{"id":272,"date":"2024-08-09T09:15:48","date_gmt":"2024-08-09T08:15:48","guid":{"rendered":"https:\/\/neoxea.com\/blog\/?p=272"},"modified":"2024-08-10T09:38:26","modified_gmt":"2024-08-10T08:38:26","slug":"wordpress-security-guide","status":"publish","type":"post","link":"https:\/\/neoxea.com\/blog\/wordpress-security-guide\/","title":{"rendered":"WordPress Security Guide 2024"},"content":{"rendered":"\n<p>In this WordPress Security Guide we have put together a huge collection of security measures you can put in place to protect your WordPress site.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_1ca2b1-be, .wp-block-kadence-advancedheading.kt-adv-heading272_1ca2b1-be[data-kb-block=\"kb-adv-heading272_1ca2b1-be\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_1ca2b1-be mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_1ca2b1-be[data-kb-block=\"kb-adv-heading272_1ca2b1-be\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_1ca2b1-be img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_1ca2b1-be[data-kb-block=\"kb-adv-heading272_1ca2b1-be\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h2 class=\"kt-adv-heading272_1ca2b1-be wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_1ca2b1-be\">Is WordPress Secure?<\/h2>\n\n\n\n<p>Short answer: yes. 
But let\u2019s dig into more details as there are things you can do to improve the security of your WordPress installation and prevent attacks and vulnerabilities from affecting your company website, e-commerce shop, or blog.<\/p>\n\n\n\n<p>If you\u2019re a Neoxea customer, many of the steps required to better protect your WordPress are present out of the box with our WordPress Hosting services.<\/p>\n\n\n\n<p>WordPress&nbsp;usually gets a bad reputation for being prone to security vulnerabilities and not being a safe platform to use for a business website. Most of the time this is because users ignore security best practices.<\/p>\n\n\n\n<p>Outdated WordPress core installation, theme, plugins, user\/credentials\/authentication management,&nbsp;poor server administration,&nbsp;and lack of security knowledge open the way to attacks every single day.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>WordPress&nbsp;powers over ~40% of all websites&nbsp;on the internet, and with thousands of themes and plugins available, it\u2019s not surprising that vulnerabilities exist and are constantly being discovered.<\/p>\n<\/blockquote>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_d8e61c-75, .wp-block-kadence-advancedheading.kt-adv-heading272_d8e61c-75[data-kb-block=\"kb-adv-heading272_d8e61c-75\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_d8e61c-75 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_d8e61c-75[data-kb-block=\"kb-adv-heading272_d8e61c-75\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_d8e61c-75 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_d8e61c-75[data-kb-block=\"kb-adv-heading272_d8e61c-75\"] 
img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h2 class=\"kt-adv-heading272_d8e61c-75 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_d8e61c-75\">WordPress Vulnerabilities<\/h2>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_657749-06, .wp-block-kadence-advancedheading.kt-adv-heading272_657749-06[data-kb-block=\"kb-adv-heading272_657749-06\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_657749-06 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_657749-06[data-kb-block=\"kb-adv-heading272_657749-06\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_657749-06 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_657749-06[data-kb-block=\"kb-adv-heading272_657749-06\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_657749-06 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_657749-06\">Backdoors<\/h3>\n\n\n\n<p>The aptly named backdoor vulnerability provides hackers with hidden passages bypassing security encryption to gain access to WordPress websites via abnormal methods \u2013&nbsp;wp-Admin,&nbsp;SFTP, FTP, etc. Once exploited, backdoors enable hackers to wreak havoc on hosting servers with cross-site contamination attacks \u2013 compromising multiple sites hosted on the same server. 
In Q3 2017&nbsp;Sucuri reported&nbsp;that backdoors continue to be one of the many post-hack actions attackers take, with<strong>&nbsp;71%&nbsp;<\/strong>of the infected sites having some form of backdoor injection.<\/p>\n\n\n\n<p>Backdoors are often encrypted to appear like legitimate WordPress system files, and make their way through to&nbsp;WordPress databases&nbsp;by exploiting weaknesses and bugs in outdated versions of the platform. The&nbsp;<a href=\"https:\/\/blog.sucuri.net\/2011\/08\/timthumb-security-vulnerability-list-of-themes-including-it.html\" target=\"_blank\" rel=\"noreferrer noopener\">TimThumb fiasco<\/a>&nbsp;was a prime example of backdoor vulnerability exploiting shady scripts and outdated software compromising millions of websites.<\/p>\n\n\n\n<p>Fortunately, prevention and cure of this vulnerability are fairly simple. You can scan your WordPress site with tools like&nbsp;SiteCheck&nbsp;which can easily detect common backdoors. Two-factor authentication, blocking IPs, restricting admin access, and preventing unauthorized execution of PHP files easily take care of common backdoor threats, which we will go into more below.&nbsp;<a href=\"http:\/\/cantonbecker.com\/work\/musings\/2009\/how-to-search-for-backdoors-in-a-hacked-wordpress-site\/\" target=\"_blank\" rel=\"noreferrer noopener\">Canton Becker<\/a>&nbsp;also has a great post on cleaning up the backdoor mess on your WordPress installations.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_c582ec-ca, .wp-block-kadence-advancedheading.kt-adv-heading272_c582ec-ca[data-kb-block=\"kb-adv-heading272_c582ec-ca\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_c582ec-ca mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_c582ec-ca[data-kb-block=\"kb-adv-heading272_c582ec-ca\"] 
mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_c582ec-ca img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_c582ec-ca[data-kb-block=\"kb-adv-heading272_c582ec-ca\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_c582ec-ca wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_c582ec-ca\">Pharma Hacks<\/h3>\n\n\n\n<p>The Pharma Hack exploit is used to insert rogue code in outdated versions of WordPress websites and plugins, causing search engines to return ads for pharmaceutical products when a compromised website is searched for. The vulnerability is more of a spam menace than traditional malware but gives search engines enough reason to block the site on accusations of distributing spam.<\/p>\n\n\n\n<p>Moving parts of a Pharma Hack include backdoors in plugins and databases, which can be cleaned up following the instructions from&nbsp;<a href=\"http:\/\/blog.sucuri.net\/2010\/07\/understanding-and-cleaning-the-pharma-hack-on-wordpress.html\" target=\"_blank\" rel=\"noreferrer noopener\">this Sucuri blog<\/a>.<\/p>\n\n\n\n<p>However, the exploits are often vicious variants of encrypted malicious injections hidden in databases and require a thorough clean-up process to fix the vulnerability. 
Nevertheless, you can easily prevent Pharma Hacks by using recommended WordPress hosting providers with up-to-date servers and regularly updating your WordPress installations, themes, and plugins.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_51124b-c8, .wp-block-kadence-advancedheading.kt-adv-heading272_51124b-c8[data-kb-block=\"kb-adv-heading272_51124b-c8\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_51124b-c8 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_51124b-c8[data-kb-block=\"kb-adv-heading272_51124b-c8\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_51124b-c8 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_51124b-c8[data-kb-block=\"kb-adv-heading272_51124b-c8\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_51124b-c8 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_51124b-c8\">Brute-force Login Attempts<\/h3>\n\n\n\n<p>Brute-force login attempts&nbsp;use automated scripts to exploit weak passwords and gain access to your site.<\/p>\n\n\n\n<p>Two-step authentication,&nbsp;limiting login attempts,&nbsp;monitoring unauthorized logins, blocking IPs, and using strong passwords are some of the easiest and most effective ways to prevent brute-force attacks. 
But unfortunately, a number of WordPress website owners fail to follow these security practices, and hackers are easily able to compromise as many as&nbsp;<a href=\"http:\/\/www.forbes.com\/sites\/jameslyne\/2013\/09\/06\/30000-web-sites-hacked-a-day-how-do-you-host-yours\/\" target=\"_blank\" rel=\"noreferrer noopener\">30,000&nbsp;websites in a single day<\/a>&nbsp;using brute-force attacks.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_bd9c70-e5, .wp-block-kadence-advancedheading.kt-adv-heading272_bd9c70-e5[data-kb-block=\"kb-adv-heading272_bd9c70-e5\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_bd9c70-e5 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_bd9c70-e5[data-kb-block=\"kb-adv-heading272_bd9c70-e5\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_bd9c70-e5 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_bd9c70-e5[data-kb-block=\"kb-adv-heading272_bd9c70-e5\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_bd9c70-e5 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_bd9c70-e5\">Malicious Redirects<\/h3>\n\n\n\n<p>Malicious redirects&nbsp;create backdoors in WordPress installations using FTP, SFTP, wp-admin, and other protocols and inject redirection codes into the website.<\/p>\n\n\n\n<p>The redirects are often placed&nbsp;in your .htaccess file&nbsp;and other WordPress core files in encoded forms, directing the web traffic to malicious sites. 
We will go through some ways you can prevent these in our WordPress security steps below.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_cbcf3e-1c, .wp-block-kadence-advancedheading.kt-adv-heading272_cbcf3e-1c[data-kb-block=\"kb-adv-heading272_cbcf3e-1c\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_cbcf3e-1c mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_cbcf3e-1c[data-kb-block=\"kb-adv-heading272_cbcf3e-1c\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_cbcf3e-1c img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_cbcf3e-1c[data-kb-block=\"kb-adv-heading272_cbcf3e-1c\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_cbcf3e-1c wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_cbcf3e-1c\">Cross-Site Scripting (XSS)<\/h3>\n\n\n\n<p>Cross-Site Scripting (XSS) is when a malicious script is injected into a trusted website or application. The attacker uses this to send malicious code, typically browser-side scripts, to the end-user without them knowing it. 
The purpose is usually to grab cookie or session data or perhaps even rewrite HTML on a page.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.wordfence.com\/learn\/how-to-prevent-cross-site-scripting-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">According to WordFence<\/a>,&nbsp;Cross-Site Scripting vulnerabilities are the most common vulnerability found in WordPress plugins by a significant margin.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_58bc5b-eb, .wp-block-kadence-advancedheading.kt-adv-heading272_58bc5b-eb[data-kb-block=\"kb-adv-heading272_58bc5b-eb\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_58bc5b-eb mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_58bc5b-eb[data-kb-block=\"kb-adv-heading272_58bc5b-eb\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_58bc5b-eb img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_58bc5b-eb[data-kb-block=\"kb-adv-heading272_58bc5b-eb\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_58bc5b-eb wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_58bc5b-eb\">Denial of Service<\/h3>\n\n\n\n<p>The most dangerous of them all, the Denial of Service (DoS) vulnerability exploits errors and bugs in the code to overwhelm the memory of website operating systems. 
