and the information related to your site, are right under your site’s thumbnail, on the Site Details page.

Features and information on the left for better, easier navigation

Since these features are in-built into BlogVault’s dashboard, we backup your site automatically before making any changes to your WordPress site. This makes it a comprehensive solution to help you manage your site in the most secure way possible. BlogVault has always been focused on giving our customers the best experience, in the most reliable, sensible way, and we hope you’ll find our new makeover to be as practical as we intended it to be.

If you’ve got questions about the new dashboard, or suggestions, do reach out to us here.

November 28, 2016 by Ruby Paulson

Automated Updates on WordPress: Choosing the right way to do it

WordPress site owners are constantly asked to update their sites. But keeping track of updates is incredibly difficult, because of the frequency and number of updates to be made. This is why automating updates might a useful practice.

Making sure your WordPress site is up to date could be an overwhelming process, since there are so many releases.

If there’s one piece of advice in the world of WordPress for site owners, it’s this: update, update, update. Updating WordPress is easy in theory, especially since all site-owners receive notifications about core and plugin updates. When it has to be put into practice, though, updating WordPress is its own beast. Not only might updates break WordPress sites; they might also cause incompatibilities, and be impossible to undo as well. This is why it’s important to always have a reliable backup solution for WordPress sites.

Updating WordPress is an important task though, because of new features that might impact user experience, but also security updates that help against major vulnerabilities. However, with WordPress receiving updates very frequently on the Core as well as the add-on front, it is difficult to keep up with all the changes, and apply them. This is why automating updates on WordPress sites might be a workable solution for you as a WordPress site owner.

Types of WordPress Updates

While updates for WordPress add-ons have both developmental as well as security updates, updates for WordPress core perform different functions. Based on these functions, WordPress Core updates can be categorized into:

Release updates, which contain both Major and Minor releases.
1. Major updates contain developmental changes including the addition of new features, or changes to core technologies on WordPress. Every major release is named after a major jazz musician.
2. Minor updates contain security patches and fixes. As a result, they are highly recommended, and are automated by default on every installation of WordPress. Every WordPress site is recommended to run these updates since they contain important security updates that keep WordPress sites safe.
Developmental updates, which are only for the changes that might be unstable– these updates are what future developments are built on. Also known as ‘bleeding edge’ updates, they are only meant for sites running the developmental version of WordPress.
Translation updates (which are language packs), and come in handy if your WordPress site has multilingual support.

Depending on your comfort-level with code, and the time you’re willing to spend maintaining your site, you could automate your WordPress site’s updates manually, with the help of a plugin, or via managed WordPress services. Every method has its pros and cons, so it’s best to choose one with careful thought.

Automating WordPress Updates the Manual Way

This method will require you to make changes to your WordPress installation’s core files.

How to automate updates to WordPress Core the Manual Way

Updating WordPress Core includes making changes to the wp-config.php file.

WordPress contains a parameter called define( ‘WP_AUTO_UPDATE_CORE’) in the wp-config file. The value you assign this function determines WordPress release update is automated.

To Automate All WordPress Core Updates

Assign the value ‘true’ to the above function, as demonstrated:

define( ‘WP_AUTO_UPDATE_CORE’, true );

This will enable the automation of all release updates, developmental updates, and translation updates on your WordPress site.

To Only Automate WordPress Core Minor Release Updates

As mentioned, WordPress automatically makes Minor release and translation updates to your site. However, if you disabled all automatic updates by assigning the above function the value ‘false, you would have disabled Minor updates too. Just assign the value minor to the same function above, instead of true. This will disable all updates other than Minor updates, which keep your WordPress site secure.

Here’s how you do it:

define( ‘WP_AUTO_UPDATE_CORE’, minor );

How to Automate Updates to WordPress Add-ons the Manual Way

Automatically updating add-ons isn’t recommended by WordPress, since the developers’ updates might work for that plugin/theme, but might be incompatible with other add-ons or elements on your WordPress site. However, if your WordPress site is simple and has very few plugins/themes that are compatible with each other, it might not be as big a problem.

In order to manually configure your installation of WordPress to update plugins & themes, you have to make modifications to a filter called auto_update_$type, found in the wp-admin folder. The value assigned to $type determines which WordPress add-on is updated automatically.

To automatically update all plugins on your WordPress site, the filter must read:

add_filter( ‘auto_update_plugin’, ‘__return_true’ );

To automatically update all themes on your WordPress site, the filter must read:

add_filter( ‘auto_update_theme’, ‘__return_true’ );

Pros of Manual Automation of Updates

The code isn’t complex, so it’s beginner friendly.
Manual automation is free.
WordPress site owners won’t have to install an extra plugin just to keep their site up to date.

Cons of Manual Automation of Updates

The changes have to be made to the WordPress wp-config.php files and the wp-admin folder. This might make some WordPress users uncomfortable, especially since changes to the WordPress core files are not recommended.
Making the changes to code might require some time, especially for WordPress novices.
If your site crashes with any update, you will have to check your site’s status after disabling each update manually.

