Securing a WordPress Website

There’s no single security product that can protect your site 100%. Instead, apply multiple security layers to keep your site safe. Even if you have a small site, you should make sure it’s properly protected because attacks are often performed by bots that select sites randomly.

1. Use a secure password and change it regularly

Use a complex password that is hard to guess, and don’t use the same password for different accounts.

Set a reminder to change your password regularly – at least once per quarter. If you have additional admin users on your site, remind them to change their passwords as well.

Complex passwords are a necessity these days and it can be a burden to remember every single password. The solution is to use a password manager to keep track of all your passwords. In its simplest form, a password manager uses one master password to secure a vault containing all the passwords that you use across websites and online services. Many have functions to automatically type the stored password for you, saving you from copying and pasting, or worse manually typing them in. The best password managers work across all platforms including mobile phones and tablets.

Popular password managers

Most password managers are a paid service, and the price is worth the added security. If you require a free solution, KeePass is your best choice, especially in single user environments. It has fewer features than most other password managers but does not take any shortcuts with regards to security.

2. Limit sign in attempts

Another way to prevent unwanted access to your site is to limit sign-in attempts. This blocks the WordPress sign in page after a certain number of failed sign-in attempts, making it harder for bad actors to guess your username and password. Not just bad actors, but also bot that try to brute-force guess the admin password. This is why using a secure password and changing it regularly is so important.

  1. Sign into your WordPress dashboard.
  2. In the left-side menu, select Plugins > Add New.
  3. Search for “Limit Login Attempts Reloaded”.
  4. Select Install.
  5. Select Activate.
  6. Go to Settings > Limit Login Attempts.

From the Settings page you can change how many attempts a user gets, set how long they are locked out for, set what kind of notifications you get when a lock occurs, and make the plugin GDPR compliant.

From the Logs page you can Safelist/Blocklist specific IPs and/or usernames.

3. Keep your site updated

Make sure you update WordPress, plugins, and themes regularly. The newest versions contain security improvements and bug fixes for vulnerabilities that exist in previous versions. Allowing outdated software to continue running makes your site vulnerable because bad actors can simply exploit the known weak points in the outdated version, using them to gain access to your website, including all the data you may have on customer and their purchases.

To update your WordPress:

  1. Sign into your WordPress dashboard.
  2. At the top left-hand corner of your dashboard, if there’s a notification that the new WordPress version is available, select Please update now. Note: If you don’t see the notification, your site is already running on the latest version of WordPress.
  3. From the same page you can also update all the installed plugins and themes.

4. Delete themes and plugins you don’t use

We recommend deleting plugins and themes you don’t use. Unnecessary software can make your site more vulnerable, especially if you forget to update it regularly.

5. Use a security plugin

Having a security plugin adds additional layers of security to your site. There are many free and premium WordPress security plugins available. Note: It may be best to work with your webmaster or developer to install and configure a security plugin. They will be able to recommend the best option for you and have the knowledge and experience to get it setup correctly.

6. Get an SSL certificate

Having an SSL certificate is necessary for the security and credibility of your site, especially if you sell services or goods online. It has also become one of the key factors that affect your ranking on search engines, so it’s beneficial for SEO.

There are several plugins available for WordPress that enable using SSL, most of which are free.

While in the past SSL certificates were expensive, that is no longer the case. Let’s Encrypt provides free SSL certificates to anyone, as well as tools to automate the maintenance and renewal of their certificates. It can be a little tricky getting started with SSL so feel free to contact our support team for assistance.

7. Watch for unexpected changes on your site

Although prevention is key when it comes to WordPress security, it’s also important to know what to look for in case bad actors do manage to gain access to your site. Signs that your site might be compromised are a sudden increase in traffic and/or unexpected changes in the overall amount of disk space consumed by your website. Additionally, you may see an increase in the number of emails being sent from your website with a corresponding increase in complaints of users receiving spam from you.

To detect the sudden change in traffic, you can connect your site to Google Analytics and monitor the data.

To make sure the space your website uses has not increased, check the size of your site in the WordPress dashboard.

  1. Sign into your WordPress dashboard.
  2. In the left-hand menu, select Tools > Site Health.
  3. Select Info.
  4. Select Directories and Sizes.
  5. Next to WordPress directory size, you can find the total size of your site. In the rows below, you can see the size of the Uploads, Plugins, and Themes directories.