Hackers have compromised&nbsp;<a href=\"http:\/\/www.incapsula.com\/blog\/wordpress-security-alert-pingback-ddos.html\" target=\"_blank\" rel=\"noreferrer noopener\">millions of websites<\/a>&nbsp;and raked in&nbsp;<a href=\"http:\/\/www.voiceofgreyhat.com\/2012\/11\/DDoS-Attack-From-Anonymous-Cost-PayPal-3.5-Million.html\" target=\"_blank\" rel=\"noreferrer noopener\">millions of dollars<\/a>&nbsp;by exploiting outdated and buggy versions of WordPress software with DoS attacks.<\/p>\n\n\n\n<p>Although financially motivated cybercriminals are less likely to target small companies, they tend to compromise outdated vulnerable websites in creating&nbsp;<a href=\"http:\/\/www.informationweek.com\/attacks\/wordpress-site-hacks-continue\/d\/d-id\/1111748\" target=\"_blank\" rel=\"noreferrer noopener\">botnet chains to attack<\/a>&nbsp;large businesses.<\/p>\n\n\n\n<p>Even the&nbsp;latest versions of WordPress&nbsp;software cannot comprehensively&nbsp;defend against high-profile DoS attacks, but will at least help you to avoid getting caught in the crossfire between financial institutions and sophisticated cybercriminals. And don\u2019t forget about October 21st, 2016. This was the day the internet went down due to a DNS DDoS attack. 
Read more about&nbsp;why it is important to use a premium DNS provider&nbsp;to increase your WordPress security.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_b99d02-ed, .wp-block-kadence-advancedheading.kt-adv-heading272_b99d02-ed[data-kb-block=\"kb-adv-heading272_b99d02-ed\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_b99d02-ed mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_b99d02-ed[data-kb-block=\"kb-adv-heading272_b99d02-ed\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_b99d02-ed img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_b99d02-ed[data-kb-block=\"kb-adv-heading272_b99d02-ed\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h2 class=\"kt-adv-heading272_b99d02-ed wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_b99d02-ed\">WordPress Security Guide<\/h2>\n\n\n\n<p>According to&nbsp;<a href=\"http:\/\/www.internetlivestats.com\/watch\/websites-hacked\/\" target=\"_blank\" rel=\"noreferrer noopener\">internet live stats<\/a>&nbsp;over 100,000 websites are hacked every day.<\/p>\n\n\n\n<p>That\u2019s why it\u2019s so important to take some time and go through the following recommendations below on how to better harden your WordPress security.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_5b6362-25, .wp-block-kadence-advancedheading.kt-adv-heading272_5b6362-25[data-kb-block=\"kb-adv-heading272_5b6362-25\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_5b6362-25 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_5b6362-25[data-kb-block=\"kb-adv-heading272_5b6362-25\"] 
mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_5b6362-25 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_5b6362-25[data-kb-block=\"kb-adv-heading272_5b6362-25\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_5b6362-25 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_5b6362-25\">Invest in Secure WordPress Hosting<\/h3>\n\n\n\n<p>When it comes to WordPress security, there is much more than just locking down your site, although we\u2019ll give you the best recommendations on how to do that below. There is also web server-level security for which your WordPress host is responsible. We take <a href=\"https:\/\/neoxea.com\/security\/\" target=\"_blank\" rel=\"noreferrer noopener\">security very seriously here at Neoxea<\/a> and handle a lot of these issues for our clients.<\/p>\n\n\n\n<p>It\u2019s very important that you&nbsp;<strong>choose a host that you can trust with your business<\/strong>. Or if you are hosting WordPress on your own VPS, then you need to have the technical knowledge to do these things yourself. And to be honest,&nbsp;trying to be a sysadmin to save $20\/month&nbsp;is a bad idea.<\/p>\n\n\n\n<p><a href=\"http:\/\/codex.wordpress.org\/Hardening_WordPress\" target=\"_blank\" rel=\"noreferrer noopener\">Server hardening<\/a>&nbsp;is the key to maintaining a thoroughly-secure WordPress environment. 
It takes multiple layers of hardware and software level security measures to ensure the IT infrastructure hosting WordPress sites is capable of defending against sophisticated threats, both physical and virtual.<\/p>\n\n\n\n<p>For this reason, servers hosting WordPress should be updated with the latest operating system and (security) software as well as thoroughly tested and scanned for vulnerabilities and malware.<\/p>\n\n\n\n<p>Server-level firewalls&nbsp;and intrusion detection systems should be in place before installing WordPress on the server to keep it well-protected even during the WordPress installation and website construction phases. However, every software installed on the machine intended to protect WordPress content should be compatible with the latest database management systems to maintain optimal performance. The server should also be configured to use secure networking and file transfer encryption protocols (such as&nbsp;SFTP instead of FTP) to hide away sensitive content from malicious intruders.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_bbf141-f4, .wp-block-kadence-advancedheading.kt-adv-heading272_bbf141-f4[data-kb-block=\"kb-adv-heading272_bbf141-f4\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_bbf141-f4 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_bbf141-f4[data-kb-block=\"kb-adv-heading272_bbf141-f4\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_bbf141-f4 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_bbf141-f4[data-kb-block=\"kb-adv-heading272_bbf141-f4\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_bbf141-f4 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_bbf141-f4\">Use 
Latest PHP Version<\/h3>\n\n\n\n<p>PHP is the backbone of your WordPress site and so using the latest version on your server is very important. Each major release of PHP is typically fully&nbsp;<a href=\"http:\/\/php.net\/supported-versions.php\" target=\"_blank\" rel=\"noreferrer noopener\">supported for two years<\/a>&nbsp;after its release. During that time, bugs and security issues are fixed and patched on a regular basis. As of right now, anyone running PHP 7.1 or below no longer has security support and is exposed to unpatched security vulnerabilities.<\/p>\n\n\n\n<p>And guess what? According to the official&nbsp;<a href=\"https:\/\/wordpress.org\/about\/stats\/\" target=\"_blank\" rel=\"noreferrer noopener\">WordPress Stats<\/a>&nbsp;page, as of writing this, over&nbsp;<strong>57% of WordPress users are<\/strong>&nbsp;<strong>still on&nbsp;PHP 5.6 or lower<\/strong>. If you combine this with PHP 7.0, a whopping 77.5% of users are currently using PHP versions that are no longer supported. That is scary!<\/p>\n\n\n\n<p>Sometimes it does take businesses and developers time to test and ensure compatibility with their code, but they have no excuse to run on something without security support. Not to mention the huge performance impact running on older versions has.<\/p>\n\n\n\n<p>Don\u2019t know which version of PHP you are currently on?&nbsp;Most hosts typically include this in a response header on your site. A quick way to check is to run your site through&nbsp;<a href=\"https:\/\/tools.pingdom.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Pingdom<\/a>. Click into the first request and look for an&nbsp;<code>X-Powered-By<\/code>&nbsp;header. Typically this will show the version of PHP your web server is currently using. However, some hosts will remove this header for security reasons. 
Neoxea removes this header by default to keep your site safe.<\/p>\n\n\n\n<p>Here at Neoxea we only recommend using stable and supported versions of PHP, including 7.2, 7.3, 7.4, and 8.0. PHP 5.6, 7.0, and 7.1 have been phased out. You can even switch between PHP versions with a click of a button from within the cPanel Control Panel, using PHP Select under the software category.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_906073-85, .wp-block-kadence-advancedheading.kt-adv-heading272_906073-85[data-kb-block=\"kb-adv-heading272_906073-85\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_906073-85 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_906073-85[data-kb-block=\"kb-adv-heading272_906073-85\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_906073-85 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_906073-85[data-kb-block=\"kb-adv-heading272_906073-85\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h2 class=\"kt-adv-heading272_906073-85 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_906073-85\">Always Use the Latest Version of WordPress, Plugins, and Themes<\/h2>\n\n\n\n<p>Another very important way to harden your WordPress security is to always keep it up to date. This includes WordPress core, plugins, and themes (both those from the WordPress repository and premium). These are updated for a reason, and the updates often include security enhancements and bug fixes. 
We recommend reading our in-depth guide on how&nbsp;WordPress automatic updates&nbsp;work.<\/p>\n\n\n\n<p>Unfortunately, millions of businesses out there are running outdated versions of WordPress software and plugins, and still believe they\u2019re on the right path to business success. They cite reasons for not updating such as \u201ctheir site will break\u201d or \u201ccore modifications will be gone\u201d or \u201cplugin X won\u2019t work\u201d or \u201cthey just don\u2019t need the new functionality\u201d.<\/p>\n\n\n\n<p>In fact, websites break mostly because of bugs in older WordPress versions. Core modifications are never recommended by the WordPress team and expert developers who understand the risks involved. And WordPress updates mostly include must-have security patches along with the added functionality required to run the latest plugins.<\/p>\n\n\n\n<p>Did you know that it has been reported that&nbsp;<a href=\"https:\/\/www.wordfence.com\/blog\/2016\/03\/attackers-gain-access-wordpress-sites\/\" target=\"_blank\" rel=\"noreferrer noopener\">plugin&nbsp;vulnerabilities represent 55.9%<\/a>&nbsp;of the known entry points for hackers? That is what WordFence found in a study where they&nbsp;interviewed over 1,000 WordPress site owners that had been victims of attacks. By updating your plugins you can better ensure that you aren\u2019t one of these victims.<\/p>\n\n\n\n<p>It is also recommended that you only install&nbsp;trusted plugins. The \u201cfeatured\u201d and \u201cpopular\u201d categories in the WordPress repository can be a good place to start. Or download the plugin directly from the developer\u2019s website. We strongly discourage any use of&nbsp;nulled WordPress plugins and themes.<\/p>\n\n\n\n<p>First off, you never know what the modified code might contain. This can easily end with your site getting hacked. Not paying for premium WordPress plugins also doesn\u2019t help the community grow as a whole. 
We need to support developers.<\/p>\n\n\n\n<p>Here\u2019s how to properly&nbsp;delete a WordPress theme.<\/p>\n\n\n\n<p>You can use an online tool like&nbsp;<a href=\"https:\/\/www.virustotal.com\/#\/home\/upload\" target=\"_blank\" rel=\"noreferrer noopener\">VirusTotal<\/a>&nbsp;to scan a plugin or theme\u2019s files to see if it detects any type of malware.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_260c0d-7d, .wp-block-kadence-advancedheading.kt-adv-heading272_260c0d-7d[data-kb-block=\"kb-adv-heading272_260c0d-7d\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_260c0d-7d mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_260c0d-7d[data-kb-block=\"kb-adv-heading272_260c0d-7d\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_260c0d-7d img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_260c0d-7d[data-kb-block=\"kb-adv-heading272_260c0d-7d\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_260c0d-7d wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_260c0d-7d\">How to Update WordPress Core<\/h3>\n\n\n\n<p>There are a couple of easy ways to update your WordPress installation. If you are a Neoxea customer we provide automatic backups&nbsp;with a one-click restore option. 
This way you can test new versions of WordPress and plugins without having to worry about them breaking anything.&nbsp;Or you could also test first in our&nbsp;staging environment.<\/p>\n\n\n\n<p>To update WordPress core you can click on \u201cUpdates\u201d in your WordPress dashboard and click on the \u201cUpdate Now\u201d button.<\/p>\n\n\n\n<p>You can also update WordPress manually by&nbsp;downloading the latest version&nbsp;and uploading it via SFTP.<\/p>\n\n\n\n<p>Important! Overwriting the wrong folders could break your site if not done correctly. If you are not comfortable doing this, please check with a developer first.<\/p>\n\n\n\n<p>Follow the steps below to&nbsp;<a href=\"https:\/\/codex.wordpress.org\/Updating_WordPress\" target=\"_blank\" rel=\"noreferrer noopener\">update your existing installation:<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Delete the old&nbsp;<code>wp-includes<\/code>&nbsp;and&nbsp;<code>wp-admin<\/code>&nbsp;directories.<\/li>\n\n\n\n<li>Upload the new&nbsp;<code>wp-includes<\/code>&nbsp;and&nbsp;<code>wp-admin<\/code>&nbsp;directories.<\/li>\n\n\n\n<li>Upload the individual files from the new&nbsp;<code>wp-content<\/code>&nbsp;folder to your existing&nbsp;<code>wp-content<\/code>&nbsp;folder, overwriting existing files. Do NOT delete your existing&nbsp;<code>wp-content<\/code>&nbsp;folder. 
