With the rise of modern information technology and the proliferation of cybersecurity breaches happening, being able to detect attacks in your network has become quite the necessity. Cybercriminals certainly aren’t slacking. Every day, they come up with all manner of new strategies that they can use to infiltrate a vulnerable network. In such an environment, your top priority should be to take preventative measures rather than reactive ones. You should be able to sniff out an attack long before it happens.
However, that’s easier said than done because, as it turns out, one of the most difficult and expensive endeavors to embark on is monitoring your system’s activity to prevent network attacks. It doesn’t have to be that way, however. You need to have a good idea of the best ways to handle it.
Ultimately, the main thing that matters to stopping network attacks before they get out of hand is transparency. You need to increase visibility in your network so that you can see more of and consequently stop more often. That’s what we’re going to be looking at today: tips on how to increase visibility in your network with Syslog.
1. Always Be Vigilant :
At its very core, Syslog is no more than a standard whose job is to log system messages. It is much more useful than that in practice, however, as it gives us a way to abstract the system messages in such a way that we can separate the systems that store and analyze source software from the source software itself. This makes it possible for us to be very flexible and control the kind of low-level detailed communication that takes place in our networks.
One of the reasons why it makes sense to get syslog services from a cloud provider, rather than do it yourself, is that you can be overwhelmed by the sheer volume of messages coming from the different devices on a network when you’re monitoring your infrastructure. You’ve got network appliances, storage appliances, servers, desktops, printers and so on. All these devices are pumping out logs, most of them rather cryptic and you’re probably wondering where you should start.
The answer to that question becomes simple once you remember the whole purpose of syslog in the first place, which is to increase visibility. If you want to maximize the visibility you are getting out of your logging environment, then you should have at least one centralized log repository and deploy it. This is what infrastructure monitoring services do. The log repositories act as dynamic organizers and managers of the messages flowing out of your system. With this highly organized aggregation and analysis of your system logs, you will be able to solve your problems in real time, but you will also be able to collect vital information that will help you to prevent future attacks.
We can’t get into the specifics associated with setting up a remote logging server, but that doesn’t mean the process isn’t straightforward. You need to find the -/etc/syslog.conf- file on your most critical devices once you initialize the server and then get the file to point to the repository you have just created. That way all messages are funneled through to that repository. All these messages come in as plain text files, so it’s a good idea if you tunnel them through SSH port 514.
2. Catching the Threats :
So, you have a central place where you are collecting system messages. You should now have a way to analyze these messages that is automated. The messages are usually tagged with the facility and severity, which means it’s very easy to sort them. This is where a third-party logging system helps since it can filter out logs from various devices, such as network appliances, for such things as internet protocols (IPs) you do not recognize, dropped packets, port scanners and lots of other things that hint at malicious behavior.
Now all you need to do is configure any messages that report suspicious IPs or dropped packet floods to trigger notifications automatically and the resolutions that follow. A third party log analyzer will have these triggers already integrated and probably connected to your email or text messaging. The resolution measures, such as port switching, IP blocking and alterations to the firewall can also be set up to respond in a times manner to deal with attacks.
Try to configure each solution effectively. You should figure out the usefulness of the information you are getting from each device that you make a priority. The highest priority devices should be the most visible.
Ultimately, most of the information you need to protect your network is already being generated by your network. All you need to do is organize it and make it visible.
You might end up on this article searching for How to secure WordPress website against exploits? or
How to prevent by WordPress site against hacks and malware?
Or Tips securing your WordPress website against all exploits.
Of course this is the right article and this talks about all sorts of techniques, tools and plugins to help you secure your WordPress website.
As per W3Techs WordPress powers more than 58% of all the websites that use CMS which comes out to 24.9% of all websites in the world.
So with the increase in usage of WordPress and with the ever increasing popularity of how easy it is to set up and how easy it is to use there has been a rise of using more and more WordPress Themes as well as plugins.
But since it is easy there is also a rider which comes along with it. It becomes quite easy for hackers to hack it if used in all its default settings.
Hence the need to understand security and to secure your WordPress powered website because no one likes to get their website hacked.
It is obvious when you search on Google this keyword: “prevent WordPress hack” it comes up with 8 million or more results that how desperately people like developers as well as novice users want to know hack prevention techniques and tools for their WordPress website.
Here is a list of tips and tools as well as techniques we as WordPress theme developers could think of.
Of course this article can lead to a discussion and more input and more additions can be made as time passes by.
