WordPress is inherently a highly-secure platform. The security team is made up of a number of experts who work hard to deal with security concerns at every new update. However, no site is totally safe, which means there are still vulnerabilities you’re liable to experience.

In this article, we’ll consider five of the most common WordPress security threats and how to prevent them using the best practices. Let’s go!

How We’ve Chosen the Most Common WordPress Attacks

For the purpose of this article, we’ll be basing our advice on the Open Web Application Security Project (OWASP) ranking. Since 2001, OWASP has been an integral part of the promotion of security and trustworthiness online. They are a nonprofit foundation that works hard to improve software integrity on the internet.

The project sets a clear goal of comprehensive data collection and achieves it by leveraging the OWASP Azure Cloud Infrastructure to collect, analyze, and store data contributed. In essence, volunteers can simply contribute data by sending a CSV/Excel file by email or uploading it to a contribution folder.

OWASP uses this data collection and analysis system to compile a list of the Top Ten security risks sites encounter regularly. With about 275 local chapters worldwide, the project has grown a reputation for helping organizations to develop and maintain trustworthy software applications.

The 5 Most Common WordPress Attacks (And How to Prevent Them)

If your WordPress site’s security is a priority, this list will help you to know the attacks to look out for and how to prevent them. Let’s begin!

1. Injection Flaws

The most prominent vulnerability you’re likely to encounter on your WordPress site is a code injection flaw. You mostly experience an injection when your site lets users enter data through a vulnerable entry point, such as a contact or login form.

When the data entered is not ‘validated’, you can be susceptible to this attack. SQL injections are the most common but other types such as NoSQL, OS, and LDAP injections may also be an issue.

Injection flaws often lead to access denial, data loss and corruption, disclosure to unauthorized parties, and even total host takeover.

The best approach to prevent injection involves separating commands from queries on your site. WordPress developers can use certain SQL controls such as LIMIT to prevent this. Site owners can also take advantage of security plugins (such as Malcare) to keep their websites protected.

2. Broken Authentication

Broken authentication occurs when there’s a vulnerability in the implementation of identity and session controls. The strength of a site’s authentication control is highly dependent on session management.

If this is not implemented properly, hackers can compromise your keys, passwords, and session tokens. In most cases, you may end up suffering identity theft, social security fraud, and disclosure of highly sensitive information.

If you want to minimize the risk of broken authentication, you should implement multi-factor authentication on your site. What’s more, look to replace the default credentials you’re given when creating a new WordPress site. Weak password checks should also not be an option, especially for admin users.

3. Cross-Site Scripting (XSS) Attacks

Very similar to injection attacks, XSS attacks occur at entry points into site – such as user input fields. These attacks happen when automated applications detect any form of XSS on your site. It can be exploited to sneak untrusted data into a new page that lacks proper validation or an existing one through user-inputted data.

Cross-site scripting lets the attacker execute code remotely within the victim’s browser. This way, they can either steal their credentials or deliver malware. You can prevent an XSS attack by making use of two strategies.

The first strategy is to ensure that network requests generated from one page doesn’t gain access to data on another. Likewise, your website must be able to differentiate between regular input and malicious code. Frameworks such as React JS escape this attack by design.

Generally, preventing XSS attacks starts with good development practices. For a site owner, choosing a strong, secure theme is vital.

4. Sensitive Data Exposure

Sensitive data exposure can be considered a data breach. When sensitive data is being transferred or stored on your site, you must put adequate measures in place to ensure that hackers can’t lay their hands on it. Otherwise, if exposed, attackers can steal passwords, credit card details, session tokens, and much more besides.

Apart from putting your own sensitive data at risk, your site visitors can also be victims. This is why you must do your best to keep data secure on your site.

In a bid to escape this type of attack, it is important that you never store data in plain text or accept data sent over non-HTTPS connections. For site owners, a suitable SSL certificate can help you encrypt the most sensitive data across networks.