Automating Your WordPress Site with Plugins

This method comes in handy for WordPress site-owners who do not want to tinker with code themselves, and don’t mind installing an extra plugin on their site. A couple of examples of plugins that help automate updates, are Advanced Automatic Updates, and WP Updates Settings.

How to Use the Advanced Automatic Updates Plugin

Step 1: Install and activate the plugin.

Step 2: Locate the plugin under your WordPress site’s Settings tab, and click on it.

Using the Advanced Automatic Updates plugin

Step 3: Check the kind of updates you would like to automate on your WordPress site.

Updating Themes with the Advanced Automatic Updates plugin

If you would like notifications about these updates to be sent to an email address other than the one of the site owner, you can enter it here:

Notifications with Advanced Automatic Updates

As you can see, you can also disable email notifications about the same, and request for debug information (in case you’re running development updates).

How to Use the WP Updates Plugin

Step 1: Install and activate the plugin.

Step 2: Just like for the Automatic Updates plugin, locate the Updates tab under your Settings tab, and click on it.

The WP Updates plugin shows up under Settings

Step 2: Choose the kind of WordPress Core release updates you would like to automate on your WordPress site.

Core Updates with the WP Updates plugin

Step 3: Choose whether you would like to automatically update add-ons on your WordPress site.

Plugin and theme updates with the WP Updates plugin

Step 4: If you’d like translation and developmental updates, click on the appropriate check-boxes.

Click on these checkboxes if you want other updates also to be automated.

Pros of Automating Your WordPress Updates With a Plugin

These plugins do the work for you: you don’t have to manually tinker with any code; they’ll do it for you.
Most plugins that automate WordPress sites allow you to enable or disable different updates with a single click.

Cons of Automating Your WordPress Updates With a Plugin

This will require you to install an extra plugin just for updating your WordPress site.
Some plugins only update WordPress core, while others will allow you to update add-ons as well.
You, as a WordPress site owner, will still need to weed out problems if your site crashes with updates.

Using Managed Services to Automate Your WordPress Site

There are two types of managed services you could use to automate updates on your WordPress site: managed WordPress hosting, and WordPress support and maintenance services.

Managed WordPress Hosting

These services help manage your WordPress site’s hosting issues, as well as a few issues related to your WordPress site as well. A couple of examples of managed WordPress hosting services/ managed WordPress hosting providers are Flywheel, and WP Engine. These services automate the update of your entire WordPress site, but after the following steps meant to benefit you no matter the state of compatibility of your WordPress site:

The hosting provider checks their systems for compatibility with WP updates (whether this includes both core and add-on updates depends on the web host).
They then mail you beforehand with the dates for your WordPress site’s update.
Every managed hosting service performs a backup of your WordPress site before the update. Only after this do they perform the update.
Once they perform the update, they check for issues.
If your WordPress site is not compatible with the update, the managed hosting provider restores your site with the backup that they made.
The service then mails you about the status of the update (successful/unsuccessful, and reasons if unsuccessful).
If you’ve tested your site and found it incompatible, you can ask certain web hosting services to postpone updates till you fix the issue at hand.

Notes:

Plugin and theme updates are not done automatically by managed WordPress hosting services, simply because different plugins have settings that might conflict with each other and break your site.

If you’d still like to automate the updates of add-ons, you can get in touch with your WordPress host about the same.

Since each managed hosting service has different terms and conditions, and pricing plans, it is recommended that you read their documentation carefully, and then get in touch via email or from their in-website chat support.

Pros of Using a Managed Web Hosting Service With Automatic WordPress Updates

You, as a WordPress site owner, don’t have to fiddle with the WordPress core files.
Your WordPress hosting service tests and runs WordPress updates for you.

Cons of Using a Managed Web Hosting Service With Automatic WordPress Updates

Managed WordPress hosting comes at a price.
These services don’t take care of all the issues that might come up during updating your WordPress site. If your site has certain customizations that makes it incompatible with WordPress updates, these services might mail you asking for you to seek a professional developer’s assistance. This means even if you’re paying a premium price for managed hosting, you might also have to hire a WordPress developer separately.

WordPress Support and Maintenance Services

WordPress support and maintenance services (such as WP Curve, WP Maintainer, and Valet), are perfect for super-busy site owners who can afford to have a full-time service just for maintaining their WordPress sites. In terms of updates and maintenance, these services usually perform the following functions:

Core and add-on updates.
Support/repairs in case of incompatibility.
Audit of the security and maintenance of your site so the chances of it breaking upon update are reduced.
Regular backups to rely on in case of incompatibility with any update.

Similar to managed WordPress hosting services, it is recommended that you go through the list of their offerings, (and their pricing plans) carefully. All you have to do after that, is contact them over email, or from their respective websites.

Pros of Depending on WordPress Support and Maintenance Services

Since you are paying these services specifically to maintain your WordPress site, you can expect them to solve any problems you might have while updating your WordPress site.
You need not hire a developer to this end.

Cons of Depending on WordPress Support and Maintenance Services

These services come at a premium price, and usually require you to pay more in order to fix issues that might come up during updates. Each service has its own pricing plan.
A number of maintenance and support services do not provide free support, so if you run into issues with your site, it might be expensive to get them sorted out.

