WordPress 5.8 comes out today and it has some VERY exciting capabilities. In short, it can help your site rank higher, go faster, look prettier, be more manageable, and get more creative.

Does this release sound too good to be true? Here’s a teaser of what WordPress 5.8 includes:

• WordPress 5.8 integrates ‘patterns’, which is an entire directory of ready to go layouts that you can add to any WP site via a simple copy/paste.
• WP 5.8 adds support for WebP images which are 30% smaller, makes your site faster, improves your visitor experience, and which, as we’ll explain on the show, can result in higher search engine rankings.
• Creating crazy complex block-driven pages? 5.8 includes a “list view” which lets you easily manage many blocks on a single page or post.
• The days of sterile boring sidebars are over! Sidebar widgets can now contain blocks and are editable in the WP block editor.

Just a few hours ago WordPress suddenly released 4.7.5 which is a security release. They mentioned about fixing six vulnerabilities. We highly recommend you to update to 4.7.5 as soon as possible. Unless you have disabled automatic updates, your site may have already been upgraded to WordPress 4.7.5. This security release is supposed to be a ‘minor’ release and WordPress by default automatically updates core minor releases.

However, there might be more than just fixing a few vulnerabilities because it went out without much pre-announcement. Due to the nature of its release, there are doubts that this release may have fixed more than the vulnerabilities that have been detailed on the WordPress blog.

In last update as well earlier this year, they delayed disclosing a vulnerability for a week. That vulnerability was the infamous WordPress defacement vulnerability which resulted in hundreds of thousands of sites being affected. We are not 100% sure at this point in time whether this release includes an additional security fix that is unannounced. But recent history indicates it is probably a good idea to update immediately.

We know from experience that having your website hacked is not fun. That’s why keeping your WordPress setups secure on regular basis has become essentially important. Your website should be carefully optimized to be as secure as possible. There are, however, still a handful of potential security risks, but taking few security measures can make wonders of differences. With that in mind, here are a few things you can do to improve your WordPress security.

• You should choose a hosting with proper research and select a company with a good track record of strong security.
• You should always keep everything up to date in your WordPress setup. Every new release contains patches and fixes that address potential vulnerabilities. Most of the hackers target older versions intentionally with known security lapses. Keep everything including plugins, themes. Don’t ignore this very important task with your WordPress site in regular basis.
• 10% of the hacked websites are down because of the weak passwords. Don’t assign common passwords which are generally a habit among the developers. Instruct your developers not to follow the habit to keep weak passwords.
• If you always use “admin” as username and you have a weak password, your website is very vulnerable to a malicious attack. There are known scripts running on internet with repeated login attempts using username as “admin”. After WordPress 3.0, now default usernames are no more “admin” as now you can choose your username at the time of the setup.
• One of the most essential parts of security is to limit login attempts. In the case of a hacker or a bot attempting a brute-force attack to crack your password, it can be useful to limit the number of failed login attempts from a single IP address. After certain attempts, you should block the IP for a specific period of time or for always depending upon your preferences. There is a well know plugin to achieve this is Limit Login Attempts
• In a default WordPress installation, you can navigate to Appearance > Editor and edit any of your theme files right in the dashboard. Now if someone hacks into your admin site and gain access to your files, they can edit your core theme files. So it is important to disable this method of file editing, by adding the following to your wp-config.php file: define( ‘DISALLOW_FILE_EDIT’, true );
• Avoid free unknown themes and plugins. Prefer to choose them from WordPress depository.
• There is no need to emphasize the importance of making regular backups of your website. This is something that many people put off until it’s too late. Even with the best security measures at your disposal, you never know when something unexpected could happen that might leave your site open to an attack. If that happens you want to make sure all of your content is safely backed up, so that you can easily restore your site to its former glory. One recommended backup system mostly used is BackupBuddy.
• There are tons of plugins you can use to tighten your site’s security and reduce the likelihood of being hacked. It is always recommended to use the security plugins to add extra bit to the security of the website.