5. XML External Entities (XXE)

This type of attack arises due to old or poorly managed eXtensible Markup Language (XML) processors. These evaluate references to external entities within XML documents. In the process, an attacker can exploit an incorrectly configured XML parser that accepts XML directly or through XML upload. In other words, they can now access any XML input that makes references to external entities.

XXE can be used to execute a Denial of Service (DOS) attack, extract your data, or even implement a remote request from your server as well. Developer expertise goes a long way in identifying and dealing with XML external entities.

To prevent this attack as an end user, you’ll want to keep your core WordPress installation up to date. XXE concerns are usually at a fundamental code level, and are patched during version updates of core software.

Conclusion

While the core WordPress software is continually updated to mitigate major security threats, plugins and themes can be a major source of concern for users – especially if they’re poorly coded. In essence, the more attention you pay to your site’s security, the less the probability of having to deal with these issues.

In this post, we’ve looked at five of the most common WordPress attacks today. Let’s recap them quickly:

1. Injection flaws
2. Broken authentication
3. Cross-site scripting (XSS) attacks
4. Sensitive data exposure (SSL Certificates can help avoid this)
5. XML external entities (XXE)

The post The 5 Most Common WordPress Attacks (And How to Prevent Them) appeared first on GIWS Blog.

With the increasing menace of hackers online, web security has become an even hotter topic than ever before. This is why you’ll want to provide secure authentication and encrypt all connections on your web development projects, along with following other best practices.

In this post, we’ll share a web security checklist for developers to help foolproof your applications. However, we’ll first quickly examine why security should be a top priority. Let’s get started!

Why Web Security Is Important in Development

It’s estimated that a cyberattack occurs somewhere on the internet every 39 seconds. What’s more, about 68 percent of business leaders feel their cybersecurity risks are increasing. When malicious software infects a website, it can easily gather data or even hijack all its computer resources.

In other words, attackers can gain access to sensitive data that belong to both existing and new site visitors. Apart from stealing their information, automated hacking tools can also infect computers. Due to the thousands of new malware created daily, you’ll need to stay at the top of your game to keep your site – and your clients’ – continuously protected.

The financial impact of web attacks is significant as well. It’s generally way more expensive to carry out a site cleanup that it is to keep online assets protected. Since a lot of user information is at risk during cyberattacks, companies stand to lose huge sums of money in the process.

In fact, data breach costs are now said to exceed 20 percent of a business’ revenue on average. It’s also believed that cybercrime will cost the world approximately $6 trillion dollars by 2021. Even if you manage to contain the financial and technical damages caused by cyberattacks, your customer base will still be affected negatively.

On average, it takes about 314 days to fully contain a data breach. Your site may be down most of this time and your customer loyalty and credibility will take a significant hit. Some organizations lose as much as 20 percent of their customer bases in the process.

With all these important factors at risk, it becomes imperative to pay close attention and protect your projects. Let’s consider the standard web security checklist we recommend you follow in order to maintain a tight ship.

A Security Checklist for Web Developers (5 Points)

Building your clients’ websites with security in mind will save you, your clients, and their sites’ end-users a great deal of trouble. Here’s a five-point web security checklist that can help you keep your projects secure.

1. Choose a Secure Web Host

The security of your websites and applications begins with your web host. It’s almost impossible to have a secure project if your provider doesn’t use hardened servers and properly managed services.

When choosing a web host, it’s important to compare your options based on how well they manage their servers and what tools they offer to safeguard your projects. Although it’s almost impossible to offer 100 percent assurance, a secure provider will generally provide the following:

• Secure Operating System (OS) and software
• Reliable backups and restore functionality
• Support for Secure Sockets Layer (SSL) protocol
• Industry-standard uptime
• Malware scanning and protection
• Distributed Denial of Service (DDoS) attack mitigation
• Firewall implementation

Typically, web hosts enlist SSL certificates as one of their main offers. This feature is critical for encrypting the connection between your website’s server and visitors’ browsers. Another feature your web host must include is the ability to scan for malicious software.

