Introducing BlogVault’s New Dashboard!

Ruby 10 months ago

Over the past few months, we’ve been working on a number of changes at BlogVault. Not only do we have an improved UI, we’ve also got a bunch of new features that are bound to make managing your WordPress site a lot easier, and secure.

BlogVault has got a new dashboard that is better in every way, from allowing users to access our features for intuitively, to providing more than just backups.

Let’s take a look at a few of the changes, shall we?

Your BlogVault dashboard now has two major areas:

Site Listing
Site Details

Each area has specific functions, and together provide:

Ease of Use

BlogVault’s new site listing feature helps you see all the sites you’ve added to your BlogVault dashboard. From this part of the dashboard, you can filter sites based on their status:

‘Active’ sites are those that have the BlogVault plugin installed on them, and use the plugin regularly.

‘No Plugin’ sites are those added to your dashboard but haven’t got the BlogVault plugin installed. (This could also be because of a problem during installation.)

Sites that are ‘Unreachable’ are those that have the plugin installed, but our servers are unable to reach, due to a connectivity error, or probably due to firewall or network settings.

‘Hacked’ sites are those that the BlogVault plugin has detected malicious files on.

We built in this categorization of sites to help you see exactly what’s going on with your sites at a glance. Moreover, the Site Listing page also allows you to find a particular site, based on tags that they might have (more on this later).

Easier Account Control

With our revamp, we’ve also changed your account and billing settings so they’re easier for you to manage.

Everything related to your BlogVault account is easily accessible, and easily changeable too from the ‘My Account’ drop-down. You can change anything about your account, from your email address to the BlogVault subscription plan you’re on.

Your profile on the BlogVault dashboard gives you important details at a glance.

Optimized for Teams

This brings us to our other new addition: the option to add team members to your BlogVault account. Our new Account settings allows you to manage a team that can handle every aspect of backup, management and security of the sites linked to the BlogVault account.

BlogVault's new dashboard is optimized so you and your team can manage and secure sites. — BlogVault’s new dashboard is optimized so you and your team can manage and secure sites.

New, Improved Features

BlogVault now comes as a comprehensive package that allows our customers to backup, manage and secure their websites in every way. All you have to do, is to click on any one active site from your Site Listing page.

As you can see, we offer you WordPress backups, but also management and security settings that help you manage and secure your WordPress site. While the old UI allowed you to see all the features on the right in a sidebar, we’ve revamped BlogVault to let you to see it all under each option (Backup/Management/Security).

Backup features

Our backup features have always been functional enough to rely on completely, but with our new UI, they’re more accessible, and easier to use.

History

The History tab has been given a full revamp, and allows you to see the last 30 backups made of your site more clearly. You can see exactly what happened with each backup, and add notes more easily as well.

Again, as you can see, you can select any backup version you have and choose to migrate, test restore, or automatically restore from it. You can also upload any version to Dropbox, or add a notes to help you differentiate versions.

Download Backup / Upload Backup

Both ‘Download Backup’ and ‘Upload to Dropbox’ options are very different functions, but have a single form, that requires the following:

The backup version you would like to download (or upload from)
Your site’s database credentials
Your hosting server’s credentials (which come under Advanced Options, along with the next option)
A choice of whether you’d like to store either tables and files, only tables, or only files from your WordPress site

There is also a section that requires your HTTP Authentication credentials, which are your WordPress site’s credentials.

Both 'Upload to Dropbox' and 'Download backup' functions use the same form — Both ‘Upload to Dropbox’ and ‘Download backup’ functions use the same form

Migrate

The ‘Migrate’ option allows you to easily move all your site’s content and functionality to a different domain name or a different hosting service. All you require for this option, are the FTP credentials of the new site/domain/hosting service you’d like to move to.

Auto Restore

Perfect for when your site suddenly goes down, the ‘Auto Restore’ backup option has the same form to fill up, except that it requires the FTP credentials of the site you’d like to restore (which is your current site).

As you can see from the previous screenshot, we’ve also got a handy FAQ section on the right for all migration and auto restore- related FTP questions, so you have all the answers at your fingertips.

Test Restore

This option creates a test-environment (a replica), based on the latest backup version of your site, complete with the links, videos, images, and everything else on your site. You can click on these links, and they’ll work like they would on your site. Once BlogVault is done creating this test-version of your site, we mail you the link you can access it on, along with its FTP details, so you can experiment and see if you want to make any changes to your site.

If you’d like to make a Test-Restore of a different backup version of your site, you’ll have to go to the History tab, select the desired backup version, and then restore from it.

You can perform a Test Restore with a single click

Backup Now

BlogVault automatically backups your WordPress site every 24 hours, but if the backup schedule is just too far away (such as when you want to make an instrumental change but want to make a backup just before), this option comes in handy.

The Backup Now option also shows up on the Management and Security functionalities (just look for the following icon):

This allows you to backup your site before making any changes to it.

Management Features

From allowing you to manage your WordPress site’s users to helping you update the plugins and themes on your site, the Management feature allows you to manage your WordPress site to be secure against threats.

Manage Plugins

You can manage all the plugins and themes installed on your WordPress site from this option. This means you can see the version you have of each, as well as whether to update specific add-ons, or all of them.

Manage Users

With the ‘Manage Users’ option, you can remotely delete, or change the role or password of those who have access to the site, without having to log in to your WordPress site’s dashboard.

Managing your WordPress site's users with the BlogVault dashboard — Managing your WordPress site’s users with the BlogVault dashboard

Security Features

We also have a Security feature that allows you to harden your site and clean your site of malware. The Security feature helps you harden your WordPress site, as well as to clean malware and hacked files with a single click. Moreover, since our scanner is built to be accurate and intelligent, it detects the most complex hacks, without raising false alarms, or alerting you of ‘possible hacks’.

Secure Site

The BlogVault dashboard now features hardening settings under the ‘Secure Site’ feature. These are settings recommended by WordPress, that help make your site more secure against hacks. We’ve categorised these settings into two sections: Basic, and Advanced.

Here is a look at some of the basic security fixes:

The advanced security fixes require some caution though– even if they can’t break your site, you won’t be able to install new plugins or themes on your site if you have them enabled.

Advanced and Paranoid Secure Site settings — Advanced Secure Site settings

The convenient thing about these settings though, is that to enable (or disable) these settings, you have to only select the ones you’d like to enforce or remove, enter your WordPress site’s FTP credentials, and select the folder that your WordPress site is installed from.

Hacked Files

This option only appears when you have a hack on your WordPress site. It identifies the hacked file for you and pinpoints it, so you can look specifically at that one file, if you want to. If you’d rather just clean out the hack with a single click, you can do so by clicking on the ‘Auto Clean’ button.

Auto Clean

Another feature that only appears when you have a hack, the Auto Clean function helps you remove malicious code on your site with a single click. Since we’ve built our cleaner to even identify complex hacks, you can choose to remove them immediately, without technical assistance.

Once you click on the Auto Clean function, you are taken to the form asking for your WordPress site’s FTP details.

Clicking on the 'Auto Clean' button takes you to the same FTP form that appeared for 'Migrate' and 'Auto Restore' — Clicking on the ‘Auto Clean’ button takes you to the same FTP form that appeared for ‘Migrate’ and ‘Auto Restore’

Once you enter your WordPress site’s FTP details, your site will be cleaned.

Scan now

One of the most revolutionary additions to our dashboard, the ‘Scan Now’ feature allows you to scan your site for hacks at any given point of time. Our malware scanner looks for hacks based on the actions the code performs, rather than signatures, or keywords. So no more backdoors, or recurring hacks. Before scanning your site, we run a backup so you always have the latest version of your site to fall back on.

Better Navigation

We’ve tried to make the new dashboard as functional as possible. One of the steps we’ve taken in this direction, is the addition of ‘Quick Links’ that help you download backups, migrate backups to a new location, or restore it with a click. This section also has ‘Resources’, which help give you a quick snapshot of everything you need to know about your WordPress site. Perfect for emergencies, the icons for these functions, and the information related to your site, are right under your site’s thumbnail, on the Site Details page.

Features and information on the left for better, easier navigation

Since these features are in-built into BlogVault’s dashboard, we backup your site automatically before making any changes to your WordPress site. This makes it a comprehensive solution to help you manage your site in the most secure way possible. BlogVault has always been focused on giving our customers the best experience, in the most reliable, sensible way, and we hope you’ll find our new makeover to be as practical as we intended it to be.

If you’ve got questions about the new dashboard, or suggestions, do reach out to us here.

Password Management for WordPress Users

Ruby 11 months ago

Strong passwords can be difficult to remember… sometimes even impossible to remember (and passwords that are easy to remember are often weak). So what’s the way out of this conundrum? Storing passwords, of course! But which storage option is safe?