Do NOT delete any files or folders in your existing&nbsp;<code>wp-content<\/code>&nbsp;directory (except for the one being overwritten by new files).<\/li>\n\n\n\n<li>Upload all new loose files from the root directory of the new version to your existing WordPress root directory.<\/li>\n<\/ul>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_a81aa9-b5, .wp-block-kadence-advancedheading.kt-adv-heading272_a81aa9-b5[data-kb-block=\"kb-adv-heading272_a81aa9-b5\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_a81aa9-b5 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_a81aa9-b5[data-kb-block=\"kb-adv-heading272_a81aa9-b5\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_a81aa9-b5 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_a81aa9-b5[data-kb-block=\"kb-adv-heading272_a81aa9-b5\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_a81aa9-b5 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_a81aa9-b5\">How to Update WordPress Plugins<\/h3>\n\n\n\n<p>Updating your WordPress plugins is a very similar process to updating WordPress core.&nbsp;Click into \u201cUpdates\u201d in your WordPress dashboard, select the plugins you want to update, and click on \u201cUpdate Plugins.\u201d<\/p>\n\n\n\n<p>Likewise, you can also update a plugin manually. Simply grab the latest version from the plugin developer or WordPress repository and upload it via FTP, overwriting the existing plugin within the&nbsp;<code>\/wp-content\/plugins<\/code>&nbsp;directory.<\/p>\n\n\n\n<p>It\u2019s also important to note that developers don\u2019t always keep their plugins up to date. 
The team over at WP Loop did a great little analysis of just how many WordPress plugins in the repository aren\u2019t up to date with the current WordPress core.&nbsp;<a href=\"https:\/\/wploop.com\/old-outdated-wordpress-plugins\/\" target=\"_blank\" rel=\"noreferrer noopener\">According to their research,<\/a>&nbsp;<strong>nearly 50% of the plugins in the repository have not been updated in over&nbsp;2 years<\/strong>.<\/p>\n\n\n\n<p>This doesn\u2019t mean the plugin won\u2019t work with the current version of WordPress, but it\u2019s recommended that you choose plugins that are actively updated. Out of date plugins are more likely to contain security vulnerabilities.<\/p>\n\n\n\n<p>Use your best judgment when it comes to plugins. Look at the \u201cLast Updated\u201d date and how many ratings a plugin has. As seen in the example below, this one is out of date and has bad reviews so we would most likely recommend staying away from it. WordPress also has a warning at the top of most plugins that haven\u2019t been updated in a while.<\/p>\n\n\n\n<p>There are also a lot of resources out there to help you stay on top of the latest WordPress security updates and vulnerabilities. 
See some of them below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/www.wpsecuritybloggers.com\/blog\" target=\"_blank\" rel=\"noreferrer noopener\">WP Security Bloggers<\/a>: An awesome aggregated resource of 20+ security feeds.<\/li>\n\n\n\n<li><a href=\"https:\/\/wpvulndb.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">WPScan Vulnerability Database<\/a>:&nbsp;Catalogs over 10,000 WordPress Core, Plugin and Theme vulnerabilities.<\/li>\n\n\n\n<li><a href=\"https:\/\/db.threatpress.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">ThreatPress<\/a>:&nbsp;Daily updated database of WordPress plugins, themes, and WordPress core vulnerabilities.<\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/news\/category\/security\/\" target=\"_blank\" rel=\"noreferrer noopener\">Official WordPress Security Archive<\/a><\/li>\n<\/ul>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_f9d221-48, .wp-block-kadence-advancedheading.kt-adv-heading272_f9d221-48[data-kb-block=\"kb-adv-heading272_f9d221-48\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_f9d221-48 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_f9d221-48[data-kb-block=\"kb-adv-heading272_f9d221-48\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_f9d221-48 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_f9d221-48[data-kb-block=\"kb-adv-heading272_f9d221-48\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_f9d221-48 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_f9d221-48\">Lock Down Your WordPress Admin<\/h3>\n\n\n\n<p>Sometimes the popular strategy of&nbsp;<strong>WordPress security by obscurity<\/strong>&nbsp;is appropriately effective for an 
average online business and WordPress site.&nbsp;If you make it harder for hackers to find certain backdoors then you are less likely to be attacked.&nbsp;Locking down your WordPress admin&nbsp;area and login is a good way to beef up your security. Two great ways to do this are changing your default wp-admin login URL and limiting login attempts.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_2e4e78-5b, .wp-block-kadence-advancedheading.kt-adv-heading272_2e4e78-5b[data-kb-block=\"kb-adv-heading272_2e4e78-5b\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_2e4e78-5b mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_2e4e78-5b[data-kb-block=\"kb-adv-heading272_2e4e78-5b\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_2e4e78-5b img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_2e4e78-5b[data-kb-block=\"kb-adv-heading272_2e4e78-5b\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_2e4e78-5b wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_2e4e78-5b\">How to Change Your WordPress Login URL<\/h3>\n\n\n\n<p>By default, your WordPress site\u2019s login URL is domain.com<strong>\/wp-admin<\/strong>. One of the problems with this is that all of the bots, hackers, and scripts out there also know this. By changing the URL you can make yourself less of a target and better protect yourself against brute force attacks. 
This is not a fix-all solution, it is simply one little trick that can definitely help protect you.<\/p>\n\n\n\n<p>To&nbsp;change your WordPress login URL&nbsp;we recommend using the free&nbsp;<a href=\"https:\/\/wordpress.org\/plugins\/wps-hide-login\/\" target=\"_blank\" rel=\"noreferrer noopener\">WPS Hide login<\/a>&nbsp;plugin or the premium&nbsp;<a href=\"https:\/\/perfmatters.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">Perfmatters<\/a>&nbsp;plugin. Both of the plugins have a simple input field. Just remember to pick something unique that won\u2019t already be on a list that a bot or script might attempt to scan.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_94258d-b0, .wp-block-kadence-advancedheading.kt-adv-heading272_94258d-b0[data-kb-block=\"kb-adv-heading272_94258d-b0\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_94258d-b0 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_94258d-b0[data-kb-block=\"kb-adv-heading272_94258d-b0\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_94258d-b0 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_94258d-b0[data-kb-block=\"kb-adv-heading272_94258d-b0\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_94258d-b0 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_94258d-b0\">How to Limit Login Attempts<\/h3>\n\n\n\n<p>While the above solution of changing your admin login URL can help decrease the majority of the bad login attempts, putting a limit in place can also be very effective. 
The free&nbsp;<a href=\"https:\/\/wordpress.org\/plugins\/wp-cerber\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cerber Limit Login Attempts<\/a>&nbsp;plugin is a great way&nbsp;to easily set up lockout durations, login attempts, and IP&nbsp;allowlists and denylists.<\/p>\n\n\n\n<p>If you are looking for a simpler WordPress security solution, another great alternative is the free&nbsp;<a href=\"https:\/\/wordpress.org\/plugins\/login-lockdown\/\" target=\"_blank\" rel=\"noreferrer noopener\">Login Lockdown<\/a>&nbsp;plugin.&nbsp;Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. It is also completely compatible with the WPS Hide login plugin we mentioned above.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_a1409d-25, .wp-block-kadence-advancedheading.kt-adv-heading272_a1409d-25[data-kb-block=\"kb-adv-heading272_a1409d-25\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_a1409d-25 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_a1409d-25[data-kb-block=\"kb-adv-heading272_a1409d-25\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_a1409d-25 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_a1409d-25[data-kb-block=\"kb-adv-heading272_a1409d-25\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_a1409d-25 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_a1409d-25\">How to Add Basic HTTP Authentication (password protection)<\/h3>\n\n\n\n<p>Another way to lock down your admin is to add HTTP authentication. 
This requires a username and password before being able to even access the WordPress login page. Note: This generally shouldn\u2019t be used on eCommerce sites or membership sites. But it can be a very effective way to prevent bots from hitting your site.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_4553de-12, .wp-block-kadence-advancedheading.kt-adv-heading272_4553de-12[data-kb-block=\"kb-adv-heading272_4553de-12\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_4553de-12 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_4553de-12[data-kb-block=\"kb-adv-heading272_4553de-12\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_4553de-12 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_4553de-12[data-kb-block=\"kb-adv-heading272_4553de-12\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_4553de-12 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_4553de-12\">Apache<\/h3>\n\n\n\n<p>If you are using a cPanel host, you can enable password-protected directories from their control panel. To set it up manually,&nbsp;you will first need to create a&nbsp;<code>.htpasswd<\/code>&nbsp;file. You can use this handy&nbsp;<a href=\"http:\/\/www.htaccesstools.com\/htpasswd-generator\/\" target=\"_blank\" rel=\"noopener noreferrer\">generator tool<\/a>. Then upload the file to a directory under your wp-admin folder, such as:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>home\/user\/.htpasswds\/public_html\/wp-admin\/htpasswd\/<\/code><\/pre>\n\n\n\n<p>Then create a&nbsp;<code>.htaccess<\/code>&nbsp;file with the following code and upload it to your&nbsp;<code>\/wp-admin\/<\/code>&nbsp;directory. 
Make sure you update the directory path and username.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>AuthName \"Admins Only\"\nAuthUserFile \/home\/yourdirectory\/.htpasswds\/public_html\/wp-admin\/htpasswd\nAuthType basic\nrequire user yourusername<\/code><\/pre>\n\n\n\n<p>The one caveat to doing it this way is that it will break AJAX (admin-ajax) on the front-end of your site. This is required by some third-party plugins. Therefore you will also need to&nbsp;<a href=\"https:\/\/core.trac.wordpress.org\/ticket\/12400#comment:23\" target=\"_blank\" rel=\"noopener noreferrer\">add the following code<\/a>&nbsp;to the above .htaccess file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;Files admin-ajax.php&gt;\nOrder allow,deny\nAllow from all\nSatisfy any\n&lt;\/Files&gt;<\/code><\/pre>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_e5b35c-84, .wp-block-kadence-advancedheading.kt-adv-heading272_e5b35c-84[data-kb-block=\"kb-adv-heading272_e5b35c-84\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_e5b35c-84 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_e5b35c-84[data-kb-block=\"kb-adv-heading272_e5b35c-84\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_e5b35c-84 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_e5b35c-84[data-kb-block=\"kb-adv-heading272_e5b35c-84\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_e5b35c-84 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_e5b35c-84\">Nginx<\/h3>\n\n\n\n<p>If you are running&nbsp;Nginx, you can also restrict access with HTTP basic authentication. 
