How to secure Alidropship website?

Erwin Francis

New Member
Hi, I would like some input on how I can secure my site from being hacked and/or running into security issues. I'm not very familiar yet with WooCommerce, so I'm not totally sure what I need to do. Any advice is greatly appreciated.
 

kingpin

Well-Known Member
This is one of the best questions here, in my opinion.

Everybody here is more about how to make sales; very few ask about the security of the site.

So let me add some points here. Follow them and you'll be strong and confident that your site won't be hacked or compromised.

1. Never use cheap shared hosting
2. Always keep your WordPress installation, themes and plugins up to date.
3. Restrict directory browsing in cPanel
4. Choose a strong password
5. Rename the theme
6. Remove the Hello Dolly plugin
7. Install the GOTMLS malware scan plugin
8. Never use pirated themes or plugins
9. Limit login attacks
10. Hide the .htaccess file
11. Remove the license.txt file from cPanel
12. Hide the theme and plugin editor
13. Use SSL
14. Use a CDN; Cloudflare is free


Just some points :)
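Several of the items above are file-level changes that can be made from a shell on the host. The script below is an added example, not kingpin's code or anything posted in the thread: it applies items 3, 6, 10, 11, 12 and 13 to a WordPress document root whose path you pass in (the path and the `.new` temporary file names are assumptions; the file layout is standard WordPress). Items 7 and 9 are plugin functionality and are left to the plugins, and item 13 assumes a certificate is already installed. Run it against a copy of the site first.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): apply list items 3, 6, 10, 11, 12 and 13
# to a WordPress document root. The path argument is an assumption.
set -eu

# Items 3, 10 and 13 as Apache directives. The block is PREPENDED so that the
# HTTPS redirect runs before WordPress's own "RewriteRule . /index.php [L]",
# which would otherwise end processing for every pretty-permalink request.
harden_htaccess() {
    local root="$1"
    local ht="$root/.htaccess" tmp="$root/.htaccess.new"
    grep -qs '^# BEGIN hardening (added example)' "$ht" && return 0   # idempotent
    cat > "$tmp" <<'EOF'
# BEGIN hardening (added example)
# Item 3: never list a directory that has no index file. If the host does not
# permit Options in .htaccess this line causes a 500; remove it and ask them.
Options -Indexes
# Item 10: refuse HTTP requests for .htaccess / .htpasswd themselves
# (Apache 2.4 syntax; on 2.2 use "Order allow,deny" and "Deny from all")
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
# Item 13: redirect plain HTTP to HTTPS once a certificate is installed
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# END hardening (added example)
EOF
    [ -f "$ht" ] && cat "$ht" >> "$tmp"
    mv "$tmp" "$ht"
}

# Items 6 and 11: files that serve no purpose on a live site. license.txt and
# the Hello Dolly plugin (hello.php, or hello-dolly/ when installed from the
# directory) ship with every WordPress release.
remove_default_files() {
    local root="$1"
    rm -f "$root/license.txt" "$root/wp-content/plugins/hello.php"
    rm -rf "$root/wp-content/plugins/hello-dolly"
}

# Item 12: DISALLOW_FILE_EDIT removes the theme/plugin editor from wp-admin, so a
# stolen admin login cannot be turned into arbitrary PHP on the server.
disable_file_editor() {
    local cfg="$1/wp-config.php" tmp="$1/wp-config.php.new"
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0                     # idempotent
    # Insert just above the "That's all, stop editing!" marker every wp-config has.
    awk '/That.s all, stop editing/ { print "define( '\''DISALLOW_FILE_EDIT'\'', true );" } { print }' \
        "$cfg" > "$tmp"
    # Fallback for a wp-config.php without the marker: append, then move the
    # line above the wp-settings.php require by hand.
    grep -q 'DISALLOW_FILE_EDIT' "$tmp" || printf '%s\n' "define( 'DISALLOW_FILE_EDIT', true );" >> "$tmp"
    mv "$tmp" "$cfg"
}

harden_wordpress() {
    local root="$1"
    [ -f "$root/wp-config.php" ] || { echo "no wp-config.php in $root" >&2; return 1; }
    harden_htaccess "$root"
    remove_default_files "$root"
    disable_file_editor "$root"
}

# Usage (path is an assumption): harden_wordpress /var/www/html
```

Re-running the script is safe: each function checks for its own marker before changing anything, so it can be scheduled after every WordPress update to put back anything the update overwrote.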
 

Erwin Francis

New Member
Wow! Thank you so much for the input. I see that I have lots to cover, but that's good, as I think having a secured site is key to having a long-term business. Again, I really appreciate the help. I have a few questions though.

1. If I rename the theme, will WordPress still be able to update it?
2. About removing the license.txt file, do you mean the file that came with the WordPress files?
3. I'm going with the Ultimate Managed WordPress plan with GoDaddy; do you think it's good enough?

Thanks again :)
 

Jefri

Active Member
This is one of the best questions here, in my opinion.

Everybody here is more about how to make sales; very few ask about the security of the site.

So let me add some points here. Follow them and you'll be strong and confident that your site won't be hacked or compromised.

1. Never use cheap shared hosting
2. Always keep your WordPress installation, themes and plugins up to date.
3. Restrict directory browsing in cPanel
4. Choose a strong password
5. Rename the theme
6. Remove the Hello Dolly plugin
7. Install the GOTMLS malware scan plugin
8. Never use pirated themes or plugins
9. Limit login attacks
10. Hide the .htaccess file
11. Remove the license.txt file from cPanel
12. Hide the theme and plugin editor
13. Use SSL
14. Use a CDN; Cloudflare is free


Just some points :)


Hello Kingpin,

- Sometimes we get problems when updating plugins; how do we anticipate that?
- How do we limit login attacks?
- How do we hide the .htaccess file?
- How do we hide the theme and plugin editor? Do you mean we should edit it, such as the theme creator name, date, company, etc.?

Thank you
 

kingpin

Well-Known Member
Google the terms
"How to hide plugin and theme editor on WordPress"

Better to use child themes.

Google that also.
Very easy process.

There are plugins like Limit Login Attempts to protect against login attacks or DDoS there.

Use GOTMLS and scan your site once in a while to keep it malware- and adware-free.
 

the_lyall

Active Member
In addition to Wordfence I use the following:

- WPS Hide Login (seriously, you can't hack the login page if you don't know the URL of the login page, once it's been changed from wp-login). Wordfence went down to showing zero new failed login attempts after adding this.
- PCI DSS/ISO 27001 compliant hosting (while PCI is not directly related, the fact that it's guaranteed to pass the quarterly scans means it has to be up to date and secure)

Other than that, Wordfence has you covered for firewall, malware scans, bruteforce protection, and pretty much everything else you need.

As a side note, one of my clients BP/Castrol has seen a 750% increase in malware installations in their supplier sites recently, therefore we now have to use 2FA for all admin users. With wordfence, 2FA is built in even in the free version and I recommend you take advantage of it. I always put it off but now I use it.

There's nothing wrong with cheap shared hosting as long as the servers are secure and the application security is sufficient; check the hosting company's website for details or run a pen-test scan (don't get your IP blocked). Cheap hosting gets a bad rap, but everyone has to start somewhere.
 

Direct Webstore

Well-Known Member
As a side note, one of my clients BP/Castrol has seen a 750% increase in malware installations
I had a test site without Wordfence get hacked just last week. A redirect script was added to the theme's header file, a few other files, and throughout the database. That's what really made me realize the importance of something like Wordfence.
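For the kind of compromise described in this post (a redirect dropped into theme files and into the database), the following is a first-pass triage script. It is an added example and not something posted in the thread: it greps the document root for constructs that legitimate theme code almost never contains, lists PHP files changed recently, and checks a mysqldump file for injected script tags. The paths, the 7-day window and the sample infected files in the usage are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage for injected redirects in a
# WordPress install. Paths and the default 7-day window are assumptions.
set -eu

# Obfuscated PHP evaluation, or a JavaScript redirect inside a PHP template.
# Every hit still needs a human: a few plugins legitimately call base64_decode.
SUSPECT_RE='eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13)|\beval *\( *\$|(window|document)\.location(\.href)? *= *.https?:'

# Print "file:line:match" for every suspicious line in PHP/JS files under $1.
find_injected_code() {
    local root="$1"
    grep -rnE --include='*.php' --include='*.js' -- "$SUSPECT_RE" "$root" || true
}

# Print PHP files under $1 modified in the last N days (default 7). After a
# clean-up this is how you notice the attacker's files being re-created.
recently_changed_php() {
    local root="$1" days="${2:-7}"
    find "$root" -type f -name '*.php' -mtime "-$days" | sort
}

# Scan a mysqldump output file for script tags that redirect or load a remote
# script, which is what an injection into wp_posts/wp_options looks like.
find_injected_sql() {
    local dump="$1"
    grep -nE '<script.{0,200}(\.location|src *= *.https?://)' -- "$dump" || true
}

# Usage (paths are assumptions):
#   find_injected_code /var/www/html
#   recently_changed_php /var/www/html 3
#   mysqldump wordpress > dump.sql && find_injected_sql dump.sql
```

Grep output is a lead, not a verdict; compare the flagged files against a fresh copy of the same theme or plugin version (for core files, `wp core verify-checksums` in WP-CLI does this against the official checksums) before deleting anything, and remember that the database hits have to be cleaned in the live database, not just in the dump.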
 

chris37

Well-Known Member
Guys, if any one of you knows: I have 6 different websites on the same shared hosting; on some of them I have Wordfence and on some I don't.
If the ones without Wordfence get infected, can they infect the rest of the files (websites in my shared hosting)?
 

Direct Webstore

Well-Known Member
Guys, if any one of you knows: I have 6 different websites on the same shared hosting; on some of them I have Wordfence and on some I don't.
If the ones without Wordfence get infected, can they infect the rest of the files (websites in my shared hosting)?
No. They are separate domains. And attacks are random. I have sites on the same server and they don't all get attacked by the same people/IPs. Some get attacked. Some don't. It's all random. The only way all domains in the same hosting could get infected is if the actual host/server got infected.
 

Direct Webstore

Well-Known Member
But I'm shocked to see in this "Security" thread not one mention of making regular backups. That should have been number 15 on KP's list above.
 

chris37

Well-Known Member
The brave ones.
I don't really update those websites; they are regular e-shops with stable products, and I have the final backup of them on my computer....
But you are right: a backup and a security plugin must be the first things you set up when you install a fresh WordPress website.
 

chris37

Well-Known Member
I have Updraft Plus automatically backing my sites up to their Google Drives once a week. And set to keep a copy of the last three backups. So the oldest of the 3 gets deleted each time. Set and forget.
I do that as well, but when I build a site I download one final backup to my PC.
On my active sites I use the automatic (Google Drive) backup and a manual backup as well (to my PC).
 

the_lyall

Active Member
No. They are separate domains. And attacks are random. I have sites on the same server and they don't all get attacked by the same people/IPs. Some get attacked. Some don't. It's all random. The only way all domains in the same hosting could get infected is if the actual host/server got infected.
This is true, but if it was a targeted attack and not random, it would be possible to use information from one compromised site to help gain access to the others. You would be able to see the location of the root folder on the server which all your sites would be in (if in the same hosting account), as well as get clues on things that are likely to be similar across multiple sites, such as database or admin credentials/usernames (I suspect you use the same admin username for multiple sites, as most people including myself do).

It would have to be a targeted attack with a determined personal attacker (i.e. not a bot) to do that, which is less likely to happen if you're not a well-known, high-profile business, so I wouldn't worry too much. But for completeness, it is a risk.

Why not add wordfence to all of them though, as it's free and can't do any harm.
 

the_lyall

Active Member
I have Updraft Plus automatically backing my sites up to their Google Drives once a week. And set to keep a copy of the last three backups. So the oldest of the 3 gets deleted each time. Set and forget.
I use UpdraftPlus too; it backs up daily, so if I cock up when updating something I've got a more recent backup (if I forgot to make a manual one first). Technically my sites are backed up every 3 hours by my host so I don't need to, but there's something about the "your site has been backed up" emails that adds a sense of security. It's also probably easier to restore from Updraft; I haven't tried it the other way yet.
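The "keep the last three, drop the oldest" schedule discussed in the two posts above can also be done without a plugin, which matters when wp-admin itself is compromised or down. The script below is an added example, not UpdraftPlus or anything posted in the thread: it dumps the database, archives the files, writes a checksum and prunes to the newest N archives by modification time. The paths, the keep count and the database credentials (expected in `~/.my.cnf` rather than on the command line, where `ps` would show them) are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): WordPress backup with a keep-last-N
# retention. WP_ROOT, BACKUP_DIR and KEEP are assumptions; override via env.
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"               # assumption
BACKUP_DIR="${BACKUP_DIR:-${HOME:-/tmp}/backups}" # assumption; keep it outside the web root
KEEP="${KEEP:-3}"                                 # three backups, as in the thread

# Read a constant such as DB_NAME out of wp-config.php instead of hard-coding it.
wp_config_value() {
    local key="$1" cfg="$2"
    sed -nE "s/^[[:space:]]*define\( *['\"]${key}['\"] *, *['\"]([^'\"]*)['\"].*/\1/p" "$cfg" | head -n 1
}

# Delete all but the newest $2 archives (and their checksum files) in $1.
# Ordered by mtime, so a restored or renamed archive does not confuse it the
# way a lexical sort of the file names would.
prune_backups() {
    local dir="$1" keep="$2" count
    count="$(find "$dir" -maxdepth 1 -name 'site-*.tar.gz' | wc -l)"
    [ "$count" -gt "$keep" ] || return 0
    ls -1t "$dir"/site-*.tar.gz | tail -n +"$((keep + 1))" | while IFS= read -r f; do
        rm -f -- "$f" "$f.sha256"
    done
}

# One run: database dump, then files, then a single archive holding both,
# a checksum so a silently corrupted copy is detected before you need it,
# and finally retention.
make_backup() {
    local stamp db
    stamp="$(date +%Y%m%d-%H%M%S)"
    db="$(wp_config_value DB_NAME "$WP_ROOT/wp-config.php")"
    mkdir -p "$BACKUP_DIR"
    mysqldump --single-transaction "$db" > "$BACKUP_DIR/db-$stamp.sql"
    tar -czf "$BACKUP_DIR/site-$stamp.tar.gz" -C "$WP_ROOT" . -C "$BACKUP_DIR" "db-$stamp.sql"
    rm -f "$BACKUP_DIR/db-$stamp.sql"
    ( cd "$BACKUP_DIR" && sha256sum "site-$stamp.tar.gz" > "site-$stamp.tar.gz.sha256" )
    prune_backups "$BACKUP_DIR" "$KEEP"
}

# Usage: run make_backup from cron, e.g. weekly as in the thread, and copy
# $BACKUP_DIR off the server afterwards (e.g. with rclone to a cloud drive).
```

A backup that only lives on the same hosting account is lost together with the site, so the copy-off step is not optional, and a restore should be rehearsed once on a throwaway install rather than for the first time after a compromise.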
 