We’ve seen earlier that strong passwords are actually harder to remember than weak ones. And it’s not surprising… A strong password contains 15 or more characters. Enforcing a strong password for every site you log in to, might require some exceptional memory skills, or just a few handy hacks.

So how do you store strong passwords?

Well if memory-enhancing techniques don’t work, you could write them down, store them in a password-protected text file on your computer, or use a password manager.

Let’s look at the pros and cons of each of these password-storage techniques.

1. Writing down your passwords on paper

This is the old-school way that some people endorse thoroughly.

Pros

Your passwords can’t be stolen by hackers on the internet.

Cons

The book/paper you write your passwords in could be:

Stolen: Hackers might not be able to steal your credentials, but other people might. If anyone knew that you carried around your banking credentials in a little notebook, why wouldn’t they want to steal it? Sure, your FTP and phpMyAdmin passwords might not look as valuable as your banking credentials, but anyone could use your website to gain anything, even to steal your customers’ or investors’ information and sell it on the net.
Read by someone other than you: Of course to prevent this, you could write them down in a way that only you could understand, but then again, it would be almost impossible for this information to be passed down to anyone else without you explicitly explaining how to read the document. Besides, what would happen if you forgot how to read it?
Misplaced: What if you forgot where you put the important little booklet? You would have lost every single password to your website, and would have to reset them all, in which case, you’d have to have an alternative way to store them.

2. Storing your passwords in a password-protected file

This file could be kept on your computer, or on a portable storage device, such as a USB drive, or an external hard-drive.

Pros

Your passwords are less prone to being read by someone else, or lost.

Cons

You could forget the password protecting the file.
Hackers could use keylogging malware to know exactly what your password is.
Malware could corrupt the file so it’s not readable or retrievable, or so that the file keeps crashing.

3. Using a password manager

Password managers are programs or software that store all your passwords in a single place, in an encrypted form. It’s like having a password-protected file to store your passwords in that you need a very strong ‘master password’ to log into the Password Manager. However, password managers encrypt all your passwords before storing them either on your local computer, or on the cloud. This storage destination depends on the type of password manager you use.

There are three types of password managers. Firstly, there password managers that are offered as a bonus feature with a security product or another software (like extensions to antivirus software, or to browsers. Secondly, there are standalone password managing products which store your encrypted password on your computer (an example of this would be KeePass). Finally there are web-based password managers, which store your encrypted passwords in a location known to them, and hence provide the functionality of auto-filling up your password fields and even forms.

Password managers too have their own pros and cons.

Pros

This is the most obvious one: they allow you to use strong passwords without forgetting/losing them. Some password managers even generate strong, random passwords for you, and store them.
All your details and passwords are encrypted with high-level encryption. This means hackers who might even try to steal your passwords will have to use high levels of decryption before they can use them.
Good password managers do not store or encrypt your information on their servers.
Depending on type of password manager, you can choose to save your encrypted data locally or on cloud-based servers.
They’re compatible with all major browsers, so you can auto-fill online login forms with a click.
Depending on password manager choice, premium features include:
- Access of passwords across different devices.
- An audit of all passwords, and generation of random, secure passwords to keep credentials strong.
- Two Factor Authentication for extra security.

Cons

Password managers that store passwords on their own server, or perform encryption on their server aren’t safe. Unfortunately, even some of the topmost password managers do this. LastPass was hacked twice in July 2016, fortunately by white hat hackers who disclosed the vulnerabilities responsibly.
Storing the password on your computer has its risks. For example, a hacker could performs a keylogging attack to determine what your master password is.
The entire structure of a password manager depends on the user’s Master Password. This means if you forget or lose your master password, you lose access to all your passwords– there is no ‘forgot password’ link. Moreover, if your master password isn’t strong enough, all of your credentials could be hacked.

Just as there is no such thing as a completely safe website, there are no completely safe ways to store your passwords. Whichever method you choose to use, the safety of your passwords depends on how cautious and proficient you are in using the storage method.

How to Choose a Strong Password That’s Easy to Remember

Ruby 11 months ago

Having a strong password for your WordPress site is one of the basic steps to maintaining good security posture and hygiene. Strong passwords, however, are a pain to create, and to remember… unless you have a few handy tips and tricks.

Passwords are by no means the perfect way to authenticate users. This is why methods like Captcha and two-factor authentication exist. However, most of the time, they’re used as secondary authentication methods . This is because passwords are familiar to us as they have been used for a while (remember ‘Open Sesame’?). As a result, we programmed computers to process them easily too. What needs to be noted, however, is that the same things which make passwords easy to process and cross-check by computers, also makes them ‘bot-crackable’.

Brute Force and Dictionary attacks are automated, so bots don’t even need hackers’ intervention to break into your WordPress site. Using a weak and common password is as good as giving your password to the hacker. This is why it’s important to choose strong passwords.

WordPress has; since version 4.3, included an option for users to generate strong, random passwords, but they’re almost impossible to remember. This is the problem with passwords– if they’re easy to remember, they’re also easy to guess; on the other hand if they are overly complex or random it is very hard to remember them.

The real problem occurs when users concoct a supposed random string because we have all been told that we need to use strong passwords. And just as the popular comic strip from xkcd shows, such passwords may make it harder for us to remember them without making it much harder for bots to crack them.

To understand what a strong password looks like, you have to understand how passwords are cracked. Passwords are usually guessed by bots during Brute Force or Dictionary attacks. While Brute Force attack bots try every different combination of characters to try and crack a password, bots performing Dictionary attacks enter a set of commonly used passwords to see if there’s a match.

Guidelines for Setting a Strong Password/Passphrase for Your WordPress Site:

1. Longer passwords are stronger passwords

With every character added to your password, it gets stronger against Brute Force attacks. In general, passwords that exceed 8-10 characters are not typically crackable via Brute Force bots. However, with the advancement in technology, the computational ability of these bots also increases. The safest bet is to have a passphrase, of 15 characters in length or more.

2. Strong passwords don’t have common replacements

Strong passwords do not use common common number-for-letter replacements (1337speak). This is because bots performing Brute Force attacks try every possible combination of characters.

3. Strong passwords contain uncommon words

Even when you use a ‘passphrase’, common words and common passwords are easily crackable by Dictionary attack bots. This means the more commonly used words your password contains, the weaker it is. According to an infographic by Splashdata, the top 25 most commonly used passwords are:

Numbers in order: From ‘12345’ to ‘1234567890’, the numbers in order made up for 7 out of 15 top passwords used.
Letters in order: These are a commonly used password too. ‘qwerty’ has been one of the world’s most common passwords since 2014. ‘abc123’ is another common password too.
Based on common sports and interests: This is the category that ‘football’, ‘baseball’, and Star Wars-related passwords like ‘solo’, ‘princess’ and ‘starwars’ fall under.

4. Strong passwords don’t contain your publicly known details

Ensuring that they do not contain personal, yet well known details about the user. Suppose you blog frequently about your favourite band, it would be unwise to use the band’s name as your WordPress site’s password. If targeting your site, hackers could use social engineering to guess your password.

5. Strong passwords use a combination of uppercase, lowercase, and special characters

Every character of a different type can be guessed only when the set (that the character belongs to), is checked. ‘p’ belongs to a set of lowercase letters consisting of 26 letters, while ‘P’ belongs to a set of uppercase letters consisting of 26 letters. If your password/passphrase contains letters of both cases, bots will have to try both sets. Most bots use a general formula when cracking passwords:

(characters of a certain type in the password) number of characters of that type

(characters of a different type in the password) number of characters of that type

So, for example, even if your password were as simple (and weak) as ‘password85’, the number of attempts a bot has to make to crack password would be (26)8 * (10)2 attempts.

Just using ‘P’ instead of ‘p’ would mean that the bots would need (26*2)8 * (10)2 attempts. However, while this looks like it’s a difficult password to crack, good bots try a few million passwords every second. Having letters and characters mixed up makes the password more unpredictable, and hence makes the bot’s job more difficult. A good password could take years to crack.

Enforcing a strong password is essential to keeping your WordPress site safe, but it doesn’t have to be a difficult task, or something that is impossible to remember. Choosing a passphrase wisely is key to reducing the risk to your WordPress site’s security.

There is no such thing as a completely secure website though, so the wise thing to do, would be to use a WordPress firewall to keep attacks at bay, in conjunction with enforcing a strong passphrase. Investing in an accurate, intelligent malware scanner and cleaner helps remove any malicious code that may have made it to your WordPress site.

Why and How to Protect Your WordPress Login Page

Ruby 11 months ago

We rarely need to be convinced to harden our WordPress site security. But, how useful is protecting you login page? And, are you doing it right?

WordPress is a popular CMS, and the fastest-growing platform to build websites. This is why hackers target it; they gain more out of every attack.