Check out&nbsp;<a href=\"https:\/\/www.nginx.com\/resources\/admin-guide\/restricting-access-auth-basic\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">this tutorial<\/a>.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_faa8e9-d8, .wp-block-kadence-advancedheading.kt-adv-heading272_faa8e9-d8[data-kb-block=\"kb-adv-heading272_faa8e9-d8\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_faa8e9-d8 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_faa8e9-d8[data-kb-block=\"kb-adv-heading272_faa8e9-d8\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_faa8e9-d8 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_faa8e9-d8[data-kb-block=\"kb-adv-heading272_faa8e9-d8\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_faa8e9-d8 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_faa8e9-d8\">Lockdown a URL path<\/h3>\n\n\n\n<p>If you\u2019re using a web application firewall (WAF) such as Cloudflare or Sucuri, they also have ways to lock down a URL path. Essentially you can set up a rule so that only&nbsp;your IP address&nbsp;is able to access your WordPress admin login URL. Again, this generally shouldn\u2019t be used on eCommerce sites or membership sites as they also rely on accessing your site\u2019s back-end.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloudflare has a&nbsp;<a href=\"https:\/\/support.cloudflare.com\/hc\/en-us\/articles\/115001595131-How-do-I-Lockdown-URLs-in-Cloudflare-\" target=\"_blank\" rel=\"noopener noreferrer\">lockdown URL feature<\/a>&nbsp;in their Pro and higher accounts. 
You can set up a rule for any URL or path.<\/li>\n\n\n\n<li>Sucuri has a&nbsp;<a href=\"https:\/\/kb.sucuri.net\/firewall\/Whitelist+and+Blacklist\/blacklisting-path\" target=\"_blank\" rel=\"noopener noreferrer\">blacklist URL path feature<\/a>. You could then whitelist your own IP.<\/li>\n<\/ul>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_24a541-46, .wp-block-kadence-advancedheading.kt-adv-heading272_24a541-46[data-kb-block=\"kb-adv-heading272_24a541-46\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_24a541-46 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_24a541-46[data-kb-block=\"kb-adv-heading272_24a541-46\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_24a541-46 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_24a541-46[data-kb-block=\"kb-adv-heading272_24a541-46\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_24a541-46 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_24a541-46\">Take Advantage of Two-Factor Authentication<\/h3>\n\n\n\n<p>And of course, we can\u2019t forget two-factor authentication! No matter how secure your password is there is always a risk of someone discovering it. Two-factor authentication involves a two-step process in which you need not only your password to login but a second method. It is generally&nbsp;a text (SMS), phone call, or time-based one-time password (TOTP). In most cases, this is 100% effective in preventing brute force attacks on your WordPress site. Why? Because it is almost impossible that the attacker will have both your password and your cellphone.<\/p>\n\n\n\n<p>There are really two parts when it comes to two-factor authentication. 
The first is&nbsp;<strong>your&nbsp;account and\/or dashboard<\/strong> that you have with your web hosting provider. If someone gets access to this they could change your passwords, delete your websites, change DNS records, and do all sorts of horrible things.<\/p>\n\n\n\n<p>The second part of two-factor authentication pertains to&nbsp;<strong>your actual WordPress installation<\/strong>. For this there are a couple of plugins we recommend:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/wordpress.org\/plugins\/duo-wordpress\/\" target=\"_blank\" rel=\"noopener noreferrer\">Duo Two-Factor Authentication<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/miniorange-2-factor-authentication\/\" target=\"_blank\" rel=\"noopener noreferrer\">Google Authenticator<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/two-factor-authentication\/\" target=\"_blank\" rel=\"noopener noreferrer\">Two Factor Authentication<\/a><\/li>\n<\/ul>\n\n\n\n<p>Many of these have their own Authenticator Apps you can install on your phone:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.duosecurity.duomobile&amp;hl=en_US\" target=\"_blank\" rel=\"noopener noreferrer\">Android Duo Mobile App<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/itunes.apple.com\/us\/app\/duo-mobile\/id422663827\" target=\"_blank\" rel=\"noopener noreferrer\">iPhone Duo Mobile App<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.google.android.apps.authenticator2&amp;hl=en\" target=\"_blank\" rel=\"noopener noreferrer\">Android Google Authenticator App<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/itunes.apple.com\/us\/app\/google-authenticator\/id388497605?mt=8\" target=\"_blank\" rel=\"noopener noreferrer\">iPhone Google Authenticator App<\/a><\/li>\n<\/ul>\n\n\n\n<p>After installing and configuring one of the above plugins, you will typically have an additional field on your 
WordPress login page to enter your security code. Or, with the Duo plugin, you first log in with your credentials and are then required to choose an authentication method, such as Duo Push, call, or passcode.<\/p>\n\n\n\n<p>This method can easily be combined with changing your default login URL, which we went over earlier. So not only is your WordPress login URL something only you know, but it now requires extra authentication to get in.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_4dedac-b0, .wp-block-kadence-advancedheading.kt-adv-heading272_4dedac-b0[data-kb-block=\"kb-adv-heading272_4dedac-b0\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_4dedac-b0 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_4dedac-b0[data-kb-block=\"kb-adv-heading272_4dedac-b0\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_4dedac-b0 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_4dedac-b0[data-kb-block=\"kb-adv-heading272_4dedac-b0\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_4dedac-b0 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_4dedac-b0\">Use HTTPS for Encrypted Connections \u2013 SSL Certificate<\/h3>\n\n\n\n<p>One of the most overlooked ways to harden your WordPress security is to&nbsp;install an SSL certificate&nbsp;and run your site over HTTPS. HTTPS (Hyper Text Transfer Protocol Secure) is a mechanism that allows your browser or web application to securely connect with a website. &nbsp;A big misconception is that if you aren\u2019t accepting credit cards that you don\u2019t need SSL.<\/p>\n\n\n\n<p>Well, let us explain a few reasons why HTTPS is important beyond just eCommerce. 
Many hosts, including Neoxea, offer free SSL certificates with Let\u2019s Encrypt.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_d06b23-39, .wp-block-kadence-advancedheading.kt-adv-heading272_d06b23-39[data-kb-block=\"kb-adv-heading272_d06b23-39\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_d06b23-39 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_d06b23-39[data-kb-block=\"kb-adv-heading272_d06b23-39\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_d06b23-39 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_d06b23-39[data-kb-block=\"kb-adv-heading272_d06b23-39\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_d06b23-39 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_d06b23-39\">Security<\/h3>\n\n\n\n<p>Of course, the biggest reason for HTTPS is the added security, and yes this does pertain strongly to eCommerce sites. However, how important is your login information? For those of you running multi-author WordPress websites, if you are running over HTTP,&nbsp;every time a person logs in, that information is being passed&nbsp;to the server in plain text.&nbsp;<strong>HTTPS is absolutely vital in maintaining a secure connection<\/strong>&nbsp;between a website and a browser. 
This way you can better prevent hackers and\/or a man in the middle from gaining access to your website.<\/p>\n\n\n\n<p>So whether you have a blog, news site,&nbsp;agency, etc., they can all benefit from HTTPS as this ensures nothing ever passes in plain text.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_26fad7-3c, .wp-block-kadence-advancedheading.kt-adv-heading272_26fad7-3c[data-kb-block=\"kb-adv-heading272_26fad7-3c\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_26fad7-3c mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_26fad7-3c[data-kb-block=\"kb-adv-heading272_26fad7-3c\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_26fad7-3c img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_26fad7-3c[data-kb-block=\"kb-adv-heading272_26fad7-3c\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_26fad7-3c wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_26fad7-3c\">SEO<\/h3>\n\n\n\n<p>Google has officially said that&nbsp;<a href=\"https:\/\/webmasters.googleblog.com\/2014\/08\/https-as-ranking-signal.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">HTTPS is a ranking factor<\/a>. 
While it is only a small ranking factor, most of you would probably take any advantage you can get in SERPs to beat your competitors.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_2466cb-96, .wp-block-kadence-advancedheading.kt-adv-heading272_2466cb-96[data-kb-block=\"kb-adv-heading272_2466cb-96\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_2466cb-96 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_2466cb-96[data-kb-block=\"kb-adv-heading272_2466cb-96\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_2466cb-96 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_2466cb-96[data-kb-block=\"kb-adv-heading272_2466cb-96\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_2466cb-96 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_2466cb-96\">Trust and Credibility<\/h3>\n\n\n\n<p>According to a survey from&nbsp;<a href=\"http:\/\/downloads.globalsign.com\/acton\/attachment\/2674\/f-0360\/1\/-\/-\/-\/-\/increase-conversions-with-SSL.pdf\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GlobalSign<\/a>, 28.9% of visitors look for the green address bar in their browser. And 77% of them are worried about their data being intercepted or misused online. 
By seeing that green padlock, customers will instantly have more peace of mind knowing that their data is more secure.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_47404e-ba, .wp-block-kadence-advancedheading.kt-adv-heading272_47404e-ba[data-kb-block=\"kb-adv-heading272_47404e-ba\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_47404e-ba mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_47404e-ba[data-kb-block=\"kb-adv-heading272_47404e-ba\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_47404e-ba img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_47404e-ba[data-kb-block=\"kb-adv-heading272_47404e-ba\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_47404e-ba wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_47404e-ba\">Referral Data<\/h3>\n\n\n\n<p>What a&nbsp;lot of people don\u2019t realize is that HTTPS to HTTP referral data is blocked in Google Analytics. So what happens to the data? 
Well, most of it is just lumped together with the \u201cdirect traffic\u201d section.&nbsp;If someone is going from HTTP to HTTPS the referrer is still passed.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_dacd50-72, .wp-block-kadence-advancedheading.kt-adv-heading272_dacd50-72[data-kb-block=\"kb-adv-heading272_dacd50-72\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_dacd50-72 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_dacd50-72[data-kb-block=\"kb-adv-heading272_dacd50-72\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_dacd50-72 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_dacd50-72[data-kb-block=\"kb-adv-heading272_dacd50-72\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_dacd50-72 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_dacd50-72\">Chrome Warnings<\/h3>\n\n\n\n<p>As of&nbsp;<a href=\"https:\/\/blog.chromium.org\/2018\/02\/a-secure-web-is-here-to-stay.html\" target=\"_blank\" rel=\"noopener noreferrer\">July 24th, 2018<\/a>, Chrome versions 68 and higher started marking all non-HTTPS sites as \u201cNot Secure,\u201d&nbsp;regardless of whether they collect data or not. This is why HTTPS is more important than ever!<\/p>\n\n\n\n<p>This is especially important if your website gets a majority of its traffic from Chrome.&nbsp;You can look in Google Analytics&nbsp;under the Audience section in Browser &amp; OS to see the percentage of traffic your WordPress site gets from Google Chrome. 
Google is making it a lot more clear to visitors that your WordPress website might not be running on a secured connection.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_b6e87e-da, .wp-block-kadence-advancedheading.kt-adv-heading272_b6e87e-da[data-kb-block=\"kb-adv-heading272_b6e87e-da\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_b6e87e-da mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_b6e87e-da[data-kb-block=\"kb-adv-heading272_b6e87e-da\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_b6e87e-da img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_b6e87e-da[data-kb-block=\"kb-adv-heading272_b6e87e-da\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_b6e87e-da wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_b6e87e-da\">Performance<\/h3>\n\n\n\n<p>Because of a protocol called&nbsp;HTTP\/2, a lot of times, those running properly optimized sites over HTTPS can even see speed improvements. HTTP\/2 requires HTTPS because of browser support. 