For e-commerce site owners, it’s important to consider your web host’s compliance with the Payment Card Industry (PCI) security standard. This protects customers’ information for all types of card payments. If your host does not support it directly, then it must be compatible with other third-party providers of PCI-compliant shopping cart APIs.

2. Encrypt All Connections and Secure User Logins

Once you’ve chosen a secure web host, the next point you need to consider is encrypting all your connections. This is especially important for websites that require any form of registration or transaction.

As we already mentioned, using an SSL certificate is a prime place to start. You can further secure your site by implementing Hypertext Transfer Protocol Secure (HTTPS).

Protecting pages requiring authentication should also be a major priority. Incorporate a highly protective password standard that requires users to register with secure credentials.

It is also important to store passwords on your site using strong encryption. Technologies such as ‘bcrpyt’ make it impossible to retrieve passwords in the event of a data breach.

Likewise, if auto-registration is enabled on your site, be sure to provide only unique, unpredictable usernames. Other equally important factors to consider include OAuth implementation and password reset tokens.

3. Use a Web Application Firewall (WAF)

A WAF is an extremely powerful tool that can save you and your business a great deal of hassle. It’s very useful for detecting and preventing attacks, especially from automated bots.

The primary use of a firewall is to monitor Hypertext Transfer Protocol (HTTP) traffic, which is significantly more susceptible to security risks than HTTPS traffic. Our ModSecurity firewall and similar tools efficiently mitigate common attacks such as SQL injections, Cross-Site Scripting (XSS), cross-site forgery, and more.

In essence, when you deploy a WAF, a shield is generated between your web application and the internet. Every web client must pass through it before reaching the server. A set of pre-defined rules filters out malicious traffic and protect sites from vulnerabilities.

4. Keep Your Database Secure

Another security loophole hackers can easily exploit is the website database. Typically, you’ll have to store a lot of information (about your business and customers) on your web application’s server. However, make sure to store only the data you truly need.

Always treat sensitive data such as credit card details, email addresses, and other identifying information as carefully as possible. It can become costly if mismanaged. As a rule of thumb, endeavor to encrypt all data that identifies users.

Some low-cost options to consider include encryption at rest such as Amazon’s AWS Aurora. This will efficiently secure on-disk data. Similarly, you may want to curate a list of all the tools you use for storing client information. This may include databases, document systems, GitHub, Dropbox, and more.

If you or your business is subject to the General Data Protection Regulation (GDPR), you’ll want to dedicate time and resources to fully comprehend and adhere to its requirements. Google lost a whopping $57 million thanks to this in 2019. These policies may apply differently to various web development projects.

5. Try to Hack Yourself

The last box you need to tick on this web security checklist is to try to hack your own project. Since this is what attackers and their bots aim to do, the best way to stay ahead of them is to try it first. Hacking yourself is a way of self-auditing your web applications to see how they fare against common cyber attacks.

You can start by performing penetration testing. Also known as a ‘pen test’, this involves attempting to breach your application systems (APIs, servers, etc.)

Even after testing your own app, you may also want to run it by other developers and beta users to explore its functionality beyond normal use. You can consult this detailed Open Web Application Security Project (OWASP) checklist to see various ways to test your projects.

Conclusion

For every business to be truly profitable on all online platforms, top-notch security is an important factor that must be catered to. As a web developer, it’s your duty to deliver this on all your projects.

Let’s take one more look at the important points you’ll want to bear in mind to secure your web development projects:

1. Choose a secure web host.
2. Encrypt all connections and secure user logins.
3. Use a Web Application Firewall (WAF).
4. Keep your database secure.
5. Try to hack yourself.

Are you currently facing any security challenges on your website? Check out our other blog posts and knowledge base for more tips!

Featured Image Credit: Unsplash.

The post A Security Checklist for Web Developers (5 Points) appeared first on GIWS Blog.

What is FTP?

