WordPress Advanced Security
And Performance
(WASAP)
prevent phishing, hacking and malware
See the screenshot below?
A search for the keywords "site hacked" on Google, brings up a WordPress.org page as the #1 result.
And WordPress sites are amongst the most hacked in the world.
And that is not because of some issue with WordPress. It is mainly a combination of a few different things:
- WordPress is so popular that roughly 1 out of every 5 web sites online runs on it, which makes it the most rewarding target for anyone writing automated attack tools.
- Most WordPress sites run on cheap shared hosting.
- Even if you had a dedicated server, your web host is not going to spend the time of their top techies securing your WordPress installation.
- WordPress has tons of third-party plugin and theme developers writing code for it, and much of that code is so poorly written that simply using some of these plugins is like using a megaphone in a shady neighborhood in the middle of the night, announcing that you're alone and unarmed, that you have tens of thousands of dollars in cash, and that you're just waiting to get mugged, beaten up and robbed.
Based on our experience managing and monitoring tens of thousands of WordPress installations, we have found some common issues with WordPress installations, and here are the solutions that need to be proactively implemented in order for your web site to remain secure:
Login security
- You need to be able to throttle automated login attempts against your WordPress admin page and stop brute-force password guessing
- You need to be able to lock out login attempts and blacklist IPs based on the number of failed logins, attempts to log in with user names that do not exist, and too many password reminder requests
- Hide the user name in WordPress login errors (by default WordPress tells the attacker whether it was the user name or the password that was wrong, which lets them confirm which accounts exist)
- Prevent users from registering with the "admin" user name
- Whitelist the IPs of yourself and your staff so that your own team never gets locked out
- Hide the WordPress version
- Block the IPs of visitors who generate too many "404" (page not found) errors, because a burst of 404s means a scanner is probing your site for vulnerable plugin and theme paths
- Blacklist repeat offenders
- Notify you when there are lockouts
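The lockout rules in the list above, worked through as an added example (this is not DAP's code and not any plugin's code; the thresholds, the user list, the staff IP range, the TEST-NET addresses and the login events are all constructed). Failures per source IP are counted inside a sliding window, the fifth failure locks the IP out, an IP that earns three lockouts is blacklisted for good, whitelisted staff addresses see the error but are never locked out, and every lockout produces a notification:

```python
"""Login lockout policy: sliding-window failure counting per IP, timed lockouts,
repeat-offender blacklist, staff whitelist and admin notifications.
Added example, not DAP's or any plugin's code; every constant and event below is assumed."""
from collections import defaultdict, deque
import ipaddress

MAX_FAILURES = 5          # failures inside WINDOW that trigger a lockout (assumed)
WINDOW = 5 * 60           # sliding window, seconds
LOCKOUT = 15 * 60         # how long an IP stays locked out, seconds
BAN_AFTER = 3             # lockouts before an IP is blacklisted for good
VALID_USERS = {"editor", "jsmith"}                    # constructed user list, no "admin"
WHITELIST = [ipaddress.ip_network("203.0.113.0/24")]  # constructed staff range (TEST-NET-3)


class LoginGuard:
    """Tracks failed logins per source IP and decides when to lock out or ban."""

    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time its current lockout expires
        self.lockouts = defaultdict(int)     # ip -> lockouts so far (repeat offenders)
        self.blacklist = set()
        self.notifications = []              # messages the admin would be sent

    def whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in WHITELIST)

    def attempt(self, now, ip, username, password_ok):
        """Process one login attempt; returns "ok", "fail", "locked" or "banned"."""
        staff = self.whitelisted(ip)
        if not staff:
            if ip in self.blacklist:
                return "banned"
            if self.locked_until.get(ip, 0) > now:
                return "locked"
        # A user name that does not exist ("admin" included) is a failure even
        # when the password happens to be right for some other account.
        if password_ok and username in VALID_USERS:
            self.failures[ip].clear()
            return "ok"
        if staff:
            return "fail"        # staff see the error but are never locked out
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > WINDOW:
            window.popleft()
        if len(window) < MAX_FAILURES:
            return "fail"
        window.clear()
        self.lockouts[ip] += 1
        self.locked_until[ip] = now + LOCKOUT
        self.notifications.append(
            f"{ip} locked out (lockout #{self.lockouts[ip]}), last user name tried: {username!r}")
        if self.lockouts[ip] >= BAN_AFTER:
            self.blacklist.add(ip)
            self.notifications.append(f"{ip} blacklisted as a repeat offender")
            return "banned"
        return "locked"


ATTACKER = "198.51.100.7"   # constructed addresses from the TEST-NET ranges
STAFF = "203.0.113.10"


def burst(start, ip, username):
    """Five wrong-password attempts ten seconds apart (constructed traffic)."""
    return [(start + 10 * i, ip, username, False) for i in range(5)]


EVENTS = (
    burst(0, ATTACKER, "admin")               # 5th failure at t=40 -> first lockout
    + [(50, ATTACKER, "editor", True),        # right password, but still locked out
       (60, STAFF, "jsmith", False),          # staff typo: whitelisted, never locked
       (70, STAFF, "jsmith", True)]
    + burst(1000, ATTACKER, "editor")         # lockout expired at t=940; second lockout
    + burst(2000, ATTACKER, "jsmith")         # third lockout -> blacklisted
    + [(2050, ATTACKER, "jsmith", True)]      # even the right password is refused now
)


def run(events):
    """Replay a list of (seconds, ip, username, password_ok) events."""
    guard = LoginGuard()
    return [guard.attempt(*event) for event in events], guard


if __name__ == "__main__":
    decisions, guard = run(EVENTS)
    for event, decision in zip(EVENTS, decisions):
        print(f"t={event[0]:5d} {event[1]:15s} {event[2]:7s} -> {decision}")
    print("\n".join(guard.notifications))
```

The whitelist is checked before the blacklist and lockout table on purpose: a staff member who mistypes a password ten times still gets in on the eleventh try, while the attacker's correct guess at t=50 is refused because the lockout is enforced before the password is even looked at.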
File Vulnerabilities & Hack Attempts
- You need to be able to continuously scan for hacked files
- Compare your plugin files against the copies in the WordPress.org plugin repository, so that any file someone has quietly modified or injected with malware shows up as a difference
- Scan for known malicious file signatures
- Scan for attacks from known malicious IPs
- Scan comments for known dangerous URLs and suspicious content
- Scan for out of date plugins, themes and WordPress versions
- Scan theme files against repository versions for changes
- Scan for unauthorized DNS changes
- Scan files outside your WordPress installation
- Ability to whitelist certain files from being scanned in order to increase performance
- Prevent Directory browsing
- Filter out attempts to abuse WordPress's built-in pingback/trackback features, with the option to disable them completely (pingbacks are served by xmlrpc.php, which is also abused for brute-force and amplification attacks)
- Filter suspicious query strings in the URL: these are very often signs of someone trying to gain access to your site, but be aware that some legitimate plugins and themes use query strings that match these filters and will be blocked too, so test the site after enabling them
- Remove write permission from critical files such as wp-config.php so that hackers cannot modify them or insert malware and phishing code into your core WordPress files
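The file checks in the list above (comparison against a known-good copy, malicious signatures, a whitelist of files to skip, and write permission on wp-config.php), as an added example that is neither DAP's code nor any plugin's. The baseline manifest would normally be computed from the pristine plugin zip downloaded from WordPress.org; here a small WordPress tree, its baseline, the signature list and the tampering are all constructed in a temporary directory so the script runs offline:

```python
"""Integrity, signature and permission audit of a WordPress tree.
Added example, not DAP's or any plugin's code; the tree, the baseline and the
signature list are constructed for illustration."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Strings that practically never occur in legitimate plugin or theme code
# (illustrative signature list; real scanners carry thousands of entries).
SIGNATURES = [b"eval(base64_decode(", b"eval(gzuncompress(", b"eval(gzinflate("]
# Files that must never be writable by the web server's group or by everyone.
LOCKED_FILES = {"wp-config.php", ".htaccess"}
# A whitelisted path that changes constantly and is skipped (assumed).
SKIP = ("wp-content/uploads/2019/cache.log",)


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root, skip=()):
    """Map each file under root (relative POSIX path) to its SHA-256, minus skip."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.relative_to(root).as_posix() not in skip}


def audit(root, baseline, skip=()):
    """Compare the tree with the baseline, then check signatures and permissions.
    Returns (kind, relative_path) tuples; kinds are missing, unexpected,
    modified, writable and signature."""
    root = Path(root)
    current = manifest(root, skip)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append(("missing", rel))
        elif rel not in baseline:
            findings.append(("unexpected", rel))
        elif baseline[rel] != current[rel]:
            findings.append(("modified", rel))
    for rel in sorted(current):
        path = root / rel
        mode = stat.S_IMODE(path.stat().st_mode)
        if path.name in LOCKED_FILES and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("writable", rel))
        if any(sig in path.read_bytes() for sig in SIGNATURES):
            findings.append(("signature", rel))
    return findings


def build_demo():
    """Build a constructed WordPress tree, snapshot it, then tamper with it.
    Returns (root, baseline) so audit() can be run against the tampered tree."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'wp'); // constructed\n",
        "wp-content/plugins/hello/hello.php": "<?php // constructed stand-in for a plugin\n",
        "wp-content/plugins/hello/readme.txt": "=== Hello ===\n",
        "wp-content/uploads/2019/cache.log": "noise that changes on every request\n",
    }
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    os.chmod(root / "wp-config.php", 0o640)
    baseline = manifest(root, SKIP)            # what the repository copy would give
    # Tamper: inject into a plugin, drop a backdoor, delete a file, loosen wp-config.
    plugin = root / "wp-content/plugins/hello/hello.php"
    plugin.write_text(plugin.read_text() + "eval(base64_decode('aGk='));\n")
    (root / "wp-content/plugins/hello/wp-cache.php").write_text(
        "<?php eval(gzuncompress(base64_decode($_POST['x'])));\n")
    (root / "wp-content/plugins/hello/readme.txt").unlink()
    os.chmod(root / "wp-config.php", 0o666)
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_demo()
    for kind, rel in audit(root, baseline, SKIP):
        print(f"{kind:10s} {rel}")
```

Two points worth noticing when you run it: the hash comparison is what catches the injected line in hello.php and the dropped wp-cache.php, and it only works if the baseline comes from somewhere the attacker could not touch (the repository zip, not a snapshot taken after the break-in); the signature and permission checks are independent of the baseline, so they still fire even if you re-baseline a tree that is already compromised.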
Administration Security
- If you're not going to be publishing content 24 hours a day, you can set an "Away Mode" so that the WordPress dashboard and login are unavailable most of the time. That alone removes the window for password guessing during those hours (it does nothing against attacks that never touch the login page)
- Automatically back up your entire database every day so that you can restore an earlier copy if the site is compromised
- Detect file changes on your site and notify you
- Lock down the WordPress admin login area by changing the default login URL to something custom that only you know, so that going to the usual http://YourSite.com/wp-admin/ results in a "404 Page Not Found" error. This is obscurity rather than a real control, but it does cut the bulk of the automated brute-force traffic that hammers the default URL; combine it with the lockout rules above, and remember that logging in through xmlrpc.php is unaffected unless XML-RPC is disabled as well
WordPress Tweaks
- Remove WordPress Generator Meta Tag
- Remove the RSD (Really Simple Discovery) link, which advertises your XML-RPC endpoint to publishing clients and is not needed by most sites
- Display a random version: show a random WordPress version and remove the real one, so that hackers can't match your site against the list of known vulnerabilities for the version you run. Note that the real version can still be inferred from other places (the readme.html in the site root and the ?ver= parameter WordPress appends to its own scripts and styles), so treat this as noise reduction rather than a guarantee
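To see what these tweaks do and do not remove, here is an added example (not DAP's code and not part of any plugin) that scans a page head for the three disclosures named above: the generator meta tag, the RSD link and the ?ver= parameter on enqueued scripts and styles. The two page heads are constructed; the second is the first with only the generator tag and RSD link removed, which is what the tweaks above achieve on their own:

```python
"""Find where a WordPress page announces its version and its XML-RPC endpoint.
Added example, not DAP's or any plugin's code; the sample page heads are constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class WPFingerprint(HTMLParser):
    """Collects the places where a WordPress page tells a visitor what it runs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("generator", a.get("content", "")))
        elif tag == "link" and (a.get("rel", "").lower() == "edituri"
                                or a.get("type", "") == "application/rsd+xml"):
            self.findings.append(("rsd", a.get("href", "")))
        url = a.get("src") or a.get("href")
        if tag in ("script", "link") and url:
            parts = urlparse(url)
            ver = parse_qs(parts.query).get("ver")
            if ver:
                self.findings.append(("asset-version", parts.path, ver[0]))


def fingerprint(html):
    """Return every disclosure found in the given HTML."""
    parser = WPFingerprint()
    parser.feed(html)
    return parser.findings


def version_hints(findings):
    """Version strings an attacker can read off the page: the generator tag and
    the ?ver= on assets under /wp-includes/. Core scripts enqueued without an
    explicit version carry the WordPress version itself; bundled libraries carry
    their own version, which still narrows down the release."""
    hints = set()
    for f in findings:
        if f[0] == "generator" and f[1].startswith("WordPress "):
            hints.add(f[1].split(" ", 1)[1])
        elif f[0] == "asset-version" and f[1].startswith("/wp-includes/"):
            hints.add(f[2])
    return sorted(hints)


# Constructed page head of a stock install (example.com is a placeholder host).
STOCK_HEAD = """<head>
<meta name="generator" content="WordPress 5.2.1" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.com/xmlrpc.php?rsd" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/twentynineteen/style.css?ver=1.4" />
<script src="https://example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="https://example.com/wp-includes/js/wp-embed.min.js?ver=5.2.1"></script>
</head>"""

# The same head after removing only the generator tag and the RSD link.
TWEAKED_HEAD = "\n".join(line for line in STOCK_HEAD.splitlines()
                         if "generator" not in line and "EditURI" not in line)


if __name__ == "__main__":
    for label, html in (("stock", STOCK_HEAD), ("tweaked", TWEAKED_HEAD)):
        findings = fingerprint(html)
        print(label, findings)
        print("  version hints:", version_hints(findings))
```

Run it and the tweaked head no longer reports a generator tag or an RSD link, yet version_hints() returns exactly the same list as for the stock head, because the wp-embed script still carries ?ver=5.2.1. Hiding the version therefore has to cover the ver parameter on core assets (and readme.html) too, which is what the "hide the WordPress version" item in the login security list means in practice.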
If you think you will patch all of the security risks above with a pile of separate WordPress plugins, you are leaving yourself exposed in a different way: you may end up with 50 different plugins, every one of them more third-party code that must itself be kept patched, and that many plugins cannot be good for your site's performance either.
Enter: The WordPress Experts From DAP
With the help of a couple of custom configured WordPress security plugins, we are able to highly customize and fine tune more than 900 different configuration options to make sure 95% of all commonly known vulnerabilities, risks and security holes are completely patched and locked down.
You will not be able to do this on your own unless you are a hard-core WordPress geek and techie like we are at DigitalAccessPass.com.
And if you try to hire a security expert or a security company to come in and do this for you, they will easily charge you a couple of thousand dollars for their time and expertise.
WordPress Advanced Security And
Performance (WASAP)
If You Have A Clean Site (Prevention)
Get WASAP For Only $299
If Your Site Has Already Been Hacked (rescue)
Get WASAP For Only $499
Disclaimer: Remember that in a day and age when even the web sites of multinationals and Fortune 100 companies are getting their servers hacked and secure data stolen, your $5-to-$50-a-month cheap hosting company stands no chance against a professional cyber criminal determined to hack into your site. So our service does NOT guarantee that you will never get hacked. But what it does do is this: once we plug the loopholes, security holes and back-door entries into your web site, and harden and strengthen WordPress itself, the chances of you getting hacked become very slim. And that's really the best you can do to protect yourself short of getting rid of WordPress and all WordPress plugins, or hiring a dedicated security team costing you tens of thousands of dollars a month in salaries. DAP itself is very secure, and does not store any kind of sensitive customer billing information on your site. So the WASAP service more than sufficiently locks down your web site against casual hackers and script kiddies who are just out to do some mischief.