The improvement in performance is due to a variety of reasons such as HTTP\/2 being able to support better&nbsp;multiplexing, parallelism, HPACK compression with Huffman encoding, the ALPN extension, and server push.<\/p>\n\n\n\n<p>And with&nbsp;TLS 1.3, HTTPS connections are even faster.&nbsp;<strong>Neoxea supports TLS 1.3 on all of our servers.<\/strong><\/p>\n\n\n\n<p>Re-thinking HTTPS now?&nbsp;Check out our in-depth&nbsp;WordPress HTTPS migration guide&nbsp;to get you up and going and learn more in our&nbsp;TLS vs SSL comparison.<\/p>\n\n\n\n<p>To&nbsp;enforce a secure, encrypted connection between you and the server when logging in to and administering your site, add the following line to your&nbsp;<code>wp-config.php<\/code>&nbsp;file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">define('FORCE_SSL_ADMIN', true);<\/pre>\n\n\n\n<p>(Suggested reading: if you\u2019re using legacy TLS versions, you might want to fix&nbsp;ERR_SSL_OBSOLETE_VERSION&nbsp;Notifications in Chrome).<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_0ca890-16, .wp-block-kadence-advancedheading.kt-adv-heading272_0ca890-16[data-kb-block=\"kb-adv-heading272_0ca890-16\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_0ca890-16 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_0ca890-16[data-kb-block=\"kb-adv-heading272_0ca890-16\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_0ca890-16 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_0ca890-16[data-kb-block=\"kb-adv-heading272_0ca890-16\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_0ca890-16 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_0ca890-16\">Harden Your wp-config.php 
file<\/h3>\n\n\n\n<p>Your wp-config.php&nbsp;file is like the heart and soul of your WordPress installation. It is by far the most important file on your site when it comes to WordPress security. It contains your database login information and security keys which handle the encryption of information in cookies.&nbsp;Below are a couple of things you can do to better protect this important file.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_292f1d-1a, .wp-block-kadence-advancedheading.kt-adv-heading272_292f1d-1a[data-kb-block=\"kb-adv-heading272_292f1d-1a\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_292f1d-1a mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_292f1d-1a[data-kb-block=\"kb-adv-heading272_292f1d-1a\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_292f1d-1a img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_292f1d-1a[data-kb-block=\"kb-adv-heading272_292f1d-1a\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_292f1d-1a wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_292f1d-1a\">Move wp-config.php<\/h3>\n\n\n\n<p>By default, your wp-config.php file resides in the root directory of your WordPress installation (your&nbsp;<code>\/public<\/code>&nbsp;HTML folder). But you can move this to a non-www accessible directory. Aaron Adams wrote up a&nbsp;<a href=\"http:\/\/wordpress.stackexchange.com\/questions\/58391\/is-moving-wp-config-outside-the-web-root-really-beneficial\/74972#74972\" target=\"_blank\" rel=\"noopener noreferrer\">great explanation of why<\/a>&nbsp;this is beneficial.<\/p>\n\n\n\n<p>To move your&nbsp;<code>wp-config.php<\/code>&nbsp;file simply copy everything out of it into a different file. 
Then in your&nbsp;<code>wp-config.php<\/code>&nbsp;file you can place the following snippet to simply include your other file. Note: the directory path might be different based on your web host and setup. Typically though it is simply one directory above.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php\ninclude('\/home\/yourname\/wp-config.php');<\/pre>\n\n\n\n<p>Note:&nbsp;<strong>this won\u2019t work for Neoxea customers and will break functionality on our platform. <\/strong>This is because our open_basedir restrictions don\u2019t allow the execution of PHP above the&nbsp;<code>~\/public<\/code>&nbsp;directory for security reasons. The good news is we handle this for you!&nbsp;We do effectively the same thing by blocking access to&nbsp;<code>wp-login.php<\/code>&nbsp;within the&nbsp;<code>~\/public<\/code>&nbsp;directory. Our default Nginx config includes a rule that will return a 403 for any attempted access of&nbsp;<code>wp-config.php<\/code>.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_756033-98, .wp-block-kadence-advancedheading.kt-adv-heading272_756033-98[data-kb-block=\"kb-adv-heading272_756033-98\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_756033-98 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_756033-98[data-kb-block=\"kb-adv-heading272_756033-98\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_756033-98 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_756033-98[data-kb-block=\"kb-adv-heading272_756033-98\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_756033-98 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_756033-98\">Update WordPress Security&nbsp;Keys<\/h3>\n\n\n\n<p>WordPress 
security&nbsp;keys are a set of random variables that improve the encryption of information stored in the user\u2019s cookies. Since WordPress 2.7 there have been 4 different keys:&nbsp;<code>AUTH_KEY<\/code>,&nbsp;<code>SECURE_AUTH_KEY<\/code>,&nbsp;<code>LOGGED_IN_KEY<\/code>, and&nbsp;<code>NONCE_KEY<\/code>.<\/p>\n\n\n\n<p>When you install WordPress these are generated randomly for you. However, if you have gone through multiple migrations (check our curated list of the&nbsp;best WordPress migration plugins) or purchased a site from someone else, it can be good to create fresh WordPress keys.<\/p>\n\n\n\n<p>WordPress actually has a free tool that you can use to&nbsp;<a href=\"https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/\" target=\"_blank\" rel=\"noopener noreferrer\">generate random keys<\/a>. You can update your current keys which are stored in your&nbsp;wp-config.php file.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_3bedc0-09, .wp-block-kadence-advancedheading.kt-adv-heading272_3bedc0-09[data-kb-block=\"kb-adv-heading272_3bedc0-09\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_3bedc0-09 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_3bedc0-09[data-kb-block=\"kb-adv-heading272_3bedc0-09\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_3bedc0-09 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_3bedc0-09[data-kb-block=\"kb-adv-heading272_3bedc0-09\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_3bedc0-09 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_3bedc0-09\">Change Permissions<\/h3>\n\n\n\n<p>Typically files in the root directory of a WordPress site will be set to 644, which means that files 
are readable and writeable by the owner of the file and readable by users in the group owner of that file and readable by everyone else.&nbsp;According to the&nbsp;<a href=\"https:\/\/codex.wordpress.org\/Changing_File_Permissions\" target=\"_blank\" rel=\"noopener noreferrer\">WordPress documentation<\/a>, the permissions on the&nbsp;<code>wp-config.php<\/code>&nbsp;file should be set to 440 or 400 to prevent other users on the server from reading it. You can easily change this with your&nbsp;FTP client.<\/p>\n\n\n\n<p>On some hosting platforms, the permissions might need to be different because the user running the web server doesn\u2019t have permission to write files. If you aren\u2019t sure about this, check with your hosting provider.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_4b2e30-b8, .wp-block-kadence-advancedheading.kt-adv-heading272_4b2e30-b8[data-kb-block=\"kb-adv-heading272_4b2e30-b8\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_4b2e30-b8 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_4b2e30-b8[data-kb-block=\"kb-adv-heading272_4b2e30-b8\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_4b2e30-b8 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_4b2e30-b8[data-kb-block=\"kb-adv-heading272_4b2e30-b8\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_4b2e30-b8 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_4b2e30-b8\">Disable XML-RPC<\/h3>\n\n\n\n<p>In the&nbsp;<a href=\"https:\/\/blog.sucuri.net\/2014\/07\/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html\" target=\"_blank\" rel=\"noopener noreferrer\">past years<\/a>&nbsp;XML-RPC has become an&nbsp;<a 
href=\"https:\/\/blog.sucuri.net\/2015\/10\/brute-force-amplification-attacks-against-wordpress-xmlrpc.html\" target=\"_blank\" rel=\"noopener noreferrer\">increasingly large<\/a>&nbsp;target for brute force attacks. As Sucuri mentioned, one of the hidden features of XML-RPC is that you can use the system.multicall&nbsp;method to execute multiple methods inside a single request. That\u2019s very useful as it allows applications to pass multiple commands within one HTTP request. But it is also used with malicious intent.<\/p>\n\n\n\n<p>There are a few WordPress plugins like&nbsp;Jetpack&nbsp;that rely on XML-RPC, but a majority of people out there won\u2019t need this and it can be beneficial to simply disable access to it.&nbsp;Not sure if XML-RPC is currently running on your website? Danilo Ercoli, from the Automattic team, wrote a little tool called the&nbsp;<a href=\"http:\/\/xmlrpc.eritreo.it\/\" target=\"_blank\" rel=\"noopener noreferrer\">XML-RPC Validator<\/a>. You can run your WordPress site through that to see if it has XML-RPC enabled. If it isn\u2019t, you will see a failure message.<\/p>\n\n\n\n<p>To disable this completely you can install the free&nbsp;<a href=\"https:\/\/wordpress.org\/plugins\/disable-xml-rpc\/\" target=\"_blank\" rel=\"noopener noreferrer\">Disable XML-RPC<\/a>&nbsp;plugin. Or you can disable it with the premium&nbsp;<a href=\"https:\/\/perfmatters.io\/\" target=\"_blank\" rel=\"noopener noreferrer\">perfmatters<\/a>&nbsp;plugin, which also contains web performance improvements.<\/p>\n\n\n\n<p><strong>If you are a customer here at Neoxea this is not needed<\/strong>&nbsp;because&nbsp;when an attack through&nbsp;XML-RPC is detected a little snippet of code is added into the Litespeed config file to stop them in their tracks \u2013 producing a 403 error.<\/p>\n\n\n\n
<pre class=\"wp-block-code\"><code>location ~* ^\/xmlrpc\\.php$ {\nreturn 403;\n}<\/code><\/pre>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_a9060a-65, .wp-block-kadence-advancedheading.kt-adv-heading272_a9060a-65[data-kb-block=\"kb-adv-heading272_a9060a-65\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_a9060a-65 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_a9060a-65[data-kb-block=\"kb-adv-heading272_a9060a-65\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_a9060a-65 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_a9060a-65[data-kb-block=\"kb-adv-heading272_a9060a-65\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_a9060a-65 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_a9060a-65\">Hide Your WordPress Version<\/h3>\n\n\n\n<p>Hiding your WordPress version touches again on the subject of&nbsp;<strong>WordPress security by obscurity<\/strong>. The less other people know about your WordPress site configuration the better. If they see you are running an out-of-date WordPress installation, this could be a welcome sign to intruders. By default, the WordPress version shows up in the header of your site\u2019s source code. Again, we recommend simply making sure your WordPress installation is always up to date so you don\u2019t have to worry about this.<\/p>\n\n\n\n<p>You can use the following code to remove this. Simply add&nbsp;it to your WordPress theme\u2019s&nbsp;<code>functions.php<\/code>&nbsp;file.<\/p>\n\n\n\n<p>Important! Editing the source code of a WordPress theme&nbsp;could break your site if not done correctly. 