Automating your WordPress site might seem like an easy fix that will help your WordPress site stay up to date with security patches and new features, but it also comes with many caveats. Not only might updates your site break, but they might also be difficult to undo. This is why it is imperative for every WordPress site owner to maintain a recent, secure backup of their WordPress sites that can be relied on.

November 7, 2016 by Ruby Paulson

Password Management for WordPress Users

Strong passwords can be difficult to remember… sometimes even impossible to remember (and passwords that are easy to remember are often weak). So what’s the way out of this conundrum? Storing passwords, of course! But which storage option is safe?

We’ve seen earlier that strong passwords are actually harder to remember than weak ones. And it’s not surprising… A strong password contains 15 or more characters. Enforcing a strong password for every site you log in to, might require some exceptional memory skills, or just a few handy hacks.

So how do you store strong passwords?

Well if memory-enhancing techniques don’t work, you could write them down, store them in a password-protected text file on your computer, or use a password manager.

How do you store your passwords?

Let’s look at the pros and cons of each of these password-storage techniques.

1. Writing down your passwords on paper

This is the old-school way that some people endorse thoroughly.

Pros

Your passwords can’t be stolen by hackers on the internet.

Cons

The book/paper you write your passwords in could be:

Stolen: Hackers might not be able to steal your credentials, but other people might. If anyone knew that you carried around your banking credentials in a little notebook, why wouldn’t they want to steal it? Sure, your FTP and phpMyAdmin passwords might not look as valuable as your banking credentials, but anyone could use your website to gain anything, even to steal your customers’ or investors’ information and sell it on the net.
Read by someone other than you: Of course to prevent this, you could write them down in a way that only you could understand, but then again, it would be almost impossible for this information to be passed down to anyone else without you explicitly explaining how to read the document. Besides, what would happen if you forgot how to read it?
Misplaced: What if you forgot where you put the important little booklet? You would have lost every single password to your website, and would have to reset them all, in which case, you’d have to have an alternative way to store them.

2. Storing your passwords in a password-protected file

This file could be kept on your computer, or on a portable storage device, such as a USB drive, or an external hard-drive.

Pros

Your passwords are less prone to being read by someone else, or lost.

Cons

You could forget the password protecting the file.
Hackers could use keylogging malware to know exactly what your password is.
Malware could corrupt the file so it’s not readable or retrievable, or so that the file keeps crashing.

3. Using a password manager

Password managers are programs or software that store all your passwords in a single place, in an encrypted form. It’s like having a password-protected file to store your passwords in that you need a very strong ‘master password’ to log into the Password Manager. However, password managers encrypt all your passwords before storing them either on your local computer, or on the cloud. This storage destination depends on the type of password manager you use.

There are three types of password managers. Firstly, there password managers that are offered as a bonus feature with a security product or another software (like extensions to antivirus software, or to browsers. Secondly, there are standalone password managing products which store your encrypted password on your computer (an example of this would be KeePass). Finally there are web-based password managers, which store your encrypted passwords in a location known to them, and hence provide the functionality of auto-filling up your password fields and even forms.

Password managers too have their own pros and cons.

Pros

This is the most obvious one: they allow you to use strong passwords without forgetting/losing them. Some password managers even generate strong, random passwords for you, and store them.
All your details and passwords are encrypted with high-level encryption. This means hackers who might even try to steal your passwords will have to use high levels of decryption before they can use them.
Good password managers do not store or encrypt your information on their servers.
Depending on type of password manager, you can choose to save your encrypted data locally or on cloud-based servers.
They’re compatible with all major browsers, so you can auto-fill online login forms with a click.
Depending on password manager choice, premium features include:
- Access of passwords across different devices.
- An audit of all passwords, and generation of random, secure passwords to keep credentials strong.
- Two Factor Authentication for extra security.

Cons

Password managers that store passwords on their own server, or perform encryption on their server aren’t safe. Unfortunately, even some of the topmost password managers do this. LastPass was hacked twice in July 2016, fortunately by white hat hackers who disclosed the vulnerabilities responsibly.
Storing the password on your computer has its risks. For example, a hacker could performs a keylogging attack to determine what your master password is.
The entire structure of a password manager depends on the user’s Master Password. This means if you forget or lose your master password, you lose access to all your passwords– there is no ‘forgot password’ link. Moreover, if your master password isn’t strong enough, all of your credentials could be hacked.

Just as there is no such thing as a completely safe website, there are no completely safe ways to store your passwords. Whichever method you choose to use, the safety of your passwords depends on how cautious and proficient you are in using the storage method.

November 7, 2016 by Suhas Udayakumar

How Often Should You Backup Your WordPress Sites?

Frequent WordPress backups contribute greatly towards efficient your WordPress restores. The battle is between resource consuming hourly backups and infrequent backups which increase the risk of data loss. Do you know what is the right answer?

