hosting – Iceberg Web Design (https://www.icebergwebdesign.com)

Why You Should Keep WordPress Plugins Updated
https://www.icebergwebdesign.com/2021/03/why-you-should-keep-wordpress-plugins-updated/
Fri, 05 Mar 2021 17:40:41 +0000

At times it can feel like your WordPress site is continually needing attention. Between plugins and themes, the updates come one after another. There is an excellent reason to stay on top of those updates—actually, there are three good reasons:

  • Improve Security
  • Fix Bugs
  • Adding Features and Functionality


Improve Security

The best way to improve your WordPress site’s security is to update your WordPress themes and plugins. While you are at it, remove any plugins that you don’t use to minimize the risk of a hacker exploiting them. There has been an uptick in attacks on WordPress sites lately, so it’s a good idea to make it as challenging as possible for hackers to get into yours.

One Customer’s Story of Getting Hacked

We recently worked with a customer whose site got hacked. Thankfully, we found the issue the day it happened and removed all the malicious code. We then had to restore the site, update all security keys and reset all the account passwords, which was time-consuming and expensive for the customer. The plugins were all out of date and the WordPress core was two full versions behind current, so while it is impossible to know precisely how the breach happened, the most likely culprit was the WordPress core being so out of date.

Fix Bugs

Updating WordPress plugins and themes also fixes bugs and general conflicts between plugins. While some people become annoyed when they see it is time to update again, they should feel good about the fact that the developer of the plugin or theme is doing their due diligence to release an update when they have found something that can adversely affect your website either now or in the future.

One Customer’s Story of a Buggy Plugin

Recently, a customer’s form stopped working because the ReCaptcha wouldn’t validate. The issue turned out to be a conflict with the Autoptimize plugin, which is used to make your site faster by optimizing CSS, JS, images, Google Fonts, and more. Seems unrelated, right? But updating the plugin solved the ReCaptcha issue.

Adding Features and Functionality

Updating your WordPress plugins isn’t just about security and squashing bugs. It’s also done to ensure you have the most up-to-date features and functionality available for your website. Developers work hard to create plugins, so reputable developers will release updates when they learn that there is an issue with the plugin they need to fix or improve. Sometimes they even take special requests.

WP Docs

We had used WP Docs on websites to organize forms for customers in the past and liked how it worked. It did lack one thing, however. It didn’t let you sort the documents by date. This was a feature that one of our customers wanted for their website, so our developer contacted the plugin author to see if they could help. They agreed it was a great idea and said they would include it with the next update. Sure enough, when version 1.7.3 was released, sorting the documents by date was part of the premium features.

Updating Your Plugins Is Easy

Why Should You Keep Your WordPress Plugins Updated? Because it can be made super easy! Iceberg Web Design customers can purchase quarterly or monthly maintenance packages and get all their plugins updated and their forms tested regularly by our website professionals. Contact us today to learn more!

 

 

“Heartbleed” Bug in OpenSSL
https://www.icebergwebdesign.com/2014/04/heartbleed-bug-openssl/
Fri, 11 Apr 2014 12:32:47 +0000

As you may have heard, there was a serious vulnerability on the Internet discovered on April 7th. This bug, known as Heartbleed, is a vulnerability in the OpenSSL library. The newly discovered weakness in OpenSSL would have allowed for memory and private information on any affected website or server to be read by virtually anyone on the internet. In other words, if a website were affected, it would be possible for attackers to monitor all communication between the website and end users, and steal data directly from the websites and users. This data could include usernames, passwords, and other sensitive information.

We recommend all internet users reset their passwords on accounts containing sensitive information, such as bank accounts or online stores where your credit card data is saved.

Additional information about the Heartbleed Bug can be found at http://heartbleed.com.

A tool has been released for the public to check their websites as well as sites they visit frequently for the Heartbleed bug. This tool is available here: http://filippo.io/Heartbleed/

Iceberg Web Design takes security on our hosting servers very seriously. We want to assure our customers that this vulnerability is no longer in place on our servers. As soon as a patch was released for the vulnerability, system administrators took immediate measures to secure all servers running OpenSSL. We have confirmed that none of our hosting servers or accounts have been affected by this vulnerability.

We continue to closely monitor our servers, and there are no signs that any malicious activity occurred as a result of this vulnerability. Although there is no direct threat to your data, it is a general security precaution to have your passwords changed regularly.

Please do not hesitate to contact us directly if you have any additional questions about the Heartbleed bug or your account security.

Secure your WordPress Installation: How to prevent hacking attempts before they even start
https://www.icebergwebdesign.com/2014/04/secure-wordpress-installation/
Wed, 02 Apr 2014 14:57:09 +0000

8 Tips for Keeping your WordPress Installation Secure

If you recently ordered a Content Management Website Development package from Iceberg, chances are your website is powered by the popular Open Source Content Management System, WordPress.

We have been working with WordPress since our business was started in 2005. We have followed the software’s progress as it moved from a blogging platform into a very powerful content management system that is behind some of the most popular websites on the Internet. As of August 2013, WordPress is used by more than 18.9% of the top 10 million websites online.

Unfortunately, as the software’s popularity has risen, so have attempts to exploit – or hack – the software. In this digital age, hacked websites are commonplace. Your own website may have even been hacked at one point.

Iceberg Web Design takes website hacking very seriously, which is why we do all that we can to protect our customers’ websites from being exploited. Though WordPress itself has many security features built in, there are a number of things that you can do to strengthen the admin side of your website even more.

We utilize a number of additional security measures when we develop WordPress websites. From the use of security plugins to common sense practices when setting up your website, keeping the software updated, and strong security measures on our hosting servers, we are doing as much as we can to prevent hacking attempts before they even begin.

Following are 8 security steps that we take to ensure that our customers’ WordPress websites do not fall victim to hacking attempts.

#1: Don’t Use “admin” as Your Login ID

When WordPress was first released, it came with a pre-defined Admin username of – you guessed it – “admin”.

The biggest mistake when setting up a WordPress website: using admin as the username

Many hackers use software that continually tries to log in using one username and hundreds or thousands of password combinations. The most common username used for WordPress hacking attempts is “admin.”

#2: Use A Strong Password

I can recall more than 4 cases over the last 10 years when we helped clean a hacked website because the website owner was using the username and password combination: admin/password.

I don’t think I need to go into detail about how important it is that you choose a strong password for your WordPress login – or all online accounts you have. The more difficult your password is to guess, the more difficult it will be for hackers to gain access to your website. Use a combination of capital and lowercase letters, punctuation marks, and numbers.

If you’re having problems coming up with a password, here is a link to a random password generator you can use (we recommend choosing at least 12 characters for a very strong password!)

#3: Keep the software updated

As soon as software is released, hackers are working around the clock to find a way to exploit it. In turn, the software developers are working to secure the software and prevent hackers.

Every new release of WordPress contains fixes and patches that address vulnerabilities that hackers may find. If you keep your website and plugins running on outdated software for too long, you are running the risk of being exploited.


As part of Iceberg’s monthly website hosting service, we update all WordPress websites we develop as soon as we determine the most recent release is stable and compatible with our themes and plugins.

#4: Limit Login Attempts

Have you ever forgotten the password for your e-mail or online bank account, only to try logging in 20 times and eventually be met by a screen telling you that you’ve attempted to log in too many times, and the account is temporarily locked?

A similar security measure works for your WordPress installation. There are a number of plugins that will do this, but the one we use most frequently is called “Limit Login Attempts.”


This plugin gives users a set number (default is 4) of attempts to log into the WordPress admin screen. If a user fails to log in after 4 attempts, access to the Admin page is disabled for a set period of time. The plugin checks the IP address of the user attempting to log in, and can be set to ban a computer or IP address completely if the number of failed login attempts becomes excessive.

#5: Get Login Notifications

Another option to keep hacking attempts at bay is to be notified instantly by e-mail whenever someone attempts to log into your website.

The WP Security Login Notification plugin can keep an eye on your website and let you know exactly when people are accessing – and trying to access – the admin side. Every time someone tries to log into the back end, you will receive a notification e-mail that includes the time, IP address, and username that was attempted. You’ll also be notified whether the login attempt was successful or failed.

For websites with a lot of login traffic (e-commerce websites, for example) this may not be the best option. If you have orders coming in frequently, or customers accessing their accounts, you’ll end up receiving a large number of e-mails, one every time a customer logs in. However, for websites with only a few users this plugin is also a great way to keep track of how often your users are logging in to manage content on your website.

If you install a login notification plugin like this one and notice that your website is still receiving multiple failed logins per day, it may be time to consider hardening the WordPress installation with .htaccess protection (the next step).

#6: Use .htaccess Protection on the wp-login.php File

You can add some extra protection to your website by placing a server-level password on your wp-login.php file. Unless you are familiar with password encryption and advanced website editing, this is typically something that you will want to contact your website hosting provider about.

.htaccess protection will add a pop-up box login, which is required before a user even hits the standard WordPress admin login page. This is the strongest level of protection you can place on your WordPress installation: it prevents hacking attempts before they even start. Robots and automated computers scanning the web for insecure WordPress installations will give up on trying to hack your website as soon as they hit the admin file.


Unfortunately, this strong WordPress protection is not suitable for every website. E-commerce websites, for example, need to allow their customers to access many of the Admin files in order to check out and manage their account. In this case, preventing access to the admin file would also be locking out legitimate customers. Fortunately, utilizing a number of the other options outlined here will still drastically reduce your chances of being exploited.

Iceberg Web Design places this .htaccess protection on all WordPress websites we develop that do not have public customer logins.

#7: Make Daily Backups

One of the features of Iceberg Web Design’s hosting service is that we perform daily backups of all website files, databases, and e-mail accounts. In the unfortunate event that your website has been exploited, we have the ability to quickly revert the site to a pre-hacked version.

There are WordPress Backup Plugins that you can download and install on your own website. However, we recommend also checking with your hosting provider to see if they provide server-level backup services for your site.

#8: Use a Reliable Website Hosting Provider

Choosing a secure, reputable website hosting provider is your first step in ensuring that your website remains hack-free. A huge percentage of WordPress website exploits are due in part to hosting vulnerabilities.

There are many choices when it comes to website hosting service, and it can be easy to lean towards the company that offers the cheapest solution. Don’t simply choose the cheapest website hosting service you can find – make sure you do your research to find out who is behind the service. “Mega” hosting providers can sell their services for cheap because they have hundreds of thousands of websites on their servers. However, this value hosting can lead to security vulnerabilities in the future.

Iceberg Web Design’s website hosting servers are located at the SAVVIS Datacenter in Boston – one of the most secure datacenters in the world. We also have introduced an additional security measure on our hosting servers to prevent WordPress from being hacked. If our servers detect more than 20 unsuccessful login attempts in 15 minutes, the Admin page of your WordPress installation will automatically be locked for 20 minutes. This will encourage the hackers to move on.
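
As an added illustration (not Iceberg's server code, which the post does not show), the lockout rule above can be modelled as a sliding window over failed-login timestamps. The class name, the `example.test` site and the sample events are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class FailedLoginLockout:
    """Sliding-window lockout keyed by any string (a site name or a client IP)."""

    def __init__(self, max_failures, window, lock_for):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lock expires

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        return until is not None and now < until

    def record_failure(self, key, now):
        """Record one failed login; return True if the key is locked afterwards."""
        if self.is_locked(key, now):
            return True                      # rejected while locked, not counted
        recent = self._failures[key]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                 # forget failures older than the window
        if len(recent) > self.max_failures:  # "more than N", as the post words it
            self._locked_until[key] = now + self.lock_for
            recent.clear()
            return True
        return False


def replay(events, policy):
    """Feed (timestamp, key) failures through a policy; return lock start times per key."""
    locks = defaultdict(list)
    for ts, key in events:
        was_locked = policy.is_locked(key, ts)
        if policy.record_failure(key, ts) and not was_locked:
            locks[key].append(ts)
    return dict(locks)


# Rule from tip #8: more than 20 failures in 15 minutes locks the admin page for 20 minutes.
SERVER_POLICY = dict(max_failures=20, window=timedelta(minutes=15), lock_for=timedelta(minutes=20))

# Constructed sample: one failed login every 30 seconds against example.test from 03:00.
START = datetime(2014, 4, 2, 3, 0, 0)
SAMPLE = [(START + timedelta(seconds=30 * i), "example.test") for i in range(60)]

if __name__ == "__main__":
    for site, times in replay(SAMPLE, FailedLoginLockout(**SERVER_POLICY)).items():
        print(site, [t.strftime("%H:%M:%S") for t in times])
```

With the sample events the lock starts on the 21st failure and holds for the following 20 minutes; keying the same class by client IP instead of site name gives a per-address variant.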


Questions?

Please feel free to contact us if you have any additional questions or concerns about your WordPress installation. We work hard to ensure that our customers’ websites remain free of exploits, and strive to do all that we can to protect them.

If you have any other great tips for securing WordPress websites, please leave them in the comments below!
