
WordPress and You: WordPress Security

WordPress security when setting up an install

Some security measures start at the very beginning: when you set up the initial WordPress
installation. If you are creating a new WordPress website, keep these tips in mind so that it starts
out more secure. If your website is already set up, you can still make these changes to your
WordPress settings with a little extra work.

The first is very easy: when creating the administrator account, choose a username other than the
default "admin". Brute-force tools try that username first, so picking another one removes half of
what an attacker has to guess. If your website is already set up, create a new administrator
account, sign in as that account, and delete the old "admin" account; when WordPress asks what
to do with its content, attribute the old account's posts to the new one rather than deleting them.
Also make sure that every administrator account has a long, unique password. You can use a
generator, such as the Strong Password Generator website, or a password manager to create and
store one.

The second thing you can do while setting up your WordPress website is to give the database a
name that does not include "wp" or "wordpress". This is obscurity rather than a real barrier, since
an attacker who already has SQL injection can ask the server for the current database name, but
it keeps the WordPress database from being the obvious target among several on a shared host.
Making this change with a website already set up requires a bit more work, but can still be done
relatively easily.

To make the change on an existing WordPress install, you will need access to your database
through phpMyAdmin and to your wp-config.php file. While the database is being renamed the site
cannot reach it, so expect a short period of downtime; make the change during an off-peak time,
and take a backup first (a full export of the database from phpMyAdmin is enough). Once you are
ready, open your database in phpMyAdmin. Under the Operations tab you will see the "Rename
database to:" section. Type in the new database name you would like to use for your website and
click "Go".

Renaming the database in phpMyAdmin (screenshot)

After the operation completes, you will need to make a few more changes. First, update your
wp-config.php file to reflect the new name. The file sits in the top-level directory WordPress is
installed in. Open it and look for the following:

// ** MySQL settings - You can get this info from your web host **
//
/** The name of the database for WordPress */
define('DB_NAME', 'user_databasename');

Once you have found these lines, change 'user_databasename' to the new database name. On
cPanel hosts the database name is prefixed with your account username (the "user_" part); keep
that prefix and change only the part after the underscore. If you would also like to change the
database username and password, their settings (DB_USER and DB_PASSWORD) are directly
below the database name.

Now that you have updated wp-config.php, make sure that the renamed database has the right
"Privileged User". MySQL grants are tied to the database name, so the user that could access the
old name has no rights on the new one until you add it back. In cPanel go to Databases > MySQL
Databases, find your database in the list of databases on your hosting account, and check the
"Privileged Users" shown beside it. If you do not see the right user, or no user at all, add the user
to the database below the list, under "Add a User to a Database", granting it all privileges on that
database only.
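The same procedure from an SSH shell, as an added example that is not part of the original post: MySQL has no RENAME DATABASE, so the database is copied under its new name with mysqldump, the WordPress user is granted on the new name, and the DB_NAME (or any other) define in wp-config.php is rewritten. The database names, the WordPress user and the admin account are placeholders, and the script assumes the MySQL admin password is supplied through ~/.my.cnf so that no prompt interrupts the pipeline; the copy and grant step needs a running MySQL server, while the wp-config.php helpers work on any copy of the file.

```shell
#!/bin/sh
# Added example (not from the original post): rename a WordPress database
# from the shell. Steps: copy the tables into a new database, grant the
# WordPress user on it, point wp-config.php at the new name.
# Assumes ~/.my.cnf holds the MySQL admin password (no -p prompts).

# Print the value of define('KEY', 'value'); from a wp-config.php file.
# Handles both spacings WordPress has shipped: define('X','y') and define( 'X', 'y' ).
get_wp_define() {   # get_wp_define <wp-config.php> <KEY>
    sed -n "s|^define( *'$2', *'\([^']*\)' *);.*|\1|p" "$1"
}

# Replace the value of a define in place (written via a temp file, so it
# works with both GNU and BSD sed). The value may not contain ' | & or \,
# which would break the sed expression.
set_wp_define() {   # set_wp_define <wp-config.php> <KEY> <VALUE>
    case "$3" in
        *\'*|*\|*|*\&*|*\\*)
            echo "set_wp_define: value may not contain ' | & or \\" >&2
            return 1 ;;
    esac
    tmp="$1.tmp.$$"
    sed "s|^define( *'$2', *'[^']*' *);|define('$2', '$3');|" "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Copy every table into a new database and grant the WordPress user on it.
# The old database is left in place: drop it by hand once the site works.
# Run off-peak: writes that land between the dump and the switch-over are lost.
copy_wp_database() {   # copy_wp_database <old_db> <new_db> <wp_db_user> [admin_user]
    old="$1"; new="$2"; wpuser="$3"; admin="${4:-root}"
    mysql -u "$admin" -e "CREATE DATABASE \`$new\` CHARACTER SET utf8mb4;" || return 1
    mysqldump -u "$admin" --single-transaction "$old" | mysql -u "$admin" "$new" || return 1
    mysql -u "$admin" -e "GRANT ALL PRIVILEGES ON \`$new\`.* TO '$wpuser'@'localhost'; FLUSH PRIVILEGES;"
}

# Example sequence (placeholders; uncomment to run against a real host):
# copy_wp_database user_databasename user_blog2 user_wp
# set_wp_define /var/www/html/wp-config.php DB_NAME user_blog2
# get_wp_define /var/www/html/wp-config.php DB_NAME    # prints user_blog2
```

Run the steps in that order: copy the database, rewrite DB_NAME (and DB_USER / DB_PASSWORD if you changed those too), load the site, and only then drop the old database.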

Backend Security

There are a few changes to your files and directories that can enhance your website's security.
Keeping file permissions at the defaults WordPress expects, and tightening the permission on
wp-config.php (which holds your database credentials and the authentication salts), helps keep
the site secure. To change permissions you need access to your files, via SSH, FTP, or cPanel's
File Manager. Check that all of your files and directories are set to the following:

Directories should have their permissions set to 750 or 755

All files should have their permissions set to 640 or 644

Your wp-config.php file should have its permissions set to 400 or 440

The owner-only modes (750, 640, 400) assume that PHP runs as the user who owns the files, as it
does under suPHP, CGI or a per-user PHP-FPM pool on most shared hosts. If PHP runs as a
separate web server user (for example mod_php running as apache or www-data), mode 400
makes wp-config.php unreadable to PHP and the site fails with a database connection error; in
that case use 440 with the web server's group, or the more permissive option of each pair.
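An audit script for the modes listed above, as an added example that is not part of the original post: it lists every directory, file and wp-config.php whose mode falls outside the 750/755, 640/644 and 400/440 ranges, and can reset a tree to the permissive end of each range. It uses only POSIX find and chmod (a -perm value without a leading sign means an exact match); the path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree
# against the recommended modes and, optionally, repair it.
# Run it over SSH as the user who owns the files, e.g.
#   sh wp-perms.sh /var/www/html        (audit only)

# List every path whose mode is outside the baseline. Returns 1 if any,
# 0 if the tree is clean. "-perm 755" matches that exact mode.
audit_wp_perms() {   # audit_wp_perms <wordpress-root>
    root="$1"
    out=$( {
        find "$root" -type d ! -perm 750 ! -perm 755 -exec printf 'dir  %s\n' {} \;
        find "$root" -type f ! -name wp-config.php ! -perm 640 ! -perm 644 \
            -exec printf 'file %s\n' {} \;
        if [ -f "$root/wp-config.php" ]; then
            find "$root/wp-config.php" ! -perm 400 ! -perm 440 -exec printf 'cfg  %s\n' {} \;
        fi
    } )
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Reset the tree: directories 755, files 644, wp-config.php 400 by default.
# Pass 440 as the second argument when PHP runs as a different user that
# shares the file's group (see the note above).
fix_wp_perms() {   # fix_wp_perms <wordpress-root> [wp-config-mode]
    root="$1"; cfg_mode="${2:-400}"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod "$cfg_mode" "$root/wp-config.php"; fi
}

# Audit the root given on the command line, if any.
if [ -n "${1:-}" ]; then audit_wp_perms "$1"; fi
```

wp-content/uploads is the directory most often found at 777 after a careless "fix"; the audit flags it, and 755 is enough for uploads as long as PHP runs as the file owner.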

Another useful tool at your disposal is your .htaccess file. With it you can block IP addresses that
appear on blocklists or have caused trouble on your website before. To do this, add the following
lines to the .htaccess file in WordPress's installation directory:

Order Deny,Allow
Deny from 1.1.1.1

Where the IP address 1.1.1.1 is the one you would like to block (replace it; 1.1.1.1 is a real public
address). This prevents anyone using that IP address from reaching your website. Two caveats:
this Order/Deny/Allow syntax is Apache 2.2's and works on Apache 2.4 only while the
mod_access_compat module is loaded, which most shared hosts still do; and an attacker who
simply switches addresses is not slowed down, so treat IP blocking as a nuisance filter rather than
a defence.

You can block everyone else from reaching your wp-admin area with a "Deny from all" rule in your
.htaccess file. To do this, create an .htaccess file in your /wp-admin directory and add the
following rule to it:

Order Deny,Allow
Deny from all
Allow from $yourIPaddress

With this rule, only visitors coming from your IP address will be able to see the wp-admin pages;
everyone else is denied. If you have multiple admins for your website, allow more addresses by
adding another "Allow from $IPaddress" line for each of them. Three things to keep in mind: the
login form itself is wp-login.php in the WordPress root, not inside /wp-admin, so it needs its own
rule in the top-level .htaccess; if your address changes (home broadband, mobile) you lock
yourself out until you edit the file over FTP or File Manager; and /wp-admin/admin-ajax.php is
called by many themes and plug-ins on behalf of ordinary visitors, so restricting all of /wp-admin
can break public features unless that file is exempted.
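The rules just described, generated by a small shell script, as an added example that is not from the original post: it prints the contents of /wp-admin/.htaccess and a wp-login.php block for the root .htaccess, in both the Apache 2.2 Order/Deny/Allow syntax used above and the Apache 2.4 Require syntax (Apache reads whichever <IfModule> matches the loaded module), with admin-ajax.php left open for front-end use. The addresses in the usage comment are RFC 5737 documentation ranges standing in for your admins' real addresses.

```shell
#!/bin/sh
# Added example (not from the original post): generate .htaccess access
# rules for the WordPress dashboard and login form that work on both
# Apache 2.2 (mod_access_compat) and Apache 2.4 (mod_authz_core).
# Usage (placeholder paths and documentation-range addresses):
#   wp_admin_htaccess 203.0.113.7 198.51.100.0/24 >  /var/www/html/wp-admin/.htaccess
#   wp_login_htaccess 203.0.113.7 198.51.100.0/24 >> /var/www/html/.htaccess

# Directives that admit only the given IPs or CIDR ranges, in both syntaxes.
# On 2.4 a bare "Require ip" denies every address not listed.
access_rules() {   # access_rules <ip-or-cidr> [...]
    printf '<IfModule mod_authz_core.c>\n'
    printf '    Require ip %s\n' "$*"
    printf '</IfModule>\n'
    printf '<IfModule !mod_authz_core.c>\n'
    printf '    Order Deny,Allow\n'
    printf '    Deny from all\n'
    for ip in "$@"; do printf '    Allow from %s\n' "$ip"; done
    printf '</IfModule>\n'
}

# Contents of wp-admin/.htaccess. admin-ajax.php is exempted because themes
# and plug-ins call it for anonymous visitors on the public site; a later
# <Files> section overrides the directory-level rule in both Apache versions.
wp_admin_htaccess() {   # wp_admin_htaccess <ip-or-cidr> [...]
    [ $# -gt 0 ] || { echo 'usage: wp_admin_htaccess IP [IP...]' >&2; return 1; }
    printf '# Dashboard restricted to administrator addresses\n'
    access_rules "$@"
    printf '<Files admin-ajax.php>\n'
    printf '    <IfModule mod_authz_core.c>\n        Require all granted\n    </IfModule>\n'
    printf '    <IfModule !mod_authz_core.c>\n        Order Allow,Deny\n        Allow from all\n    </IfModule>\n'
    printf '</Files>\n'
}

# Block for the document-root .htaccess: wp-login.php is not under /wp-admin/,
# so the directory rule above never covers the login form.
wp_login_htaccess() {   # wp_login_htaccess <ip-or-cidr> [...]
    [ $# -gt 0 ] || { echo 'usage: wp_login_htaccess IP [IP...]' >&2; return 1; }
    printf '<Files wp-login.php>\n'
    access_rules "$@" | sed 's/^/    /'
    printf '</Files>\n'
}
```

Both syntaxes need the host's AllowOverride to permit Limit (2.2) or AuthConfig (2.4) in .htaccess files, which shared cPanel hosts normally do; if a rule has no effect, that setting is the first thing to check. Keep a second way in (FTP or File Manager) before deploying, since a typo in these files locks you out of the dashboard.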

If you have old plug-ins you no longer use, deactivate them and remove them from your
WordPress website: a deactivated plug-in is still code on disk that an attacker can request directly,
so if you do not need it, do not have it installed. Finally, keeping WordPress core, themes and
plug-ins up to date helps tremendously with your WordPress security, since many compromises
exploit a component with a publicly known, already patched vulnerability.

Webmaster Wednesday Tip: .htaccess

For this week's Webmaster Wednesday we will cover .htaccess. The .htaccess file, or hypertext
access file, is a per-directory configuration file read by the Apache web server, and it is a very
useful tool for your websites (Nginx and other servers ignore it, so these rules only apply on
Apache-based hosting). With it you can set up "rules" that affect how your website is served, or
who can access it. You can easily use it to: redirect your URL, either to another domain or another
directory; force https, if you have an SSL certificate installed, or force your website to load with
www; block IP addresses; or restrict access by requiring a username and password for a certain
page or directory.

If you’re using any type of CMS, such as WordPress or Joomla, you probably already have
an .htaccess file created with rules set up. Because .htaccess is a “dot file” it is considered a
hidden file – so it won’t show up by default if you’re using cPanel’s File Manager. If you’re not
seeing it in your directory, you will need to make sure that you have this option enabled prior to
accessing the files via File Manager. If you still do not see the file, it is likely that it doesn’t exist
yet.

You can easily create the .htaccess file with any text editor or with cPanel’s File Manager. When
creating the file, make sure that the name for it is exactly “.htaccess” with no other extensions
(.txt or .doc).

Sample .htaccess Rules

Here are some very simple, and commonly used .htaccess rules. Most of these sample rules are
ready to go and can be used in your .htaccess files without changing any of the information
making them easier to use for beginners.

After an SSL certificate has been installed for your domain or subdomain, you will want to force
https:// for your domain. That way, when people visit your website they are redirected to
"https://domain.com" and load it securely. One caveat: if a CDN or load balancer terminates TLS in
front of your server, %{HTTPS} stays "off" at the origin and the rule below redirects in a loop; in
that setup test the X-Forwarded-Proto request header instead of %{HTTPS}.

<IfModule mod_rewrite.c>
RewriteEngine On
# Place this above the "# BEGIN WordPress" block so it runs before WordPress's own rewrite.
# Any request that did not arrive over TLS is sent to the same URL on https://.
# R=301 is a permanent redirect; use plain R while testing so browsers do not cache a mistake.
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</IfModule>

If you want your website to always load with "www.", add the following lines to your .htaccess file
and every visitor will be redirected to "www.domain.com" on whichever scheme they arrived with:
the %{HTTPS}s condition captures an "s" only when the request is already HTTPS, so the redirect
never downgrades a secure visitor to plain http.

RewriteEngine On
# Skip requests with no Host header, and hosts that already start with www.
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
# %1 is "s" when HTTPS is on and empty otherwise, so http%1:// keeps the scheme
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

If you want to redirect your domain's front page to a subdirectory (such as domain.com/forums),
you can do so with the following line, where $DIRECTORY is the subdirectory to redirect to. Only
the bare "/" is matched, so other paths are unaffected; RedirectMatch sends a temporary (302)
redirect unless you put 301 after it:

RedirectMatch ^/$ /$DIRECTORY

If you have IP address(es) that you would like to block from your website, add the following lines
to your .htaccess. Replace 1.1.1.1 with the address to block (1.1.1.1 itself is a real public resolver,
so do not leave it in) and they will no longer have access to your website. To add more, put
another "Deny from $IP" on the next line; a CIDR range such as 203.0.113.0/24 is accepted as
well.

Order Deny,Allow
Deny from 1.1.1.1

There are plenty of good free resources available once you want to get into more advanced
setups and rules for your .htaccess files. Until then, these rules will make things easier when you
are setting up some simple rules for your website.