The frequency of WordPress backups is a much-discussed topic. At BlogVault we believe that ideally, WordPress sites must be backed up at least once a day. This is a logical idea when you consider that all backups are meant for recovering your site. This means you want to minimize data loss, when you restore your WordPress site.

Daily backups, however, is not a ‘golden frequency’. Different types of sites require backups to be made at different frequencies. Daily backups strike a balance between minimizing data loss and not consuming too many resources of your WordPress site’s servers. Backing up more frequently, however; especially when done inefficiently, may affect your site’s performance. On the other hand, backing up infrequently, like on a weekly/monthly backup schedule may mean that you lose substantial amount of data.

How frequently do you backup your WordPress site?

WordPress Backup Frequency

Why Make Daily Backups?

We mentioned that daily backups ensure that updates to all the posts and pages of your site are saved. WordPress users who manage smaller sites may feel that daily backups are not as important. This may be because the website is not updated with new content. However, we have to remember that WordPress sites are run on plugins and themes which are updated often. Older backups will not contain these updates and restoring them is not very efficient. This can also cause security concerns as plugin and theme updates include security updates too.

Restoring from Older WordPress Backups

If older backups are restored, then you may have to go back and update all the plugins, themes and may be even WordPress core. This may not be feasible in case you own multiple sites or have many plugins and and themes on your site.

Also, backups bring up compatibility issues. In case you restore older backups, then you can only test these issues after the site has been restored and the updates are made. However, the more recent the backup, the easier it is to test for functionality. Of course, with a WordPress backup service like BlogVault you can test your backups with a single click.

What Type of WordPress Site Do You Have?

E-commerce sites & Popular Blogs

While daily backups are a great option, for e-commerce and popular blogs it still may not be enough. For e-commerce sites, it is crucial to track transactions, data on pending orders, and the delivery status of orders with utmost immediacy. For popular blogs, comments and content can be generated very regularly; and this includes news sites. In such cases, real-time backups is the answer.

Real-time Backups for WordPress Sites

Backups in real-time are meant to save every change as soon as the changes are made, (or at least as quickly as possible). The concern with this is of course the effect on WordPress site-performance. However, when done right, real-time WordPress backups can be a comprehensive solution.

Real-time backup solutions for WordPress sites track changes and backup only those changes to the site as quickly as possible. Since only the changes are backed up, even large sites with frequent updates and changes can be completely backed up without affecting site performance. However, there are different methods to achieve this result and results vary depending on how effectively your backup plugin does the job.

Frequency is Key to Having Secure WordPress Backups

If backups do not allow you to make efficient restores then the point has been missed. Making daily or real-time backups are key to having functional backups which are ready for restores. A WordPress backup service, can allow you to not only automate the frequency of your backups; but also ensure that your backups follow other best practices of WordPress backups as well.

October 28, 2016 by Ruby Paulson

How to Choose a Strong Password That’s Easy to Remember

Having a strong password for your WordPress site is one of the basic steps to maintaining good security posture and hygiene. Strong passwords, however, are a pain to create, and to remember… unless you have a few handy tips and tricks.

Strong password

Passwords are by no means the perfect way to authenticate users. This is why methods like Captcha and two-factor authentication exist. However, most of the time, they’re used as secondary authentication methods . This is because passwords are familiar to us as they have been used for a while (remember ‘Open Sesame’?). As a result, we programmed computers to process them easily too. What needs to be noted, however, is that the same things which make passwords easy to process and cross-check by computers, also makes them ‘bot-crackable’.

Brute Force and Dictionary attacks are automated, so bots don’t even need hackers’ intervention to break into your WordPress site. Using a weak and common password is as good as giving your password to the hacker. This is why it’s important to choose strong passwords.

WordPress has; since version 4.3, included an option for users to generate strong, random passwords, but they’re almost impossible to remember. This is the problem with passwords– if they’re easy to remember, they’re also easy to guess; on the other hand if they are overly complex or random it is very hard to remember them.

The real problem occurs when users concoct a supposed random string because we have all been told that we need to use strong passwords. And just as the popular comic strip from xkcd shows, such passwords may make it harder for us to remember them without making it much harder for bots to crack them.

To understand what a strong password looks like, you have to understand how passwords are cracked. Passwords are usually guessed by bots during Brute Force or Dictionary attacks. While Brute Force attack bots try every different combination of characters to try and crack a password, bots performing Dictionary attacks enter a set of commonly used passwords to see if there’s a match.

Guidelines for Setting a Strong Password/Passphrase for Your WordPress Site:

1. Longer passwords are stronger passwords

With every character added to your password, it gets stronger against Brute Force attacks. In general, passwords that exceed 8-10 characters are not typically crackable via Brute Force bots. However, with the advancement in technology, the computational ability of these bots also increases. The safest bet is to have a passphrase, of 15 characters in length or more.

2. Strong passwords don’t have common replacements

Strong passwords do not use common common number-for-letter replacements (1337speak). This is because bots performing Brute Force attacks try every possible combination of characters.

