how to secure your wordpress website

Click Here To Get Free Instant Access For 4 Traffic Generation Videos

How To Secure Your WordPress Website

Introduction

Website security is a bit like health insurance – you never really worry about it until you absolutely,

positively need it and it‘s just too darn late to get it. You may think,

―Naw, that‘s never going to happen to ME.‖

Well, better think again!

Every day, hosting servers get fried, hackers break into accounts, websites mysteriously disappear,

and whole businesses are completely lost.

Scared yet?

You should be.

That is, unless you‘ve already got the proper website protection and security in place. If you don‘t,

then this report could make a huge difference to your online future.

There is no time like right now to get your website completely secure and protected from unwanted

attacks, hackers, and other unexpected disasters.

In this article, we‘re going to be specifically talking about websites and blogs set up using the

WordPress platform.

There are a lot of great tools available for WordPress that make it easier than ever to automate your

website backups and protection.

Keep reading for tips on backing up your website, using plugins to protect against spam, scouring

your site files for signs of hacking, and actions to take when your sites ARE hacked.

And don‘t procrastinate!

You opened up this report for a reason and I want to urge you very strongly to not only read it right

now, but to take immediate action and protect your site TODAY.

http://www.slumdogmarketer.com/subscribe


If you don‘t, you may regret it, and probably sooner rather than later.

So let‘s get started!

Why You Must Protect Your WordPress Website

Are you aware that your website is hosted on a computer? Yes, the term ―server‖ is just a fancy term

for a PC sitting in an office building or warehouse somewhere.

Most people don‘t realize that the internet is not quite as ‗virtual‘ as it seems.

It may feel like it‘s out there in cyberspace, but your website is actually a bunch of files on a computer

sitting somewhere in a completely physical building.

You already know that computers can have technical difficulties, as you‘ve probably suffered through

multiple episodes of trouble with your own computer.

And so your hosting server, which is also a computer, can run into trouble too. It can get overloaded

and go bust, or it can get hacked.

Sometimes it blurps and needs to be rebooted. Any of these things can shut it down for a short or

even a long period of time.

Many people assume that it is the responsibility of their hosting company to keep their website safe.

That is just not the case and I‘m sure if you go right now and scour the hosting agreement you

signed, you will see that the responsibility of protecting your website and your business rests entirely

with you.

We are going to get into the how of it very shortly, but let‘s start by talking about the why.

Why should you protect your website against hackers and other unexpected issues?

The obvious answer is that you don‘t want to lose all the hard work you‘ve put into building your

website and your business.

Trust me, this happens for real.

I belong to a mastermind group of very smart women entrepreneurs.



Just recently, I got to witness firsthand how being unprepared for problems and having holes in your

security set-up can have devastating consequences.

Many women in my network lost weeks of work and whole websites when their hosting server

unexpectedly went down for just 24 hours! There were technical problems that the host couldn‘t fix.

At first, some ladies were very angry that their host let this kind of thing happen, but then, they slowly

came to realize that they really should have had their own security measures in place.

Here are just a few of the ways your website can become compromised:

− Website hosting issues

− Hackers add code or take down your site

− Malicious employee or contractor messes with your site

− An upgrade creates errors and takes down your site

− Website mysteriously disappears without reason (True story – this happened to a client of mine!)

I would say any one of those possibilities is a good reason for taking action.

Is WordPress Weak and Vulnerable to Attacks?

Some people argue that WordPress isn‘t the best platform for security because it is open source

(free), which means that hackers can easily access the software to find holes in its security.

I disagree completely with this reasoning.

Yes, WordPress is free and hackers have easy access to it, but who are we kidding?

Hackers love a challenge and they can just as easily download pirated copies of ANY website design

software they want.

The fact that WordPress is a free, open platform makes it actually more secure.

The reason can be summed up by the following quote:

―None of us is as smart as all of us‖ ~ Ken Blanchard

Most website software programs are designed by ONE company with a limited number of employees.

Yes, WordPress has one creator as well, but the community that works on the program to various

degrees is massive.



