5 Ways to Improve Your WordPress Security

According to their own statistics, WordPress is used as the backbone for 30% of all websites today. It’s no surprise that so many people choose WordPress when building a website. The software offers functionality and customization at an affordable price with options for all different types of users.

However, the size of the WordPress community makes the software a prime target for hackers online. Plus, the increasing number of themes and plugins available could introduce various new vulnerabilities for people to exploit.

This is not meant to be a scare piece. In fact, quite the opposite. WordPress is an amazing tool that can take your blog or business to the next level. Following some simple recommendations to improve your WordPress security can help you enjoy the power of WordPress without opening yourself up to online threats.

Ready to ensure your WordPress security is up to the test? Here are some solutions you can start putting into place today.

1. Choose a Secure Username and Password

This may seem obvious, but it is often overlooked. One major example is using “Admin” as a username. If you use a default-style username, hackers already know half of the information needed to gain access to your WordPress website.

Try creating unique usernames and avoid using names for authors or contributors that may appear on your site. This simple username practice can save you a lot of grief down the road.

In addition, making a secure password can thwart a lot of attempts to breach your WordPress security. There are a number of methods to ensure you have a secure password. Most importantly, don’t reuse passwords on multiple sites, don’t use common phrases, and make passwords as long as possible.
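The two username and password points above can be enforced in code rather than left to each user. The following mu-plugin is an added example, not code from the article: it uses two hooks WordPress provides, `illegal_user_logins` (refuses default-style usernames when an account is created) and the profile-update and password-reset validation hooks (rejects short passwords). The username list and the 12-character minimum are assumptions you should adjust.

```php
<?php
/**
 * Example mu-plugin (added illustration; not code from the article).
 * Place it in wp-content/mu-plugins/ to enforce two of the points above:
 *  - refuse default-style usernames such as "admin" when accounts are created
 *  - require a minimum password length whenever a password is set or changed
 * The username list and the 12-character minimum are assumptions; adjust them.
 */

// Usernames that must never be created. WordPress applies this filter inside
// wp_insert_user(), so it covers the admin screen, registration and WP-CLI.
// It does NOT rename accounts that already exist; audit those separately.
add_filter( 'illegal_user_logins', function ( array $illegal ) {
    $defaults = array( 'admin', 'administrator', 'root', 'test', 'user', 'wordpress' );
    return array_merge( $illegal, $defaults );
} );

// Minimum password length (assumed value). Length is the property the article
// asks for; a longer minimum is better.
const EXAMPLE_MIN_PASSWORD_LENGTH = 12;

/**
 * Returns true when $password meets the policy. Kept as a plain function so
 * both hooks below share one rule.
 */
function example_password_is_acceptable( $password ) {
    return is_string( $password ) && strlen( $password ) >= EXAMPLE_MIN_PASSWORD_LENGTH;
}

function example_password_error_message() {
    return sprintf(
        '<strong>Error</strong>: passwords must be at least %d characters long.',
        EXAMPLE_MIN_PASSWORD_LENGTH
    );
}

// Profile edit / new user screen: $user->user_pass is only populated when a
// new password was submitted, so an unchanged password is not re-checked here.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) && ! example_password_is_acceptable( $user->user_pass ) ) {
        $errors->add( 'pass', example_password_error_message() );
    }
}, 10, 3 );

// Password reset form (wp-login.php): the new password arrives in $_POST['pass1'].
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && ! example_password_is_acceptable( wp_unslash( $_POST['pass1'] ) ) ) {
        $errors->add( 'pass', example_password_error_message() );
    }
}, 10, 2 );
```

Because the rule lives in an mu-plugin it cannot be deactivated from the dashboard, which is what you want for a policy. Existing accounts named “admin” are not touched by the filter; rename those by hand.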

2. Only Use Trusted Plugins and Follow Updates

One of the biggest threats to WordPress security is third-party plugins or themes that are not offered by WordPress. There are tens of thousands of plugins available from WordPress and even more are available from third-party sources like GitHub and Code Canyon.

It would be alarmist to say that people should avoid third-party plugins. Even plugins available from the WordPress repository could pose a threat. You should always read reviews and ratings for a plugin before choosing to install it on your website.

In addition, you need to ensure that the plugins you use are being updated. Automatic updates can protect you from old vulnerabilities that have been patched. If plugins are no longer offering updates, then you may want to consider looking for a similar plugin with better support to help with WordPress security.
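Automatic plugin updates can be switched on per plugin from code. The snippet below is an added example, not from the article: it uses the `auto_update_plugin` filter that WordPress evaluates for every plugin with a pending update, and opts in only the plugins on an allowlist so you decide which updates install unattended. The slugs in the list are placeholders.

```php
<?php
/**
 * Example mu-plugin (added illustration; not code from the article): opt
 * chosen plugins into WordPress's background updater. WordPress runs the
 * auto_update_plugin filter for each plugin that has an update available;
 * returning true lets the update install without a manual step.
 * The slugs below are placeholders; use the directory names of your plugins.
 */
function example_auto_update_allowlist() {
    return array( 'example-plugin-one', 'example-plugin-two' );
}

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // $item->slug is the plugin's directory name as reported by the update API.
    if ( isset( $item->slug ) && in_array( $item->slug, example_auto_update_allowlist(), true ) ) {
        return true;
    }
    // Every other plugin keeps WordPress's default decision.
    return $update;
}, 10, 2 );
```

Returning `$update` rather than `false` for everything else preserves whatever the site owner or other code has already decided, so the allowlist only ever adds plugins to the automatic set.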

3. Enable Two-Factor Authentication for Login

A strong username and password are great, but they still can’t protect against some forms of data theft. Even if a hacker is able to get your login and password, two-factor authentication can stop them in their tracks and alert you to attempts to circumvent your WordPress security.

There are a number of plugins available from the WordPress repository that enable two-factor authentication using the most popular methods available, including Google Authenticator, SMS, and email.

Of course, two-factor authentication is only as secure as the second method used to verify your login. You should also enable two-factor authentication on other services that allow it including your email account.

4. Remove Unused Themes and Plugins

If you have been using WordPress for some time, then you may have installed themes or plugins that are no longer in use because you have found other services that you prefer.

Just like updating existing plugins in a timely manner is important, so is removing unused themes. Best practice for protecting your WordPress security is to remove any themes and plugins that you are not using as soon as you stop using them.

This helps remove the clutter of unused plugins that can build up over time and eliminates additional areas where hackers could find vulnerabilities. Only keep the plugins you are actually using. If it’s not in use, then you should uninstall it immediately.
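Finding what is installed but not in use is the first step. The script below is an added example, not code from the article: run inside a WordPress install with WP-CLI (`wp eval-file audit-unused.php`), it lists plugins that are installed but inactive and themes that are neither the active theme nor its parent, so they can be reviewed and uninstalled. It only reports; the removal itself stays a deliberate step.

```php
<?php
/**
 * Example audit script (added illustration; not code from the article).
 * Run it inside a WordPress install with WP-CLI:
 *     wp eval-file audit-unused.php
 * On a multisite network run it per site, because a plugin that is inactive
 * here may be active on another site of the network.
 */

// get_plugins() and is_plugin_active() live in an admin include that is not
// loaded on the front end or under WP-CLI by default.
require_once ABSPATH . 'wp-admin/includes/plugin.php';

/**
 * Returns plugin files (e.g. "hello-dolly/hello.php") that are installed but
 * not active. is_plugin_active() covers both site and network activation.
 */
function example_inactive_plugins() {
    $inactive = array();
    foreach ( array_keys( get_plugins() ) as $plugin_file ) {
        if ( ! is_plugin_active( $plugin_file ) ) {
            $inactive[] = $plugin_file;
        }
    }
    return $inactive;
}

/**
 * Returns theme directory names that are installed but not in use. A child
 * theme needs its parent, so the active theme's parent is kept as well.
 */
function example_unused_themes() {
    $active = wp_get_theme();
    $keep   = array( $active->get_stylesheet() );
    if ( $active->parent() ) {
        $keep[] = $active->parent()->get_stylesheet();
    }
    $unused = array();
    foreach ( wp_get_themes() as $stylesheet => $theme ) {
        if ( ! in_array( $stylesheet, $keep, true ) ) {
            $unused[] = $stylesheet;
        }
    }
    return $unused;
}

foreach ( example_inactive_plugins() as $plugin_file ) {
    WP_CLI::log( "inactive plugin: {$plugin_file}" );
}
foreach ( example_unused_themes() as $stylesheet ) {
    WP_CLI::log( "unused theme: {$stylesheet}" );
}
```

An inactive plugin's files are still on disk and still reachable by URL, which is why the article says to uninstall rather than merely deactivate; the list this script prints is exactly the set that deactivation alone leaves behind.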

5. Backup Your WordPress Site Regularly

When all else fails, you can count on a recent backup to save the day. This is as true for your WordPress site as it is for your personal computer or smartphone. Sometimes, despite your best efforts, there may be a security breach, or a loss of data unrelated to any security issue.

The easiest way to get back up and running is to reinstall your WordPress site from a backup. There are a number of services and plugins that help you back up your WordPress site. Research the options and find the one right for you.

Always Stay Vigilant to Ensure WordPress Security

Keeping your site safe and secure is an ongoing job. Use these best practices to help protect your WordPress security and always stay on top of the latest news and updates.

The more effort you put into WordPress security, the fewer opportunities hackers have to destroy your business and your hard work.

WP Updates Updater Code Changes

In case you had not noticed, back when we released our big update we changed the updater code and the way you download the wp-updates-plugin.php and wp-updates-theme.php files for themes and plugins. This had no effect on plugins and themes using the old code, but improved the code going forward.

The wp-updates-plugin.php and wp-updates-theme.php files are now generated specifically for your theme or plugin and downloaded from the plugin or theme screen. That means the call to WPUpdatesPluginUpdater or WPUpdatesThemeUpdater now carries your plugin or theme ID as a suffix, e.g. WPUpdatesThemeUpdater_101, so the plugin or theme ID is no longer required as a parameter:

require_once('wp-updates-plugin.php');
// The _x suffix is your WP Updates plugin ID (e.g. WPUpdatesPluginUpdater_101),
// so the ID is no longer passed as a constructor parameter.
new WPUpdatesPluginUpdater_x( 'http://wp-updates.com/api/2/plugin', plugin_basename(__FILE__) );

We have just released an update to the wp-updates-plugin.php file for plugins. This fixes an issue we have recently encountered if there is a free plugin hosted on the WordPress.org repository with very similar name to a premium plugin on WP Updates. If the free version has a higher version number than the premium plugin, WordPress shows an update available for the premium plugin but will actually serve the update of the free version.

To apply this fix to your premium plugin, log in to your dashboard and select the plugin you want to update. Download the new version of the wp-updates-plugin.php file and, if you haven’t done so already, update the code in your plugin to call the ID-suffixed WPUpdatesPluginUpdater class described above.

Sellwire License Integration

If you use Sellwire to sell your themes and plugins you can now benefit from the new licensing we have just released. This means that you can now limit updates to plugins and themes with valid licenses from Sellwire, just as we introduced not long ago for Envato marketplaces. You will now see a new integration option for Sellwire on the settings page. Once you have added it, you can enter and save your Sellwire API key.

The next step is to edit the theme or plugin (this example is for a plugin) and set ‘Verify Updates With’ to Sellwire. You will need to set the version of your plugin from which all subsequent versions will be verified against Sellwire. Then enter the Sellwire File ID (found in Sellwire when you edit the file, under Licensing).

You will need to make some changes to your plugin. There is a new version of the plugin updater class that is now accessible when you are managing the versions of your plugin. Download the wp-updates-plugin.php file and replace the old file in your plugin. You will notice the code to instantiate the updater class now has a third parameter, the license key.

require_once('wp-updates-plugin.php');
// $license_key is the customer's Sellwire license key, stored by your plugin
// (e.g. read back with get_option()) and passed as the new third parameter.
new WPUpdatesPluginUpdater( 'http://wp-updates.com/api/2/plugin', plugin_basename(__FILE__), $license_key );

Once you have made the changes and released the new version of your plugin, all future updates will only be delivered if the user has entered a valid purchase code for your plugin.

That’s it – updates for your themes and plugins sold with Sellwire are now verified.

Big Update

We have been working hard recently making WP Updates better than ever, and today we have pushed a large update live!

Envato Integration

Many of our users are Envato authors selling their themes on ThemeForest and plugins on CodeCanyon and an often requested feature is verification of purchases before updates are delivered. We have listened and we have delivered.

There are a number of steps to set up the Envato verification. First, if you visit the Settings page in WP Updates you will now see a section at the bottom for Integrations. You can select ‘Envato Marketplaces’ from the drop down and click ‘Add’ to enable the integration. Then you can fill out your Envato API key and your author username.

The next step is to edit the theme or plugin (this example is for a plugin) and set ‘Verify Updates With’ to Envato Marketplaces. Then enter the ThemeForest or CodeCanyon item id.

You will need to make some changes to your plugin. There is a new version of the plugin updater class that is now accessible when you are managing the versions of your plugin. Download the wp-updates-plugin.php file and replace the old file in your plugin. You will notice the code to instantiate the updater class now has a third parameter, the license key.

require_once('wp-updates-plugin.php');
// $license_key is the customer's purchase code, stored by your plugin
// (e.g. read back with get_option()) and passed as the new third parameter.
new WPUpdatesPluginUpdater( 'http://wp-updates.com/api/2/plugin', plugin_basename(__FILE__), $license_key );

To enable the verification you will need to collect and store the purchase license code from your customers within your plugin and then grab that code (e.g. using get_option()) to pass in as the license key parameter.
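The posts for both the Sellwire and the Envato integration leave the “collect and store the purchase code” part to the plugin author. The following is an added example of that wiring, not the WP Updates project’s own code: a Settings API option with a sanitize callback, a one-field settings page, and the updater instantiated with the stored value as the third parameter. It assumes wp-updates-plugin.php sits beside this file and that WPUpdatesPluginUpdater takes the three parameters shown in the posts; the option name, settings page, and the accepted key pattern are assumptions (adjust the pattern to the license format you sell). The API URL is the one from the posts.

```php
<?php
/**
 * Example license-key wiring (added illustration; not the WP Updates project's
 * own code). Assumes wp-updates-plugin.php is next to this file and that the
 * updater constructor takes (api url, plugin basename, license key).
 */

// Option name under which the customer's purchase code is stored (assumed).
const EXAMPLE_LICENSE_OPTION = 'example_plugin_license_key';

/**
 * Normalises what the customer typed before it is saved: trims whitespace and
 * accepts only characters a purchase code consists of. Returns '' for input
 * that is not a plausible code so arbitrary text is never sent to the API.
 * The pattern is an assumption; match it to your marketplace's code format.
 */
function example_sanitize_license_key( $value ) {
    $value = trim( (string) $value );
    return preg_match( '/^[A-Za-z0-9\-]{8,64}$/', $value ) ? $value : '';
}

/**
 * Reads the stored key. Returns '' when nothing valid has been saved, so the
 * updater is still instantiated and simply receives an empty license, which
 * the service then treats as unverified.
 */
function example_get_license_key() {
    return example_sanitize_license_key( get_option( EXAMPLE_LICENSE_OPTION, '' ) );
}

// Register the option with a sanitize callback so every save path uses it.
add_action( 'admin_init', function () {
    register_setting( 'example_plugin_settings', EXAMPLE_LICENSE_OPTION, array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_license_key',
        'default'           => '',
    ) );
} );

// Minimal settings screen. Posting to options.php means WordPress performs the
// nonce and manage_options capability checks before the option is written.
add_action( 'admin_menu', function () {
    add_options_page(
        'Example Plugin License', 'Example Plugin License', 'manage_options',
        'example-plugin-license',
        function () {
            $field = EXAMPLE_LICENSE_OPTION;
            ?>
            <div class="wrap">
                <h1>Example Plugin License</h1>
                <form method="post" action="options.php">
                    <?php settings_fields( 'example_plugin_settings' ); ?>
                    <label for="<?php echo esc_attr( $field ); ?>">Purchase code</label>
                    <input type="text" class="regular-text"
                           id="<?php echo esc_attr( $field ); ?>"
                           name="<?php echo esc_attr( $field ); ?>"
                           value="<?php echo esc_attr( example_get_license_key() ); ?>" />
                    <?php submit_button(); ?>
                </form>
            </div>
            <?php
        }
    );
} );

// Instantiate the updater with the stored purchase code as the third parameter.
require_once plugin_dir_path( __FILE__ ) . 'wp-updates-plugin.php';
new WPUpdatesPluginUpdater(
    'http://wp-updates.com/api/2/plugin',
    plugin_basename( __FILE__ ),
    example_get_license_key()
);
```

Routing the save through `register_setting` with a sanitize callback means the same validation applies whether the value arrives from this form, from WP-CLI’s `wp option update`, or from another plugin, and `example_get_license_key()` re-applies it on read so a value written by other means is still checked before it reaches the update request.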

Once you have made the changes and released the new version of your plugin, all future updates will only be delivered if the user has entered a valid purchase code for your plugin.

That’s it – updates for your themes and plugins sold on ThemeForest and CodeCanyon are now verified.

Plugin readme.txt

Before this update, whenever you released a new version of a plugin you had to enter the changes that would appear in the ‘Changelog’ section of the plugin popup in the WordPress dashboard. Now, if your plugin zip file contains a valid readme.txt, all the plugin details including Changelog, FAQs and Installation are displayed to the user just as they are for free plugins on the WordPress.org repository.

When you add or edit a plugin you will see a checkbox where you can enable the readme.txt feature.

Sellwire Integration

If you sell your themes and plugins with Sellwire, you previously had to upload new versions of your zip files to Sellwire and then again to WP Updates. Now the two services are integrated: on the Settings page under ‘Other Settings’ you will find your WP Updates API key, which you can enter in Sellwire to connect the services so that new file versions in Sellwire are pushed over to your WP Updates items.

More

For plugins that don’t have a readme.txt, you can now add a Compatible WordPress version (the highest WordPress version the plugin has been tested with) when you add a new version. When the update appears in the WordPress dashboard it will then show whether it is compatible with the install’s version of WordPress, according to you, the author.

You can choose in the settings what will be displayed on the dashboard – both themes and plugins, only themes or only plugins. This is handy for pure plugin or theme authors so the dashboard is simplified.

Discounted Yearly Pricing Options

As part of our commitment to making WP Updates as user friendly as possible we’ve decided to add discounted yearly pricing options. This means that you can pay for WP Updates on a yearly basis (rather than a monthly basis) and get a 10% – 20% discount depending on which package you choose. This is great for long term customers or startups that need to plan a tight budget.

At the time of writing the yearly plans are priced as follows:

  • Solo Package: $99/year (save 10%)
  • Agency Package: $296/year (save 15%)
  • Enterprise Package: $855/year (save 20%)

We hope these new pricing options will help make WP Updates even easier to adopt for all your automatic updating needs.

New Reports Pages

Today we’ve pushed live a nice new addition to our web app. Users that are on paid subscription plans can now see two new reports pages, a Downloads Report and a Site Report.

In the Downloads Report you can see:

  • A graph visualising downloads for your themes/plugins for the last 30 days.
  • A downloads summary table showing your total theme/plugin downloads for the last 30 days, last year and all time.
  • A detailed breakdown of all your themes & plugins and exactly how many downloads each version has received.

In the Sites Report you can see:

  • A list of the last 100 downloads for your themes/plugins showing the URL of the site that downloaded them, which theme/plugin was downloaded, when it was downloaded and what version of WordPress the site was using.
  • A breakdown of what version of WordPress the sites have been using for the last 100 downloads of your themes/plugins.

We hope these reports provide a crucial insight into how your customers are using your automatic updates so you can better serve their needs.