3. Strong passwords contain uncommon words

Even when you use a ‘passphrase’, common words and common passwords are easily crackable by Dictionary attack bots. This means the more commonly used words your password contains, the weaker it is. According to an infographic by Splashdata, the top 25 most commonly used passwords are:

Numbers in order: From ‘12345’ to ‘1234567890’, the numbers in order made up for 7 out of 15 top passwords used.
Letters in order: These are a commonly used password too. ‘qwerty’ has been one of the world’s most common passwords since 2014. ‘abc123’ is another common password too.
Based on common sports and interests: This is the category that ‘football’, ‘baseball’, and Star Wars-related passwords like ‘solo’, ‘princess’ and ‘starwars’ fall under.

4. Strong passwords don’t contain your publicly known details

Ensuring that they do not contain personal, yet well known details about the user. Suppose you blog frequently about your favourite band, it would be unwise to use the band’s name as your WordPress site’s password. If targeting your site, hackers could use social engineering to guess your password.

5. Strong passwords use a combination of uppercase, lowercase, and special characters

Every character of a different type can be guessed only when the set (that the character belongs to), is checked. ‘p’ belongs to a set of lowercase letters consisting of 26 letters, while ‘P’ belongs to a set of uppercase letters consisting of 26 letters. If your password/passphrase contains letters of both cases, bots will have to try both sets. Most bots use a general formula when cracking passwords:

(characters of a certain type in the password) number of characters of that type

(characters of a different type in the password) number of characters of that type

So, for example, even if your password were as simple (and weak) as ‘password85’, the number of attempts a bot has to make to crack password would be (26)8 * (10)2 attempts.

Just using ‘P’ instead of ‘p’ would mean that the bots would need (26*2)8 * (10)2 attempts. However, while this looks like it’s a difficult password to crack, good bots try a few million passwords every second. Having letters and characters mixed up makes the password more unpredictable, and hence makes the bot’s job more difficult. A good password could take years to crack.

Enforcing a strong password is essential to keeping your WordPress site safe, but it doesn’t have to be a difficult task, or something that is impossible to remember. Choosing a passphrase wisely is key to reducing the risk to your WordPress site’s security.

There is no such thing as a completely secure website though, so the wise thing to do, would be to use a WordPress firewall to keep attacks at bay, in conjunction with enforcing a strong passphrase. Investing in an accurate, intelligent malware scanner and cleaner helps remove any malicious code that may have made it to your WordPress site.

October 28, 2016October 28, 2016 by Ruby Paulson

Why and How to Protect Your WordPress Login Page

We rarely need to be convinced to harden our WordPress site security. But, how useful is protecting you login page? And, are you doing it right?

Is your WordPress login page really secure?

WordPress is a popular CMS, and the fastest-growing platform to build websites. This is why hackers target it; they gain more out of every attack.

Your WordPress login page is what keeps you and other users out of your WordPress dashboard. It’s no surprise, therefore, that the login page is one of the most attacked areas of your WordPress site. Hackers program bots to barrage your WordPress login page with possible username and password combinations, so that once there’s a match, they have unlimited, legitimate access. ‘Guessing attacks’, as they’re known could have bots entering every single possible combination of letters, numbers and characters, or enter a set of probable credentials.

This is why enforcing login protection is an important way to harden your WordPress site against hacks.

What is login protection?

There are six ways that security blogs recommend using to protect your WordPress login:

Using a unique username: Having a unique username can make guessing attacks on your WordPress site (such as Brute Force and Dictionary attacks) harder to perform. This is because the bots would have to guess the username too, along with the password.
Using strong passwords: This is paramount to any WordPress site’s security. Choosing a strong password makes it difficult for any hacker trying to log in to your site via Brute Force and Dictionary attacks.
Using two-factor authentication: Two means/factors (such as the entry of user credentials and an alphanumeric code) are used to identify the user of the site. Anyone who wants access to the site needs more than just the user credentials; they will need a second token too that is send to them via SMS, email, a phone call, or an app on their phone.
Using Captcha: It’s an alphanumeric picture-based challenge to users to determine if they’re bots or not. Captchas, on an average, take about 10 seconds to read and type out.
Setting a time-period within which the login page will expire: This means anyone who wants to login beyond that point will have to refresh the page and start all over again
Limiting login attempts: This means every user who needs to sign in to your site would be locked out and prevented from accessing it after entering wrong credentials for a specific number of times.

1. Using a unique username

The default username of WordPress is ‘admin’, and a number of WordPress site owners choose to leave it as such. However, this gives hackerbots one thing less to guess. In fact, since the login page only requires the username and password, it reduces the effort and time bots require, by 50%. Hackers using bots and guessing attacks to attack your site generally do not know your site personally, so having a unique username is better for your site’s security. However, if it’s a subscriber who wants to attack your site, they would already know your username. This is why it’s always important to complement having a unique username with other security measures, such as the others on this list.

2. Enforcing a strong password

Having a strong password is one of the key ways to protect your WordPress site from attacks launched on your WordPress login page. Strong passwords are about (or more than) 15 characters in length, use a variety of characters, and do not use very common number-letter replacements. The only troublesome aspect of enforcing strong passwords, is the fact that they’re difficult to remember. This is why it’s important to find good ways to store them.