Thousands of people are involved in doing things like updating the software, creating plugins and

making easy-to-use templates. It‘s a huge community effort.

This means that as soon as there is a problem, someone finds it almost immediately. And when they

do, the creators of WordPress work hard and fast to solve the issue, and each time, they also release

a brand new Security Update.

Just compare that dedication to other companies whose updates are much less frequent, and whose

community is much, much smaller, and you‘ll see the advantage and value of WordPress.

Common Problems That Can Take Down a Website

It‘s time to dig into the gory details of what can happen to your website. Here are the most common

problems that can either take your site down completely or cause problems that you‘d rather avoid.

Problem #1: Hacked Website

Getting your website hacked is definitely the most feared of all potential website issues. You don‘t

want someone inside your site messing around and breaking things.

It‘s a lot like having someone break into your house, take stuff, break stuff or just completely destroy

the place.

A hacker can do any number of things to your website, including the following:

− Add unwanted links that you can‘t see.

− Add unwanted links that you can see.

− Add viruses that attack your visitors‘ computers.

− Delete your site completely (and even replace it with a nice ―You‘ve been hacked by XXX‖ message

complete with a skull and cross bones image).

− Delete website files.

− Take control of your site and lock you out.

Problem #2: Hosting Company Issues

As mentioned before, every website is hosted on a computer. And we all know that a computer, as a

piece of man-made technology, can sometimes go bad.

Please don‘t make the mistake of totally relying on your hosting company to protect your site and

expect that they‘ll never have any technical issues.

The vulnerable part of your hosting company is the server where they host your website. It could

crash, get hacked or even be required to shut down. My hosting company recently had to deal with

the latter.



They were required by the city to shut off their servers for about eight hours. As you can imagine, that

was a huge inconvenience and potential loss of revenue for many website owners.

But at least, the hosting company knew it was coming, and once they were able to turn their servers

back on, things went back to normal.

However, if a company has an unexpected server problem, the damage could get much more

unpredictable — and longer-lasting.

You could end up losing valuable data or even your whole website if you don‘t have a recent backup.

It‘s not uncommon for a server to catch fire, either. This could happen for various reasons, but as far

as you‘re concerned, it‘s once again an unexpected issue that can lead to total disaster if you‘re

unprepared.

If you‘re prepared, however, it may be just an inconvenience. You‘re in charge of which it will be,

starting right now.

Other potential hosting issues include poor customer service. Your needs may outgrow their

capabilities, or they may be not providing the kind of quality you expect.

It‘s a good idea to have your backups ready and handy so that you can make a quick switch of hosts,

should the need arise.

Problem #3: Someone or Something Messes Up Your Website

It could be you, or it could be your webmaster, but it‘s also quite possible that your website could get

inadvertently messed up while you‘re adding a plugin, upgrading a theme, or updating to the latest

version of WordPress.

If you‘re not prepared, you could lose your whole website.

Important Note: You should always back up your site before doing any kind of updates!

Problem #4: A Disgruntled or Clumsy Employee

This may not be an obvious issue, but it can be a real threat.

Whether you work with a virtual assistant, or you have an employee in your office who works on your

website, you hopefully know that it‘s important to limit their capabilities within WordPress to match

their responsibilities (and the level of trust you have in them).



For instance, there is no reason one of your regular contributing authors should have admin rights

and be able to change your site‘s theme or install new plugins.

Top WordPress Security Plugins

A distinct advantage of WordPress is that it has a whole community of very loyal developers who are

creating new plugins (add-ons) all the time.

Even better, WordPress creators, developers, and users are very diligent when it comes to security.

Yes, hackers are fast and smart, but the community as a whole does its very best to stay ahead of

the game.

There are a number of security plugins you can use to stop hackers and other threats to your website.

We don‘t have the space to cover them all, but the ones we‘ve listed will go a long way towards

keeping your website safe — provided you install and use them!