Your WordPress login page is what keeps you and other users out of your WordPress dashboard. It’s no surprise, therefore, that the login page is one of the most attacked areas of your WordPress site. Hackers program bots to barrage your WordPress login page with possible username and password combinations, so that once there’s a match, they have unlimited, legitimate access. ‘Guessing attacks’, as they’re known could have bots entering every single possible combination of letters, numbers and characters, or enter a set of probable credentials.

This is why enforcing login protection is an important way to harden your WordPress site against hacks.

What is login protection?

There are six ways that security blogs recommend using to protect your WordPress login:

Using a unique username: Having a unique username can make guessing attacks on your WordPress site (such as Brute Force and Dictionary attacks) harder to perform. This is because the bots would have to guess the username too, along with the password.
Using strong passwords: This is paramount to any WordPress site’s security. Choosing a strong password makes it difficult for any hacker trying to log in to your site via Brute Force and Dictionary attacks.
Using two-factor authentication: Two means/factors (such as the entry of user credentials and an alphanumeric code) are used to identify the user of the site. Anyone who wants access to the site needs more than just the user credentials; they will need a second token too that is send to them via SMS, email, a phone call, or an app on their phone.
Using Captcha: It’s an alphanumeric picture-based challenge to users to determine if they’re bots or not. Captchas, on an average, take about 10 seconds to read and type out.
Setting a time-period within which the login page will expire: This means anyone who wants to login beyond that point will have to refresh the page and start all over again
Limiting login attempts: This means every user who needs to sign in to your site would be locked out and prevented from accessing it after entering wrong credentials for a specific number of times.

1. Using a unique username

The default username of WordPress is ‘admin’, and a number of WordPress site owners choose to leave it as such. However, this gives hackerbots one thing less to guess. In fact, since the login page only requires the username and password, it reduces the effort and time bots require, by 50%. Hackers using bots and guessing attacks to attack your site generally do not know your site personally, so having a unique username is better for your site’s security. However, if it’s a subscriber who wants to attack your site, they would already know your username. This is why it’s always important to complement having a unique username with other security measures, such as the others on this list.

2. Enforcing a strong password

Having a strong password is one of the key ways to protect your WordPress site from attacks launched on your WordPress login page. Strong passwords are about (or more than) 15 characters in length, use a variety of characters, and do not use very common number-letter replacements. The only troublesome aspect of enforcing strong passwords, is the fact that they’re difficult to remember. This is why it’s important to find good ways to store them.

3. Using two-factor authentication

Two-factor authentication is widely used by financial websites. The two factors are usually what you know– login credentials (username & password) and what you receive on something you have/own– eg: a token (or a graph, as in the instance of Clef), on your mobile phone. Access is granted only when both factors are input correctly.

Most websites use time-based tokens, or One Time Passwords. So once you input your login credentials, the OTP is sent to your registered mobile number. This also ensures that bots are prevented from successfully logging in, since the token is sent via SMS, email or a phone call, and must be entered within a maximum of 15 minutes. A token can’t be used more than once, (or after the time period) and is hence called a One-Time Password (OTP). A couple of plugins that allow you to set up 2FA with WordPress are Google Authenticator and iThemes Pro.

A drawback of this method is that while setting up, the user can set up secondary means of communication (an alternate phone number, or an alternate email address) that the OTP can be sent to. So if a hacker gains access to one of these means, there is a high chance of the website being compromised.

This is why 2FA apps like Clef (which does not require a password as a secondary means of authentication), are deemed to be more secure than the OTP-based 2FA methods. If you’re trying to log in with Clef, you have to match the graph on the WordPress site’s login page with the one that the Clef app on your phone generates.

The trouble here is only when you lose your phone, or when it’s not with you when you want to log in.

4. Using Captcha

A very effective way to protect your login on WordPress, would be to use a Captcha tool, which generates an image with warped alphanumeric text on it. Users are required to read the garbled text, and type it out in the text box below the image. The image expires after a certain amount of time, and must be refreshed after expiry. This makes it a great tool to protect against Brute Force attacks.

The reason this is also a useful tool to differentiate between bots and human is because humans can easily:

Recognize different shapes and sizes of letters, despite a variation in fonts.
Recognize the space between letters and if they’re separated.
Understand the difference between letters based on context (eg: if a letter is an ‘m’ or a combination of ‘n’ and ‘u’).

While the first two forms of recognition come to humans naturally, they are separate tasks for computers, and it requires a lot of time and effort to train bots to perform all three tasks well, and fast.

The only disadvantage of this type of authentication is that sometimes the image can be difficult to read, and those with special needs have a hard time performing the task.

An easy way to add Captcha to your WordPress site, is with plugins like Captcha by BestWebSoft.

5. Setting an expiry-time for your login page

This is a good security measure to use against two types of attacks: Brute Force attacks, and Distributed Denial of Service attack. This is because the page will expire, and any request that tries to access the login page from that IP address, will be blocked. Requests to the login page will only be taken from the said IP address after the login page is refreshed. A plugin that allows you to do this is Login Security Solution.

You could also set up the expiry time for your login page by using the following code in your WordPress theme:

{

add_filter( ‘auth_cookie_expiration’, ‘keep_me_logged_in_for_30_minutes’ );

function keep_me_logged_in_for_30_minutes( $expirein ) {

return 1800; // 30 minutes in seconds

}

Some security measures, such as NinjaFirewall, WordFence, and iThemes take this step a little further by blocking suspicious login requests from an IP for a period of time that you, as an admin of the site, can set. This means even if the login page is refreshed, any request made from the particular IP to the site in question, will be blocked for the set period of time.

6. Limiting login attempts

Limiting login attempts is a great way to protect your login page from bots or hackers trying a number of username-password combinations to log in to your site. You could use plugins like WP Limit Login Attempts or iThemes security to do this, or use code to modify your .htaccess file, but we recommend using plugins. WordPress firewalls such as NinjaFirewall have this feature inbuilt too. The one downside with this method, is that if you enter the wrong credentials to your site more than the specified trial attempts, you could be locked out too.

Getting access back into your site would require you to follow a series of steps, depending on whether you choose to access the site via FTP and then delete the responsible plugin; or unblock your IP address manually (with code) via phpMyAdmin.

Of course, with security plugins like iThemes and NinjaFirewall, you could use settings to prevent your IP address from getting blocked in the first place.

Misleading recommendations to protect your WordPress login page

While it’s important to protect your login page, it’s also important to be careful about the changes you make to your WordPress site.

A number of recommended practices do not protect your WordPress login page as they are claimed to. One of the main reasons behind this is because they include changes that are complex, might harm your site, and are difficult to undo. Another reason, is that they advocate security through obscurity.

A few of these recommended practices include:

1. Hiding your login page by moving it to a custom URL

This is another useless security measure that involves moving it to a custom URL. Those who recommend this step, do so with the idea that this would prevent those visiting your site from knowing if it was a WordPress site. Another advantage of using a tool to do this, security experts say, is that it would also help protect against Brute Force attacks, since most hacks are automated, and having the login page at a different URL makes it a little harder to find. However, this step doesn’t necessarily protect your WordPress site in any way. If you’re using a tool such as iThemes to change your login URL to a default address that the tool gives you, chances are, every website used by iThemes has a similar URL format for the login page. This means if a hacker (or his bots) know the format, your site will still be hacked if you don’t have a good username and password combination.

Another case in which this measure would be useless, is if a hacker is actually determined to hack your site (which admittedly is a rare occurrence).

Moreover, suddenly changing your login URL without prior information, might prove to be inconvenient to your site’s users, who might need to login to complete certain actions. On the flip-side of the same scenario, even if you send an email notification about the change to your users and the hacker happens to already have a credible user account, you wouldn’t be protecting your site.

2. Modifying your user enumeration and hiding your WordPress username

These practices involve completely different procedures, but both require changes to be made to your WordPress site’s database or your .htaccess file. These changes, are complex and could affect your site negatively… and are never recommended before having a reliable, recent WordPress backup of your site. Moreover, WordPress doesn’t recommend making such changes because it also spoils the user experience for your site’s subscribers and contributors.

Instead of such practices, just having good login credentials, like a unique username, and a strong password, could protect your site better.

Hardening your WordPress site isn’t difficult, but knowing which measures to use and how to use them is paramount to not falling prey to hackers. No matter whether you choose to implement security measures manually or you choose a plugin to secure your WordPress site, it’s always safer to have a reliable backup solution like BlogVault, in case any of the measures cause your site to crash.

Why and How To Change the Default Username on WordPress

Ruby 11 months ago

Your WordPress login credentials are the first line of defense for your site against hackers. Using the default username ‘admin’, is harmful to your site. Do you know how to change your WordPress username?