3. Using two-factor authentication

Two-factor authentication is widely used by financial websites. The two factors are usually what you know– login credentials (username & password) and what you receive on something you have/own– eg: a token (or a graph, as in the instance of Clef), on your mobile phone. Access is granted only when both factors are input correctly.

Most websites use time-based tokens, or One Time Passwords. So once you input your login credentials, the OTP is sent to your registered mobile number. This also ensures that bots are prevented from successfully logging in, since the token is sent via SMS, email or a phone call, and must be entered within a maximum of 15 minutes. A token can’t be used more than once, (or after the time period) and is hence called a One-Time Password (OTP). A couple of plugins that allow you to set up 2FA with WordPress are Google Authenticator and iThemes Pro.

A drawback of this method is that while setting up, the user can set up secondary means of communication (an alternate phone number, or an alternate email address) that the OTP can be sent to. So if a hacker gains access to one of these means, there is a high chance of the website being compromised.

This is why 2FA apps like Clef (which does not require a password as a secondary means of authentication), are deemed to be more secure than the OTP-based 2FA methods. If you’re trying to log in with Clef, you have to match the graph on the WordPress site’s login page with the one that the Clef app on your phone generates.

The trouble here is only when you lose your phone, or when it’s not with you when you want to log in.

4. Using Captcha

A very effective way to protect your login on WordPress, would be to use a Captcha tool, which generates an image with warped alphanumeric text on it. Users are required to read the garbled text, and type it out in the text box below the image. The image expires after a certain amount of time, and must be refreshed after expiry. This makes it a great tool to protect against Brute Force attacks.

The reason this is also a useful tool to differentiate between bots and human is because humans can easily:

Recognize different shapes and sizes of letters, despite a variation in fonts.
Recognize the space between letters and if they’re separated.
Understand the difference between letters based on context (eg: if a letter is an ‘m’ or a combination of ‘n’ and ‘u’).

While the first two forms of recognition come to humans naturally, they are separate tasks for computers, and it requires a lot of time and effort to train bots to perform all three tasks well, and fast.

The only disadvantage of this type of authentication is that sometimes the image can be difficult to read, and those with special needs have a hard time performing the task.

An easy way to add Captcha to your WordPress site, is with plugins like Captcha by BestWebSoft.

5. Setting an expiry-time for your login page

This is a good security measure to use against two types of attacks: Brute Force attacks, and Distributed Denial of Service attack. This is because the page will expire, and any request that tries to access the login page from that IP address, will be blocked. Requests to the login page will only be taken from the said IP address after the login page is refreshed. A plugin that allows you to do this is Login Security Solution.

You could also set up the expiry time for your login page by using the following code in your WordPress theme:

{

add_filter( ‘auth_cookie_expiration’, ‘keep_me_logged_in_for_30_minutes’ );

function keep_me_logged_in_for_30_minutes( $expirein ) {

return 1800; // 30 minutes in seconds

}

Some security measures, such as NinjaFirewall, WordFence, and iThemes take this step a little further by blocking suspicious login requests from an IP for a period of time that you, as an admin of the site, can set. This means even if the login page is refreshed, any request made from the particular IP to the site in question, will be blocked for the set period of time.

6. Limiting login attempts

Limiting login attempts is a great way to protect your login page from bots or hackers trying a number of username-password combinations to log in to your site. You could use plugins like WP Limit Login Attempts or iThemes security to do this, or use code to modify your .htaccess file, but we recommend using plugins. WordPress firewalls such as NinjaFirewall have this feature inbuilt too. The one downside with this method, is that if you enter the wrong credentials to your site more than the specified trial attempts, you could be locked out too.

Getting access back into your site would require you to follow a series of steps, depending on whether you choose to access the site via FTP and then delete the responsible plugin; or unblock your IP address manually (with code) via phpMyAdmin.

Of course, with security plugins like iThemes and NinjaFirewall, you could use settings to prevent your IP address from getting blocked in the first place.

Misleading recommendations to protect your WordPress login page

While it’s important to protect your login page, it’s also important to be careful about the changes you make to your WordPress site.

A number of recommended practices do not protect your WordPress login page as they are claimed to. One of the main reasons behind this is because they include changes that are complex, might harm your site, and are difficult to undo. Another reason, is that they advocate security through obscurity.

A few of these recommended practices include:

1. Hiding your login page by moving it to a custom URL

This is another useless security measure that involves moving it to a custom URL. Those who recommend this step, do so with the idea that this would prevent those visiting your site from knowing if it was a WordPress site. Another advantage of using a tool to do this, security experts say, is that it would also help protect against Brute Force attacks, since most hacks are automated, and having the login page at a different URL makes it a little harder to find. However, this step doesn’t necessarily protect your WordPress site in any way. If you’re using a tool such as iThemes to change your login URL to a default address that the tool gives you, chances are, every website used by iThemes has a similar URL format for the login page. This means if a hacker (or his bots) know the format, your site will still be hacked if you don’t have a good username and password combination.

