security – Iceberg Web Design
https://www.icebergwebdesign.com

Answering log4j Vulnerability Questions
https://www.icebergwebdesign.com/2021/12/answering-log4j-vulnerability-questions/
Fri, 17 Dec 2021 17:35:21 +0000

Is my Website Impacted By The log4j Vulnerability?

You may have seen news about the recent log4j vulnerability. We’re hoping to provide a brief explanation and help you ensure that your website is safe and secure.

log4j is a component for Java servlets. If your website is using WordPress, it is using PHP as its server-side language (not Java). Most smaller WordPress websites themselves will not be affected by this vulnerability; however, websites with third-party integrations and plugins may be using software that relies on Java.
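One way to check whether a site's files include a bundled Java component that ships log4j is sketched below. It is an added example, not code from the original post. It walks a directory tree, opens every .jar/.war/.ear (including archives nested inside archives), and reports any copy of log4j-core along with the version recorded in its Maven metadata. The sample tree, plugin name and version string are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# Entries that identify log4j-core inside a Java archive.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear")
MAX_DEPTH = 3  # how far to follow archives nested inside archives


def inspect_archive(zf, label, findings, depth=0):
    """Record log4j-core evidence in one archive, then look inside nested archives."""
    names = zf.namelist()
    version = None
    if POM_PROPS in names:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
        for line in text.splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        findings.append({"archive": label, "version": version, "jndi_lookup": has_jndi})
    if depth >= MAX_DEPTH:
        return
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, label + "!" + name, findings, depth + 1)
            except zipfile.BadZipFile:
                continue  # not a real archive despite the extension


def scan_tree(root):
    """Return one finding per archive under root that contains log4j-core."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if not fname.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, path, findings)
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable or corrupt file: skip it
    return findings


def build_sample_tree(root):
    """Constructed sample: a PHP plugin folder that bundles a hypothetical Java service."""
    plugin = os.path.join(root, "wp-content", "plugins", "example-search")
    os.makedirs(plugin)
    with open(os.path.join(plugin, "example-search.php"), "w") as fh:
        fh.write("<?php // plugin code, not Java\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(POM_PROPS, "artifactId=log4j-core\nversion=0.0.0-sample\n")
        jar.writestr(JNDI_CLASS, b"")
    with zipfile.ZipFile(os.path.join(plugin, "search-service.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-sample.jar", inner.getvalue())
    return root


def scan_sample():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for item in scan_sample():
        print(item["archive"], "version:", item["version"], "JndiLookup:", item["jndi_lookup"])
```

Any version the scan reports should be compared against the vendor's current advisory for the component that bundles it.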

The best way to protect your website from any vulnerabilities is to ensure that your website software and all plugins are up-to-date. If you are concerned about this vulnerability, or future potential ones, our recommendation is to update your website software to the most recent, stable versions.

At Iceberg, we take security vulnerabilities very seriously, and have maintenance plans in place to ensure our customers’ websites remain secure.

If you need website help, or have questions about your website’s security, you can always contact our team online or give us a call at 763-350-8762.

Update On Chrome’s HTTPS Requirement: Firefox Takes The Lead!
https://www.icebergwebdesign.com/2017/10/update-chromes-https-requirement-firefox-takes-lead/
Mon, 09 Oct 2017 20:52:14 +0000

A few weeks ago, we published a blog post on HTTPS, and Google Chrome’s plan to start displaying warnings on their browser when users enter information into a form on a website that is not running under a Secure HTTPS SSL Certificate.

Google notified website owners of this important change via Google Search Console and through a series of e-mails to webmasters. Many businesses were scrambling to get their websites converted to HTTPS – a development task that could take many hours, depending on the size of the website being converted.

Back Up. What is HTTPS Again?

In technical terms, HTTPS (HTTP over SSL) is the use of Secure Sockets Layer (SSL) as a sublayer under regular HTTP application layering.

In other words, HTTPS is a secure connection between a website and your computer. Information passed between your computer and a website running under HTTPS is encrypted before it is sent, and information coming from the website to your computer is encrypted as well. On an HTTP connection, information is not encrypted.

This is important, because if the connection between your computer and a website is intercepted, or somehow picked up by a third party, sensitive information could be viewed by the person or software application looking in. Putting your name, e-mail address, phone number, credit card numbers, password, and other information into a non-HTTPS website could, potentially, put you at risk for identity theft.

IP With Ease has a few graphics that make the distinction clearer:

[Image: HTTP vs HTTPS]

Google’s Deadline: “October”

Google wasn’t incredibly clear about when the “HTTPS doomsday” would hit, but they did reference a few different dates for HTTP treatment. This isn’t news – Google has been telling business owners since September of 2016 that this change was inevitable.

Now that October is here, the staff at Iceberg Web Design has been monitoring non-HTTPS web pages to see if we can highlight the changes. Surprisingly, Firefox seems to be ahead of Chrome with their non-secure warnings!

Current Behavior: Google Chrome

Published on October 9, 2017 – current/most recent Google Chrome version on macOS Sierra is 61.0.3163.100

When visiting a website running under http:// with a contact form, the Google Chrome browser’s address bar prominently displays “Not Secure”. This is the same behavior that Chrome was exhibiting in September.

[Image: Google Chrome address bar, October 9, 2017]

We anticipate this warning will change in the coming weeks, as Google indicated in their blog post from September 2016:

[Image: Eventual treatment of all HTTP pages in Chrome]

Current Behavior: Firefox

Published on October 9, 2017 – current/most recent Firefox version on macOS Sierra is 56.0

Interestingly, Firefox has actually taken a firmer approach to HTTPS than Chrome has. When visiting a website running under http:// with a contact form, Firefox’s address bar looks like this:

[Image: Firefox address bar, October 9, 2017]

A little bit more noticeable than Chrome’s warning, we think. Firefox takes this one step further: when entering a password into a password form on a non-HTTPS website, there is an AJAX pop-up warning the website visitor that their connection is not secure. Here is a visual of what that looks like:

[Image: Firefox page-not-secure warning]

Current Behavior: Safari

As far as we can tell, there are no indications on Safari that a website running under HTTP is not secure.

 

Now What?

It seems the Internet is still slowly catching on to Google’s requirement. Most well-known brands moved their websites to HTTPS early in 2017, if not even before (Facebook moved to HTTPS way back in 2013). But not all large websites have made the switch – IMDb, for example, is still just running under HTTP. We speculate that the reason they haven’t yet made the switch is because they have such a massive website, pulling in a lot of ads and media files. For a website to function entirely under HTTPS, all embedded media must, in turn, be hosted under HTTPS.

Questions About HTTPS?

Some of this is pretty technical. We’re happy to answer any questions you have – just drop us a line to support @ icebergwebdesign.com, or give us a call at 763-350-8762.

Say Yes to HTTPS
https://www.icebergwebdesign.com/2017/08/say-yes-https/
Mon, 21 Aug 2017 20:36:51 +0000

For most of 2017, HTTPS has been a hot topic in the tech world. In June we posted the nitty gritty details of the secure version of the HTTP protocol. Today we are here to tell you that the HTTPS train continues to gain speed and it’s time to hop on board.

Beginning in October, the Chrome browser will display a “NOT SECURE” warning when users enter text into a form field on a website using HTTP. This means any website with a simple contact form will be labeled insecure. This is part of Google’s long-term plan to communicate the connection security of websites.

As users become more and more aware of these types of notices (most browsers already display a green lock for HTTPS sites) and browsers throw more and more warnings, the benefits of switching to HTTPS begin to easily outweigh the costs. HTTPS is very quickly becoming essential for your website.

How do I migrate my website to HTTPS?

  1. Obtain an SSL certificate. At Iceberg we offer a shared SSL certificate free to all current hosting customers.
  2. Update all internal links that link to other pages within your website.
  3. Put 301 redirects in place as necessary.
  4. Ensure any embedded content is also using HTTPS.

As always, we are happy to answer any questions you have. Give us a call at 763-350-8762.

The Nitty Gritty on HTTP vs HTTPS
https://www.icebergwebdesign.com/2017/06/nitty-gritty-http-vs-https/
Thu, 15 Jun 2017 15:51:37 +0000

If you’ve been paying attention to website trends, you’re likely seeing more and more websites using HTTPS and you’re probably wondering about your own website. Before you decide what’s right for you, it is important to understand the difference between HTTP and HTTPS, and what is behind all the chatter about security and Google rankings.

Let’s start with the basic technology. HTTP (Hyper Text Transfer Protocol) refers to the protocol used to transfer information back and forth between your web browser and the server where the website, and all of its associated files, lives. A normal visit to a website includes hundreds of transmissions back and forth as you click links to request pages and your browser receives the information requested and arranges it on your screen. For a website using HTTP, your browser really doesn’t care how the information gets transferred back and forth.

In contrast, HTTPS implements an additional, secure protocol called SSL to transfer information back and forth (hence the “S” on the end). All the data transferred is encrypted with a security code uniquely established between your browser and the web server, so no other parties can intercept and access the information. An SSL certificate is implemented by the web host and validates the identity of the website.

If your website is transferring sensitive information, such as credit card numbers for online purchases or personal information for banking or medical purposes, then you clearly need to have a valid SSL certificate and ensure all traffic uses HTTPS. But what about small business websites? Does it make sense to just encrypt everything all the time? Here are a few factors to consider if you are thinking of making the move to HTTPS.

1. The cost of the SSL certificate

Depending on where your website is hosted, there may be an annual cost for an SSL certificate, and it could be in the form of a dedicated certificate and IP address, or a shared SSL certificate in a shared hosting environment. At Iceberg Web Design, most of our custom web development projects come with a free shared SSL certificate. Many existing Iceberg customers can add on an SSL certificate to their hosting plan at no additional charge.

2. Time required for updating internal links

Your website likely contains many links that lead to other pages within your website. Any links that contain the full URL of your site will need to be updated to the https:// URL. Depending on the size of your website and number of links, it may take up to several hours of development time to fully check the site, update the links, and add any necessary redirects.

3. Embedded content

If you restrict your website to a secure protocol, that protocol also requires any embedded content in your website to also be served over a secure connection. For example, if you have a page on your website that uses an iframe to pull in content from an external source, that source also needs to use the HTTPS protocol.
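The link and embedded-content checks described above (and in the migration steps of the “Say Yes to HTTPS” post) can be automated per page. The following is an added example, not code from the original posts: it parses a page's HTML and separates internal links that still use the full http:// URL from resources that would be loaded or submitted over plain HTTP. The sample page and the example.com/example.net/example.org hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute makes the browser fetch a resource into the page.
EMBED_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "object": "data",
}
# <link rel=...> values that load a resource (unlike rel="canonical").
LOADING_RELS = {"stylesheet", "icon", "preload", "manifest"}


def parse_url(url):
    try:
        return urlsplit(url.strip())
    except ValueError:  # malformed URL such as an unclosed IPv6 bracket
        return urlsplit("")


def bare_host(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


class HttpsMigrationAudit(HTMLParser):
    """Collects http:// URLs that must change before a page can be served over HTTPS."""

    def __init__(self, site_host):
        super().__init__()
        self.site = bare_host(site_host)
        self.internal_links = []      # full http:// links to the site's own pages
        self.insecure_resources = []  # (tag, url) fetched or submitted over HTTP

    def _is_http(self, url):
        return parse_url(url).scheme == "http"

    def _is_internal(self, url):
        return bare_host(parse_url(url).hostname) == self.site

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "a":
            url = attrs.get("href", "")
            if self._is_http(url) and self._is_internal(url):
                self.internal_links.append(url)
        elif tag == "form":
            # A form posting to http:// sends the visitor's input unencrypted.
            url = attrs.get("action", "")
            if self._is_http(url):
                self.insecure_resources.append((tag, url))
        elif tag == "link":
            url = attrs.get("href", "")
            if not self._is_http(url):
                return
            if set(attrs.get("rel", "").lower().split()) & LOADING_RELS:
                self.insecure_resources.append((tag, url))
            elif self._is_internal(url):
                self.internal_links.append(url)
        elif tag in EMBED_ATTRS:
            url = attrs.get(EMBED_ATTRS[tag], "")
            if self._is_http(url):
                self.insecure_resources.append((tag, url))


def audit_page(html, site_host):
    audit = HttpsMigrationAudit(site_host)
    audit.feed(html)
    return {"internal_links": audit.internal_links,
            "insecure_resources": audit.insecure_resources}


# Constructed sample page for a site hosted at www.example.com.
SAMPLE_PAGE = """
<html><head>
<link rel="canonical" href="http://www.example.com/contact/">
<link rel="stylesheet" href="https://www.example.com/style.css">
<script src="http://cdn.example.net/jquery.js"></script>
</head><body>
<a href="http://example.com/about/">About</a>
<a href="/services/">Services</a>
<a href="http://partner.example.org/">Partner</a>
<img src="//images.example.net/logo.png">
<iframe src="http://maps.example.org/embed?id=1"></iframe>
<form action="http://www.example.com/send.php" method="post"><input name="email"></form>
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_PAGE, "www.example.com")
    for url in report["internal_links"]:
        print("update link:", url)
    for tag, url in report["insecure_resources"]:
        print("insecure <%s>: %s" % (tag, url))
```

Relative and protocol-relative URLs are left alone because they follow the page's own scheme, and plain links to other sites are not embedded content.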

4. Security

A commonly held misconception is that HTTPS will improve the overall security of your website. While HTTPS transmits data more securely between a web browser and web server, it does not provide protection against brute force attacks against your database. A better way to protect your website from hackers is to use complex passwords that change frequently, lock down login if multiple frequent login attempts are detected, and, if necessary, provide an additional layer of protection with htaccess passwords.

5. Google Rankings

With Google including site encryption as a ranking signal in its ever-evolving algorithm, many companies are anxious to make the switch in order to boost their SEO ranking. It is worth noting, however, that this is a very small component of Google’s ranking system, and companies who do not have HTTPS will likely see no negative impact on their rankings over this one issue alone. Frequent updates to content, utilizing social media and having accurate business listings, as well as off-site SEO efforts, are far more important in seeing improved ranking results.

Just like any other business decision, you will need to decide for yourself whether the benefit will outweigh the time and cost required to switch to HTTPS. Contact Iceberg with any questions you have about switching your website to HTTPS. We’re always happy to help!

WooCommerce: The Good, The Bad, And The Ugly
https://www.icebergwebdesign.com/2017/05/woocommerce-good-bad-ugly/
Mon, 15 May 2017 13:23:04 +0000

E-Commerce: Selling Online?

If you decide to sell a product online, you have many options to choose from when looking for software to power your online store.

The most popular website publishing platform today is WordPress. In fact, more than 25% of all websites today are powered by WordPress, with the closest competitors not even coming close. WordPress is popular for a number of reasons. Our website development firm uses WordPress as our primary publishing platform for quite a few reasons:

  • WordPress is Open Source, meaning that the software is, ultimately, free and the license allows you to modify it as you need.
  • Because it is Open Source, WordPress is consistently being updated for features and security.
  • WordPress is fully expandable, with thousands of free and premium add-ons readily available.
  • WordPress is, by far, the most user-friendly website publishing platform for our customers, who don’t need to know HTML to update their website.

Given the global popularity of WordPress, it isn’t surprising that WooCommerce, a popular e-commerce add-on for WordPress, is the leading global e-commerce platform today.

What is WooCommerce?

WooCommerce is a free e-commerce add-on (plugin) that embeds directly into any WordPress website. This cool open source plugin is capable of selling any product straight from your website. When you install WooCommerce on your website, the entire basic online purchasing process is set up for you: product management, adjustable price points, shopping cart, and checkout process.

To add WooCommerce to your WordPress site, simply go to the Plugin section, perform a search for WooCommerce, and download and install. Once WooCommerce is activated, you will be able to edit all of the settings to configure your unique online store and begin selling.

WooCommerce: The Good

Many businesses turn to this popular plugin to implement what would otherwise take many hours of complicated coding and heaps of money to create.

There are a lot of delightful features to the WooCommerce plugin, and it is difficult to create an exhaustive list of all of the great features WooCommerce includes out-of-the-box. Let’s take a look at some highlights:

  • Free: WooCommerce in its basic form doesn’t cost you a dime; many of its add-ons are also free.
  • Lots of Add-ons Available: A variety of free/paid add-ons means WooCommerce leaves no stone unturned. With multiple ways to pay and different types of orders, your customers can have the ability to shop online, create online bookings, or personalize their orders.
  • Easy to Use: This is a plug and play add-on. Once installed, you can simply enter your product information, add your PayPal account, and let it do its thing. It comes with every page template you need for checkout, so you don’t miss any steps in the buyer’s journey. WooCommerce even has an onboarding guide that walks you through the entire process.

From the customer’s vantage point, buying from a WooCommerce-powered website is incredibly smooth. Like any other online store you select your products, shipping, and payment methods. No need to contact the business directly, or go through any hoops – the entire online purchasing experience is streamlined.

  • Adjustable Shipping Rates and Taxes: WooCommerce allows adjustable shipping and tax costs. You enter a flat rate based on the location of your customers and choose if you want to include taxes. You can make some items ship for free and others cost or even base the shipping fee on how ‘bulky’ the item is.
  • Coupon Integration: Got a special? Easily set up online coupons for your customers!
  • Mobile Friendly: Everyone is browsing and buying via their phones these days, which is why it’s important your site is mobile friendly. Of course, your main website needs to be mobile-friendly as well, but WooCommerce is built to perform exceptionally well on mobile devices.
  • Order History, Order Status, Customer Accounts: Shoppers appreciate a website where they can fully manage their orders. WooCommerce makes this easy, with an integrated account section for your customers, and customizable e-mail templates to keep your customers updated about the status of their orders.

WooCommerce: The Bad

No plug-in is perfect; WooCommerce is no exception and has drawbacks you should weigh carefully against your business plan. Long term advantages of using WooCommerce should be as important as the short term—you want this add-on to grow with you, not hinder you. With that being said, there are some things that are not too attractive about WooCommerce.

  • Doesn’t come with themes: WooCommerce’s look and feel is based on your current WordPress theme. This isn’t necessarily a bad thing, if your theme integrates with WooCommerce, and you enjoy tweaking and personalizing your site. However, it will take some time to set the store to your exact tastes. We set up the vast majority of our websites in WordPress and can help customize your WooCommerce installation to match the rest of your website.
  • It’s a Resource Hog: Generally, website hosting plans include specific upload space and resources. WooCommerce can eat up a lot of it so you may have to budget for a better hosting plan.
  • Plugins Slow Down Performance: Incorporating a lot of WordPress plugins can slow down the performance of your site. WooCommerce is no different, especially as it takes up a lot of space and memory.
  • Prices Can Add Up: While WooCommerce includes a lot of features out-of-the-box, many store owners will find that they need to purchase premium plugins in order to achieve the e-commerce website their business needs. WooCommerce has released a number of premium (paid) extensions to improve store performance, and there are hundreds of other online marketplaces and authors with premium WooCommerce extensions available. E-commerce features such as allowing customers to book services, sign up for subscription products, or personalize their products with images or text fields will require the purchase of a premium plugin license. These licenses often run on a per-year subscription basis, and can cost anywhere from $29-$500 per year depending on the feature you need.

WooCommerce: The Ugly 

If you are trying to put together a website without support from a professional development company, WooCommerce may not be the best fit for you. There are many downsides to WooCommerce that are downright ugly – and may be a deal breaker for the average DIY business owner. If you are the type of person who prefers to build your own website, consider these downfalls to WooCommerce before you sink hundreds of hours into building your store.

  • Coding and Scripting Conflicts: While one of the great features of WooCommerce is the ability to customize it with plugins, more often than not two independent plugins written by different authors may clash, and create chaos on your website. This is because most premium WordPress plugins use script libraries to function, which may conflict with the script libraries other plugins are using. We have worked with customers who, for example, have a great website add-on (let’s say a Wish List) on their WooCommerce website, and later wished to add an AJAX sorting plugin. The two plugins conflicted with one another and the site had a host of issues, from PHP and jQuery warnings, to broken page layouts. Unless you are familiar with the languages that WordPress and WooCommerce plugins are written in (PHP, jQuery, JavaScript, and MySQL), you won’t be able to troubleshoot scripting conflicts. You can always hire a professional to assist, but this will come with a high price tag. It’s best to know what you’re getting into before you hit download.
  • Vulnerable to Hacking: WordPress is particularly subject to hacking, as is WooCommerce because they are open source (coding is easily available to everyone). If you use WordPress/WooCommerce we advise that you have a reliable developer and hosting provider who can keep your website updated and is clued in to new security releases.

Is WooCommerce Right For Your Business?

WooCommerce is wonderfully user friendly, and great for online stores. But you must ensure you have the support and help of professionals alongside it if you want peace of mind.

At Iceberg Web Design, our experienced developers can create your WooCommerce store, while making sure that you don’t experience any of the bad or ugly features outlined above. We also offer secure, managed WooCommerce hosting, full support, and we guarantee security updates and virus mitigation should any issues arise.

Why WordPress?
https://www.icebergwebdesign.com/2017/01/why-wordpress/
Wed, 11 Jan 2017 17:49:32 +0000

Choosing a Content Management System (CMS) can be a daunting task. Between Joomla, ModX, Ruby on Rails, Drupal, Concrete5, DotNetNuke, Umbraco, TinyCMS, and WordPress, among others, there are certainly plenty of options to choose from. In this article we discuss why we build a vast majority of our websites in WordPress and what advantages it has over other CMSs.

 

Keep Up to Date on the Latest Technology

One main reason WordPress has kept its market share over the years is the constant improvement of the application. Regular updates to WordPress have added more features that allow users to include all types of content. From Fortune 500 companies, to government institutions, e-commerce businesses and membership websites, many organizations have found WordPress a perfect fit. At this time there are 48,225 plugins for WordPress, allowing nearly endless options for users. Getting these plugins to communicate properly with your website and each other typically calls for hiring a company who works regularly with WordPress and has extensive knowledge of its framework, to ensure design and functionality are implemented flawlessly.

Grow Your Market Share

We use WordPress for a majority of our projects because most of our customers are looking to have a high ranking on Google and the other major search engines. WordPress allows us to use best practices for Search Engine Optimization (SEO), which makes it easier for us to rank our customers’ websites. With the exposure of being found easily on Google, we can help businesses generate a high return on their investment with their web presence. Our main goal is to solve the business needs for our customers and the SEO functionality of WordPress allows us to accomplish this by optimizing their content to rank on Google.

Don’t Let the Hackers Win

In this day and age, cyber security is a top concern of any business that relies on their website to perform. Hackers are continuously trying to find loopholes to break into WordPress websites. Not to worry though, Iceberg Web Design has you covered. With regular updates being released, we stay on top of making sure that your website is updated, working correctly and protected from vicious hackers. These updates are very effective in keeping your website safe as long as you are paying attention to their release. This is why it is important to hire a professional team that works on a daily basis with WordPress and its updates to prevent hackers from disrupting your business.

Content is King in This Jungle

There is a saying, “content is king,” and this rings true for any successful website. To support this mantra, WordPress allows us to integrate different types of multimedia within our customers’ websites. We can then train our clients to update multimedia such as video, audio and text, which allows them to make changes themselves or hire us for a nominal fee. It is important to have good content that keeps your website visitors interested in what you have to offer and in the information that surrounds your products or services. This is key to a healthy website that produces positive results.

Achieve Results

The ability of WordPress websites to capture information from a visitor who wants to take action and talk with someone is a great feature. Building out your sales funnel is important for a business as a whole, and so is the ability to incorporate it into your website to capture potential customers’ information. There are plugins that allow you to export information into email campaigns and incorporate retargeting to stay visible. Being able to incorporate contact forms, squeeze pages and your company’s contact info in a creative way that spurs a “call to action” is one of the reasons why we choose WordPress so often. Consumers want to be able to easily find the content they are looking for, reach out if they want to learn more about your goods and services and oftentimes make purchases directly online. We find that the customizability of WordPress allows us to solve our customers’ business problems on a daily basis. This is why we choose WordPress for 95% of the websites we develop at our Minneapolis website development firm.

 

 

Brute Force Attacks on your E-mail Account
https://www.icebergwebdesign.com/2014/05/brute-force-attacks-e-mail-account/
Wed, 07 May 2014 17:19:30 +0000

Protect your e-mail account from hacking attempts

A few weeks ago we published this article explaining what you can do to help prevent your WordPress Website from being hacked. The article outlines a number of WordPress Plugins and hosting security measures that we use to ensure that our customers’ websites remain free of malware.

But beware – your website isn’t the only password-protected service that can be subject to hacking. Hackers are always on the lookout for a way to break into e-mail accounts, and unfortunately e-mail hacking is something that we see happen from time to time to our own customers.

You’re minding your own business, going about your everyday e-mailing, when suddenly you start receiving hundreds of “Failure Notice” e-mail messages from MAILER_DAEMON, indicating that an e-mail message you tried to send has failed.

It is possible that your e-mail address has simply been spoofed – but another possibility is that your e-mail security has been compromised, and you need to take action to stop the attack. If your e-mail service is through Iceberg, let us know and we can check the server logs to see which is most likely the case, and recommend a plan of action to you.

The big question: WHY? 

Krebs on Security posted an article last summer that explains the value of a typical e-mail account to a hacker.

Many hackers will compromise an account to send out spam messages – either as a way to try to make money, or a way to distribute viruses and malware, which they can in turn use to break into more e-mail accounts.

But your e-mail account gives hackers access to much more than just a means to send messages. Your address book contains a list of contacts with real, working e-mail addresses: more people to add to their mailing list. E-mails from all of your online accounts: Facebook, UPS, Amazon, and your banks, are delivered to you. Your e-mail address is the login you use for Facebook, Google, YouTube – and if you use the same passwords across the web, your hacker now has the key to your personal information here.

Use strong passwords


We cannot stress enough the importance of using a strong password on your e-mail – and all – online accounts. Don’t use your mother’s maiden name. Don’t use your dog’s name. Don’t use sequential numbers, and don’t use the word “password”.

The most common passwords used in 2013 were: “123456”, “password”, “12345678”, and “qwerty”.

These passwords may be easy for you to remember – but they are also very easy for any person to guess, and even easier for a password cracker to guess when trying 200 login attempts per minute on your account.

How does my password get stolen?

There are a number of ways your e-mail password could be compromised. Here are a few:

  • It was easy to guess: If you aren’t using a strong password, then it is very possible for your friends or associates to break into your account just by guessing. A hacker may also try to break into your e-mail account using a dozen or so very common passwords – and if you’re using a password like “password1” they are very likely to succeed!
  • Brute-force attacks: A brute-force attack (http://en.wikipedia.org/wiki/Brute-force_attack) happens when a hacker (usually using an automated script) tries to log into your e-mail account by systematically entering all possible combinations of keyboard characters until the correct one is found. This type of attack can slow a server to a halt, given the sheer amount of traffic that is accessing the email login page. Fortunately, Iceberg Web Design’s hosting servers are constantly checking for this type of attack, and are able to respond quickly by blocking the IP address that the attack is coming from if a brute force attack is suspected.
  • Computer viruses: Some computer viruses and malware scripts have the ability to capture your password, or monitor your keyboard strokes to determine what username/password combinations you are using. We strongly recommend having an up-to-date virus scanning program on all computers you use, and running them on a regular basis.
  • Password crackers: If a hacker is able to get an encrypted version of your password, either through a virus or another security breach, they can run a password cracker script to nail down a match.

 

How do password crackers work?

Your username and an encrypted copy of your password are stolen from your computer – either directly by a hacker, or through a virus or malware script. The password cracker then runs a program on their computer against a dictionary, and uses some basic knowledge of human behavior to continually create passwords until they find a match between the encrypted value they took from you and the value generated from one of their candidate passwords.

So, imagine you used one of the most common passwords out there: your dog’s name with your birth date and a punctuation mark tacked on the end for “extra security”: Bailey79!

A password cracker is going to generate hundreds of millions – if not more – passwords. Since ‘Bailey’ is a fairly common pet name, and people are notorious for combining simple words with numbers and punctuation marks, the cracker will start generating passwords like this:

  • bailey
  • Bailey
  • bailey1
  • Bailey1
  • bailey1!
  • Bailey1!
  • etc…
  • bailey78!
  • Bailey78!

 

And for a cracker that can generate millions of passwords in a few seconds, it isn’t going to take long at all for them to find a match.
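A defender-side check for the pattern described above, as an added example that is not part of the original post: it flags a candidate password that is on the common-password list quoted earlier, is a run of sequential digits, or reduces to a dictionary word once capitalization and leading or trailing digits and punctuation are removed. The word list is a small constructed sample (assumption), and the 12-character minimum is the length this site recommends elsewhere.

```python
import string

# Most common passwords of 2013, as quoted in the post.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty"}
# Constructed sample word list (assumption); a real check would load a large
# dictionary of words, names and pet names.
SAMPLE_WORDS = {"bailey", "password", "qwerty", "summer", "iceberg"}
MIN_LENGTH = 12
_AFFIXES = string.digits + string.punctuation


def meets_composition_rule(password):
    """The usual 'complexity' rule: upper + lower + digit + punctuation."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def is_sequential_digits(password):
    """True for runs such as 123456 or 987654."""
    if len(password) < 2 or not (password.isascii() and password.isdigit()):
        return False
    steps = {int(b) - int(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


def base_word(password):
    """Undo the usual mangling: lowercase, drop digits/punctuation at both ends."""
    return password.lower().strip(_AFFIXES)


def weaknesses(password):
    """Return the list of reasons a password should be rejected (empty if none)."""
    found = []
    if password.lower() in COMMON_PASSWORDS:
        found.append("common password")
    if is_sequential_digits(password):
        found.append("sequential digits")
    if base_word(password) in SAMPLE_WORDS:
        found.append("dictionary word plus digits/punctuation")
    if len(password) < MIN_LENGTH:
        found.append("shorter than 12 characters")
    return found


if __name__ == "__main__":
    for candidate in ("Bailey79!", "123456", "maple-Tractor-quilt-91"):
        print(candidate, meets_composition_rule(candidate), weaknesses(candidate))
```

“Bailey79!” satisfies the composition rule (capital, lowercase, digit, punctuation) and is still rejected, which is the point of the passage: the structure of the password, not its character classes, is what makes it guessable.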

HACKED

What happens next?

Your password has been compromised. A real person – or a computer – now has access to your e-mail account. So what’s next?

If your e-mail has been hacked, then the hacker will likely start using your address to send out massive amounts of SPAM e-mails. One indication that this has happened could be a massive amount of MAILER DAEMON / returned undeliverable e-mails starting to fill up your mailbox. Since the hacker is sending out massive amounts of spam using your account, chances are they are going to be sending junk to addresses that either reject the spam, or that don’t exist – and unfortunately you are the one who is going to receive all of the returned error messages.

Note: a large amount of returned e-mail messages could also be an indication of e-mail spoofing – which is not an indication that your e-mail account has been hacked.

Hosting Server Security:

If we notice that your e-mail address has been compromised, we will temporarily suspend the outgoing mail service to immediately stop the problem. This is one of the security features of our e-mail hosting service. We closely monitor our server logs, and will contact you after we are certain that your account has been compromised.

Reset your password:

If we determine that your e-mail password has indeed been compromised, you will be asked to reset your e-mail password (in some cases, we may reset it for you if we believe that there is a risk to your identity from the hacking). We also recommend having every e-mail password at your domain reset, just as a security precaution.

Run a virus scan:

Since it is very possible that your password was compromised by a virus or malware, we suggest that you immediately run virus and malware scans on all computers in your office, and at home, that you have used to access your e-mail account.

Monitor the mail server:

Once we have determined that the account is no longer compromised, we will re-enable your outgoing mail server. We will monitor the mail server logs closely for a while to ensure that the account does not become compromised again.

Questions? Drop us a line!

If you have any additional questions, please don’t hesitate to contact Iceberg Web Design! We take internet security very seriously, and are happy to answer any questions or concerns you have about your website hosting or e-mail service.

The post Brute Force Attacks on your E-mail Account appeared first on Iceberg Web Design.

“Heartbleed” Bug in OpenSSL
https://www.icebergwebdesign.com/2014/04/heartbleed-bug-openssl/
Fri, 11 Apr 2014 12:32:47 +0000
As you may have heard, a serious vulnerability on the Internet was discovered on April 7th. This bug, known as Heartbleed, is a vulnerability in the OpenSSL library. The newly discovered weakness in OpenSSL would have allowed memory and private information on any affected website or server to be read by virtually anyone on the internet. In other words, if a website were affected, it would be possible for attackers to monitor all communication between the website and end users, and steal data directly from the websites and users. This data could include usernames, passwords, and other sensitive information.

We recommend all internet users reset their passwords on accounts containing sensitive information, such as bank accounts or online stores where your credit card data is saved.

Additional information about the Heartbleed Bug can be found at http://heartbleed.com.

A tool has been released for the public to check their websites as well as sites they visit frequently for the Heartbleed bug. This tool is available here: http://filippo.io/Heartbleed/

Iceberg Web Design takes security on our hosting servers very seriously. We want to assure our customers that this vulnerability is no longer in place on our servers. As soon as a patch was released for the vulnerability, system administrators took immediate measures to secure all servers running OpenSSL. We have confirmed that none of our hosting servers nor accounts have been affected by this vulnerability.

We continue to closely monitor our servers, and there are no signs that any malicious activity occurred as a result of this vulnerability. Although there is no direct threat to your data, it is a general security precaution to have your passwords changed regularly.

Please do not hesitate to contact us directly if you have any additional questions about the Heartbleed bug or your account security.

Secure your WordPress Installation: How to prevent hacking attempts before they even start
https://www.icebergwebdesign.com/2014/04/secure-wordpress-installation/
Wed, 02 Apr 2014 14:57:09 +0000
8 Tips for Keeping your WordPress Installation Secure

If you recently ordered a Content Management Website Development package from Iceberg, chances are your website is powered by the popular Open Source Content Management System, WordPress.

We have been working with WordPress since our business was started in 2005. We have followed the software’s progress as it moved from a blogging platform into a very powerful content management system that is behind some of the most popular websites on the Internet. As of August 2013, WordPress is used by more than 18.9% of the top 10 million websites online.

Unfortunately, as the software’s popularity has risen, so have attempts to exploit – or hack – the software. In this digital age, hacked websites are commonplace. Your own website may have even been hacked at one point.

Iceberg Web Design takes website hacking very seriously, which is why we do all that we can to protect our customers’ websites from being exploited. Though WordPress itself has many security features built in, there are a number of things that you can do to strengthen the admin side of your website even more.

We utilize a number of additional security measures when we develop WordPress websites. From the use of security plugins to common sense practices when setting up your website, keeping the software updated, and strong security measures on our hosting servers, we are doing as much as we can to prevent hacking attempts before they even begin.

Following are 8 security steps that we take to ensure that our customers’ WordPress websites do not fall victim to hacking attempts.

#1: Don’t Use “admin” as Your Login ID

When WordPress was first released, it came with a pre-defined Admin username of – you guessed it – “admin”.

The biggest mistake when setting up a WordPress website: using admin as the username

Many hackers use software that continually tries to log in using one username and hundreds or thousands of password combinations. The most common username used for WordPress hacking attempts is “admin.”

#2: Use A Strong Password

I can recall more than 4 cases over the last 10 years when we helped clean a hacked website because the website owner was using the username and password combination: admin/password.

I don’t think I need to go into detail about how important it is that you choose a strong password for your WordPress login – or all online accounts you have. The more difficult your password is to guess, the more difficult it will be for hackers to gain access to your website. Use a combination of capital and lowercase letters, punctuation marks, and numbers.

If you’re having problems coming up with a password, here is a link to a random password generator you can use (we recommend choosing at least 12 characters for a very strong password!)

#3: Keep the software updated

As soon as software is released, hackers are working around the clock to find a way to exploit it. In turn, the software developers are working to secure the software and prevent hackers.

Every new release of WordPress contains fixes and patches that address vulnerabilities that hackers may find. If you keep your website and plugins running on outdated software for too long, you are running the risk of being exploited.

Keep WordPress Updated

As part of Iceberg’s monthly website hosting service, we update all WordPress websites we develop as soon as we determine the most recent release is stable and compatible with our themes and plugins.

#4: Limit Login Attempts

Have you ever forgotten the password for your e-mail or online bank account, only to try logging in 20 times and eventually be met by a screen telling you that you’ve attempted to log in too many times, and the account is temporarily locked?

A similar security measure works for your WordPress installation. There are a number of plugins that will do this, but the one we use most frequently is called “Limit Login Attempts.”

Limit WordPress Login Attempts

This plugin gives users a set number (default is 4) of attempts to log into the WordPress admin screen. If a user fails to log in after 4 attempts, access to the Admin page is disabled for a set period of time. The plugin checks the IP address of the user attempting to log in, and can be set to ban a computer or IP address completely if the number of failed login attempts becomes excessive.

#5: Get Login Notifications

Another option to keep hacking attempts at bay is to be notified instantly by e-mail whenever someone attempts to log into your website.

The WP Security Login Notification plugin can keep an eye on your website and let you know exactly when people are accessing – and trying to access – the admin side. Every time someone tries to log into the back end, you will receive a notification e-mail that includes the time, IP address, and username that was attempted. You’ll also be notified whether the login attempt was successful or failed.

For websites with a lot of login traffic (e-commerce websites, for example) this may not be the best option. If you have orders coming in frequently, or customers accessing their accounts, you’ll end up receiving a large number of e-mails, one every time a customer logs in. However, for websites with only a few users this plugin is also a great way to keep track of how often your users are logging in to manage content on your website.

If you install a login notification plugin like this one and notice that your website is still receiving multiple failed logins per day, it may be time to consider hardening the WordPress installation with .htaccess protection (the next step).

#6: Use .htaccess Protection on the wp-login.php File

You can add some extra protection to your website by placing a server-level password on your wp-login.php file. Unless you are familiar with password encryption and advanced website editing, this is typically something that you will want to contact your website hosting provider about.

.htaccess protection will add a pop-up box login, which is required before a user even hits the standard WordPress admin login page. This is the strongest level of protection you can place on your WordPress installation: it prevents hacking attempts before they even start. Robots and automated computers scanning the web for insecure WordPress installations will give up on trying to hack your website as soon as they hit the admin file.

htaccess protection on a WordPress Installation

Unfortunately, this strong WordPress protection is not suitable for every website. E-commerce websites, for example, need to allow their customers to access many of the Admin files in order to check out and manage their account. In this case, preventing access to the admin file would also be locking out legitimate customers. Fortunately, utilizing a number of the other options outlined here will still drastically reduce your chances of being exploited.

Iceberg Web Design places this .htaccess protection on all WordPress websites we develop that do not have public customer logins.

#7: Make Daily Backups

One of the features of Iceberg Web Design’s hosting service is that we perform daily backups of all website files, databases, and e-mail accounts. In the unfortunate event that your website has been exploited, we have the ability to quickly revert the site to a pre-hacked version.

There are WordPress Backup Plugins that you can download and install on your own website. However, we recommend also checking with your hosting provider to see if they provide server-level backup services for your site.

#8: Use a Reliable Website Hosting Provider

Choosing a secure, reputable website hosting provider is your first step in ensuring that your website remains hack-free. A huge percentage of exploited WordPress websites are exploited in part because of hosting vulnerabilities.

There are many choices when it comes to website hosting service, and it can be easy to lean towards the company that offers the cheapest solution. Don’t simply choose the cheapest website hosting service you can find – make sure you do your research to find out who is behind the service. “Mega” hosting providers can sell their services for cheap because they have hundreds of thousands of websites on their servers. However, this value hosting can lead to security vulnerabilities in the future.

Iceberg Web Design’s website hosting servers are located at the SAVVIS Datacenter in Boston – one of the most secure datacenters in the world. We also have introduced an additional security measure on our hosting servers to prevent WordPress from being hacked. If our servers detect more than 20 unsuccessful login attempts in 15 minutes, the Admin page of your WordPress installation will automatically be locked for 20 minutes. This will encourage the hackers to move on.

Hosting Server Brute Force Protection
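The lockout behaviour described in tip #4 and in the hosting-server rule above can be modelled as one sliding-window throttle; this is an added example, not Iceberg’s or the plugin’s own code. The class and function names, the per-site keying of the server rule, and the plugin rule’s 20-minute window and lockout are assumptions, and the login traffic is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginThrottle:
    """Sliding-window lockout keyed by site name or client IP (hypothetical)."""

    def __init__(self, lock_at, window, lockout):
        self.lock_at = lock_at                # failures in the window that trigger a lock
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)    # key -> timestamps of recent failures
        self.locked_until = {}                # key -> time the lock expires

    def is_locked(self, key, now):
        return self.locked_until.get(key, datetime.min) > now

    def record(self, key, now, success):
        """Feed one login attempt; return 'blocked', 'ok', 'failed' or 'locked'."""
        if self.is_locked(key, now):
            return "blocked"                  # refused before credentials are checked
        if success:
            return "ok"
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures older than the window
        if len(recent) >= self.lock_at:
            self.locked_until[key] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"


def replay(throttle, key, start, count, gap, success=False):
    """Constructed traffic: `count` attempts spaced `gap` apart."""
    return [throttle.record(key, start + i * gap, success) for i in range(count)]


def server_rule():
    # From the post: more than 20 failures in 15 minutes locks the admin
    # page for 20 minutes. Keyed per site (assumption).
    return LoginThrottle(21, timedelta(minutes=15), timedelta(minutes=20))


def plugin_rule():
    # From tip #4: 4 failed attempts per IP address. The window and lockout
    # lengths are assumed; the post only says "a set period of time".
    return LoginThrottle(4, timedelta(minutes=20), timedelta(minutes=20))


if __name__ == "__main__":
    t0 = datetime(2014, 4, 2, 9, 0, 0)
    print(replay(server_rule(), "example.test", t0, 25, timedelta(seconds=10)))
    print(replay(plugin_rule(), "203.0.113.7", t0, 6, timedelta(seconds=5)))
```

Because failures older than the window are discarded, a legitimate user who mistypes a password a few times an hour never reaches the threshold, while a scripted burst is cut off at the first attempt past it.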

Questions?

Please feel free to contact us if you have any additional questions or concerns about your WordPress installation. We work hard to ensure that our customers’ websites remain free of exploits, and strive to do all that we can to protect them.

If you have any other great tips for securing WordPress websites, please leave them in the comments below!