We will start with the simplest techniques and then move on to the more complex ones:
Simpler tips for security:
1. Hosting: Your hosting plays a crucial and important part in having your WordPress website secure. Many times its the bad host which gets you hacked. If you have a great hosting in place many things can be sorted out quickly and most of your frustration can be reduced. For example: Backups are easy. Brute Force attacks and spam and SQL injection are often checked and avoided. Hence we will talk about the most recommended hosts and their tools.
a. Shared Hosting: Most people just want to start their website and hence they don’t want to spend a lot in their first go and thus select shared hosting as their platform. There are thousands of hosting companies which provide shared hosting and we can’t possibly add all of them here but we are including only 4 shared hosting which we have personally tried and can recommend. However there might be even better or similar service. Do let us know:
i. Bluehost: Bluehost has been referred constantly by WordPress.org on its hosting page: https://wordpress.org/hosting/ It is a good starting point for shared hosting in case you need a WordPress website since it has both WordPress premium hosting for future and simple shared hosting with 1 click install. Since its a shared hosting which costs you 3 to 4 USD per month you can’t complain much about lack of features or services. However it has an automated tool for backup known as backup wizard comes along with cpanel which you can use. Thus backups can ensure that you are safe and if ever your website gets hacked you can restore the backup.
ii. A Small Orange: We are personally hosted on this hosting and most of the features present in Bluehost are present here. But above all which we like most and can say that is even better than the above host is the support. Support tickets are answered within 5-6 hours and always we get to chat with someone on the live chat within a few minutes. Support is what makes this host stand out from the rest because there are a lot of answers and help which they can provide free. All you need to do is ask them for it. Example: NGINX server cache installation, Backups and how to use it etc.
iii. SiteGround: Another popular WordPress shared hosting they also provide good tools for you to backup your website. Rest cpanel and standard features are present. Chat is also proactive and support tickets are answered often.
iv. Godaddy: Godaddy is the largest registrar of domains and hence many prefer it for their hosting as well. Overtime Godaddy also has made several changes to make it a reliable hosting for WordPress. It also has started giving standard Cpanel WordPress hosting which allows for backups and other easy to use tools.
b. Managed WordPress hosting: For those who have a little budget and want to have hosting manage their security for them. These 2 hosting companies out of the many out there we found reliable, cheaper than rest and often helping you secure your website as well as letting you know which plugins are good and which aren’t good. They also have nightly backups means that you are at peace of mind with them. So ever a hack happens which is rare since they manage it, they can restore the backup quickly:
i. WP Engine: WP Engine lets you know the list of plugins that they recommend for most. Hence vulnerable plugins are kept at bay.
ii. FlyWheel: Flywheel tells you not to install any security plugin as they handle the security themselves which means you don’t need to do anything once you install with them and they take care of the rest.
2. Back Ups: BackUps can be by use of cpanel file manager or via ftp (for files) and database download using phpMyAdmin using cpanel or the host database access. There are 100s of tutorials out there on how you can backup your WordPress website manually. However you should consider reading the Codex Backup Procedures as they are safe and have been written nicely: http://codex.wordpress.org/WordPress_Backups. There are several plugins as well. We will talk about them in short as most of them we mentioned here are working fine and have good reviews from others:
a. BackUpWordPress https://wordpress.org/plugins/backupwordpress/
b. BackUpBuddy (paid version of this plugin also present)
c. VaultPress
d. Dropbox Backup and Restore
e. Amazon S3 BackUp and Restore
3. Update WordPress Version: Most of the times due to use of older version of WordPress your site is at risk of getting hacked. WordPress recognises many security flaws and parameters in its previous versions and as reported by fellow contributors which from time to time are updated. Hence using the latest version of WordPress should reduce the risk of getting hacked or attached by malware.
4. Updating WordPress plugins and themes: Generally in the same way theme authors and plugin authors release updates and features. Most of the time they are feature updates. But from time to time these authors also recoginize security flaws and hence its a good practice to keep using the updated plugins and themes as well.
5. Change default username and password: Default username and default password use like simple series of number or keeping admin is fine as long as you are on local server or on a test site. But for business websites it is important that you change the default username and password. Now with WordPress latest versions it is possible to choose secured username and it generates secured password but for users with older versions of WordPress you may go to your profile to change your password. However for changing username use either phpMyAdmin in case you are comfortable changing it from there or else use any of the plugins below:
a. Admin renamer extended
b. Username Changer
6. 2 Step Authentication for Brute Force Attacks: 2 step authentication is essential in case your site receives a lot of Brute force attacks and has a high traffic or sensitive information. 2 step authentication secures your WordPress login area and makes it very complex for brute force attacks. Plugins which can be used for 2 step authentication are:
a. Clef
b. Duo
c. Authy
d. Google Authenticator
e. Rublon
These simple steps should make an user feel at piece of mind in terms of at least having timely backups and at least presenting his website with bare minimum security.
The next steps we are going to discuss are more complex steps in securing your WordPress website even further.
Complex Steps:
1. Steps listed in Hardening WordPress by Codex: http://codex.wordpress.org/Hardening_WordPress
Most of these steps are for developers or for people who have been using WordPress for quite long and understand how wp-config works. Have used file manager or ftp and can implement changes in htaccess, wp-config etc.
