Security – Codeable (https://www.codeable.io), "Build with heart". Feed generated Tue, 19 Sep 2023 23:45:27 +0000.

10 Essential Security Tips for WooCommerce Stores
https://www.codeable.io/blog/woocommerce-security/ (published Tue, 19 Sep 2023 01:45:08 +0000)

Learn how to boost the security of your WooCommerce website.

WooCommerce is a popular eCommerce plugin for WordPress, powering over 28% of all online stores. As open-source software, WordPress can be customized and modified to build a unique WooCommerce website. On the other hand, just like all websites on the internet, WordPress websites are also targets for hackers. Most successful attacks have little to do with the WordPress core itself; they exploit avoidable security issues.

In this post, we take you through the top WooCommerce security tips to prevent your eCommerce store from being compromised by malicious users. You can go about planning and implementing them in different ways, but there’s an easy and effective solution to optimize your site’s security, which we also discuss here.

Understanding the Importance of WooCommerce Security

Before diving into the essential security tips for your WooCommerce store, it’s crucial to understand why securing your online store is of paramount importance and the common security threats you should be aware of.

Why Securing WooCommerce Stores is Crucial

  1. Customer trust and reputation: When customers shop online, they trust you with their sensitive information, such as personal data and payment details. A security breach can lead to a loss of customer trust and tarnish your brand’s reputation, which can be challenging to recover from.
  2. Financial loss: A compromised store can lead to fraudulent transactions, which may cause financial losses for both you and your customers. Hackers may also hold your website hostage with ransomware, demanding payment for the release of your site.
  3. Legal consequences: Data breaches can lead to legal issues and penalties, especially with strict data protection regulations like the GDPR (General Data Protection Regulation) in place. Non-compliance can result in hefty fines and potential lawsuits.
  4. Loss of business continuity: A successful cyber attack can cause your WooCommerce store to go offline, disrupting your business operations and leading to a loss of sales.

Common Security Threats for Online Stores

Being aware of the common security threats your WooCommerce store may face can help you proactively implement security measures. Some of the most prevalent threats include:

  1. Brute force attacks: Hackers systematically try different password combinations to gain unauthorized access to your website. Using strong, unique passwords and implementing multi-factor authentication can help mitigate this risk.
  2. SQL injection: In this type of attack, hackers smuggle malicious SQL code into the queries your website sends to its database, allowing them to view, modify, or delete sensitive information. To protect against this, ensure that your website’s code is secure and up-to-date.
  3. Cross-site scripting (XSS): In an XSS attack, a hacker injects malicious scripts into your website, potentially compromising user data and even hijacking user accounts. Secure coding practices and using security plugins can help prevent these attacks.
  4. Malware: Malicious software, or malware, can infect your website, causing various issues such as data theft, website defacement, or unauthorized access. Regularly updating your software, using security plugins, and scanning for malware can help keep your WooCommerce store secure.
  5. Phishing: Phishing attacks involve the use of deceptive emails, messages, or websites to trick users into revealing sensitive information or credentials. Educate your staff and customers about potential phishing attacks and implement security measures to detect and block phishing attempts.
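To make the SQL injection item concrete, here is an added example (not code from the original post, and not WooCommerce code) in Python with an in-memory SQLite database. It shows a product lookup written the vulnerable way next to the parameterised version, and why the parameterised version is the fix: with the same crafted input, the first query returns every row including an unpublished one, while the second treats the input as a plain SKU and returns nothing. The table, SKUs and product names are constructed for the demonstration. In WordPress the equivalent of the placeholder query is `$wpdb->prepare()`.

```python
import sqlite3


def build_store_db() -> sqlite3.Connection:
    """Constructed sample catalogue; the unpublished row stands in for data
    that the public storefront must never reveal."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (sku TEXT, name TEXT, price REAL, published INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        ("MUG-001", "Coffee mug", 9.5, 1),
        ("TEE-002", "T-shirt", 19.0, 1),
        ("DRAFT-9", "Unannounced product", 0.0, 0),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sku: str) -> list:
    """The user-supplied SKU is pasted straight into the SQL text, so a quote
    character in the input changes the structure of the query, not just the value."""
    query = f"SELECT sku, name FROM products WHERE published = 1 AND sku = '{sku}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, sku: str) -> list:
    """Parameterised query: the driver passes the value separately from the SQL,
    so whatever the input contains, it is only ever compared against sku."""
    return conn.execute(
        "SELECT sku, name FROM products WHERE published = 1 AND sku = ?", (sku,)
    ).fetchall()


if __name__ == "__main__":
    db = build_store_db()
    crafted = "x' OR '1'='1"
    print(lookup_vulnerable(db, "MUG-001"))  # the one expected row
    print(lookup_vulnerable(db, crafted))    # every row, unpublished included
    print(lookup_safe(db, crafted))          # no rows: the input is just a SKU
```

The point of the side-by-side is that "keep your code up-to-date" is only half the defence; every query that takes user input, including those in custom plugins and themes, needs the placeholder form.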

9-Point Checklist to Strengthen Your WooCommerce Security

Here’s a look at the ways in which you can increase your WooCommerce security. Some of these security measures you can easily implement on your own, while others will require intervention from WordPress experts.

1. Hire a vetted WordPress security professional

[Image: Hire WordPress Security Expert]

The number one most effective action you can take to keep your WooCommerce store secure is to hire a WordPress security professional. From installing a basic SSL certificate all the way through to implementing firewalls to protect against brute force attacks on larger eCommerce sites, hiring a security professional frees you up to focus on other parts of your store, such as managing orders and keeping track of inventory. 

How to find a WooCommerce security expert

You have many options, including DIY, hiring an agency, or finding a freelancer on the numerous marketplaces on the web. Agencies that provide WordPress security experts generally pack different services in a package, so if you choose this option, watch out for any services that you may not need.

On freelancer marketplaces, you can pay extra to have a selection of vetted WP developers, or you’ll have to assess them yourself. On these sites, you pick the best bids, and there’s no assurance that a freelancer will bid on projects in which they feel competent, simply because the site doesn’t make this requirement explicit.

The better option is to find a security expert on Codeable:

  • Codeable is a freelancer platform specializing in WordPress. 
  • It matches your project to vetted WordPress/WooCommerce professionals who have worked on security projects similar to your own. This removes the guesswork and helps ensure that you have the right individual for the job.
  • What sets Codeable apart from generic freelance marketplaces is that you’ll only work with experts who are able to execute your project successfully. You can enjoy peace of mind knowing that you have access to WooCommerce security professionals who have consented to the project after thinking carefully about it.
  • Codeable is a great option for smaller projects or one-off tasks like security audits. It works out cheaper than hiring an agency and saves you significant time for strategic activities.

The hiring process is easy, and there is no obligation for you to hire if you change your mind about your WooCommerce security and maintenance plans.

2. Keep your plugins up-to-date

Updating your plugins and themes is essential – here’s why:

  • Hackers can exploit vulnerabilities in plugins and themes, and start attacking your website through those plugins/themes. They may succeed in accessing business and customer data to sell on the dark web, transfer funds or perpetrate fraud, among other illegal acts.
  • Plugin and theme updates come with bug fixes and performance improvements. The latest versions fix issues identified in previous software versions, and may even add new features. Maintaining plugins/themes keeps them usable and secure.

To update WordPress themes or plugins, visit the ‘Updates’ tab in your WordPress Admin. We recommend that you first update the themes/plugins on a staging site – a clone of your live website – to test the changes before applying them to your live site. This is because updating a plugin can sometimes cause ‘fatal errors’ due to the plugin code being incompatible with the code used in core WP files.

If you have a technical background, you can more easily set up your staging site. If not, a professional can set it up for you, helping ensure that updates are fine to install. You can look after your WooCommerce security and also avoid any consequences arising from update issues.

3. Choose a dedicated WooCommerce hosting provider

Do you need special hosting for WooCommerce? Well, given how the average WooCommerce site is database-intensive and has to accommodate high traffic, a dedicated WooCommerce hosting company is a better fit than a regular hosting service. From the point of WooCommerce security, such a provider can be expected to provide specialized support covering all necessary areas on your site.

Here are some of the security features to review when you’re looking for a hosting provider:

  • SSL certificates to enable an encrypted connection and block hackers from seeing names, addresses, passwords, credit card numbers, and other sensitive data.
  • Automated backups to get your site back up and running in the event of an attack.
  • 24/7 support from knowledgeable WooCommerce hosting experts on call to help you with security concerns.
  • A built-in staging environment to safely test plugins and changes to your store before you push them live.

On performance, you may want to focus on the uptime guarantee promised by the provider. If you have a large WooCommerce site with many products and attract substantial traffic daily, nothing less than a 99.9% uptime guarantee will do.

4. Set up a firewall using a WordPress security plugin

[Image: Install a firewall]

Even if your hosting provider supplies you with a firewall, setting one up at the website level will add another layer of security, preventing unauthorized access to your computer network. You can use a plugin to set up a firewall, and add more customization if you have advanced technical knowledge. WordFence is a trusted firewall for WordPress. It is a complete WordPress security plugin, offering a suite of functions, such as:

  • A web application firewall (WAF) that identifies and blocks malicious traffic
  • Protection against brute force attacks, which blocks users after a defined number of incorrect login attempts
  • Malware scanning to identify malicious software that hackers might have installed on your site
  • Login security features such as reCAPTCHA and two-factor authentication

Many of the most important WordFence features are available with the free version. Upgrading to the premium version costs $99 per year, and comes with advanced features like real-time IP blocking and firewall rules that protect sites from new threats and malware as soon as the WordFence team detects them.

It is possible to manually implement the features that all-in-one security plugins like WordFence offer. Some are quite easy to do but have special requirements. For example, if you want to set up your own firewall, you need full access to your server, which is not possible unless you use a dedicated server. In addition, you’ll need to work in the command-line interface, which is simple and pleasurable only if you have web development skills.

5. Make your login page more secure

Your website’s admin area is under constant threat of brute force attacks, which attempt to gain access to wp-admin by trying various combinations of usernames and passwords. Brute force attacks or the use of stolen credentials account for over 80% of hacking-related breaches. There are some WooCommerce security actions you can take to increase the security of the admin login page for your store:

Change your username from ‘admin’ to something else

A common trick for hackers is to exploit the default WordPress admin username, which is ‘admin’, to try and log into your account. Early versions of WordPress defaulted to the ‘admin’ username, so it’s possible that store owners are in the habit of using it. Changing ‘admin’ to another name is necessary to reduce the risk of wp-admin attacks, and there’s nothing to it! Here are the steps:

  1. Go to > add new user
  2. Create a new user with your desired username, and give it the ‘administrator’ role
  3. Log out of the previous ‘admin’ account and log into the new account
  4. Go back to the list of users and delete the old ‘admin’ account

Enable two-factor authentication (2FA)

Two-factor authentication requires two methods to verify your identity. It acts as the second line of defense for restricting access to your WordPress admin account. You can enable it with an authenticator app, which adds 2FA to the accounts you want to protect.

Authenticator apps generate a one-time code that you can use to confirm that it is you who is logging in to your WP admin account. You’ll first need to set up an authenticator device on your smartphone or tablet. During this process, the app will generate a secret key that you save to your phone by scanning a QR code or manually typing the code if your phone doesn’t have a camera. With this, the app’s server and your phone have a copy of the secret key. Thereafter, every time you enter your username and password to log in, the app sends an access code – usually a six-digit number – that you type to sign in to your admin account.

Here’s an example of how to set up 2FA using WordFence:

  1. Download an authenticator app such as Google Authenticator to your smartphone or tablet
  2. Install and activate WordFence 
  3. Go to the ‘login security’ page in WordFence
  4. Open your authenticator app and scan the QR code that shows in WordFence
  5. Click ‘download’ in the recovery code section – this gives you a set of codes that you can use in the event that you lose access to your authenticator app
  6. Enter the 6-digit code from your authenticator app
  7. Click ‘activate’

6. Require strong passwords for store accounts

[Image: Create strong passwords]

WooCommerce offers you the flexibility to create a store that suits your business model. This includes providing different access levels within teams. Securing the store accounts of all your team members is a simple way to harden WooCommerce security.

While employees understand that their passwords should be strong, they still tend to use weak passwords that can be cracked in less than a second. A strong password policy can reiterate the necessity to create complex passwords. Rather than having only some roles like store manager or administrator create secure passwords, enforcing a password complexity policy for all users is the safer option.

One way to achieve this is by using the iThemes Security plugin to force store accounts to set strong passwords for themselves. Here’s how you can go about it:

  1. Install and activate the plugin
  2. On the setup page, choose ‘eCommerce’ as the type of website
  3. Select ‘Self’ as the user
  4. When the plugin asks ‘do you want to secure your user accounts with a password policy?’, set the toggle to ‘yes’
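For readers who prefer to see what a password policy actually checks, here is an added example in Python (not code from the post or from iThemes Security). It returns every rule a candidate password breaks, so the same function can back a registration-time strength meter or a hard policy for staff accounts. The rule set is an assumption for illustration (minimum 12 characters, at least three character classes, no common or username-derived passwords, no long repeated runs), and the breached-password list is a constructed handful of entries standing in for a full data set.

```python
import re

# Constructed illustration of a breached-password list; a real deployment
# should check against a full list (for example a local copy of the Pwned
# Passwords data set) rather than this handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "woocommerce"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_problems(password: str, username: str = "", min_length: int = 12) -> list:
    """Return every policy rule the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    lowered = password.lower()
    # "Password123!" is still "password" once the decoration is stripped off.
    stripped = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("matches a commonly breached password")
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    if re.search(r"(.)\1{3,}", password):
        problems.append("has a run of 4 or more repeated characters")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123!", "shopadmin", "correct horse battery staple 9!"):
        print(repr(candidate), "->", password_problems(candidate, username="shopadmin"))
```

Note that the common-password check strips digits and symbols before comparing: the familiar trick of decorating a dictionary word with "123!" satisfies naive complexity rules while still being among the first guesses an attacker tries.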

7. Create unique passwords for all third-party eCommerce platforms

An often overlooked aspect of WooCommerce security is that the accounts for the third-party services connected to your store are themselves exposed to password attacks. Using the same password for all the services you have connected to your WooCommerce store makes a hacker’s job easy. Here’s what you should consider doing instead:

  • Set distinct passwords across all your payment gateways like Stripe and PayPal, your hosting, and any other third-party services that you use for your WooCommerce store. Even if one of your passwords is exposed, your other accounts will be safe.
  • Make sure that the passwords are sufficiently distinct from one another. Reusing passwords by simply changing or adding a digit or character is ineffective.

8. Maintain regular backups of your store

Although backups won’t protect your site against hackers, they ensure that you have access to your valuable data if your site gets compromised. Having backup copies of your data can help get your site back online after a cyberattack or other events, such as a hardware failure or crash due to a traffic spike. Daily backups ensure that your customer, order and product information can be restored when unforeseen events strike, and that business continuity is maintained to avoid losing customers and revenue.

A handy solution is to use a real-time WordPress backup plugin like BlogVault. Real-time backup offers the ability to restore data to any point in time, and is especially useful if you have a large database that faces the constant threat of security-related issues.

9. Secure your database

Your WordPress database stores all the information on your website, making it an attractive target. WordPress uses MySQL as its database management system, and the PHP code in your WordPress site issues SQL commands to communicate with it. One way a database gets hacked is when an attacker slips SQL code of their own into those commands to manipulate the database and gain access to valuable information. This type of attack is an SQL injection and is common among database-driven websites.

Fortunately, there are ways to secure your WordPress database – here are two to help you get started:

Change the default table prefix

The default table prefix for WooCommerce stores is wp_. Leaving this setting at the default opens up your store to SQL injections. You can change this setting in phpMyAdmin when you set up your store or use a plugin like DB Prefix. Be sure to back up your WP database before making any changes to table prefixes. And if you have quite a bit of WordPress maintenance and security updates planned, you could direct website visitors to a maintenance page or a temporary page.

Secure your wp-config file

The wp-config.php file is the most important file in your WooCommerce store, as it contains your store’s database connection details, including the database password. By moving this file one directory up from its default position in the WordPress root directory, you make it more difficult for potential hackers to locate.

Note: Codeable is not affiliated with any of the (plugin) recommendations mentioned in the post.

10. Educate employees and customers on security best practices

No matter how many security measures you put in place, the human element can still pose a risk to your WooCommerce store’s security. Educating both employees and customers on security best practices is crucial to maintaining a secure online store environment. Here are some key areas to focus on:

  • Regular security training: Ensure that your employees receive regular training on the latest cybersecurity threats and how to avoid them. This includes recognizing phishing attempts, using secure passwords, and adhering to safe browsing habits.
  • Clear communication of security policies: Ensure your employees understand the company’s security policies and guidelines. This includes the proper handling of sensitive data, access controls, and reporting any suspicious activity.
  • Encourage customers to use strong passwords: Educate your customers on the importance of using strong, unique passwords for their accounts. You can also implement a password strength meter during account registration to encourage the creation of secure passwords.
  • Share security tips and resources: Regularly share security tips and resources with your customers through blog posts, email newsletters, or social media. This can help raise awareness about potential threats and promote a culture of security among your customer base.
  • Offer a secure checkout experience: Make sure your customers feel confident about the security of their data during the checkout process. Display security badges, use HTTPS, and provide transparent information about your security measures.

Recovering from Data Loss or Corruption

Despite your best efforts to secure your WooCommerce store, data loss or corruption can still occur due to various reasons, such as hardware failures, software bugs, or even human error. Having a plan in place to recover from such events is crucial to minimize downtime and maintain business continuity. Here are some key steps to help you recover from data loss or corruption:

  • Assess the situation: Determine the extent of the data loss or corruption and identify the cause. This will help you decide on the best course of action for recovery and prevent the issue from recurring.
  • Restore from backups: If you have been maintaining regular backups of your store, you can restore your data from the most recent backup. This is the quickest and most reliable way to recover your lost or corrupted data. Ensure that you verify the integrity of the backup before restoring it to avoid further issues.
  • Use data recovery tools: In case you do not have a backup or the backup is also corrupted, you can use data recovery tools to try and retrieve your lost data. There are various data recovery tools available, both free and paid, that can help you recover data from your server or local machine. Keep in mind that the success of these tools depends on the extent of data loss or corruption.
  • Contact your hosting provider: If you are unable to recover your data using the above methods, reach out to your hosting provider for assistance. They may have additional backups or recovery options available that can help you restore your lost or corrupted data.
  • Learn from the experience: After recovering your data, analyze the event to understand what went wrong and how you can prevent it from happening again. Implement additional security measures, improve your backup strategy, and educate your team on best practices to minimize the risk of future data loss or corruption.
  • Communicate with your customers: If your WooCommerce store experiences downtime or issues due to data loss or corruption, it’s essential to keep your customers informed. Communicate the situation through email, social media, or a notice on your website, and provide updates on your recovery progress. This helps maintain trust and transparency with your customers, and they will appreciate your efforts to keep them informed.
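The backup plugin recommended earlier handles this for you, but the integrity check that the recovery steps tell you to run before restoring is worth seeing in code. The following is an added example in Python, not code from the post or from any backup product: create_backup() archives a constructed sample store directory and writes a SHA-256 manifest beside it, and verify_backup() refuses an archive whose hash, member list or file contents no longer match the manifest. It assumes the manifest is kept somewhere the store’s own host cannot modify (otherwise an attacker who tampers with the archive can simply regenerate it); the file names and contents are made up for the demonstration.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(store_dir: Path, out_dir: Path) -> tuple:
    """Archive the store and write a manifest of SHA-256 hashes next to it."""
    out_dir.mkdir(parents=True, exist_ok=True)
    archive = out_dir / "store-backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(store_dir), arcname="store")
    files = {p.relative_to(store_dir).as_posix(): sha256_file(p)
             for p in sorted(store_dir.rglob("*")) if p.is_file()}
    manifest = {"archive_sha256": sha256_file(archive), "files": files}
    manifest_path = out_dir / "store-backup.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def verify_backup(archive: Path, manifest_path: Path) -> list:
    """Return the problems found; an empty list means the backup is safe to restore."""
    manifest = json.loads(manifest_path.read_text())
    if sha256_file(archive) != manifest["archive_sha256"]:
        return ["archive hash mismatch"]  # truncated, bit-rotted or tampered archive
    problems = []
    with tarfile.open(archive, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        for rel, expected in manifest["files"].items():
            member = members.get("store/" + rel)
            if member is None:
                problems.append("missing: " + rel)
                continue
            data = tar.extractfile(member).read()
            if hashlib.sha256(data).hexdigest() != expected:
                problems.append("corrupt: " + rel)
    return problems


def demo() -> tuple:
    """Back up a constructed sample store, verify it, then verify a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "store"
        (store / "wp-content" / "uploads").mkdir(parents=True)
        (store / "wp-config.php").write_text("<?php /* constructed sample, no real secrets */")
        (store / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed")
        archive, manifest = create_backup(store, Path(tmp) / "backups")
        clean = verify_backup(archive, manifest)
        with open(archive, "ab") as fh:  # simulate a damaged copy of the archive
            fh.write(b"\x00" * 16)
        damaged = verify_backup(archive, manifest)
    return clean, damaged


if __name__ == "__main__":
    print(demo())
```

Two design choices are deliberate: the whole-archive hash is checked first so that a damaged file is rejected before any of it is parsed, and the manifest lists each file separately so that a restore can report exactly which files are untrustworthy rather than just "the backup is bad".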

Next Steps: Taking Action to Secure Your WooCommerce Store


Having a WooCommerce security plan in place enables you to respond effectively to existing and new cybersecurity threats. Managing WordPress- and eCommerce-specific security issues proactively is imperative to keep your business running without disruption, avoid financial losses due to hacking, and maintain customers’ trust.

WordPress security experts from Codeable can help you manage your security risk. 

Submit your project and mitigate your security concerns promptly. Codeable is cost-friendly and offers a money-back guarantee, so you can test it out with a small task and then determine whether you’d like to use it for a bigger security project.

How to Build a Custom WordPress Login Page (Complete Guide)
https://www.codeable.io/blog/wordpress-login-page-custom/ (published Mon, 30 Jan 2023 16:33:51 +0000)

WordPress websites come with a generic login page that can be inconvenient or off-brand for some businesses. For those wanting to customize their login experience, creating a custom login page in WordPress is a great way to add some personality to your website and improve the user experience for your visitors.

In this post, we’ll delve into the benefits of building a custom login page and walk you through the steps of creating one using either plugins or code. We’ll also discuss the option of working with a Codeable expert to create a custom login page for you.

Whether you’re a solopreneur or business owner looking to take your website to the next level by making a custom WordPress site or a tech-savvy individual interested in improving your WordPress plugin development skills, this guide is for you.

Why should you create a custom WordPress login page?

There are many reasons why you might want to consider building a custom WordPress login page for your website. Here are just a few:

  • Branding: A custom login page is a great way to make a strong first impression on your visitors and add some personality to your website. Whether you’re a freelancer creating a website for a client or a business looking to brand the login process for your employees and customers, a custom login page can help you stand out from the crowd.
  • Differentiation: If you regularly log into multiple WordPress websites, a custom login page can help you differentiate between them and make it easier to keep track of which website you’re logged into.
  • Additional Information: The default WordPress login page only includes a few basic fields, but a custom login page can allow you to collect additional information from your users. This could be for security purposes, or for any other reason that you might need to gather more data from your visitors.
  • Customized Security Measures: With a custom login page, you can also customize the security measures in place to protect your website and user data. For example, you can add additional authentication methods like two-factor authentication or CAPTCHA to prevent bots from accessing your site.
  • Improved User Experience: A custom login page can also improve the user experience for your visitors. By adding custom graphics and branding elements, you can make the login process more visually appealing and easier to use. You can also customize the error messages that users see when they enter incorrect login information for easier logins.
[Image caption: Civic Causes uses a custom WordPress login page design for its entire website: you need to log in to view any page. Having the custom login page makes it clear to the user that they’re in the right place; the default WordPress login page could be confusing.]

Building a custom login page is a great way to add some personality to your WordPress website and improve the user experience for your visitors. Regardless of your purpose for creating one, a custom login page can help you look more professional and brand the login experience.

Expert tips for creating a custom WordPress login page

Designing a custom WordPress login page can be a fun and rewarding project, but it’s important to keep a few key considerations in mind to ensure a professional and user-friendly result. Here are some expert tips to help you create a custom CSS login page that stands out:

  • Use Relevant Images and Graphics: Images and graphics are an important part of any custom WordPress website design, and they can help convey your brand message visually. When creating a custom login page, be sure to use relevant images and graphics that reflect your brand and add value to your design.
  • Keep it Simple: Don’t overcrowd your design with too many elements, as this can make it difficult for users who aren’t familiar with WordPress or who aren’t tech-savvy. Instead, focus on creating a clean and simple design that’s easy to navigate.
  • Align Elements Properly: Make sure all elements on your login page are aligned properly and that there are no gaps between them. This will give your design a professional look and make it easier for users to find what they need.
  • Use Relevant Colors: Choose colors that match your brand identity rather than going for random colors just because they look nice. This will help give your design a cohesive look and make it feel more professional.
  • Make Text Readable: Finally, be sure to make all text on your login page readable and ensure that it doesn’t overlap with other elements on the page. This is especially important for password fields, as overlapped text could cause problems for users when they try to log in.
[Image caption: The custom WordPress login page for the web app FALCON AI completely hides the WordPress UI and branding. This helps the app feel like a more “premium” SaaS app, but it’s WordPress under the hood.]

By following these expert tips, you can create a custom WordPress login page that’s both visually appealing and user-friendly.

How to create a custom login page 

Creating a custom login page in WordPress is a relatively simple process, and you have the option of using a plugin or coding it yourself. There are plugins for user registration, custom login pages, and more to help you on your way. Here’s a step-by-step tutorial to help you get started:

Using a custom WordPress login plugin

  1. Choose a plugin: There are a number of plugins available that can help you customize your login experience on WordPress. Some popular options include LoginPress, Custom Login, and Custom Login Page Customizer. For this tutorial, we’ll use LoginPress.
  2. Install LoginPress: Go to your WordPress dashboard > Plugins > Add New.
  3. Choose your plugin of choice: Once you’ve selected a plugin, click “Install Now” and “Activate” to add it to your WordPress website.
  4. Access the plugin: After the plugin has been installed, you’ll be able to access it through the Settings menu in your admin dashboard.
[Image: LoginPress settings dashboard]
  5. Customize the login page: Use the options provided by the plugin to customize your login page, including replacing the WordPress logo with your own, changing the background image, and customizing the login form. You can also use the plugin to replace error messages and customize other aspects of the login process.

You can see that LoginPress will include a WordPress site login template that you can modify. By replacing the WordPress logo, removing the background image, changing the background color, and making other small changes, your login page will transform completely.

Here’s what the login screen template page looked like out of the box once LoginPress was activated:

[Image: LoginPress login page out of the box for users to edit]

And here’s what it looked like after a few small changes to the background, padding, colors, and logo:

[Image: a customized login page]

Keep in mind that while using a plugin can be a quick and easy way for beginners to create a custom login page, it may have limitations and may not provide as much customization as coding your own page. Additionally, the free version of the plugin will always keep the “Powered by LoginPress” message at the bottom right of your login page.

Coding your own custom WordPress login page

Coding your own custom login page lets you do just about anything you want. Let’s look at a couple of examples.

Customizing the logo on the ​​WordPress login page

Here, we’ll show you how to add a custom logo to the WordPress login page by adding code to the functions.php file. These are the steps:

  1. Upload the Logo to Your Website: Get your logo in either PNG or JPG and upload it to your WordPress website. You can do this by going to the Media library in your dashboard and clicking “Add New.”
  2. Get the URL of the Logo: Once the logo has been uploaded, you’ll need to get the URL of the image file. You can do this by clicking on the image in the Media library and copying the URL from the address bar in your web browser.
  3. Edit the functions.php File: Next, you’ll need to edit the functions.php file in your theme. You can do this by going to the Appearance menu in your dashboard and clicking “Editor.”
  4. Add the Code Snippets: In the functions.php file, add the following code:

function custom_login_logo() {
    // Replace YOUR_LOGO_URL_HERE with the URL of the logo you uploaded to the Media library.
    echo '<style type="text/css">
        h1 a {
            background-image: url(YOUR_LOGO_URL_HERE) !important;
        }
    </style>';
}
// login_head fires inside the <head> of wp-login.php, so this style only affects the login screen.
add_action( 'login_head', 'custom_login_logo' );

  5. Replace the URL: In the code, replace “YOUR_LOGO_URL_HERE” with the URL of your custom logo.
  6. Save the File: After you’ve added the code, be sure to save the functions.php file.

Note: it’s always a good idea to test the code on a staging or development environment before implementing it on a live website to catch any potential issues before they affect your users. Codeable’s recommended WordPress hosts, Kinsta and WP Engine, both offer staging.

Removing the WordPress language switcher from the login page

WordPress 5.9 introduced a language switcher for the login page. This changes the language for logged-in users (only in the backend). 

customize login language

You can disable it by adding the following line to your functions.php file:

add_filter( 'login_display_language_dropdown', '__return_false' );

Again, using staging is best practice here to ensure your custom login page is created safely.

There are other, more advanced options you may want to consider, like redirecting the generic wp-login page to a custom page and creating custom login-attempt messages. For these, you’ll either want to go through a plugin or ask a developer to create them for you, to avoid introducing problems in the code on your page.

Hiring an expert to build your custom Login page

If you’ve followed along with this guide, you should now have a good understanding of how to build a custom login page in WordPress. However, creating a custom login page can be a time-consuming process, especially if you’re not familiar with coding or plugin development.

That’s where Codeable comes in. Codeable is a platform that connects you with WordPress experts who can help you build any kind of website, including eCommerce stores, membership sites, and custom login pages. With Codeable, you can save time and effort finding the perfect plugin or attempting to code the login page yourself, and you can be confident that you’re working with an expert who is qualified and experienced in building custom WordPress websites.

Codeable offers affordable prices and a streamlined process that makes it easy to get started. So if you want to create a custom login page for your WordPress website, consider hiring an expert from Codeable. With their expertise and experience, you can save time and effort and be confident that you’re getting a professional and user-friendly result. Find a Codeable Expert.

Disclaimer: Codeable is not affiliated with any of the plugin recommendations detailed in the post.

Is WordPress Maintenance Really Vital for Your Website?
https://www.codeable.io/blog/wordpress-maintenance/ (Thu, 22 Apr 2021 14:02:55 +0000)

WordPress maintenance is a crucial step for your website. Learn why it is so important.

Have you been running your WordPress website for a while now? If so, you may be wondering whether you need to conduct some maintenance. Like a great car, there are features and mechanisms within your website that require regular inspection to ensure everything’s running as it should.  

The benefits of regular WordPress maintenance are numerous. For one, you’ll boost your site’s security and load times. But there are also less apparent advantages, like improving your site’s ranking and lowering your bounce rate. After all, speed optimization is a huge part of core web vitals. It directly impacts the user experience, and search engines prioritize that over all else.

Companies with in-house technical teams can easily schedule, run and keep track of WordPress maintenance tasks. But smaller organizations and solopreneurs may have a more challenging time figuring out what to do and find the time to actually do it. 

When you handle WordPress maintenance on your own, you run a few risks for your business and website. For instance, you might not be aware of (or have the know-how to conduct) all the necessary checks, and as such put your site’s security in jeopardy. On the other hand, while it takes more time and effort, a DIY approach can save you money (provided you know what you’re doing).

Fortunately, there’s another option for small businesses looking for reliable WordPress maintenance: hire a WordPress expert to manage your website maintenance tasks for you.

That said, is maintenance really vital for your website? This article explores what good WordPress maintenance entails and how to find a WordPress expert to manage your website maintenance (should you need one).

What It Takes to Maintain a WordPress Website

Some WordPress tasks are more basic than others. So, providing you have a foundational understanding of WordPress and some rudimentary knowledge of CSS, PHP (WordPress core), and HTML, that should be enough to handle simple updates. 

That said, developer-level skills are necessary for a thorough maintenance process that benefits your site in the long run. Below are just some of the required skills for carrying out expert WordPress maintenance:

  • Knowledge of version control systems
  • An understanding of command-line interfaces
  • A familiarity with object-oriented programming

…To name a few.

Besides custom development skills, you’ll also need a clear plan in place to help organize your WordPress maintenance tasks. This serves as a reminder of what needs checking, when, and how often. 

A WordPress Maintenance Plan

While many tasks can be performed without putting your website into maintenance mode, you’ll need to conduct heavy WordPress maintenance every now and again, which, of course, requires this mode. 

When you put your website into ‘maintenance mode,’ visitors can’t view your site. As such, any in-depth WordPress maintenance needs planning ahead of time to ensure you lose as little traffic as possible.

Maintenance Mode

Although switching your site to maintenance mode has its disadvantages (most notably a disruption in eCommerce sales and a loss of traffic), there are some perks:

  • You can hide broken pages from visitors while you’re fixing them.
  • It gives you space to tweak your website settings, template, or plugins without your visitors seeing what’s going on.
  • It’s also good for SEO – by signaling to search engines that your website’s periodically down for maintenance, they won’t index any changes that look incomplete. As a result, your rankings remain intact.

You can put your website into maintenance mode with or without a plugin. WordPress automatically enables maintenance mode when you start an update. To turn it on manually, you’ll have to edit WordPress’ .htaccess file on your server. Here, you can write a few lines of code to redirect all traffic to maintenance.html. To customize the maintenance page, you’ll have to construct code to style the HTML and CSS.
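Here is an added example (not code from the original post or from WordPress itself) of doing the same thing in PHP instead of .htaccess: a must-use plugin that answers front-end requests with HTTP 503 and a Retry-After header, the status that tells search engines the outage is temporary, while letting administrators through to check their work. The constant name EXAMPLE_MAINTENANCE and the mu-plugins file location are assumptions.

```php
<?php
/**
 * Plugin Name: Example Maintenance Mode (503)
 * Description: Added example, not part of the original post. Save as
 *              wp-content/mu-plugins/example-maintenance.php (path assumed) and
 *              add  define( 'EXAMPLE_MAINTENANCE', true );  to wp-config.php
 *              to switch it on; set it to false (or remove it) to switch off.
 */

// Constant name is an assumption for this example; default to "off".
if ( ! defined( 'EXAMPLE_MAINTENANCE' ) ) {
	define( 'EXAMPLE_MAINTENANCE', false );
}

/**
 * Should this request get the maintenance page?
 *
 * Anyone who can manage_options (administrators) is let through so they can
 * verify the work. wp-login.php and wp-admin never fire template_redirect, so
 * logging in and using the dashboard keep working. Note that the REST API and
 * admin-ajax.php also bypass template_redirect and stay reachable.
 */
function example_maintenance_should_block() {
	if ( ! EXAMPLE_MAINTENANCE ) {
		return false;
	}
	return ! current_user_can( 'manage_options' );
}

/**
 * Send a 503 with Retry-After and a minimal page, then stop WordPress.
 *
 * A 503 (rather than a 200 or a redirect to maintenance.html) is what tells
 * crawlers to come back later instead of indexing a half-finished page.
 */
function example_maintenance_serve() {
	if ( ! example_maintenance_should_block() ) {
		return;
	}
	nocache_headers();
	status_header( 503 );
	header( 'Retry-After: 3600' ); // seconds; set to the expected downtime
	header( 'Content-Type: text/html; charset=utf-8' );
	?>
<!doctype html>
<html lang="en">
<head>
	<meta charset="utf-8">
	<title>Down for maintenance</title>
	<style>body { font-family: sans-serif; text-align: center; padding-top: 15vh; }</style>
</head>
<body>
	<h1>We'll be right back</h1>
	<p>The site is down for scheduled maintenance. Please check again shortly.</p>
</body>
</html>
	<?php
	exit;
}
add_action( 'template_redirect', 'example_maintenance_serve' );
```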

Alternatively, with a plugin like WP Maintenance Mode, you can easily customize the maintenance notice your visitors see, to read something like ‘coming soon’ or whatever else you think is appropriate.

You can add a maintenance notice to inform your visitors

Things to Note Before Starting Your Website Maintenance

The last thing you want is for your maintenance operations to drag on so that you endure prolonged downtime. As such, it’s good practice to audit problem areas on your site before officially scheduled maintenance commences. That way, you know precisely what to address while your site’s in maintenance mode. Run a performance test and audit your content and SEO (Google Analytics is a great starting point). This is also an excellent time to check your website’s speed to determine whether significant optimizations are necessary. 

Maintenance Tasks

Next, let’s look at which maintenance tasks are the most vital and, as such, should always be included in your WordPress maintenance plan:

WordPress Backups

A site backup acts like insurance for your WordPress website. It ensures that in the rare case something goes wrong, you don’t lose everything. Site backups protect you against any type of attack, so no matter what happens, you can restore a previous version of your website.

Don’t wait to learn this lesson the hard way. Many WordPress experts believe daily backups are necessary. While that sounds like lots of manual work, you have options:

Manual Backups

You can manually back up your WordPress site if you have access to the server it’s hosted on. You can run a built-in backup using your managed WordPress hosting provider’s cPanel, or you can conduct your own backup, independent of server software or WordPress plugins.

If you opt for the latter, this involves logging into your server, then downloading and compressing all your folders and loose files to store in a location of your choosing. As you’ve probably gathered, you need to be comfortable navigating your WordPress site’s database to do this.

Automatic Backups

Alternatively, you can go for the much easier option: running automatic backups. Most hosting providers offer an automated backup service, so you don’t need to do anything. They’ll schedule the backup and store the files securely. Then, should you ever need to, you simply ask your service provider to roll the site back to a specific version.

Paid backup services are also available. However, the downside of these is that their pricing is usually expensive – especially when you’re starting out. Plus, you don’t have your website’s files at your disposal, which means you don’t have as much control. 

If control and ownership over your website backups are essential to you, manual backups are the way to go. That said, there are plugins available that automate this task while providing more control and ownership over your files. With this option, you enjoy the best of both worlds!

A few examples of such plugins include VaultPress and UpdraftPlus.

Example of plugin for manual restoration

Pro Tip: When choosing a plugin, double-check it’s regularly updated and highly rated by WordPress users. Backups aren’t something you can gamble with!

Website Updates

Site updates are necessary when your WordPress theme or plugins are updated with security patches or extra functionality or when WordPress launches a new version of its software. Outdated software is more vulnerable to attack, so it’s worth keeping up with this. 

WordPress automatically updates itself if it can. It likely already does this for minor updates. However, you can also enable WordPress to update itself automatically for more significant versions too. The same goes for your chosen theme and downloaded plugins. You can turn on automatic updates for these too.

While automatic updates present less work on your part, there are more risks involved. In some cases, you don’t want to update a tool or software unless you’re sure the latest version will work seamlessly with your website. Many site owners have run into issues with plugin updates. Typically, it’s best to wait a couple of weeks to allow the theme/plugin developers to identify any glitches and fix them. Then, you can pull the trigger and install these updates manually.

Website Security Monitoring

Website security comes with its own maintenance regime, ranging from backups to regularly changing your website’s password. But, to adequately protect yourself against attacks and security breaches, you should also periodically review your site’s access and error logs. 

Sometimes, unusual activity isn’t detected until it is too late. Your site might already be under attack before you start noticing that it slows down or your rankings drop. You can work with a security audit plugin like the iThemes security scanner to perform these checks regularly. 
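As an added example (not from the original post), the short PHP command-line script below shows the kind of thing a log review is looking for: it parses access-log lines in the common Apache/nginx “combined” format and flags any address that POSTs to wp-login.php or xmlrpc.php more than a handful of times within five minutes, the signature of a password-guessing attempt. The log lines, the threshold and the window are constructed for the example, not taken from a real server.

```php
<?php
/**
 * Added example, not code from the original post: flag login-guessing bursts in
 * a web-server access log. Run with: php log-review.php (file name assumed).
 * The sample lines, threshold and window below are constructed for this example.
 */

const LOGIN_POST_THRESHOLD = 5;   // POSTs from one IP inside the window before alerting
const WINDOW_SECONDS       = 300; // sliding window of five minutes

/** Parse one "combined"-format line; return null for lines that do not match. */
function parse_log_line( string $line ): ?array {
	$re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';
	if ( ! preg_match( $re, $line, $m ) ) {
		return null;
	}
	$ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
	if ( ! $ts ) {
		return null;
	}
	return [
		'ip'     => $m[1],
		'time'   => $ts->getTimestamp(),
		'method' => $m[3],
		'path'   => parse_url( $m[4], PHP_URL_PATH ) ?: $m[4], // drop the query string
		'status' => (int) $m[5],
	];
}

/**
 * Count POSTs to the login endpoints per IP inside a sliding WINDOW_SECONDS
 * window and return [ ip => peak count ] for every IP at or above the threshold.
 * Both wp-login.php and xmlrpc.php are watched: XML-RPC lets a client try
 * credentials without ever touching the login form.
 */
function find_login_bursts( array $lines, array $paths = [ '/wp-login.php', '/xmlrpc.php' ] ): array {
	$by_ip = [];
	foreach ( $lines as $line ) {
		$e = parse_log_line( $line );
		if ( $e && 'POST' === $e['method'] && in_array( $e['path'], $paths, true ) ) {
			$by_ip[ $e['ip'] ][] = $e['time'];
		}
	}

	$alerts = [];
	foreach ( $by_ip as $ip => $times ) {
		sort( $times );
		$start = 0; // index of the oldest request still inside the window
		$peak  = 0;
		foreach ( $times as $i => $t ) {
			while ( $t - $times[ $start ] > WINDOW_SECONDS ) {
				$start++;
			}
			$peak = max( $peak, $i - $start + 1 );
		}
		if ( $peak >= LOGIN_POST_THRESHOLD ) {
			$alerts[ $ip ] = $peak;
		}
	}
	return $alerts;
}

// Constructed sample log: 203.0.113.7 hammers the login endpoints, 198.51.100.4
// is an ordinary visitor who logs in once, and the last line is unparseable noise.
$sample_log = [
	'203.0.113.7 - - [22/Apr/2021:14:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
	'203.0.113.7 - - [22/Apr/2021:14:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
	'203.0.113.7 - - [22/Apr/2021:14:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
	'203.0.113.7 - - [22/Apr/2021:14:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
	'203.0.113.7 - - [22/Apr/2021:14:00:12 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
	'203.0.113.7 - - [22/Apr/2021:14:00:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
	'198.51.100.4 - - [22/Apr/2021:14:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2880 "-" "Mozilla/5.0"',
	'198.51.100.4 - - [22/Apr/2021:14:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"',
	'not a log line at all',
];

$alerts = find_login_bursts( $sample_log );
if ( ! $alerts ) {
	echo "No login bursts found.\n";
}
foreach ( $alerts as $ip => $count ) {
	printf( "ALERT %s: %d login/XML-RPC POSTs within %d seconds\n", $ip, $count, WINDOW_SECONDS );
}
```

On a real server, replace the constructed array with the lines of your access log and tune the threshold to the normal login rate of your site; a single address repeatedly getting 200 (login form re-rendered) rather than 302 (successful login) is the pattern to act on.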

Example of security plugin

As mentioned in the previous section, security updates are also vital. However, these can sometimes cause compatibility issues that can break your website. That’s why security isn’t something you should handle yourself unless you’re confident you know what you’re doing. 

For the same reason, any updates should be performed on a WordPress staging site and in maintenance mode first. That way, you can rest easy knowing the update won’t jeopardize your site’s operation or aesthetic.

Performance Updates

Performance updates ensure your site’s loading speeds remain high so that visitors don’t have to wait long before your website becomes fully interactive and visible. This is worth keeping on top of, especially when you consider that as many as 46% of users won’t revisit poorly performing websites.

There are several tasks involved in performance optimization and maintenance. Many of them you can do by yourself, including:

  • Clearing your cache using a caching plugin
  • Optimizing your database
  • Optimizing content and images for the web
  • Clearing spam comments from blog posts
  • Testing WordPress forms
  • Finding and fixing broken links
  • Identifying 404 errors and correcting them

You should also remove any plugins you no longer use and strip out any code that no longer does anything.

Final Checks

After completing all the WordPress maintenance tasks listed on your plan, perform a few final checks. This is paramount for ensuring everything runs smoothly when your website’s back in operational mode. For instance, you should re-validate your site after making any customizations to the code or style sheets. It’s imperative your site conforms to expected standards and is interpreted the way you want it by various browsers and search engines.

You should also check every aspect of your website thoroughly to ensure everything works before eventually logging out of maintenance mode!

Are You Ready to Better Maintain Your WordPress Website?

Your WordPress maintenance process isn’t something to be taken lightly. Adequate WordPress maintenance ensures your site performs at its best and doesn’t fall prey to ever-evolving attacks. 

We hope your takeaway from this article is that maintenance is vital to your site’s safety and health. Only through regular cloud backups and a consistent security maintenance schedule can you ensure you won’t lose your hard work. As maintenance is so vital, you should never perform these crucial tasks yourself unless you have the skills, time, and resources. This is especially true of more significant security updates and website edits. These should always be handled professionally. In doing so, you avoid compromising the health of your site.

You can hire a fully fledged WordPress agency or professional freelance support services to handle your maintenance plan. Codeable experts can be hired for regular WordPress maintenance, and they’re all vetted. You can submit your project today to get a free estimate with no obligation; it’s 100% risk-free!

Why Would You Hire A Security Expert For Your WordPress Website?
https://www.codeable.io/blog/hire-security-expert-wordpress/ (Tue, 16 Jan 2018 07:03:20 +0000)

Large or small, your WordPress website requires some level of defensive features regardless of how tech-savvy you are. The more your business relates to your website, the stronger its security level has to be. Otherwise, you’ll be in trouble if hackers gain control of it.

Security isn’t the cherry on top, it’s the cake.

Given the abundance of security tips you can find online, though, you might be fooled into thinking you can handle security on your own. And to an extent, it can be true if you have some technical knowledge. Yet, even some developers or tech-savvy WordPress users fall short on advanced security techniques.

That’s why I asked an experienced WordPress security expert more about the needs and processes related to security, and why, most of the time, it is best to entrust the task to professionals.

The main topic I’d like to dig into is: how can a security expert (really) help you out?

Let’s dive in!

Help configuring security plugins properly

WordPress is known for the level of customization it offers. Plugins exist for almost every function imaginable, and security is no exception. You just add the plugin and voilà! It handles all the work for you, provided that it is configured properly. This is where a professional comes into play. WordPress developer and Codeable expert Liam Bailey explains:

If the user doesn’t know how to properly configure security plugins, then they’re not going to do the job properly. In that case, they’d hire a professional to come in and make sure that they configured the plugins correctly for them to give them the maximum security that these plugins are able to provide.

Configuring such plugins correctly is the baseline for effective protection.

Conduct a security audit

A security expert knows where and how to look for potential vulnerabilities. It’s their job. They can be called in to conduct a security analysis, known as an audit, for your website to ensure you’re protected from all sides. Liam elaborates:

For websites that are handling large numbers of traffic or handling credit card numbers and sensitive information, or that have a large userbase of users with logins and such, it’s a wider net cover, a harder site to protect. A security professional would come in and do a comprehensive audit on that site. It’s a security professional’s job to know all the types of attack that a site will be vulnerable to that necessarily the layman wouldn’t even need to know what they were. There’s a cross-site request forgery attack, for example, cross-site scripting, man-in-the-middle, SQL injection, session hijacking, brute-force attack and many more.

Vulnerabilities depend on the nature of your website

The nature and popularity of your website play a vital role in determining the level of threat or risk it faces. Specifically, no one would be interested in hacking your site if, for example, you’re just showcasing your work or running a cooking blog. If your site handles no sensitive information, you could probably call it a day by installing security plugins, to be honest.

However, if you’re running an eCommerce store with a large customer base, vulnerability concerns are significantly higher. If you are handling sensitive information and you do have something you want to protect, then you really need to be trying to break your site. And that’s where a security professional comes in handy:

Things online are basically insecure. There is a way into most systems and most things, and if you don’t have a professional looking at these things, then you are leaving yourself vulnerable. For the average WordPress site, the vulnerabilities can be there, but they might never be found because nobody’s ever tried to exploit it. As long as everything is updated, and you have security plugins to secure against 90% of attacks, you’ll be fine. But if there was, say, a site sale and stuff, and it had money going through it or personal information, the same vulnerability would be there and it would, of course, be exploited because hackers would be trying to gain access to that site in a much more persistent basis. So the vulnerability would be found and it would be exploited.

Finding these vulnerabilities is a technical aspect that goes way beyond setting up a security plugin. Because of that, most people can’t do that themselves and that’s when they would hire a professional.

Security has to be top of mind when your website features custom code

Things get a bit scarier here, yet they’re important to be aware of.

When you hire a developer who isn’t a security expert to build a custom theme or plugin from the ground up, it’s a good idea to get the code checked over. There is a real possibility that they introduce new vulnerabilities without even knowing they’re doing it.

That doesn’t mean every developer has to be a security expert to deliver secure code. Following best practices and good procedures, along with keeping software up to date, will prevent the vast majority of possible scenarios.

My point is to highlight how easily you can be exposed to vulnerabilities, even through standard and well-known procedures (such as working with a developer to create custom code). Liam puts it this way:

iThemes Security can protect against attacks that we know about and the main flow of attacks that you will be vulnerable to. But for every vulnerability that is known about WordPress, somebody’s had to discover that. So your site could be vulnerable to a vulnerability that nobody knows about. It’s a security professional’s job to come in and check your site over, making sure you’re not vulnerable, that the plugins that have been installed aren’t doing something, they aren’t possibly conflicting with each other to make a vulnerability, or a plugin that gives or takes data isn’t leaving you vulnerable to SQL injection attacks and such like.

Penetration testing

Large websites handling lots of sensitive data are strongly recommended to perform penetration testing. This process involves hiring a security professional who acts like a hacker to identify potential areas and elements from where someone might break into your site. Liam explains this:

A penetration tester will try the full range of attacks on all the areas of your site where attacks might be possible, like every form on your site, they’ll try every input field to make sure that it’s not going to be exploitable by SQL injection, for example. Even better they will use the same tools the hackers use for scanning and finding vulnerabilities, so it won’t be as time-consuming as you may think but definitely worth the money.

What are the typical investment costs for improving a WordPress website security level?

As with this type of question, it’s hard to give a one-size-fits-all answer because many elements pile up into the final price. The main ones are:

  • Type of website (standard vs. handling transactional/sensitive data).
  • Size and traffic.
  • Number of pages, elements, and areas.
  • Quality and quantity of custom code.
  • Level of security required.

If we split the world of WordPress security into two ends, with correctly setting up a security plugin on one and a more complex task such as a full penetration test on the other, we’re probably looking at $200/$250 for the former and a minimum of $2k/$2.5K and up for in-depth professional penetration testing. In Liam’s words:

It all depends on the site, the number of pages, but also how popular the site is: if it’s a big brand name, they can attract hackers more easily and frequently. Depending on the number of pages, the number of databases/database tables, files. It will also be related to how many of the things there are to check against. But yeah, it would certainly run in the thousands of dollars for even the average site to do a full penetration testing suite.

Wrapping up

If your business depends on your WordPress website, having hackers take it down would cause major issues. And that’s not only true for eCommerce owners; it’s also true for many other business websites where you don’t sell anything directly to your clients other than “yourself”. Can you imagine if hackers took control of the personal website where you display your portfolio and just started messing with it, redirecting it to porn pages? What happens when your prospects google your name and click on it?

What I’m trying to say is:

You don’t have to be Amazon-big to start thinking about security and acting proactively. Now is the best time to improve it.

If you think you have the skills to improve your WordPress website’s security level properly, you might, of course, do it yourself. However, be warned that failing to configure the plugin correctly or updating any part of the website the wrong way could mean disaster and end up costing you a lot more than hiring a professional in the first place.

At the end of the day, if you didn’t raise your eyebrows when reading “penetration testing” above, you might have a good working knowledge around security and can probably take care of it on your own. If, on the other hand, you fall outside this category, you’re highly recommended to get help from a professional because:

You would hire a security professional to really give you an extra layer of robust security or, if you’re a complete layman, to put the security in place for you.


This blog post features Liam Bailey, the developer behind Webby Scots, with over 500 successfully delivered projects for clients through Codeable. An expert in many areas of WordPress, Liam also studies and specializes in website security. Liam has helped many happy clients improve their WordPress sites, including working in-house at Codeable before returning to freelancing to help more clients from all over the world.

The Down-To-Earth Guide To Working With a WordPress Security Specialist (And What To Expect)
https://www.codeable.io/blog/wordpress-security-specialist-process/ (Tue, 19 Dec 2017 05:30:14 +0000)

Protecting your business website from malicious attacks and hackers is something that never stops. Considering how costly a hack can be for your business, it’s important that you don’t leave anything to chance. That’s why getting help from a security expert is something you should consider doing as part of your strategy.

But what does a security expert do to make your website more secure? What should you expect them to work on? Thanks to Codeable Expert and Security Expert Liam Bailey, you’ll now have your answers!

Curious to get them? Great, let’s start!

What you need before starting any WordPress security work

Getting help from a security expert to improve your WordPress website is a recommended practice, and it starts with having everything your expert is going to need at hand. Preparing before engaging with a developer allows the whole process to run as smoothly as possible. The result is a positive outcome that will make you happy: you save money because there are no delays or back and forth to grant access, logins, etc.!

So what do you need before hiring a WordPress security specialist?

When it comes to security, you’d want to have:

  • A new user with admin privileges created for the security expert.
  • The correct path to log in to your WordPress website. Note: the default is yoursite.com/wp-login.php (reachable via yoursite.com/wp-admin), but it’s advisable to change it for, guess what, security reasons.
  • FTP login credentials: strictly speaking they’re not needed, but they become very useful because a seemingly innocuous change in wp-admin can cause a PHP error, and if your developer doesn’t have FTP access they can’t fix it.

Now that you know what you’ll be asked right after hiring the developer, let’s see what steps are usually taken by a developer for improving the security on WordPress websites.

Conducting a security audit

As every website is unique, its security weaknesses and areas for improvement can vary widely. That’s why a security project usually starts by assessing the current state of things. This well-known and critical procedure has a name: the security audit. As Liam explains:

Much like an accounts audit, a security audit for a small business WordPress website revolves around checking all of the security arrangements that are in place for your site to protect against foul play and to ascertain any discrepancies.

This means that through a security audit the developer checks whether you have everything correctly set up, whether you’re using weak passwords and usernames, which plugins you’re using and whether they’re up to date, and any area or element that could be exploited by a hacker. In other words, they do a thorough check of everything that falls under WordPress security best practices.

Once they have a clear picture on how your website is doing, the next step is installing and setting up a security plugin.

Setting up security plugins

One of the things that makes WordPress so popular is how easily it can be enhanced with plugins. And when it comes to security improvements, there are three names that keep showing up in online threads, groups, and security blogs: iThemes Security, Sucuri Security, and Wordfence Security.

These plugins are great not only because they’re free (with premium services connected to them for those interested) but because they’re simply good at their job and really raise the security level of any WordPress website.

The problem is that if they’re configured incorrectly, you could end up with false positives, error messages, incomplete scan procedures, and even being locked out of your own website (with iThemes Security). Since your goal here is to improve your website’s security, having a security expert take care of the setup process on your behalf is a no-brainer. Says Liam:

After I’ve gathered info and deeply checked my client’s website, I usually go on and install one of the well-known WordPress security plugins if they don’t have it already. My top choice is iThemes Security. After installing it, I configure it properly and let the client know about what’s been changed. If they already have iThemes installed, I check its configuration and make sure they’ve configured it correctly. At that level, I would also check the main areas of their website again to see if everything works the way it should.

Does your security improve with more security plugins?

No, it doesn’t. And it won’t, because there might be redundancies and features that interfere with each other on an operational level. In fact, if you install both Sucuri Security and Wordfence Security you might get an error message such as “Unable to Properly Scan Your Site”.

This is, of course, something you can fix by whitelisting Sucuri’s IP address in the Wordfence dashboard, but that’s not the point here. The point I’m trying to make is that one of these plugins is more than enough when we talk about how many security plugins you should have.

Security projects for big websites

As the size of a website grows, so do its security requirements. Larger sites need many more levels of protection to deal with everyday threats. Security for these organizations is therefore different because of the complexity and technicalities involved. As Liam clarifies:

The security audit in the _n_th degree for the larger site and the higher profile site is called penetration testing, a full suite of tools that you can bring in to test the site for vulnerabilities. You actually act as a hacker. You’re using the scanning tools and the exploit tools the hackers are using to try to break down the site’s security, finding out where they can get in, and blocking the holes.

Hack repair and cleanup

If your WordPress website got hacked, there are a few more steps involved in your security project. Specifically, hackers usually try to inject what are called backdoors into your website. Without going into technical details, these files contain executable code disguised so that it doesn’t look executable, hiding what it actually does.

When working with a security expert, their job is to find these malicious files and remove them by hunting them down in each and every part of your website. Once the backdoors are removed and everything is safely restored, it’s time to install and set up one of the security plugins mentioned above.

Wrapping up

Your WordPress website’s security should never be taken for granted, as a set-it-and-forget-it task you take care of just once. Outdated plugins and themes, weak usernames and passwords, and weak hosting solutions all add up to making your website more prone to attacks and more likely to get hacked.

There are several ways to improve the security of your WordPress website that you could do on your own, but only with the help of a security expert can you really rest assured that everything that could be done will be done. Properly.


This blog post features Liam Bailey, the developer behind Webby Scots, with over 500 successfully delivered projects for clients through Codeable. An expert in many areas of WordPress, Liam also studies and specializes in website security. Liam has helped many happy clients improve their WordPress sites, including working in-house at Codeable before returning to freelancing and helping more clients from all over the world.

The post The Down-To-Earth Guide To Working With a WordPress Security Specialist (And What To Expect) appeared first on Codeable.

4 Scaring Yet Undeniable Truths About Your New WordPress Website Security
https://www.codeable.io/blog/scaring-truths-security-new-website/ Tue, 07 Nov 2017 07:07:45 +0000

The post 4 Scaring Yet Undeniable Truths About Your New WordPress Website Security appeared first on Codeable.

It’s a simple numbers game. If millions of people are using a system, there are many more people learning to exploit that system. WordPress currently powers ~28% of the entire Internet and is the most used CMS in the world. That makes WordPress sites a popular nut to crack for people who don’t have good intentions.

According to WordPress developer and Codeable expert Liam Bailey:

The number of hackers who are trying to find exploits, some for good, some for ill, is a vast amount. And because of the popularity of WordPress, these exploits are quickly being discovered, exploited and/or publicized.

Now that you just launched your freshly “baked” WordPress website it’s time you and I have the talk. Can you handle the truth? Well, here it is: your login and password are the only things you have in place to keep hackers off your website.

It’s freaking scary, I know. Actually, there are 4 unquestionable truths about a new WordPress website’s security you ought to know. Don’t worry too much, for now. There’s plenty of room to improve.

Ready to start? Great!

Untouched WordPress files are prone to attack

A new install of WordPress gives you a functioning site and a working database. The main issue is that those vanilla WordPress files and database entries contain all the information a hacker or other data thief may want.

As Liam points out:

Everybody knows that the `wp-login.php` file is most sites’ login form. So it’s an immediate entry point for brute force attackers. They (the bots) don’t have to go around looking for your login form.

This means that bots can repeatedly attack a WordPress login page for as long as they like. Or just until they gain access to your website.

Same story for your website’s database: a new WordPress install comes with the default `wp_` table prefix, so every table stored in your database begins with that single prefix. This widely known default might help attackers do nasty things to your database, most notably through an attack known as SQL injection, where hackers can create a separate admin user with full access to your entire WordPress website.

That’s why leaving files (and folders) untouched can really harm a WordPress install, but it’s something that can easily be improved, as Liam notes:

Renaming your database prefix and moving your WP login file are basically one-off processes. And once they’re done, they’re finished. It’s not something that’s constantly running.

Not updating your WordPress core files, themes, and plugins opens your website to security flaws

When the WordPress team releases a new version, it’s full of security patches. Many people will leave their WordPress installations without updating them for long periods. Hackers know this and actively seek those WordPress sites out.

Explains Liam:

If you don’t keep your WordPress updated it’s basically giving the hackers a free ride. All they’ve got to do is find that you’re using an old version, and they can get straight in exploiting the vulnerabilities that are already known. In fact, there are tools that practically do it for them. I could do it, you could do it, they are doing it.

Plugins and themes add a lot of extra features and functionality to WordPress sites. This is especially true for eCommerce stores. Along with the WordPress team, plugin and theme developers patch security holes and release updates routinely as well.

When it comes to updates, Liam says:

Make sure your plugins, your themes, and your WordPress are all up-to-date. That is probably the biggest factor as well as having good security plugins to protect you against the main forms of attacks.

Half the work to prevent your website from being hacked is keeping it current: your WordPress core files, your theme, and plugins, even if they’re custom coded, should always be kept updated to their latest versions.

In addition, don’t forget to get rid of unused plugins, theme files, and inactive users. They are usually forgotten and left silently sitting in your WordPress install, but they can provide a way in for those seeking to do harm.

Your current hosting provider might be lacking in security

Your hosting provider is a key player when it comes to your website’s security. Today there is an abundance of WordPress-optimized hosting providers you should look at, because they have extra layers of security in place for WordPress sites and ensure that your site stays updated.

WP Engine, Cloudways, Kinsta are trusted providers you should check out. As Liam notes:

Managed WordPress hosts are really bang-on with the security. They’ve already got their own steps in place for things like fail2ban, and they block users if they fail to log in too many times. They know the main ways that people are coming in to attack your WordPress site and they protect against it. The fact that they’re already protecting you is an extra step in the defense, and they also force you to update plugins and themes, which is a really big risk area if you’re not doing that.

If you’re not using any security plugin, you’re threatening your website security

WordPress has more than 52.3K available plugins in its repository. And when security is on your plate, there are 3 plugins that will improve the security of your site immensely: iThemes Security, Wordfence, and Sucuri Scanner.

In fact, Liam thinks that:

iThemes Security, Wordfence, and Sucuri Security are the three main plugins that, if set up properly, will really secure the average WordPress site against 99% of attacks.

These plugins and services can really help with all the aforementioned concerns. That includes changing database prefixes and securing your core WordPress files. They won’t slow down your site, and they won’t interfere with your business. But setting them up properly can be hard for some, which is why you might want to consider hiring a professional to do that for you, usually within a 2-hour time frame.

Wrapping up

Your new WordPress website consists of several moving parts, which can act as loopholes for malicious attackers if you do nothing. Securing those parts properly doesn’t cost much compared to the potential loss you’re preventing. And sometimes, for very basic needs, security might even come free, thanks to specific plugins. However, you must keep in mind that security is never a single task; it requires consistent maintenance and upkeep to keep everything working the way it should.


This blog post features Liam Bailey, the developer behind Webby Scots, with over 500 successfully delivered projects for clients through Codeable. An expert in many areas of WordPress, Liam also studies and specializes in website security. Liam has helped many happy clients improve their WordPress sites, including working in-house at Codeable before returning to freelancing and helping more clients from all over the world.

What Are The First Steps For Securing A WordPress Website?
https://www.codeable.io/blog/first-steps-security-wordpress-website/ Thu, 26 Oct 2017 06:03:53 +0000

The post What Are The First Steps For Securing A WordPress Website? appeared first on Codeable.

It’s every web business owner’s worst nightmare: your site has been hijacked by hackers, and you’re left helpless as the business you’ve spent lots of time and money growing is corrupted from the inside. The process of securing a WordPress site is often referred to as hardening and for good reasons.

Your website is like a fort, and it’s up to you to ensure that you have enough archers on the battlements to ward off intruders. Fortunately, there are a few things you can do to reduce the odds of you ever becoming a victim of hackers.

Let’s take a look at what you can do to make your WordPress Site more secure starting today:

1. Use a strong username and password

It all begins with your username and password. So start with making sure you pick a username that’s hard to guess. You’d be surprised how many people use the default “Admin” username for their WordPress site.

The problem with that is if someone is trying to hack your website, “Admin” is the first username they would try, 100% of the time. Using that as your username is giving potential hackers half of the information they need to break into your site. WordPress developer and Codeable expert Liam Bailey says:

Don’t have ‘Admin’ as your administrator username. Use something, if possible, that you’ve randomly picked like a random string of letters and numbers.

The goal here is to come up with something unique no one would guess.

As for the password, you should use what is called a strong password, i.e. something that is at least 16 characters long, featuring numbers, symbols, and letters (uppercase and lowercase). If you think this is too hard, consider using a password manager like LastPass, which will take care of generating a strong password (and storing it safely) on your behalf.

There’s no need to go through all the work of hardening a website if the username and password have already been compromised. The most important step of all is keeping your login details secure at all times. That’s why security experts often suggest changing your passwords a few times a year.

Next thing to look at is your website’s “components”: plugins and themes.

2. Keep plugins and themes updated

WordPress updates are an important part of any WordPress user’s life. They’re important not only to improve core files or the performance of a given plugin or theme with its latest release. Updates are meant to fix bugs and security loopholes that get discovered among users. Updates are your best friends when it comes to security.

Would you leave your best friend hanging at your door? Nah, I don’t think so.

That’s why, when you get notified of a newer version of a plugin, theme, or WordPress core files in your WordPress dashboard, it means you should be updating them. As Liam brings to attention:

The next step to make your website more secure is to make sure your plugins and your WordPress are up to date. Why? If you went into Google right now and searched for known WordPress vulnerabilities or known WordPress plugin vulnerabilities, there are lists of known vulnerabilities for older versions of WordPress as long as your arm. What’s more, the hackers have scanning tools just like Googlebot, but these are crawling the net to find websites using outdated software with known vulnerabilities, including WordPress. The minute they [hackers and their scanners] find one, it’s flagged up ready for the next stage of the attack. If you don’t let them in the first step, then they can’t go any further.

3. Install good security plugins

There are many security plugins that will help you beef up the security of your WordPress site even if you have limited (or even no) technical knowledge. Liam suggests:

One of the best security plugins that I used is iThemes Security because among the different aspects it takes care of, it makes sure you’re not using ‘Admin’ as your username, secures file permissions, and a host of other things which really make the WordPress site more secure.

What Liam refers to here is those alert messages saying either that your username is wrong or that your password doesn’t match that username. These strings of words can be gold to anyone who’s trying to break into your WordPress website. Removing this type of information keeps attackers in the dark, and that’s a good thing.

If you’re obsessed with speed and want to keep your site fast, you might want to check out MalCare, which packs a complete set of security features without bloating your pages.

Wrapping up

Newer versions of your plugins and themes, as well as of the WordPress core files, are continuously released. And if your website features any custom code, keeping up with security becomes even harder, because you always have to be sure all updates “get along” with your custom code. These are just a few of the many things that can be done to harden your WordPress site. And sure, they give you a good level of security, making it more secure than 61% of WordPress websites.

But that’s just a small, yet important, part of the overall picture of your website’s security. Security is not a set-and-forget-it task, one that can be done by adding some plugins, a strong password, and some other tweaks before moving on. Security is an ongoing, compound process whose goal is to add as many layers as possible and sharpen them to keep undesirables out.


This blog post features Liam Bailey, the developer behind Webby Scots, with over 500 successfully delivered projects for clients through Codeable. An expert in many areas of WordPress, Liam also studies and specializes in website security. Liam has helped many happy clients improve their WordPress sites, including working in-house at Codeable before returning to freelancing and helping more clients from all over the world.

My WordPress Website Got Hacked. What Should I Do Now?
https://www.codeable.io/blog/wordpress-website-hacked-what-now/ Thu, 12 Oct 2017 06:07:30 +0000

The post My WordPress Website Got Hacked. What Should I Do Now? appeared first on Codeable.

Plenty of WordPress websites get hacked every day. And, be under no illusion, yours could be next. Especially if you don’t take security seriously. But, let’s be honest here for a second: many website owners overlook having a security and recovery strategy in place because it doesn’t strictly relate to business goals. Yet, when they get caught off guard, panic mode strikes and that’s the moment they look for (quick) fixes for their compromised website.

That’s a common approach to security, but it’s completely wrong. If you want to improve your WordPress website’s security, it’s mainly a game of preventing “bad things” from happening.

So, what do you do if you happen to be the latest victim of a hack? Here are some tips to significantly lower the chance of losing control of your website after it’s been hacked, all supported by a security expert’s professional expertise.

Restore from a clean backup

You might have noticed this in other situations: backups of your website are vital assets you can’t afford not to have. So, before your website is hacked, the most important action you need to take is to ensure you’re backing up all that you need, namely:

  • WordPress core files (the actual WordPress software)
  • Your plugins
  • Your theme, which often includes a parent theme and a child theme
  • Your Database

Then, when you find out your website’s been hacked, all you would have to do is restore the backup in a few clicks. In one fell swoop, you will have removed the hack and got the website back up and running.

That would be the easiest, most frictionless way to revert your WordPress website to its non-compromised state. But that almost never occurs: things are usually way more complicated than this. What’s more, restoring the backup is nothing more than a first step: you are only restoring a website that is vulnerable to attack, and proven as such.

Even worse, your backup may only appear to be clean. In many cases, hackers break into a site and leave backdoors some time before doing anything visible, like adding links to their favorite Russian porn sites in your footer. In that case, each time you restore a backup it won’t be long before they let themselves back in through the backdoor. As WordPress developer and Codeable expert Liam Bailey explains:

In some cases the hack’s actually already been there and it’s not been noticed. So, even though you’ve got backups for two weeks and you put this backup back in place, you’ve still actually got malware on your site, or what they call ‘backdoors’.

If that’s your case, you need to restrict site access before you start cleaning. Liam recommends a 3-step process for this:

  1. Block the site off so that it’s only accessible on your computer’s IP address
  2. Have every user with access change their passwords, this includes passwords to the WordPress site and your FTP password for the server
  3. Scan the site to ensure you’re removing all the backdoors

Cleaning up backdoors

Wait a minute: what are backdoors? How do they affect your website?

Explains Liam:

Backdoors are like files with executable code in them that doesn’t actually show you the executable code. Usually, it’s base64-encoded or otherwise obfuscated (hidden) so they’ll hide what they’re doing.

Things get a bit technical here, which is why working with a security expert is the most common choice.

To find backdoors you might want to use a plugin such as Wordfence, which will show some of the malicious files. As you find them, you should not only delete them but also keep a snippet of each and every one. Once you have a collection of what the malicious files hideously populating your website “look like”, you can search for others containing similar strings.

Technically, the process is usually performed via SSH using the grep command, which lets you search for a given text in your files’ contents. This will highlight files with malicious code as well as completely new files or code strings created by the hackers. Liam explains:

The good thing about ssh and grep is once you know what you are looking for you can find and delete all malicious files on the server in one fell swoop, although a dry run is advisable.

The same principle as grep (namely regular expression or pattern matching) can be used to clean up the database too.
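A defensive scan in the spirit of the grep approach Liam describes here (and of the backdoor hunt in the earlier post), as an added example that is not part of the original post: it lists PHP files containing decoder-in-eval and nested-decoder patterns typical of obfuscated backdoors, and only deletes them when explicitly told to, defaulting to a dry run. The sample site, the pattern list and the `DRY_RUN` argument are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): scan a WordPress tree for PHP files
# carrying the obfuscation indicators backdoors commonly use, then clean up only
# after a dry run, as the post advises.

# Constructed extended-regex of indicators: eval() wrapped around a decoder, or one
# decoder nested in another (gzinflate(base64_decode(...)) chains). Match first,
# then review every hit by hand before deleting anything.
BACKDOOR_PATTERN='eval[[:space:]]*\((base64_decode|gzinflate|gzuncompress|str_rot13)|(base64_decode|gzinflate|gzuncompress)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)'

# scan_backdoors DIR: print the path of every .php file under DIR matching the pattern.
# grep -l returns non-zero when nothing matches; "|| true" keeps that from aborting
# a caller running under set -e.
scan_backdoors() {
  find "$1" -type f -name '*.php' -exec grep -lE "$BACKDOOR_PATTERN" {} + || true
}

# count_suspects DIR: number of flagged files, handy for a before/after check.
count_suspects() {
  scan_backdoors "$1" | wc -l | tr -d ' '
}

# cleanup_backdoors DIR [DRY_RUN]: delete flagged files unless DRY_RUN is 1 (the default).
cleanup_backdoors() {
  dir=$1
  dry_run=${2:-1}
  scan_backdoors "$dir" | while IFS= read -r f; do
    if [ "$dry_run" = 1 ]; then
      printf 'DRY RUN would delete: %s\n' "$f"
    else
      printf 'deleting: %s\n' "$f"
      rm -f "$f"
    fi
  done
}

# make_sample_site DIR: construct a tiny site tree with one clean plugin file and two
# constructed backdoor-style files (harmless: the encoded payload is just an echo).
make_sample_site() {
  mkdir -p "$1/wp-content/plugins/demo" "$1/wp-content/uploads"
  cat > "$1/wp-content/plugins/demo/demo.php" <<'EOF'
<?php
// Legitimate plugin code: encodes, never evals a decoder.
function demo_hello() { return base64_encode('hello'); }
EOF
  cat > "$1/wp-content/uploads/cache.php" <<'EOF'
<?php eval(base64_decode('ZWNobyAiaGkiOw==')); // constructed indicator: eval(base64_decode(...))
EOF
  cat > "$1/wp-content/plugins/demo/helper.php" <<'EOF'
<?php
$x = gzinflate(base64_decode('')); // constructed indicator: nested decoder chain
EOF
}

# Usage on a real install: cleanup_backdoors /path/to/wordpress 1   (dry run, review)
#                          cleanup_backdoors /path/to/wordpress 0   (delete reviewed hits)
```

Treat every hit as a lead, not a verdict: some legitimate plugins also decode base64, so compare each flagged file against a known-good copy before removing it.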

Re-think about your hosting provider

In case you don’t have a recent backup of your website, it won’t be possible to get things back the way they used to be after a hack. And this is where a good hosting provider with a good backup system and security in place excels.

Says Liam:

I think WP Engine’s got a really good system because that does a complete snapshot of the entire install. So it’s really giving you a complete coverage backup, which is good.

If your current hosting provider doesn’t have this kind of system, you can either back up the files manually or use a plugin like UpdraftPlus, which gets the job done really well for the average site. But if your site has a lot of pictures, be careful: UpdraftPlus can eat up a lot of resources on sites with many large images, and in some extreme cases it can cause server faults.

Having a good and reliable backup system is just one thing you should evaluate your current hosting provider on. And it’s no secret that cheap hosts not only have slower server stacks but also lack further tools and resources that might be critical in the event of a hacked site.

Re-thinking why you opted for a cheap hosting solution instead of a more professional one usually makes you realize you made your decision solely on the chance to save on costs. If you add in the trouble, the time needed, and the overall stress of not knowing when things will be back to normal, I’m sure you no longer think of that choice as a smart one for your business.

Wrapping up

If your WordPress site’s been hacked, it’s never an easy and quick fix. It all gravitates around how secure you’ve built (or grown) your own ecosystem: your website, your users and their passwords, your plugins, and themes. The better you are at keeping all these secure and updated, the lower the chances for your website to be breached.

But the real key element you can’t live without is a clean backup, your only chance to revert things back to normal as fast and close to the latest version of your website as possible. Without a good backup, there are no guarantees that you can restore the website as it was before.

Considering how costly a hack can be for your business, it’s important that you don’t leave anything to chance. Make sure you have a reliable backup system in place (or have a hosting provider do that for you), so you know you can always get back on track whenever your site is compromised. And get back to sleeping tight.


This blog post features Liam Bailey, the developer behind Webby Scots, with over 500 successfully delivered projects for clients through Codeable. An expert in many areas of WordPress, Liam also studies and specializes in website security. Liam has helped many happy clients improve their WordPress sites, including working in-house at Codeable before returning to freelancing and helping more clients from all over the world.

Do I Need an SSL Certificate On My WordPress Website?
https://www.codeable.io/blog/ssl-certificates-wordpress-website/ Tue, 03 Oct 2017 06:07:52 +0000

The post Do I Need an SSL Certificate On My WordPress Website? appeared first on Codeable.

With a market share north of 28%, WordPress is a popular tool powering lots of business websites. Yet its popularity makes it an ever more attractive target for hackers and malicious attacks, both of which can erode consumer confidence and leave you stuck with no traffic and falling sales.

Security should never be taken for granted, no matter how “big” or “famous” your website is. Actually, there are several ways and best practices to improve the security level of your website.

When people talk about security, they usually bring to the table another term that unfortunately has very little to do with a website’s level of security: I’m talking about SSL certificates. The misconception stems from a wrong idea of how SSL certificates actually work and how they relate to security.

In this post, and thanks to an experienced security expert, I’ll explain the important nitty-gritty details around SSL certificates, leaving out all the technicalities and “obscure” lingo that usually come up when talking about this topic.

SSL certificates vs security: do they even relate?

An SSL (Secure Sockets Layer) certificate is an easy and cost-effective way to protect sensitive data shared with websites from being intercepted by hackers. An important thing I want to stress right from the beginning is that an SSL certificate doesn’t protect your website from attackers. SSL certificates are all about keeping your visitors’ information secure in transit.

In other words, having just an SSL certificate isn’t enough to improve your website security. For that, there are tactics, tools, and things to perform regularly that go perfectly along with having an SSL certificate installed.

What is an SSL certificate?

WordPress developer and Codeable expert Liam Bailey says:

An SSL certificate is like the gas board man’s ID badge.

Residents are careful to check IDs before letting utility workers or service people into their homes. Liam likens the SSL certificate to the privacy chain across a doorway. The chain allows the door to open slightly so the person inside can evaluate what’s on the other side.

The certificate itself is a public digital document. When users type in your website URL, your SSL certificate tells them the site is owned by a legitimate company. As Liam points out:

An SSL certificate is a hard and fast way to make sure that the website you’re being served is the website you’re trying to use.

Hackers can hijack your URL and divert traffic to malicious sites that steal your customers’ money, identity, and information. An SSL certificate lets visitors know that your website, and their information, are safe.

How does an SSL Certificate increase your users’ security?

SSL improves your WordPress visitors’ and users’ security in two ways. On one hand, as an SSL certificate prevents connections to impostor websites, your users can be reassured nothing suspicious is happening. On the other, it protects sensitive data transfers via encryption, which encodes data in a way that is understandable only by the two parties involved in the transfer: your user’s browser and your website.

Specifically, an SSL certificate secures data as it travels between computers in three steps:

  1. Users enter your URL into a browser. The browser asks the requested server to identify itself before a connection is granted.
  2. The requested server sends the SSL certificate to the browser.
  3. The browser verifies the certificate is authentic and up-to-date. A connection is approved.

For example: when you buy something on Amazon, your credit card information is sent through a secure, encrypted connection to Amazon’s servers. If by any chance a hacker managed to intercept that data, they would not be able to “read” it (understand it) without the unique key used to encode it, a key that is created and handled automatically without you even noticing.

Have you ever stumbled upon an alert message like this one?

Well, this type of alert appears when your browser comes across a suspicious or expired certificate. When this occurs, users are cautioned not to enter personal information on unauthenticated sites, to lower the risk of identity or data theft. Here’s how to check if a site’s connection is secure in Chrome.

Do you need an SSL certificate?

As of 2017, SSL certificates are becoming more and more adopted by website owners because they provide several benefits with a low price tag, one of which is showing a commitment to customer safety. As Liam recommends:

I personally think everyone should have SSL for many reasons. In fact, as SSL use becomes more and more widespread, and it becomes the norm, then not having one could even come to be seen like you’re not trying to protect your users.

Top 3 benefits that an SSL certificate brings you

  • It’s a simple way to protect your customers.
  • Google uses SSL certification in SEO rankings.
  • An active SSL certificate shows your users they can trust you and your website.

How do you get an SSL certificate?

There are several ways to get an SSL certificate, but for many business websites Liam suggests using Let’s Encrypt, a certificate authority that issues free-to-use certificates. Liam recommends it also because he believes the service offers a high level of data safety.

The majority of hosting providers support Let’s Encrypt as part of their in-house services, so you can ask them for help. If your hosting provider doesn’t offer this support, or you have a more complex website, such as a membership area or an eCommerce store, you should think about hiring a security expert to get it set up correctly and then forget about it.

Liam believes an SSL certificate is always worth the minimal investment you need to make for a proper configuration:

It’s really not going to be over-the-top expensive.

Wrapping Up

SSL certificates are an effective way to increase customer trust and should be part of your broader security strategy. They keep hackers from diverting your traffic to fake sites and keep customer data out of the wrong hands. In addition, Google has started labeling websites without SSL certificates as “not secure”, greeting their users with warning messages. On top of that, the investment required to have an SSL certificate in place is pretty low, if not 0 for those who are able to take care of it themselves.

Now, hold on for a second and question yourself: when I tell my visitors and customers I do care about their data and privacy being secure, am I also doing anything I can to prove it to them?


Liam Bailey is the developer behind Webby Scots, with over 500 successfully delivered projects for clients through Codeable. An expert in many areas of WordPress, Liam also studies and specializes in website security. Liam has helped many happy clients improve their WordPress sites, including working in-house at Codeable before returning to freelancing and helping more clients from all over the world.

The post Do I Need an SSL Certificate On My WordPress Website? appeared first on Codeable.

The Quick And Dirty Business Guide To SSL Certificates For WordPress Website Owners
https://www.codeable.io/blog/ssl-wordpress-business-guide/ Mon, 13 Mar 2017 18:52:10 +0000

Everyone on the World Wide Web is talking about SSL certificates, and has been doing so more and more for the past few months at least. The reason? Google and its ever-changing algorithms. Specifically, one of the latest actions Google has taken to fight fraudulent, insecure websites and pages is to label non-HTTPS pages as “not secure”:

[Image: “Not secure” website label]

There's a high chance you have already seen one of these alert messages. Or, even worse, users reached out to you saying your website or eCommerce store isn't secure according to Google. And, correct me if I'm wrong, you were caught off guard; someone might even have panicked at the time. If you're still trying to understand what this fuss is all about, this guide is for you.

In this guide, I'll go through all the main elements pertaining to SSL certificates to give you a clear picture of what they are and how they work and, above all, whether you, as a website or eCommerce store manager, need to have one in place.

Ready to start? Let’s dive in!

A little history of the SSL certificate

They say “to know your future you must know your past”, right? Put into a closer, business perspective, I'd rephrase that as “to better assess whether you'll need an SSL certificate, get to know why they were created”. So before getting our hands dirty with actual tips and suggestions, here's some information about SSL certificates from their early days.

It was March 1995 when Netscape, the most widely adopted web browser of the ’90s (before Internet Explorer gained its market share), decided to actually do something to increase the security of the communication between a client and a server. To an extent, they wanted to make the Internet safer. That's why early that year they shipped Netscape Navigator 1.1, giving birth to the Secure Sockets Layer protocol (SSL for short). As we now know:

Netscape’s goal was to create an encrypted data path between a client and a server that was platform or OS agnostic. Netscape also embraced SSL to take advantage of new encryption schemes such as the recent adoption of the Advanced Encryption Standard (AES) considered more secure than Data Encryption Standard (DES).

But it was after 2003 that SSL certificates started to be taken more seriously, as the US Government deemed AES secure enough to be used for classified information. From those early days, through different iterations and versions, SSL certificates are nowadays trusted and implemented by many websites.

For those who want to know more about the history of SSL/TLS in much greater detail, this timeline from Ivan Ristić shows it perfectly.

What does an SSL certificate do? What are its main benefits to a website?

Enough with history! Now it's time to better understand how an SSL certificate works and how, once implemented, it could benefit a website or eCommerce store. From a business perspective there's no need to go into many technical details, yet you do need to know how an SSL certificate affects your website. Here's a great tutorial to start with:

As you can now imagine, an SSL certificate is your way, as the website or eCommerce store owner, to show your users that security is in place and that their data is transmitted encrypted. Your users will also notice a visual sign of a valid SSL certificate in their browser, like a lock icon, a green bar, etc., depending on the certificate you're using (more on the different types of certificates later on).

So, what are the main benefits of implementing an SSL certificate on your website?

Now that you have an idea of how SSL certificates work, it's time to see how they could benefit your website and eCommerce store.

Encrypted communications and data

Do your users have to log in to access pages on your website? Does your website have to handle sensitive information, such as credit card details, identification numbers, and the like? Well, without an SSL certificate, which encrypts all communications back and forth, this kind of data travels as plain text and could be intercepted by a hacker pretty easily.

Performance and HTTP/2

The world is moving to the newer version of the HTTP protocol, HTTP/2, because on top of several improvements it delivers higher performance (we're talking 50-70% better than sites over HTTP/1.1). What does this have to do with SSL certificates? Well, if you'd like to take advantage of HTTP/2, you're required to run your website or eCommerce store on HTTPS, since browsers only support HTTP/2 over an encrypted connection.

SEO and rankings

In 2014, Google announced that HTTPS is a ranking signal. As a result, a lot of website owners started to switch from HTTP to HTTPS because they didn't want to be penalized by the almighty search engine. By analyzing 1 million search results, Brian Dean found that HTTPS does in fact correlate with higher rankings on Google's first page:

[Image: Use of HTTPS]

Building trust

Along with the other benefits above, an SSL certificate helps you in a key area: it builds trust among your users. It shows them they're dealing with a secure website, one where, for example, their credit card information is handled in a secure and encrypted way. You don't need me to tell you how important trust is in business.

Do I need an SSL certificate?

In this journey through the world of SSL certificates, after seeing the benefits, we have finally come to a turning point.

Will you need an SSL certificate at the end of the day? Is your website or eCommerce store the perfect candidate for it?

Don't take these as technical questions. Asking whether or not to use a tool that builds trust with your customers is a business question. Asking yourself how to improve the security of sensitive data is also a business question.

To help you find your answer, I've created this list for you.

You need to have an SSL certificate if…

  • you run an eCommerce store
  • you run a paid membership website
  • you run any type of transactional website (online banking, financial account management, wire transfers, and the like)
  • your website requires users to log in
  • your website has forms that handle personal data, credit card information or any other sensitive data from your users
  • your website allows users to chat on the website

Because of the benefits highlighted above, if you're managing a website or eCommerce store that matches one of these descriptions, you need to have an SSL certificate in place.

I'm not talking about a nice-to-have technicality that would improve some non-critical aspect of your website. This is a matter of your business taking advantage of the current state of the online world while keeping it all secure for your users.

But what if you have a “standard” website, like a personal website with a portfolio showing off your work, for example? What about an informational website where users come to read and be informed about a topic? Well, if that's your case, you're not under the same pressure as other website owners to get an SSL certificate right away and move to HTTPS. Still, moving to HTTPS has plenty of advantages, and even if it's not critical to your website today, tomorrow it will be the standard.

Better be prepared soon, right?

To give you some perspective, here’s some data from the HTTP Archive showing the percentage of websites that redirect to HTTPS amongst the top 500K sites:

[Image: HTTPS adoption rate]

Growing from 5.5% in mid-2015 to 12.4% in mid-2016, the number of HTTPS websites has more than doubled in a year!

What will you need to install an SSL certificate?

This guide isn't meant to show how to technically implement an SSL certificate (that could be the topic of a whole new blog post); nonetheless, I have outlined the main steps and actions you'll need to take, with the technicalities removed.

Here are the bare bones of transitioning from a non-secure, certificate-less HTTP life to a more secure, SSL-empowered HTTPS future. This is what you need to do:

  1. You need to understand what type of SSL certificate is a good fit for your website and purchase it (more info below, keep reading)
  2. You need to install your SSL certificate on your website
  3. You need to set up 301 redirects from HTTP to HTTPS
  4. You need to thoroughly test your website for broken links and mixed content issues

Now let’s see each item on the list with more details…

1. SSL certificates: where to buy one

You can find SSL certificates from SSL certificate vendors or, in many cases, directly by asking your hosting provider about them. There are literally hundreds of websites through which you could buy your own certificate, including some of the most trusted vendors, such as Comodo, Symantec, GeoTrust, or Thawte.

What types of SSL certificates are there?

Before buying, it’s better to understand what types of SSL certificates are available and what they do.

So, let me help you with that. SSL certificates come in four different types:

Domain Validation Certificates, primarily used to verify ownership of a domain. You can recognize them by seeing this in your browser:

[Image: Domain Validation certificate example]

Organization Validation Certificates, primarily used to prove that a company is registered, in addition to validating the domain. The business name is shown in the certificate details. You can recognize them by seeing this logo somewhere on the page:

[Image: TRUSTe privacy logo]

Extended Validation Certificates: to be eligible for this certificate, a business owner has to submit the necessary business documents to prove the business exists. It's usually big companies, such as banks, that use this type of certificate. You can recognize them by seeing this in your browser:

[Image: Extended Validation certificate example]

Wildcard SSL certificates: this type of certificate allows you to secure your domain and all of its subdomains with a single certificate:

[Image: Wildcard SSL certificate example]

My personal suggestion is to buy your SSL certificate through your own hosting provider and ask them which type of certificate might be a good fit for your website or eCommerce store.

Back to the main list, now…

2. How to add an SSL certificate to your website

There are three ways you could accomplish this task:

a) You could ask your hosting provider whether they offer this kind of service, and if they do, you're in luck! Note: not all hosting providers offer this service, so don't get mad if yours doesn't. Maybe start thinking about switching to a more professional hosting provider.

b) You could learn to do it yourself, but please be cautious, because you could break your website badly if things aren't deployed correctly.

c) You could hire someone on Codeable to properly implement your desired SSL certificate, move your website or eCommerce store to HTTPS, and leave you with peace of mind. Quick and easy.

3. Implement 301 redirects, re-add your website to Google Search Console and update Google Analytics

When moving your website to HTTPS you should also notify Google of the transition. How do you do that? Yes, with 301 permanent redirects.

But there's one thing many forget when switching to HTTPS, and that is adding your website to Google Search Console (formerly “Google Webmaster Tools”) again. Even though it's still the exact same website, after switching to HTTPS Google treats it as a new domain.

The same goes for Google Analytics. So fire up GA, navigate to Administration › Property Settings and pick HTTPS as your default domain:

[Image: Google Analytics HTTPS setting]

4. Thoroughly test your website for broken links and mixed content issues

After you flip from HTTP to HTTPS, thanks to your new SSL certificate, it's time to check everything and test all your links extensively to see whether any broke during the transition. Along with these tests, you should also check that all your website and eCommerce store assets are now served over HTTPS, to prevent mixed content issues.

To collect data about your website quickly and see whether everything went through correctly, you could start with a tool such as Qualys SSL Labs, which will scan your website to check that your SSL certificate is installed properly.
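To make steps 3 and 4 concrete, here is a small Python script, added to this guide as an example (it is not Codeable's or the author's code), that scans a page's HTML for mixed content and checks that an http:// URL answers with a permanent redirect to its https:// twin. The sample page, the domains in it (shop.example.com, cdn.example.com, widgets.example.com) and the redirect responses are constructed for the demo; on a live site you would feed it the HTML and the first redirect response of your own pages.

```python
"""Post-migration checks for an HTTPS switch: a mixed-content scanner for a
page's HTML and a check that http:// URLs get a permanent redirect to https://.
Example code added to this guide, not Codeable's tooling; all URLs and the
sample page below are constructed for the demo."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Sub-resources browsers refuse to load over http:// on an https:// page
# ("active" mixed content: scripts, stylesheets, frames, plugins, CSS url()).
ACTIVE = {"script": ("src",), "iframe": ("src",), "object": ("data",), "embed": ("src",)}
# Sub-resources browsers only warn about or auto-upgrade ("passive" mixed content).
PASSIVE = {"img": ("src",), "audio": ("src",), "video": ("src", "poster"), "source": ("src",)}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")


class MixedContentParser(HTMLParser):
    """Collect (kind, tag, absolute_url) for every sub-resource loaded over http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._in_style = False

    def _check(self, kind, tag, raw):
        if not raw:
            return
        # Resolve relative and protocol-relative ("//cdn...") URLs against the
        # https:// page URL: only an explicit http:// scheme is mixed content.
        url = urljoin(self.page_url, raw.strip())
        if urlparse(url).scheme == "http":
            self.findings.append((kind, tag, url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            for name in ACTIVE[tag]:
                self._check("active", tag, attrs.get(name))
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            self._check("active", tag, attrs.get("href"))
        elif tag in PASSIVE:
            for name in PASSIVE[tag]:
                self._check("passive", tag, attrs.get(name))
        # Responsive images list extra candidates in srcset ("url 2x, url 800w").
        for candidate in (attrs.get("srcset") or "").split(","):
            parts = candidate.split()
            if parts:
                self._check("passive", tag, parts[0])
        # Inline style="background: url(http://...)" counts as active content.
        for css_url in CSS_URL.findall(attrs.get("style") or ""):
            self._check("active", tag, css_url)
        if tag == "style":
            self._in_style = True
        # <a href="http://..."> is navigation, not a sub-resource: it is not
        # mixed content, though it is a link to fix with a 301 redirect.

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # url(...) values inside a <style> block
            for css_url in CSS_URL.findall(data):
                self._check("active", "style", css_url)


def scan_mixed_content(html, page_url):
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def check_https_redirect(http_url, status, location):
    """True when the response to an http:// request is a permanent redirect
    (301, or the equivalent 308) to the same host and path over https://.
    status/location are passed in so the check runs offline; on a live site take
    them from the first response, fetched without following redirects."""
    src = urlparse(http_url)
    dst = urlparse(urljoin(http_url, location))
    return (status in (301, 308) and dst.scheme == "https"
            and dst.netloc == src.netloc and dst.path == src.path)


# Constructed sample page standing in for a store page fetched over https://.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<link rel="stylesheet" href="/wp-content/themes/shop/style.css">
<script src="http://cdn.example.com/app.js"></script>
<script src="https://cdn.example.com/analytics.js"></script>
<style>body { background: url(http://cdn.example.com/bg.png); }</style>
</head><body>
<img src="http://shop.example.com/wp-content/uploads/hero.jpg" srcset="http://shop.example.com/hero-2x.jpg 2x">
<img src="//cdn.example.com/logo.png">
<a href="http://shop.example.com/cart">Cart</a>
<iframe src="http://widgets.example.com/chat"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan_mixed_content(SAMPLE_HTML, "https://shop.example.com/"):
        print(f"{kind:7} <{tag}> {url}")
    print(check_https_redirect("http://shop.example.com/cart", 301, "https://shop.example.com/cart"))
```

The split into active and passive findings matters because browsers block the active ones outright (a theme stylesheet or script left on http:// means a visibly broken page) while passive ones only trigger a warning or get upgraded. The scanner only sees the HTML you hand it, so resources added later by JavaScript are not covered; pair it with the browser's console warnings and the SSL Labs scan mentioned above.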

Right now, there's still one topic left uncovered, something you've been dying to ask right from the beginning: “How much is an SSL certificate going to cost me?”

How much will an SSL certificate cost you?

The price for an SSL certificate can fluctuate quite a bit, depending on several factors, so take these numbers with a grain of salt and use them as a guideline.

SSL certificate prices can range from $8/year up to even $5k+/year for some Wildcard SSL certificates. Discounted prices might occur if you buy certificates for more than 1 year (not all vendors provide them).

For those on a budget, there are also free SSL certificates to check out, such as Let's Encrypt, a service provided by the Internet Security Research Group (ISRG).

Top 5 things you should take into account (and never forget) when moving to HTTPS

Here's a list you'll want to keep handy right before moving your website to HTTPS, because it outlines things you can easily forget about or may not know could happen to you:

  1. Traffic drops for a while, sometimes significantly, but that's only temporary.
  2. Don’t forget about your CDN: if you use a CDN, you need to make sure that your CDN supports HTTPS.
  3. You'll experience some broken links: the more links your website or eCommerce store has, the higher the chance some of them break after your switch to HTTPS. Fix that with 301 redirects. The same can happen to links to your images, so be on the lookout and be prepared in advance.
  4. Don't forget to tweak Google Analytics so it correctly gathers data on your website again (switch to HTTPS as the default domain).
  5. Add your HTTPS website to Google Search Console again and submit a new sitemap.

Wrapping things up

As you can see, there's a lot involved when people talk about SSL and HTTPS. The goal of this guide is to give you the tools and information to understand the importance of moving your website or eCommerce store towards a more secure future. It has never been acceptable to leave user data unprotected, and it certainly isn't today, with such an abundant list of options to choose from.

Encrypted data, secure communications, and trust: these are non-negotiable pillars any great online business should be built on, and thanks to SSL and HTTPS, you'll be running one of those great businesses.

The post The Quick And Dirty Business Guide To SSL Certificates For WordPress Website Owners appeared first on Codeable.