Here are some of the top WordPress Security Plugins:

Plugins for Backups

• WP-DB-Backup – This is a free plugin that will back up your WordPress database. What it will not

do is backup your website‘s files (PDFs, widgets, themes, plugins, or other HTML files), so you will

have to save those separately if you use this plugin.

http://wordpress.org/extend/plugins/wp-db-backup/

• Backup Buddy – This is a premium (which means you have to pay for it) plugin that does a whole

lot more than the free ones. You can schedule whole site backups (that include site files) daily,

weekly, etc.

Click Here To Know More About Backup Buddy

Plugins For Spam

• Akismet – I‘m sure you know that spam is a big problem on blogs. Akismet is the program that

comes already installed with WordPress. All you have to do is activate it. However, you will need to

get an API key to do so, a key you can get from WordPress.org (for free).

Once properly activated, Akismet will filter out your spam comments and send them directly to the

trash. It works very well. Akismet is free for most use (blogs making less than $500/mo are

considered ―personal‖ use), but there‘s a charge for high traffic profitable blogs (―business‖ use).

http://wordpress.org/extend/plugins/akismet/

http://wordpress.org/extend/plugins/wp-db-backup/

http://www.1shoppingcart.com/app/?af=1361450


http://wordpress.org/extend/plugins/akismet/



• Bad Behavior – This is another spam blocking plugin. Unlike Akismet, it is free for everyone. In

addition to the basic spam blocking features, the Bad Behavior plugin also blocks spambots from

even seeing your site, which can also help improve your site‘s load time.

http://wordpress.org/extend/plugins/bad-behavior/

**Important Note** – This plugin will currently expose your WP admin email address to spammers.

While this may be worked around by using a gmail address that you don‘t mind showing to a

spammer, it brings up a bigger issue.

Always review the user comments on the WordPress plugin page prior to installing any plugin! Doing

this can help you avoid some major headaches.

Plugins for Login Protection

Brute force attacks on your site attempt to guess your login information by simply trying to log in over

and over again. This is done by an automated robot, so it can be very persistent.

Of course, your first line of protection is having login information that isn‘t easily guessed (admin not

named ―admin‖ and a strong password).

After that you‘ll want to use one of these plugins to temporarily lock out the pesky robot‘s computer.

• Login Lockdown – http://wordpress.org/extend/plugins/login-lockdown/

• Limit Login Attempts - http://wordpress.org/extend/plugins/limit-login-attempts/

Plugin For Other Security Issues a. Wp Security Scan – This plugin will scan your WordPress

passwords, files, database and others to see if there are any known vulnerabilities in your site. It will

also suggest corrective action to problems found.

http://wordpress.org/extend/plugins/wp-security-scan/

WordPress Plugin Tips

1. Stick With WordPress.org – When searching for and downloading plugins you are safest if you

stick with WordPress.org. If you get plugins from any other sources or websites be sure you are

getting it from a trusted source. Plugins can create vulnerabilities in your WordPress installation and

unknowingly allow problems in.

2. Keep Them Updated – Good plugin creators will keep their plugins up to date. You will get a

notice within your WordPress installation that you need to update your individual plugins. Do this right

away! Protecting your WordPress website is an ongoing process. The worst thing you can do is look

at this list, feel overwhelmed and do nothing. Just pick one thing to get started, get that all set, and

http://wordpress.org/extend/plugins/bad-behavior/

http://wordpress.org/extend/plugins/login-lockdown/

http://wordpress.org/extend/plugins/limit-login-attempts/

http://wordpress.org/extend/plugins/wp-security-scan/



move on to the next. Or if you just don‘t have time to do this yourself, hire a virtual assistant, hand

them this report and ask them to do it for you. WordPress security is important. Hackers or server

crashes won‘t wait until you make time to get this done. Take a bit of time and get yourself set up with

some of these great plugins right away.

How to Back Up Your WordPress Website

Okay! I think I‘ve convinced you that it‘s extremely important to back up your WordPress website,

correct? Not only that, but I also hope I‘ve convinced you that it‘s absolutely, positively non-

negotiable.

Before I show you some methods for backing up your website, I think it‘s important to talk about the

different pieces that make your WordPress website run.