These steps surely act as a starting point in securing your website. However still some of the few security plugins we are going to discuss next will place a net cover of security on your WordPress website and hence you should check the following ones as well:
2. Plugins that will help in malware detections and change of files detection:
a. Sucuri Site Scan: Sucuri Site Scan has quite a few tabs. On the first tab are general settings about when to get notified for alerts like login, brute force attacks, registration of new users, alerts for failed login attempts, plugin installation etc. So if you have many users in your website and many administrators or editors who might install plugin then these features are useful and essential. The second one is malware scan which tells you about any kind of malware or malicious codes present in any plugin or theme directory. It also checks for error files, modified files if any. Scan should be reduced if your site traffic is low and you are hosted on shared hosting since scan also takes up a lot of hosting ram. The third part is hardening of security like removing WordPress version (as lower versions are more prone to hack, hackers check version and they know on which version what kind of security vulnerabilities are present). Hence removal of WordPress version, Uploads directory where media gets stored needs to be secured and hardened, restricting wp-content access, readme.html to be hardened, default admin account to be removed and changed, default database prefix to be changed Sucuri Firewall protection we haven’t tested this but shows up using Cloudproxy Firewall which it claims should help you secure your site against DDOS, Brute Force and SQL injections. If you have used this feature then do let us know as we don’t have proof of this firewall really helping.
b. Antivirus: Another plugin which we have found useful is Antivirus. It detects WordPress Theme files and database files for security and exploit. Only con of this security plugin is that it will use wp-cron and if you set up a daily scan and in case your shared hosting isn’t that powerful and your website is bigger in size in terms of pages, posts and database then this plugin might eat up a lot of resource as it scans through the files and database tables.
c. Anti-Malware and Brute Force Security by ELI: Anti-malware and Brute Force Security as the name suggests does a great job in this regard. In case you sign up for the plugin at gotmls.net you get all the updates of known threats. It also scans htaccess for any scripts, it checks for timthumb exploits and warns you, it checks for any backdoor scripts and asks not to use you, and checks your login for any vulnerabilities. So this way this plugin does the task of anti-malware. Checks all original WordPress files as well. You may use it and check for any problems in your existing website and rectify them.
d. Theme Authenticity Checker: Well for most cases we try to have plugins scanned and general WordPress dashboard security like login, WordPress files etc but WordPress themes and their security is also important because there can be unnecessary scripts or obfuscated malicious code which can be easily hacked. Hence this plugin serves as a nice tool to get your theme scanned and checked and once you know which files are unwanted or which code is problematic can refer it to original theme author for either removal or change of code to safer practices or if there are too many vulnerabilities rather use a more safer theme. For most cases for theme checks it does better than Antivirus.
3. Security Plugins that will secure it further
a. All in One WP Security and Firewall: This one takes care of the following which summarizes most of the security you can take on your website:
i. User Login Security
ii. User Account Security
iii. User Registration Security
iv. System File Security
v. Firewall SetUp
vi. Blacklist Feature
vii. Database Security
viii. BackUps
ix. Firewall and Brute Force
b. WordFence Security
c. Better WP Security (now iThemes Security)
d. BulletProof Security
4. Others kept out of this list but may be useful:
a. Acunetix WP Security: Recently a lot of negative reviews have cropped up for this plugin on WordPress.org hence we couldn’t recommend it to you.
b. 6Scan Security: Many clients have complained about site going blank after installation of this plugin and hence we couldn’t recommend it to you.
As a webmaster, you want the world to have access to your website. That’s especially true if you have a product or service to sell.
However, there are reasons why you may want to restrict access to your website. If you happen to operate a landscaping company in British Columbia, Canada, then you’re probably not interested in generating interest from potential customers in the Philippines. Broadcasting your website to the world and allowing other countries to index it is a waste of bandwidth.
Allowing worldwide access to your website is a bad idea for other reasons. As Privacy Australia notes, many hacking and phishing schemes are conducted by bad actors in other countries.
Which Countries Have the Most Hackers?
According to Security Today, the countries that have the most hackers are China, Turkey, Russia, Brazil and the U.S. Depending upon where your company is located, you may want to block access from any or all of these countries.
If you have customers in these nations, then blocking access won’t work. Instead, you’ll have to beef up website security. Some of these steps may include:
Whether you’ll be blocking access from certain countries or not, the above list of security protocols is critical to protecting your website.
What Is .htaccess?
Suppose that you have identified users from a country that you suspect are trying to hack or otherwise undermine your website. You’re located in Canada, and the website visitors have IP addresses that originate in Turkey. Your business does not operate in Turkey, you have no customers there and you’re worried that you’re being targeted for an attack.
What can you do?
The answer may lie in .htaccess. This configuration file is used on web servers that run Apache Web Server software. The .htaccess file is loaded onto the server software where it is subsequently executed. These files can be used to disable or enable numerous functions and features.