Another case in which this measure would be useless, is if a hacker is actually determined to hack your site (which admittedly is a rare occurrence).

Moreover, suddenly changing your login URL without prior information, might prove to be inconvenient to your site’s users, who might need to login to complete certain actions. On the flip-side of the same scenario, even if you send an email notification about the change to your users and the hacker happens to already have a credible user account, you wouldn’t be protecting your site.

2. Modifying your user enumeration and hiding your WordPress username

These practices involve completely different procedures, but both require changes to be made to your WordPress site’s database or your .htaccess file. These changes, are complex and could affect your site negatively… and are never recommended before having a reliable, recent WordPress backup of your site. Moreover, WordPress doesn’t recommend making such changes because it also spoils the user experience for your site’s subscribers and contributors.

Instead of such practices, just having good login credentials, like a unique username, and a strong password, could protect your site better.

Hardening your WordPress site isn’t difficult, but knowing which measures to use and how to use them is paramount to not falling prey to hackers. No matter whether you choose to implement security measures manually or you choose a plugin to secure your WordPress site, it’s always safer to have a reliable backup solution like BlogVault, in case any of the measures cause your site to crash.

October 26, 2016 by Ruby Paulson

Why and How To Change the Default Username on WordPress

Your WordPress login credentials are the first line of defense for your site against hackers. Using the default username ‘admin’, is harmful to your site. Do you know how to change your WordPress username?

Your username is important

How many hackers does it take to break into your site?

Well… Zero.

Most hacks are automated, and performed by hackers’ bots. So just as a search engine’s bots crawl the internet for content, hackers’ bots crawl for vulnerabilities that they can exploit. Unfortunately, one of the most common vulnerabilities (and the most common mistakes WordPress site owners make), can be found on the WordPress login page– in the form of weak credentials.

Why hackers attack the login page

Your WordPress site’s login page is what grants access to your site. If hackers can successfully exploit your login, then they can access your site like a seemingly ‘legitimate’ user; and can use your site to do anything they have in mind.

In the hacker’s eyes, attacking the login page is the easiest hack, especially when they have bots programmed to try commonly used username-password combinations. Attacks like Brute Force or Dictionary attacks have bots entering combinations till they crack the right one, so they’re called ‘guessing attacks’.

Why change your username?

With every character added to your login credentials, the guesses/attempts that bots have to make to gain access to your site is increases. Most people think that this only applies to the password and its strength, but they forget that the username is also part of your login credentials. Anyone trying to log in to your site must get both the username and the password right in order to gain access to your WordPress site. Using the default username (admin), therefore, makes sure that the bots have to only get the password right, in order to gain access to your site. Keeping the default username reduces the time the time taken by the bots to crack your credentials, by 50%.

Choosing anything other than the default username makes your site a little more secure, and as an extension to this, choosing a unique username is the most basic step to protecting your site.

A few factors that must be taken into consideration when choosing a username are:

The username should be unique, but must also be a name by which you would like to be known, since it’s not going to be hidden. This would help, especially in instances where subscribers to your website will be able to see your username, or you have to moderate a discussion on your website. Hackers in general perform noncommittal attacks, meaning that they don’t personally know your site, your username, or your role on the site. As mentioned, in these cases, they usually use guessing attacks to attack your login page. Targeted attacks however, will need the hackers to observe your site for a while, so they might know your username. This isn’t a bad thing though (we’ll tell you why at the end of this article.)
When you change your username, you won’t lose your rights as the Administrator of the site, or lose any of your content on the site.

How to change the username on WordPress

Now that we’ve established how important it is to change your WordPress username from ‘admin’, you should know how to make the change.

There are three ways you could go about changing your username on WordPress:

From your WordPress site’s dashboard
Using a plugin
By making changes to your site from phpMyAdmin

1. From your WordPress site’s dashboard

Changing the username on WordPress by this method is a little weird. You have to create a new user with a new username, and attribute this new user with admin rights, as well as all the content you’d put up on the site. This means that you will not be missing anything from the original account. However, this method has one drawback: you have to use a different email address from the one used for the ‘admin’ username.

How to change your username from your WordPress site’s dashboard:

Step 1: Click on the Users tab on your WordPress site, and check out the email address attached to the ‘admin’, under Your Profile.

Step 2: Click on ‘Add New’ under the ‘Users’ tab.

Add New User from the WordPress dashboard

Step 3: Fill out the details. Make sure to use a different email address, and password from the one used for the username ‘admin’.

Fill up all the details required, and set up their post as 'Admin'.

Step 4: Logout, and then log back in with the new username and password.

Step 5: Go back to the ‘All Users’ tab, and select ‘Delete Users’. Make sure to attribute all your content to the new user you’ve created before hitting ‘Confirm Deletion’.

Deleting users

That’s it! You now have a new username that is more difficult to guess.

2. Using a plugin

This is significantly easier than creating a new user from scratch from the WordPress dashboard. To illustrate this, we’re going to be using the Username Changer plugin.

Step 1: Install and activate the Username Changer plugin.

Step 2: Click on the ‘Users’ tab on your site. You should be able to see ‘Username Changer’ right below the ‘Your Profile’ tab.