File Transfer Protocol (FTP) is a network protocol used to transfer files between computers over the web. Users granted access can receive and transfer files in the FTP server known as the FTP host/site.

FTP provides basic, unencrypted file transfer capabilities to connect users over the internet. Developed in 1971 and thoroughly used throughout the 90s, this file-sharing option is now an archetype of the past, replaced by SFTP and SSH.

The thing is, FTP wasn’t designed to be secure and has many security vulnerabilities like:

• Packet Sniffing. FTP is plain text which means it’s not encrypted. All transmissions, logins, passwords, and data are readable by anyone on the network.
• Brute Force Attacks. Because FTP isn’t encrypted, it’s highly susceptible to hackers systematically checking frequently used passwords until the correct password matches.
• Anonymous FTP Vulnerabilities. Anyone can access older or anonymous FTP servers without needing a username or password.
• Port stealing. Hackers can guess the next open port or use a PORT command to gain access as a go-between.

FTP doesn’t provide any safeguards preventing even the most inexperienced of hackers. Additionally, federally compliant organizations or networks can’t use FTP because of its lack of security. In fact, in 2017, the FBI issued a notice and warning about the potential for data breaches in the healthcare system for organizations using FTP.

How to Secure Your Data

Easy, don’t use FTP. Seriously. There are other protocols like SFTP, FTPS, and HTTP. SFTP (Secure File Transfer Protocol) is the refreshed, secure version of FTP.

Other ways to keep your data secure:

• Frequently update your protocols. Attacks over protocols occur when you slack on updating your system.
• Install an SSL (secure socket layer) certificate. SSLs encrypt the data on your website.
• Use 2FA (two-factor authentication). Minimize the chances of hackers breaching your server.

There’s definitely a time and a place for using FTP. An FTP server allows you to organize your files, provide access to other users to download these files remotely, and also set permissions for what users can and can’t do to your files. If you choose FTP, we recommend having your own private FTP server with a strong password. This way, you can transfer your files easily, but without security concerns.

Despite its security concerns, FTP remains available for file sharing but isn’t recommended for most uses. When using FTP, ensure you’re following every security protocol possible and consider using other alternatives like HTTPS or SFTP.

The post Is FTP Secure? The Complete Breakdown of FTP Hosting and If It’s Right for You appeared first on GIWS Blog.

Fortunately, by implementing some simple security tactics and performing regular checks, you can make your site much less vulnerable to attack. This can help you avoid losing customers, traffic, revenue, or confidential information due to a preventable security breach.

In this post, we’ll discuss why protecting your WordPress site is more important than ever. We’ll then share nine of our top tips for boosting your site’s security. Let’s get started!

An Introduction to WordPress Security

WordPress powers over 40 percent of the web, which makes it an attractive target for hackers. If a malicious third party manages to identify a vulnerability with one WordPress website, they could potentially use that same security loophole against the millions of other websites that are built on the same platform.

With this mind, it’s unsurprising that attacks against WordPress are on the rise. Wordfence recorded 4.3 billion attempts to exploit vulnerabilities in 2020. When asked about web security, over 70 percent of developers, freelancers, and agencies confirmed that they are increasingly worried about their websites. In fact, 25 percent of respondents confirmed they’d had to deal with a hacked website in the month prior to participating in the survey.

The WordPress team has a strong track record of identifying and addressing vulnerabilities in the platform. However, no software is perfect. In addition, many website owners choose to extend WordPress core with themes and plugins. These third-party products can add new designs and features to your site – but can also add new security vulnerabilities.

According to Patchstack’s security whitepaper, third-party plugins and themes account for 96.22 percent of detected WordPress security vulnerabilities. The total number of active and vulnerable theme and plugin installations detected throughout 2020 came in at a staggering 70 million.

If a hacker does manage to take control of your site, the consequences could be disastrous. The attacker might deface your site, steal your data, or redirect your loyal customers to a spam website.

The impact of these malicious activities can be far-reaching. They may include a loss of trust amongst your customers and missed sales, right through to potential legal action due to your failure to protect your visitors’ information.