Among the capabilities of .htaccess is blocking website visitors from unwanted IP addresses. Here is an example of the code you would create to restrict visitors from certain IP addresses from being able to access your website:
order allow,deny
deny from 255.0.0.0
deny from 124.35.6
allow from all
Accordingly, all visitors with either the IP address 255.0.0.0 or 124.35.6 will be denied access. Notice that in the second denied IP address, the fourth set of numerals is missing. All IP addresses that begin with “124.35.6” will be blocked regardless of the content of the fourth set of digits.
The next time that someone from a blocked IP address tries to access your website, they will receive an error message that says “403 Forbidden.”
What If You Have a Long List of IP Addresses to Block?
Any hacker worth their salt isn’t going to use just one IP address. They may use several, and many hackers now work out of farms. A webmaster can block one IP address, but the same bad actor just pops up a few minutes later with a new IP address.
Adding each IP address to the “deny” list in your coding is time-consuming and likely to be a losing battle. Fortunately, you may be able to make use of some alternatives.
Some webmasters who are really concerned about being targeted by hackers in another country are getting memberships for service providers such as Country IP Blocks. This Internet-based service allows users to choose specific countries that they would like to block from accessing their website. It’s possible to select multiple countries at a time and what kind of restriction protocol, including .htaccess, should be used.
After making selections, the website generates code that can be copied into the user’s website to prevent web browsers from certain countries from accessing the website. Comprehensive in scope, this is an efficient shortcut when compared to having to painstakingly enter IP addresses one by one.
Options for People Who Don’t Want to Use .htaccess
.htaccess configuration files are fairly helpful when it comes to limiting access to a website. However, it’s not necessarily the most effective or efficient method.
IP2Location may be a reasonable alternative. This company sells IP geolocation databases as well as offering a free and extensive database firewall list. Organized by country, it’s possible to choose to allow everyone in the IP address list to access your website or to ban them. If you sign up for a free account, you can block as many as 30 countries. Choose the selection Apache .htaccess deny from the menu, which gives you an appropriate text file to upload the directory on your homepage.
BlockACountry.com is another website that may be useful if you have several websites to protect. After signing up for a free membership, you enter a website address and select which countries you would like to block. This enables you to download the appropriate block list.
Your Web Host May Be Able to Help
The better your web host, the more secure your website is going to be. If you’re using shared hosting, then there may be little that your host can do to block IP address from particular countries. Although you may have access to a control panel, you may not have networking controls because any changes you made might affect all of the other websites that are hosted on the same server.
Still, you may be able to add certain IPs to your firewall. This also is the case with bare metal servers. You have complete control over this server, but you may not have control over how the back end is routed.
When it comes to blocking certain countries from accessing your website, you have many options. One or a combination of these options may help to protect your website from a hacker.
Despite Windows being the most popular desktop OS in the world, a lot of security and design conscious users opt for the Mac OS for running their desktops. One of the biggest reasons behind this choice is the common perception that Macs are more secure than Windows when it comes to preventing users from attacks that involve exploiting system vulnerabilities.
And yes, Macs certainly are better adept at protecting their users from such catastrophes as compared to Windows. Just take a look at how the ransomware Wannacry wreaked havoc on systems running the Windows OS in 2017 and you will get a very good idea on how opting for Mac as your OS was definitely the better choice indeed.
But, despite the magnificent in-built protective features like sandboxing and restrictive root base access offering maximum security to your system by virtue of not having such zero-day points of entry, Macs can still suffer from malware and ransomware attacks if you are not taking enough steps towards toughening up your cybersecurity.
We now spend a major chunk of our times online, performing almost all types of tasks ranging from conducting financial transactions to accessing our social media handles. Highly sensitive information passes through our internet connection when we do that and without adequate protection, anyone from hackers to even your ISP can siphon that data or invade your connection on a whim.
To secure your privacy online and ensure that your data remains protected while it’s being transferred in the online domain, it needs to pass through a VPN enabled connection.
VPNs, simply put, are tools that allow your online activities to pass through a private connection, thereby effectively sealing your internet activity from any undue meddling.
If you are still not using a VPN on your Mac device, then you are surely setting yourself up for an impending disaster. Using a VPN on Macs is not hard at all, contrary to popular belief. Modern-day VPNs are easy to use, even by newbie users, allowing you to take your online security up a notch and bring your overall privacy to an unassailable level.
Still, need more reasons to convince you that deploying a VPN on your Mac is absolutely necessary? Or are you a bit hesitant that you don’t know much about VPNs?
Don’t worry, we’ve got it covered. We’ve covered everything about using VPNs on Mac in this guide. Let’s get you through it from the beginning:
1) Let’s Start At The Beginning:
First things first, do you first want to know what a VPN actually is?
Well, a VPN is currently the best tool available to safeguard your privacy and make you go anonymous online. This tool encrypts your data and makes it pass through a secure tunnel, along with activating other safeguards to make sure that your internet connection cannot be broken through in.