Using the Username Changer plugin

Step 3: Once you click on ‘Username Changer’, you can select which user’s details you’d like to change (in this case ‘admin’), and save the changes. You can then log out, and log back in again with the same password that you used for ‘admin’.

Select which user you'd like to change the name of, with the Username Changer plugin.

Congratulations! You now have a new username.

The best part about this method, is that you could use the plugin just for this purpose, and delete it once the username is changed. Doing so will not undo any changes made to the username, or affect your site negatively.

3. From phpMyAdmin

This process is a little more difficult, and requires changes to be made to your WordPress site’s database, which we don’t recommend. But if you’ve forgotten the email address you used to create your WordPress admin account, or your username, this option might come in handy. Before you follow these steps, please make sure that you have a reliable backup solution to depend on, such as BlogVault.

Step 1: Login to your cPanel, and click on phpMyAdmin (we used a site of ours hosted on HostGator for this demo).

phpMyAdmin on HostGator's cPanel

Step 2: Select the admin database of your WordPress site.

Selecting databases

Step 3: Click on the ‘wp_users’ table. If you’ve changed the name of this table, you might have to remember and locate it.

wp_admin database in phpMyAdmin

Step 4: Locate the username you want to edit, and click ‘Edit’.

Editing the admin entry

Step 5: Type in the new username as the ‘Value’ for ‘userID’.

Editing the username value

Note: Once you type the new username, the field will turn red. Don’t get alarmed. This is just phpMyAdmin alerting you of a change.

Step 6: Scroll to the bottom, and click on ‘Go’ for ‘Save’.

Final step of editing username on phpMyAdmin

You now have a new username.

Be careful of the ways you use to ‘protect’ the login page.

While changing the username and using it in conjunction with a strong password is an essential step, there are a number of other practices that are highly recommended. However, not all of them are useful.

One of the inefficient ways to protecting your WordPress login includes the practice of ‘hiding’ the WordPress username. WordPress doesn’t recommend this measure since having a visible username not actually a vulnerability.

It is important to not follow useless, more complex procedures that might harm your site; and to focus on the real measures essential to hardening your site against hackers’ attacks. Your login credentials are the first line of defence to your WordPress site, so it’s essential for you to have strong ones.

While enforcing a strong password is critical to having a safe login page, having a unique username does its part too, in protecting against guessing attacks.

Investing in a security measure like a WordPress firewall, would help you avert hackers’ attacks even more. However, since there is no such thing as a secure website, it is important to also have an accurate, intelligent malware scanner and hack cleaner, like MalCare to deal with malicious code on your site, in case a hacker has already penetrated your WordPress site.

Sign In

Sign Up

Be upto date on Wordpress Security

Daily WordPress Backups

Who is it for?

Advantages of Daily Backups

Methods for Making Daily Backups

Manual Backups

Web Hosting Service

WordPress Backup Plugin

WordPress Backup Service

Advantages of Frequent Backups

What are Frequent Backup Options?

Challenges with Frequent Backups

Backups are Complicated

Resource Intensive

Large Sites Offer Their Own Problems

Storage Space & Security

The Answer?: Backup Service as a Solution

What Does it Mean to ‘automate’ WordPress Updates?

The Pros of Automating WordPress Updates

It reduces your workload

It makes your WordPress site better in every way

The Cons of Automating WordPress Updates

Your WordPress site could crash

The aftermath of WordPress crashing takes time to fix

Automated updates with Managed WordPress Services have consequences too

Ease of Use

Easier Account Control

Optimized for Teams

New, Improved Features

Backup features

History

Download Backup / Upload Backup

Migrate

Auto Restore

Test Restore

Backup Now

Management Features

Manage Plugins

Manage Users

Security Features

Secure Site

Hacked Files

Auto Clean

Scan now

Better Navigation

Types of WordPress Updates

Automating WordPress Updates the Manual Way

How to automate updates to WordPress Core the Manual Way

To Automate All WordPress Core Updates

To Only Automate WordPress Core Minor Release Updates

How to Automate Updates to WordPress Add-ons the Manual Way

Pros of Manual Automation of Updates

Cons of Manual Automation of Updates

Automating Your WordPress Site with Plugins

How to Use the Advanced Automatic Updates Plugin

How to Use the WP Updates Plugin

Pros of Automating Your WordPress Updates With a Plugin

Cons of Automating Your WordPress Updates With a Plugin

Using Managed Services to Automate Your WordPress Site

Managed WordPress Hosting

Pros of Using a Managed Web Hosting Service With Automatic WordPress Updates

Cons of Using a Managed Web Hosting Service With Automatic WordPress Updates

WordPress Support and Maintenance Services

Pros of Depending on WordPress Support and Maintenance Services

Cons of Depending on WordPress Support and Maintenance Services

1. Writing down your passwords on paper

Pros

Cons

2. Storing your passwords in a password-protected file

Pros

Cons

3. Using a password manager

Pros

Cons

WordPress Backup Frequency

Why Make Daily Backups?

Restoring from Older WordPress Backups