WordPress 101

How to Keep your Website Secure from Hackers

Websites tend to be “If you build it, they will come”, but this also means hackers will want to come to check out your site as well. Is there anyway stop them from coming? There are simple steps in WordPress security and the first step is one of the most important actions to take. That is making the step to a proactive approach (instead of a reactive process) and to do it TODAY. Any website, even the simplest of test sites, and the site that does not get any traffic can be infected if not maintained properly.

The bulk of WordPress websites that are infected is typically due to out-of-date core, theme, or plugin files, use of insecure logins, or a brute force attack. Mostly though it is due to not being updated regularly or logins. I have watched first hand a brute force attack on a test site that was not indexed by Google and had no visitors. However, while nothing is ever completely and utterly full proof, there are simple steps to take to avoid the bad things that could happen. Let me share some simple steps anyone can take to keep their online presence safe and secure that require a little bit of time and no coding on your part.

Secure Passwords ALWAYS

A great password is the first line of defense to keep the unsavory people and bots out of your websites. When a bot comes to try to get into a WordPress dashboard, the first thing they try to use when logging in is “admin” and “password” as that combination is the most widely used login STILL. Changing it around to be “Pa$$w0rd” does not make it any more secure either. This is due to the fact it still reads as “password”. Names or anything that will still read as a legible words or phrases are the easiest and quickest hacked passwords.

Typically, all passwords should be at least 12 characters that are illegible, containing upper and lowercase letters, numbers, and special characters. The more characters in the password, the harder it is to break. If you want to test how secure your passwords are, check the How Secure Is My Password checker. This will show you how long it would take a computer bot to break your password. The checker told me that it would take a desktop PC about 377 billion years to crack one of my passwords. That is when you know you have a great password!

Passwords should also be unique to that login and only one login. The more you use the same password, the greater opportunity that it could become found and used against you. Imagine if you used the same password on all logins. It would take a bot or a person less than 5 minutes to find out your email, website, banking, and all of your online information. No one wants that to happen. Again, always use secure and unique passwords. It is also advisable to use a password keeper like LastPass or 1Password to keep your passwords secure, but we will get to that later.

Security plugins can help!

There are many types of security plugins that do a full range of options. You can use more than one security plugin on your site as long as you do not have them set to do the same things. Here is a list of some great WordPress security plugins that are available.

Jetpack – I use the multi-functional plugin Jetpack on all of my sites. They have a few features built in for security measures.

Monitor – Jetpack will notify you when your site goes down and when it comes back up again. Always be in the know when your customers can not access your website.
Protect – Protect used to be a stand alone plugin called BruteProtect. It was one of the highest used plugins to block out brute force attacks. Automattic acquired it last year and now has it built into Jetpack.
Manage – Jetpack’s Manage lets you update your plugins, themes, and core of all of your self hosted websites from one dashboard and gives you the opportunity to have automatic updates.

iThemes Security (formerly Better WP Security) – While iThemes Security is NOT a security firewall, it does give great benefits to securing a website without having to change any the code yourself. They do have a free and a Pro version.

WordFence – While I do love WordFence’s scanner, I typically only have it downloaded to a site when I am double checking to make sure all malware has been deleted. If you feel like your site has been infected, WordFence can detect any WordPress file that has been changed from it’s original form. If you do choose to use WordFence, and you can enable all options, do not run it with iThemes Security, Jetpack’s Protect, or the Sucuri Security as they can cause conflict with each other. If you do choose to use WordFence with iThemes Security, only have the scanner active on WordFence.

SiteLock – SiteLock WordPress Plugin provides complete website security management without leaving WordPress. Users can access their SiteLock Dashboard from within their WordPress back-end, allowing you to focus on what’s most important—your business, your passion, your word.

Sucuri Security – Sucuri has both a Firewall and an AntiVirus that can help block the bad guys and bots out of your website for good. Sucuri has the most widely used WordPress firewall in the industry. You can run the Sucuri CloudProxy Firewall with iThemes Security but get the list of the CloudProxy IP’s from Sucuri to put in your IP WhiteList in the iThemes Security settings.

Two-factor Authentication is a must!