When backing up your website, you need to make sure you get all these pieces in place or you won‘t

have a complete backup.

Your WordPress Website is Made Up Of:

−WordPress Files: Includes your all the PHP and CSS files that make your WordPress installation

work. It also includes anything you‘ve added such as your themes, your plugins, images, and any

other files you may have uploaded.

−Database: A database is where your pages and posts are stored.

−Other Files: If you‘ve uploaded anything outside of WordPress (via ftp, cPanel, Dreamweaver, etc)

then these will be files that are separate from your actual WordPress site.

So let‘s get to the bones of it and talk about exactly how you back up your WordPress website.

Option 1: cPanel Backup

This step requires that you have cPanel in your hosting account. Most people who have WordPress

installed will have used cPanel to do so. cPanel allows for an easy script installation process using

either the Simple Scripts or the Fantastico program.

If you don‘t have cPanel, check with your hosting company to see if they have a manual backup

option you can perform within their system.

To do a cPanel backup, follow these steps:

1. Login to cPanel through your hosting.



2. Scroll to ―Files‖ > ―Backup Wizard.‖

3. Click ―Backup.‖

4. The system will then start a backup of your entire website and all files. This may take some time

depending on how many files you have.

5. cPanel will usually email you when your backup is ready. Then all you need to do is log back in to

your cPanel and download your backup.

6. I recommend you save your three most recent backups.

What if your website is corrupted for a while and your only backup contains those same bad files. It‘s

a smart idea to store your backups on a portable hard drive (so you can easily move it to another PC

or take it with if you when evacuating away from the next hurricane).

One of the problems with doing manual backups is that you‘re likely to forget. So while I absolutely

recommend you do manual backups on whatever schedule you can work out, I would not recommend

relying on it as your only backup method.

Option 2: WordPress Plugin Backup

There are some plugins out there that allow you to back up your entire website. One such plugin is

the Backup Buddy by iThemes.

It is a premium (paid) plugin but well worth the peace of mind you achieve by knowing that your sites

are backed up automatically.

Backup Buddy is unique because it does a full backup of your whole WordPress installation and all

website files.

Here‟s how to do it:

1. Buy, download, and install Backup Buddy

2. Click on ―Backup Buddy‖ in the left side menu.

3. Click on ―Backups‖ from the Backup Buddy dropdown menu.

4. Do a full backup and download it to your computer (for remote storage off your host server).

5. Set up scheduled backups by clicking on ―Scheduling‖ from the Backup Buddy section.






6. Choose where you want to send the backup, and save.

Now you have two easy ways to back up your entire website. I recommend you use both and save at

least your last three backups so you have complete protection.

WordPress Software Security Updates Are Not Negotiable!

Running a WordPress website is not a ―set it and forget it‖ deal. If you want to protect your website

from hackers and other potential problems, you need to make sure you keep up with the software

updates, and that includes security updates.

As mentioned before, WordPress is undergoing constant development. This is a very good thing as

you get the most cutting edge features, functions and security.

But there is also a downside: You must keep up with the updates in order to keep your website or

blog safe.

Fortunately, keeping up with updates is not really that difficult.

When you login to your WordPress dashboard it should be pretty obvious if you need to update either

WordPress or one of the plugins.

In the graphic above, you‘ll see that the number next to the Updates link is the total number of plugin,

theme or WordPress core updates available. And, the yellow bar at the top shows that a new version

of WordPress has been released.

WordPress Updates

If a main WordPress update is available it is shown prominently at the top of the dashboard and pretty

much begs for you to do the update.

While WordPress updates are pretty rock solid with few errors, you should always do a full site

backup using cPanel before you click the ―Please update now‖ link.

In the unlikely (but inevitable) event that something goes wrong, you and your hosting service will be

thanking your lucky stars that you had a full and timely backup available.

After your full site backup is completed (including downloading to your computer), click on either the

―Updates‖ or ―Please update now‖ link.



Unless you have been instructed to do otherwise by your hosting service, use the ―Update

Automatically‖ button to update your site. It is quick, easy and rock solid.