9 Ways to Keep Your WordPress Website Secure in 2021

WordPress may be a favorite target amongst hackers, but that’s no reason to switch to a different Content Management System (CMS). Let’s take a look at nine tips that you can use to harden and protect your WordPress website against common attacks.

1. Choose a Hosting Provider That Prioritizes Security

The most important way to keep your WordPress website safe is to choose a hosting provider that prioritizes security. Wherever possible, we recommend opting for a hosting solution that offers built-in security features and tools.

At GIWS, we take security seriously, which is why all of our hosting packages include the Cloudflare Web Application Firewall (WAF). This tool can help protect your site against brute-force attacks in which a hacker tries to submit many different passwords and usernames in the hopes of guessing the combination correctly.

Our hosting plans also come with the cPanel control panel and Softaculous installer. This popular installer provides access to a wide range of add-ons, tools, and software, including many that can help you protect your website.

Running outdated software can make your site more vulnerable to attack. If you do choose to install additional software via Softaculous, then we’ll email you every time an update becomes available. This ensures you won’t miss any critical security updates or bug fixes that can help bolster your site’s security.

If you do have a security concern, then it’s important to address it straight away. That’s why we also offer 24/7 customer support to all of our hosting customers.

2. Install a Secure Sockets Layer (SSL) Certificate

Without a Secure Socket Layer (SSL) certificate, malicious third parties may be able to intercept the data your website sends and receives. This includes login credentials and payment details. If a hacker manages to access this information, it could damage your reputation and destroy users’ trust in your website. It may even land you in legal hot water due to data protection laws.

An SSL certificate can help ensure your private data remains private by transferring information via Hypertext Transfer Protocol Secure (HTTPS) instead of Hypertext Transfer Protocol (HTTP). As the name suggests, HTTPS is more secure than HTTP, as it enables you to encrypt any data that flows in and out of your website.

To help you meet this important security requirement, we provide several different types of SSL certificates:

After procuring your SSL certificate, we’ll send you an SSL Token via email. You can install your certificate by adding it to your website.

If you’re a cPanel user, then you can log into your account and launch the SSL Status:

We’ll then ask some simple questions about your website and your certificate. After providing these details, AutoInstall SSL will upload your certificate and your data will be encrypted.

3. Implement a Content Delivery Network (CDN)

If a malicious third party manages to break into your site using a brute-force attack, they could wreak havoc. They might steal your data, deface your site, or even delete your WordPress website entirely.

You can help protect your site against brute-force attacks by using a long, complex password that features a mix of numbers and symbols, plus uppercase and lowercase letters. However, some hackers use automated scripts and bots to bombard your site with thousands of login credentials. Even if you follow password best practices, your site may still fall victim to a brute-force attack.

To protect against these automated scripts and bots, you may want to consider using a Content Delivery Network (CDN). Although this tool is often used to improve website performance, it can also block malicious requests from ever reaching your site.

This may prevent hackers from hammering your site with login credentials. At GIWS, we offer the Cloudflare CDN to all our customers:

In addition to offering brute-force protection, Cloudflare’s network is designed to monitor and mitigate Distributed Denial-of-Services (DDoS) attacks. In this scenario, a hacker floods your network with so much malicious traffic that it exceeds your website’s capacity to process requests, at which point legitimate requests may be ignored.

You can configure your Cloudflare CDN by logging into cPanel and navigating to Software > Cloudflare. You can then follow the onscreen instructions to ensure Cloudflare is set up correctly for your particular website.

4. Use Plugins and Themes Safely

WordPress has huge directories of themes and plugins that can help you create beautiful, feature-rich websites. However, these third-party extensions can also make your site vulnerable to attack. In 2019, 97.2 percent of WordPress vulnerabilities were related to plugins.

