Photo by ground.zero

Whether you’re starting an online business or setting up a personal blog, there are several security priorities you better look at if you want to reduce the risk of getting website robbed online. Below you’ll find 9 steps of what I consider to be the most important security actions to take if running WordPress.

If you’re all new to WordPress, this guide will take you through in the right order, step by step, and at the end you’ll come out with a much better WordPress setup than what you had when you first started. So settle up and we’ll get started.

Before we start, always remember to backup your WordPress database if you already got WP installed.

Step 1: Start with your database

• The first step you should take is by installing WordPress on its OWN database. The reason is simply a step to avoid other information been on risk if someone manages to gain access to one of your sites if you’re running several sites or applications on the same server.

• Create one user for your WordPress database and set user privileges to only “SELECT, INSERT, UPDATE, DELETE and ALTER“. That’s enough privileges to make WP run and at the same time make things really hard for someone unauthorized to control your database.

Depending on your host, this should normally be a simple task to accomplish through CPanel.

Step 2: Modify wp-config.php

As default, the wp-config-sample.php must be renamed to wp-config.php

Before we upload the config file, its recommended that we add a little more security. Open up your wp-config.php in your text editor (notepad works great) and follow the 2 important steps below:

1. Generate unique keys using https://api.wordpress.org/secret-key/1.1/ Simply copy the 4 lines of code, past and replace them with those within your wp-config.php. You can change these keys at any time without any problem. If any users are logged in at the time you do the change, they will be forced to log in again.
2. To avoid attackers guessing your WordPress database prefix, we should add our own little prefix modification. Instead of using WordPress default prefix wp_, we should  add a more random name like for example 7i64u_. This makes it more difficult for an attacker to guess your database prefix. Simply locate $table_prefix = 'wp_'; inside wp-config.php and add your own random name.

Example – Instead of:

$table_prefix = 'wp_';

Choose your own random name:

$table_prefix = '7i64u_';

Step 3: Change default “admin” username

By default WordPress chooses “admin” as the administrator username. While Fantastico users are able to pick a different username when installing, manually installations of WordPress will have to do this by modifying the database.

There are several ways to get this done, so pick the one that suites you best.

• While logged into your WordPress Dashboard, click on “Users” and “Add New”. Then create a new user with all administration rights. Now log out as “admin” and log in with your new username. Go to “Users” again and delete the original “admin” user.
• If you know your way around in phpMyAdmin you may do the change simply by editing the user_login value to the username you prefers.
• You may also use a WordPress Plugin to change your username. There are several plugins out there that will help you do this. The plugin I recommend: http://w-shadow.com/blog/2008/07/24/change-admin-username-in-wordpress/

Step 4: Hide your Wordpress Version

By default, Wordpress themes displays the Wordpress version in the meta tag. This makes it extra easy for hackers or others to discover what version of Wordpress you’re using.

Displaying your version number might lead to attacks. So prevent yourself from been a target for specific wordpress attacks.

There are several ways hide your WordPress version, but the best way is to add this line of code inside your themes function.php – if you ain’t got any functions.php inside your themes folder, simply add a new file and name it functions.php

I’ve seen many who just add the code you see below, including myself, but without proper checking they don’t realize that the feed is leaking the wordpress version! So to clarify, the line of code below ONLY removes the version from the meta tags – NOT from the feed generator!

//Removes WordPress version from Meta Tag
remove_action('wp_head', 'wp_generator');

To completely remove the WordPress version, add the following code to your functions.php

//Stops WordPress from leaking the version number
add_filter( 'the_generator', create_function('$a', "return null;") );

Step 5: Block public directories browsing

There are two simple ways to prevent someone from the public browsing your directories, and that is to:

• Make an empty index.html file inside each folder

or

• Add the following line of code to your .htaccess file located in your server root.

Options All -Indexes

Step 6: Restricting your wp-content and wp-includes directory

Add .htaccess to restrict files and only accept images, css, and javascripts. Thanks to http://blogsecurity.net.

The following line of codes helps from restricting access to your directories. Add the code to a new .htaccess file and upload it to your directories.

Order Allow,Deny
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>

On the other hand, if you want certain files to gain access, you may do so by adding the following to your /wp-content/.htaccess file.

<Files ".php">
Allow from all
</Files>

Note if you’re using several plugins – you might need to spend a little time tweaking before it works correctly.

PS. I had some problems getting this to work under the wp-includes folder without disabling some of the WP toolbar features. If you’re having the same problem, skip to add the .htaccess file inside the wp-includes, but make sure you include it in your wp-content folder.

Step 7: Security scanning your site

Wordpress scanner allows you to measure security on your site. It’s a free plugin ready to be uploaded to your server.

There are 2 ways to run the scann. Choose the one that suites you.

1. Download the plugin, extract and upload to /plugin/ directory
2. Login to your WordPress admin and activate plugin.
3. Go to BlogSecurity.net and type in your website url as well as the security code.
4. Click “Start Scan”

The scanner will then connect to you site to check if it got the permission to do a scan. It will then prompt you with recommendations if any security issues are located.

The scanner also supports text-file for scan verification.

1. Download the text file and upload it to your blog directory /wordpress/wpscan.txt directory
2. Go to BlogSecurity.net and type in your website url as well as the security code.
3. Click “Start Scan”

As same as the plugin version, the scanner will then connect to you site to check if it got the permission to do a scan. It will then prompt you with recommendations if any security issues are located.

Remember to disable the plugin when finish scanning. Otherwise, other people would be able to scan your site as well.

Step 8: Habit of picking strong passwords

With password all over the place, we have all been tempted to choose a password we easily remember. Sound familiar…? Then please take your right hand and give yourself a big security slap!