Any login that you can have a two party authentication on, it is always advisable to use. There are different ways this can be set up. There can be a CAPTCHA, a Google Authorization code, or a simple math question to prove that you are a human. With some options now, you can have a choice of fingertip or facial recognition on mobile as well. If you choose to use any of these, make sure that each person accessing the dashboard has their own unique login. Shared logins can cause issues especially if using the Google Authorization code that is sent to a single cell phone.

iThemes Security Pro – Has multiple two-factor options including CAPTCHA. Google Authorization, and simple math.
Two-Factor – Works right out of the box.
Google Authenticator – Uses two-factor authentication by the Google Authenticator app for Android/iPhone/Blackberry.

Always update all the things!

The biggest reason malicious code gets into a website is due to a found vulnerability in code for a plugin, theme, or in an outdated core file. This is easily remedied by having your website on a regular update cycle. Some site agencies and owners will have a set day of the week to update their website, while others will update every time they login. There are plugins that can help keep your sites updated. Please make sure you are updating your site at least once per month. It is recommended to update sites once a week at minimal. We update our sites as soon as they come through however, we do test the updates on a staging server before updating the live site.

Here are some options to help you run your site updates

Jetpack – Handle all of your Jetpack connected sites in one WordPress.com dashboard
ManageWP – A comprehensive dashboard for updating, backups, and security options.
iThemes Sync – Sync up to 10 sites for free so there is one dashboard to update, run BackupBuddy, and unlock iThemes Security lockouts.
WP Staging – Gives you the ability to build a staging site to test updates on before updating your live site.

Always have a backup

There is very little that is more important than having a backup system in place. As long as there is a full backup of the website including the database, you will never lose your website. No loss will ever be permanent. There are numerous ways to backup a website, some are automated, some are manual. It is up to you to decide which way you want to keep them. Do not leave it up to your hosting company unless you have direct access to the backups. If the backups are made with a plugin. always send your backups somewhere other than your server.

Here are site backup services that CSG recommends.

Updraft Plus – They have a free and premium version to backup your website.
Jetpack’s Site Backups – Built into the popular Jetpack plugin
BlogVault – A premium backup service that has white-label options.
BackupBuddy – A premium backup plugin that integrates with iThemes Security and Sync.

Other tips that are equally important

While these do not fit into their own category, they are just as important to remember and to follow.

Always use SFTP when using a file manager if it is available.
Using SSH or WP-CLI is even better!
Never, ever have your files and directories wide open at 777 or 666! That will leave them wide open and executable by everyone. Especially hackers!
Use a complex and unique username and password for your site’s database.
Use a password manager to keep track of your logins. Passwords should never be so easy that you remember them and you should never save them to your browser. LastPass and 1Password are great tools that can be used on all popular browsers and on your mobile devices.
Do not EVER send passwords in an email. Attach them as a zipped text document. You can also use a sharing program like One Time Secret or Password Pusher.
Always have an antivirus on your machine to stop the automatic downloads from a malicious websites. Even if you are using a Mac, have an antivirus active on your machine.
Use a VPN when using public WiFi. There are many good choices out there in every price rage.

Following these simple steps can keep you and your online presence safe. Securing your site today will save you from having to pay to get your site cleaned tomorrow. If you find your site is hacked, Can’t Speak Geek can help you through cleaning a hacked website.

Oh no! My WordPress site got hacked!

It is every single website owner’s worst nightmare to realize that their website has been hacked. Infected sites can wreak havoc for everyone and cause a lot of damage in its wrath. It is a very serious matter that should be tackled as soon as the infiltration has been discovered. However, the first thing to do at this moment, is take a slow, deep breath, and know that your website will be up and running clean once again. Listed below is my step-by-step guide for anyone with an infected WordPress website who is wondering what to do next. [Read more…] about Oh no! My WordPress site got hacked!

The Need For Maintenance

I get asked all the time “what is the big issue with maintenance? My site is online. Why should updating or backing up the site matter?”

First websites are not build them and forget them like many people think they are. Too often when a site is built by someone else, they forget to tell the site owner that there are certain things that need to happen once they turn the site over to the user. This can end in bad news for the site owner later down the road. Maintenance can take just a few minutes each month and can save you a lifetime of headache in the long run.

Backups are essential!

