GPWA Times Magazine - Issue 32 - June 2015
If you're running Windows 8, Microsoft Security Essentials will cover all your needs, as it's an anti-virus and anti-spyware malware scanner and a firewall. It's good enough, but again, the first step in prevention is not visiting the sites that will infect your computer. Other good tools are Malwarebytes' Anti-Malware, AVG Free, Avira Free, Spybot - Search & Destroy and Ad-Aware. You can run these periodically: install them only to do a full scan and then uninstall them afterwards, because they slow the machine down significantly when left running in the background.

Backup

A webmaster who does not back up his site will regret it sooner or later. Backups are your No. 1 tool to keep your site safe, as you can replace the hacked site with a healthy earlier version, but only if your backup schedule is smart enough.

See if your hosting provider offers automatic backups, and if it does, set up weekly backups of your entire website. You can use these backups to restore the site if something goes wrong. The backup schedule should allow for at least a dozen weekly backups (the older ones being deleted), plus at least a week's worth of daily backups.

You can also back up the site manually using the cPanel Backup Wizard, or you can install a plug-in to do it for you. The most popular plug-ins are BackUpWordPress, ManageWP Worker and VaultPress. Bear in mind that the best way to back up is directly on the server. Don't just store the backups online; keep a copy on your computer.

As a general rule of thumb, one backup is not good enough. There should be two copies, stored in two different locations, and one of them should preferably be offline. You should always have a backup you can use if something goes wrong, and a backup you can use if you want to revert to the last major update you did (e.g., a redesign or the addition of a new feature).

Scan folders and files

This is something most webmasters never do.
Detection is a major part of security, as hackers prefer to go undetected so they can keep exploiting your website. Occasionally, log into cPanel File Manager or access the site with FTP and have a look around. Click through the folders and see if anything looks suspicious. Is there a strange file that doesn't belong there? You can also ask your hosting provider to run a security scan for you. If you suspect something, you can run a WordPress plug-in called Exploit Scanner, which will leave you with a detailed log to troubleshoot. You can (and should) use a plug-in such as Sucuri Security to scan for malware as well.

Disable registration and comments

If you allow users to register, whether for a forum or just to post comments, you have a whole new set of problems which aren't covered in this article. Think twice: do you really need to allow users to log in? If you can achieve the same thing by letting them log in through Facebook or Disqus, that's a better way to go. In that case, the user doesn't actually log into your website, and therefore the hacker doesn't have anything to exploit.

WordPress doesn't have a feature to disable comments site-wide, so if you want to do that, you'll have to use a plug-in. There's one conveniently named Disable Comments that will do the trick. In general, it's very difficult to keep the comments and user registration clean when using WordPress. It's a much better choice to redirect all communication with your visitors to Facebook, Twitter or some other social medium. Newsletter subscriptions are not a problem, because you're just asking visitors to enter their name and e-mail address, and they can't actually log into your site.

To sum it up, avoid giving the general public the ability to log into your website. Do collect their e-mail addresses, do give your writers login access, but divert all community activities to social media if possible. No one has resolved the problem of comment spam.
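The retention policy from the Backup section above (a week of daily archives plus a dozen weekly ones, two copies in two places, every archive checked before it is trusted) is easy to get wrong by hand. The script below is an added example, not code from the magazine or from any of the plug-ins it names; it assumes bash with a standard tar, a site directory to archive, and leaves the database dump (mysqldump written into the site tree before the tar step) to the reader. The backup root and mirror directory names are placeholders chosen here.

```bash
#!/usr/bin/env bash
# Added example (not from the article): rotating backups of a WordPress
# document root with the retention the article recommends: a week of
# daily archives plus a dozen weekly archives, mirrored to a second
# location. Archive names carry the date, so sorting by name sorts by
# age. The database dump is left out; it would be written into the site
# tree (e.g. with mysqldump) right before the tar step.
set -eu

DAILY_KEEP=7     # "at least a week's worth of daily backups"
WEEKLY_KEEP=12   # "at least a dozen weekly backups"

# backup_site SITE_DIR BACKUP_ROOT [YYYYMMDD] [DAY_OF_WEEK 1..7]
# Writes BACKUP_ROOT/daily/site-DATE.tar.gz; on Sunday (7) the same
# archive is also filed under BACKUP_ROOT/weekly/. Prints the archive path.
backup_site() {
  local site_dir=$1 root=$2
  local stamp=${3:-$(date +%Y%m%d)} dow=${4:-$(date +%u)}
  local archive="$root/daily/site-$stamp.tar.gz"
  mkdir -p "$root/daily" "$root/weekly"
  # -C keeps paths relative to the parent, so the archive restores in place
  tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
  if [ "$dow" = 7 ]; then
    cp "$archive" "$root/weekly/"
  fi
  printf '%s\n' "$archive"
}

# verify_archive ARCHIVE: a backup that cannot even be listed cannot be restored
verify_archive() {
  tar -tzf "$1" > /dev/null
}

# prune_backups DIR KEEP: delete everything but the newest KEEP archives
prune_backups() {
  local dir=$1 keep=$2 total
  total=$(ls -1 "$dir" | wc -l | tr -d ' ')
  if [ "$total" -le "$keep" ]; then
    return 0
  fi
  ls -1 "$dir" | LC_ALL=C sort | awk -v n=$((total - keep)) 'NR <= n' |
    while IFS= read -r name; do
      rm -f "$dir/$name"
    done
}

# mirror_backups BACKUP_ROOT MIRROR_DIR: the second copy in a different place
# (in practice another machine or an offline disk, as the article advises)
mirror_backups() {
  mkdir -p "$2"
  cp -R "$1/." "$2/"
}

# run_backup SITE_DIR BACKUP_ROOT MIRROR_DIR: one nightly run from cron
run_backup() {
  local site_dir=$1 root=$2 mirror=$3 archive
  archive=$(backup_site "$site_dir" "$root")
  verify_archive "$archive"
  prune_backups "$root/daily" "$DAILY_KEEP"
  prune_backups "$root/weekly" "$WEEKLY_KEEP"
  mirror_backups "$root" "$mirror"
}

if [ "$#" -eq 3 ]; then
  run_backup "$@"
fi
```

Run it as `run_backup /var/www/site /backups /mnt/offsite` (paths are placeholders) from a nightly cron job; the weekly tier fills itself on Sundays and both tiers are pruned on every run, so the disk never holds more than 7 + 12 archives. The mirror step copies the whole root, so the second location also contains a verified archive rather than an unchecked one.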
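"Have a look around and see if any file looks suspicious", from the Scan folders and files section above, only works if you know what the folders looked like before. The script below is an added example (not code from the magazine, from Exploit Scanner or from Sucuri Security) that makes the check repeatable: take a checksum baseline of the document root right after a clean install or update, then diff later runs against it and flag PHP files under wp-content/uploads, where only media belongs. It assumes bash with POSIX find, cksum and awk, and file paths without tab characters.

```bash
#!/usr/bin/env bash
# Added example (not from the article): baseline-and-diff integrity check
# for a WordPress document root. snapshot_site records a checksum per file
# (the known-good state); scan_site reports files that are NEW, CHANGED or
# MISSING since then and flags any PHP file under wp-content/uploads.
set -eu

NL='
'

# snapshot_site SITE_DIR MANIFEST: one "checksum<TAB>./relative/path" per file
snapshot_site() {
  local site=$1 manifest=$2
  (
    cd "$site"
    find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s\t%s\n' "$(cksum < "$f" | awk '{print $1}')" "$f"
    done
  ) > "$manifest"
}

# scan_site SITE_DIR MANIFEST: prints findings; returns 1 if there are any
scan_site() {
  local site=$1 manifest=$2 current report php_in_uploads=""
  current=$(mktemp)
  snapshot_site "$site" "$current"
  # compare the old and new manifests path by path
  report=$(awk -F'\t' '
    FILENAME == ARGV[1] { old[$2] = $1; next }
                        { new[$2] = $1 }
    END {
      for (p in new) { if (!(p in old)) print "NEW " p; else if (old[p] != new[p]) print "CHANGED " p }
      for (p in old) { if (!(p in new)) print "MISSING " p }
    }' "$manifest" "$current" | LC_ALL=C sort)
  rm -f "$current"
  # executable PHP inside the uploads tree never belongs there; media does
  if [ -d "$site/wp-content/uploads" ]; then
    php_in_uploads=$(cd "$site" && find ./wp-content/uploads -type f \
      \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) |
      LC_ALL=C sort | sed 's/^/PHP-IN-UPLOADS /')
  fi
  if [ -n "$php_in_uploads" ]; then
    report="${report:+$report$NL}$php_in_uploads"
  fi
  if [ -z "$report" ]; then
    return 0
  fi
  printf '%s\n' "$report"
  return 1
}

# Usage: snapshot once after a clean update, then scan from cron and
# mail yourself the output whenever the exit status is non-zero.
case "${1:-}" in
  snapshot) snapshot_site "$2" "$3" ;;
  scan)     scan_site "$2" "$3" ;;
esac
```

Keep the manifest outside the document root (a file the attacker can rewrite is not a baseline), and retake it after every legitimate update so that the next scan only reports what you did not do yourself. A CHANGED core file or a NEW .php file in uploads is exactly the "strange file that doesn't belong there" the article tells you to look for.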
COVER STORY: WordPress security essentials

Disable phpmail()

Contact customer support at your hosting provider and ask them to disable the phpmail() function on your entire server. This is the feature that allows mass e-mails to be sent with a small PHP program, and to do so without needing to know the password of the e-mail account. Webmasters use it for contact forms, and hackers exploit it to use your server to send millions of spam e-mails.

Contact forms can also use SMTP, which requires user authentication. It's a bit tricky to set this up, but it's worth the trouble, as phpmail() really is a major security issue. You'll do less harm to your site by putting a contact e-mail address out in the open than by using a powerful feature such as phpmail() only to host a simple contact form. All newsletter tools have the option to use either phpmail() or SMTP, so switching is not a problem, but you will have to update the configuration and change it to SMTP if you're disabling phpmail().

It's important to keep plug-ins to a minimum, reducing the chance of one of them causing a problem down the line. It's equally important to use stable plug-ins by reputable developers. Don't install junk on your site, and uninstall any plug-in or theme you aren't using.
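Asking the host to switch phpmail() off is only half the job; the other half is confirming it happened. The function the article calls phpmail() is PHP's built-in mail(), and hosts turn it off by listing it in the disable_functions directive of php.ini. The script below is an added example (not from the magazine or any hosting panel) that checks both the configuration file and the running interpreter. It assumes bash with sed, grep and tr; the php binary is optional. One caveat it encodes: the command-line php often reads a different php.ini than the web server's PHP, so check the file that the web server actually loads (phpinfo() shows its path).

```bash
#!/usr/bin/env bash
# Added example (not from the article): verify that PHP's mail() (the
# article's "phpmail()") is disabled. mail_disabled_in_ini parses a php.ini
# for "mail" in disable_functions; mail_disabled_runtime asks the PHP
# interpreter, which also catches settings the host applies outside the
# file you can see. The CLI may load a different php.ini than the web
# server's PHP, so point this at the file the web server uses.
set -eu

# mail_disabled_in_ini PHP_INI -> 0 if mail is listed in disable_functions
mail_disabled_in_ini() {
  local ini=$1 list
  # strip comments, keep the last disable_functions line (later lines win),
  # take everything after "=", then split the comma-separated value
  list=$(sed -e 's/[;#].*$//' "$ini" |
         grep -E '^[[:space:]]*disable_functions[[:space:]]*=' |
         tail -n 1 | cut -d= -f2- || true)
  printf '%s\n' "$list" | tr ',' '\n' | tr -d '[:blank:]' | tr -d "\"'" |
    grep -ix 'mail' > /dev/null
}

# mail_disabled_runtime -> 0 if the php CLI reports mail() as unavailable,
# 2 if there is no php CLI (result unknown, which is not the same as safe)
mail_disabled_runtime() {
  if ! command -v php > /dev/null; then
    echo 'php CLI not found; check from the web server instead' >&2
    return 2
  fi
  # function_exists() returns false for functions removed via disable_functions
  [ "$(php -r 'echo function_exists("mail") ? "yes" : "no";')" = "no" ]
}

if [ "$#" -eq 1 ]; then
  if mail_disabled_in_ini "$1"; then
    echo "mail() is disabled in $1"
  else
    echo "mail() is NOT disabled in $1"
  fi
fi
```

Once both checks pass, every contact form and newsletter plug-in on the site must already be configured for authenticated SMTP, as the article says, or their mail will silently stop; test a form submission right after the switch.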