If you are not comfortable doing this, please check with a developer first.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">function wp_version_remove_version() {\nreturn '';\n}\nadd_filter('the_generator', 'wp_version_remove_version');<\/pre>\n\n\n\n<p>You could also use a premium plugin like&nbsp;<a href=\"https:\/\/perfmatters.io\/\" target=\"_blank\" rel=\"noopener noreferrer\">perfmatters<\/a>, which allows you to hide the WordPress version with one click, along with other optimizations for your WordPress site.<\/p>\n\n\n\n<p>Another place where the WordPress version shows up is in the default&nbsp;<code>readme.html<\/code>&nbsp;file that is included in every WordPress version. It is located in the root of your installation,&nbsp;<code>domain.com\/readme.html<\/code>. You can safely delete this file via FTP.<\/p>\n\n\n\n<p>If you\u2019re running WordPress 5.0 or higher this is no longer applicable as the version number is no longer included in the file.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_373bf6-fd, .wp-block-kadence-advancedheading.kt-adv-heading272_373bf6-fd[data-kb-block=\"kb-adv-heading272_373bf6-fd\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_373bf6-fd mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_373bf6-fd[data-kb-block=\"kb-adv-heading272_373bf6-fd\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_373bf6-fd img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_373bf6-fd[data-kb-block=\"kb-adv-heading272_373bf6-fd\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_373bf6-fd wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_373bf6-fd\">Add Latest HTTP Security 
Headers<\/h3>\n\n\n\n<p>Another step you can take to harden your WordPress security is to take advantage of HTTP security headers. These are usually configured at the web server level and tell the browser how to behave when handling your site\u2019s content. There are a lot of different HTTP security headers, but below are typically the most important ones.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.keycdn.com\/support\/content-security-policy\/\" target=\"_blank\" rel=\"noopener noreferrer\">Content-Security-Policy<\/a><\/li>\n\n\n\n<li>X-XSS-Protection<\/li>\n\n\n\n<li>Strict-Transport-Security<\/li>\n\n\n\n<li>X-Frame-Options<\/li>\n\n\n\n<li><a href=\"https:\/\/scotthelme.co.uk\/hpkp-http-public-key-pinning\/\" target=\"_blank\" rel=\"noopener noreferrer\">Public-Key-Pins<\/a><\/li>\n\n\n\n<li>X-Content-Type-Options<\/li>\n<\/ul>\n\n\n\n<p>KeyCDN has a great in-depth post if you want to read more about&nbsp;<a href=\"https:\/\/www.keycdn.com\/blog\/http-security-headers\/\" target=\"_blank\" rel=\"noopener noreferrer\">HTTP security headers<\/a>.<\/p>\n\n\n\n<p>You can check which headers are currently set on your WordPress site by launching Chrome devtools and looking at the headers on your site\u2019s initial response.<\/p>\n\n\n\n<p>You can also scan your WordPress website with the free&nbsp;<a href=\"https:\/\/securityheaders.io\/\" target=\"_blank\" rel=\"noopener noreferrer\">securityheaders.io<\/a>&nbsp;tool by Scott Helme. This will show you which HTTP security headers you currently have on your site. If you aren\u2019t sure how to implement them you can always ask your host if they can help.<\/p>\n\n\n\n<p>Note: When you implement HTTP security headers, remember that they might affect your&nbsp;WordPress subdomains. 
For example, if you add the Content Security Policy header and restrict access by domain, you need to add your own subdomains as well.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_602208-ee, .wp-block-kadence-advancedheading.kt-adv-heading272_602208-ee[data-kb-block=\"kb-adv-heading272_602208-ee\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_602208-ee mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_602208-ee[data-kb-block=\"kb-adv-heading272_602208-ee\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_602208-ee img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_602208-ee[data-kb-block=\"kb-adv-heading272_602208-ee\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_602208-ee wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_602208-ee\">Use WordPress Security Plugins<\/h3>\n\n\n\n<p>And of course, we have to mention some WordPress security plugins. There are a lot of great developers and companies out there which provide great solutions to help better protect your WordPress site. 
Here are a couple of them.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/wordpress.org\/plugins\/sucuri-scanner\/\" target=\"_blank\" rel=\"noopener noreferrer\">Sucuri Security<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/better-wp-security\/\" target=\"_blank\" rel=\"noopener noreferrer\">iThemes Security<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/wordfence\/\" target=\"_blank\" rel=\"noopener noreferrer\">WordFence Security<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/wp-fail2ban\/\" target=\"_blank\" rel=\"noopener noreferrer\">WP fail2ban<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/secupress\/\" target=\"_blank\" rel=\"noopener noreferrer\">SecuPress<\/a><\/li>\n<\/ul>\n\n\n\n<p>We use hardware firewalls, active and passive security, by-the-minute uptime checks, and scores of other advanced features to prevent attackers from gaining access to your data.<\/p>\n\n\n\n<p>Here are some typical features and uses of the plugins above:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Generate and force strong passwords when creating user profiles<\/li>\n\n\n\n<li>Force passwords to expire and be reset on a regular basis<\/li>\n\n\n\n<li>User action logging<\/li>\n\n\n\n<li>Easy updates of WordPress security keys<\/li>\n\n\n\n<li>Malware Scanning<\/li>\n\n\n\n<li>Two-factor authentication<\/li>\n\n\n\n<li>reCAPTCHAs<\/li>\n\n\n\n<li>WordPress security firewalls<\/li>\n\n\n\n<li>IP whitelisting<\/li>\n\n\n\n<li>IP blacklisting<\/li>\n\n\n\n<li>File changelogs<\/li>\n\n\n\n<li>Monitor DNS changes<\/li>\n\n\n\n<li>Block malicious networks<\/li>\n\n\n\n<li>View WHOIS information on visitors<\/li>\n<\/ul>\n\n\n\n<p>A very important feature that many security plugins include is a checksum utility. What this means is that they inspect your WordPress installation and look for modifications to the core files as provided by WordPress.org (via the API). 
Any changes or modifications to these files could indicate a hack. You can also use WP-CLI to&nbsp;<a href=\"https:\/\/developer.wordpress.org\/cli\/commands\/core\/verify-checksums\/\" target=\"_blank\" rel=\"noopener noreferrer\">run your own checksum<\/a>.<\/p>\n\n\n\n<p>Make sure to read our thorough&nbsp;guide on File Integrity Monitoring.<\/p>\n\n\n\n<p>Another great plugin that deserves an honorable mention is the&nbsp;<a href=\"https:\/\/wordpress.org\/plugins\/wp-security-audit-log\/\" target=\"_blank\" rel=\"noopener noreferrer\">WP Security Audit Log plugin<\/a>.&nbsp;This is awesome for those of you working on&nbsp;WordPress multisite&nbsp;or simply multi-author sites. It helps ensure user productivity and lets administrators see everything that is being changed, such as logins, password changes, theme changes, widget changes, new post creations, WordPress updates, etc.<\/p>\n\n\n\n<p>It\u2019s a complete&nbsp;WordPress activity log&nbsp;solution. As of this writing, the WP Security Audit Log plugin has over 80,000 active installs with a 4.7 out of 5-star rating. It is an excellent choice if you\u2019re looking for&nbsp;a WordPress multisite compatible&nbsp;security solution.<\/p>\n\n\n\n<p>It also has additional premium add-ons such as email notifications, user sessions management, search, and reports. 
Check out these additional&nbsp;WordPress security plugins&nbsp;that can help lock out the bad guys.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_14f18d-c5, .wp-block-kadence-advancedheading.kt-adv-heading272_14f18d-c5[data-kb-block=\"kb-adv-heading272_14f18d-c5\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_14f18d-c5 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_14f18d-c5[data-kb-block=\"kb-adv-heading272_14f18d-c5\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_14f18d-c5 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_14f18d-c5[data-kb-block=\"kb-adv-heading272_14f18d-c5\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_14f18d-c5 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_14f18d-c5\">Harden Database Security<\/h3>\n\n\n\n<p>There are a couple of ways to&nbsp;improve the security of your WordPress database. The first is to&nbsp;use a clever database name. If your site is named volleyball tricks, by default your WordPress database is most likely named&nbsp;wp_volleyballtricks. Changing your database name to something more obscure helps protect your site by making it more difficult for hackers to identify and access your database details.<\/p>\n\n\n\n<p>A second recommendation is to use a different database table prefix. By default WordPress uses&nbsp;<code>wp_<\/code>. Changing this to something like&nbsp;<code>39xw_<\/code> can be much more secure. When you install WordPress it asks for a table prefix. There are also ways to change the WordPress table prefix on existing installations. If you\u2019re a Neoxea customer, this isn\u2019t needed. 
We\u2019ve got your site and database locked down!<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_52b3e9-68, .wp-block-kadence-advancedheading.kt-adv-heading272_52b3e9-68[data-kb-block=\"kb-adv-heading272_52b3e9-68\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_52b3e9-68 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_52b3e9-68[data-kb-block=\"kb-adv-heading272_52b3e9-68\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_52b3e9-68 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_52b3e9-68[data-kb-block=\"kb-adv-heading272_52b3e9-68\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_52b3e9-68 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_52b3e9-68\">Always Use Secure Connections<\/h3>\n\n\n\n<p>We can\u2019t stress enough how important it is to use secure connections! Ensure that your WordPress host is taking precautions such as offering SFTP or SSH.&nbsp;SFTP, or&nbsp;Secure File Transfer Protocol (also known as SSH File Transfer Protocol), is&nbsp;a network protocol&nbsp;used for file transfers.&nbsp;It is a more secure method than standard FTP.<\/p>\n\n\n\n<p>We only&nbsp;support SFTP connections at Neoxea to ensure your data remains safe and encrypted. Most WordPress hosts also typically use port 22 for SFTP.<\/p>\n\n\n\n<p>It\u2019s also important to ensure that your home router is set up correctly. If someone hacks your home network they could gain access to all sorts of information, possibly including where important information about your WordPress site(s) is stored. Here are some simple tips:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Don\u2019t enable remote management (VPN). 