I tell clients and new users all the time “nothing is every permanent if you have a backup.” This should be learned back in the high school paper writing times and then carried with you for the rest of your life. Remember staying up late writing a paper and then closing down your machine without saving to find out the next morning the paper was gone? Imagine that happening when you are working on your website. Any time you are adding a new plugin, editing any of the files, or changing any functionality of the site, it is crucial to make a backup first. This is for when things break, you always have a backup to revert to. Plugins like BackWPUp, BlogVault, Jetpack, and Backup Buddy can help you to setup automatic updates of your site. Just remember to have them sent to a place other than your server for safe keeping. Most plugins have a cloud option or you can have them sent to a Dropbox account or AWS S3 storage canister.

Updates are crucial!

A major line of defense from hackers is updates. Security experts preach often about the necessity of updating a site. They are not wrong.

Updates are made for three reasons.

The Release of New Features
To Fix A Bug/Outdated code
To Fix A Security Vulnerability.

Updating the core, plugin, and theme files when they come through will keep known vulnerabilities at bay. It is always best to update your site on a staging environment to test before making the live changes. If you do not have the option for a staging site, always run a backup before updating for if you need to revert the site back due to conflicts.

Remove any unused plugins and themes

It goes along with the old saying, “if you are not going to use it, get rid of it.” If there are plugins that are sitting in “deactivated” mode, it is best to delete them and then re-add them when you need to use them again. The WordPress Plugin Repository has a fantastic feature where you can save your most liked plugins as “favorites” in your profile. That way you never have to search for the ones you like to use.

As for themes, it is best practice to only keep the theme in use and the most recent WordPress default theme to use for conflict checks if needed. All the other plugins should be removed from your site.

Inspect your site regularly

You know your site better than anyone else. Take the time to look at the front end of your site to ensure that everything is working properly. Definitely do this after running updates on your site. Look for any console and visual errors on your site. Doing this regularly can close the gap from any issues on your site being noticed by your visitors before you know they are there.

Change Your Password

With all passwords, you should be changing them every 6 months to a year. Your password is your first defense at keeping unwanted people out of your site. You can see more of what Can’t Speak Geek thinks about passwords by reading Preaching About Passwords. Also, make sure your passwords are unique and not easily remembered. The harder to remember, the harder it is for password crackers to guess.

Keep up with the commenting

Spam comments can fill up a database very quickly these days. Using something like Akismet can keep unwanted comments off your site and out of your database. It is still good measure to check on your comments often and approve them to share the conversation on your blog posts.

Check your forms

Your forms are what can connect a first time visitor of your site into becoming a customer. If your forms are not working, then your leads from your forms will stop as well. We recommend making a test submission to your forms monthly to ensure they are working properly.

Test your e-Commerce portals

Every so often, we recommend monthly, run a test purchase through your site. The last thing you want is to find out you have lost sales due to your checkout not working. If you are testing your checkout on a regularly basis, you will know before your customers do if something is wrong and can fix it before you lose any sales.

Performance Testing

How is your site holding up? Make sure that it is not suddenly slowing down or performing horribly due to changes on your site. Google still looks at site speed as a very important piece of where you will be in their list. I suggest using Pingdom and GT Metrix for performance testing.

Put 404’s to rest along with Broken Links

If a user tries to go to a place on your site that does not exist, it will cause a 404 to happen. Now, 404 errors that happen because a reader accidentally mistyped an address are normal and nothing to be worried about, but when 404 errors happen due to a page that is no longer available can cause bad user experience and people to leave your site.

Broken links happen when you have links to outside sites that no longer work. We see this often when linking to other blog posts and/or YouTube videos.

It is a good measure to check on 404’s and broken links to ensure that all links work on your site. The plugin Broken Link Checker does. great job in taken care of both issues. If you need to make redirects for your site, I would recommend the plugin Redirection.

These basic maintenance steps are essential to keeping your site online and running properly. Site maintenance is key. In the event you would rather have someone else to take care of the maintenance of your site, there are companies that can help. Companies like WP Site Care, 13Core, and WP Buffs can help you with updates and backups so you don’t have to.

What I have found to handle GDPR Requirements

The EU’s GDPR (General Data Protection Regulation) is coming up pretty quick. May 25, 2018 will be here before you know it. This law was actually approved back in April 2016 however had a grace period of two years before it went into full effect. Trying to understand all of the information out there is about like trying to understand tax laws with its 11 chapters and 99 articles. Most of the time it leaves you cranky and your head throbbing.