Important note about updating Plugins:

Just like before you install a new plugin, always read about the changes to the plugin prior to

installing the update. Many times there are changes in the plugin‘s behavior that you may not

necessarily want.

Important note about updating Themes:

If you have made **any** changes to your theme (tweaking things in style.css or changes to the

template files), the changes will be overwritten when the theme is updated. Be ready to re-do the

changes after updating.

The only way to avoid this is to create a child theme specifically for your changes, but that is kind of

an advanced subject outside of the scope of this report. (See the WordPress codex for more

information:http://codex.wordpress.org/Child_Themes). Update your site‘s plugins using the built-

in WordPress automatic update capabilities. Unless it is a Premium plugin, there really shouldn‘t be a

reason for you to have to do anything complicated (like download the update then use FTP to get it

on your site). For Premium plugins you will want to always follow their specific instructions.

Additional Security Measures

We‘ve talked about backing up and updating your website in detail. But there are other security

measures you can take to protect your website from problems.

Here are some suggestions:

Always use an admin name other than “admin”. When you initially install WordPress you can

choose the username for the main admin account. Do not use the default ―admin‖; choose something

original instead.

Brute force scripts (hacking scripts) trying to guess your password will assume the username ―admin‖

is in place… Let them make that false assumption and keep them out of your site!

Use a Secure Password: I bet you‘ve heard this one before. You shouldn‘t use the same password

for all your websites and logins. You also shouldn‘t have a simple password like your kid‘s or pet‘s

name.

Make your passwords long, over 8 characters, and use a combination of uppercase, lowercase,

numbers and symbols for best protection.

http://codex.wordpress.org/Child_Themes



Change Admin Passwords Occasionally: Change all admin-level passwords. I say occasionally

because the schedule really depends on your business practices.

For instance, if you outsource your WordPress maintenance or administration to different people all

using your main admin account, you would be wise to change your password more frequently that if

you are the only admin.

Delete Unused Accounts: If you have any user accounts on your WordPress installation that you

are not using anymore, be sure to remove them.

Register Domains Elsewhere: If you need to move your websites because of problems with your

host, you‘ll be glad to have your domain name registered elsewhere.

This will allow you to quickly move domains by simply pointing the nameservers at your domain

registrar to your new hosting service.

Monitoring Your Site Files: Sometimes hackers get into your website, make changes and leave

without making a big fuss. This might go completely unnoticed by you if you‘re not careful!

Periodically check your website‘s files for signs of intrusion to make sure everything is in order. One

easy way is to glance at the file‘s modified date.

Taking extra measures to protect your WordPress installation may take some extra time, but if it saves you from an attack, it will be well worth it.

Of course, there‘s no way to absolutely guarantee that you‘ll never be hacked or have other

problems. However, you‘ll find that the more educated and prepared you are, the less likely it is that

you‘ll have to deal with the fallout later.

Guests & Employees – Keeping It Safe

Many website and blog owners have other people logging into their website. It‘s common to let guest

bloggers or columnists have their own username and password so they can log in and add their own

posts, saving the blog owner time and work.

It‘s also very common to outsource your website or blog updates to a virtual assistant or other

freelancer who will have to be able to log in and publish on your website.

Here are a few rules for keeping your WordPress website safe in these situations:

1. Do NOT give administration access – You should keep your admin access protected always.

The reason is not necessarily that your guests or employees might do anything malicious with the

admin access, although that has been known to happen.



Instead, you are opening up a security risk in that they may have their passwords broken or hacked,

which could allow someone else to get in through their account. The more ways to access your

account are out there, the more likely it is that a hacker could find one.

2. Grant the lowest access level required – Always grant the lowest level of access that someone

needs to complete the job.

3. Change Passwords – When someone leaves the company, make sure you change your

passwords or delete their user account altogether.

Being Prepared When Security Fails

What if your website security fails despite all your best efforts and preparations? The first thing I can

tell you is to be prepared for this eventuality.

Don‘t think that just because you‘ve taken all the proper precautions, you‘re completely protected.