Typical users never use this feature and by keeping it off you can keep from exposing your network to the outside world.<\/li>\n\n\n\n<li>Routers by default use IPs in the range such as 192.168.1.1. Use a different range, such as 10.9.8.7.<\/li>\n\n\n\n<li>Enable the highest level of encryption on your Wifi.<\/li>\n\n\n\n<li>IP white-list your Wifi so that only people with the password and certain IP can access it.<\/li>\n\n\n\n<li>Keep the firmware on your router up to date.<\/li>\n<\/ul>\n\n\n\n<p>And always be careful when logging into your WordPress site in public locations. Remember,&nbsp;<strong>Free Wi-fi is not a secure network!<\/strong>&nbsp;Take precautions such as verifying the network SSID before you click connect. You can also use a 3rd party VPN service such as&nbsp;<a href=\"https:\/\/www.expressvpn.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">ExpressVPN<\/a>&nbsp;to encrypt your internet traffic and hide your IP address from hackers.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_7fe003-e9, .wp-block-kadence-advancedheading.kt-adv-heading272_7fe003-e9[data-kb-block=\"kb-adv-heading272_7fe003-e9\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_7fe003-e9 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_7fe003-e9[data-kb-block=\"kb-adv-heading272_7fe003-e9\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_7fe003-e9 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_7fe003-e9[data-kb-block=\"kb-adv-heading272_7fe003-e9\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_7fe003-e9 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_7fe003-e9\">Check File and Server Permissions<\/h3>\n\n\n\n<p>File 
permissions on both your installation and web server are crucial to beef up your WordPress security.&nbsp;If permissions are too loose, someone could easily gain access to your site and wreak havoc. On the other hand, if your permissions are too strict this could break functionality on your site. So it is important to have the correct permissions set across the board.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_416d57-66, .wp-block-kadence-advancedheading.kt-adv-heading272_416d57-66[data-kb-block=\"kb-adv-heading272_416d57-66\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_416d57-66 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_416d57-66[data-kb-block=\"kb-adv-heading272_416d57-66\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_416d57-66 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_416d57-66[data-kb-block=\"kb-adv-heading272_416d57-66\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_416d57-66 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_416d57-66\">File Permissions<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Read&nbsp;<\/strong>permissions&nbsp;are&nbsp;assigned if the user has rights to read the file.<\/li>\n\n\n\n<li><strong>Write&nbsp;<\/strong>permissions are assigned&nbsp;if the user has rights&nbsp;to&nbsp;write or modify the file.<\/li>\n\n\n\n<li><strong>Execute&nbsp;<\/strong>permissions are assigned if the user has the rights&nbsp;to&nbsp;run the file and\/or execute it as a script.<\/li>\n<\/ul>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_622126-66, 
.wp-block-kadence-advancedheading.kt-adv-heading272_622126-66[data-kb-block=\"kb-adv-heading272_622126-66\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_622126-66 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_622126-66[data-kb-block=\"kb-adv-heading272_622126-66\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_622126-66 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_622126-66[data-kb-block=\"kb-adv-heading272_622126-66\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_622126-66 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_622126-66\">Directory Permissions<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Read<\/strong>&nbsp;permissions are assigned if the user has the rights&nbsp;to access the contents of the identified folder\/directory.<\/li>\n\n\n\n<li><strong>Write&nbsp;<\/strong>permissions are assigned if the user has the rights&nbsp;to add or delete files that are contained inside the folder\/directory.<\/li>\n\n\n\n<li><strong>Execute&nbsp;<\/strong>permissions are assigned if the user has the rights to access the actual directory and perform functions and commands, including the ability to delete the data within the folder\/directory.<\/li>\n<\/ul>\n\n\n\n<p>You can use a free plugin like&nbsp;<a href=\"https:\/\/wordpress.org\/plugins\/better-wp-security\/\" target=\"_blank\" rel=\"noopener noreferrer\">iThemes Security<\/a>&nbsp;to scan the permissions on your WordPress site.<\/p>\n\n\n\n<p>Here are some typical recommendations for permissions when it comes to file and folder permissions in WordPress. 
See the WordPress Codex article on&nbsp;<a href=\"https:\/\/codex.wordpress.org\/Changing_File_Permissions\" target=\"_blank\" rel=\"noopener noreferrer\">changing file permissions<\/a>&nbsp;for a more in-depth explanation.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All files should be 644 or 640. Exception: wp-config.php should be 440 or 400 to prevent other users on the server from reading it.<\/li>\n\n\n\n<li>All directories should be 755 or 750.<\/li>\n\n\n\n<li>No directories should ever be given 777, even upload directories.<\/li>\n<\/ul>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_e910d9-52, .wp-block-kadence-advancedheading.kt-adv-heading272_e910d9-52[data-kb-block=\"kb-adv-heading272_e910d9-52\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_e910d9-52 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_e910d9-52[data-kb-block=\"kb-adv-heading272_e910d9-52\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_e910d9-52 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_e910d9-52[data-kb-block=\"kb-adv-heading272_e910d9-52\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_e910d9-52 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_e910d9-52\">Disable File Editing in WordPress Dashboard<\/h3>\n\n\n\n<p>A lot of WordPress sites have multiple users and administrators, which can make WordPress security more complicated. A&nbsp;<strong>very bad practice is to give authors or contributors administrator access<\/strong>, but unfortunately, it happens all the time. 
It is important to give users the correct roles and permissions so that they don\u2019t break anything.&nbsp;Because of this, it can be beneficial to simply disable the \u201cAppearance Editor\u201d in WordPress.<\/p>\n\n\n\n<p>Most of you have probably been there at one point or another. You go to quickly edit something in the Appearance Editor and suddenly you are left with a&nbsp;white screen of death.&nbsp;It is much better to edit the file locally and upload it via FTP. And of course, in best practice, you should be&nbsp;testing things like this on a development site first.<\/p>\n\n\n\n<p>Also,&nbsp;if your WordPress site is hacked&nbsp;the very first thing they might do is try to edit a PHP file or theme via the Appearance Editor. This is a quick way for them to execute malicious code on your site. If they don\u2019t have access to this from the dashboard, to begin with, it can help prevent attacks. Place the following code in your&nbsp;<code>wp-config.php<\/code>&nbsp;file to remove&nbsp;the \u2018edit_themes\u2019, \u2018edit_plugins\u2019 and \u2018edit_files\u2019 capabilities of all users.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">define('DISALLOW_FILE_EDIT', true);<\/pre>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_1ce229-a7, .wp-block-kadence-advancedheading.kt-adv-heading272_1ce229-a7[data-kb-block=\"kb-adv-heading272_1ce229-a7\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_1ce229-a7 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_1ce229-a7[data-kb-block=\"kb-adv-heading272_1ce229-a7\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_1ce229-a7 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_1ce229-a7[data-kb-block=\"kb-adv-heading272_1ce229-a7\"] 
img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_1ce229-a7 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_1ce229-a7\">Prevent Hotlinking<\/h3>\n\n\n\n<p>The concept of&nbsp;hotlinking&nbsp;is very simple. You find an image on the Internet somewhere and use the URL of the image directly on your site. This image will be displayed on your website but it will be served from the original location. This is&nbsp;actually theft as it is using the hotlinked site\u2019s bandwidth.&nbsp;This might not seem like a big deal, but it could generate a lot of extra costs.<\/p>\n\n\n\n<p><a href=\"http:\/\/theoatmeal.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">The Oatmeal<\/a>&nbsp;is a great example. The Huffington Post hotlinked a cartoon of his which consisted of multiple images and it racked up a whopping $1,000+ bill.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_16d0bd-35, .wp-block-kadence-advancedheading.kt-adv-heading272_16d0bd-35[data-kb-block=\"kb-adv-heading272_16d0bd-35\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_16d0bd-35 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_16d0bd-35[data-kb-block=\"kb-adv-heading272_16d0bd-35\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_16d0bd-35 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_16d0bd-35[data-kb-block=\"kb-adv-heading272_16d0bd-35\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_16d0bd-35 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_16d0bd-35\">Prevent Hotlinking in Apache<\/h3>\n\n\n\n<p>To prevent hotlinking in&nbsp;Apache&nbsp;simply add the following code to 
your&nbsp;<code>.htaccess<\/code>&nbsp;file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>RewriteEngine on\nRewriteCond %{HTTP_REFERER} !^$\nRewriteCond %{HTTP_REFERER} !^http(s)?:\/\/(www\\.)?yourdomain\\.com &#91;NC]\nRewriteRule \\.(jpg|jpeg|png|gif)$ http:\/\/dropbox.com\/hotlink-placeholder.jpg &#91;NC,R,L]<\/code><\/pre>\n\n\n\n<p>The second row defines the allowed referrer \u2013 the site that is allowed to link to the image directly; this should be your actual website. If you want to allow multiple sites you can duplicate this row and replace the referrer. If you want to generate some more complex rules, take a look at this&nbsp;<a href=\"http:\/\/www.htaccesstools.com\/hotlink-protection\/\" target=\"_blank\" rel=\"noopener noreferrer\">htaccess hotlink protection generator<\/a>.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_c659c3-3f, .wp-block-kadence-advancedheading.kt-adv-heading272_c659c3-3f[data-kb-block=\"kb-adv-heading272_c659c3-3f\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_c659c3-3f mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_c659c3-3f[data-kb-block=\"kb-adv-heading272_c659c3-3f\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_c659c3-3f img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_c659c3-3f[data-kb-block=\"kb-adv-heading272_c659c3-3f\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_c659c3-3f wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_c659c3-3f\">Prevent Hotlinking in NGINX<\/h3>\n\n\n\n<p>To prevent hotlinking in NGINX simply add the following code to your config file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>location ~ \\.(gif|png|jpe?g)$ {\nvalid_referers none blocked 
~.google. ~.bing. ~.yahoo yourdomain.com *.yourdomain.com;\nif ($invalid_referer) {\nreturn 403;\n}\n}\n<\/code><\/pre>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_984959-f1, .wp-block-kadence-advancedheading.kt-adv-heading272_984959-f1[data-kb-block=\"kb-adv-heading272_984959-f1\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_984959-f1 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_984959-f1[data-kb-block=\"kb-adv-heading272_984959-f1\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_984959-f1 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_984959-f1[data-kb-block=\"kb-adv-heading272_984959-f1\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_984959-f1 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_984959-f1\">Prevent Hotlinking on CDN<\/h3>\n\n\n\n<p>If you are serving your images from a CDN then the setup might be slightly different. 
Here are some resources with popular CDN providers.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.keycdn.com\/support\/create-a-zonereferrer\/\" target=\"_blank\" rel=\"noopener noreferrer\">Hotlink protection with KeyCDN<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/support.cloudflare.com\/hc\/en-us\/articles\/200170026-What-does-enabling-CloudFlare-Hotlink-Protection-do-\" target=\"_blank\" rel=\"noopener noreferrer\">Hotlink protection with Cloudflare<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.maxcdn.com\/blog\/http-referer-blacklisting\/\" target=\"_blank\" rel=\"noopener noreferrer\">Hotlink protection with MaxCDN<\/a><\/li>\n<\/ul>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_557022-74, .wp-block-kadence-advancedheading.kt-adv-heading272_557022-74[data-kb-block=\"kb-adv-heading272_557022-74\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_557022-74 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_557022-74[data-kb-block=\"kb-adv-heading272_557022-74\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_557022-74 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_557022-74[data-kb-block=\"kb-adv-heading272_557022-74\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_557022-74 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_557022-74\">Always Take Backups<\/h3>\n\n\n\n<p>Backups are the one thing everyone knows they need but don\u2019t always take. Most of the recommendations above are security measures you can take to better protect yourself. But no matter how secure your site is, it will never be 100% safe. 