How many hackers does it take to break into your site?

Well… Zero.

Most hacks are automated, and performed by hackers’ bots. So just as a search engine’s bots crawl the internet for content, hackers’ bots crawl for vulnerabilities that they can exploit. Unfortunately, one of the most common vulnerabilities (and the most common mistakes WordPress site owners make), can be found on the WordPress login page– in the form of weak credentials.

Why hackers attack the login page

Your WordPress site’s login page is what grants access to your site. If hackers can successfully exploit your login, then they can access your site like a seemingly ‘legitimate’ user; and can use your site to do anything they have in mind.

In the hacker’s eyes, attacking the login page is the easiest hack, especially when they have bots programmed to try commonly used username-password combinations. Attacks like Brute Force or Dictionary attacks have bots entering combinations till they crack the right one, so they’re called ‘guessing attacks’.

Why change your username?

With every character added to your login credentials, the guesses/attempts that bots have to make to gain access to your site is increases. Most people think that this only applies to the password and its strength, but they forget that the username is also part of your login credentials. Anyone trying to log in to your site must get both the username and the password right in order to gain access to your WordPress site. Using the default username (admin), therefore, makes sure that the bots have to only get the password right, in order to gain access to your site. Keeping the default username reduces the time the time taken by the bots to crack your credentials, by 50%.

Choosing anything other than the default username makes your site a little more secure, and as an extension to this, choosing a unique username is the most basic step to protecting your site.

A few factors that must be taken into consideration when choosing a username are:

The username should be unique, but must also be a name by which you would like to be known, since it’s not going to be hidden. This would help, especially in instances where subscribers to your website will be able to see your username, or you have to moderate a discussion on your website. Hackers in general perform noncommittal attacks, meaning that they don’t personally know your site, your username, or your role on the site. As mentioned, in these cases, they usually use guessing attacks to attack your login page. Targeted attacks however, will need the hackers to observe your site for a while, so they might know your username. This isn’t a bad thing though (we’ll tell you why at the end of this article.)
When you change your username, you won’t lose your rights as the Administrator of the site, or lose any of your content on the site.

How to change the username on WordPress

Now that we’ve established how important it is to change your WordPress username from ‘admin’, you should know how to make the change.

There are three ways you could go about changing your username on WordPress:

From your WordPress site’s dashboard
Using a plugin
By making changes to your site from phpMyAdmin

1. From your WordPress site’s dashboard

Changing the username on WordPress by this method is a little weird. You have to create a new user with a new username, and attribute this new user with admin rights, as well as all the content you’d put up on the site. This means that you will not be missing anything from the original account. However, this method has one drawback: you have to use a different email address from the one used for the ‘admin’ username.

How to change your username from your WordPress site’s dashboard:

Step 1: Click on the Users tab on your WordPress site, and check out the email address attached to the ‘admin’, under Your Profile.

Step 2: Click on ‘Add New’ under the ‘Users’ tab.

Step 3: Fill out the details. Make sure to use a different email address, and password from the one used for the username ‘admin’.

Step 4: Logout, and then log back in with the new username and password.

Step 5: Go back to the ‘All Users’ tab, and select ‘Delete Users’. Make sure to attribute all your content to the new user you’ve created before hitting ‘Confirm Deletion’.

That’s it! You now have a new username that is more difficult to guess.

2. Using a plugin

This is significantly easier than creating a new user from scratch from the WordPress dashboard. To illustrate this, we’re going to be using the Username Changer plugin.

Step 1: Install and activate the Username Changer plugin.

Step 2: Click on the ‘Users’ tab on your site. You should be able to see ‘Username Changer’ right below the ‘Your Profile’ tab.

Step 3: Once you click on ‘Username Changer’, you can select which user’s details you’d like to change (in this case ‘admin’), and save the changes. You can then log out, and log back in again with the same password that you used for ‘admin’.

Congratulations! You now have a new username.

The best part about this method, is that you could use the plugin just for this purpose, and delete it once the username is changed. Doing so will not undo any changes made to the username, or affect your site negatively.

3. From phpMyAdmin

This process is a little more difficult, and requires changes to be made to your WordPress site’s database, which we don’t recommend. But if you’ve forgotten the email address you used to create your WordPress admin account, or your username, this option might come in handy. Before you follow these steps, please make sure that you have a reliable backup solution to depend on, such as BlogVault.

Step 1: Login to your cPanel, and click on phpMyAdmin (we used a site of ours hosted on HostGator for this demo).

Step 2: Select the admin database of your WordPress site.

Step 3: Click on the ‘wp_users’ table. If you’ve changed the name of this table, you might have to remember and locate it.

Step 4: Locate the username you want to edit, and click ‘Edit’.

Step 5: Type in the new username as the ‘Value’ for ‘userID’.

Note: Once you type the new username, the field will turn red. Don’t get alarmed. This is just phpMyAdmin alerting you of a change.

Step 6: Scroll to the bottom, and click on ‘Go’ for ‘Save’.

You now have a new username.

Be careful of the ways you use to ‘protect’ the login page.

While changing the username and using it in conjunction with a strong password is an essential step, there are a number of other practices that are highly recommended. However, not all of them are useful.

One of the inefficient ways to protecting your WordPress login includes the practice of ‘hiding’ the WordPress username. WordPress doesn’t recommend this measure since having a visible username not actually a vulnerability.

It is important to not follow useless, more complex procedures that might harm your site; and to focus on the real measures essential to hardening your site against hackers’ attacks. Your login credentials are the first line of defence to your WordPress site, so it’s essential for you to have strong ones.

While enforcing a strong password is critical to having a safe login page, having a unique username does its part too, in protecting against guessing attacks.

Investing in a security measure like a WordPress firewall, would help you avert hackers’ attacks even more. However, since there is no such thing as a secure website, it is important to also have an accurate, intelligent malware scanner and hack cleaner, like MalCare to deal with malicious code on your site, in case a hacker has already penetrated your WordPress site.

Downloading WordPress Backups: Pros and Cons of Storing Backups on Your PC

Suhas 11 months ago

Storing WordPress backups on your PC can quickly become laborious and the risks outweigh the convenience or economic benefits. Find out why.

Locally storing your WordPress backups means storing them on your PC or desktop. The other option is maybe to store them in an external storage device like a USB drive or or an external HDD/SSD.

Saving backups of your WordPress site to your computer seems convenient, but how reliable is it?

In this article let us look at how you can do it, why you may be looking at this option and also answer the question which matters the most– should you do it?

How To Make WordPress Backups Locally

There are 3 ways through which you can download backups to your computer:

Manual WordPress Backup Download
WordPress Backup Download via cPanel
Plugins

Manual WordPress Backup Downloads

You can download WordPress files by using an FTP client— eg: FileZilla, CyberDuck. Making a full backup includes backing up files as well as your WordPress site database. To make WordPress database backups you can use phpMyAdmin.

However, once you download your backup files, labeling and organizing them is important. Otherwise it may be impossible to find the desired version when you want to make a restore.

cPanel

Usually web hosts provide a cPanel account to users. Using the tools in cPanel– Create Backup or Backup Wizard, you can download backups. Again these backups are usually .zip files with filenames containing date names. However, that is not enough information when you make regular backups. You may have to spend more time organizing your backups with descriptions to ensure restores are easy.

Plugins

Most WordPress backup plugins; at least all the popular ones, offer the option to download WordPress backups to your computer. However, regardless of the WordPress backup plugin you use, downloadable backup files; especially of the full site, are available in .zip format when you download a full WordPress site backup. On top of that not all plugins give you the option to download individual files. This means we are back to our recurring theme of how downloading and storing backups also means maintaining them.

Storing WordPress Backups Locally

There are some key concerns when thinking of destinations for WordPress backups.

Storage space
Security
Organization
Restoration Issues
Ease of use

An ideal WordPress backup solution addresses all of these concerns.

Pros and Cons of Storing WordPress Backups Locally

Storage Space

Backups must be made regularly; daily if possible. If you are making regular backups then storage space will become a concern for you. Your PC’s internal HDD will eventually run out. You can solve the problem by investing in an external HDD/SSD, or USB drives dedicated for storing your backups; especially if you have large sites and you make regular backups. If you use USB drives for example you may be forced to make backups once in awhile and and overwrite previous copies. This is not a good solution.

Security of WordPress Backups

Making a backup is a security measure. Which means your backups must be secure. However, storing them on your PC or on a storage device is not the best idea when considering the security of backups.

Malware

Backups stored on a PC may be infected with malware from a few sources. They may either already be on your computer, or your browser may have been infected by a malware from an unsafe site, or your backup files may be corrupted by malware in external storage devices like USB drives or HDD/SSD.