Keep track of these numbers in a spreadsheet so that you know for sure when there has been significant change. By comparing the results on a regular basis, you will notice when something is suspicious and can take the necessary steps.

8. Back up your site regularly

If your site does become compromised, having a clean recent backup can save the day by allowing you to restore a clean version of your site. In WordPress, you can use UpdraftPlus, a free plugin to schedule automated backups, so you don’t have to do it manually.

Alternatively, you can add a 100% managed nightly backup to your hosting plan by contacting us. We will set it up and manage it for you for a small annual fee, giving you better security and peace of mind.

Using the /etc/hosts file for custom domains during development

This document shows how to review a website with a custom domain name before the domain is publicly mapped to the web server. Lets assume your production/public website is at example.com. You would like to review the new version of the site using the example.com domain name but do not wish to have those changes seen by the general public.

This is accomplished by modifying the /etc/hosts file on your local computer to point the domain name to the IP Address of the development or staging web server you want to test. The /etc/hosts file contains a mappings of IP addresses to domain names that override what would normally be provided by DNS.

Editing your /etc/hosts file on a Mac

If you’re using a Mac with macOS, to edit your /etc/hosts file, open a Terminal window and run the following command:

sudo nano /private/etc/hosts

You may be asked for your password to edit the file. Enter your password.

Editing your /etc/hosts file using Windows

If you’re using Windows, to edit your \etc\hosts file, open %windir%\system32\drivers\etc\hosts and edit the file. If the directory and file don’t exist, you can create them.

Most Windows users may have trouble editing their \etc\hosts file because Windows includes file overwrite protections that allow only an Administrator to make changes to the file. To launch Notepad as Administrator, press the Windows key, type Notepad, right-click the Notepad application that appears, and select Run as administrator. (You can also launch any other text editor you prefer, such as Notepad++.)

Adding entries to the /etc/hosts file

The IP addresses for your website will have been provided to you. Add an entry to your /etc/hosts file in the following format:

[IP address]  [URL]

For example, if your Prod environment has the IP address 199.119.218.152 and the custom domain you want to use is www.example.com, add the following line to your /etc/hosts file:

199.119.218.152    example.com   www.example.com

With this change, whenever you visitexample.com or www.example.com, your browser will take you to your website hosted at the IP Address instead of website pointed to by the DNS record. You will likely need to completely close and restart your web browser for it to take effect.

When you  finished working with the development or staging website simply reverse these steps to restore normal browsing behavior.  If you need to switch between development/staging and production you may simply “comment out” the change by placing a # at the beginning of the line and saving the file:

#199.119.218.152    example.com   www.example.com

Email Migrations

If you’re migrating to our email services there are some steps you will need to take to help this process along.

Before Migration

Before migrating, you will need to change some of your account settings. It’s best to make sure these steps are done from your primary computer.

If you’re using webmail, to ensure the best compatibility, you should download any folders to your local machine. We recommend doing this as not all webmail services are compatible with our email migration tools.

POP3 users must ensure they uncheck “leave a copy of my email on the server” options as emails may be duplicated otherwise. Each email client is different but the option should be in one of the advanced areas of account management. Outlook, for example, can be found under “Account Settings > Change your account > more settings > advanced” and on a Mac, it can be found at “Mail > Preferences > Accounts > highlight the account > Advanced”

After Migration

POP3 users can return their “leave a copy of my email on the server” to their original settings.

If you wish to switch to IMAP from POP3 we recommend creating a brand new IMAP account, and copying emails to the IMAP account by dragging and dropping.
Emails can be lost if the POP3 account is deleted before moving messages. For added security, you may wish to backup your current emails first.

Troubleshooting

The migration can take up to 12 hours to work, during this time email shouldn’t be lost. If you’re having trouble connecting please make sure at least 12 hours has passed since the migration started before changing the configuration. While editing these settings ensure that you do not delete the account, some or all of your email may be lost.

Also at any point in time, you may log in your webmail at https://provisionmail.net to check your email.

Open your account settings and change the following:

Incoming Mail Server (IMAP)

Server: provisionmail.net
User Name: <your email address>
Password: <your password>
Incoming (IMAP) Port: 143 (or 993 for Secure SSL/TLS)

Outgoing Mail Server (SMTP)

Server: provisionmail.net
User Name: <your email address>
Password: <your password>
Outgoing (SMTP ) Port: 587 (or 465 for Secure SSL/TLS)
*The Outgoing (SMTP) server requires authentication

If you have trouble with any of this, please contact us.

