The Ultimate WordPress Security Guide (Step by Step)

The post The Ultimate WordPress Security Guide (Step by Step) appeared first on WPBeginner.

WordPress security is a topic of huge importance for every website owner. Each week, Google blacklists around 20,000 websites for malware and around 50,000 for phishing. If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.

Improve WordPress Security

While WordPress core software is very secure, and it’s audited regularly by hundreds of developers, there is a lot that can be done to harden your WordPress website.

At WPBeginner, we believe that security is not just about risk elimination. It’s also about risk reduction. As a website owner, there’s a lot that you can do to improve your WordPress security (even if you’re not tech savvy).

We have a number of actionable steps that you can take to improve your WordPress security.

To make it easy, we have created a table of contents to help you navigate through our ultimate WordPress security guide.

Table of Contents

Basics of WordPress Security

WordPress Security in Easy Steps (No Coding)

WordPress Security for DIY Users

Ready? Let’s get started.

Why Is Website Security Important?

A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information and passwords, install malicious software, and even distribute malware to your users.

Worse, you may find yourself paying a ransom to hackers just to regain access to your website.

Why WordPress Security is Important

In March 2016, Google reported that more than 50 million website users had been warned that a website they were visiting may contain malware or steal information.

Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.

If your website is a business, then you need to pay extra attention to your WordPress security.

Just as it is a business owner’s responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your business website.

Keeping WordPress Updated

WordPress is open source software that is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update.

WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers who regularly release updates as well.

These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date.
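To tell which kind of update is pending, here is an added Python example (written for this guide, not code from WPBeginner or from WordPress itself). It reads the $wp_version string that WordPress core keeps in wp-includes/version.php and classifies the gap to a given latest version as a minor release, which WordPress installs on its own, or a major release, which you have to start yourself. The version.php contents and the "latest" value are constructed sample inputs; on a real site you would read the actual file and take the latest version from the Updates screen.

```python
import re

# Constructed sample of wp-includes/version.php (the real file assigns
# $wp_version in this form; the version number here is made up).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.1.1';
"""


def parse_wp_version(version_php: str) -> str:
    """Return the $wp_version string from the contents of wp-includes/version.php."""
    match = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if match is None:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def version_tuple(version: str) -> tuple:
    """'4.1.1' -> (4, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def classify_update(installed: str, latest: str) -> str:
    """Classify the pending update as 'current', 'minor' or 'major'.

    WordPress numbers major releases X.Y (4.1, 4.2) and minor security and
    maintenance releases X.Y.Z (4.1.1).  Minor releases are installed
    automatically by default; a major release must be started by the owner.
    """
    current, newest = version_tuple(installed), version_tuple(latest)
    if newest <= current:
        return "current"
    if current[:2] == newest[:2]:
        return "minor"
    return "major"


def update_report(version_php: str, latest: str) -> dict:
    """Summarise what the site owner has to do for the site in version_php."""
    installed = parse_wp_version(version_php)
    kind = classify_update(installed, latest)
    return {
        "installed": installed,
        "latest": latest,
        "update": kind,
        # only a major release needs the manual step described above
        "needs_manual_update": kind == "major",
    }


if __name__ == "__main__":
    # "4.2" is a constructed value; take the real one from the Updates screen
    print(update_report(SAMPLE_VERSION_PHP, "4.2"))
```

Run it against the sample and it reports a major update that will not arrive on its own; feed it "4.1.2" instead and it reports a minor one that auto-update handles.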

Strong Passwords and User Permissions

Manage strong passwords

The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using strong passwords that are unique to your website. Not just for the WordPress admin area, but also for FTP accounts, the database, your WordPress hosting account, and your professional email address.

The top reason beginners don’t like using strong passwords is that they’re hard to remember. The good news is that you don’t need to remember passwords anymore: you can use a password manager. See our guide on how to manage WordPress passwords.

Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new users and authors to your WordPress site.

The Role of WordPress Hosting

Your WordPress hosting service plays the most important role in the security of your WordPress site. A good shared hosting provider like BlueHost or Siteground takes extra measures to protect their servers against common threats.

However, on shared hosting you share server resources with many other customers. This opens up the risk of cross-site contamination, where a hacker can use a neighboring site to attack your website.

Using a managed WordPress hosting service provides a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website.

We recommend WPEngine as our preferred managed WordPress hosting provider. They’re also the most popular one in the industry. (See our special WPEngine coupon).

WordPress Security in Easy Steps (No Coding)

We know that improving WordPress security can be a terrifying thought for beginners, especially if you’re not techy. Guess what – you’re not alone.

We have helped thousands of WordPress users in hardening their WordPress security.

We will show you how you can improve your WordPress security with just a few clicks (no coding required).

If you can point-and-click, you can do this!

Install a WordPress Backup Solution

Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.

Backups allow you to quickly restore your WordPress site in case something bad were to happen.

There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account).

We recommend storing them on a cloud service like Amazon or Dropbox, or on a private cloud like Stash.

Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.

Thankfully this can be easily done by using plugins like VaultPress or BackupBuddy. They are both reliable and most importantly easy to use (no coding needed).

Best WordPress Security Plugin

After backups, the next thing we need to do is set up an auditing and monitoring system that keeps track of everything that happens on your website.

This includes file integrity monitoring, failed login attempts, malware scanning, etc.

Thankfully, this can all be taken care of by the best free WordPress security plugin, Sucuri Scanner.

You need to install and activate the free Sucuri Security plugin. For more details, please see our step by step guide on how to install a WordPress plugin.

Upon activation, you need to go to the Sucuri menu in your WordPress admin.

Sucuri Admin Menu

The first thing you will be asked to do is Generate a free API key. This enables audit logging, integrity checking, email alerts, and other important features.

Sucuri Generate Free API

The next thing you need to do is click on the Hardening tab in the Sucuri menu. Go through every option and click on the “Harden” button.

Sucuri Hardening

These options help you lock down the key areas that hackers often use in their attacks. The only hardening option that’s a paid upgrade is the Web Application Firewall, which we will explain in the next step, so skip it for now.

We have also covered a lot of these “Hardening” options later in this article for those who want to do it without using a plugin, as well as the ones that require additional steps such as “Database Prefix change” or “Changing the Admin Username”.

After the hardening part, most of this plugin’s default settings are good and don’t need changing. The only thing we recommend customizing is the Email Alerts.

The default alert settings can clutter your inbox with emails. We recommend receiving alerts for key actions like changes in plugins, new user registration, etc. You can configure the alerts by going to Sucuri Settings » Alerts.

Sucuri Email Alerts

This WordPress security plugin is very powerful, so browse through all the tabs and settings to see everything it does, such as malware scanning, audit logs, failed login attempt tracking, etc.
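To show what the file integrity monitoring mentioned above actually does, here is an added Python example (written for this guide; it is not code from WPBeginner or from the Sucuri plugin). It hashes every file under a site root into a baseline, compares a later scan against it, and singles out the change pattern that most often means trouble: a PHP file appearing or changing inside wp-content/uploads, a directory that should only hold media. The demo() function builds a throwaway constructed tree so the whole cycle runs offline; point build_baseline at a real site root to use it for real.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads never sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (path relative to root, '/' separated) to its hash."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue  # record what is in the tree, not what a link points at
            baseline[path.relative_to(root_path).as_posix()] = hash_file(path)
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Classify the differences between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(name for name in old.keys() & new.keys() if old[name] != new[name]),
    }


def suspicious_changes(diff: dict) -> list:
    """Changes worth an alert on their own: PHP files appearing or changing
    under wp-content/uploads, which should only ever hold media."""
    return [
        name for name in diff["added"] + diff["modified"]
        if name.startswith("wp-content/uploads/") and name.endswith(".php")
    ]


def demo() -> dict:
    """Run the whole cycle against a constructed throwaway tree (not a real site)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php // constructed sample\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 constructed bytes")
        baseline = build_baseline(tmp)

        # Simulate a later scan: one core file altered, one PHP file dropped into uploads.
        (root / "index.php").write_text("<?php // constructed sample, now altered\n")
        (root / "wp-content" / "uploads" / "dropped.php").write_text("<?php // unexpected\n")
        diff = compare_baseline(baseline, build_baseline(tmp))
        diff["suspicious"] = suspicious_changes(diff)
        return diff


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server cannot write to (or off the server entirely, like your backups); a baseline that an intruder can rewrite after modifying files is worth nothing.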

Enable Web Application Firewall (WAF)

The easiest way to protect your website and be confident about your WordPress security is by using a web application firewall (WAF). The firewall blocks all malicious traffic before it even reaches your website.

Sucuri Website Application Firewall

We use and recommend Sucuri as the best web-application firewall for WordPress. You can read about how Sucuri helped us block 450,000 WordPress attacks in a month.

Sucuri Attack Block Chart

The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically, if you were to be hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).

This is a pretty strong warranty, because repairing hacked websites is expensive. Security experts normally charge $250 per hour, whereas you can get the entire Sucuri security stack for $199 per year.

Improve your WordPress Security with the Sucuri Firewall »

Sucuri is not the only firewall provider out there. The other popular competitor is Cloudflare. See our comparison of Sucuri vs Cloudflare (Pros and Cons).

WordPress Security for DIY Users

If you do everything that we have mentioned thus far, then you’re in pretty good shape.

But as always, there’s more that you can do to harden your WordPress security.

Some of these steps may require coding knowledge.

Change the Default “admin” username

In the old days, the default WordPress admin username was “admin”. Since usernames make up half of the login credentials, this made brute-force attacks easier for hackers.

Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.

However, some 1-click WordPress installers still set the default admin username to “admin”. If you notice that to be the case, then it’s probably a good idea to switch your web hosting.

Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.

  1. Create a new admin username and delete the old one.
  2. Use the Username Changer plugin.
  3. Update the username from phpMyAdmin.

We have covered all three of these in our detailed guide on how to properly change your WordPress username (step by step).

Note: We’re talking about the username called “admin”, not the administrator role.

Disable File Editing

WordPress comes with a built-in code editor that allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature is a security risk, which is why we recommend turning it off.

Disable file editing

You can easily do this by adding the following code to your wp-config.php file.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.

Disable PHP File Execution in Certain WordPress Directories

Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed such as /wp-content/uploads/.

You can do this by opening a text editor like Notepad and pasting this code:

<Files *.php>
deny from all
</Files>

Next, you need to save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client.

For a more detailed explanation, see our guide on how to disable PHP execution in certain WordPress directories.

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.

Limit Login Attempts

By default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute force attacks, where hackers try to crack passwords by attempting to log in with different combinations.

This can be easily fixed by limiting the number of failed login attempts a user can make. If you’re using the web application firewall mentioned earlier, then this is automatically taken care of.

However, if you don’t have the firewall set up, then proceed with the steps below.

First, you need to install and activate the Login LockDown plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, visit the Settings » Login LockDown page to set up the plugin.

Login LockDown settings

For detailed instructions, take a look at our guide on how and why you should limit login attempts in WordPress.

Change WordPress Database Prefix

By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default database prefix, then it is easier for hackers to guess your table names. This is why we recommend changing it.

You can change your database prefix by following our step by step tutorial on how to change WordPress database prefix to improve security.

Note: This can break your site if it’s not done properly. Only proceed if you feel comfortable with your coding skills.

Password Protect WordPress Admin and Login Page

Password protecting wp-admin

Normally, hackers can request your wp-admin folder and login page without any restriction. This allows them to try their hacking tricks or run DDoS attacks.

You can add an additional layer of password protection on the server side, which will effectively block those requests.

Follow our step-by-step instructions on how to password protect your WordPress admin (wp-admin) directory.

Disable Directory Indexing and Browsing

Directory browsing

Directory browsing can be used by hackers to find out whether you have any files with known vulnerabilities, so they can take advantage of those files to gain access.

Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is highly recommended that you turn off directory indexing and browsing.

You need to connect to your website using FTP or cPanel’s file manager. Next, locate the .htaccess file in your website’s root directory. If you cannot see it there, then refer to our guide on why you can’t see the .htaccess file in WordPress.

After that, you need to add the following line at the end of the .htaccess file:

Options -Indexes

Don’t forget to save and upload the .htaccess file back to your site. For more on this topic, see our article on how to disable directory browsing in WordPress.
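The four file-level hardening steps above (disabling file editing, blocking PHP in uploads, changing the database prefix, and turning off directory listing) are easy to forget after a migration or a hosting change, so here is an added Python example that checks all of them at once. It is written for this guide and is not code from WPBeginner or WordPress; it parses the text of wp-config.php, the root .htaccess and the uploads .htaccess and reports which steps are still missing. The three sample files are constructed inputs. One caveat the check builds in: the "deny from all" line shown above is Apache 2.2 syntax, which Apache 2.4 only honours when mod_access_compat is loaded, so the check also accepts the 2.4 form "Require all denied".

```python
import re

# Constructed sample files (not taken from any real site).  The wp-config.php
# still has the shipped defaults; the uploads .htaccess has the block from above.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
"""

SAMPLE_ROOT_HTACCESS = """# BEGIN WordPress
RewriteEngine On
# END WordPress
"""

SAMPLE_UPLOADS_HTACCESS = """<Files *.php>
deny from all
</Files>
"""


def file_edit_disabled(wp_config: str) -> bool:
    """True when wp-config.php defines DISALLOW_FILE_EDIT as the boolean true."""
    pattern = r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)"
    return re.search(pattern, wp_config) is not None


def table_prefix(wp_config: str):
    """The $table_prefix value, or None if the assignment is missing."""
    match = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", wp_config)
    return match.group(1) if match else None


def active_lines(htaccess: str) -> list:
    """Directive lines only: blank lines and # comments are dropped."""
    return [line.strip() for line in htaccess.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def directory_listing_disabled(htaccess: str) -> bool:
    """True when an Options directive switches Indexes off (other options may be present)."""
    for line in active_lines(htaccess):
        if re.match(r"Options\b", line, re.I) and re.search(r"(^|\s)-Indexes(\s|$)", line, re.I):
            return True
    return False


def php_execution_blocked(htaccess: str) -> bool:
    """True when a <Files>/<FilesMatch> block for .php files denies access, in either
    the Apache 2.2 form 'deny from all' or the Apache 2.4 form 'Require all denied'."""
    block = re.search(r"<Files(?:Match)?\s+[^>]*php[^>]*>(.*?)</Files(?:Match)?>",
                      htaccess, re.S | re.I)
    if block is None:
        return False
    return re.search(r"^\s*(deny\s+from\s+all|Require\s+all\s+denied)\s*$",
                     block.group(1), re.M | re.I) is not None


def audit(wp_config: str, root_htaccess: str, uploads_htaccess: str) -> dict:
    """One boolean per hardening step; True means the step is in place."""
    prefix = table_prefix(wp_config)
    return {
        "file_edit_disabled": file_edit_disabled(wp_config),
        "custom_table_prefix": prefix is not None and prefix != "wp_",
        "directory_listing_disabled": directory_listing_disabled(root_htaccess),
        "uploads_php_blocked": php_execution_blocked(uploads_htaccess),
    }


def findings(report: dict) -> list:
    """Names of the steps that still need doing."""
    return sorted(name for name, in_place in report.items() if not in_place)


if __name__ == "__main__":
    report = audit(SAMPLE_WP_CONFIG, SAMPLE_ROOT_HTACCESS, SAMPLE_UPLOADS_HTACCESS)
    print(report)
    print("still to do:", findings(report))
```

The audit only reads the files, so it is safe to run as often as you like; the sample run reports that the uploads directory is protected and the other three steps are still open.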

Disable XML-RPC in WordPress

XML-RPC was enabled by default in WordPress 3.5 because it helps connect your WordPress site with web and mobile apps.

However, because of its powerful nature, XML-RPC can significantly amplify brute-force attacks.

For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts, which would be caught and blocked by the login lockdown plugin.

But with XML-RPC, a hacker can use the system.multicall function to try thousands of passwords with, say, 20 or 50 requests.

This is why, if you’re not using XML-RPC, we recommend that you disable it.

There are 3 ways to disable XML-RPC in WordPress, and we have covered all of them in our step by step tutorial on how to disable XML-RPC in WordPress.

Tip: The .htaccess method is the best one because it’s the least resource intensive.

If you’re using the web-application firewall mentioned earlier, then this can be taken care of by the firewall.
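As an added example (not code from WPBeginner, from the Login LockDown plugin or from any firewall), the Python script below shows the detection logic that a login limiter applies, run over a few constructed Apache access-log lines: it counts POST requests to /wp-login.php and /xmlrpc.php per source address inside a five-minute sliding window and reports sources that reach a threshold. It serves both the Limit Login Attempts step and this XML-RPC section. The xmlrpc.php threshold is deliberately much lower, because one request can bundle many attempts and request counts therefore understate what is being tried, which is exactly why disabling the endpoint when it is unused is the better fix. The thresholds, the window and the log lines are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format log lines.  The addresses come from the
# RFC 5737 documentation ranges; nothing here was taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2016:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2016:13:56:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2016:14:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 892 "-" "-"
192.0.2.9 - - [10/Oct/2016:14:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 892 "-" "-"
192.0.2.9 - - [10/Oct/2016:14:03:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 892 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Attempts per source address within WINDOW that raise an alert (assumed values).
# The xmlrpc.php threshold is far lower because one system.multicall request can
# carry many login attempts, so the request count understates the real activity.
THRESHOLDS = {"/wp-login.php": 5, "/xmlrpc.php": 3}
WINDOW = timedelta(minutes=5)


def parse_line(line: str):
    """Split one access-log line into its fields, or return None if it does not parse."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    record = match.groupdict()
    record["ts"] = datetime.strptime(record["ts"], "%d/%b/%Y:%H:%M:%S %z")
    record["path"] = record["path"].split("?", 1)[0]  # drop any query string
    return record


def counts_as_attempt(record: dict) -> bool:
    """Only POSTs to the watched endpoints matter.  For wp-login.php a failed login
    re-renders the form with status 200 while a successful one redirects with 302,
    so successes are left out; every xmlrpc.php POST is counted."""
    if record["method"] != "POST" or record["path"] not in THRESHOLDS:
        return False
    if record["path"] == "/wp-login.php":
        return record["status"] == "200"
    return True


def flag_bursts(lines) -> list:
    """Return sorted (ip, path, peak) tuples for sources whose attempts inside any
    WINDOW-long span reached the threshold for that path."""
    events = defaultdict(list)
    for line in lines:
        record = parse_line(line)
        if record is not None and counts_as_attempt(record):
            events[(record["ip"], record["path"])].append(record["ts"])

    alerts = []
    for (ip, path), times in events.items():
        times.sort()
        start, peak = 0, 0
        for end, stamp in enumerate(times):  # sliding window over sorted timestamps
            while stamp - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= THRESHOLDS[path]:
            alerts.append((ip, path, peak))
    return sorted(alerts)


if __name__ == "__main__":
    for ip, path, peak in flag_bursts(SAMPLE_LOG.splitlines()):
        print(f"{ip} made {peak} attempts against {path} within {WINDOW}")
```

On the sample, the address hammering wp-login.php and the one posting repeatedly to xmlrpc.php are both reported, while the user who logged in successfully (the 302) is not. A login limiter or firewall then blocks the flagged source for a cooling-off period; this script only detects, so you can run it over yesterday's log to see whether you need one.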

Automatically log out Idle Users in WordPress

Logged-in users can sometimes wander away from the screen, and this poses a security risk. Someone can hijack their session, change passwords, or make changes to their account.

This is why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.

You will need to install and activate the Idle User Logout plugin. Upon activation, visit the Settings » Idle User Logout page to configure the plugin settings.

Logout idle user

Simply set the time duration and uncheck the box next to the ‘Disable in wp admin’ option for better security. Don’t forget to click on the Save Changes button to store your settings.

For more detailed instructions, see our guide on how to automatically log out idle users in WordPress.

Add Security Questions to WordPress Login Screen

Security questions on login screen

Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.

You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit the Settings » Security Questions page to configure the plugin settings.

For more detailed instructions, see our tutorial on how to add security questions to WordPress login screen.

Fixing a Hacked WordPress Site

Many WordPress users don’t realize the importance of backups and website security until their website is hacked.

Cleaning up a hacked WordPress site can be very difficult and time consuming. Our first advice would be to let a professional take care of it.

Hackers install backdoors on affected sites, and if these backdoors are not removed properly, then your website will likely get hacked again.

Allowing a professional security company like Sucuri to fix your website will ensure that your site is safe to use again. It will also protect you against any future attacks.

For the adventurous and DIY users, we have compiled a step by step guide on fixing a hacked WordPress site.

That’s all. We hope this article helped you learn the top WordPress security best practices as well as discover the best WordPress security plugins for your website.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Sucuri vs CloudFlare (Pros and Cons) – Which One is Better?

The post Sucuri vs CloudFlare (Pros and Cons) – Which One is Better? appeared first on WPBeginner.

Due to an increased emphasis on website security in today’s digital landscape, one of the most common requests we’ve gotten from readers is to do a pros and cons analysis of Sucuri vs CloudFlare to explain which one is better. Sucuri and CloudFlare are online services that offer website firewall, CDN, and DDoS protection services. In this article, we will compare Sucuri vs Cloudflare with pros and cons to find out which one is better.

Sucuri vs CloudFlare (Pros and Cons)

Even the most secure websites on the internet are vulnerable to distributed denial of service attacks (DDoS), hacking attempts, and malware injection.

As a WordPress site owner, you can use security best practices like password protecting the admin directory, limiting login attempts, adding two-factor authentication, etc.

However, these tips only work at the software level, which leaves your website mostly open to other types of attacks. These attacks can cause financial damage, data loss, poor search rankings, and a bad user experience.

Sucuri and CloudFlare both offer a website application firewall (WAF).

This means that all your website’s traffic goes through their servers first. If a request looks malicious, then the firewall blocks it before it even reaches your website.

On the surface, these two services look nearly identical, but there are some key differences.

In this comparison, we’ll focus on:

  • Features
  • Pricing
  • Malware Removal Service

By the end, you’ll know exactly which platform is best for you.

Ready? Let’s compare Sucuri vs Cloudflare.

Features

In this section, we will look at the features offered by Sucuri and CloudFlare.

It’s important to note that both services offer different plans that come with different sets of features.

As a user, make sure you don’t fall for the marketing page, because not all plans come with all the features.

CloudFlare Features

CloudFlare is best known for its free CDN service. They specialize in mitigating DDoS attacks using their Website Application Firewall product. CloudFlare keeps your site available to users during an attack or under heavy traffic when your server is not responsive.

Their website firewall blocks suspicious traffic before it even reaches your website. The firewall also extends to form submissions, which protects your website from comment spam and registration spam.

CloudFlare website firewall

CloudFlare also offers free and custom SSL certificates with all their plans. Free and Pro plans only allow you to use a CloudFlare-issued certificate. For a custom certificate, you will need to upgrade to their Business or Enterprise plan.

While CloudFlare offers a free option that includes CDN, most other features, including their Website Application Firewall, require a paid plan.

CloudFlare doesn’t offer a server scanning service to detect malware. It also doesn’t offer a malware removal guarantee if you were to be hacked on their watch.

Sucuri Features

Sucuri is one of the most reputable website security and monitoring services. They offer comprehensive website monitoring, scanning for malware, DDoS protection, and malware removal services.

Sucuri offers CloudProxy, a website firewall and load balancing service. It blocks suspicious traffic from reaching your website, effectively stopping DDoS attacks, code injection, bad bots, and other website threats. See our case study of how Sucuri helped us block 450,000 attacks in 3 months.

Sucuri offers integration with the free Let’s Encrypt SSL on their basic plan. You can also use custom SSL certificates with their Professional and Business plans.

Sucuri CloudProxy

Sucuri scans your website regularly for file changes, code injection, and malware. They clean up hacked sites, with support for all popular CMS software like WordPress, Joomla, Drupal, etc.

Winner: Sucuri is a clear winner because they offer a better combination of tools and services (Website Firewall + Load Balancing + Malware Cleanup / Hack Repair).

Pricing

Pricing is an important factor for many small businesses.

Here, we will compare the different pricing plans offered by CloudFlare and Sucuri, so you know exactly what you’re getting for your money.

FREE is not always better :)

CloudFlare Pricing Plans

CloudFlare offers a free CDN service for all. They don’t charge you for bandwidth, which means you will be able to use their free CDN regardless of your traffic volume.

However, this free plan does not come with the website application firewall. Your website may benefit from the CDN, but it will not be properly protected against DDoS attacks, spam, bad traffic, etc.

For their web application firewall, you need the Pro plan which costs $20 / month (this is what you need for improved security).

This Pro plan does not include advanced DDoS mitigation or custom SSL. For those features, you will need their Business plan, which costs $200 per month.

Sucuri Pricing Plans

Unlike CloudFlare, Sucuri doesn’t offer a free plan. Their website security stack plan starts at $199.99 a year, which is cheaper than CloudFlare’s Pro plan.

This basic plan includes full website monitoring, a website application firewall, DDoS protection, malware removal, and a free Let’s Encrypt SSL certificate.

Instead of excluding features from lower-level plans, Sucuri uses priority as an incentive for their higher-paying plans.

For example, the estimated malware removal time for the basic plan is 12 hours, 6 hours for the professional plan, and 4 hours for the business plan. However, the actual cleanup times are much faster than that for all customers.

They offer 24/7 support as part of all plans. Their business plan subscribers can also use the Live Chat support.

Winner: Sucuri is an obvious choice for small businesses when it comes to pricing. CloudFlare Pro costs $240 / year vs Sucuri at $199 / year, and Sucuri offers more features. To unlock the same features, you’d have to move up to CloudFlare’s $2400 / year plan. Sucuri’s most expensive plan is $499 / year.

Malware Removal Service

Apart from denial of service attacks, malware and code injections are the most common threats faced by WordPress site owners.

Let’s see how both services protect your website against those common threats.

Website security and malware removal

CloudFlare – Security and Malware Removal

CloudFlare’s free version is basically a content delivery network that helps make your website fast.

The website security firewall comes with their paid plans. It includes CloudFlare’s ready-to-use custom rule set. These rules protect your site from common code injection hacks, XSS JavaScript exploits, and form submission spam.

However, they do not offer file change detection, malware scanning, blacklist monitoring, or many other security features. You can add third-party apps for malware scanning, but these services will cost you additional fees.

Sucuri – Security and Malware Removal

Sucuri is a security focused company. They specialize in monitoring websites and protecting them against malware and other attacks.

Sucuri’s website application firewall protects you against DDoS, SQL injection, XSS JavaScript injection, and comment and contact form spam.

However, if something crosses all those security barriers and somehow reaches your website, then Sucuri will clean up your website (for free).

If you already have a website affected with malware, then Sucuri will clean that up as well.

Winner: Sucuri, for combining a website application firewall with monitoring, malware protection, and cleanup services.

Conclusion

CloudFlare and Sucuri both offer protection against DDoS attacks on your website. CloudFlare does a little better in the content delivery network area.

Sucuri fares better in the overall features, better security monitoring, and lower prices. If you are using a CMS like WordPress, then Sucuri is what you need.

We hope this article helped you compare pros and cons of Sucuri vs CloudFlare. You may also want to see our list of 7 best WordPress backup plugins.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

How to Add McAfee SECURE Seal to Your WordPress Site for Free

To leave a comment please visit How to Add McAfee SECURE Seal to Your WordPress Site for Free on WPBeginner.

If you’ve shopped on the internet, then you’re probably familiar with website security seals such as Norton and McAfee. These badges show users that you have taken all the necessary precautions to make your website safe and secure. This social proof helps increase users’ trust, making them more likely to subscribe to your website and make a purchase. In this article, we will show you how to easily add the McAfee SECURE seal to your WordPress site for free.

McAfee SECURE trust seal on a WordPress site

What is McAfee SECURE?

McAfee SECURE is a new certification program by McAfee that lets your visitors know that your website is safe.

This is a great solution for small business owners because it allows you to display the McAfee SECURE seal on your website for up to 500,000 visitors per month, at no charge.

Social proof like security seals is proven to boost engagement and increase sales. The video below explains what this security seal does in 50 seconds:

How to Install McAfee SECURE in WordPress

The first thing you need to do is install and activate the McAfee SECURE plugin on your website. Upon activation, you need to visit Settings » McAfee SECURE to configure the plugin.

McAfee SECURE plugin settings

Simply provide your email address and your website’s domain name, and then click on the Get Started button.

This will take you to the McAfee SECURE website, where you need to provide your personal and business information like name, company name, phone number, etc.

Creating your McAfee SECURE account

McAfee will now run some tests on your site, and you will land on a confirmation page. This page shows all tests passed under the Security heading. You will also be reminded to confirm your email address. Simply check your inbox for an email from McAfee and then click on the confirmation link inside it.

Confirmation page

Since you already have the plugin installed on your WordPress site, the McAfee SECURE trust badge will be added to your site automatically. You can simply visit your website to see it in action.

To further strengthen your security, you can add SSL and HTTPS in WordPress. We also recommend using Sucuri to regularly monitor your website for malicious code and activity.

We hope this article helped you add the McAfee SECURE badge to your WordPress site. You may also want to take a look at our list of 40 useful tools to manage and grow your WordPress blog.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Why You Should Always Use the Latest Version of WordPress

To leave a comment please visit Why You Should Always Use the Latest Version of WordPress on WPBeginner.

Every time a new WordPress update comes out, we get several emails from users asking whether it’s safe to update their WordPress site. Are you wondering whether you should update your WordPress to the latest version? Want to know the pros and cons of updating WordPress? In this article, we will explain why it is crucial that you always use the latest version of WordPress as well as show you how to properly update WordPress.

Update WordPress

WordPress is free, and it is developed by a community of developers. With each new release, they fix bugs, add new features, improve performance, and enhance existing features to stay up to date with new industry standards.

In other words, when you do not update your WordPress site, you are risking your website’s security and missing out on new features and improvements.

Let’s take a look at the pros and cons of updating WordPress.

1. Security

Security is arguably the most important reason why you should keep your WordPress website up to date.

WordPress currently powers 23% of all websites in the world. Due to its immense popularity, WordPress is a popular target for hackers, malicious code distributors, data thieves, and wannabe hackers.

CMS Marketshare

Since WordPress is open source, anyone can study the source code to learn from it and improve it. However, it also means that hackers can study it too and look for ways to break into websites.

Now the good part is that not all hackers are bad. There are a lot more good hackers than bad ones which means that security experts around the world can study the code and properly report security bugs / fixes. Every time a security vulnerability is reported, the core WordPress team works diligently to release an update that fixes the issue.

This means that if you are not using the latest version of WordPress, then you are using software with known security vulnerabilities. Hackers can search for websites running the older version, and you may become a victim of a sophisticated attack.

It is not just WordPress itself: plugins and themes can also be exploited by hackers. You need to make sure that all your WordPress plugins, themes, and the core itself are always up to date.

2. Cool New Features

Each major WordPress release comes with new features and changes to the software. For example, WordPress 4.0 came with improved plugin install experience, 4.1 introduced inline image editing, and 4.2 came with faster plugin updates.

WordPress 4.2 introduced faster plugin updates

Now if you were using an older version of WordPress, then your WordPress experience would be a lot different than someone using the latest version.

You will have trouble finding WordPress help online because you are using an older version. Users on WordPress support forums will assume that you are using the latest version of WordPress.

3. Speed

Each new WordPress version improves performance

WordPress developers are always trying to make things faster. Each new release comes with several performance improvements that make WordPress run faster and more efficiently.

For example, WordPress 4.2 improved JS performance for navigation menus, and WordPress 4.1 improved complex queries which helped with performance of sites using those queries.

Since speed is a huge factor in SEO, you should definitely keep your WordPress updated to ensure maximum performance benefits.

4. Bug Fixes

Older WordPress versions may have bugs

Despite the rigorous testing of major WordPress releases, sometimes bugs may slip through the cracks. That’s why there are timely minor WordPress releases (the ones with X.X.X) to account for that. For example, the most recent WordPress 4.2.3 update fixed 20 bugs from the 4.2 release.

Now if you go to WordPress support forums asking for help, the first advice you will get is to update WordPress because that may fix the issue. If you insist on not updating WordPress, then you will be unable to receive help.

5. Compatibility (or NOT)

Often plugin and theme developers coordinate their updates with major WordPress releases to ensure they’re taking advantage of newly available features and enhancements.

However, in some cases an update can break your existing WordPress plugins if they weren’t following best practices and coding standards.

This is why it is crucial that you keep regular WordPress backups.

To sum this up, the only downside is that in some rare cases your site will break. However, the upside is that you have:

  • Improved WordPress security
  • Cool new WordPress features
  • Faster WordPress experience
  • A bug free WordPress website
  • Better compatibility

Now that you know why it’s important to keep your WordPress site updated, let’s take a look at how to update WordPress.

How to Keep Your WordPress Site Updated

Updating your WordPress core, plugins, and themes whenever there is a new update for them is fairly easy. WordPress comes with a built-in update notification system. It highlights the number of available updates when you log into your WordPress dashboard.

WordPress updates screen

All you need to do is visit Dashboard » Updates page and install those updates. This is a one-click process.

However, since many website owners do not log in to their WordPress dashboard daily, they may not even know that an update is available for days. Thankfully, you have a few options.

If you’re using WordPress 3.7 or above, then automatic updates are turned on for minor releases (which are reserved for security and bug fixes). You can also turn on automatic updates for major releases, plugins, and themes.

Alternatively, you can get email notifications when there is a new update for your WordPress site.

Get Email Notifications for Updates in WordPress

When you’re busy running your business, logging into your site to check for updates is usually the last thing on your mind. Wouldn’t it be easier if you could get an email notification whenever there is an update on your WordPress sites?

Well that’s possible.

First thing you need to do is install and activate the WP Updates Notifier plugin. Upon activation, visit Settings » Updates Notifier to configure the plugin settings.

WordPress update notification plugin settings

This plugin uses WordPress cron to check your site for updates every hour. You can change that to once or twice daily. When there is a new update available, this plugin will send you an email notification.

By default it checks for WordPress core updates, plugin updates, and theme updates. All you need to do is click on the “save settings with test email” button.

If you do not receive the test email from the plugin, then check out our guide on how to fix the WordPress not sending email issue.

Auto Install WordPress Updates

You can automate the process even further. WordPress allows you to enable automatic updates for major releases, plugins, and themes.

This option is risky if you’re not using managed WordPress hosting. Managed WordPress hosting companies automatically update your site to major WordPress versions and keep an eye out if something breaks.

If you turn on automatic updates, then there is a slight risk that your site may break and you won’t be online to fix it right away. That said, if you would like to enable automatic updates, then there are two ways to do it (the plugin method and the code method).

Let’s take a look at the plugin method first.

First you need to install and activate the Easy Updates Manager plugin. Upon activation, you need to visit Dashboard » Update Options page to configure the plugin.

Setting up WordPress automatic updates

Now you need to scroll down to the automatic updates section, where you can enable automatic updates for core, plugins, themes, and translation files. Once you are done, simply save your settings.

Enable Auto Updates Using wp-config File

You can enable automatic updates for WordPress core by simply adding this line to your wp-config.php file.

define('WP_AUTO_UPDATE_CORE', true);

If you also want to automatically update your themes and plugins, then you would need to add this to your theme’s functions.php file or a site-specific plugin.

add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
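As an added example (our own code, not from WPBeginner or from WordPress itself), here is a site-specific plugin that builds on the two filters above: instead of returning true for everything, it only auto-updates plugins and themes on an allowlist you have vetted, and writes the result of each background update run to the PHP error log so you can see what changed. The slugs in the allowlist and the function names prefixed wpb_example_ are placeholders.

```php
<?php
/*
Plugin Name: Example Selective Auto Updates
Description: Added example (not from WPBeginner): auto-update core and only allowlisted plugins/themes.
*/

// Hypothetical allowlists; replace with the slugs of plugins and themes you have reviewed.
function wpb_example_auto_update_allowlist() {
    return array(
        'plugins' => array( 'akismet', 'wp-updates-notifier' ), // constructed placeholders
        'themes'  => array( 'twentyfifteen' ),                  // constructed placeholder
    );
}

// $item is the update offer WordPress passes to the filter; plugins carry ->slug.
function wpb_example_auto_update_plugin( $update, $item ) {
    $allow = wpb_example_auto_update_allowlist();
    if ( isset( $item->slug ) && in_array( $item->slug, $allow['plugins'], true ) ) {
        return true;
    }
    return $update; // keep WordPress's default decision for everything else
}
add_filter( 'auto_update_plugin', 'wpb_example_auto_update_plugin', 10, 2 );

// Theme update offers carry ->theme (the stylesheet directory name).
function wpb_example_auto_update_theme( $update, $item ) {
    $allow = wpb_example_auto_update_allowlist();
    if ( isset( $item->theme ) && in_array( $item->theme, $allow['themes'], true ) ) {
        return true;
    }
    return $update;
}
add_filter( 'auto_update_theme', 'wpb_example_auto_update_theme', 10, 2 );

// Minor core releases are already automatic; this also allows major core releases.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// After a background update run, record each item and whether it succeeded.
function wpb_example_log_auto_updates( $results ) {
    foreach ( $results as $type => $items ) {
        foreach ( $items as $item ) {
            if ( is_wp_error( $item->result ) ) {
                $status = 'FAILED: ' . $item->result->get_error_message();
            } else {
                $status = $item->result ? 'ok' : 'skipped';
            }
            error_log( sprintf( 'Auto update (%s) %s: %s', $type, $item->name, $status ) );
        }
    }
}
add_action( 'automatic_updates_complete', 'wpb_example_log_auto_updates' );
```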

We hope this article helped you learn why you should always use the latest version of WordPress. You may also want to check out our expert pick of 20 must have WordPress plugins for 2015.

How to Stop Users From Sharing Passwords in WordPress

By default a WordPress user can login to an account from multiple locations at the same time. This may compromise security of your multi-author WordPress site, and it can definitely hurt your profits if you run a membership site. In this article, we will show you how to stop users from sharing passwords in WordPress by blocking concurrent logins.

How WordPress Handles User Sessions

Prevent Concurrent Logins

Before we move on, let’s talk a bit about how WordPress handles user sessions. Like many other web applications, WordPress uses cookies to identify a logged-in user. These cookies do not contain your password, just your username and a special key that serves as proof that you knew the password.

Now if you access your site from a public location and out of habit check the “Remember Me” box, then anyone using that computer can log in to your site, because WordPress allows the same username to be logged in from two different locations.

This is a bit troublesome for security, but it can also be bad for business if you run a membership site selling premium content.

Users can simply share their password with their friends and use the same login information to consume your paid content.

Now wouldn’t it be nice if you could prevent users from staying logged into the same account from multiple places?

Recently when a user asked us this question, we looked around and found a plugin that prevents concurrent logins.

Prevent Concurrent Logins and Password Sharing in WordPress

Concurrent logins in WordPress

First thing you need to do is install and activate the Prevent Concurrent Logins plugin. It works out of the box and there are no settings for you to configure.

You can test the plugin in action by signing in to your WordPress site from two different browsers on your computer or using the private / incognito mode.

When you try to log in to your site with the same username and password in the second browser, you will be able to log in successfully. However, the plugin will terminate the old session, and clicking on any link in the previous browser window will take you to the login page.
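As an added example (our own code, not the Prevent Concurrent Logins plugin’s), here is how a site-specific plugin can enforce the same single-session rule with WP_Session_Tokens, the API that WordPress 4.0 and later uses to track the “special key” stored in each login cookie. The wpb_example_ function names are assumptions.

```php
<?php
/*
Plugin Name: Example Single Session Enforcer
Description: Added example (not from WPBeginner): keeps only the newest session for each user.
*/

// Returns how many active sessions WordPress has on record for a user.
// Handy for an admin report: more than one means the account is logged in from several places.
function wpb_example_count_sessions( $user_id ) {
    $manager = WP_Session_Tokens::get_instance( $user_id );
    return count( $manager->get_all() );
}

// On each request from a logged-in user, keep this browser's session and destroy the rest.
// The other browser's cookie then no longer matches any stored session, so its next click
// lands on the login page, exactly the behaviour described above.
function wpb_example_enforce_single_session() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $user_id = get_current_user_id();
    $token   = wp_get_session_token(); // the session key from this browser's login cookie
    if ( empty( $token ) ) {
        return;
    }
    if ( wpb_example_count_sessions( $user_id ) > 1 ) {
        WP_Session_Tokens::get_instance( $user_id )->destroy_others( $token );
        // Leave a trace in the PHP error log so repeated password sharing can be spotted.
        $from = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf( 'Concurrent login ended for user %d; active session is from %s', $user_id, $from ) );
    }
}
add_action( 'init', 'wpb_example_enforce_single_session' );
```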

That’s all. We hope this article helped you learn how to stop users from sharing passwords in WordPress by blocking concurrent logins. You may also want to check out our guide on how to monitor user activity in WordPress with Simple History.

Also just a friendly reminder: passwords can be hacked. If you want to avoid this, then you need to use strong passwords on your WordPress site. You may also want to force strong passwords for all users on your WordPress site.

How to Add SSL and HTTPS in WordPress

Are you looking to move from HTTP to HTTPS and install a SSL certificate on your WordPress site? In this article, we will show you how to add SSL and HTTPS in WordPress.

Don’t worry if you have no idea what SSL or HTTPS is. We’re going to explain that as well.

What is HTTPS and SSL?

Every day we share our personal information with different websites whether it’s making a purchase or simply logging in.

In order to protect the data transfer, a secure connection needs to be created.

That’s when SSL and HTTPS come in.

HTTPS, or Secure HTTP, is HTTP carried over an encrypted (SSL/TLS) connection between the user’s browser and your server. This makes it much harder for hackers to eavesdrop on the connection.

Each site is issued a unique SSL certificate for identification purposes. If a server claims to be on HTTPS but its certificate doesn’t match, then most modern browsers will warn the user before connecting to the site.

Google Chrome showing warning about an unsecure connection

Now you are probably wondering, why would you ever need to move from HTTP to HTTPS and install a SSL certificate?

Why do you need HTTPS and SSL?

If you are running an eCommerce website, then you absolutely need an SSL certificate, especially if you are collecting payment information.

Most payment providers like Stripe, PayPal Pro, Authorize.net, etc. will require you to have a secure connection using SSL.

Recently, Google also announced that they will be using HTTPS and SSL as a ranking signal in their search results. This means that using HTTPS and SSL will help improve your site’s SEO.

We already use SSL for our eCommerce sites like OptinMonster, Soliloquy, and Envira Gallery. We will also switch all content sites to SSL as well. We just added SSL for Syed Balkhi’s blog (our founder).

A site secured by HTTPs and SSL in WordPress

We’re often asked wouldn’t SSL and HTTPS slow down my WordPress website? In reality, the difference in speed is negligible, so you should not worry about that.

Requirements for using HTTPS/SSL on a WordPress Site

The requirements for using SSL in WordPress are not very high. All you need to do is purchase an SSL certificate.

Some WordPress hosting providers offer free SSL with their plans. SiteGround, one of our favorite providers, offers a one-year free SSL certificate with their “grow big” plan.

If your hosting provider does not offer a free SSL certificate, then you can ask them if they sell third-party SSL certificates. Most hosting providers like Bluehost sell them for around $50-$200.

You can also buy SSL from providers like GoDaddy.

Once you have purchased an SSL certificate, you would need to ask your web hosting provider to install it on your server.

This is a fairly straightforward process.

How to Setup WordPress to Use SSL and HTTPS

If you are starting a new site and/or want to use HTTPS everywhere on your site, then you need to update your site URL.

You can do this by going to Settings » General and updating your WordPress and site URL address fields.

Now if you’re adding SSL to your existing site, then you need to set up a WordPress SSL redirect from HTTP to HTTPS.

You can do this by adding the following code in your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
# Match only plain HTTP requests on port 80 (anchored so ports such as 8080 are not matched)
RewriteCond %{SERVER_PORT} ^80$
# Permanent (301) redirect, so browsers and search engines remember the HTTPS address
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R=301,L]
</IfModule>

Don’t forget to replace yoursite.com with your site URL.

If you are on an nginx server (most users are not), you would add the following to redirect from HTTP to HTTPS:

server {
    listen 80;
    server_name yoursite.com www.yoursite.com;
    # Permanently redirect every plain HTTP request to the same URL over HTTPS
    return 301 https://yoursite.com$request_uri;
}

By following these steps, you will avoid the WordPress HTTPS not working error, because your site URL and all of your content will be served over SSL.

If you want to add SSL and HTTPS to your WordPress multisite admin area or login pages, then you need to configure SSL in the wp-config.php file.

Simply add the following code above the “That’s all, stop editing!” line in your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

This wp-config.php SSL trick works for single sites as well as multisites.
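As an added example (our own code, not from WPBeginner), here is a must-use plugin that performs the same HTTP-to-HTTPS redirect inside WordPress, for hosts where you cannot edit .htaccess or the nginx config. It also covers a case the .htaccess rule above does not: a load balancer that terminates SSL in front of your server, where the backend always sees port 80 and a SERVER_PORT check would redirect forever. The proxy address and the wpb_example_ function names are placeholders.

```php
<?php
/*
Plugin Name: Example HTTPS Enforcer
Description: Added example (not from WPBeginner). Save as wp-content/mu-plugins/https-enforcer.php.
*/

// Hypothetical list of reverse proxies / load balancers that terminate SSL in front of
// this server. Only a request arriving from one of them may set the scheme through the
// X-Forwarded-Proto header; from anyone else the header is ignored, because any client
// can send it and would otherwise be able to skip the redirect.
function wpb_example_trusted_proxies() {
    return array( '10.0.0.5' ); // constructed placeholder, replace with your proxy's IP
}

// Tell WordPress the request is secure when a trusted proxy says so. After this,
// is_ssl() returns true and FORCE_SSL_ADMIN no longer loops behind the proxy.
function wpb_example_apply_forwarded_proto() {
    $proto = isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ? strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) : '';
    $from  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( 'https' === $proto && in_array( $from, wpb_example_trusted_proxies(), true ) ) {
        $_SERVER['HTTPS'] = 'on';
    }
}
wpb_example_apply_forwarded_proto();

// Build the HTTPS version of the current request. The host comes from the configured
// home URL, not from the Host header, so a forged Host header cannot turn this
// redirect into an open redirect to another site.
function wpb_example_https_target( $request_uri ) {
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    return 'https://' . $host . '/' . ltrim( $request_uri, '/' );
}

// Front-end requests that are still plain HTTP get the same permanent 301 redirect the
// .htaccess and nginx rules send. wp-admin and wp-login.php are handled by
// FORCE_SSL_ADMIN in wp-config.php, so they are not touched here.
function wpb_example_force_https() {
    if ( is_ssl() ) {
        return;
    }
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
    wp_redirect( wpb_example_https_target( $uri ), 301 );
    exit;
}
add_action( 'template_redirect', 'wpb_example_force_https' );
```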

Setup SSL and WordPress HTTPS on Exclusive Pages

Now if, for some reason, you only want to add HTTPS and SSL on specific pages of your site, then you would need the plugin called WordPress HTTPS (SSL).

First thing you need to do is install and activate the WordPress HTTPS (SSL) plugin.

Please note that this plugin hasn’t been updated for a while, but it works fine and is safe to use. See our guide on installing plugins not tested with your WordPress version for more information.

Upon activation the plugin will add a new menu item labeled HTTPS in your WordPress admin. You can click it to visit the plugin’s settings page.

WordPress HTTPs SSL settings

The first option on the settings page asks you to enter your SSL host. Usually this is your domain name. However, if you are configuring the site on a subdomain and the SSL certificate you got is for your main domain name, then you will enter the root domain. If you’re using a shared SSL certificate provided by your web host, then you will need to enter the host information they provided instead of your domain name.

In some cases, if you are using a non-traditional SSL host and need to use a different port, then you can add it in the port field.

The Force SSL Administration setting forces WordPress to use HTTPS on all admin area pages. You need to check this box to make sure that all traffic to your WordPress admin area is secure.

The next option is Force SSL Exclusively. Checking this box will only use SSL on pages where you have checked the Force SSL option. All other traffic will go to the normal HTTP URL.

This works if you only want to use SSL on specific pages like shopping cart, checkout, user account pages, etc.

Click on the save changes button to store your plugin settings.

If you want to use HTTPS just for specific pages, then you need to edit those pages and check the Force SSL checkbox.

Forcing HTTPs on specific pages and posts

Once done, visit your page to ensure that everything shows green (the secure lock indicator) in Chrome and other browsers.

Chrome WordPress HTTPS error

That’s all. We hope this article helped you add HTTPS and SSL in WordPress. You may also want to check out our guide on when you really need managed WordPress hosting.