Storage Location

Apart from malware issues, there is the concern of where your backups are stored. Even if you have a dedicated external storage device– HDD/SSD, it may not be enough as they are not reliable. They do have failure rates, and may crash or be infected with malware as they have to connect to your computer at some point. HDDs/SSDs may also stop working due to heat or natural wear and tear. Along with all of these points, if you choose to store backups locally on a hard drive, then your backups are in a single location, this raises the risk of losing them significantly. As a result, they may not serve as the most secure environment for storing your backups.

Organization

Downloaded backups have to be organized if they have to be useful when you have to restore your WordPress site. Consider that your site is down and you have to restore it. If you are left going through all your backup versions one by one trying to make the right decision, then you might spend a lot of time and effort which you could have invested in developing your business ideas.

Restoration Issues

Manual downloads or locally stored backups usually mean manual restores too. This may suit some developers or those who have spent time working on WordPress but for the majority who are business owners, or bloggers who are utilizing the CMS, this may not be a viable option.

Restorations usually have to be done via your cPanel account or via an FTP Client and phpMyAdmin. There are often limits to the size of files that can be uploaded via cPanel or PHPMyAdmin. These restrictions can cause restores to fail. Again, the lack of backup descriptions, and easy options to make restores, together make extra demands of your time and energy. Expending this extra effort may be unnecessary if you utilize a complete WordPress backup service.

Ease of Use

First of all since this is a manual process. If you are following best practices than you have to make backups daily. This can get tiring, and worse, you may forget to make backups at all.

After taking all of the above points into consideration, the answer to this one seems to be clear. Storing WordPress backups locally doesn’t seem to be a great idea. However, there may be a couple of benefits. It is an economical option, and you can be sure that backups are done as making manual backups or downloading them from plugins allows you to keep track of your backups.

However, even in these cases, you may end up spending on storage devices, or professional help when you need to restore. Along with those issues, if you account for the time spent doing the work— making, downloading, organizing, and maintaining backups; and the time spent worrying about their safety, then the economical benefits and surety about backups being done seem to be nullified.

Instead choose a professional WordPress backup service like BlogVault, for worry free backups so you can do what you do best. A premium WordPress backup service would allow you to easily track backups, makes one-click WordPress restores, and even one-click WordPress migrations; leaving you worry free.

What Can Go Wrong With Your WordPress Site?

Suhas 11 months ago

While it is easy to be online with a WordPress site, the real task starts after you are online. Do you know all the things that go wrong with your WordPress site? Read on to find out.

Every person wanting to start a blog or a small business has heard the words “you can be online in just 5 minutes”. This is true and this is what makes WordPress popular. However, very few people realize that owning a self-hosted WordPress site is the beginning. There are many things that could go wrong with your site… Right from accidentally deleting files, posts or plugins to a bunch of problems with your hosting provider.

A WordPress site and its web host need to fit well together. Finding the the best for your WordPress site might take some trial and error. Even if you do find the option with the least worries there are still many issues you can run into. The key lies in knowing what the potential issues are and finding answers to as many questions as possible from the start. This is a list of many possible things that can go wrong with your WordPress site.

WordPress Host Hardware Issues

The hardware in a web host is one of the most common problems to arise. Everything from overworked hard disks, power surges, heating issues to natural disasters and accidents can cause hardware failures.

Usually hard disks are said to be the hardware component to fail most frequently. It is not surprising because most hard disks (which are HDDs) rely on moving mechanical parts. This increases not only the probability of wear and tear, but also heating due to friction, and the rate of failure. This is true when compared to the alternative to HDD, the SSD. There are no moving parts, they are silent and reduce chances of heating too, but SSD cards are more expensive and have a high failure rate too.

Heating issues are generally exacerbated by outdated hardware or when there is insufficient cooling infrastructure. On the flip side, if a hosting provider stuffs a room with servers then the cooling infrastructure might prove to be inadequate, automatically heating the hardware as well as the environment. This increases the failure rate in hardware and more likely heating causes performance lags in servers and in turn in your WordPress site.

Something you may not pay attention to, is the location of your web host’s infrastructure and how prone that location is to natural disasters. If your web host is in a location that is prone to flooding, earthquakes or tornadoes then you might want to ask them about the preparations they have made in case of such eventualities. Even cases of heavy storms, lightning has hit data centers causing damage.

Not just natural disasters, even accidents can cause unexpected trouble, such as the freak accident in which an SUV crashed into a building knocking out the power generator of a data center.

Your WordPress Site Is Hacked

WordPress not only the dominant entity in the CMS market now, it is also the fastest growing CMS too. This means that WordPress is big and here to stay for the foreseeable future. This popularity provides hackers a large target.

WordPress is open source software, dependent on plugins and themes and popular. All these points contribute to the CMS being a popular target of hackers.

While vulnerabilities on WordPress core are patched quickly, the security through transparency model means that anyone keeping tabs of WP news knows which vulnerabilities were found, where they were found and what is the patch. This system is just part of the deal when dealing with the open source platform- WordPress.

WordPress, because it depends on plugins and themes to make it extensible is also in an unique position because one of its biggest strengths is also the source of most of its vulnerabilities.

Remember, modern day hackers are not targeting sites but have bots crawling the net searching for vulnerabilities. If you are not practicing basic security practices like updating everything then your WordPress site is at risk.

Hosting Provider Issues

While creating a WordPress site may be easy, hosting it can bring up many complications. This is especially true for WordPress sites on shared hosting. On shared hosting your server might be overloaded if your hosting provider hosts too many sites on your server affecting the performance of your site.

Apart from site performance and uptime you also have to worry about the name server going down, again your hosting provider getting hacked, your account being suspended by your hosting provider, or your hosting provider is going out of business.

Natural Disasters & Accidents

Hosting providers even today are affected by natural disasters and accidents. While your web host’s infrastructure may be built with disasters such as earthquakes, floods and tornadoes in mind, it might not be true for all data centers. The best defence of course is to ensure that data centers are not built in such locations. However, this is not always possible in the 21st century. The next best option is to be prepared.

This equally true for accidents too. Not only can accidents cause significant damage to your web host, they can also impose significant financial losses to both your web host and you as a WordPress site owner.

The cost of downtime is going up all the time because it not only means the accountable loss in transactions for e-commerce sites but also the more qualitative measure of visitors’ perception of credibility. If not as serious then you could simply lose visitors because there is no destination for them to see and with which to engage.

It is best to plan for a WordPress backup solution that is truly a disaster recovery plan. This means not only reduce or eliminate dependability on your web hosting service, their infrastructure or backups but also protecting your WordPress site from damages caused due to weather which may affect your web host.

Software Issues

WordPress is of course an open-source CMS which is extremely popular. This also means that a large number of novices are developing for/on it. Such processes make WordPress extensible and contribute to it is popularity, but also expose it to exploits.

However, along with security scares, bad code on WordPress themes and plugins cause the following compatibility and performance issues:

Compatibility with WordPress
Compatibility with the theme
Compatibility with other plugins installed on the site
Proliferation of plugins
- Security concerns
- Performance lag

Apart from all these issues bad code might lead to the dreaded the ‘White Screen of Death’ too. Updating plugins and themes with bad code is one of the reasons for this to occur.

Updating WordPress Plugins & Themes

This means that updating, which is a necessary security step, becomes a serious concern for WordPress site owners. The site may stop being functional and depending on the seriousness of the issue availability of redundancies, your site could be down for hours.

In such cases you have few options that might ease your burden:

To start off with the basics making WordPress backups must be the first step of updating your themes & plugins
If you’re using a backup service that allows you to test your backups before you restore, then you can you can even use it to test updates before making changes to your live site.
Also, in case you make updates to the live site and it doesn’t work out for you, then you can simply restore a backup. This saves time that might have been wasted in figuring out which plugin is at fault for taking your site down.

Human Errors

With a self-hosted WordPress site human errors can occur from two ends- you the WordPress site owner, or the web hosting company.

Site owners

Accidental file deletions

As site owner you may delete files, plugins, or even posts. Recovering these may be a difficult job if you do not have them backed up because not all web hosts make WordPress backups and among those that do, not all do it on a daily basis.

Not Renewing Hosting Contract

This seems like a simple enough point and in the modern world with email reminders, it seems like a point that shouldn’t be in this section but it happens often enough for us to not mention it. In this case, you must know what your web hosting company’s policy is, regarding your data.

Hosting Providers

Accidental file deletions, or rebooting the system has been reported often enough now for it to be part of our checklist to test the efficacy of a given WordPress backup plan. Unlike individual site owners, when a hosting provider runs a script deleting a file or reboots a section of the data center the scale of the consequence is much bigger. Don’t get me wrong, I don’t mean to underestimate the damage of a single business site losing all its customer and transactions related data. However, generally, errors by hosting providers tend have a bigger effect in terms of scale than a single WordPress user deleting a post on their site.