 

Premium Shared Resources

Our premium email service subscribers will be able to enjoy use of our shared and personal calendars. To get started with a new calendar follow the step by step instructions below.

New Calendar or Task List

To begin, log in to your email account through the web interface at https://provisionmail.net

  1. Click Settings
  2. Expand My Settings to find Calendar Settings
  3. Change tabs to Calendars
  4. Click Add
  5. Enter the options you would like to use
  6. Click Save.

Your new Calendar or Task list should now be available to use through the relative menu items.

Share Personal Resources

sharedresourcesTo begin, log in to your email account through the web interface at https://provisionmail.net
Please keep in mind that a shared resource must have an owner. If an account is deleted it’s shared resources are deleted too. An administrator can, however, create domain resources.

  1. Click Settings
  2. Expand My Settings then Sharing to find Shared Resources
  3. Select New to start the wizard to create a new share
  4. Select the resource you wish to share, then click Next
  5. Select the Users or Groups to share with, and those user’s access permissions
  6. Click Save.

The resource should now be available to the shared users.

Domain Resources

domainadminsharedTo begin, log in to your domain administration account through the web interface at https://provisionmail.net

  1. Click Settings
  2. Expand Domain Settings to find Shared Resources
  3. Select New to start the wizard
  4. Enter a name and resource type, then click Save
    Using the conference room option will make the resource available to everyone.
  5. Select and Edit the new resource
  6. Click Add Permission
  7. Select the Users or Groups to share with, and set the access permissions
    Auto Map attaches the resource to all selected users. See Mapped Resources below
  8. Click Save

The domain resource is now available.

Mapped Resources

mappedresourcesFor a user to view a shared resource they must map it to their account. Auto mapping options are also available when setting permissions for a shared resource. To begin, log in to your email account through the web interface at https://provisionmail.net

  1. Click Settings
  2. Expand My Settings and Sharing to find Mapped Resources
  3. Select a shared resource and click attach
  4. Specify a name
  5. Click Save

The resource should now appear alongside the other items.

Add to Outlook

calendarTo begin, log in to your email account through the web interface at https://provisionmail.net

  1. Click Calendar
  2. Click Actions and select Add to Outlook
  3. Follow on-screen instructions and click Save
  4. You will see a request to open the application
    The application opening the request should be listed
    Click Launch Application
  5. In Outlook a popup will ask you to confirm adding the calendar
    Clicking Yes will allow Outlook to talk with SmarterMail.

tooutlookThe resource should be available to the Outlook Calendar.

Spinmail/Spincaster Email Configuration

If you’re a Provision Mail customer you will need to use the Provision Mail settings.

Web Mail

You can access your email from any modern web browser by going to https://spinmail.provisionmail.net/.  Simply login with your full email address and password.

Server Settings

IMAP server: spinmail.provisionmail.net
IMAP port: 143 (or 993 for Secure SSL)

SMTP server: spinmail.provisionmail.net
SMTP port: 587 (or 465 Secure SSL)

The outgoing server (SMTP) requires authentication

Some customers may be configured differently. If you’re having trouble please contact us.

Change sent, draft and deleted folders on an iPhone

On occasion messages can appear to vanish when using multiple devices to check your IMAP email account. This can sometimes be fixed by changing a few settings on the phone.

  1. Open the Settings app.
  2. Scroll to Mail and open it.
  3. Select your email account
  4. Select the displayed IMAP account
  5. Scroll down and tap Advanced
  6. Under Mailbox Behaviors make ensure the following are set:
    1. Drafts Mailbox: Drafts on my iPhone/iPad
    2. Sent Mailbox: Sent Items on the Server
    3. Deleted Mailbox: Deleted Items on the Server
    4. Archive Mailbox: Archive on my iPhone/iPad
  7. Under Move Discarded Messages Into:
    1. Ensure Deleted Mailbox is selected
  8. Under Deleted Messages:
    1. Choose a time-frame that appropriate for you.  The recommended setting is one month.
  9. Tap < Account
  10. Tap Done
  11. Tap < Accounts

You may wish to login you your web mail account and move items from Deleted Messages to Deleted Items, etc.

Email Content Filtering

Content filtering is a great way to perform actions on emails that meet specific criteria. For example, you can use content filters to delete messages with certain attachments (e.g., attachments with a .exe extension), forward messages from a specific email address to another account, or even alter the subject of specific types of email. Content filters are most commonly used to organize email by moving messages to specific folders. However, content filtering is extremely flexible and allows you to filter messages the way you want to.