From offering obfuscated servers to prevent deep packet inspection to being based in countries that have no data retention laws, modern-day VPNs work towards sealing off all those gaping holes through which your security can be compromised.
And they also care for offering maximum user ease by offering easy to use client apps for every popular platform, even Macs.
2) Advantages
You can get a lot of advantages just simply by deploying a VPN over your internet connection that you might not even have been aware off till now.
Firstly, they secure your internet connection protecting you from a diverse range of threats like Man in the Middle attacks that often afflict people who nonchalantly us Public Wi-Fi.
Secondly, they allow you to bypass geo-restrictions so that even if you are in place with restricted access to the free internet like China, you can still visit all of your favorite sites whenever you want.
Thirdly, VPNs also amplify your entertainment experience as they offer you the chance to access your favorite streaming sites like Netflix and BBC iPlayer even when you are not in locations that don’t offer access to them.
Fourthly, they can save you an incredible amount of money. For e.g., if the price of room booking in hotels or air tickets differs between regions, you can turn on your VPN, connect to the server placed in the area where prices are lower and buy the same service or product at a reduced price.
The advantages that VPNs offer are almost all relevant to the problems you can face online, so you won’t ever regret subscribing to one in the first place.
3) Best VPN Software for Mac:
If you make up your mind to subscribe to a VPN service, the next question that will pop up in your mind would be related towards the best provider that suits your needs perfectly.
And while there a lot of providers out there that claim to offer the best VPN services for Mac, here are some points that you need to look for in a provider to verify its claim:
Does it offer Military Grade Encryption?
Does it support OpenVPN Protocol?
Can it unblock Netflix or other geo-restricted streaming sites?
Does it offer a compatible client app for Mac and other related devices?
How many multi-logins does it support?
Are its pricing plans equal to the value it’s offering?
Does it offer a good server infrastructure?
Does it work in China?
Does it protect against DNS or WebRTC leaks?
Does it keep zero logs?
Is it based in a place with no data retention laws?
Does it offer unlimited bandwidth?
Does it support high speeds?
4) Other Things You Need To Know:
VPNs are incredible towards protecting your security as you might know by now, but still, there are a lot of caveats in this domain that you need to be aware of.
Free services are mostly to be avoided, even though they look enticing. Paid providers might feel expensive to subscribe to, but they guarantee you a premium performance. Running a VPN is expensive stuff and if a provider is offering a free service, then it must be making money out of nefarious areas like selling your data.
Also, take care even when you opt for the paid providers. Not all of them are trustworthy enough. Some VPNs market themselves as secure but actually aren’t. So do make it a point to do proper research on whether they have ever complied with government data gag requests, are they owned by someone credible etc. to ensure that you are entrusting your privacy in safe, reliable hands.
5) The Pros and Cons of VPNs
VPNs have a lot of pros but they also have cons, which are mostly unavoidable due to the nature of their service.
The pros include the obvious, which we’ve already covered in this post above, like making your connection private, unblocking geo-restricted sites, reducing costs of products by spoofing your location etc.
But there are some cons that you will have to contend with if you choose to use a VPN on your Mac for e.g. you will experience a considerable speed loss once you turn your VPN due to the heavy encryption, tunneling, and location hop that your internet connection goes through.
Sometimes they can stop working suddenly leaving you exposed online as well, which is a big problem if you are doing something extremely sensitive on your Mac like Torrenting. But some VPNs offer protection against this issue by virtue of a kill switch, which stops your real IP from being exposed online by killing off your internet connection as well when the VPN goes down.
Conclusion:
Subscribing to VPNs is one of the best investments you can make in today’s world where you spend most of your time on Macs traversing the online sphere. Improving your cyber-security ensures that hackers can’t find their way so easily into your system just like they do on unprotected systems.
However, do keep in mind that even though your Mac might be a secure device and you also protecting your online privacy through a VPN, both of these can never be enough alone for your overall internet hygiene.
So keep stronger passwords, enable two factor authentication whenever possible, don’t click on spam links or emails and learn to recognize spear phishing attempts along with opting for a VPN for your Mac and you will virtually never be at receiving end of a malicious ransomware or malware attack that could steal your sensitive personal or private data.
When it comes to improving the security of a WordPress website, installing security plugins is usually considered as the best practice that every WordPress website must follow. However, people don’t pay much attention to setting up file permissions and ownership of a WordPress site. But remember that, file permissions and ownership are crucial elements that help ensure the overall security of a website. And, not setting up them properly can cause fatal errors and can compromise the security of your site and make it susceptible to attack.
Through this post, I’ll provide a detailed insight on setting up proper file permissions and ownerships in a WordPress site: what exactly do we mean by file permissions and ownerships and how to properly set them up. I’ll also share with you the different type of WordPress file configurations and how they differ from each other.