Data Center Issues

A data center can be divided into four parts:

Building shell
IT equipment
Electrical Infrastructure
Mechanical Infrastructure – Cooling infrastructure

A data center may face issue in each of these four sections/parts. Apart form this your data can be threatened when your WordPress hosting service’s data center itself is hacked or hit by a natural disaster.

The building shell is obviously the first line of defense. It can regulate access and keep the inside equipment safe. The IT equipment is the very business of the data centers – this refers to the servers, storage and communication equipment. Servers and storage can fail either due to wear and tear, heating or power surges, among other causes.

Communication equipment like cables and switches is not easily visualized generally. A single cable not connected properly or knocked off during maintenance can cause a lot grief. The same can be said of uplink failures, or when network switches fail or undersea cables get cut. A case when a network switch failed and took down four popular web hosting companies, is a good example of how of such issues cause serious enough damage for you consider them a threat to your WordPress site’s uptime.

We mentioned the importance of electrical infrastructure in the previous section. Equally important and closely connected to the electrical infrastructure is the cooling equipment and all the other non-IT equipment that the electricity powers.

If A Data Center Is Hacked?

If a data center is hacked then your data may be compromised. What is not obvious is that you may not always lose your data to the hacker. There have also been cases when data centers have gone out business because of a single hack. This means even if your site may not be directly compromised, you might still have to find ways to secure your data.

The point to remember is that your data- your website and your backups are at risk even if your site/server is not hacked. Which is why you must have backups which are completely independent of your web host’s data center.

Power Failures in Data Centers

Power supply is the cornerstone of a good web hosting. If there is adequate and constant power supply is then it powers not only the servers but all the other equipment required to keep the web host running- air handlers/cooling/heating/ventilation, lighting, UPS system and generators, fire suppression systems, alarm systems. Needless to say, a reliable web host must have adequate power backup which is tested and functional. If backups fall short then you might be looking at frequent downtimes which may add up to costing you a significant amount. Asking about your host’s power backup system may be an important factor in your decision making process when the time comes to choose a web host.

Bad hardware— outdated power backup systems, lack of maintenance, and lack of testing for power failure are all part of reasons why a data center may experience power outages.

Completely Independent WordPress Backups

It is obvious to think— “I have backups. My hosting provider does it for free! I’m safe.” This along with the addition of a moderate financial burden turns most people away from backups. However, ask yourself this— Can I access my WordPress backups when every single point mentioned above does go wrong? If not, then your WordPress backup is not a disaster recovery plan. It is as simple as that. The reason for this is that the functionality and security of your backups are dependent on your web host.

All WordPress backups have one purpose, WordPress restores. For this you might want to rely on a comprehensive WordPress backup service which is all about restores, BlogVault.

What Do Hackers Gain from Hacking WordPress Sites?

Ruby 11 months ago

WordPress is a popular target for hackers because every website has something to offer them, and the returns on attacks are high.

WordPress is the most popular CMS in the world, and a popular target for hackers too. The scale of the problem may make it seem like the hacks occur randomly and for random reasons. In reality, every website has something to offer hackers. The exact nature of the payoff also depends on the intentions of the hackers.

Hackers can be grouped into three categories, depending on the purpose behind their attacks:

White-hat hackers usually test a website or a computer system for vulnerabilities. They do not have malicious intent, and disclose vulnerabilities responsibly.

In the WordPress community, white hat hackers are either a part of a web security team, or are developers within the community who contribute by discovering vulnerabilities and helping protect the community against such risks.

Hacktivists, (who are ‘activists’ acting by means of hacking) target websites mostly to bring awareness to socio-political issues, but the means they pursue for these ends are questionable. This is why it’s difficult to categorise what they do. Most of the time, hacktivists deface websites, or publish sensitive information.
Examples for hacktivist defacing websites range from Anonymous’ hack of the Phillipine Comelec that asks questions, to the defacement of the ISIS website with ads for performance-enhancing drugs. Hacktivists could also publish sensitive information. Examples of such attacks include the Panama Papers leak, and the hack of the CIA and FBI websites that released officers’ personal information and put them in danger.

Since the classification of what hacktivists have to gain, and the means they use to achieve their ends can fall in gray areas, we’re going to exclude hacktivism from this article.

Black-hat hackers, who hack websites indiscriminately, purely because of more ‘materialistic’ gains. They exploit vulnerabilities to their own ends. Any website can be targeted by these hackers, since they are not looking to test a specific system for vulnerabilities, nor do they want to further a socio-political agenda.

What Black-hat hackers can gain from hacking websites

Black-hat hackers could gain one of three things from hacking websites:

Reputation
Access to resources
Information

Reputation

In terms of technical know-how, and the scale of the reputation they seek, black-hat hackers could be ‘script kiddies’, or ‘experienced hackers’.

‘Script kiddies’ depend on tools to perform hacks. While the scale of the havoc they wreak can vary in degree, they usually hack websites to be accepted, or to gain reputation among their peers. They usually don’t have criminal intent. However, the more they learn, the more they could move towards higher levels of experience and reputation.

Garnering reputation among other black-hat hackers depends not only on the technical know-how they have, but also on the damage they have the ability to wreak independently. This is when/why they move away from readily-available tools, and craft malicious code of their own that can bypass usual security measures on websites.

‘Experienced’ hackers look to earn a more ‘professional’ kind of reputation. You might know that there are black markets for the sale of illegal goods, but there are similar establishments for cybercrime too. One such black market/forum, was Darkode. Hackers have profiles on these websites and are ranked. These hackers look to earn higher ranks so that their ‘customers’ will pay more for their services, and their work will be recognized more.

How high a hacker’s rank is, on cybercrime forums, depends on:

The number of sites they’ve hacked.
How proficient they’ve been (the difficulty of the hack).
The reputation of the sites they’ve hacked.
How satisfied their customers are with their ‘service’.

In short, even if your website has great security, it’s better for them: they get a better ranking if they succeed in hacking your site.

For example, if your site had tight security, and a hacker successfully retrieve contact information of all your customers, they only garner reputation and have no use for the information afterward. They could go ahead and publish it on the cybercrime forum so other hackers could use the information to send spam mail to your users, send them downloadable malicious code, or send them mails crafted for phishing.

Access to resources

The resources on your WordPress site include your site’s database, the server it’s hosted on, as well as the users and visitors to your site. Black hat hackers hack your website in order to gain access to these resources. Attackers have a number of ways that they could exploit your site’s resources:

They could plant malicious code on your site to do anything they need to do, without the action getting traced back to them. An example of this would be that of hackers planting malicious code on your server to send their spam mail to your site’s visitors. This would not only get your server blacklisted by mail servers, but also could lead to your WordPress site getting blacklisted by search engines (since it has malware).
They could use your site to perform Black Hat SEO practices that allow them to hijack your site’s traffic and redirect it to their own websites, or their customers’ websites. A common type of attack on WordPress sites that uses this technique is the WordPress Pharma hack.)
They might use malicious code on your site to trick the visitors of your site into downloading malicious software to their computers.
Cross-site scripting attacks could be used to steal cookies from your site’s visitors and use their credentials.
They could use your server as a bot in a DDoS attack.
They could manipulate your site to trick users into entering sensitive information that could be used for phishing.
They could use ‘ransomware’, which is malicious software that doesn’t allow you access to your resources, your website, or important files on your website unless you pay up. Ransomware keeps popping up in tech news because of technology’s progression into the Internet of things (smart home appliances that can be connected to the internet). In the context of websites, ransomware could be used to either lock you out of your site, or encrypt all the data on your website until you meet the hacker’s demands. If you don’t give in to the hacker’s demands, they could keep all the data from your WordPress site to themselves until you do, or worse, delete it all. The only sensible way to protect yourself from such an attack, is to have a reliable WordPress backup solution that has updated backups of your site.

Information

As any website owner knows, information is probably the most important thing on a website. From your site’s data to your visitor’s data, all of the information on your website is unique to you, and is hence valuable.

Hackers could hack your site to retrieve information that belongs to your site’s visitors, such as their personal information(which includes contact information, photos, medical records and other information about their identity), or financial information.

Hackers could use this information in the following ways:

They could use it for their own purposes (such as to send spam mail). Sending spam mail from your website’s server could get it blacklisted by search engines, and other mail servers.
They could publish sensitive information from your site.
They could sell it to others looking for this kind of information.
They could also retrieve confidential information from your WordPress site (such as information about your investors), and ask you to pay a ransom to make sure it isn’t published, or sold.

Publishing sensitive information

Sensitive information on your website doesn’t have to just be related to the financial information … it could be anything that is specific to just your site, such as the personal information of your site’s users (like their email addresses), that could be used in line with malicious intent (to fulfill a job request, to damage the reputation of the company whose information they publish, to help other hackers send spam).