Do yourself a favor from now on and choose a strong password containing both uppercase, lowercase as well as some numbers. If you want to go extra deep, add a few special tags like brackets, question marks etc.

Try Microsoft’s password checker to test the strength of your passwords.

To generate strong passwords, try Strong Password Generator web generator for free.

If you want a software to manage, auto-fill and generate passwords for you, I recommend checking out RoboForm’s password manager for free.

Step 9: Update update update

Keep your WordPress well updated on security releases, updates and plugin updates by simply using the Automatic Update from your WordPress admin or manually download WordPress 2.8.x.

Final Word

If you have followed every step, you’ve now taken a huge step in making you WP more secure. Congratulations! Remember to keep it updated.

Photo by Vince Alongi

There’s only one foolproof way to make sure your online business doesn’t fail, and that is to make sure your product sells like hot chocolate! Here’s 5 steps to help your online business career on your way:

Step 1. Upfront researching:

Before getting started you should do some research to get a feel of what’s popular in today’s online market. You probably don’t want to find yourself down the road with no fuel left getting you nowhere. So by doing a little research before getting started will help you from spending a ridiculous amount of time on a project that has no future.

To get a feel of what’s popular, dig around and see if there’s any pain or urgency. Remember that people go online to search for solutions to their problems. Be there and help them.

You can simply have a look around popular online sites like Amazon Hot Releases, Google’s Top 100 Trends, eBay Pulse to get a feel of what’s considered to be popular and hot.

Choose wisely – and by that I recommend going for products that your passionate about – if not, the risk of failing is more likely to occur. So search around to see what might fit your interests.

Step 2. Building your product line:

Got some awesome ideas lined up already? Great! If not, don’t worry – simply go back, take your time and look around. I’ll be here when you’re ready to take the next step.

Don’t be afraid going into a well established niche. Popular niches are probably the easiest ways to make money online – you just have to remember to bring new interesting information or solutions to your product line.

To be able to sell your products like crazy, you got to remember to create a one-of-a-kind idea. Also bear in mind, you won’t make it a step further if you ain’t got a user friendly product.

So make it simple to understand and make it unique. This is also your first product in line, so learn as you go further.

I know this might seem as a lot of work, and yes that true, but that’s why I’m here to help. So to help ease the workflow you may want to consider outsource some of your design work, or even more, with experts at Elance. Then you can focus your mind of the main important things like your content and the next step…

Step 3. Creating your landing page:

by Hamed Saber

Now as you got your ideas and products in place, you should focus on building a landing page for your product. This is an important piece of the puzzle where you send visitors to your site.

The landing page should be kept simple, and do not include a bunch of image or text links pointing out of the page. Neat headline and text will do just fine. Remember pain and urgency! What would be the outcome when using your product?

Remember to add terms and conditions and privacy policy at the bottom of the page.

I’ll do an article later on building your kickass landing page.

Step 4. Learn marketing:

You ain’t going nowhere without learning some marketing. How can you get your products out to the public if you can’t manage at least some dissent marketing tactics?

Marketing services like Google Adwords, Ad Brite are good places to start. Let me know if theres any interest in learning more about these services and I’ll set up an article on getting started.

Hot Tip: Words that Sell, Revised and Expanded Edition are some excellent information to read.

Hot Tip 2: More Words That Sell

Both books are simply, a bunch of words, that sell well! So use them in your marketing.

Step 5. Make a free offer:

Take some of your best advice and give it away. Make it a free downloadable ebook, video, tele class etc. Don’t expect to tell your customers into buying. They should get a feel of what you’re offering and by giving away some valuable free information they’ll be wanting more.

Remember to gather visitors email address when offering free content.

You’re building an online business that’s here to support your future – so start thinking of it like your real business and get busy building your line of products.

From the WordPress Team this morning:

As for what this security path is all about, this is what the WordPress Team had to say:

Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1.  Luckily, the entire WordPress community has our backs.  Several folks in the community dug deeper and discovered areas that were overlooked.  With their help, the remaining issues are fixed in 2.8.3.  Since this is a security release, upgrading is highly recommended.  Download 2.8.3, or upgrade automatically from your admin.

So make sure you update your WordPress to the latest version by simply using the Automatic Update from your WordPress admin or manually download WordPress 2.8.3 from here

1. Manually backup through phpMyAdmin

1. 1. Login to your phpMyAdmin and select the database where you got WordPress installed.
2. 2. Click the Export button on your top menu.
3. 3. Export “Select All” type should be “SQL”.
4. 4. Hit “Save as file” to save this backup as a file
5. 4. Choose compression type. Zipped or Gzipped. I prefer Gzipped.
6. 5. Hit Go or Export to store the file and save it on your computer.

You’re done!

2. Automatic backup using WordPress plugin

There are several automatic backup plugins available for WordPress. I’ve been trying a few, and are currently using WP-DBManager by Lester ‘GaMerZ’ Chan.

Another one that works great as well are WP-DB-Backup.

It’s up to you which one you choose, they both supports automatic email to backup files and both works great. The automatic email is a neat feature that lets you schedule your backup to be emailed to you at what time you’d like.

1. 1. Simply choose the one you like, extract and upload the folder to your /plugin/ directory
2. 2. Activate it under the Plugins menu
3. 3. For WP-DBManager, go to “WP-Admin” -> “Database” -> “DB Options” to configure the database options. Enter the email address you like the backup files being sent to and set when you’d like the backups to take place.
4. 4. For WP-DB-Backup, go to “WP-Admin” -> “Backup” to set how you’d like the backup to be delivered.

PS! Sending the backup emails to an email provider that’s not related to your regular host helps you from losing your backup if the host loses everything. Simply apply for a free Gmail account that allows large attachments and free storage up to 7.3 GB and use that one to send your backups to.