To help protect your website, you should only install plugins from reputable sources. Wherever possible, we recommend using the official WordPress Plugin Repository, as it has strict security guidelines:

Alternatively, you can purchase themes and plugins from reputable third-party marketplaces such as CodeCanyon. Even if you’re using a quality source, it’s still smart to evaluate the theme or plugin, including examining when it was last updated:

We also recommend checking the software’s reviews, particularly the most recent ones. A spate of negative comments may indicate a security issue with the latest release.

Themes and plugins also add code to your site, which may contain vulnerabilities. A responsible developer will work hard to close any security loopholes discovered in their theme or plugin, and will often release an update that contains a solution for any recently-discovered vulnerabilities. For this reason, it’s important to keep your themes and plugins up-to-date.

According to WPBeginner, 86 percent of sites are hacked due to outdated software. To minimize your risk, it’s important to install updates as soon as they become available:

At some point, you may no longer require a particular theme or plugin. If you simply deactivate the software in question, then hackers may still be able to exploit its code. For example, hackers commonly target individual PHP files within a specific plugin.

If you simply deactivate the theme or plugin, then those PHP files will remain accessible and will therefore still be exploitable. This means that it’s crucial to delete extensions that you no longer require.

5. Install a Web Application Firewall (WAF)

Themes and plugins can potentially introduce vulnerabilities to your website. Ideally, when such a problem is discovered, the theme or plugin developer will rush to patch the issue and release an update.

However, this isn’t always the case, as some complex vulnerabilities may take time to fix. While we’d always recommend removing insecure software, this isn’t always feasible. For example, perhaps the plugin in question delivers your website’s core functionality.

If you do need to continue using a vulnerable plugin, then you can make it more difficult for hackers to abuse these known security loopholes. One method is to use a Web Application Firewall (WAF) to filter out malicious requests before they reach your WordPress website. This can also protect your site against Cross-Site Scripting (XSS) attacks.

There are several WAF plugins available for WordPress. However, the Wordfence endpoint firewall is a popular option:

After installing and activating Wordfence, it’s a good idea to leave this plugin in Learning More for at least a week before enabling its firewall. This can help you avoid false positives, where Wordfence blocks legitimate activities.

While the plugin is in Learning Mode, you should perform as many different actions as possible on your WordPress website. This gives Wordfence the best possible chance of learning how to protect your site while also permitting normal activity and visitors through its firewall.

You can put Wordfence into Learning Mode by navigating to Wordfence > Firewall. Then open the Web Application Firewall Status dropdown and select Learning Mode:

Save your changes, and Wordfence will start monitoring your site. When you’re ready to take Wordfence out of Learning Mode, you can enable the firewall by navigating to Wordfence > Firewall. Then open the dropdown and select Enabled and Protecting.

6. Activate Two-Factor Authentication (2FA)

It’s important to protect your website with a strong password. However, there are some password-based attacks where the strength of your login credentials has no impact on whether that attack succeeds or fails.

This includes credential stuffing attacks, where a hacker attempts to break into your dashboard using thousands, or even millions of username and password combinations. There are even keystroke logging programs that can monitor your keyboard and record every single thing you type, including your password.

One way to protect against these attacks is to enable Two-Factor Authentication (2FA). After activating this feature, anyone trying to access your WordPress website will need to enter the correct login details and then pass an additional security check – such as responding to a push notification on their phone or entering a code sent to their email address – to access your site.

By activating 2FA, you can make it significantly more difficult for a third party to gain access to your website. You can set up 2FA using a mobile application such as Google Authenticator or Microsoft Authenticator:

After installing your chosen mobile app, GIWS customers can enable 2FA by logging into their accounts and navigating to Account > Edit Account Details. You can then select Security Settings in the left-hand menu:

On the subsequent page, select Click here to enable. You’ll then be guided through the process of linking your WordPress site to your authenticator mobile app:

As part of this process, we’ll provide you with a backup code. If you ever lose access to your authenticator app, then you can use this code to recover your WordPress website. To avoid getting locked out of your site, it’s vital that you make a note of this code and keep it somewhere safe.