Using Terminal For Changing Permissions and Ownerships Over FTP Client
As you read through this post, in several sections, you’ll find that terminal is used for changing permissions and ownerships. But, probably a few of you might wonder why can’t you use an FTP Client to serve such a need? The reason that we’ll not be using the FTP client is that it comes with certain limitations.
Wondering what?
While it’s true that the FTP Client can help in transferring files and changing the permissions of files and folders, but it refrains users from changing the ownerships settings. Now, before you begin to setup your file permissions and ownerships, be sure about getting logged-in into your server using the “SSH” command. If you’re not familiar with using Linux commands, then you can have a better understanding of the same by going the article: “Introduction to Linux Commands.”
Understanding the Difference Between Groups and Users
One important concept that you need to become familiar with before getting down to anything technical is the difference between users or groups. That’s because, both users and groups are closely related and are used to define permissions.
The user is basically an account having access to a computer system, while a group that help identify a set of users. What this means is that at the time whenever you need to transfer your files using an FTP client, you’ll need to get logged in with your main server – using your user account. And based on how your web host has set up your user account, you might be a part of one or more groups.
In essence, you can consider “Users” and “Groups” to be just like WordPress users roles. Both of these concepts are same in a contextual manner, however, the former is being used on the server.
What makes users and groups important is that they help in recognizing identifying files and folder privileges. Any user, who is the owner, of a particular file usually have complete privileges on that file; a few other users belonging to the same group as the owner will have lesser privileges to the file. Lastly, everyone else won’t be having any privileges on the file.
What Exactly Does File Permissions Mean?
So now that you’ve come to know about a few basic aspects of file permissions and ownerships, let us now talk about what exactly do we mean by WordPress file permissions.
In simple terms, permission is something that makes users authorized to read, write, modify and access different files and directories, belonging to a website. In WordPress, permission is normally highlighted by a set of different numbers, such as: 644 or 777. These numbers are also referred to as “permission mode”.
If you’re a programmer and have worked on WordPress files and plugins before, then you most likely would have stumbled across a situation wherein: a certain program asks to change the permissions associated with some specific files and directory, since they cannot be configured by a plugin. Put it simply, in order to give your web server the ability to access anything from a file, you’re required to change the file’s permission.
Oftentimes, permission mode in WordPress are being referred to as a statement: “who can do what”, to which every single numeric value (of the permission mode) represents the “who” part of that statement.
The first numeric value corresponds to what can a user account having ownership of the file can do.
The second numeric
value corresponds to what all other user accounts – that are a part of the group that owns the file – can do.
The third numeric value represents
what leftover user accounts can do.
Next, in the permission mode the numbers represent
the “what” part of the programming statement, and is basically the “sum of the combinations” of the following digits:
4: Read a file, or the many different names of the files placed in a particular folder
2: Write a file or modify it, or allow modifying the contents of a specific folder.
1: Executes a file or run it, or help provide access to the files inside a particular folder.
The above mentioned digits are actually the privileges that are associated with the “who” part of the permission mode. Note: Permissions can vary from one host to the other.
Understanding How You Should Modify the Permission Modes
An FTP client provides an interface that allows to change the permissions of all the files and folders in a highly convenient manner. The interface of the FTP client looks something like:
You can even make changes to the permission mode of your WordPress website files using the server’s terminal, but you must-have access to the terminal. Apart from having access to the terminal, you can make use of the “chmod” command for making the desired changes to permission modes of a particular file as well:
sudo chmod 644
Now, for making modification to all of the files (and folders) of your site, you’ll have to use the chmod command together with the find command, as follows:
sudo find . -type f -exec chmod 644 {} +
A Look at the WordPress Server Configurations
Before you start to make changes to your WordPress file permissions, it’s very important for you to become familiar with the process of setting up the server first. You can find many different server configurations that requires a distinct set of permission modes to make a WordPress site work in a proper and secure manner. But, I’ll be sharing only two of the most important and commonly used configurations and how you can set up proper file permissions for those configurations.
1. Standard Server Configuration – This WordPress configuration does not have any relationship between the user account and web server. This is because the configuration requires that the web server must run as any other user account. Before we start with the process of setting up permissions for the files for the standard server configuration, we must make some adjustments to the ownerships of files and folders taking into account the following considerations:
your user account must own all the files and folders of a WordPress install.
your user account and another user account of your web server should be part of the same group.
You can find out the group that your user accounts are associated with, using the “groups” command within your server’s terminal. And, to figure out the groups that your web server is a part of use the following PHP script:
echo exec( ‘groups’ );
If you come across a situation where your user and the web server belongs to a different group, then you can add a user to any group of your web server, by using the below provided command in the terminal:
sudo usermod -a -G <a-the-group-name> mygroup
In order to ensure that your user account has access to all the things of your WordPress folder and belongs to the newly created shared group, simply run the below mentioned command within the folder of your WordPress install:
Abiding by all of the aforementioned commands will ensure that all the files and folders of your WordPress site have correct ownership. Lastly, all you have to do is to make adjustments to the file and folder permission mode. To do so, you must keep the following key points in mind:
All files are required to have 664 permission mode.
