SECURITY BEST PRACTICES FOR WORDPRESS WEBSITES

WordPress security best practices – 2019

Keep WordPress up-to-date (duh)

When you log in to the WordPress dashboard and see the "Update available" banner, click it and update your site. If you are worried about something breaking, take a backup first. The important thing is that you do it, and regularly: once a release is out, the security holes it fixed are public knowledge, so an out-of-date site is a much easier target than it was the day before.

Recommendation: enable automatic updates for WordPress core (the WP_AUTO_UPDATE_CORE constant in wp-config.php).

Keep plugins and themes up-to-date

Just as you update WordPress core regularly, update plugins and themes too. Every plugin and theme is third-party PHP that runs with the same privileges as WordPress itself, so a hole in any one of them is a hole in the whole site. Unless they are vetted before installation and updated promptly afterwards, plugins and themes are the most common way in.

Recommendation: set plugins and themes to update automatically wherever possible (the Plugins screen has an "Enable auto-updates" link per plugin, and the auto_update_plugin and auto_update_theme filters can force it). License and register all premium plugins, because an unlicensed copy does not receive updates.

 

Delete all plugins or themes you are not using.

In the same spirit, getting rid of plugins and themes you do not need reduces the attack surface. If you are not using them, you are not going to keep them updated, so delete them.

Recommendation: deactivating plugins is not enough. A deactivated plugin's files are still on disk and any PHP file in it can still be requested directly, so you must actually click "Delete".

 

Secure file permissions.

Avoid configuring directories with 777 permissions (writable by every account on the server). If a plugin demands this setting, do not use it; there are always alternative plugins.

Recommendation: set directories to 755 or 750 instead, as WordPress.org recommends. While you are at it, set files to 640 or 644 and wp-config.php to 600, since it holds the database credentials and the secret keys.

 

Recommendation: never use "admin" as a username.

If you have already installed WordPress with "admin" (or something equally obvious) as the username, you can rename it with an SQL query on the wp_users table in phpMyAdmin, or, more simply, create a new administrator account, log in as it, and delete the old one, attributing its posts to the new account when WordPress asks. Make the username hard to guess, just like the password, and remember that the display name and the author slug (user_nicename) are separate fields that are shown publicly.

It is also recommended to stop author usernames from appearing under posts and pages and, more importantly, to stop WordPress from handing them out: a request to ?author=1 redirects to /author/<login>/, and the REST API lists users at /wp-json/wp/v2/users. Either one gives an attacker a valid username to run a brute-force attack against the password.
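The following is an added example, not code from the original post and not from any plugin named on this page, of a must-use plugin that closes those enumeration paths. Drop it into wp-content/mu-plugins/ so it loads before ordinary plugins; it uses only WordPress core hooks. The file name and the wording of the error message are my own choices.

```php
<?php
/*
Plugin Name: Stop username enumeration (example)
Description: Closes the ?author=N redirect, author archives and the REST users list for visitors. Place in wp-content/mu-plugins/.
*/

// WordPress redirects /?author=1 to /author/<login>/, leaking the login name.
// The canonical redirect runs on template_redirect, so refuse the query earlier, on init.
add_action('init', function () {
    if (!is_admin() && isset($_GET['author']) && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// The pretty author archive URL gives the same information away.
add_action('template_redirect', function () {
    if (is_author() && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// The REST API lists every user with published posts at /wp-json/wp/v2/users.
// Drop those routes for anonymous requests; logged-in editors keep them (the
// block editor uses the endpoint for its author selector).
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (['/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)'] as $route) {
        unset($endpoints[$route]);
    }
    return $endpoints;
});

// The default login error distinguishes "unknown username" from "wrong password",
// which confirms usernames one at a time. Replace it with a message that says neither.
add_filter('login_errors', function () {
    return 'Login failed. Check your username and password and try again.';
});
```

To check it, while logged out request /?author=1 and you should get a 301 to the home page instead of the author archive, and /wp-json/wp/v2/users should answer with a rest_no_route error instead of a user list.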

 

Change your passwords often and make them really strong

Long random strings of letters, digits and symbols are best. If you do not feel like making one up, use a password generator such as Norton Password Generator or Strong Password Generator; the WordPress user profile screen also generates strong passwords for you. Never reuse a password from another site, since credential dumps from other breaches are replayed against WordPress logins constantly.

 

Recommendation: add two-step authentication to the backend.

A really good way to blunt brute-force attacks is to set up two-step (two-factor) authentication: a password is required plus a one-time code from your phone before you can log in. The code can be sent by SMS, but an authenticator app (TOTP) or a hardware key is preferable, since SMS can be intercepted or redirected through a SIM swap. Several plugins add this feature, including Clef, Google Authenticator and Duo Two-Factor Authentication.

 

Recommendation: limit login attempts.

Brute force is tactic number one for attackers. If you let them, they will try to log in to your site over and over until they hit the password; that is why it is called "brute force", the onslaught is relentless. Plugins can limit the number of times a given IP address may attempt to log in within a set period, after which that address is blocked for a while. Login LockDown does exactly this, and broader security plugins such as iThemes Security and Sucuri Security include login limiting among their other features. Two caveats: an attacker with many addresses (a botnet) is slowed only a little, so this complements rather than replaces two-factor authentication, and a lockout keyed on IP address can lock out an entire office sitting behind one NAT address.
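Here is an added example, not from the original post and not the code of any plugin mentioned above, of the mechanism such plugins implement: a must-use plugin that throttles logins per source address using only WordPress core hooks and transients. The thresholds, the file name and the message text are assumptions to tune for your site; it needs PHP 7 or later.

```php
<?php
/*
Plugin Name: Login throttle (example)
Description: Locks out a source IP address after repeated failed logins. Place in wp-content/mu-plugins/.
*/

define('LT_MAX_FAILURES', 5);                      // failures allowed inside the window
define('LT_WINDOW', 15 * MINUTE_IN_SECONDS);       // WordPress defines MINUTE_IN_SECONDS = 60

// Trust only REMOTE_ADDR. X-Forwarded-For is attacker-controlled unless a reverse
// proxy you operate overwrites it; if you are behind one, read its header here and only here.
function lt_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lt_key(): string {
    return 'lt_fail_' . md5(lt_client_ip());
}

// Count failures per address. A transient expires by itself and is shared across PHP
// workers (and across servers when a persistent object cache is configured). Each new
// failure restarts the window, so an address that keeps hammering stays locked out.
add_action('wp_login_failed', function () {
    $failures = (int) get_transient(lt_key());
    set_transient(lt_key(), $failures + 1, LT_WINDOW);
});

// While locked out, refuse every login from that address, even one with the right
// password. Priority 30 runs after core's username/password check (priority 20), so
// this verdict replaces whatever core decided. XML-RPC logins pass through the same
// filter, so they are throttled too. An empty username means wp-login.php was merely
// displayed, not submitted; leave core's own error in place so that does not count.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username !== '' && (int) get_transient(lt_key()) >= LT_MAX_FAILURES) {
        return new WP_Error(
            'lt_locked_out',
            sprintf('Too many failed logins from your address. Try again in %d minutes.',
                    LT_WINDOW / MINUTE_IN_SECONDS)
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(lt_key());
});
```

Transients are stored in the options table unless an object cache is installed, so on a busy site a cache such as Redis keeps this cheap. Because the lockout error itself counts as a failed login, an attacker who keeps trying extends their own lockout; a legitimate user who waits out the window gets back in.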

 

Limit user access.

A good rule of thumb is to grant access only to those who absolutely need it, and even then only the minimum permissions required for their tasks. WordPress lets you create non-administrator backend users; give the Editor role (or lower) to everyone who is not technically capable of tweaking the site's global settings.

Recommendation: create as few Administrator accounts as possible and downgrade every other account to the lowest role that still lets the person do their work.

 

Back up your site.

Scheduled backups are an essential part of any site's security strategy, because they ensure that if your site is compromised you can restore it to a version from before the damage with ease. Choose an automated solution with built-in restore options, and actually test a restore once in a while.

Recommendation: an offsite backup, for example to Dropbox or Google Drive, is a must. Use credentials that the web server does not hold, so that whoever compromises the site cannot delete the backups too.

 

Check theme authenticity and run security scans.

Just as you install antivirus software on your desktop or laptop to check for malware, install a scanner on WordPress. A security scanner checks your core files, plugins and themes for malicious code to ensure nothing has been tampered with. Scanners to consider include Sucuri SiteCheck, CodeGuard, Theme Authenticity Checker and AntiVirus.

Themes bought from theme stores such as ThemeForest receive security patches from time to time that fix serious issues in the theme. Subscribe to the vendor's mailing list so you hear about updates as they are released, and apply them as soon as possible.

 

Limit admin access to a few known IPs or computers (extreme measure)

This can make life hard for admins, since only computers with a static IP address, such as an office connection, can reach the WordPress backend. Mobile, 4G and 3G connections normally do not have static IPs, so access from those becomes difficult once this is in place.

During a hacking attack that is hard to get under control, however, it can buy time until the website is secured and stabilised. The allow-list belongs in the web server configuration (or at the top of wp-config.php) in front of /wp-admin/ and wp-login.php, with admin-ajax.php excepted because themes and plugins call it for ordinary visitors.

 

Be sure to log out of the admin when you use a public computer, and do not save passwords

If you use a public computer, such as one in a library, to access the WordPress backend, remember to log out before leaving the computer so nobody else can reach the admin panel.

Just closing the browser does not end your WordPress session: the authentication cookie stays valid until it expires (two days by default, two weeks with "Remember Me").

Also check that the browser is not saving your password automatically.

 

Recommendation: disable user registration

If you do not need people to register on your website, turn off WordPress user registration ("Anyone can register" under Settings > General).

This stops a lot of spam, and it stops people from using the registration emails to snoop on your site's internals, for example by examining the email headers to learn which server technology you run.

 

Remove the plugin and theme editor

This built-in tool lets administrators edit the PHP files of plugins and themes from the browser. It makes an attacker's life easier: once they get into an administrator account they do not need to bring their own tools to change the website's code. Setting DISALLOW_FILE_EDIT to true in wp-config.php removes the editor screens.

 

Disable PHP errors

Attackers use the error messages a website generates to learn file paths, software versions and other details that help plan an attack. Always disable the display of PHP errors and WordPress debug output on a live site (WP_DEBUG and WP_DEBUG_DISPLAY off, display_errors off in PHP) and log errors to a file outside the web root instead.
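Pulling together the core auto-update, the admin IP restriction, the file editor and the PHP error points above, here is an added example of the relevant wp-config.php settings; it is not the original post's code. The constants are real WordPress constants. The IP allow-list at the end is my own addition for the "extreme measure" section, assumes WordPress is installed at the site root, and uses 203.0.113.10, a documentation-range placeholder address that you must replace.

```php
<?php
// wp-config.php excerpt. These lines must sit above
//     require_once ABSPATH . 'wp-settings.php';
// because anything defined after that line is too late.

// Keep WordPress up-to-date: install every core release (minor and major) automatically.
define('WP_AUTO_UPDATE_CORE', true);

// Remove the plugin and theme editor screens from the dashboard, so an attacker
// holding an administrator session cannot paste PHP into a theme from the browser.
define('DISALLOW_FILE_EDIT', true);
// DISALLOW_FILE_MODS would also stop plugin installs and updates from the dashboard.
// Only set it if code is deployed outside WordPress (e.g. from version control).

// Disable PHP errors: no debug output or error messages to visitors. With WP_DEBUG off,
// WordPress leaves display_errors to php.ini, so force it off here as well. Do not turn
// on WP_DEBUG_LOG on a live site: it writes wp-content/debug.log, which is downloadable.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
define('WP_DEBUG_LOG', false);
@ini_set('display_errors', '0');

// Serve the dashboard and login form over HTTPS only, so the auth cookie never
// travels over plain HTTP.
define('FORCE_SSL_ADMIN', true);

// Extreme measure: allow the dashboard and login form only from known addresses.
// Assumes WordPress is installed at the site root and that REMOTE_ADDR is the real
// client (behind a reverse proxy it is the proxy; use the proxy's header instead).
// 203.0.113.10 is a documentation-range placeholder; put your office address here.
// admin-ajax.php and admin-post.php stay open: themes and plugins call them for
// ordinary visitors.
$admin_allowed_ips = ['203.0.113.10'];
$request_path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
if (preg_match('#^/(wp-admin/|wp-login\.php)#', $request_path)
    && !preg_match('#^/wp-admin/(admin-ajax|admin-post)\.php$#', $request_path)
    && !in_array($_SERVER['REMOTE_ADDR'] ?? '', $admin_allowed_ips, true)) {
    http_response_code(403);
    exit('Forbidden');
}
```

The allow-list runs before WordPress loads, so a blocked request costs almost nothing; the same rule can be expressed in the web server configuration instead if you prefer to keep logic out of wp-config.php.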

 

Recommendation: install an auditing plugin to monitor backend activity.

A good plugin for this purpose is WP Security Audit Log. This free plugin keeps a log of everything that happens in your site's backend, so you can see what users, and intruders, have been doing. It tracks events from the creation of a new user to file changes and edits of published posts.
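To show what such a plugin hooks into, here is an added example of a minimal audit logger as a must-use plugin; it is my code, not the original post's and not WP Security Audit Log's. The hooks are WordPress core actions. The log path (one directory above the web root, assuming ABSPATH is your document root) and the event names are my assumptions.

```php
<?php
/*
Plugin Name: Minimal audit log (example)
Description: Appends one JSON line per security-relevant backend event. Place in wp-content/mu-plugins/.
*/

// Assumed location: one directory above the web root, so the log cannot be downloaded.
// Adjust if ABSPATH is not your document root.
function mal_log_path(): string {
    return dirname(ABSPATH) . '/wp-audit.log';
}

// Append a JSON line. Anything the web server can write, an attacker who owns the
// web server can edit, so ship this file off the box (rsyslog, a log agent) rather
// than treating it as the only copy. syslog(LOG_INFO, $line) is the one-line alternative.
function mal_record(string $event, array $details = []): void {
    $actor = wp_get_current_user();   // empty WP_User when nobody is logged in
    $line  = wp_json_encode([
        'time'    => gmdate('c'),
        'event'   => $event,
        'actor'   => $actor->exists() ? $actor->user_login : '-',
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '-',
        'details' => $details,
    ]);
    file_put_contents(mal_log_path(), $line . PHP_EOL, FILE_APPEND | LOCK_EX);
}

// Authentication. wp_login fires before the current user is set, hence the explicit name.
add_action('wp_login', function ($user_login) {
    mal_record('login', ['user' => $user_login]);
});
add_action('wp_login_failed', function ($username) {
    mal_record('login_failed', ['user' => $username]);
});

// Account changes: new users, role changes and deletions are what an intruder does first.
add_action('user_register', function ($user_id) {
    $u = get_userdata($user_id);
    mal_record('user_created', ['id' => $user_id, 'user' => $u ? $u->user_login : '?', 'roles' => $u ? $u->roles : []]);
});
add_action('set_user_role', function ($user_id, $role, $old_roles) {
    mal_record('role_changed', ['id' => $user_id, 'new' => $role, 'old' => $old_roles]);
}, 10, 3);
add_action('deleted_user', function ($id, $reassign) {
    mal_record('user_deleted', ['id' => $id, 'reassigned_to' => $reassign]);
}, 10, 2);

// Code changes: anything that adds, removes or swaps executable code on the site.
add_action('activated_plugin', function ($plugin) { mal_record('plugin_activated', ['plugin' => $plugin]); });
add_action('deactivated_plugin', function ($plugin) { mal_record('plugin_deactivated', ['plugin' => $plugin]); });
add_action('deleted_plugin', function ($plugin, $deleted) { mal_record('plugin_deleted', ['plugin' => $plugin, 'ok' => $deleted]); }, 10, 2);
add_action('switch_theme', function ($new_name) { mal_record('theme_switched', ['theme' => $new_name]); });
add_action('upgrader_process_complete', function ($upgrader, $hook_extra) {
    mal_record('upgrade', $hook_extra);   // type (core/plugin/theme), action (install/update) and what
}, 10, 2);
```

Each line is self-describing JSON, so the file can be tailed by hand or fed to whatever log tooling you already have; a spike of login_failed lines followed by a user_created or role_changed line is the pattern to alert on.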

 

Recommendation: hide the login URL (wp-admin and wp-login.php)

Many plugins make this simple change for you, including Lockdown WP Admin and several of the major WordPress security plugins. It cuts down the noise from automated scripts that hammer the well-known wp-admin and wp-login.php URLs. It is obscurity, not a lock: a targeted attacker can still find the new path, and XML-RPC (xmlrpc.php) accepts a username and password too, so disable XML-RPC if nothing uses it and keep the measures above in place.

 

Recommendation: use a reputable hosting service with easy-to-reach technical support.

However well your website is secured, there will be a day when it gets hacked, sabotaged or breaks because of a user mistake. Then you may need the hosting provider's technical support to restore a backup from the last working state, or simply to assist with the recovery.

It is better to use a hosting service that assigns you an account manager; that person will know your website from the beginning, which makes getting help much easier.

 

Finally: take care of the passwords.

Do not save passwords on computers in plain text. Most modern malware scans user files for usernames, passwords and credit card numbers, and anything it finds is sent off to automated programs that carry out attacks on websites and servers.

Using a password manager such as LastPass is recommended.

 

In case of a hacking!

Let a skilled web developer or ethical hacker do the job of recovering the website and then strengthening its security.

Call us if no such person is at hand, or if you need it done at an affordable cost!

Voodoo and other forms of sorcery are also encouraged to bolster protection of the website. 😉

June 23rd – 25th Google Search Algorithm Update Seems Real

Many search engine experts are claiming that Google updated its Panda and Penguin algorithms between the 23rd and 25th of June.

They came to this conclusion after observing fluctuations in the SERP (search engine results page) positions of the websites they monitor.

Google Desktop SERP Fluctuation Last 30 days

Although it is too early to say exactly what changed in the algorithm, many suggest it is about content quality and internal linking.

Google's John Mueller hinted at the update in the tweet below.

 

 

Please check this post for more updates later on.

Google Plans to Replace Google Site Search with Custom Search Engine ( CSE )

Google plans to discontinue Google Site Search, a product it sold to web publishers who wanted to apply the industry's leading search technology to their own sites.

Signing up for the basic Custom Search Engine (CSE) is free, but if you need to remove Google branding and adverts, pricing starts from USD 100 a year.

Check the differences below and how they affect your website if it already uses Google Site Search.

Feature                                    Google Site Search   Free CSE
Search options
  Search the entire web
  Image-only search
Look and feel
  Option to remove ads
  Access to XML API for results
  JSON API                                 Unlimited            Daily limit
  Make money with AdSense
  Option to remove Google branding
Administration
  Transfer ownership
  Share query quotas with a business group
Technical support
  Access to the support forum
  Email support

Learn more about Custom Search Engine by Google.

This could affect your SEO if you have implemented GSS on your website; consult an SEO Sri Lanka service provider or a web design company in Sri Lanka about how to fix it.

Joomla 3.7 is released with a ton of new features including custom fields!

Joomla.org has released the latest version of Joomla! with a load of new features. Joomla developers around the world will be excited to try out these new features and improved workflows.

Custom fields allow a Joomla developer to show additional information with articles, such as data from a database. Multiple field types are supported in Joomla 3.7, including text fields, lists, selects and more.

Multilingual Sites

Making multilingual sites is easier and better managed thanks to the multilingual associations feature.

Improved Workflow

Build your menu item and your content type in one step!

More Convenience

  • See your global settings in your item, no more guess work or having to double check.
  • A flatter, more modern backend template.
  • An upgraded date and time picker, now multilingual.
  • A single login for your site’s backend and frontend. No need anymore to login separately!

Read the full news article at https://www.joomla.org/3/

How to enable RSS feeds in Magento

  1. In the Magento admin panel, navigate to System > Configuration.
  2. In the Rss Config section, set Enable RSS to 'Enable'.
  3. In the Catalog section, enable the feeds you need. An experienced Magento developer will know which ones to activate.
    • New Products. This feed tracks new products added to the store catalog.
    • Special Products. This feed syndicates products with special pricing.
    • Coupons/Discounts. Any special coupons or discounts in your store are added to this feed.
    • Tags Products. This feed syndicates newly added product tags.
    • Top Level Category. This feed tracks new top-level (root) categories in your catalog.
  4. Press Save Config.
  5. To see the activated feeds, add '/rss' after your site URL, e.g. 'http://yourdomainname.com/rss'.

Why has WordPress taken the lion's share of the CMS market over others like Joomla and Drupal?

WordPress is used to build 58% of the one million most visited websites in the world! Joomla and Drupal are great CMSes too, so it is worth understanding how WordPress got 58% of the most visited websites and is still growing.

While the leading CMSes, WordPress, Joomla and Drupal, are all mature, fully featured systems with huge community and industry backing, WordPress stands out. Let us see what the advantages are that make people love it so much.

  1. Target

    WordPress targets content websites, especially blogs, while other CMSes try to be the cure for every disease!
    Having a clearly defined use helps WordPress to be found easily and then adapted to other uses.

  2. User friendliness

    It is by far the easiest CMS to get started with. Hosted or self-hosted, WordPress lets you create a basic website within minutes.

    And once it is set up it is ready to publish content, unlike other CMSes where you may need to install and configure several plugins before they work properly. The best example is the WYSIWYG editor: WordPress ships with a very decent editor by default, Joomla's TinyMCE is far from perfect, and Drupal does not ship with an editor at all!

    Installing plugins and extending the features is also easy with WordPress. The built-in plugin browser can install most of the extensions you need, including the famous WooCommerce, the leading e-commerce plugin for WordPress.

    These are not the only factors behind the sweeping success WordPress enjoys these days, but a clearly defined user base and ease of use are clearly helping it win the CMS race.

PT to PX Converter & Font Size Measurements: Convert PT to Pixels, EMs and Percentages

Web design, like every computer-aided design discipline, uses several units to specify the size of elements on a page or screen. On this page we have a PT to PX converter and a PX to PT converter, and we try to provide a comprehensive set of tools for web designers who work with more than one unit. PT (points), PX (pixels), ems and percentages can be converted using the tools below.

Below is a chart that converts points to pixels (and to ems and percent). The pt and px columns follow the CSS convention of 96 pixels per inch (1 px = 0.75 pt) rounded to whole pixels, so treat them as approximate; the em and percent columns assume the browser default font size of 16 px, so the rendered size still depends on the font, browser and operating system.

These are important to know when you are doing web designs that fit every screen.

The chart below lists some frequently used sizes in points, pixels, ems and percent.

PT to PX Converter ( Points to Pixels) – PT to PX Calculator

PX to PT Converter ( Pixels to Points ) – PX to PT Calculator


PX to PT Conversion Table

Some commonly used values are in the below chart for your easy reference.
Points   Pixels   Ems       Percent
6pt      8px      0.5em     50%
7pt      9px      0.55em    55%
7.5pt    10px     0.625em   62.5%
8pt      11px     0.7em     70%
9pt      12px     0.75em    75%
10pt     13px     0.8em     80%
10.5pt   14px     0.875em   87.5%
11pt     15px     0.95em    95%
12pt     16px     1em       100%
13pt     17px     1.05em    105%
13.5pt   18px     1.125em   112.5%
14pt     19px     1.2em     120%
14.5pt   20px     1.25em    125%
15pt     21px     1.3em     130%
16pt     22px     1.4em     140%
17pt     23px     1.45em    145%
18pt     24px     1.5em     150%
20pt     26px     1.6em     160%
22pt     29px     1.8em     180%
24pt     32px     2em       200%
26pt     35px     2.2em     220%
27pt     36px     2.25em    225%
28pt     37px     2.3em     230%
29pt     38px     2.35em    235%
30pt     40px     2.45em    245%
32pt     42px     2.55em    255%
34pt     45px     2.75em    275%
36pt     48px     3em       300%

 

What is PT or Points used in Typography / Web Design

In typography, the point (pt) is the smallest unit of measure. It is used for measuring font size, leading and other items on a printed page. The size of the point has varied throughout the history of printing; since the 18th century it has ranged from 0.18 to 0.4 millimetres. The modern desktop-publishing point, which CSS also uses, is exactly 1/72 of an inch (about 0.3528 mm).

What is PX or Pixel used in Typography / Web Design

A pixel (px) at 96 DPI (dots per inch) is equal to 0.2645835 millimetres, 0.010416675 inches, or 0.75 point. For fonts it is a measure of how tall the font is in pixels on your screen. So if a font is 12 pixels in height, it takes up 12 pixels on your screen from the top of the letters to the bottom, including the parts of characters that drop below the baseline, such as the tail of a "p".

What is EM or EMS used in Typography / Web Design

An em is a unit of measurement. Just like pixels, ems can set the size of elements on a web page. Unlike pixels, which are absolute, ems are relative to the parent element's font size, so an em value can be calculated with the formula below.

Value in ems = desired pixel value / inherited pixel value

where the inherited pixel value is the parent's font size (16 px by default in browsers, which is why 1em = 16px = 100% in the chart above).

Lanka websites is a leading Web Design company in Sri Lanka with 12 years expertise in web design, dynamic website development and ecommerce website development.

USA Measurements PT or PX

In the USA, its often seen the use of multiple measurement units, especially in design and web development. Whether you’re dealing with points (pt) in print materials, pixels (px) for screen displays, or ems and percentages for responsive web design, it can get confusing. That’s where our PT to PX Converter comes in handy. It’s a simple, yet powerful tool designed to streamline your workflow. By instantly converting between points, pixels, ems, and percentages, it eliminates the guesswork and ensures accurate, consistent measurements across different platforms. No more struggling with complex calculations or relying on approximations. Our converter provides precise results, saving you time and effort. Whether you’re a seasoned designer or just starting out, our tool simplifies unit conversions, making your work easier and more efficient. Try our PT to PX Converter today and experience the convenience of seamless unit conversions. It’s a must-have tool for anyone working with design and web development in the USA.

Recursively applying proper directory permissions for your live Joomla website


Applying proper directory permissions to a live Joomla website is an important step in securing it against malicious users.

Use the commands below to recursively set permissions on files and directories; run them from the Joomla root. Joomla recommends 707 for the /images and /images/stories directories so that the web server can write uploads when it runs as a different user from the file owner. Be aware that 707 makes those directories writable by every account on the server; if the web server (or PHP-FPM) user owns the directory, 755 is enough and is safer. Whatever mode you choose, configure the web server not to execute PHP from upload directories.

# Run from the Joomla root directory (cd /path/to/joomla first).
# Files: owner read/write, everyone else read-only.
find . -type f -exec chmod 644 {} \;
# Directories: owner full access, everyone else read and traverse.
find . -type d -exec chmod 755 {} \;
# Upload directories the web server must write to (707 is world-writable; see the note above).
chmod 707 images
chmod 707 images/stories
# Hand the cache directory to the web server account (apache on RHEL/CentOS, www-data on Debian/Ubuntu).
chown apache:apache cache

Inserting an Iframe to Joomla article using JCE editor

Have you tried to embed an iframe in an article using the JCE editor in Joomla?

You may have been frustrated to see your iframe code stripped out when the article is finally saved.

Most of the time an iframe is the easiest way to include external content in a web page, such as videos, forms and social feeds.

A quick fix is to allow iframes in the JCE editor settings:

In the Joomla admin, go to Components > JCE Editor >

Profiles -> desired profile -> Plugin Parameters -> Allow IFrames.

The setting is in the Media Settings tab. Remember that an iframe embeds whatever the external URL serves, so enable it only for editor profiles whose users you trust.

How to stop Google indexing your site when it is under construction or maintenance


When you are building a new website with Joomla, or by any other method, on a live server, Google might index the half-finished pages and serve poor search results for a while. The simplest fix is to block Google from crawling the site with the good old robots.txt.

Change the content of robots.txt in the root folder to

User-agent: *
Disallow: /

That is it: compliant crawlers, Google included, will stop fetching your pages until you remove these lines. Note that robots.txt is advisory only; it does not stop anyone from reading the site, and a URL Google already knows from a link elsewhere can still appear in results without a snippet. If the site must stay private, put HTTP authentication in front of it or send an X-Robots-Tag: noindex header. And do not forget to replace these lines with the original Joomla robots.txt contents later:

User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /libraries/
Disallow: /media/
Disallow: /modules/
Disallow: /plugins/
Disallow: /templates/
Disallow: /tmp/
Disallow: /xmlrpc/