Secure Your WordPress Website How to Protect Yourself from Hackers, Spammers, Scrappers, and Imbeciles

Mari Kane

Blogsite Studio

The articles in this ebook are copyright Mari Kane. All rights reserved.

No part of any of the content of this ebook may be reproduced in any form by any means without prior written permission of Mari Kane.

This ebook is licensed for your personal enjoyment only and may not be shared or re-sold. If you would like to share this book with another person, please purchase an additional copy for each recipient.

If you’re reading this book and did not purchase it, or it was not purchased for your use only, then please subscribe to Blogsite Studio.com to receive your own copy.

Thank you for respecting the hard work of this author!

This book was produced using Pressbooks.com, and PDF rendering was done by PrinceXML.

Secure Your WordPress Website © Mari Kane, Blogsite Studio. All Rights Reserved, except where otherwise noted.

Contents

1 INTRODUCTION

4 How to Take Control Of Your Web Presence Now

10 The Best Tips to Securing WordPress Websites and Keeping Hackers Out

15 The 27 Best WordPress Security Plugins to Prevent Hacking

21 Backup and Restore Your WordPress Site and Sleep Better at Night

29 WordPress Under Brute Force Attack: Targeting Admin Usernames

32 Use Mantras as Passwords to Achieve Web Nirvana

35 3 Ways to Protect Your Address From Hackers and Spammers

41 How to Kick Content Scrapers in the Balls

48 Damn that Referrer Spam from Google Analytics

53 How SSL Certificates Give Your URL the Cone of Silence

60 After the Hack: How to Restore Your WordPress Website

64 SOMETHING ABOUT MARI KANE (All Rights Reserved)

66 WORDPRESS EBOOKS BY MARI KANE (All Rights Reserved)

SECURE YOUR WORDPRESS WEBSITE | 1

Introduction

I remember a time after I started blogging when I never thought about web security. I lived in a cocoon of denial padded by the belief that my little wine blog contained nothing anyone would want to steal. No state secrets, no credit card information. I knew hackers were out there, but I believed they just hit sites for banks and retailers.

That was my age of innocence.

Then, I learned about brute force attacks and how hackers will use bots to bang on your login door until it breaks down. Once inside, they inject malware that turns a site into a zombie to spread the malware to visitors’ computers and sites.

That was the end of my Internet innocence.

In the last few years, my BlogsiteStudio.com site has been hacked a couple of times. The first was due to a vulnerability in a plugin. The second was the result of an attack that I fell for because of the coincidental timing related to another issue I was having on my server. Cleaning up the messes they left was a harrowing and infuriating experience, and a huge drain on time, not to mention expensive.

I’ve seen client sites get hacked, possibly because of their unchanged “Admin” usernames, outdated versions of WordPress, plugin vulnerabilities – who knows what all. Cleaning them up was painful, especially when a current backup was not available and caused a loss of data.

Then, there is the scraping of email addresses, inadvertently left in the site’s content, which leads to a proliferation of spam coming to that email’s inbox. I’ve seen that happen too.

Even neutral little Google Analytics is not above the fray. Fake sites use bots to send requests to a site so that the URL will turn up on your analytics dashboard and tempt you to click on the link to find out who the hell they are, which drives up their traffic count.

I tell you, it’s a bot-eat-bot world out there and you can no longer trust your little content site to remain safe. You have to take precautions to ensure the safety of your site, and that’s what this ebook is all about: securing your WordPress website.

The following chapters are all posts from BlogsiteStudio.com written over the past four years and updated to reflect changes on the infobahn.

I put them all together to show you what evil can befall an unprotected website and to give you a road map to protecting yours. And, how to recover from the nightmare of being hacked.

If you’ve purchased this ebook from a retailer, please review it on their site and subscribe to Blogsite Studio.com to receive my weekly doses of advice as well as to have the first opportunity to download future ebooks.

Please follow me on Twitter @blogsitestudio, Facebook, Google+ and Linkedin. And contact me if you have any questions about WordPress.

Thanks and enjoy Secure Your WordPress Website!

Mari Kane @blogsitestudio

Chapter 1 How to Take Control Of Your Web Presence Now

So you had a web site professionally designed and for the longest time your site worked swimmingly – until suddenly it doesn’t.

You can’t get your “computer guy” on the phone, or in email, or by text, and you don’t have the logins to get into the Administrator Dashboard.

Or, your domain stops resolving and you have no idea where it’s registered, and then you find out your web designer is on vacation.

Don’t let this happen to you!

If you have a website that is intrinsic to your business, you must make it your business to know everything about that site.

A Website is like a house with a hundred working parts. A home owner would never leave the keys to their house in the hands of the real estate agent. Neither should you rely on your web designer to hold the keys to your site.

I don’t just mean controlling your domain registration and WordPress installation, but also your hosting account, theme developer, Google accounts, and much more. These are all assets that require logins and email addresses in order to access their various settings.

Without these credentials you could be hobbled in an emergency.

You might have contracted with a web agency or IT firm to manage all the intricacies of your web presence using state of the art systems and platforms. Or, your web designer might offer to host your site on a server space they resell, and maintain your installation.

It doesn’t matter if you work with a large or small web company, as long as you have all the logins to your properties.

I spoke about this with Omer Segoly of TechTone, a Vancouver company that provides IT services and tech support.

He said he often has new clients come to him who don’t know how to access their domain or their back end or who need to clean up a hack and their designer is unavailable. In those cases, he has to chase down accounts, and dig things up, which he says is not fun and is expensive for the client.

He Znds the biggest issue is with domains.

“Agencies and designers register domains under a big master account they maintain. So, instead of creating separate Godaddy accounts for each client’s domain, they amalgamate the domains on the master account, giving them ownership, in e]ect.”

He told me a story of an agency where one partner walked away with all the credentials, leaving the other partner with no access to the client’s accounts. Not only do some agencies take ownership of domains, they overcharge for renewals.

“I see it again and again: when we know a domain should only cost $12 – $15 a year, some companies overbill much more than that. When we sign up new clients, we make sure they have access to all their web properties. We don’t take ownership of anything; we make it easy for them to disengage if they need to, though we do such a good job they don’t.”

Each of his new clients receives an email with Cpanel logins, ftp coordinates, nameservers, and IP address, with the advice to keep the message in a secure place for web designers they might hire in the future.

“I have seen companies that don’t do that, possibly because they have a low-tech server set-up that’s not segmented to different accounts, so any access means access to all accounts on the server.” (Techtone uses Amazon Web Services (AWS).)

When it comes to payment gateway, he says, clients must have full access from the get go.

“We’ll create a Stripe account for the client, give them access, and have them connect to their bank. Once it’s ready we’ll connect the APIs and take care of the rest, but we don’t take ownership over the payment gateway account ever.”

Omer is also a big fan of two-factor authentication and he likes Last Pass for managing passwords anywhere.

How to take control of your web presence

If you’ve got a professionally designed site, but you’re a little fuzzy on how it all works, here is a website checklist for auditing the site. As the site owner, you should know everything on this list.

Start by checking whois.net to see what information is publicly available about your domain.

DOMAIN

Make sure your domain is registered with a reputable and certified registrar and that you yourself are the named administrator on the account.

Read More: It’s 2016: Do You Know When Your Domain Name Expires?

HOSTING

Your site should live in a good quality, well-policed neighborhood. Know whose servers are being used and read about the company’s record for security, updates, and uptime.

Read More: Web Hosts Recommended by Advanced WordPress Group

BACKUPS

Find out who does them, how often, where the backups are stored and what kind of files are backed up.

Read More: Backup and Restore Your WordPress Site and Sleep Better at Night

EMAIL

Does it come from the web host or another service? How is it integrated into all aspects of your web presence?

SSL

Is an SSL certificate included with your web hosting account? (Hopefully, since a Secure Sockets Layer certificate is practically de rigueur these days and is rewarded by Google with higher rankings.) Make sure your SSL is auto-renewing.

WORDPRESS

Is your WordPress core software automatically updated? If not, find out who is responsible for updates: you, your web designer, or the web host.

To protect the site owner from themselves, web designers often give them logins for reduced access, like Author. That’s fine for normal use, but be sure you also obtain logins for an Admin account that you can access in an emergency.

THEME

If the web designer has established a rapport with the theme developer, it would be helpful to have their contact information as well as the terms of a support contract. You might need help with the theme after falling out with the web designer.

Read More: How Custom WordPress Themes are Worse than Premium Themes

GOOGLE ANALYTICS AND TOOLS

If you have a Google account you can access the Analytics and Search Console accounts that your designer should have set up. Make sure the designer shares with you Full access to those accounts, not just Read/Comment access.

Read More: 4 Fun Ways to View Your Google Analytics

PAYMENT GATEWAYS

Anything to do with your money must be controlled by you alone. Once your web designer opens a Stripe account and you enter your bank info, they will connect APIs (application programming interfaces) to the site. Then, you should change the account passwords for security.

EMAIL LISTS

Is your site taking email addresses and sending them to an email marketing platform? It should, as this is the best way to securely build lists and send pretty alerts and campaigns to your subscribers. Have all access to this account.

ECOMMERCE

Are you selling books, admission to events, or access to online courses promoted through Picatic, Udemy or Amazon? Have all those logins and URLs at hand.

PREMIUM PLUGINS

If your web designer set up a premium plugin on your site, you want to be able to get support or manually renew it in the event of your designer going AWOL. Logins, terms, support URLs, please.

Read More: 61 of the Best WordPress Plugins for 2015

AFFILIATES

Has your computer guy placed affiliate ads on your site? You have to be sure the affiliate account is registered in your name with your contact info and tax IDs. Check your activity often with the affiliate and monitor the appropriateness of the ads.

CUSTOM CSS

If your web designer made customizations to the style sheet in your theme and years later you update or change the theme, those expensively made customizations could be lost. It’s a good idea to know they are stored somewhere, whether in a child theme or in a plugin, and better yet to have access to a text copy of the code.

Details, Details….

Yep, that’s a lot of information to know about your website, but it’s all absolutely necessary to future proof your site from disaster.

When I build a website I give each of my clients a lengthy list of site details in a text document that they can keep on their hard drive for future reference.

I know the future is mysterious and if this is my last day on earth, I want my clients to be able to go forth to make updates and changes to their sites.

If your web designer has not done so already, send them this prepared list, Site Details PDF, to complete for you.

Control of your web presence is important. Don’t let someone else have it.

Chapter 2 The Best Tips to Securing WordPress Websites and Keeping Hackers Out

Website hacking has been out of control in the past year, with WordPress being the biggest target for brute force attacks, malicious code injections, and numerous other compromises. Your site may have already been hacked without your knowledge. If they haven’t already, what will you do to prevent a hacker from invading?

The first thing to understand is the why of WordPress hacking.

Why Hack You?

Why would anyone want to break into your innocent little brochure site that contains no sensitive data worth stealing?

The reasons hackers are attracted to your little WordPress site are mostly:

• WordPress is so popular, it presents a wide field of sites to exploit.
• With WordPress being so accessible, hackers know that most users are not savvy to security.
• Once broken into, hackers install spam robots and redirects and malicious code in your site.

Don’t let a hack happen to you!

Secure WordPress sites you operate by following these suggestions according to your knowledge and skill level. You don’t have to get every point, but you can use this as a checklist.

Basic WordPress Security Tips

Update WordPress

Every time WordPress releases a new version, update your site. Every time. They’re not releasing new versions just for the fun of it.

Update Plugins

Only use plugins with good reputations, and every time a plugin developer releases a new version, update that plugin on your site. Plugin security vulnerabilities are a common way to get hacked.

Read More: Update Your Site or Die Trying

Delete Old/Unused Plugins

If you’re not using a plugin, delete it. An old and moldy plugin is as insecure as a non-updated plugin.

Use Spam Killer Plugins

Comment spam is a perennial security issue. Use a plugin like Akismet to kill spam dead. (Also, update your Akismet to version 3.1.5, as a security vulnerability was found last week.)

Use a Secure Hosting Company

Make sure your web host has basic security certificates and uses the latest version of cPanel, MySQL, etc.

Use a Security Service on Your Host Server

Web hosts offer security services like Sitelock or TrustWave to protect your site at the server end. Employ one.

Use Secure Themes

Install themes created by reputable developers and be wary of free themes not distributed through WordPress. Same for premium themes, which tend to be slightly more secure.

Read More: 8 Things to Look for in a New WordPress Theme

Use Obscure Usernames

Never use “admin” or any word vaguely associated with your site’s content.

Use Strong Passwords and Change Frequently

Create long, complicated password sentences or use the password generator offered in WordPress v. 4.3.1. Frequently change passwords in WordPress, your hosting panel and for FTP.

Use Security Plugins

Install one or more of: Wordfence, WP Security Firewall, iThemes Security (formerly Better WP Security), Sucuri Security, Bulletproof Security, Acunetix WP SecurityScan, All-In-One WP Security & Firewall (my fave), 6Scan Security, BruteProtect.

Backup Database

1. Use backup plugins to save data on your server
2. Email or download files of your database to your computer’s hard drive
3. Download database files to Dropbox or a cloud server
4. All of the above

Use Anti-Virus Software on Your Computer

Prevent hackers from getting to your site through your computer’s hard drive by using anti-virus software.

Beware Email Links and Attachments

Use common sense by not clicking on suspicious links or attachments sent to you via email. They could infect your computer and by extension, your WordPress site.

Advanced WordPress Security Tips

Use 2-Step Password Authentication

Google Authenticator and Clef Authenticator require additional logins on your phone.

Use a Firewall

A firewall acts as a barrier to keep hackers out of your site or server. Firewall security can be purchased as a service or bundled in premium plugins. (Free with All In One WP Security & Firewall.)

Block Evil IPs

After monitoring brute force attacks through security plugins, paste evil IP addresses into the relevant plugin modules or into your .htaccess file.

Change /wp-admin URL

Some security plugins like All-in One allow you to change your login URL from “/wp-admin” to something like “/keepouthackers.”

Change User Nicename in phpMyAdmin Database

Prevent your username from leaking out by changing the user_nicename in your database. When “/author/” shows up, viewers will see a name different from your actual username.

Change Admin User ID

Make it harder for hackers to find your username when guessing you are “author=1” by changing your User ID to something like “5643”.

Change SALTs in wp-config

It’s a good idea to change the SALTs (the secret keys in wp-config.php) that relate to your site, either manually or by using the iThemes Security plugin.

Rename Database Prefix

In phpMyAdmin on your server, change the wp_ prefix of table names so hackers won’t know where your database is.

Protect wp-uploads files

Prevent PHP injections into your uploads folder.

Check File Permissions

All directories should be 755 or 750. All files should be 644 or 640, except wp-config.php, which should be 440 or 400.
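As an added example, not code from the book, here is a shell script that audits an install against the permissions listed above and writes an .htaccess into wp-content/uploads so that PHP dropped there is never executed (the “Protect wp-uploads files” tip). It assumes a Linux host with GNU coreutils and Apache 2.4; the function names are my own.

```shell
#!/bin/sh
# Added example: permission audit and uploads hardening for a WordPress root.
# Assumes GNU coreutils (stat -c) and Apache 2.4 honouring .htaccess.
# Recommended modes, as given in the text: dirs 755/750, files 644/640,
# wp-config.php 440/400.

# wp_perm_report ROOT: print one "KIND MODE PATH" line per item whose mode is
# not one of the recommended values. Empty output means the tree is clean.
wp_perm_report() {
    root="$1"
    find "$root" -type d -exec stat -c '%a %n' {} + \
        | awk '$1 != "755" && $1 != "750" { print "DIR  " $0 }'
    find "$root" -type f ! -name wp-config.php -exec stat -c '%a %n' {} + \
        | awk '$1 != "644" && $1 != "640" { print "FILE " $0 }'
    # wp-config.php sits in the site root and holds the database password,
    # so it gets the tighter 440/400 the text calls for.
    find "$root" -maxdepth 1 -type f -name wp-config.php -exec stat -c '%a %n' {} + \
        | awk '$1 != "440" && $1 != "400" { print "CONF " $0 }'
}

# wp_perm_audit ROOT: print findings and return 1 if there are any, 0 if clean.
wp_perm_audit() {
    findings=$(wp_perm_report "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK: $1 matches the recommended permissions"
    return 0
}

# wp_perm_fix ROOT: apply the recommended modes. Caveat: 440 on wp-config.php
# only works when PHP runs as the file's owner or group; on shared hosts where
# it does not, use 640 and keep the file owned by your account user.
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 440 "$root/wp-config.php"
    return 0
}

# wp_harden_uploads ROOT: write an .htaccess into wp-content/uploads so that a
# PHP file smuggled in through an upload is denied instead of executed.
# (Apache 2.4 syntax; nginx needs an equivalent location block instead.)
wp_harden_uploads() {
    uploads="$1/wp-content/uploads"
    [ -d "$uploads" ] || { echo "no uploads directory under $1"; return 1; }
    cat > "$uploads/.htaccess" <<'EOF'
# Deny every PHP-like extension anywhere in the uploads tree.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
    chmod 644 "$uploads/.htaccess"
}

# Stand-alone usage: sh wp_harden.sh /path/to/wordpress
if [ -n "$1" ]; then
    wp_perm_audit "$1"
    wp_harden_uploads "$1"
fi
```

Run the audit first and review its output before applying wp_perm_fix, since a host that runs PHP under a different user than the file owner needs the looser 640 on wp-config.php noted in the comments.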

Blog Long and Prosper

Hopefully, your site will never get hacked, but if it does, remember that it’s not the end of the world. Your site will recover.

The key is being ever vigilant against email come-ons and brute force attacks that could eventually harm your site.

Chapter 3 The 27 Best WordPress Security Plugins to Prevent Hacking

When it comes to protecting your site from evil doers, you should start by installing some powerful WordPress security plugins.

Plugins will act as your site’s bouncer, fighting off brute force and spam attacks, as well as being your inside agent, working to gather intelligence on who is targeting your site.

This comprehensive list includes plugins to fight hackers, kill spam, protect logins, as well as saving backups. All of these plugins are highly rated and regularly updated, and best of all, they’re free.

Some, though, offer premium versions to give you yet more protection for your site.

Check ’em out!

Hacker Protection

WORDFENCE

Secure your website with the most comprehensive WordPress security plugin. Firewall, malware scan, blocking, live traffic, login security & more. By Wordfence 1+ Million Active Installs

BULLETPROOF SECURITY Secure WordPress Website Security Protection: Firewall Security, Login Security, Database Security & Backup. By AITpro | Edward Alexander 100,000+ Active Installs

ANTI-MALWARE SECURITY AND BRUTE-FORCE FIREWALL

This Anti-Malware scanner searches for Malware, Viruses, and other security threats and vulnerabilities on your server and it helps you fix them. By Eli Scheetz 100,000+ Active Installs

ITHEMES SECURITY (FORMERLY BETTER WP SECURITY)

Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin. By iThemes 800,000+ Active Installs

SUCURI SECURITY – AUDITING, MALWARE SCANNER AND SECURITY HARDENING

The Sucuri WordPress Security plugin is a toolset for security integrity monitoring, malware detection, audit logging and security hardening. By Sucuri, Inc 300,000+ Active Installs

ALL IN ONE WP SECURITY & FIREWALL

A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site. By Tips and Tricks HQ, Peter, Ruhul, Ivy 500,000+ Active Installs

SHIELD WORDPRESS SECURITY

The Most Comprehensive and Highest-Rated Security System for WordPress (formerly the WordPress Simple Firewall). By iControlWP 50,000+ Active Installs

Read More: The Best Tips to Securing WordPress Websites and Keeping Hackers Out

Anti Spam

AKISMET

Akismet checks your comments against the Akismet Web service to see if they look like spam or not. By Automattic 1+ Million Active Installs

SI CAPTCHA ANTI-SPAM

Adds Secure Image CAPTCHA on the forms for comments, login, registration, lost password, BuddyPress register, wpForo Register, and WooCommerce checkout. By Mike Challis 300,000+ Active Installs

SPAM PROTECTION BY CLEANTALK

Spam protection, anti-spam, all-in-one, premium plug-in. No comments spam & users spam, no contact form & WooCommerce spam. Forget spam. By СleanTalk 50,000+ Active Installs

WP-SPAMSHIELD ANTI-SPAM

All-in-one WordPress spam protection, with NO CAPTCHAs, challenge questions or other inconvenience to site visitors. By Scott Allen 100,000+ Active Installs

ANTI-SPAM

No spam in comments. No captcha. By webvitaly 100,000+ Active Installs

Login Protection

MINIORANGE 2 FACTOR AUTHENTICATION

This plugin provides various two-factor authentication methods as an additional layer of security for WordPress login. We support Phone Call, SMS, Email Verification, QR Code, Push, Soft Token, Google Authenticator, Authy, Security Questions (KBA), WooCommerce front-end login, Shortcodes for custom login pages.

By miniOrange 6,000+ Active installs

LOGINIZER

Loginizer is a WordPress security plugin which helps you fight against bruteforce attacks. By Raj Kothari 400,000+ Active Installs

LOGIN SECURITY SOLUTION

Security against brute force attacks by tracking IP, name, password. Idle timeout. Maintenance mode lockdown. By Daniel Convissor 20,000+ Active Installs

Read More: Use Mantras as Passwords for Web Nirvana

Backups and Restoration

UPDRAFTPLUS WORDPRESS BACKUP PLUGIN Backup and restoration made easy. Complete backups; manual or scheduled (backup to S3, Dropbox, Google Drive, Rackspace, FTP, SFTP, email + others). By UpdraftPlus.Com, DavidAnderson 1+ Million Active Installs

WP DATABASE BACKUP

Create & Restore Database Backup easily on single click. Manual or automated backups (backup to Dropbox, Google Drive, Amazon s3, FTP, Email). By Prashant Walke 60,000+ Active Installs

BACKWPUP

Schedule complete automatic backups of your WordPress installation. Decide which content will be stored (Dropbox, S3…). By Inpsyde GmbH 500,000+ Active Installs

BACKUP GUARD

Backup Guard is the best backup choice for WordPress. Backup, restore, clone, duplicate or migrate your website with few clicks. By BackupGuard 80,000+ Active Installs

WPBACKITUP

Backup, restore, clone, duplicate or migrate your site effortlessly with WPBackItUp. By WPBackItUp 30,000+ Active Installs

BLOGVAULT REAL-TIME BACKUP

Backup by blogVault is the most reliable way to perform WordPress backup for your site. It is the easiest way to backup, restore or migrate your sites. By Backup by blogVault 20,000+ Active Installs

WORDPRESS BACKUP TO DROPBOX

Keep your valuable WordPress website, its media and database backed up to Dropbox in minutes with this sleek, easy to use plugin. By Michael De Wildt 90,000+ Active Installs

XCLONER

XCloner is a full backup and restore plugin for WordPress, it will backup and restore both files and database. By Liuta Ovidiu 70,000+ Active Installs

WP-DBMANAGER

Manages your WordPress database. By Lester ‘GaMerZ’ Chan 100,000+ Active Installs

Read More: Backup and Restore Your WordPress Site and Sleep Better at Night

Email Protection

OBFUSCATE EMAIL

Obfuscate email addresses to deter email harvesting spammers, while retaining the appearance and functionality of hyperlinks. By Scott Reilly 10,000+ Active Installs

EMAIL ADDRESS ENCODER

A lightweight plugin to protect email addresses from email- harvesting robots by encoding them into decimal and hexadecimal entities. By Till Krüss 80,000+ Active Installs

Read More: 3 Ways to Protect Your Email Address From Hackers and Spammers

SSL Helper

REALLY SIMPLE SSL

No setup required! You only need an SSL certificate, and this plugin will do the rest. By Rogier Lankhorst 100,000+ Active Installs

SSL INSECURE CONTENT FIXER

Clean up WordPress website HTTPS insecure content. By WebAware 70,000+ Active Installs

Stay secure!

Chapter 4 Backup and Restore Your WordPress Site and Sleep Better at Night

Backing up your website is one of the fundamental aspects of web security.

So much can happen on the Internet: Hackers strike. Servers go down. Files get corrupted. Any number of calamities can befall your website and wipe out years of hard work.

With the Web being so dangerous these days, it’s crucial to have a complete copy of your precious website files on hand in case of a disaster.

Question is, how are you going to back up your files? And, once you back up, how can you be sure the files will work on a new install?

In this tutorial we’ll discuss ways to backup and restore WordPress sites.

These techniques are useful not just in the case of disaster, but also for migrating a site to another web server, which is something you might otherwise pay a developer to do.

Restore WordPress site in two parts

When backing up and restoring a site, it’s important to know that there are two parts of the installation: WordPress files and your database.

Think of the database as your brain and WP files as your home.

Your brain contains all the thoughts and memories you’ve accumulated over the course of your entire life.

Your home is where you store your brain to protect it from the great outdoors.

But if your home was lost, you could always get a new one, thanks to homeowners insurance. If you lose your brain, you will need to be reborn in order to accumulate all the data you lost.

Which is more valuable?

WordPress PHP files consist of the following:

• WordPress Core Installation
• WordPress Plugins
• WordPress Themes
• Images and Files
• JavaScript and PHP scripts, and other code files
• Additional Files and Static Web Pages

The MySQL database contains posts, pages, comments, categories, tags, custom fields, users, and other options such as site URLs etc. generated on your site.

The database requires the WordPress core files to manipulate the organization of its information on your site.

Backing up is not hard to do

There are lots of ways to back up your files and database. Here are most of them.

HOSTING BACKUP

Your web host will provide a regular backup of your site if you ask them to or pay for it. Each host is different, so ask yours what they offer.

BACKUP PLUGINS

There are lots of backup plugins to choose from. They perform the backup similarly by placing the files on your server directory, but they offer different features.

Backup plugins feature:

• Optimization by purging unused data from your files
• Sending backups to server, email, Dropbox, hard drive
• Scheduling automatic backups
• Storage options like FTP, SFTP and FTPS

Here is a list of some of the most popular backup plugins compared.

WORDPRESS EXPORT

The quickest way to make a backup is by going to Tools>Export and installing the WordPress export plugin.

Once installed, you can export all or some of your files into a single XML file and download that to your hard drive. This file format, WordPress eXtended RSS or WXR, will contain your posts, pages, comments, custom fields, categories, and tags.

The XML file download is quick and easy and good for simple content sites. Below, I’ll show how to import that XML file into a new WordPress installation.

General Backup Tips

SPREAD OUT BACKUPS

The WordPress Codex and current consensus recommend keeping at least three backups on file, in case of corruption or loss, and storing the backups in different places on different media – CD, DVD, external hard drives, cloud storage, Dropbox – as well as on your hosting server.

TIME YOUR BACKUPS

Always, every time and routinely, back up your site before upgrading to a new version of WordPress. Before upgrading your theme or any plugins, hey, it can’t hurt to back up.

Read More: New Year’s Internet Resolutions You Can Make Too

Restoring or migrating

Once you’ve made a backup of your site, it’s a good idea to upload the backup to a new WordPress environment.

Restoring your site proves that all your files are intact and non-corrupted, so if disaster strikes, you have peace of mind knowing those files work.

The caveat here is that your backup should be pristine and untainted by hacking. If your files have bugs it makes no sense to spread those bugs to another server.

RESTORE WITH XML FILE

Restoring a site with an XML file is the easiest, fastest way to move your site to another place.

XML is a single file that contains pure code and is best used on simple sites. Once you’ve moved the XML file into the new house, you’ll need to spend a lot of time rearranging the furniture in order to match the old house.

[Figure: Open the XML file in a browser and here’s what you see.]

Here’s how you do it:

1. In Tools>Export, install an Export plugin and export All Content.
2. Install a new WordPress on the desired server and install the site’s theme there.
3. Change the new installation’s Reading settings to match the original site, i.e. Posts or Static front page. If static, create Home and Blog pages first.
4. Change Permalinks to match the old site.
5. Install the WP Importer plugin in Tools>Import. Assign Authors and import Attachments, Media, posts, pages, portfolio.

There’s lots to customize here, especially menus, sliders, front page. But at least the move was fast and easy.

Restoring Manually

Using a plugin, back up and download the .tar and .sql files to your hard drive.

In Cpanel, create a subdomain on the new server. Something like http://newsubdomain.olddomain.com will be your URL for this restored site.

Set up an FTP client for that subdomain if your zipped WP files (.tar) exceed the server’s upload limit of, say, 500 MB.

Open that new directory and upload your .tar.zip file. Or use the FTP client to transfer larger files.

Extract the tar.zip and copy or move the files to the new subdomain directory.

Now that everything is in place, you need to make your brain aware of its new house.

CREATE NEW DATABASE

IN CPANEL, CLICK ON MYSQL DATABASE WIZARD

1. Create a database
2. Create Database User(s)
3. Assign Privileges (all)

IMPORT .SQL DATABASE

In cPanel click on phpMyAdmin. Find and click on your new database. Click Import. Browse to the .sql file and upload. Hit Go.

EDIT DATABASE OPTIONS

Click Options, click edit and change URL and Sitename to the new subdomain name.

Do Search for old URL and name and update accordingly.

EDIT WP-CONFIG.PHP FILE

In cPanel, go to File Manager and navigate to the Public folder. Find and open the new directory. Select the wp-config.php file and click on the Edit tool.

Change the MySQL database name, username and password according to the above. Save changes.

Enter newsubdomain.olddomain.com and check your work. All should look the same as the original site.

Add /wp-admin (or your custom extension) and log in. Check your image links to ensure they are pointed correctly, or change them.
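The two edits above that bite people most are the database credentials in the config file (WordPress names it wp-config.php) and the old URL buried in the database. Here is an added example, written for this edition and not code from the book or from WordPress, that does both safely in Python. The wp-config text, the SQL fragment, the domain names and the credentials are all constructed placeholders. The point it makes that the steps above do not: WordPress stores some options PHP-serialized, with each string prefixed by its byte length, so a plain search-and-replace of the old URL silently corrupts widgets and theme settings unless the lengths are recomputed.

```python
import re

# Constructed sample of the database defines in wp-config.php (stock WordPress
# layout; the values are placeholders, not the book's or any real site's).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'olddb' );
define( 'DB_USER', 'olduser' );
define( 'DB_PASSWORD', 'old-pass' );
define( 'DB_HOST', 'localhost' );
"""

# Constructed fragment of an exported wp_options table. The third row is a
# PHP-serialized value: each s:N: prefix records the byte length of the string
# that follows, so a plain search-and-replace that lengthens the URL breaks it.
SAMPLE_SQL = (
    "INSERT INTO `wp_options` VALUES "
    "(1,'siteurl','http://olddomain.com','yes'),"
    "(2,'home','http://olddomain.com','yes'),"
    "(99,'widget_text','a:1:{s:4:\"text\";s:31:\"Visit http://olddomain.com/blog\";}','yes');"
)

_DEFINE_RE = re.compile(
    r"(define\(\s*'(DB_NAME|DB_USER|DB_PASSWORD)'\s*,\s*')([^']*)('\s*\)\s*;)"
)
_SERIALIZED_STR = re.compile(rb's:(\d+):"')


def _php_single_quote(value: str) -> str:
    """Escape a value for a PHP single-quoted string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def update_wp_config(config_text: str, db_name: str, db_user: str, db_password: str) -> str:
    """Rewrite DB_NAME, DB_USER and DB_PASSWORD; every other line is left untouched."""
    new_values = {"DB_NAME": db_name, "DB_USER": db_user, "DB_PASSWORD": db_password}

    def repl(m: re.Match) -> str:
        return m.group(1) + _php_single_quote(new_values[m.group(2)]) + m.group(4)

    return _DEFINE_RE.sub(repl, config_text)


def replace_in_serialized(text: str, old: str, new: str) -> str:
    """Replace old with new everywhere, recomputing the s:N: length of every
    serialized string the replacement touches. WordPress drops an option whose
    serialized value no longer unserializes, which is how widgets and theme
    settings vanish after a naive URL replace."""
    data, old_b, new_b = text.encode(), old.encode(), new.encode()
    out, i = [], 0
    while (m := _SERIALIZED_STR.search(data, i)) is not None:
        out.append(data[i:m.start()].replace(old_b, new_b))
        length, start = int(m.group(1)), m.end()
        end = start + length
        if data[end:end + 2] != b'";':
            # The prefix was not a well-formed serialized string; copy it through.
            out.append(m.group(0))
            i = m.end()
            continue
        # Nested serialization inside the string body (double-serialized data)
        # is not re-measured here; such options need a second pass on their own.
        value = data[start:end].replace(old_b, new_b)
        out.append(b's:%d:"%s";' % (len(value), value))
        i = end + 2
    out.append(data[i:].replace(old_b, new_b))
    return b"".join(out).decode()


if __name__ == "__main__":
    print(update_wp_config(SAMPLE_CONFIG, "newdb", "newuser", "it's-secret"))
    print(replace_in_serialized(SAMPLE_SQL, "http://olddomain.com",
                                "http://newsubdomain.olddomain.com"))
```

Run it against a real dump only on a copy, and compare the row counts of wp_options before and after: a dropped option is the first symptom of a length that was not fixed.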

Here is an excellent tutorial on how to backup and restore a WordPress site, in this case on the same server.

Try it, you’ll like it

If you’ve never worked with your server files or database, restoring a WordPress site might be a cathartic exercise for you. Nothing will build your confidence more than successfully preserving your website’s files and migrating them to another location.

Complete digital satisfaction, that’s what it is.

Chapter 5 WordPress Under Brute Force Attack: Targeting Admin Usernames

April of 2013 was a scary time in the WordPress world.

First, a popular plugin that I’d used and recommended, Social Media Plugin, was found to be infected with malware that injected unwanted advertising into sites. I immediately deleted that plugin, even though it was eventually restored to the WordPress plugin directory in a form of application probation.

Then, I learned from Ars Technica that an all-out “Brute Force Attack” was being committed on WordPress sites by a powerful Botnet that attacked US banks the previous year.

The botnet, they said, is seeking out, among other things, default user names like “Admin.”

Holy sharesite, I said to myself. One of my sites had “admin” as the user name! I had to change it.

How to fend off a brute force attack

CHANGE ADMIN USERNAME

The way you got stuck with the “admin” username: at some point during the WordPress install, your server offers “admin” to you, and if you didn’t change it then, you’re stuck with it. I wasn’t paying attention at the time and got stuck with the “admin” username.

Problem is, once an install is launched the username can’t be changed simply by re-entering a different one. There are some complicated ways of changing the login by editing the server database, but who has time for that?

But here’s the easy way to change your Username:

Go to Users> Add New and simply add a new user with the role of “Administrator.” Now your site has two Administrators.

Copy your personal info from the old Admin user to the new one, which must have a di]erent email address, of course.

Then, log out and log in with the new account, and delete the old “Admin” user. When you delete a user, WordPress automatically asks who should that user’s posts be attributed to. Attribute the posts to your new user account, under whatever name you entered.

Delete the Admin user, and boom – the new user is now the Administrator with all the posts properly attributed.

This process takes about 2 minutes to complete.

INSTALL SECURITY PLUGINS

But that is not all that is recommended to fend off a Brute Force Attack. Experts suggest installing a security plugin to stop the Bot from automatically attempting to log in to your site.

I use Login Security Solution and have set the allowed login attempts to 2 and told it to tell me whenever there is a failed login attempt. I also asked it to log me out after 15 minutes if there is no activity.

The next day I found eight alerts from Login Security Solution saying, “Attack Happening to Tasting Room Confidential”

The first, dated Saturday 11:07 pm, read:

“There have been at least 10 failed attempts to log in during the past 120 minutes that used one or more of the following components:

Component     Count  Value from Current Attempt
------------  -----  --------------------------------
Network IP    1      87.253.162
Username      10     admin
Password MD5  1      f73c383d54473ee1286209c0102044e3

The Login Security Solution plugin (0.35.0) for WordPress is repelling the attack by making their login failures take a very long time. This attacker will also be denied access in the event they stumble upon valid credentials.

Further notifications about this attacker will only be sent if the attack stops for at least 120 minutes and then resumes.”

Each attack used the craziest password combinations, but they all tried to use the login, “admin.” Did I dodge a bullet or what?

I’m still nervous, after reading that the host of three of my sites, HostGator, is a major target of the bots.

If your site uses the username, “Admin,” change it immediately! And install a security plugin to warn you of an attack.
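The alert quoted above counts failures per component, not just per address, and that distinction matters: a botnet spreads its guesses across many IPs so that no single one trips a per-IP limit, while the username “admin” racks up the hits. Here is an added example, written for this edition and not code from the book or from the Login Security Solution plugin, that implements that kind of detection in Python over a constructed set of login-attempt records. The window (120 minutes) and the threshold (10) are taken from the alert; the timestamps, addresses and usernames are made up, and the addresses come from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=120)   # the alert above counts failures per 120 minutes
THRESHOLD = 10                    # and reports at 10 or more

# Constructed login-attempt records of the kind a security plugin keeps:
# (timestamp, source IP, username tried, succeeded). All addresses are from
# documentation ranges and every event is made up.
_BASE = datetime(2013, 4, 13, 21, 5)


def _ts(offset_seconds: int) -> str:
    return (_BASE + timedelta(seconds=offset_seconds)).strftime("%Y-%m-%d %H:%M:%S")


SAMPLE_EVENTS = (
    # one noisy address hammering "admin" every four seconds
    [(_ts(4 * i), "203.0.113.7", "admin", False) for i in range(10)]
    # a distributed attempt: four addresses, three tries each, all against "admin"
    + [(_ts(600 + 300 * i + 30 * j), ip, "admin", False)
       for i, ip in enumerate(["198.51.100.11", "198.51.100.12",
                               "198.51.100.13", "198.51.100.14"])
       for j in range(3)]
    # the site owner mistyping once, then logging in
    + [(_ts(1500), "192.0.2.9", "mari", False), (_ts(1530), "192.0.2.9", "mari", True)]
    # the noisy address eventually getting in: the case the plugin still blocks
    + [(_ts(3300), "203.0.113.7", "admin", True)]
)


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def failures_in_window(events, keyfunc, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Group failed logins by keyfunc(ip, username) and return {key: peak count}
    for every key whose failures reach threshold inside any sliding window."""
    times_by_key = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            times_by_key[keyfunc(ip, user)].append(_parse(ts))
    flagged = {}
    for key, times in times_by_key.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def noisy_ips(events) -> dict:
    """Addresses that fail often enough on their own: the classic rate-limit trigger."""
    return failures_in_window(events, lambda ip, user: ip)


def targeted_usernames(events) -> dict:
    """Usernames under attack across many addresses, which a per-IP limit alone misses."""
    return failures_in_window(events, lambda ip, user: user)


def successes_from_flagged_ips(events) -> list:
    """Successful logins from an address already flagged: credentials stumbled upon."""
    flagged = noisy_ips(events)
    return [(ts, ip, user) for ts, ip, user, ok in events if ok and ip in flagged]


if __name__ == "__main__":
    print("noisy IPs:", noisy_ips(SAMPLE_EVENTS))
    print("targeted usernames:", targeted_usernames(SAMPLE_EVENTS))
    print("successes from flagged IPs:", successes_from_flagged_ips(SAMPLE_EVENTS))
```

On the sample, only one address is noisy enough to be flagged by itself, but “admin” collects 22 failures across five addresses; that is the signal that tells you the username, not just one IP, is what the bots are after, and why renaming it is the first fix.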

Don’t think a brute force attack can’t happen to you.

Chapter 6 Use Mantras as Passwords to Achieve Web Nirvana

For Internet users, passwords have become the keys to our online lives. Every website you want to interact with requires a login and password, so that means having a lot of passwords.

How in the world do you create umpteen passwords and maybe commit them to memory?

I myself have over 100 passwords that I use on a regular basis that should be changed almost as regularly.

According to Microsoft, passwords should be changed every three months. They should contain at least eight letters, have a combination of three upper/lower case letters, punctuation, symbols and numbers. And never use the same password twice. Cyber thieves love it when you do that.

Also, they say not to use dictionary words (as opposed to what, I don’t know) backward spelling, common misspelling and abbreviations, sequences, repetitions, or personal information.

WordPress now includes a Password Generator in its core, but let’s admit, they’re boring, meaningless and impossible to remember.

What else can you use as a password?

Try using a mantra.

Mantras

In various Indian religions, “a mantra is a Sanskrit term for a sound, syllable, word or group of words that are considered to be capable of creating transformation.”

The most famous mantra is “Om,” pronounced “Oooohhhhhhhmmmmmmmm” during meditation. It is placed at the beginning of most Hindu texts as a sacred incantation to be intoned at the beginning and end of a reading of the Vedas or prior to any prayer.

Mantras are like statements of intention that can be used to focus one’s attention on a particular action or subject. So if you would say a mantra at the start of a reading or prayer, why not use them in passwords when logging in to your WordPress site?

Password Fun

By having a full sentence of positive, intentional and inspirational words to type in before beginning an online task, you will not only focus your attention and intent, you’ll also have a bit of fun.

Mantra passwords like, “Mywritingisawesomein11/13,” or “1053ReadersWillLoveThisToday!” overqualify as strong passwords in an online password checker. Best of all, they’ll put you in a positive mental frame.

If you are logging into a Flickr account try something like: “101photosofIrelandlookgreat!”

A PayPal password might be: “MakingMoreMoneyin2012$.”

An airline frequent flyer account password could reflect your travel bug with: “Gettingaboardfor30days&nights.”

If you change your passwords frequently enough, they can reflect a series of progressions toward a goal like: “500NewSubscribersin12/13.”

For even more fun, you can make your username a question to answer with your password.

You probably want to exclude trendy phrases and cultural references from your mantra login or password.

Mantracize your Passwords

There’s a lot you can do with mantra passwords. Reinforce good habits, describe your cat, play with words – it’s all good as a mantra password. Just remember to add caps, numbers and symbols, and the hackers will never be able to crack your code.
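To see how the rules listed earlier in this chapter (eight characters or more, mixed case, a number, a symbol, no dictionary words, sequences or repetitions) judge a mantra password, here is an added example in Python, written for this edition and not code from the book or from any online password checker. The short list of common words is a constructed stand-in for the dictionary and leaked-password lists a real checker loads, and the bit estimate assumes every character was chosen at random, which a mantra is not; it is there to show why length is what makes these passwords slow to guess.

```python
import math
import string

# Constructed stand-in for the dictionary and leaked-password lists a real checker loads.
COMMON_WORDS = {"password", "letmein", "welcome", "admin", "wordpress", "qwerty"}


def has_run(pw: str, n: int = 3) -> bool:
    """True if pw contains n identical characters in a row (aaa, 111) or n
    consecutive code points in either direction (abc, 123, cba)."""
    for i in range(len(pw) - n + 1):
        codes = [ord(c) for c in pw[i:i + n]]
        if {b - a for a, b in zip(codes, codes[1:])} in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str) -> list:
    """Return the names of the rules from the chapter that pw fails (empty list = passes all)."""
    failures = []
    if len(pw) < 8:
        failures.append("length")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("mixed case")
    if not any(c.isdigit() for c in pw):
        failures.append("number")
    if not any(c in string.punctuation for c in pw):
        failures.append("symbol")
    lowered = pw.lower()
    if lowered in COMMON_WORDS or lowered[::-1] in COMMON_WORDS:
        failures.append("dictionary word")
    if has_run(pw):
        failures.append("sequence or repetition")
    return failures


def guess_space_bits(pw: str) -> float:
    """Bits of a brute-force search over the character classes used, assuming
    every position is random. A mantra is mostly dictionary words, so its real
    strength is lower than this number; its length is what still makes it slow."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for candidate in ["Mywritingisawesomein11/13", "password", "abc12345", "Passw0rd!"]:
        print(candidate, check_password(candidate), round(guess_space_bits(candidate)))
```

The last candidate is the caveat: “Passw0rd!” satisfies every rule on the checklist yet is a pattern guessing tools try early, because it is a dictionary word with the usual substitutions. A checklist cannot see that; a long mantra of several words stays strong because guessing tools have to work through the whole length of it.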

And who knows? Mantra passwords could be your ticket to Web nirvana.

Chapter 7 3 Ways to Protect Your Email Address From Hackers and Spammers

Does your email address get spam? Have you noticed an increase of spam since building your website? Is that driving you crazy?

If you answered yes to the above then it’s time to find a way to protect your email address from the hackers who scrape websites for email addresses and then sell them to spammers who fill your inbox with crap.

Email spam is a huge business because, believe it or not, it works. There’s a sucker born every day who will click a strange link and download malicious code to their computer to place yet more spam on the internet. Yet more will actually engage with the spammer and even buy something!

They have to be stopped!

Email spam stats

According to statistica.com, the share of email that is spam has actually dropped in the past two years, from 71% in April of 2014 to 54% in December of 2015.

Securelist.com shows that spam comes from everywhere in the world, but the biggest exporters are the USA (we’re #1!), Vietnam and China, in that order.

Canadians should take small comfort that only 1.2% of spam is aimed at them. Germany at 18.4%, Brazil at 11% and Russia at 7.5% are the top three targets.

Trojan-Spy.HTML.Fraud.gen is the most popular malicious program sent through email spam.

So not only is spam a constant annoyance, it’s quite dangerous.

Read more about email spam.

How email scraping works

The way your email gets on a spam list is through website scraping. If your email address is visible, then it is scrapable. Scrapers use sophisticated tools to scrape sites by the thousands per minute. Why these tools are not illegal is beyond me.

Why should I bother to victimsplain their evil techniques? Here’s some sales text I pulled from the site of one scraping tool developer, in their own words:

ScrapeJerks has a powerful multi-threaded email scraper which can harvest email addresses from webpages, it also has proxy support so each request is randomly assigned a proxy from your list to keep your identity hidden or prevent sites blocking you by IP address due to too many queries. The ScrapeJerks email harvester also works with https URL’s so it can work with sites like FaceBook and Twitter that require a secure connection. It also has an adjustable user-agent option, so you can set your user-agent to Googlebot to work with sites like SoundCloud.com or you can set it as a regular browser or even mobile device for compatibility with most sites. When exporting you also have the option to save the URL along with the scraped email address so you know where each email came from as well as filter options to extract only specific . Because the Email Grabber function is multi-threaded, you can also select the number of simultaneous connections as well as the timeout so you can configure it for any connection type regardless if you have a powerful server or a home connection. If you need to harvest URL’s to scrape email addresses from, then ScrapeJerks has a powerful Search Engine Harvester with 30 different search engines such as Google, Bing, Yahoo, AOL, Blekko, Lycos, AltaVista as well as numerous other features to extract URL lists such as the Internal External Link Extractor and the Sitemap Scraper. Also recently added is an option to scrape emails by crawling a site. What this does is allows you to enter a domain name and select how many levels deep you wish to crawl the site, for example 4 levels. It will then fetch the emails and all internal links on the site homepage, then visit each of those pages finding all the emails and fetching the internal links from those pages and so on.

Personally, I think the developers of this tool should be in jail, but that’s another matter.

Your exposed emails

You can find instances of exposed email addresses by first doing a site search. Search for a specific email address, or for the link prefix, “mailto:”

The easiest way to create an email link in WordPress is also the easiest way for hackers to scrape your email address: by placing “mailto:” in the link box.

By clicking this link, a user’s email client pops up and creates a pre-addressed email message, ready to complete:

Here is how a scraping tool sees that email address in the website code:

And then the scraper grabs it, using a tool such as the ScrapeJerks described above. Don’t let that happen!

So, the problem is email scrapers. The question is how to protect your email address from them. The solutions are many and varied. Here are three.

Spell out email addresses

This is the oldest solution in the book, spelling out mari [at] marikane [dot] com.

It’s also one of the lamest. Users then have to type the address into their email message which increases the chance of mistakes, and it reduces usability.

Basic, but unsophisticated.

Contact Forms

Contact forms do a great job of hiding email addresses.

There are problems with contact forms, though. One is users’ resistance to filling out the annoying Captcha code that filters spambots. Also, users may not like to use a form unless there is an option of sending a copy of the message to themselves. Or, users want to put your email in their database, though hopefully not to spam you.

If you have a Contact page and a lot of “mailto:” links pointing at your email address, I suggest finding all those links and changing them to your Contact page link.

This can be done easily using a plugin like Search and Replace.

Search for “mailto:[email protected]” and replace with ““

That way, when the old “mailto:” link is clicked, users will be directed to the Contact page, and the email scrapers will be none the wiser.

Obfuscate email plugin

What if you have a site that links to many different email addresses, not just the one connected to the Contact page? Say, your professional association’s website.

All those members who innocently place their email addresses in a “mailto:” link are at risk of having them scraped and added to some American’s spam list.

What to do? Obfuscate.

There are plugins that will find those “mailto:” links and obfuscate the addresses with code.

The easiest one I’ve found is appropriately named Obfuscate Email and is ready to work right out of the box. Seriously, all you have to do is activate it, save the default settings, refresh the pages and boom! All email addresses are replaced with gibberish on the back end while retaining the appearance and functionality of an email link on the front end.

To see it in action you must refresh the page, then view the Source in your web browser and find the email in question. You’ll see that it looks like this.

Best of all, this is how the email scrapers see your email address.

Voila! Email scraping foiled!
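What that gibberish in the page source actually is, and why a source-level harvester misses it while a browser does not, is easiest to see by doing it by hand. Here is an added example in Python, written for this edition and not the code of the Obfuscate Email plugin, that rewrites a constructed page fragment the way such a plugin does (every character of the address turned into a numeric HTML entity) and then runs a harvester-style regex over the plain and obfuscated versions. The address editor@example.com and the page text are made up.

```python
import html
import re

# Pattern of the kind an email harvester runs over raw page source.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAILTO_RE = re.compile(r'<a href="mailto:([^"]+)">([^<]*)</a>')

# Constructed page fragment with a plain mailto link; the address is fictitious.
SAMPLE_PAGE = (
    '<p>Questions? Write to '
    '<a href="mailto:editor@example.com">editor@example.com</a> any time.</p>'
)


def naive_scrape(page_source: str) -> list:
    """What a source-level harvester finds: every address-shaped string in the raw HTML."""
    return EMAIL_RE.findall(page_source)


def entity_encode(text: str) -> str:
    """Encode every character as a decimal HTML entity. A browser decodes
    entities before rendering, so the visitor sees and clicks the real address."""
    return "".join(f"&#{ord(c)};" for c in text)


def obfuscate_mailto(address: str, label: str = "") -> str:
    """Return an <a href="mailto:..."> element whose href and visible text are entity-encoded."""
    return '<a href="{}">{}</a>'.format(entity_encode("mailto:" + address),
                                        entity_encode(label or address))


def obfuscate_page(page_source: str) -> str:
    """Rewrite every plain mailto link in a page, which is what the plugin does on output."""
    return MAILTO_RE.sub(lambda m: obfuscate_mailto(m.group(1), m.group(2)), page_source)


def rendered_view(page_source: str) -> str:
    """The page as a browser (or any scraper that bothers to decode entities) sees it."""
    return html.unescape(page_source)


if __name__ == "__main__":
    protected = obfuscate_page(SAMPLE_PAGE)
    print("plain source finds:     ", naive_scrape(SAMPLE_PAGE))
    print("obfuscated source finds:", naive_scrape(protected))
    print("browser sees:           ", naive_scrape(rendered_view(protected)))
```

The last line of output is the honest limit of this technique: the rendered page still contains the address, so a scraper that decodes entities or drives a real browser gets it anyway. Entity obfuscation defeats the cheap regex harvesters, which are most of them, and costs visitors nothing; it is not a substitute for a contact form when the address must never appear at all.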

Protect Your Email Address now

Don’t drown in email spam, and if you are already swamped, plug that dike now!

One way or another, you’ve got to protect your email address from hackers and spammers or they will make your life miserable.

Chapter 8 How to Kick Content Scrapers in the Balls

People will do anything these days to post free content. Instead of writing something fresh, they would rather copy posts from your site and post them on their own. It’s much less evil than it is lazy.

Content scrapers think that by including a by-line at the top of the post and an attribution at the bottom – or not – that it’s “curation.” But it’s still copyright infringement. I’ve found that even Content Marketing “experts” will scrape content, and then advocate the practice as “Curation,” like it’s a smart thing to do.

What exactly is content scraping

According to Google, examples of scraping include:

• Sites that copy and republish content from other sites without adding any original content or value
• Sites that copy content from other sites, modify it slightly (for example, by substituting synonyms or using automated techniques), and republish it
• Sites that reproduce content feeds from other sites without providing some type of unique organization or benefit to the user
• Sites dedicated to embedding content such as video, images, or other media from other sites without substantial added value to the user

How content gets scraped

Your content can be scraped in any number of ways, both overt and covert.

SCRAPED VIA RSS

If your site has an RSS Feed, and it should, you’re making it very easy to scrape your content. Scrapers use the feed to deliver your text, images and links right to their service.

One way to combat scrapers is to change your RSS Feed from Full to Summary, so they only get the first paragraph. Trouble is, all your Feed recipients would get the Summary, and you may not want that.

HACKING SCRAPING

Content scrapers can become almost like hackers in the way they use fetching, AJAX, CSS Hooks and Markup to steal your content. Don’t believe me? Read what this assho…er, scraper has to say.

SCRAPING TOOLS

In my post, The Difference Between Content Scrapers and Eels, I mentioned that Google might advise against web scraping, but it does offer a Chrome app called Web Scraper to make the scraping easier!

Do scrapers merely select your text and images, copy them and paste them into their site? I don’t think so. Content scrapers are too lazy for that. So don’t bother using a plugin to prevent text selection. That will only frustrate you when you need to copy something yourself.

Draw your line

Some people say content scraping is a good thing for deep link building and to just let it happen. Others say scraping is like whack-a-mole, that you can take one down and another pops up.

What I say is you should be vigilant and pick your battles with content scrapers by deciding what line has to be crossed before you’ll take action.

For me, since most of my stuff was scraped from Business2Community.com, with which I had an agreement to curate my stuff, my line was drawn at the links.

• If a scraper posted an entire article, links and all, and did not link back to Blogsitestudio.com, they were on my shit list.
• If the scraper did not include any attribution, they were really on my shit list.
• If a scraper attributed a full post to themselves, boy did I let them have it!

But that’s just me. You might have shorter lines in the sand.

Ways to kick content scrapers in the balls

There is no reason to let content scrapers get away with copying and profiting from your writing. Here are more ways to kick them in the balls.

EMAIL A LEGALESE LETTER

Start nice. Email the scraper a sober, non-threatening letter, written by a lawyer or like a lawyer. State the fact that they are using your content illegally, point out the law as it applies under the Digital Millennium Copyright Act (DMCA), and make a demand.

Be sure to include a deadline so they know you’re ready to take it to the next level.

NO EMAIL – TRY SOCIAL MEDIA

Some sites are so shady, they don’t even have a Contact page or link to email of any kind. But maybe the Admin has a name. Try Googling that. If you find the person on social media, make a connection and send your demand letter that way.

I found one of my scrapers on Linkedin and invited him to connect, which he did. I sent my demand letter to him, but he ignored it.

NO EMAIL OR SOCIAL – TRY COMMENTS

If the scraper has no email on the site and no name to search for on social media, just about the only thing you can do is place the demand letter – or an excerpt – in the post’s comments. If the site is on auto-pilot, the comment will appear. If it’s being moderated, the scraper is forced to see the demand letter.

Takedown #1 – Thanks to WordPress.com

The problem with commenting is that it might lead to an online fight, and that can look messy.

Request a Takedown

Having no satisfaction from contacting the content scrapers directly, your next option is to complain to the hosting company under the auspices of the DMCA.

HOSTED SITES

What’s great about your scraper being hosted by a free platform, like WordPress.com, is that you can complain directly to them and they will be your enforcer. After all, hosts don’t want to condone copyright infringement any more than a normal person would, corporations being people and all.

I appealed to these complaint departments, and googling the provider and “DMCA” will get you to the same pages. Their forms are easy to complete. Include your personal information, the infringing URL, the source URL, and a description.

In my experience, the hosts acted quickly and decisively in their takedown of my scraped posts, sometimes notifying me with an email.

Here are the providers to whom I’ve complained so far:

• WordPress.com
• Blogger.com
• Tumblr.com

SELF HOSTED SITES

If the scraper has a self-hosted site, it takes a bit more work to find the correct ISP with whom to complain.

You can check Whois.net to find the infringing site’s hosting provider. Sometimes it’s not so easy, especially if they pay to conceal the information.

The Name Server is the host to whom you will complain.

USING DMCA

You can certainly craft a letter using the language of the DMCA and the pertinent information.

Here is a sample DMCA Takedown Request you can use. You can send that to the abuse email for the ISP, whilst CCing the site owner.

I found that DMCA offers a DIY Takedown service called Website Protection Pro that is pretty cool. For $10 per month (or less with a coupon found on the Internet) you can use the service for an unlimited number of cases. They provide you with forms to complete, which you save as PDFs and send to ISPs.

So, for $7 I used the DMCA DIY Takedown service and was surprised to find that not only was my scraped content removed, but the entire site was taken down!

The Managed Takedown service also offers a Lookup Tool to find the correct ISP for the infringing site, similar to Whois.net. And, DMCA offers badges to place on your site to let scrapers know you have “protection.”

(The “Content Marketing” scraper whose site was removed promptly contacted me through Facebook to apologize. I checked out his other site where his most current post described the art of content “curation.” Bugger.)

Also, the Chilling Effects database collects and analyzes legal complaints and requests for removal of online materials, helping Internet users to know their rights and understand the law. The data enables them to study the prevalence of legal threats and lets Internet users see the source of content removals.

Screw the scrapers

If getting a scraped post or site taken down is not satisfying enough, you can hit scrapers harder where it hurts.

In How to Identify Content Thieves and Hit Them Where it Hurts, Jennifer Mattern outlines more fun ways to kick content scrapers in the balls.

GETTING STOLEN CONTENT DE-INDEXED FROM SEARCH ENGINES

First, I contact the major search engines with DMCA requests to have the infringing material removed from their search results. This way, if the scraper happens to be getting any search traffic, that can be shut down.

STRIPPING THEIR AD REVENUE

If the site owner is using an ad network to serve ads on the infringing content, report them to the network. They’re almost guaranteed to be in violation of the ad network’s terms. After all, the advertisers paying that ad network don’t want their ads running alongside illegally-published material. So the network is in a position to take action. If they have private advertisers, you could also reach out to them. Chances are they’ll discontinue their ad contracts if they find out their company is associating with a site owner who openly breaks the law. Some won’t. And it won’t always be worth your time if there are many private advertisers.

GO ABOVE THEIR HEAD

This site was also hotlinking my images (instead of hosting a copy themselves, they were loading it directly from my server to their site, which steals your bandwidth)…I had a bit of fun redirecting image files to an “I steal content” image when they were loaded from his site.

TAKE ADVANTAGE

Benjamin Ehinger, in How to Prevent Content Scraping on Your Work, describes An Approach Allowing You to Take Advantage of Content Scrapers.

• Auto Link Keywords – With a plugin, such as SEO Smart Links, you can actually replace keywords with affiliate links. This will help you gain even more links pointing to your affiliate account when a scraper steals your content.
• Internal Linking – When you add a large amount of internal links to your posts, scrapers will actually link back to your posts when they use your content. This is a good way to get backlinks and steal some of their visitors.
• Use an RSS Footer – With the RSS Footer plugin or the feature in WordPress SEO by Yoast, you can create an RSS Footer. This can be customized however you want and you can promote your own products in your RSS. This will help you when a content scraper steals your content.

Do something

If your posts have been scraped, whatever you do, don’t do nothing to kick content scrapers in the balls.

Please do something to make lazy-ass site owners think twice about stealing your content and possibly damaging your reputation, sucking your link juice, outranking your original posts, and making the Internet a cesspool of repetitive content.

You’ll be helping to make the Internet a better place.

Chapter 9 Damn that Referrer Spam from Google Analytics

When it comes to annoyances, referrer spam is right up there with hacking. Few things are more irritating than seeing a bunch of flakey URLs in your Google Analytics dashboard pretending they’re sending hits to your site.

Referrer spam is where fake websites use bots to pound your site with requests, which makes their URLs show up on your Google Analytics dashboard. Spammers hope you will click on those links and give their sham site traffic, or better yet, inadvertently link back, which helps to bump their site’s search engine rankings.

At best, referrer spam bots totally skew your Google Analytics results. So when you want to show your stats to a client, potential advertiser or sponsor, the numbers of unique visitors are exaggerated and your bounce rate is 100%. It looks terrible!

Ghost spam is even dodgier since it doesn’t actually interact with your site, but it leaves a trail of fake data in its wake.

Worse, spam bots can make your site part of a botnet, where your site is more easily accessed across hundreds of IP addresses around the world.

At worst, spam bots inject malicious code into your site to make it part of that botnet, and to forward yet more spam and viruses.

It’s not a pretty picture.

Hopefully, you have anti-virus software on your computer, since that is often the way spam is forwarded.

Read More: The Best Tips to Securing WordPress Websites and Keeping Hackers Out

There are several popular ways to damn that referrer spam, but unfortunately they don’t all work. I’ll show you those two first and then I’ll give you a tool that does indeed work to damn your referrer spam to hell.

.htaccess file

Some people recommend adding referrer spam URLs to the .htaccess file to presumably turn the bot back at the door. But you have to be careful. The .htaccess file, like wp-config, is sensitive enough to the workings of your site that one false character can shut it down.

Here’s a video tutorial that discusses comment spam and how to block it in an .htaccess Zle:

Security plugins, like All in One Security, have places to paste the spammy URLs and will code them in for you.

The downside to this method is constantly adding new referrer spammers that come along. What a hassle! And, it doesn’t always work.

Google Analytics Filters

The other recommended way to block referrer spam is set up in Google Analytics itself. You go to All Filters, then Add Filter to View, and fill out the necessary information for each and every spammy URL.

Here’s a video tutorial to show you how to simply hide referral spam from your Google Analytics results.

Again, the downside is continually adding all the spammers that hit your site. This is even more work than the .htaccess file. And still the buggers slip through!
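Whether an .htaccess rule can help at all depends on whether the spammer ever touched your server, and the only way to know is to look at the web server’s own log rather than the Analytics dashboard. Here is an added example in Python, written for this edition and not code from the book, Loganix, or any plugin, that reads a few constructed lines in the standard Apache/Nginx “combined” log format and pulls out two things from earlier chapters: the referring hosts that actually hit the server (the only ones an .htaccess block could ever catch, and the place to spot “ghost” referrers that never did), and image requests whose referring page lives on another host, which is the hotlinking Jennifer Mattern describes in the previous chapter. The log lines, the site’s own host name (www.example.com), the referrer list standing in for a Google Analytics report, and every address and spam domain are constructed; the addresses are from documentation ranges.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format, the traffic the .htaccess rules above see.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

OWN_HOSTS = {"www.example.com", "example.com"}   # the site being protected (constructed)
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".webp")

# Constructed log lines; every address is from a documentation range and every
# host name is fictitious.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:10:01:02 +0000] "GET /2016/03/post/ HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
198.51.100.8 - - [10/Mar/2016:10:02:10 +0000] "GET /wp-content/uploads/2016/03/photo.jpg HTTP/1.1" 200 80211 "http://scraper.example/stolen-post/" "Mozilla/5.0"
198.51.100.8 - - [10/Mar/2016:10:02:11 +0000] "GET /wp-content/uploads/2016/03/photo.jpg HTTP/1.1" 200 80211 "http://scraper.example/stolen-post/" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2016:10:03:00 +0000] "GET / HTTP/1.1" 200 7300 "http://free-share-buttons.example/" "Mozilla/5.0 (compatible; spambot)"
203.0.113.9 - - [10/Mar/2016:10:04:30 +0000] "GET /wp-content/uploads/2016/03/photo.jpg HTTP/1.1" 200 80211 "http://www.example.com/2016/03/post/" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2016:10:04:31 +0000] "GET /wp-content/uploads/2016/03/photo.jpg HTTP/1.1" 200 80211 "-" "Mozilla/5.0"
"""

# Referrers as they would appear in an Analytics report for the same hour (constructed).
GA_REFERRERS = ["www.google.com", "free-share-buttons.example", "ghost-traffic.example"]


def parse_log(text: str) -> list:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def referer_host(record: dict):
    """Host name of the Referer header, or None for '-' / empty (direct visits)."""
    return urlsplit(record["referer"]).hostname


def hotlinked_images(records: list, own_hosts=OWN_HOSTS) -> dict:
    """Count image requests whose referring page lives on another host.
    Requests with no Referer are not counted: many clients send none, and
    blocking them would break the images for those visitors."""
    counts = Counter()
    for r in records:
        host = referer_host(r)
        if r["path"].lower().endswith(IMAGE_EXTS) and host and host not in own_hosts:
            counts[(host, r["path"])] += 1
    return dict(counts)


def referrer_hosts(records: list) -> Counter:
    """Every referring host that actually hit the server, with request counts.
    These are the only referrers an .htaccess rule could ever block."""
    return Counter(h for h in map(referer_host, records) if h)


def ghost_referrers(ga_referrers: list, records: list) -> list:
    """Referrers in the analytics report that never appear in the server log.
    Ghost spam posts fake hits straight to Analytics, so it can only be
    filtered on the Analytics side, never at the web server."""
    seen = referrer_hosts(records)
    return [h for h in ga_referrers if h not in seen]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("hotlinked:", hotlinked_images(recs))
    print("referrers in log:", referrer_hosts(recs))
    print("ghost referrers:", ghost_referrers(GA_REFERRERS, recs))
```

On the sample, free-share-buttons.example really did request a page, so a server-side block would stop it next time; ghost-traffic.example never appears in the log, which is exactly why adding it to .htaccess does nothing and only an Analytics-side filter or segment can hide it.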

Loganix

While researching this post, I stumbled upon the Loganix Ghost/Referral Spam Tool. I’ll admit to being skeptical when I read their site, but since the tool is free, I decided to give it a try.

With Loganix you can see the referral spam as well as real traffic.

Once confirmed, I clicked on a link that opened a browser window and had me choose a view to filter and create a segment.

This video shows how Loganix works.

When I got to the GA dashboard I just needed to create a new segment to select the loganix filtered view. With both All Sessions and loganix.net selected you can see the difference between the spammed view and the clean view.

As for the downside of staying up to date with the newest spambots, that happens once per week when you receive the Loganix link to upload their updated filter.

So instead of copy/pasting URLs into the Google Analytics filter or your .htaccess file, you upload the tool to your Analytics dashboard once a week, select the view, and that’s it!

I’ve been watching a handful of sites on my Google Analytics dashboard and the Loganix tool definitely works. Better for some sites than others. The sites that have been hacked in the past still get spam, probably being part of a botnet.

The company does warn that the tool is 97% accurate, so there’s that. Give it a try!

Damn that referrer spam

Of course, none of these methods works retroactively, which makes doing something immediately more urgent.

It would be great if Google would make our lives easier by working their algorithmic magic to make all referrer spam go nowhere, but until that fine day this is what we have to work with.

Chapter 10 How SSL Certificates Give Your URL the Cone of Silence

The SSL Certificate has been kicking around for a while as yet another tool in the website protection toolbox.

You’ve seen it before, the “s” at the end of “http” and the tiny green lock icon with the word, “Secure” next to it. Those have appeared in the address bar of big sites for a long time and you probably always thought https was just for the most high-trafficked ecommerce sites on the Web.

Now, https is showing up everywhere: on small blogs and medium sized business sites, and you’re wondering if your sites should have https too.

The answer is, yes, all websites should have SSL certificates to give the URL an “https” prefix.

What are SSL Certificates?

The acronym “SSL” stands for Secure Sockets Layer, which is a worldwide standard in security technology. SSL enables communication between a web browser and a web server to be encrypted, and it is particularly important for protecting sensitive information like credit card numbers, usernames, passwords, emails, etc. from being stolen or tampered with by hackers.

Read More: The Best Tips to Securing WordPress Websites and Keeping Hackers Out

First, the SSL authenticates the identity of the website and guarantees to visitors that they’re not on a bogus site. Then, the SSL encrypts any data being transmitted between the site and the visitor.

If you want a cultural reference, SSL creates a “cone of silence” between the website and the user.

To create this secure cone of silence, you need to create an SSL certificate (or “digital certificate”) and install it on your web server.

SSL TYPES

Not all SSL Certificates are created equal. There are three different types of SSL.

• Single – secures one fully-qualified domain name or subdomain name
• Wildcard – covers one domain name and an unlimited number of its subdomains
• Multi-Domain – secures multiple domain names
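The three types differ only in which names the certificate lists, and the one rule worth knowing before you buy a Wildcard is how a browser matches a wildcard name. Here is an added example in Python, written for this edition and not code from the book or from any certificate authority, that classifies a certificate by its list of DNS names into the three types above and applies the browser’s matching rule: a wildcard stands for exactly one label, so *.example.com covers www.example.com but neither example.com itself nor a.b.example.com. The domain names are constructed.

```python
def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def covers(cert_name: str, hostname: str) -> bool:
    """Does one name from a certificate match a hostname? A wildcard stands for
    exactly one leftmost label, so *.example.com matches www.example.com but
    neither example.com itself nor a.b.example.com (RFC 6125 matching)."""
    cert_name, hostname = _normalize(cert_name), _normalize(hostname)
    if not cert_name.startswith("*."):
        return cert_name == hostname
    base_labels = cert_name[2:].split(".")
    host_labels = hostname.split(".")
    return len(host_labels) == len(base_labels) + 1 and host_labels[1:] == base_labels


def covered_by(san_names: list, hostname: str) -> bool:
    """Whether any name the certificate lists covers the hostname being visited."""
    return any(covers(n, hostname) for n in san_names)


def classify_certificate(san_names: list) -> str:
    """Map the DNS names a certificate lists onto the three types above."""
    names = sorted({_normalize(n) for n in san_names})
    wildcards = [n for n in names if n.startswith("*.")]
    if wildcards:
        bases = {w[2:] for w in wildcards}
        plain = [n for n in names if not n.startswith("*.")]
        if len(bases) == 1 and all(n in bases for n in plain):
            return "Wildcard"
        return "Multi-Domain"   # wildcards for several domains, or mixed with unrelated names
    return "Single" if len(names) == 1 else "Multi-Domain"


if __name__ == "__main__":
    for sans in (["www.example.com"], ["example.com", "*.example.com"],
                 ["example.com", "www.example.com", "example.net"]):
        print(sans, "->", classify_certificate(sans))
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print("*.example.com covers", host, "->", covers("*.example.com", host))
```

The practical consequence: a Wildcard certificate that lists only *.example.com leaves the bare example.com uncovered, which is why certificate authorities normally include both names; and a nested subdomain such as blog.dev.example.com needs its own name on the certificate. Name matching is also only one of the checks a browser performs; it separately verifies the certificate chain and validity dates, which this example does not model.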

VALIDATION TYPES The level of SSL validation also varies depending on the amount of investigation into the site’s owners. And money.

DOMAIN VALIDATION This level is the cheapest SSL. The Certificate Authority verifies only that whoever asked for the certificate controls the domain name, typically by checking a DNS record, a file placed on the web server, or an email to the registrant. Note that the encryption is identical at every validation level; what the higher levels add is checking of who you are, not stronger protection of the traffic.

ORGANIZATION VALIDATION In addition to verifying control of the domain name, Organization Validation also verifies the legal identity of the organization behind the site, such as its business registration, address and phone number, which then appear in the certificate.

EXTENDED VALIDATION This provides the highest degree of identity assurance because of the thorough examination it requires. In addition to domain control and entity authentication, the legal, physical and operational existence of the entity is verified.

Extended Validation also used to give your site the added perk of having the company name featured next to the URL in a bright green font. Browsers have since dropped that green display (Chrome and Firefox removed it in 2019), so today an EV certificate looks no different from the others in the address bar.

Why your site should have a SSL The most fundamental reason a site needs an SSL Certificate is because it collects and stores personal and sensitive information. Those could be:

• Usernames and passwords
• Credit card numbers
• Bank information
• Names, addresses
• Birthdates
• Social security numbers
• Business contracts
• Email lists
• Medical records

So you say to yourself, my little blogsite doesn’t sell anything, and all the names and emails I collect are stored on the secure servers of Mailchimp or AWeber. Why does my site need https? (Even then, a page served over plain http can be altered on its way to the visitor, so the sign-up form itself could be tampered with before a single email ever reaches those secure servers.)

This brings us to the peripheral, but more crucial reason to obtain SSL certiZcation:

Google demands https Since August of 2014, Google has used HTTPS as a signal for ranking in its search engine:

For now it’s only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

That bit about “over time”? Well, the time is now.

In September of 2016, Google said:

Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

Imagine how a warning like that would affect your traffic, as well as your users’ confidence in your site.

As for getting an SSL bump, I noticed more traffic to this site last fall after getting an https prefix, so there’s that.

Where to get SSL There are a number of Certificate Authorities (CAs) authorized to issue digital certificates to people and companies, both free and paid.

PAID SSL You can find and compare them at SSL Shopper.

While the certificate may be the same across the board, each provider will have different levels of products, prices and customer support on offer.

According to SSL Shopper, the cheapest Single Domain Name SSL Certificate appears to be $17 for 3 years from GeoTrust. (Prices change, and since September 2020 browsers no longer accept publicly trusted certificates valid for more than 398 days, so a multi-year purchase today is a bundle of shorter certificates that must be reissued along the way, not one three-year certificate.)

FREE SSL But, if you like free things, there’s a new SSL kid in town and its name is Let’s Encrypt.

According to their About page:

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.

Here’s how the Let’s Encrypt domain validation works: an ACME client on your server asks for a certificate, Let’s Encrypt hands back a challenge token, and the client proves control of the domain by publishing that token either as a file under http://yourdomain/.well-known/acme-challenge/ or as a DNS TXT record. The certificates are valid for 90 days and the client renews them automatically, so set up the renewal job and check that it actually runs.

Let’s Encrypt is offered through almost all the major web hosting providers. This particular site receives Let’s Encrypt support through our host, Cloudways.

Free SSLs are also offered by Cloudflare. They offer a shared SSL certificate on their free plan. One caveat: in Cloudflare’s “Flexible” mode only the browser-to-Cloudflare leg is encrypted and the traffic from Cloudflare to your own server still travels as plain http; put a certificate on your server as well and set the mode to “Full (strict)” so the whole path is protected.

And coming soon for individuals and businesses is FreeSSL, a free SSL certificate project from Symantec. (Symantec has since sold its certificate business to DigiCert, and browsers stopped trusting certificates from the old Symantec roots in 2018, so don’t count on this one.)

After the SSL is installed Once your SSL Certificate is installed and confirmed through a tool like SSL Checker, there are still some tasks to complete.

If you’re building a brand new site and SSL was the third thing you did after registering the domain name and opening a hosting account, you’re in for smooth sailing. Build on!

But if you’re switching an existing site to https, there are a few more miles to go before you sleep.

ON WORDPRESS You’ll need to change the WordPress Address and Site Address on your General Settings page from “http” to “https.”

To reconfigure all your blogsite’s pages and posts to the SSL protocol, install a plugin like Really Simple SSL, which automatically detects your settings and configures your website to run over https. Plugins like this mostly rewrite “http://” links to your own site on the fly as each page is served and redirect http requests to https. The leftover “mixed content” (images, scripts and links to your own site hard-coded with http:// in posts, widgets and theme options) is what makes the padlock disappear, and the permanent fix is a search-and-replace of those URLs in the database.
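That database search-and-replace has a trap: WordPress stores many settings (theme options, widgets, plugin data) as PHP-serialized strings that carry each value’s byte length, and a plain SQL REPLACE() of “http://” with “https://” changes the length without updating the count, so the option silently unserializes to nothing. The following added example (not code from the book) rewrites your site’s URLs while recomputing those lengths, and includes a check that tells you whether a blob is still well-formed. The option values are constructed to look like wp_options rows; the wp-cli command wp search-replace does the same serialization-aware replacement on a live database.

```python
"""Switch a site's URLs from http to https inside PHP-serialized data without
corrupting it.

Added example, not from the book. The option values below are constructed to
look like wp_options rows; real data would come from a database dump.
"""
import re

# Header of a PHP-serialized string: s:<length in bytes>:"
_SER_STR = re.compile(rb's:(\d+):"')


def replace_in_serialized(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new throughout blob, recomputing the byte-length prefix
    of every serialized string the replacement changes.

    Works on bytes because PHP's s:N: counts bytes, not characters.
    """
    out = bytearray()
    pos = 0
    while True:
        m = _SER_STR.search(blob, pos)
        if m is None:
            out += blob[pos:].replace(old, new)  # trailing plain text (or none)
            return bytes(out)
        out += blob[pos:m.start()].replace(old, new)
        length = int(m.group(1))
        start, end = m.end(), m.end() + length
        if blob[end:end + 2] != b'";':
            # Not a well-formed serialized string (text that merely looks like
            # one): keep the header as-is and carry on after it.
            out += m.group(0)
            pos = m.end()
            continue
        # Recurse into the value: WordPress sometimes stores serialized data
        # inside a serialized string, and those inner lengths need fixing too.
        value = replace_in_serialized(blob[start:end], old, new)
        out += b's:%d:"' % len(value) + value + b'";'
        pos = end + 2


def lengths_consistent(blob: bytes) -> bool:
    """True if every s:N:"..." in blob is really N bytes long and ends in '";'.

    False is what a plain SQL REPLACE() leaves behind; PHP's unserialize()
    then returns false and WordPress silently falls back to defaults.
    """
    pos = 0
    while True:
        m = _SER_STR.search(blob, pos)
        if m is None:
            return True
        end = m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':
            return False
        pos = end + 2


# Constructed samples. Scope the replacement to your own domain: replacing a
# bare "http://" would also rewrite external links and XML namespace URLs.
OLD, NEW = b"http://example.com", b"https://example.com"
OPTION_VALUE = (
    b'a:2:{s:4:"home";s:18:"http://example.com";'
    b's:4:"logo";s:27:"http://example.com/logo.png";}'
)
NESTED = b's:42:"a:1:{s:3:"url";s:18:"http://example.com";}";'


def migrate_sample() -> bytes:
    return replace_in_serialized(OPTION_VALUE, OLD, NEW)


if __name__ == "__main__":
    naive = OPTION_VALUE.replace(OLD, NEW)
    print("naive replace still parses:", lengths_consistent(naive))           # False
    print("aware replace still parses:", lengths_consistent(migrate_sample()))  # True
    print(migrate_sample().decode())
```

Take a database backup first, run the replacement over a dump, and only load it back once lengths_consistent() passes on every rewritten value.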

AT GOOGLE Google Analytics needs to know about the https version of your site. Strictly, you don’t need a new account: editing the property’s Default URL dropdown to “https” in the Property Settings is enough, and the existing tracking ID keeps working. If you prefer to register a new property as I did, pull the dropdown to “https” during registration, take the new code snippet and replace the old code with it in your Theme Header.

In your dashboard you’ll then have both properties visible. The old http one will drop off and the new https one will begin tracking at the time of installation.

Webmaster Tools (now Google Search Console) treats the https site as a separate property, so add a new one fronted by the “https” prefix. Do what you did before to verify it.

Stay secure WordPress has just updated to version 4.7.3 and you know what that means. A security fix.

So please update your site now.

Stay safe out there!

Chapter 11 After the Hack: How to Restore Your WordPress Website

Nothing can ruin a day more than discovering your web site has been hacked.

Maybe the home page has been replaced by a Cialis ad. Or, the layout of the site has changed. Or, you can’t login to the Dashboard. Or, your site is blocked by a Google malware alert.

Gahhhh!

After all the hard work you’ve put into your precious website, being hacked can make you feel angry, violated, and a little bit dirty. And traumatized.

But to save your site, you have to put your emotions aside and get to work, thinking as clearly as possible. And, fast!

Here is a list of what to do after the hack, to clean up the site and make it whole again. This list is in the general order of action depending on your knowledge.

I’ve noted the minimum WordPress fluency necessary to accomplish each action.

B – Beginner User, I – Intermediate Designer, A – Advanced Developer

Post-Hack Recovery Tips

REQUEST HELP FROM YOUR HOST For obvious reasons, it’s in your web host’s interest to contain infections on their servers. They might have resources to do something swiftly, like revert to a clean backup, refer you to a cleanup team, or at the very least, give you useful information.

HIRE A PROFESSIONAL – B If you are not a web developer – able to locate and delete malware – and are feeling overwhelmed, hire a professional to clean up your site. If you don’t know someone locally, there are services online to help. For instance, Sucuri offers a $199 cleanup that includes one year of protection.

REFER TO THE WORDPRESS CODEX – B The WordPress Codex offers a step-by-step method of recovering from a hack.

SCAN THE SITE – I Use your site’s security plugin to scan the site for recently modified files, malware, and date stamps: compare the WordPress core files against the official checksums, list everything modified recently, and look for PHP files where none belong, such as wp-content/uploads. In addition to isolating the infection, the dates will tell you how far back you need to go to find a clean backup. If you don’t have a security plugin already installed (tsk-tsk), use a site like Sucuri SiteCheck or Web Inspector to check your site, keeping in mind that an outside scanner only sees what the site serves to a browser, not what is sitting in the files.
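Here is what that file scan looks like when you do it yourself, as an added example (not code from the book): it compares the core files under wp-admin and wp-includes against a checksum manifest, reports any file in those directories that WordPress never shipped, and flags PHP hiding in the uploads folder. The three-file “site” and the manifest are constructed in a temporary directory so the example runs offline; against a real install you would take the manifest from WordPress’s published checksums for your version, which is exactly what the wp-cli command wp core verify-checksums does.

```python
"""Offline integrity scan of a WordPress tree: core files against a checksum
manifest, stray files in core directories, and PHP dropped into uploads.

Added example, not from the book. A constructed mini-site in a temp directory
stands in for a real install; the manifest is the kind of list wp-cli fetches
from api.wordpress.org for `wp core verify-checksums`.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")
PHP_EXT = re.compile(r"\.ph(?:p\d?|tml|ar)(?:$|\.)")  # catches shell.php.jpg too


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree under root with manifest (relative path -> sha256 hex)."""
    findings: dict[str, list[str]] = {
        "modified": [], "missing": [], "unexpected_core": [], "php_in_uploads": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            findings["missing"].append(rel)
        elif sha256_of(p) != digest:
            findings["modified"].append(rel)
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        # Core directories should contain only files WordPress ships.
        if rel.split("/", 1)[0] in CORE_DIRS and rel not in manifest:
            findings["unexpected_core"].append(rel)
        # Uploads are for media; executable PHP there is almost always a webshell.
        if rel.startswith("wp-content/uploads/") and PHP_EXT.search(rel.lower()):
            findings["php_in_uploads"].append(rel)
    return findings


def build_sample_site(compromised: bool = True) -> tuple[Path, dict[str, str]]:
    """Write a three-file 'WordPress' into a temp dir and return it with its
    manifest; with compromised=True, tamper with it the way a hack might."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    shipped = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/version.php": b"<?php $wp_version = '4.7.3';\n",
        "wp-admin/index.php": b"<?php require_once __DIR__ . '/admin.php';\n",
    }
    manifest = {}
    for rel, body in shipped.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
        manifest[rel] = hashlib.sha256(body).hexdigest()
    uploads = root / "wp-content/uploads/2017/03"
    uploads.mkdir(parents=True)
    (uploads / "bottle.jpg").write_bytes(b"\xff\xd8\xff\xe0")  # JPEG header only
    if compromised:
        # A core file edited in place, a file WordPress never shipped
        # (constructed name), and a PHP file hidden among the uploads.
        (root / "wp-admin/index.php").write_bytes(
            b"<?php /* line appended by the intruder (simulated) */ require_once __DIR__ . '/admin.php';\n")
        (root / "wp-includes/class-wp-cache-helper.php").write_bytes(b"<?php /* not a WordPress file */\n")
        (uploads / "cache.php").write_bytes(b"<?php /* webshell stand-in */\n")
    return root, manifest


if __name__ == "__main__":
    for key, paths in scan(*build_sample_site()).items():
        print(f"{key}: {paths}")
```

Note what the manifest does not cover: wp-config.php, .htaccess, themes and plugins. Those need their own comparison against a clean copy (wp-cli has wp plugin verify-checksums for plugins from the official directory), which is why the two uploads checks are in the scan as well.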

CHECK SERVER LOGS ON SERVER – I To figure out how a vulnerability was exploited, comb the server’s access and error logs for clues: long runs of POST requests to wp-login.php or xmlrpc.php from one address, a successful login right after them, requests for PHP files under wp-content/uploads, and POSTs to files that should never take input. It might just lead to a file you can easily delete.
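Reading a busy access log by eye is slow, so here is the log triage as an added example (not code from the book). It parses combined-format lines, counts failed POSTs to wp-login.php per address (WordPress answers a failed login with the form again, status 200, and a successful one with a 302 redirect), flags an address whose login succeeded after a run of failures, flags PHP served from the uploads folder, and then prints everything the flagged addresses did, in order. The log lines are constructed, using the RFC 5737 documentation addresses.

```python
"""Triage a WordPress web server access log for the traces a break-in leaves.

Added example, not from the book. The log lines below are constructed
(combined log format, RFC 5737 documentation addresses).
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# PHP under uploads, including double-extension tricks such as shell.php.jpg
PHP_EXT = re.compile(r"\.ph(?:p\d?|tml|ar)(?:$|\.)")

SAMPLE_LOG = [
    # Six failed logins: WordPress answers a failed POST to wp-login.php with
    # 200 (it re-renders the form) and a successful one with a 302 redirect.
    *[f'203.0.113.5 - - [10/Mar/2017:02:14:0{i} +0000] "POST /wp-login.php HTTP/1.1" 200 2543 "-" "Mozilla/5.0"'
      for i in range(1, 7)],
    '203.0.113.5 - - [10/Mar/2017:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2017:02:15:30 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2017:02:16:02 +0000] "GET /wp-content/uploads/2017/03/cache.php?v=3 HTTP/1.1" 200 78 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2017:08:01:11 +0000] "GET /2017/03/wine-review/ HTTP/1.1" 200 18342 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2017:08:01:12 +0000] "GET /wp-content/uploads/2017/03/bottle.jpg HTTP/1.1" 200 40212 "-" "Mozilla/5.0"',
    "this line is truncated garbage and must be skipped rather than crash the parser",
]


def parse_line(line: str) -> dict | None:
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string
    return rec


def triage(lines: list[str], login_threshold: int = 5) -> dict:
    """Flag brute-forced logins, logins that succeeded after many failures,
    PHP served from the uploads directory, and every request the flagged
    addresses made, in order, so you can reconstruct what they did next."""
    records = [r for r in map(parse_line, lines) if r is not None]
    failed: Counter = Counter()
    php_in_uploads, success_after_failures = [], []
    for r in records:
        path = r["path"].lower()
        if path.startswith("/wp-content/uploads/") and PHP_EXT.search(path):
            php_in_uploads.append((r["ip"], r["path"], r["status"]))
        if path == "/wp-login.php" and r["method"] == "POST":
            if r["status"] == 302:
                if failed[r["ip"]] >= login_threshold:
                    success_after_failures.append(r["ip"])
            else:
                failed[r["ip"]] += 1
    bruteforce = {ip: n for ip, n in failed.items() if n >= login_threshold}
    flagged = set(bruteforce) | {ip for ip, _, _ in php_in_uploads}
    timeline = defaultdict(list)
    for r in records:
        if r["ip"] in flagged:
            timeline[r["ip"]].append((r["time"], r["method"], r["path"], r["status"]))
    return {
        "login_bruteforce": bruteforce,
        "login_success_after_failures": success_after_failures,
        "php_in_uploads": php_in_uploads,
        "timeline": dict(timeline),
    }


def triage_sample() -> dict:
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(key, value)
```

The timeline is the part worth reading closely: in the constructed data the attacker logs in after six failures, hits the media uploader, then fetches a PHP file from uploads, which tells you both how they got in (a guessable admin password) and what to delete.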

CLEAN HACKED FILES – A Depending on what your scan and logs say, clean the malicious code or remove the infected files. This requires some knowledge and experience and should not be attempted lightly; attackers usually leave more than one backdoor, so finding one bad file is not the end of the job.

REINSTALL THE WORDPRESS CORE – I If you are unable to clean the files individually, replace the WordPress core files in wp-admin and wp-includes through your cPanel file manager (or let WordPress do it with “Re-install Now” on the Dashboard’s Updates page). Core replacement only covers wp-admin, wp-includes and the root PHP files; wp-config.php, .htaccess and everything under wp-content are not touched, and that is where backdoors are usually left, so check them separately. If scans indicate that malware was injected into your content, find a recent clean backup of your wp-content folder and replace that too.

RESTORE THE BACKUP DATABASE – I Use a clean backup of your database (and of wp-content) saved to your hard drive or Cloud and restore it to a clean new installation of WordPress. The backup must predate the break-in: injected scripts in posts and rogue admin users live in the database, so a backup taken after the hack just brings them back. Check thoroughly before repointing the domain.

Read More: Backup and Restore Your WordPress Site and Sleep Better at Night

REMOVE UNKNOWN USERS – B This can be done from the Dashboard or from cPanel (phpMyAdmin, the wp_users table). Find and delete anyone with Admin privileges who doesn’t deserve them. Heck, delete anyone suspicious.

CHANGE ALL PASSWORDS – B If you are locked out of the WordPress site, go to your cPanel database and change the passwords for WordPress (in phpMyAdmin, set the user’s user_pass column to MD5('newpassword'); WordPress accepts the old MD5 format and rehashes it properly at the next login). While there, change the database password too and update it in wp-config.php, since anyone who read that file has it, and then change the passwords for your hosting account and FTP access.

Read More: Use Mantras as Passwords for Web Nirvana

CHANGE YOUR SALTS – I Salts are secret authentication keys that live in your wp-config.php file and are used to sign the login cookies WordPress issues, so a cookie can’t be forged or reused without them. They can be changed anytime to harden your WordPress installation, but after the hack is an excellent time, because changing them invalidates every existing login cookie at once, including any session the bad guys are still holding. Go to the generator at api.wordpress.org/secret-key/1.1/salt/ to get new SALTs and paste the eight lines over the old ones.
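If you would rather not paste values fetched from a website into the most sensitive file on your server, the eight lines can be generated locally. This added example (not code from the book) rotates all eight define() lines in a wp-config.php using Python’s secrets module, with the same 64-character length WordPress’s own generator produces, and refuses to run if any of the eight is missing rather than appending them in a place PHP would read too late. The config text is constructed; on a real file, read it, pass it through rotate_salts() and write it back (wp-cli’s wp config shuffle-salts does the same job).

```python
"""Rotate the eight WordPress keys and salts in wp-config.php offline.

Added example, not from the book. The config text is constructed; the fresh
values come from the secrets module, so nothing is fetched over the network.
"""
from __future__ import annotations

import re
import secrets
import string

KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Letters, digits and punctuation, minus the two characters that would need
# escaping inside a PHP single-quoted string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")

DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>" + "|".join(KEYS) + r")'\s*,\s*'(?P<value>(?:[^'\\]|\\.)*)'\s*\);"
)


def new_key(length: int = 64) -> str:
    """One 64-character value from a CSPRNG, the length WordPress's generator uses."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def current_keys(config: str) -> dict[str, str]:
    """The key/salt define()s present in config, name -> current value."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config)}


def rotate_salts(config: str) -> str:
    """Return config with every key/salt define() replaced by a fresh value.

    Raises if any of the eight is missing rather than appending them blind:
    a define() placed after wp-settings.php is loaded comes too late.
    """
    missing = [k for k in KEYS if k not in current_keys(config)]
    if missing:
        raise ValueError("wp-config.php lacks: " + ", ".join(missing))
    fresh = {k: new_key() for k in KEYS}
    return DEFINE_RE.sub(
        lambda m: "define('%s', '%s');" % (m.group("name"), fresh[m.group("name")]), config)


# Constructed stand-in for a stock wp-config.php with the placeholder salts.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'change-me');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""


if __name__ == "__main__":
    print(rotate_salts(SAMPLE_CONFIG))
```

Every user, you included, is logged out the moment the new file is saved; that is the point, not a side effect.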

SCAN YOUR COMPUTER – B Use computer scanning software to find and kill infections you downloaded to your machine. Because how can you use an infected computer to clean up your website when it will just reinfect it? Try using software from Avast, BitDefender, Kaspersky, or Norton to scan and clean your hard drive.

CREATE A CLEAN BACKUP – B Once your site has been cleaned up, save a backup right away just in case your site is re-hacked.

GET OFF THE BLACKLISTS – B Search engines may have alerted you with malware warnings and will put you on a black list. Once your site is clean, request a review from Google (the Security Issues report in Search Console), Bing, Yandex, and McAfee immediately.

USE A MANAGED SECURITY SERVICE – B A company like Trustwave will provide security testing and firewalls, among other services. Sitelock is a popular service offered by many web hosts.

After the Hack is Gone Ok, now breathe. Stretch and do a good twist. Relax, knowing the worst of the worst is over.

But don’t delude yourself into thinking lightning doesn’t strike twice, because hackers will. When they know your site has been breached once, they will hover like vultures, ready to dive bomb another vulnerability.

Diligence is the best course of action after the hack. Update WordPress and plugins religiously. Backup regularly. Scan often. Heed warnings. Avoid outdated software.

Don’t give an inch or you’ll let the bastards win!

SOMETHING ABOUT MARI KANE

It was wine that got Mari Kane into WordPress.

In 2007, after 15 years of writing for print, she launched the wine blog, Tasting Room Confidential, on Blogspot.com. Eventually though, she wanted more functionality and more control of her blog.

In early 2010, while working on a Master Certificate of Internet Marketing through the University of San Francisco, Mari took the plunge into WordPress. She quickly realized that WordPress is a lot like wine: you can learn something new about it every day – forever.

In June of 2011, she went pro by starting BlogsiteStudio.com, blogging about how to use WordPress and designing WordPress blogsites. Later that year, she launched WordPress Workshop, a Meetup to coach users about WordPress.

Since then, Mari has spoken about WordPress at WordCamp Vancouver and Las Vegas, at the BC Association of Travel Writers Symposium, Vancouver Business Network Meetup, the Vancouver Beer Bloggers Meetup, YVR Bloggers Meetup and the Blog Mastery Conference. She has been a regular on the web show, Women Talking Tech, talking about all things technology.

Her message: it’s fun to use WordPress, you just have to know how.

In 2013, Mari wrote a blog series called “Create a WordPress Website” to give her readers a step-by-step guide to setting up a new site.

That series evolved into an ebook of the same name. Create a WordPress Website in Ten Easy Steps is available at blogsitestudio.com, at Amazon.com and at Smashwords.com.

Escalate Your WordPress Website: Twelve Ways to Blog at a Higher Level is Mari’s follow-up ebook, published to educate users on more cool ways to use WordPress.

Secure Your WordPress Website: How to Protect Yourself from Hackers, Scrappers, Spammers and Imbeciles is Mari’s third in a series of WordPress emanuals.

Please subscribe to BlogsiteStudio.com to receive alerts for Mari’s weekly posts, as well as having the earliest opportunity to download future ebooks.

You can follow her on Twitter @blogsitestudio, Facebook, Google+ as well as Linkedin.

And if you’re planning to publish an ebook of blog posts, Mari heartily endorses Pressbooks, with or without the watermarks.

To get a 25% discount on Pressbooks exports, just go to the Upgrade page and enter this code at checkout: MARIKANE

WORDPRESS EBOOKS BY MARI KANE

Get all of Mari Kane’s WordPress Ebooks!

Secure Your WordPress Website: How to Protect Yourself from Hackers, Spammers, Scrappers, and Imbeciles A guide to stopping evildoers from breaking into your website, stealing data, and injecting malware. Plus, what to do after the hack.

Available at BlogsiteStudio.com or Amazon.com

Escalate Your WordPress Website: Twelve Ways to Blog at a Higher Level Loaded with advanced techniques to make your WordPress website more useable, your blog posts more sharable, and all your work more searchable on Google.

Available at BlogsiteStudio.com or Amazon.com

Create a WordPress Website in Ten Easy Steps Learn the 10 steps to building and launching a WordPress website in the order you need to perform each task.

An essential guide for business people who want to get started on the Web.

Available at BlogsiteStudio.com or Amazon.com