All folders are required to have 775 permission mode.
The permission mode of the wp-config.php file ought to be 660.
Use either an FTP client for modifying the permission modes, or simply use the below mentioned commands within your WordPress install directory to serve such needs:
2. Shared Server (Or SuEXEC) Configuration: Compared to the standard WordPress server configuration, the permissions for the shared server configuration can be implemented in a remarkably easier way. This is because, we don’t need to emphasize on setting up the ownership since the web server owns the files and folders. This means that both our user account and web server are the owners, and have same privileges. And so, all we have to do is to modify the permission modes considering the below listed key points:
all the files ought to be 644.
all your folders ought to be 755.
And the permission mode of wp-config.php file should be 600.
To change the permissions of the files and folders, simply use the following commands in your WordPress website directory:
sudo find . -type f -exec chmod 644 {} +
sudo find . -type d -exec chmod 755 {} +
sudo chmod 600 wp-config.php
Final Words
One more important thing that you must consider is to avoid using the ‘777’ permission mode since it allows anyone to get access to the list of files, and enables to make modifications to any file in the folder. It’s pretty obvious that giving access privileges of a file to everyone is not good for your website security, as malicious users can place code in the file that can compromise your site’s security.
Hope that the post will make you better understand about the correct way to set up the file permissions and ownerships of your WordPress website.
Author Biography:
Jack Calder is a master in Web development technologies. He has successfully completed so many projects on time. Right now he is a PSD to WordPress Conversion service provider for some potential clients for SKT Themes.
DDoS (distributed denial of service) attacks are one of the most popular and hardest to deter hacking attacks known. In a distributed denial of service attack, a server is flooded with so many connection requests that it buckles and goes down because it doesn’t have the bandwidth to support all the connection requests. This is similar to what happens to a website when it goes viral and is flooded with traffic until it goes down, only in this case, the traffic isn’t legitimate viewers. The whole purpose of a DDoS attack is to take the website down and disrupt its ability to support legitimate web traffic, as well as incur high bandwidth fees and possible disruption of service for the website owner.
You may wonder, who would want to do that to my website? Why would they want to do that to my website? The answer is that it could be anyone that doesn’t like you, disagrees with the content of your website, or even just in general feels like causing chaos.
Good web hosts already take security measures to help protect you from these types of attacks. You can find out who the best web hosting is by browsing through the expert and user reviews and ratings. But, even the most secure web host can’t provide complete protection for your website. The rest is up to you.
1. Virtual Private Networks
A virtual private network (VPN) is an encrypted server you can connect your website to. Its entire purpose is to mask the origin of your website’s server, which makes it much more difficult to target your website in a DDoS attack. VPNs were originally used by businesses and private users to connect to the internet safely, but nowadays they can be utilized by websites as well for an extra measure of protection.
Another major way in which a VPN can help protect you is encrypting your web traffic between you and your website if you use it on your personal PC. This makes it much harder for a hacker to use sniffing tools (tools designed to intercept and access the information passed between you and the internet) to find out your login credentials and hijack your website.
2. Plugins
If you’re using WordPress, there is great news for you. WordPress already has several plugins to help you protect yourself against a DDoS attack. Loginizer limits the amount of times someone can try logging into an account before their IP address gets blocked from your website, which is helpful in preventing brute force attempts as well as attempts to flood and confuse your server with login traffic. The Wordfence and Bulletproof Security plugins assist further by blocking traffic that is demanding too many connection requests at once, as well as setting up blacklists of bad IP address ranges that have been found to have malicious intent.
However, plugins shouldn’t be your only choice for protecting your website from DDoS attacks. Many plugins go neglected by their developers and lack up to date security measures to keep your website safe. You should make sure you are only using plugins that are up to date, have numerous good reviews, and are well trusted within the WordPress community.
3. Surveillance
None of the security tools in the world can replace your own eyes. In the case that a DDoS attack slips through, you may notice that your pages are loading slowly and have time to block the bad IP address ranges before your website goes completely down.
Check your website out every day by doing a scan through the main pages. If you notice anything out of place, go ahead and assume that something is wrong and take measures to block any suspicious traffic. The same goes for your page views and other web performance statistics. If these suddenly drop for apparently no reason, don’t just assume it’s a bad day. Investigate further to see if you’re a victim of an attack.
Again, make sure that your web host is a good web host that takes security measures to help protect your website against DDoS attacks, as well. If they don’t, or if you notice you keep getting DDoS attacks, it may be time to switch web hosting providers.
4. Don’t Go Looking For Trouble
You have every right to defend yourself and your website online, but first ask yourself if the fight is really worth the battle. You never know if the person you get in a dispute with online is a hacker or has hacker friends, and hackers love to have any excuse to attack a website. A DDoS attack may be the least of your concerns if you manage to piss a hacker (or hacker’s friend) off.