This may all sound pretty overwhelming if you’re a beginner at WordPress but it’s just important to discuss the topic of security regularly. You don’t have to do everything on this list (although it certainly wouldn’t hurt). Even if you just remove the ‘admin’ username and start using stronger passwords, your site will be that little bit safer.

On average, 30,000 new websites are hacked each day. WordPress sites can be an easy target for attacks because of plugin vulnerabilities, weak passwords and outdated version of the software. Most WordPress admins don’t even know they’re vulnerable, but with alertness and security measures, an expert can help you fix common holes, stop automated attacks and strengthen user credentials.

Top 10 important steps to start securing your website immediately:

1. Change the urls for WordPress dashboard including login, admin etc. This will hide the login page (wp-login.php, wp-admin, admin and login) making it harder to find by automated attacks. Also rename “admin” account username. This will improve the security of your WordPress installation by removing common user attributes that can be used to target your site.
2. Completely turn off the ability to login for a given time period (away mode). As most sites are only updated at certain times of the day it is not always necessary to provide access to the WordPress dashboard 24 hours a day, 7 days a week. Disable access to the WordPress Dashboard for the specified period. Of course this depends on your work timings and access levels at multiple locations but this is a good practice.
3. Remove theme, plugin, and core update notifications from users who do not have permission to update them. Change wp-content path and rename the directory so that the most important directory can be saved from possible attacks.
4. Prevent public access to readme.html, readme.txt, wp-config.php, install.php, wp-includes, and .htaccess. These files can give away important information on your site and serve no purpose to the public once WordPress has been successfully installed.
5. Scan your website theme or plugin files regularly for malware to make sure that there are no injections to the files. Use server log files to obtain data on which files got changed recently. Ban troublesome bots, user agents and other hosts immediately. Prevent users from seeing a list of files in a directory when no index file is present.
6. Change the WordPress database table prefix. By default, WordPress assigns the prefix “wp” to all tables in the database where your content, users, and objects exist. For potential attackers, this means it is easier to write scripts that can target WordPress databases as all the important table names for 95% of sites are already known. Changing the “wp” prefix makes it more difficult for tools that are trying to take advantage of vulnerabilities in other places to affect the database of your site.
7. Prevent brute force attacks by banning hosts and users with too many invalid login attempts. If one had unlimited time and wanted to try an unlimited number of password combinations to get into your site they eventually would, right? This method of attack, known as a brute force attack, is something that WordPress is acutely susceptible by default as the system doesn’t care how many attempts a user makes to login. It will always let you try again. You should install tools or functions for enabling login limits to ban the host user from attempting to login again after the specified bad login threshold.
8. Force users to choose a unique nickname when updating their profile or creating a new account which prevents bots and attackers from easily harvesting user’s login usernames from the code on author pages. You can enforce password expiration; add a strong passwords generator to user profiles. For more advanced security to dashboard, force SSL for admin pages (on supporting servers).
9. Take or schedule backups of the websites on regular basis. There are automated tools available which can actually schedule backups of the entire site including database and migrate the site to another server or same server within minutes if required.
10. Ban users hitting a large number of non-existent pages which results them getting a large number of 404 errors. 404 detection assumes that a user who hits a lot of 404 errors in a short period of time is scanning for something (most probably vulnerability) and locks them out accordingly.

These are few of the most important steps to help improve the security of your WordPress installation from many common attack methods. For further steps take a look at 30 Ways to Secure Your WordPress Website. You cannot prevent every possible attack but nothing replaces diligence and good practice. Continuous monitoring is essential. There are many more known practices which you can implement on your WordPress site to prevent malicious injections to your site. We recommend hiring an expert to help secure your WordPress site. Don’t hesitate to contact Digital Saber for your questions.

Let us help you secure your WordPress site:

[zoho_form]