For example, a hacker could publish your users’ email addresses, to ruin your establishment’s reputation and the trust your customers have in you.

Selling sensitive information online

This is another dangerous way hackers target the information on your site.

While some hackers sell personal information of celebrities online (like in the case of Pippa Middleton’s iCloud photos that the hacker attempted to sell), in the past few years, a number of medical websites have been targeted.

This is because social security numbers, medical and healthcare information could prove to be more valuable in terms of identity theft than even financial credentials.

Hackers who sell financial information are in a race against time; they only get the best price for their hard work as long as the credentials are recent, and valid. If the people whose information was stolen, blocked their cards or switched banks, they don’t get paid. However, with identity-theft, the validity of the crime is much longer; and the payoffs for the buyer is considerably higher.

The parties that buy this information could use it to:

Create online loan applications
Create applications online for credit cards
Apply for prescription drugs
Create fake IDs

This poses a serious risk for any website, but especially for those that store any sort of user-information.

With reasons/aims like these, it’s no wonder that hackers continue to do what they do. They know that there is no such thing as a secure website, so any website can be hacked, and used to any end. The returns for them on hacking websites is high. This is why hackers who seek to obtain information or access to resources on your site make sure to keep their tracks hidden. They do this in order to utilise your site for as long as they can, and make sure to leave backdoors in inconspicuous file so that they can always gain access back to your site.

This is why the best way to stay safe is to have a solid disaster recovery plan in place. The prime element in such a plan, would definitely be a WordPress backup solution like BlogVault that is truly reliable, and an intelligent malware scanner+cleaner, like MalCare, that leaves no malicious code behind.

Common Security Mistakes WordPress Site Owners Make

Ruby 11 months ago

WordPress has become the most preferred content publishing platform online, and its popularity is continuously growing. For hackers, this means a bigger target with greater payoffs. Are you, as a WordPress site owner committing basic security mistakes that make it easier for them?

WordPress is the most popular platform to build websites on, and its popularity has only been growing. The CMS has something to offer anyone who has ever wanted to own a website. The WordPress community is supportive, and consists of developers who can build anything in code as well as code-averse site-owners who are given a world of add-ons to make their sites extensible, and more functional.

However, maintaining a WordPress site comes with a number of caveats, which are difficult to navigate. The case is worse for new site-owners, since committing a small mistake could knock their site offline, or make it vulnerable to hackers’ attacks.

Knowing the common mistakes made, and avoiding them, is key to keeping your WordPress site safer. This is why we’ve come up with a list of the basic security mistakes that WordPress site owners and users make. Are you making any of these mistakes currently?

1. Not updating WordPress and its add-ons

Now while the rest of our list talks about mistakes to definitely avoid committing, this issue is a little more complicated. This is why we’ve chosen to get this out of the way right in the beginning.

Everybody talks about keeping WordPress Core and add-ons (themes and plugins) up-to-date, for the sake of security, as well as to add new features to the site. However, you as a WordPress site owner, have one good reason for not doing so– incompatibility.

Your WordPress site could break because of:

Updating WordPress Core

There are two kinds of updates on WordPress Core that keep it up-to-date with the best features, and security measures on the web.

Major updates (like 4.5 or 4.6): These add new features and functionality to WordPress.
Minor releases like Release 4.5.1 and 4.5.2: These are dedicated to security patches, and bug fixes.

There are a couple of catches with these releases. For one, it can be cumbersome to keep up to date with all of them. Version 4.5, for example, was released on April 12, while 4.5.1 was released 14 days later, and 4.5.2 was released about 10 days after 4.5.1. Secondly, while WordPress Core upgrades are designed to be compatible with all the previous versions; (even the first one), it doesn’t always work out that way. So when WordPress site owners update their WordPress core, their site crashes.

Updating WordPress add-ons (plugins, themes, and widgets)

There a number of problems you could run into while updating WordPress add-ons. Since the developers could be pressed for time or not have the expertise, they can’t make sure that their updates are compatible with every single version of WordPress. As a result, they could be incompatible with previous updates of WordPress Core. Moreover, even add-ons that are coded to be backward compatible might not be developed with other add-ons in mind. Lastly, add-ons’ updates contain significant security patches and bug fixes, which change the way they work and hence cause conflicts. One example of this was the security patch for RevSlider (a premium carousel plugin), that changed the way the plugin worked.

As a result, updating even just one plugins could cause your site to break. If compatibility issues between WordPress Core and an add-on are a concern, the safest route to take, would be to ask the plugin developer to release an update for the plugin, while also looking for alternatives that work with your other add-ons.

The key to keeping your WordPress site secure, is to update every part of your WordPress site. The consequences to your site, its data, and your site’s visitors are all too great to not update.

2. Buying/using bad add-ons

As mentioned, WordPress add-ons don’t necessarily have the stringent code quality or security measures in place that WordPress Core does.This is why it’s important for WordPress users and site owners to pay attention to pick a good theme/plugin. Every good add-on has one basic characteristic– it has has good code. But even if you don’t know how to judge the code of a theme/plugin, there are a few characteristics which you spot:

They’re available via a reputed source: This means they’re on the WordPress.org repository, or with well-known theme/plugin seller, like Themeforest, Elegant themes, etc. Just as with material goods, buyers should be wary of a premium theme being available on a questionable website at a huge discount.
They have good reviews and ratings from genuine, long-time users.
They’ve stood the test of time: The longer a theme or plugin has been available, the more bug fixes and security updates they should have.
They get updated often and have been recently updated (in the past 2 months) from the developer’s side

Installing a bad theme/plugin could have a number of consequences for your site, whether in a way that affects function (such as slowing down your site), or in a malicious way, such as sending spam mail on your site’s behalf. Apart from all this, having an add-on with malicious code on your site causes search engines to mark your site as malicious, and hence blacklisted.

3. Using bad login practices

There are a number of simple login mistakes that WordPress site owners make, from sticking with easy to guess credentials, to staying logged in on their sites. This makes it easier for hackers, who usually use bots (just like search engine crawler bots), to look for websites with vulnerabilities.

Sticking with the default username (admin) reduces the time bots need to crack your login credentials, by 50%. Combining that with the use of a weak password only makes attacks on the login page (like a Brute Force attack, or a Dictionary attack) that much easier. Once the bots crack your login credentials, the hacker can login as you, and legitimately perform admin-level functions. This is why it’s important to enforce good login practices, and secure your WordPress login page. A couple of other simple ways (and there are more ways) to protect your login page are renaming the administrator account to reflect a different username. WordPress site owners have to look out for legitimate ways to harden their login page though– some widely recommended practices such as moving your login page to a custom URL, are unnecessary, and can ruin your site’s user experience.

4. Making every contributor to the site an ‘administrator’

WordPress sites have different system users with different levels of access, in order to give the site owner the power to assign responsibilities to different users. This also serves as a way to give those with fewer responsibilities, the access to only specific areas they need access to. This principle (known as the Principle of Least Privilege), is one of the basic elements of security on any system.

WordPress has five different user roles:

Super admin or Admin: Has full control over add-ons, content, files, and users on the site. (Super admin is someone who has Admin access over multiple sites, and controls the network administration for those sites too).
Editor: Has full control over content and files, can publish anyone’s content, and is allowed to add script tags for formatting.
Author: Can only create, modify, publish and delete their content.
Contributor: Can only read, edit and delete content. No publication rights.
Subscriber: Can only read content. No other rights

So say you run a successful news website or a blog with a regular guest blogger contributing once a month… You would best assign the guest blogger the role of ‘Contributor’ or ‘Author’.

Assigning the ‘Admin’ role instead, however, will put your WordPress site at a greater risk. Just imagine what would happen if they deleted a post by another author, a plugin or even an Editor by mistake!

Giving users unrestricted access could also allow hackers to exploit your site more easily. A good example of this kind of damage, was how TechCrunch got hacked by OurMine, a commercial security group that hacks accounts to publicize their services. The site was hacked using one of its contributors’ accounts.

5. Being a hoarder

Keeping old add-ons and users presents a number of opportunities to hackers. As a site-owner, it is only natural to experiment with plugins and themes. In the process though, it is easy to forget about unused add-ons in your site’s repository. However, since you no longer use them, you also don’t update them. This opens up your site to a number of exploits.

Forgetting to delete old users (especially contributors) long after they’re gone, allows hackers access your site legitimately after a previous hack (like a Brute Force attack). This is one of the ways WordPress site owners are hacked for a long time without even knowing about it.

6. Not checking past uploads

Similar to hoarding add-ons and users, WordPress site owners also fall in the trap of never cleaning out their Media Library, the uploads folder, or the includes folder.