7. Consider Disabling XML-RPC

Pingbacks are a way to notify other websites that you’ve linked to their content, and vice versa. By default, they’re enabled in WordPress. While this feature can make it easier to respond to comments that mention your site, it can also make your website more vulnerable to DDoS attacks.

WordPress pingbacks are made possible by the XML-RPC interface. However, an attacker might use this feature to bombard your site with pingbacks. This can overload your server and might even take your site offline. For this reason, you may want to consider disabling the XML-RPC interface using the REST XML-RPC Data Checker.

If you do decide to disable pingbacks, then install and activate this plugin in your WordPress dashboard. Then navigate to Settings > REST XML-RPC Data Checker. Next, select the XML-RPC tab and choose Disable XML-RPC API interface:

Now you just need to save your changes and pingbacks will be disabled for your website. If you don’t want to use a plugin, then you can block all incoming XML-RPC requests before they’re passed to your site.

This technique does require you to edit your site at the code level, so it’s wise to create a full backup before proceeding. If you’re an GIWS customer, we provide two backup tools that you can access via cPanel:

After creating a backup, connect to your server via File Transfer Protocol (FTP) using an FTP client such as FileZilla. You can then open your .htcaccess file for editing and add the following:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Don’t forget to save your changes and re-upload the file to your server. To verify that XML-RPC is now disabled, head over to XML-RPC Validator and enter your website’s URL. If XML-RPC is disabled, then the Validator should display an error message.

8. Remove the WordPress Theme Editor

By default, you can modify your theme using WordPress’ built-in theme editor. While this is helpful for creating custom themes, it’s also a way for hackers to inject malicious code into your website:

If you don’t need the theme editor, then you may want to consider disabling it. This requires you to edit your website’s code, so we recommend creating a backup before proceeding.

To disable the editor, you’ll need to connect to your server using an FTP client. You can then open your wp-config.php file and add the following after the line that reads “That’s all, stop editing! Happy publishing”:

define( 'DISALLOW_FILE_EDIT', true );

Save your changes and the theme editor will disappear from your WordPress dashboard. If you need to restore the theme editor at any point, then simply connect to your server using FTP and remove the line of DISALLOW_FILE_EDIT code.

9. Protect Your Database Against SQL Injection Attacks

A hacker may attempt to gain access to your WordPress account by injecting malicious SQL queries into your MySQL database. Hackers can launch these SQL injection attacks via any content that accepts user input. This includes many website staples, such as comment sections and contact forms.

Since MySQL is vulnerable to injection attacks, it’s important to keep your database up-to-date. It’s also important to protect your MySQL database with a strong password that has no connection to your website, company, or you as an individual. Here, it may help to use a password generator such as Strong Random Password Generator or LastPass:

You can also make it more difficult for hackers to identify your database by using a unique database name. GIWS customers can change their WordPress database name at any point by logging into cPanel and then accessing the phpMyAdmin tool.

In the left-hand menu, select the database that you want to rename. Then open the Operation tab:

Here, enter the name that you want to use and click on Go. When prompted, opt to reload your database.

Conclusion

As one of the world’s most popular Content Management Systems, hackers are always eager to uncover vulnerabilities in WordPress themes, plugins, and core. If a malicious third party does manage to identify a security loophole, they could potentially use it to launch attacks against millions of WordPress websites – including yours.

By following some simple security precautions, you can immediately make your site less vulnerable to attack. It’s important to start with the fundamentals by vetting all of your themes and plugins carefully and installing an SSL certificate. Once you have a strong foundation, we recommend exploring more advanced security tactics, such as enabling 2FA and disabling the theme editor and XML-RPC when possible.

Your choice of hosting provider is also crucial for security. All of our GIWS packages include features, tools, and add-ons specifically designed to help keep our customers safe, including HackScan Protection, Cloudflare, and a dual firewall. Check them out today!

The post 9 Ways to Keep Your WordPress Website Secure appeared first on GIWS Blog.