Think of a website attack or major issue as you would think of a house fire. You can take precautions

to prevent a fire in your home, but sometimes you just can‘t prevent it.

So in addition to preventative measures, we also prepare for the worst. We create fire routes, we

have fire extinguishers, we keep fire alarms handy and we have a meeting place for loved ones.

Why not do the same for your website?

Create a plan of what you would do if security were to fail. Here are some ways to be prepared for a

website hack or a security failure:

• Back up, back up, back up! – Yep we‘ve talked about this more than once already, but it‘s worthy

of another reminder. Back up as often as needed. Keep more than one backup copy — and keep

them in separate places.

• Have ALL of your login information – If you hired someone to install or design your website, it‘s

quite possible that there are logins you don‘t even have access to.

My recommendation to you is that you change that right now. At the end of this report you‘ll find some

checklists, including one for critical website information.

Take that list and complete the information, print it and then store it digitally in two places so you have

it ready to go when you need it! This step is very important.

• Call your host – Ask your hosting company what happens if a server crashes or your website gets

hacked. Some people are very surprised to discover that their hosting company provides NO

protection against loss in these cases. Find out now, not later.



• Have a backup host – Not only do you want to back up your files, but you‘ll want to check around

for a backup hosting company that you can quickly move to if need be.

It might be a good idea to already have an account with this second host so you know how they work,

and so you can move quickly if needed. It‘s also a good idea to register your domain name

somewhere other than with your hosting company.

That way, you can access your domain for transfer if the hosting company is unresponsive.

• Hire a „Techie‟ – If all of this is just too much for you and you simply don‘t want to handle it, find

someone who can. Hire someone before you EVER have a problem and build that relationship with

them so that when a problem does occur, they‘re ready and able to help you, fast.

So there you have it. This report contains information that could very well save you thousands upon

thousands of dollars and/or hours.

And that‘s no joke. I hope you‘ll take the advice, do your backups, and secure your websites. That

way, you won‘t discover one morning that you‘ve lost years of work in the blink of an eye.

Printable WordPress Security Checklist

After you‘ve gone through the different sections of this report, you‘ll need to get to work. I have

included three checklists for you. Print these out as a guide to help you get everything done quickly.

WP Security Setup Checklist:

a. Install WP-DB Backup or Backup Buddy

b. Install Akismet or Bad Behavior

c. Install Login Lockdown

d. Limit Login Attempts

e. Install Wp Security Scan

f. Schedule Automated Website Backups

g. Take Inventory of Your Website Files – ALL Files

WP Security Maintenance Checklist:

Schedule these tasks on a regular, appropriate basis.

a. Back Up Manually Using cPanel

b. Check WP Security Scan

c. Manually Check Site Files

d. Change Passwords

e. Update Themes

f. Update WordPress




g. Update Plugins

h. Delete Inactive Users and WordPress Installations

Critical Website Information Checklist:

Have this information handy and also keep it in a safe place!

a. WordPress Logins

b. Domain Registrar Login

c. Hosting Company Login

d. Email Logins & Settings

e. FTP Login Information

f. Google Accounts

Conclusion

I remember when I first heard about backing up my website. To be honest, I found it all too confusing,

too complicated, and too much trouble. So I didn‘t take action and simply hoped for the best.

Meanwhile, I heard people warning me of the risks of not backing up my websites and taking proper

security measures, but I figured I didn‘t have time and nothing bad would ever happen to me anyway.

Then one day after I had grown a significantly sized business and website, I asked myself: ―What if I

lost my entire website, TODAY? How would that feel?‖

The answer was: ―I‘d be devastated‖.

Honestly, I don‘t know what I‘d do if the last few years of hard work just disappeared into thin air. It

would be very hard to recover.

I was lucky, and I know it. I‘ve never had an attack on my site (knock on wood) but I have known

many people close to me that weren‘t so lucky. And trust me, I no longer leave my security to chance.

Please take this report and this warning seriously, and learn how to back up your sites. You will be so

glad you did if you ever have a problem with your website! And even if you don‘t. After all, peace of

mind can be priceless!


how to secure your wordpress website

Documents