So you want backups in case the worst happens.<\/p>\n\n\n\n<p>Most managed WordPress hosting providers now provide backups. Neoxea has five different types of backups, including automated backups&nbsp;so that you can rest easy at night.&nbsp;You can even one-click restore your site.<\/p>\n\n\n\n<p>If your host doesn\u2019t have backups there are some popular WordPress services and plugins which you can use to automate the process.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_a7755b-f5, .wp-block-kadence-advancedheading.kt-adv-heading272_a7755b-f5[data-kb-block=\"kb-adv-heading272_a7755b-f5\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_a7755b-f5 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_a7755b-f5[data-kb-block=\"kb-adv-heading272_a7755b-f5\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_a7755b-f5 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_a7755b-f5[data-kb-block=\"kb-adv-heading272_a7755b-f5\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_a7755b-f5 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_a7755b-f5\">WordPress Backup Services<\/h3>\n\n\n\n<p>WordPress site backup&nbsp;services usually have a low monthly fee and store your backups for you in the cloud.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/vaultpress.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">VaultPress<\/a>&nbsp;(from the Automattic team, now part of Jetpack)<\/li>\n\n\n\n<li><a href=\"https:\/\/www.codeguard.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">CodeGuard<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/blogvault.net\/\" target=\"_blank\" rel=\"noopener 
noreferrer\">BlogVault<\/a><\/li>\n<\/ul>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_459d89-a5, .wp-block-kadence-advancedheading.kt-adv-heading272_459d89-a5[data-kb-block=\"kb-adv-heading272_459d89-a5\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_459d89-a5 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_459d89-a5[data-kb-block=\"kb-adv-heading272_459d89-a5\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_459d89-a5 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_459d89-a5[data-kb-block=\"kb-adv-heading272_459d89-a5\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_459d89-a5 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_459d89-a5\">WordPress Backup Plugins<\/h3>\n\n\n\n<p>WordPress backup plugins allow you to grab your backups via FTP or integrate with an external storage source such as Amazon S3, Google Cloud Storage, Google Drive, or Dropbox. 
We highly recommend going with an incremental solution so it uses fewer resources.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/wordpress.org\/plugins\/duplicator\/\" target=\"_blank\" rel=\"noopener noreferrer\">Duplicator<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/wptimecapsule.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">WP Time Capsule<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/ithemes.com\/purchase\/backupbuddy\/\" target=\"_blank\" rel=\"noopener noreferrer\">BackupBuddy<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/updraftplus\/\" target=\"_blank\" rel=\"noopener noreferrer\">UpdraftPlus<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/backupwordpress\/\" target=\"_blank\" rel=\"noopener noreferrer\">BackUpWordPress<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/backwpup\/\" target=\"_blank\" rel=\"noopener noreferrer\">BackWPup<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.wpbackitup.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">WP BackItUp<\/a><\/li>\n<\/ul>\n\n\n\n<p>Note: We don\u2019t allow non-incremental backup plugins on Neoxea servers due to performance issues. 
But this is because we handle all this for you at a server-level so it doesn\u2019t slow down your WordPress site.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading272_e6f00d-e7, .wp-block-kadence-advancedheading.kt-adv-heading272_e6f00d-e7[data-kb-block=\"kb-adv-heading272_e6f00d-e7\"]{font-style:normal;}.wp-block-kadence-advancedheading.kt-adv-heading272_e6f00d-e7 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading272_e6f00d-e7[data-kb-block=\"kb-adv-heading272_e6f00d-e7\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading272_e6f00d-e7 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading272_e6f00d-e7[data-kb-block=\"kb-adv-heading272_e6f00d-e7\"] img.kb-inline-image{width:150px;vertical-align:baseline;}<\/style>\n<h3 class=\"kt-adv-heading272_e6f00d-e7 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading272_e6f00d-e7\">DDoS Protection<\/h3>\n\n\n\n<p>DDoS&nbsp;is a type of Denial of Service (DoS) attack in which multiple systems are used to target a single system.&nbsp;DDoS attacks&nbsp;are nothing new \u2013 according to&nbsp;<a href=\"http:\/\/www.britannica.com\/topic\/denial-of-service-attack\" target=\"_blank\" rel=\"noopener noreferrer\">Britannica<\/a>&nbsp;the first documented case dates back to early 2000.&nbsp;Unlike someone hacking your site, these types of attacks don\u2019t normally harm your site but rather will simply take your site down for a few hours or days.<\/p>\n\n\n\n<p>What can you do to protect yourself? 
One of the best recommendations is to use a reputable 3rd party security service&nbsp;like&nbsp;<a href=\"https:\/\/www.cloudflare.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Cloudflare<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/sucuri.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Sucuri<\/a>. If you are running a business it can make sense to invest in their premium plans. If you\u2019re hosted on Neoxea, you don\u2019t need to worry about setting up DDoS protection by yourself. All of our plans include a free Cloudflare integration&nbsp;with DDoS protection built-in.<\/p>\n\n\n\n<p>Their advanced DDoS protection can be used to mitigate DDoS attacks of all forms and sizes including those that target the UDP and ICMP protocols, as well as SYN\/ACK, DNS amplification, and Layer 7 attacks. Other benefits include putting you behind a proxy which helps to hide your origin IP address, although it is not bulletproof.<\/p>\n\n\n\n<p>Make sure to check out our case study on&nbsp;how to stop a DDoS attack. We had a client with a small e-commerce site running Easy Digital Downloads which got over&nbsp;<strong>5 million requests to a single page within 7 days<\/strong>. The site typically only generated between 30-40 MB a day in bandwidth and a couple of hundred visitors per day. But out of the blue, the site instantly went to between 15-19 GB of data transfer a day! That\u2019s an&nbsp;<strong>increase of 4650%<\/strong>.&nbsp;And Google Analytics showed no additional traffic. 
So that is not good.<\/p>\n\n\n<style>.kb-row-layout-id1958_9b7b8d-00 > .kt-row-column-wrap{align-content:start;}:where(.kb-row-layout-id1958_9b7b8d-00 > .kt-row-column-wrap) > .wp-block-kadence-column{justify-content:start;}.kb-row-layout-id1958_9b7b8d-00 > .kt-row-column-wrap{column-gap:var(--global-kb-gap-md, 2rem);row-gap:var(--global-kb-gap-none, 0rem );padding-top:var(--global-kb-spacing-sm, 1.5rem);padding-bottom:var(--global-kb-spacing-sm, 1.5rem);grid-template-columns:minmax(0, 1fr);}.kb-row-layout-id1958_9b7b8d-00 > .kt-row-layout-overlay{opacity:0.30;}@media all and (max-width: 1024px){.kb-row-layout-id1958_9b7b8d-00 > .kt-row-column-wrap{grid-template-columns:minmax(0, 1fr);}}@media all and (max-width: 767px){.kb-row-layout-id1958_9b7b8d-00 > .kt-row-column-wrap{grid-template-columns:minmax(0, 1fr);}}<\/style><div class=\"kb-row-layout-wrap kb-row-layout-id1958_9b7b8d-00 alignnone wp-block-kadence-rowlayout\"><div class=\"kt-row-column-wrap kt-has-1-columns kt-row-layout-equal kt-tab-layout-inherit kt-mobile-layout-row kt-row-valign-top\">\n<style>.kadence-column1958_62eb2d-49 > .kt-inside-inner-col,.kadence-column1958_62eb2d-49 > .kt-inside-inner-col:before{border-top-left-radius:0px;border-top-right-radius:0px;border-bottom-right-radius:0px;border-bottom-left-radius:0px;}.kadence-column1958_62eb2d-49 > .kt-inside-inner-col{column-gap:var(--global-kb-gap-sm, 1rem);}.kadence-column1958_62eb2d-49 > .kt-inside-inner-col{flex-direction:column;}.kadence-column1958_62eb2d-49 > .kt-inside-inner-col > .aligncenter{width:100%;}.kadence-column1958_62eb2d-49 > .kt-inside-inner-col:before{opacity:0.3;}.kadence-column1958_62eb2d-49{position:relative;}@media all and (max-width: 1024px){.kadence-column1958_62eb2d-49 > .kt-inside-inner-col{flex-direction:column;justify-content:center;}}@media all and (max-width: 767px){.kadence-column1958_62eb2d-49 > .kt-inside-inner-col{flex-direction:column;justify-content:center;}}<\/style>\n<div class=\"wp-block-kadence-column 
kadence-column1958_62eb2d-49\"><div class=\"kt-inside-inner-col\"><style>.wp-block-kadence-spacer.kt-block-spacer-1958_649432-7f .kt-block-spacer{height:60px;}.wp-block-kadence-spacer.kt-block-spacer-1958_649432-7f .kt-divider{border-top-width:5px;height:1px;border-top-color:#3293e3;width:10%;border-top-style:solid;}<\/style>\n<div class=\"wp-block-kadence-spacer aligncenter kt-block-spacer-1958_649432-7f\"><div class=\"kt-block-spacer kt-block-spacer-halign-left\"><hr class=\"kt-divider\"\/><\/div><\/div>\n\n\n\n<p>Save time and money, plus make your website go faster with our next-generation cloud platform available in every Managed WordPress plan. This includes a high-performance web server, DDoS protection, malware and email spam mitigation, a free cache plugin, and the world&#8217;s fastest AMD CPU machines. Get started with no long-term contracts, free migrations, and a 30-day money-back guarantee.<br>Check out our <a href=\"https:\/\/neoxea.com\/pricing\/\">plans<\/a> or talk to <a href=\"https:\/\/neoxea.com\/contact-us\/\">sales<\/a> to find the right plan for you.<\/p>\n<\/div><\/div>\n\n<\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>In this WordPress Security Guide we have put together a huge collection of secure activities you can build to protect your WordPress. Is WordPress Secure? Short answer: yes. 
But let\u2019s dig into more details as there are things you can do to improve the security of your WordPress installation and prevent attacks and vulnerabilities from&#8230;<\/p>\n","protected":false},"author":1,"featured_media":2091,"comment_status":"open","ping_status":"closed","sticky":true,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[6,27],"tags":[],"class_list":["post-272","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-wordpress"],"taxonomy_info":{"category":[{"value":6,"label":"Security"},{"value":27,"label":"WordPress"}]},"featured_image_src_large":["https:\/\/neoxea.com\/blog\/wp-content\/uploads\/wordpress-security-guide.png",300,300,false],"author_info":{"display_name":"Rodolfo","author_link":"https:\/\/neoxea.com\/blog\/author\/blogxea\/"},"comment_info":0,"category_info":[{"term_id":6,"name":"Security","slug":"security","term_group":0,"term_taxonomy_id":6,"taxonomy":"category","description":"","parent":0,"count":5,"filter":"raw","cat_ID":6,"category_count":5,"category_description":"","cat_name":"Security","category_nicename":"security","category_parent":0},{"term_id":27,"name":"WordPress","slug":"wordpress","term_group":0,"term_taxonomy_id":27,"taxonomy":"category","description":"","parent":0,"count":13,"filter":"raw","cat_ID":27,"category_count":13,"category_description":"","cat_name":"WordPress","category_nicename":"wordpress","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/neoxea.com\/blog\/wp-json\/wp\/v2\/posts\/272","targe
tHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/neoxea.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/neoxea.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/neoxea.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/neoxea.com\/blog\/wp-json\/wp\/v2\/comments?post=272"}],"version-history":[{"count":1,"href":"https:\/\/neoxea.com\/blog\/wp-json\/wp\/v2\/posts\/272\/revisions"}],"predecessor-version":[{"id":2652,"href":"https:\/\/neoxea.com\/blog\/wp-json\/wp\/v2\/posts\/272\/revisions\/2652"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/neoxea.com\/blog\/wp-json\/wp\/v2\/media\/2091"}],"wp:attachment":[{"href":"https:\/\/neoxea.com\/blog\/wp-json\/wp\/v2\/media?parent=272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/neoxea.com\/blog\/wp-json\/wp\/v2\/categories?post=272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/neoxea.com\/blog\/wp-json\/wp\/v2\/tags?post=272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}