Content filtering is not available on our legacy email servers.

To access your content filtering settings,  follow the steps below.

  1. Login to the Web Mail interface using your web browser.
  2. Click on the Settings icon.
  3. Expand My Settings and Filtering Folders.
  4. Click on Content Filtering.

Note: Please create any folders you wish to use prior to creating a rule, as you cannot create a folder from inside the rule wizard.

Use the New button on the screen to create a new rule and follow the steps in the wizard.

To Edit a rule, check the checkbox next to the rule and click the Edit button. Then follow the wizard.

To Delete a rule, check the checkbox net to the rule and click the Delete button.

 

Email – Android 4.0

Due to the wide variation in android devices we can only provide a guide for the stock android mail application, your device may have a 3rd party mail application provided by the manufacturer.

  1. Open “Settings”.
  2. Scroll to “Accounts” and Tap.
  3. Tap “Add Account” and/or the plus (+) icon at the top of the page.
  4. Scroll down to “Personal (IMAP)” and Tap to open.
  5. Enter your email address and tap “Manual Setup”.
  6. Select “Personal (IMAP)” from the list.
  7. Enter your Password
  8. Enter the following
    1. Username: Your Email Address
    2. Authentication: Your Password (should be filled out from before)
    3. Server: provisionmail.net
    4. Security Type: None
    5. Port: 143 (or 993 for Secure SSL)
  9. Tap “Next” and wait for validation
  10. Enter the following
    1. SMTP Server: provisionmail.net
    2. Security Type: None
    3. Port: 587 (or 465 Secure SSL)
    4. Require signin: Checked
    5. Username: Your Email Address
  11. Tap “Next” and wait for validation
  12. Configure account options however you’d like.
  13. Tap “Next” and wait for account creation
  14. Enter a name for the account and enter your name for outgoing messages
  15. Tap “Next” to return to the Accounts screen from step 3

 

If you experience problems please verify that your connection to the server works by opening a Internet browser and typing https://provisionmail.net and verifying that you can login with the supplied credentials.

Add Provision Mail account to Outlook 2016/2019 or 365

 

  1. Open Outlook then click file on the top left corner. If this is the first time opening Outlook, skip to step 3.
  2. Select the info tab and click add account.

      3. Enter your email address, click the advanced options drop down menu and check the radio button that says “Let me set up my account manually”. Click next.

      4. Select IMAP.

      5. Make sure your settings match the screenshot below. Click next.

 

  1. Enter your password then click connect.
  2. If the account added successfully you should see a window like the one below.

 

If you experience problems please verify that your connection to the server works by opening an Internet browser and typing https://provisionmail.net/ and verifying that you can log in with the supplied credentials.

 

Email – OS X Yosemite

  1. Open the Mail menu
  2. Click “Preferences”
  3. Select the “Accounts” tab
  4. On the list to the left use the + button to add a new account
  5. Select “Add Other Mail Account” and click Continue
    Enter the following information

    1. Your name
    2. Your email address
    3. Password
  6. Click “Create”, you may have to wait a second for the next screen.
  7. A note should be added to the screen saying “Account must be manually configured”
  8. Click “Next”
    Enter the following Incoming Mail Server Info

    1. Account Type: Select IMAP
    2. Mail Server: provisionmail.net
    3. Username: (this should be your full email address)
    4. Password.
  9. Click “Next”
    Enter the following Incoming Mail Server Info

    1. Path Prefix: (Leave Blank)
    2. Set Port to 143
    3. Leave Authentication as “Password”
  10. Click “Next”
    Enter the following Outgoing Mail Server Info

    1. Enter provisionmail.net
    2. Username: (this should be your full email address)
    3. Password.
  11. Click Create.
    You may need to modify your outgoing port if you have trouble sending emails.

Outgoing port change.

  1. Open the Mail menu
  2. Click “Preferences”
  3. Select the “Accounts” tab
  4. Select the relevant account name.
  5. Click “Account information” at the top of the right panel
  6. Click the dropdown for Outgoing Mail Server (SMTP) and select “Edit SMTP Server List”
  7. Highlight the correct server by clicking on it. It should contain your domain name.
  8. Select Advanced from the bottom panel
  9. Change Port to 587.
  10. Click Ok

If you experience problems please verify that your connection to the server works by opening a Internet browser and typing https://provisionmail.net/ and verifying that you can login with the supplied credentials.