So don’t fall for flamebait or trolls. Ask yourself if you’ve got better things to do. Responding to verbal attacks or disagreeable opinions online could just be the fuel that starts a fire you don’t want to have to put out.
Additionally, show good web etiquette and only post your website’s URL where it is welcomed. Don’t advertise or spam other websites with your URL if they are not designed for advertising.
5. Cloud Distribution Networks
Cloud distribution networks (CDN) can give you an extra layer of security by handling your web traffic load for you. These networks spread your web traffic among multiple servers so that in case your website gets a DDoS attack, the traffic gets spread out among their servers and doesn’t take your website down. Additionally, they include security measures such as encryption, connection request limits, and CAPTCHAs to prevent DDoS attacks from happening in the first place. CloudFlare offers their basic tier of service for free, and walks you through the entire setup step by step.
Additionally, don’t assume that just a little bandwidth above your current web traffic load is everything you need. Make sure you have plenty of bandwidth to handle a sudden spike in traffic so if your website goes viral it won’t buckle under the load. Doing this will also make it harder for hackers to take your website down in a DDoS attack, since it will take a lot more traffic than normal to take your website down.
6. Have A Plan
Make sure you have a contingency plan in the event that a DDoS attack takes place. A very simple plan looks something like this:
Check the traffic flow to determine just how much traffic you have to handle during the DDoS attack.
Start using any tools or technologies you have access to that can help you handle the DDoS attack’s traffic load.
Try to identify the originating IP addresses/IP address ranges and, if so, block them from accessing your website.
Temporarily change your IP address with your web hosting provider’s help to throw the attackers off the trail for a bit.
Contact your web hosting provider to see if there’s anything additional they can do to help you.
If everything else fails, shut down your website. This will make the attacker’s efforts useless and they may move on faster.
After the situation has passed, analyze your website’s security and see if there’s anything more you can do to prevent future attacks.
7. Why are DDoS Attacks So Bad?
Ultimately, DDoS attacks are so disastrous because they can lower your readership by causing your viewers to lose faith in your website’s stability. Dead air is just as disastrous for a website as it is a TV or radio station. So, you want to make every preparation you can ahead of time to prevent a DDoS attack from ever being a problem.
Now is the time to take action. Check your website and see what plugins or tools you can install to help you in the event of a DDoS attack. Check every corner of your website and administrative tools and make sure you are familiar with all of it. Teach yourself more on how DDoS attacks work, and create a contingency plan today that will help you know what to do should your website be victimized in a DDoS attack.
Well if you recently upgraded/updated your WordPress website to 4.2.3 and it didn’t break your website you need not worry. But if it did break your website here are some of the possible reasons why it might have caused it in the first place:
WordPress.org core team has actually made changes to the shortcode API as has been listed here: https://make.wordpress.org/core/2015/07/23/changes-to-the-shortcode-api/
What happened due to this was that several plugin developers had used Shortcodes API in the way it suited their requirements and their plugin.
Now with changes to Shortcode API their whole plugin/code came crumbling down and basically breaking the websites which used these plugins.
Most common plugins which got affected were:
1. Types
2. Views
Since then users community have been posting remarks about WordPress auto background updates and whether or not its a good idea.
WordPress.org core team now needs to understand that website development agencies, plugin developers and theme developers all form part of their group and they should have announcements prior to releasing of any major update/changes like this which might possibly break a theme or plugin.
Often nowadays with increase in number of hackers around the world many WordPress sites have become prone to these hackers. They often get compromised with either loss of data or breach of security with important data being thrown out in open supposed to be private.
Sometimes hackers hack the site completely and leave a black or white page with their info written in bold writing hacked by so and so and their email id for contact.
Many clients visit these email addresses and ask them to remove their hack codes and return them their site.
These hackers in turn charge exorbitant prices for returning the site to normal.
And hence we get to see such posts in WordPress support forum: “Wordpress site hacked. Help!” “or my WordPress sites keep getting hacked”
How to deal with such situations?
Well as a best practice you should always have a backup of your site. Also there are a number of resources or plugins one should look at while hardening a WordPress security and also should scan their site at sucuri site scanner.
But people often tend to leave their site as it is and don’t often visit their site or update it.
Although in this WordPress release all the CSRF vulnerabilities weren’t fixed however they fixed the file upload CSRF vulnerability.
On another note all the themes on SKT can automatically be upgraded to version 3.6.1 as they have been found to be fully compatible with.
All the custom codes inside your WordPress themes and plugins shouldn’t get affected by this update since it only holds certain fixes for security.
It is however suggested only for people who run WordPress 3.5 and above to update to latest version. Previous version WordPress users should always first back up their WordPress before upgrading and should rather upgrade to 3.5 first and then upgrade to latest version.