Hackers know this too. This is why they could easily upload a hack-file that looks like an image, and execute a hack later. This is how a number of exploits on the TimThumb vulnerability were carried out.

This method could also be used to create a backdoor. So even if malicious code is removed, and the WordPress site is kept up to date, it will still be susceptible to hacks.

7. Not having a reliable backup solution to depend on

Having a backup solution for your WordPress site is paramount to security. Not only does having a clean backup of your WordPress site make it easier to restore your site in case of a hack or blacklisting, it also allows you to scan your site’s code for irregularities and fire-fight more efficiently. However, most WordPress site owners don’t realize that the solutions they’re relying on are not dependable, until it’s too late. Backups must be the perfect disaster recovery solution, so they should be fool-proof, and adhere to the best WordPress security practices. Not only should they be independent of the WordPress hosting service, but they should be independent of your site, be stored in multiple locations, and have both: WordPress files and database encrypted and backed up.

If your site encounters a problem caused by anything as disastrous as your hosting provider being hacked to the deletion of files, not having a good backup plan would lead to your site experiencing a long downtime or worse.

The mistakes listed in this article are basic, and yet widely committed by WordPress site owners. Keeping your WordPress site secure lies not in being sure of impenetrability (because there is no such thing as a perfectly secure site), but in making it harder for hackers to achieve their target.

If you commit, or have committed any of these simple mistakes in the past, the best way to ensure that there is no malicious code on your site, would be to invest in an intelligent auto hack cleaner for WordPress sites, like MalCare.

Does Your WordPress Host Address These Data Center Pain Points Effectively?

Suhas 11 months ago

A data center is a complex entity in WordPress hosting. Do you know the different parts of a data center, what can go wrong in each of those parts, and how it can affect your WordPress site? Find out.

Many factors in different parts of a data center and its operations affect the performance of your WordPress sites. This could be due to a number of factors from simple hardware failures, to a breakdown in power supply.

Breaking a data center down broadly will help us to understand these issues, and what can go wrong, in a clear manner.

Parts Of A Data Center

Building Shell
IT Equipment
Electrical Infrastructure
Mechanical/Cooling Infrastructure

Operational & Other Issues

Human Errors
Hacks
Natural Disasters & Accident

What Can Go Wrong In Different Parts Of A Data Center?

Building Shell

Generally, little thought is given to the structure which houses the servers and all its accompanying equipment because its layout and design is the first line of defence against any errors. Right from setting up the perimeter as well as the first line of defence, to determining the amount of equipment that can reasonable be stocked in any place the layout of the building is the definitive factor.

The building and how the layout is designed within it can also effectively implement access control protection in the form of magnetic strip cards, registry, etc. These points are crucial to ensuring that your WordPress site is secure.

Access control must be a concern for WordPress site owners looking for hosting services. Otherwise, slip-ups like the one that occurred at Joyent (the case when an operator error rebooted the entire section of compute nodes simultaneously), will be a serious issue with which to contend.

Mistakes are bound to happen even when all the checks are in place because there will human, software or hardware errors. It is just that there are ways to reduce the frequency of such errors. However, you cannot always plan for accidents.

A driver in an SUV fell unconscious, and the vehicle accelerated towards the end of the road, hit curb going aerial and damaged the wall of building knocking out the generator inside it. The building was owned by Rackspace and as result of the accident clients had to experience hours of unexpected downtime.

IT Equipment

This refers to

Servers
Storage
Communications equipment

Servers

A host of hardware, software and operational issues can cause server failures. Hardware issues usually occur due to overheating, power surges and physical damage caused due to accidents or natural disasters. Software issues occur overtime if there is lack of maintenance or due to malware or viruses. Even if the equipment is not completely damaged such issues can cause your site to lag, delay your site load times, or your site pages may not load at all.

Storage

Hard disks have failure rates and along with heat, natural wear and tear, and power surges all lead to failure. This is true of all hardware equipment in data centers.

Communication Equipment

Communication equipment like a network switch failing can cause serious outages even though it is not an aspect of web hosting we pay much attention to.

Web hosting businesses are facing increasing demands to remain competitive and keep the prices down. At the same time there is consolidation with a single company owning many brands of web hosting under it. So, downtime from a network switch failure can have a ripple effect, and can affect multiple hosts at the same time.

It is best to diversify your backups in multiple locations to avoid being caught by surprise when facing such situations.

Electrical Infrastructure

While the IT equipment represents the business of the data center, electrical infrastructure is what allows it function. Electrical infrastructure refers to the power supply and power backup equipment. Much of the claims that data centers make regarding uptimes and site performance depend on uninterrupted power supply. This means having effective and adequate power backups is crucial.

For a WordPress site owner, this information could help decide the hosting service to host their site on.

Power failures occur when the backup equipment is not tested- if the batteries are functioning and charged, if the power backup system kicks in immediately, etc. Otherwise sites might go down unexpectedly leading to losses.

Mechanical Infrastructure

Mechanical infrastructure helps regulate the temperature and this plays a crucial role in site performance and determines how dependable your hosting service is. Unregulated temperature can have serious impact on your site performance.

Rise in temperature can also occur when too many sites are hosted on servers. This overworks the cooling equipment in the data center, and as a result fans may fail and exacerbate the problem.

Asking your web host about the access control, power backup and and cooling they have could be crucial to know the estimating site’s uptime and performance; especially if you have large site with many media files.

WordPress Backups Are A Necessity

Apart from this WordPress hosting services face the usual problem of hacking. In this case even if the vulnerability exploited was not on your site but your data center is hacked affecting your site, then you could not only lose your site but your WordPress backups as well as any personal/sensitive information which may be stored on your site. Sometime such losses are irreparable. Not simply because of the impact of the hack which itself may be severe but hacks have forced data centers our of business entirely. In such cases you may not be able to recover your data at all.

While there are many specialized WordPress hosting services available and the number is growing, it is important that you ensure that your site’s backups are not stored on web host’s servers or equipment. That way you can access your backup even in the case of any such failure. This is simply a good way to make WordPress backups and increase redundancy.

WordPress backups are not a luxury but a necessity. While hosting service have gotten more efficient demand and competition has also grown. This especially true for WordPress hosting. With growth of WordPress the number of hackers targeting the platform has also grown. Added to these familiar threats, data centers continue to be affected by natural disasters and accidents.

It may be important to know where the data centers of your WordPress hosting service are located and how prone those locations are to natural disasters. In such cases you may also want to ask your hosting service the kind of preparations they have in place in case of such eventualities.

Now that you know broadly all the pain points of a data center and how it can affect your site, opt for a WordPress backup service like BlogVault which secures your backups and diversifies their location effectively. After all redundancies are useless if they are exposed to the same danger to which your WordPress site is exposed.

Sign In

Sign Up

Ruby 10 months ago

Ease of Use

Easier Account Control

Optimized for Teams

New, Improved Features

Backup features

History

Download Backup / Upload Backup

Migrate

Auto Restore

Test Restore

Backup Now

Management Features

Manage Plugins

Manage Users

Security Features

Secure Site

Hacked Files

Auto Clean

Scan now

Better Navigation

Ruby 11 months ago

1. Writing down your passwords on paper

Pros

Cons

2. Storing your passwords in a password-protected file

Pros

Cons

3. Using a password manager

Pros

Cons

Ruby 11 months ago

Guidelines for Setting a Strong Password/Passphrase for Your WordPress Site:

1. Longer passwords are stronger passwords

2. Strong passwords don’t have common replacements

3. Strong passwords contain uncommon words

4. Strong passwords don’t contain your publicly known details

5. Strong passwords use a combination of uppercase, lowercase, and special characters

Ruby 11 months ago

What is login protection?

2. Enforcing a strong password

4. Using Captcha

5. Setting an expiry-time for your login page

6. Limiting login attempts

1. Hiding your login page by moving it to a custom URL

2. Modifying your user enumeration and hiding your WordPress username

Ruby 11 months ago

Why hackers attack the login page

Why change your username?

How to change the username on WordPress

1. From your WordPress site’s dashboard

2. Using a plugin

3. From phpMyAdmin

Be careful of the ways you use to ‘protect’ the login page.

Suhas 11 months ago

How To Make WordPress Backups Locally

Manual WordPress Backup Downloads

cPanel

Plugins

Storing WordPress Backups Locally

Pros and Cons of Storing WordPress Backups Locally

Storage Space

Security of WordPress Backups

Malware

Storage Location

Organization

Restoration Issues

Ease of Use

Suhas 11 months ago

WordPress Host Hardware Issues

Your WordPress Site Is Hacked

Hosting Provider Issues

Natural Disasters & Accidents

Software Issues

Updating WordPress Plugins & Themes

Human Errors

Site owners

Accidental file deletions