The quick rundown of GDPR

Identifiable data is protected. Any data that can be used as identifiable for a visitor falls under the GDPR. This includes and not limited to name, email address, sex, race, age, address, phone number, and birth date.
It requires that consent is given. If you have the opt-in box checked by default, you need to change it so it is unmarked by default.
Parental consent will be required to process any and all personal data of children under the age of 16, can vary per member state in the EU (country) but it will not be below the age of 13.
It gives the visitor the right to know what information is being stored about them and why it is being stored.
It gives visitors the right to have their information to be removed at their request.
If any data is ever lost, stolen, accessed without permission, the authorities must be notified within 73 hours of the breach becoming known along with every single person whose data was accessed.
Any new site must be made with privacy in mind. Data requests should be strictly controlled and only given when required.
Data can only be used for the reason it was given at the time it was given. Then it must be securely deleted when the data is no longer needed.
A visitor can request their information at any time, transfer that data, or have it removed.
It also allows national authorities to impose fines on companies breaching the regulation.

While this is an EU law, it affects every single person on the web in one way or another. For all of us in the United States who feel that the DGPR does not apply to them, the first thing you need to know is that if your site has a form, e-commerce, blog subscription, comments, or even a contact me, you will need to have your site GDPR compliant. If your site can be reachable by someone in the EU and it is collecting any type of information, that means you! Also, please do not consider just blocking EU IP addresses as that does not really work either. With the help of VPN’s, your site can still be accessible to the EU and still falls in the realm of the GDPR regulations. If you fail to comply, the EU can still fine you up to €20 million per infringement or up to 4% of the annual worldwide turnover. That can put a small site/business out-of-order.

What you can do to become GDPR Compliant

First things first, please take a look at the information you are collecting. Inspect your forms, checkout pages, comments, Google Analytics, IP addresses, etc. Make sure you cover all the ways you collect information in your Privacy Policy.

Now, most of you already have a Privacy Policy on your site, or at least I hope you do. You can find my standard one here. I have adopted two now though as the other is the GDPR complaint Privacy Policy. Please make sure you review your Privacy Policy to ensure it is compliant.

If you have any opt-in boxes or forms with boxes, you must ensure that they are UNCHECKED by default.

Another item that all sites will need is a Data Viewing and Removal option for visitors. You can find mine on the GDPR Personal Data page. A visitor to your site will now be able to remove their data from your site at any given time.

If you have questions, talk to a lawyer. Find one that is well versed in GDPR. In the long run, it is always better to pay a lawyer a few hundred dollars than possibly millions in fines.

Tools to make compliance easier

In my research of how to handle the GDPR changes for my clients, I have found two options to assist in being GDPR compliant.

First, if you do not have a Privacy Policy on your site and you have no idea where to start, then I suggest this plugin: GDPR Framework. The first thing I noted with this plugin is you must be on at least PHP version 7.0 on your server. It is very easy to set up and gives you a compliant Privacy Policy. It is what I used to build the GDPR complaint Privacy Policy I have on Can’t Speak Geek. It also has the data removal form built-in as well. You will need to make both pages (Privacy Policy and the removal form page) but GDPR Framework will build the content for you. The data removal tool is auto built via a short code.

If you already have a rockstar of a Privacy Policy and just need the data request and tracker then I suggest using the plugin GDPR Compliance. It seems to be the most stable and is well supported. Their UI is very user-friendly and it will scan your site for any items on your site that needs attention to be GDPR Compliant. The plugin currently supports Contact From 7, Gravity Forms, WooCommerce, and WordPress Comments and claim on their site to support more at a future date.

Both plugins are free in the WordPress plugin repository and easy to configure. Please do your due diligence before choosing any option to become GDPR Compliant.

TL;DR: Get your website ready for GDPR. If you have questions, ask someone. Don’t just sit back and do nothing. It could become a very costly issue.

DISCLAIMER: Using my guide does not guarantee compliance to GDPR. This post gives you general information and ideas, but is NOT meant to serve as complete compliance package. Compliance to GDPR is a risk-based ongoing process that involves your whole business. Can’t Speak Geek is not eligible for any claim or action based on any information or functionality provided by this post or this website.

Passwords, Attacks, and Security oh my!

Michele got the chance to talk Beginner’s WordPress Security at WordCamp Montreal this weekend. WordCamp Montreal is always a great camp to go to and always has a great lineup of speakers.

Here are the slides from Michele’s talk.