WordPress is a powerful web application and, to date, is used by up to 43% of the websites on the internet. But with great popularity come great threats. With numbers like these, would-be attackers are constantly on the lookout for weaknesses in your site — a good reason to implement these WordPress security best practices right now.
WordPress security best practices
Beyond the usual best practices — like keeping your core files, theme(s) and plugins up to date — there are many other factors to take into consideration. File and directory permissions, and more, are necessary to keep safe the work you have put so much effort into.
1. Update file permissions
The default file permissions for all files on a WordPress site are typically set to 644. The default directory permissions are set to 755. There are scenarios that warrant exceptions.
For instance, it is a good idea to set your wp-config.php file to permissions stricter than 644, since it holds your database credentials.
I know of folks who set that file’s permissions to 440. This helps make it harder for the riff-raff to access the file. Some people set theirs to 600. That’s fine too.
You can change file and directory permissions via File Manager in your hosting plan. You can also alter these permissions in your favorite FTP program.
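If you have shell access to the server, the same scheme can be applied and, more importantly, audited from the command line. The script below is an added example and is not from the original article; it assumes GNU or BSD find and that the web server only needs read access to the WordPress tree. It applies 644/755 with 440 on wp-config.php, then lists anything wider than that policy.

```shell
#!/bin/sh
# Added example (not from the original article): apply the permission scheme
# described above (644 files, 755 directories, 440 for wp-config.php) and
# audit a WordPress docroot for anything more permissive than that.
# Assumes GNU or BSD find; run as the file owner or root.
set -eu

# Apply the baseline: 755 on directories, 644 on files, 440 on wp-config.php.
wp_apply_perms() {
  docroot="$1"
  find "$docroot" -type d -exec chmod 755 {} +
  find "$docroot" -type f -exec chmod 644 {} +
  # wp-config.php carries the DB credentials and auth salts: owner/group read-only
  chmod 440 "$docroot/wp-config.php"
}

# Print every path that is more permissive than the policy and return 1 if
# any was found; return 0 when the tree is clean.
wp_audit_perms() {
  docroot="$1"
  # directories: no group/other write bit (mask 022)
  open_dirs=$(find "$docroot" -type d -perm /022)
  # files: no execute bits and no group/other write (mask 133);
  # wp-config.php is checked separately below
  open_files=$(find "$docroot" -type f ! -name wp-config.php -perm /133)
  # wp-config.php: anything beyond 440/600, i.e. group w/x or any "other"
  # bit (mask 037), is too open
  open_cfg=$(find "$docroot" -maxdepth 1 -name wp-config.php -perm /037)
  if [ -n "$open_dirs$open_files$open_cfg" ]; then
    for p in $open_dirs $open_files $open_cfg; do
      echo "too permissive: $p"
    done
    return 1
  fi
  return 0
}

# Usage (paths are placeholders):
#   wp_apply_perms /var/www/example.com/public_html
#   wp_audit_perms /var/www/example.com/public_html
```

Run the audit periodically (a cron job is enough): a plugin update or a rushed FTP upload is the usual way a 777 directory or an executable file sneaks back into the tree.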
2. Disable the xmlrpc.php file
What is this file? Simply put, XML-RPC is an interface that allows other applications to update WordPress remotely. To make sure your site stays secure, it’s a good idea to disable xmlrpc.php completely.
However, if you need some of the functions necessary for remote publishing and the Jetpack plugin (for instance), you should use a workaround plugin that allows for these features while still fixing all the security gaps.
One plugin that comes to mind is called Disable XML-RPC. This plugin uses the built-in WordPress filter xmlrpc_enabled to simply disable the XML-RPC API on a WordPress site. This renders it unobtainable by someone looking to compromise your site.
Another plugin that comes to mind is the Disable XML-RPC Pingback plugin, which lets you disable just the pingback functionality. This means that you will still have access to the other features of XML-RPC if you happen to need them — for instance, if you’re running Jetpack. There are other plugins that will also disable this file. See below for more details on that plugin.
Both plugins are easy to use. You just have to install and activate them. They do the rest for you.
In the event that you want more control over how XML-RPC works, you can instead install the REST XML-RPC Data Checker plugin. Once it is installed and activated, go to Settings > REST XML-RPC Data Checker, and then click the XML-RPC tab.
Once there, you will be able to navigate through the interface to better control the xmlrpc.php file and what it does.
If you already have a ton of plugins and want to avoid installing yet another, you can turn XML-RPC off with a single line of PHP. Note that this is PHP, not an .htaccess directive: it goes in your active theme’s functions.php or, better, in a must-use plugin file under wp-content/mu-plugins:
add_filter( 'xmlrpc_enabled', '__return_false' );
That will just turn it off altogether (it is the same filter the Disable XML-RPC plugin hooks).
You can also block the file at the web server instead. On Apache, add this to the .htaccess file in your WordPress root; the <Files> wrapper matters, since Deny from all on its own would block your entire site (on Apache 2.4, the equivalent inside the same <Files> block is Require all denied):
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>
Or have your hosting provider disable the file itself.
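Whichever of the options above you pick, check that it actually took and keep an eye on who is still knocking. The script below is an added example, not part of the original article: it scans a web server access log in combined format for POST requests to xmlrpc.php, reports clients that sent more than a threshold of them, and tells you whether the file is still answering 200 (not blocked) or only 403/404 (blocked as intended). The log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): inspect an access log for
# POST traffic to xmlrpc.php. Assumes Apache/Nginx "combined" log format
# (client IP in field 1, method in field 6, path in field 7, status in 9).
set -eu

# Print "ip count" for every client that POSTed to xmlrpc.php more than
# $1 times in log file $2, sorted by IP.
xmlrpc_hits_over() {
  threshold="$1"
  logfile="$2"
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
    END { for (ip in n) if (n[ip] > t) print ip, n[ip] }
  ' "$logfile" | sort
}

# Return 0 if any POST to xmlrpc.php got a 200 (the file is still reachable),
# 1 if every such request was refused (403/404), i.e. the block is working.
xmlrpc_still_served() {
  awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ && $9 == 200 { found = 1 }
       END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample log in combined format (documentation-range IPs).
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [10/Mar/2023:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2023:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.88"
EOF
}

# Usage against a real log (path is a placeholder):
#   xmlrpc_hits_over 20 /var/log/apache2/access.log
#   xmlrpc_still_served /var/log/apache2/access.log && echo "xmlrpc.php still reachable"
```

A steady stream of 200s from one address after you think the file is off usually means the .htaccess rule or the PHP filter was added to the wrong file; a stream of 403s is the block doing its job and a good candidate for your firewall’s IP block list.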
3. Hide your sensitive details
Once you’ve got your site dialed in and live, hide certain details from the public eye that might tempt someone to try to compromise all your arduous work. A nice plugin for this is called Hide My WP Ghost. It is a paid plugin, but it’s worth the coin, and it’s on sale now for a 5-pack license.
This plugin does a fantastic job of hiding your core files, file paths, login page, and more. It performs the following functions, to name just a few:
- Change the wp-admin and wp-login URLs
- Change lost password URL
- Hide /wp-login path
- Disable XML-RPC access
- Change URLs using URL Mapping
- Weekly security checks and reports
- Email support, and more
4. WAF/CDN protection
A big step towards protection is blocking people you don’t want to have access to your site, altogether. This can be accomplished via a WAF (web application firewall) combined with a CDN (content delivery network).
Fortunately, GoDaddy offers this type of protection through Sucuri. Once purchased and set up, you can go into the firewall settings and enable GeoBlocking, if you so desire, and block entire countries from accessing your site.
The WAF/CDN combination will also help speed up your site: the CDN serves cached content from locations close to your visitors, and the WAF blocks known bad IPs before they ever reach your server while letting legitimate traffic through.
5. Combat comment spam
Another nuisance is comment form spam. There is a great way to limit or prevent this type of problem. The method I like is to utilize the plugin called wpDiscuz.
With this plugin installed, wpDiscuz takes over your site’s commenting and checks comments against known bad actors, filtering out bad or malicious comments by requiring the commenter to enter credentials before commenting. You get an email for each successful comment on your site, so you can moderate further if needed.
6. Enable CAPTCHA
It is highly recommended that you also enable CAPTCHA on all forms on your site(s). This will aid in the prevention of form spam. There are several types of CAPTCHA additions out there. Some ask the user to solve a math equation, some have a puzzle to solve, others have you select a series of pictures, and there are more variations.
7. Enable 2-factor authentication (2FA)
A tried-and-true way of keeping out the knuckleheads who would seek to do your site harm is to enable 2-factor authentication for every user of your site. If you are on your site all the time, it can be a mild inconvenience to enter the 2FA code each time you log in. But that is a small price to pay for the security of your site.
8. Change the wp-admin URL
The default admin URL has been the same, on WordPress, for years. All bad actors know it and routinely attempt to gain access to your site via said URL. The above mentioned Hide My WP Ghost plugin does a great job of obscuring this URL by simply changing it.
9. Add server-level protection
If your WordPress site is hosted on your own server (a VPS or dedicated server managed with WHM/cPanel, rather than shared hosting), you can enable other security features that will help keep your site safe. One such feature is in WHM: you can help prevent or limit the possibility of an AnonymousFox compromise by simply turning off Reset Password for cPanel Accounts and Reset Password for Subaccounts.
Simply go to WHM > Tweak Settings and search for password. From there, for the Reset Password for cPanel Accounts and Reset Password for Subaccounts features, select Off. This will help prevent a bad actor from accessing — and then changing — the cPanel and subaccount passwords.
The second thing you’ll want to do, if your site is hosted on your own server, is to disable shell access for all your cPanel accounts. Just go to WHM > Manage Shell Access > Disable Shell for all cPanel accounts.
10. Strong login credentials
Last among our WordPress security best practices, but certainly not least, always use strong passwords and obscure usernames. I can’t tell you how many times I’ve come across passwords like Password123!. Another common mistake is making the username something related to the site itself.
If you want to get compromised, that is a sure-fire way to do it.
Long and randomly generated passwords, in conjunction with usernames that have nothing to do with the site, are always your best combo.
Another great idea is to change your passwords regularly. It might seem like a pain, but that pales in comparison to getting hacked. How often you change your passwords is up to your discretion, just as long as you do. (You’ll be glad you did.)
Closing thoughts on WordPress security best practices
All in all, you have worked so hard for your intellectual property (or your client’s). Why not keep it safe? These few, but helpful, WordPress security best practices can go a long way toward a successful and compromise-free website for years to come.
New Cybersecurity Regulations Are Coming. Here’s How to Prepare.
Cybersecurity has reached a tipping point. After decades of private-sector organizations more or less being left to deal with cyber incidents on their own, the scale and impact of cyberattacks means that the fallout from these incidents can ripple across societies and borders.
Now, governments feel a need to “do something,” and many are considering new laws and regulations. Yet lawmakers often struggle to regulate technology — they respond to political urgency, and most don’t have a firm grasp on the technology they’re aiming to control. The consequences, impacts, and uncertainties on companies are often not realized until afterward.
In the United States, a whole suite of new regulations and enforcement are in the offing: the Federal Trade Commission, Food and Drug Administration, Department of Transportation, Department of Energy, and Cybersecurity and Infrastructure Security Agency are all working on new rules. In addition, in 2021 alone, 36 states enacted new cybersecurity legislation. Globally, there are many initiatives such as China and Russia’s data localization requirements, India’s CERT-In incident reporting requirements, and the EU’s GDPR and its incident reporting.
Companies don’t need to just sit by and wait for the rules to be written and then implemented, however. Rather, they need to be working now to understand the kinds of regulations that are presently being considered, ascertain the uncertainties and potential impacts, and prepare to act.
What We Don’t Know About Cyberattacks
To date, most countries’ cybersecurity-related regulations have been focused on privacy rather than cybersecurity, thus most cybersecurity attacks are not required to be reported. If private information is stolen, such as names and credit card numbers, that must be reported to the appropriate authority. But, for instance, when Colonial Pipeline suffered a ransomware attack that caused it to shut down the pipeline that provided fuel to nearly 50% of the U.S. east coast, it wasn’t required to report it because no personal information was stolen. (Of course, it is hard to keep things secret when thousands of gasoline stations can’t get fuel.)
As a result, it’s almost impossible to know how many cyberattacks there really are, and what form they take. Some have suggested that only 25% of cybersecurity incidents are reported, others say only about 18%, others say that 10% or less are reported.
The truth is that we don’t know what we don’t know. This is a terrible situation. As the management guru Peter Drucker famously said: “If you can’t measure it, you can’t manage it.”
What Needs To Be Reported, by Whom, and When?
Governments have decided that this approach is untenable. In the United States, for instance, the White House, Congress, the Securities and Exchange Commission (SEC), and many other agencies and local governments are considering, pursuing, or starting to enforce new rules that would require companies to report cyber incidents — especially critical infrastructure industries, such as energy, health care, communications and financial services. Under these new rules, Colonial Pipeline would be required to report a ransomware attack.
To an extent, these requirements have been inspired by the reporting recommended for “near misses” or “close calls” for aircraft: When aircraft come close to crashing, they’re required to file a report, so that failures that cause such events can be identified and avoided in the future.
On its face, a similar requirement for cybersecurity seems very reasonable. The problem is, what should count as a cybersecurity “incident” is much less clear than the “near miss” of two aircraft being closer than allowed. A cyber “incident” is something that could have led to a cyber breach, but does not need to have become an actual cyber breach: By one official definition, it only requires an action that “imminently jeopardizes” a system or presents an “imminent threat” of violating a law.
This leaves companies navigating a lot of gray area, however. For example, if someone tries to log in to your system but is denied because the password is wrong, is that an “imminent threat”? What about a phishing email? Or someone searching for a known, common vulnerability, such as the log4j vulnerability, in your system? What if an attacker actually got into your system, but was discovered and expelled before any harm had been done?
This ambiguity requires companies and regulators to strike a balance. All companies are safer when there’s more information about what attackers are trying to do, but that requires companies to report meaningful incidents in a timely manner. For example, based on data gathered from current incident reports, we learned that just 288 out of the nearly 200,000 known vulnerabilities in the National Vulnerability Database (NVD) are actively being exploited in ransomware attacks. Knowing this allows companies to prioritize addressing these vulnerabilities.
On the other hand, using an overly broad definition might mean that a typical large company might be required to report thousands of incidents per day, even if most were spam emails that were ignored or repelled. This would be an enormous burden both on the company to produce these reports as well as the agency that would need to process and make sense out of such a deluge of reports.
International companies will also need to navigate the different reporting standards in the European Union, Australia, and elsewhere, including how quickly a report must be filed — whether that’s six hours in India, 72 hours in the EU under GDPR, or four business days in the United States — and often many variations within each country, since there is a flood of regulations coming out of diverse agencies.
What Companies Can Do Now
Make sure your procedures are up to the task.
Companies subject to SEC regulations, which includes most large companies in the United States, need to quickly define “materiality” and review their current policies and procedures for determining whether “materiality” applies, in light of these new regulations. They’ll likely need to revise them to streamline their operation — especially if such decisions must be made frequently and quickly.
Keep ransomware policies up to date.
Regulations are also being formulated in areas such as reporting ransomware attacks and even making it a crime to pay a ransom. Company policies regarding paying ransomware need to be reviewed, along with likely changes to cyberinsurance policies.
Prepare for required “Software Bill of Materials” in order to better vet your digital supply chain.
Many companies did not know that they had the log4j vulnerability in their systems because that software was often bundled with other software that was bundled with other software. There are regulations being proposed to require companies to maintain a detailed and up-to-date Software Bill of Materials (SBOM) so that they can quickly and accurately know all the different pieces of software embedded in their complex computer systems.
Although an SBOM is useful for other purposes too, it may require significant changes to the ways that software is developed and acquired in your company. The impact of these changes needs to be reviewed by management.
What More Should You Do?
Someone, or likely a group in your company, should be reviewing these new or proposed regulations and evaluate what impacts they will have on your organization. These are rarely just technical details left to your information technology or cybersecurity team — they have companywide implications and likely changes to many policies and procedures throughout your organization. To the extent that most of these new regulations are still malleable, your organization may want to actively influence what directions these regulations take and how they are implemented and enforced.
Acknowledgement: This research was supported, in part, by funds from the members of the Cybersecurity at MIT Sloan (CAMS) consortium.
How does the local search algorithm work?
The internet has revolutionized the business world and changed how we conduct business. Any business that aims to increase its visibility and boost profit needs to pay much attention to top ranking factors, including local SEO — which introduces the topic of the local search algorithm.
Local SEO is one of the top practices that help boost a business’s visibility and generates more sales.
However, achieving better local SEO rankings is not a walk in the park, especially due to increased competition. To appear higher on local results, businesses and marketers need to understand how the local search algorithm works.
Knowing this helps guide the steps for improving rankings in the local pack.
The competition gets stiffer as more businesses open and optimize for local searching. Besides, Google is updating its algorithm consistently, meaning only businesses that can keep up with these updates can appear at the top of local search results.
Luckily, you have come to this post as this article looks at everything you need to know about Google’s local search algorithm and what you can do to get that top spot in the local pack.
Understanding the local search algorithm
Google aims to provide the best results that match a specific local search query. It constantly updates the local search algorithm to determine which business to rank on top of local search results.
Ideally, Google wants to provide local content that is relevant and valuable to users. As with search engine optimization, keyword stuffing cannot give you that top spot in local search results.
SEO specialists and marketers should consider Google’s local search algorithm updates and make the necessary changes to rank higher. Failure to consider these updates means losing your local search presence, resulting in fewer leads and conversions.
Local algorithms check the Google My Business (GMB) listings to determine where to rank a business in local search rankings.
Ideally, Google’s local algorithm ranks businesses with information that matches a searcher’s query. And the higher a business ranks in local search results, the more chances a potential customer will click on it.
This post looks at the three major pillars that determine local search results to better understand the local search algorithm: proximity, prominence and relevance.
Of course, other factors make up Google’s local search algorithm, but since we cannot identify all of them, we’ll focus on the most crucial ones in this post.
By understanding these pillars, marketers can better position themselves for local search success.
Proximity is one of the major ranking factors when it comes to local search. That means the distance between a business and a searcher is a ranking factor in local search.
When a searcher searches for something, Google considers how far the searcher is from the location of the term they use in the search. When a searcher doesn’t specify the location, Google calculates the distance based on the information they have regarding their location.
Ideally, Google aims to provide the most relevant results to a search query. For instance, why would Google provide a list of coffee shops in Los Angeles if the searcher is searching from Colombia?
That would be irrelevant local search results that won’t benefit the searcher.
Unfortunately, while proximity is a major local search pillar, it’s one of the factors that businesses have little control over. After all, you cannot change where your business is located, right?
You can only ensure your business location is as clear as possible, so that it appears for related nearby queries. Here are steps you can take to achieve this:
- Claim and verify the Google My Business listing
- Ensure local listings are accurate and optimized for local products or services
- Get the Google Maps API Key and optimize for your location and routes
- Set up your profile correctly (for Service Area Businesses) to avoid violating Google’s guidelines
Users can perform several types of local searches: geo-modified searches, where a location is named in the query; plain local searches, where no location is named; and “near me” searches.
Users perform geo-modified searches when they are planning to visit somewhere. For instance, a searcher in Los Angeles planning to visit Toronto, Canada, may search for a “coffee shop in Oakville.” The results will differ from those they would get by searching for “coffee” while physically in Oakville.
To be specific, geo-modified searches are mainly based on relevance and prominence as opposed to proximity when a user searches for something when outside the city included in the search.
Searchers perform this type of search when looking for something around them. For instance, a user in Los Angeles performing a local search for “coffee.”
Ideally, the user only needs to search for something and is shown results based on proximity. They will get the results that are closest to them.
“Near me” searches
“Near me” searches have been very popular in recent years. Although their popularity has significantly declined, users still perform this type of search when looking for something locally.
For instance, some users could add “near me” when searching for a coffee shop, hoping to get the most relevant results near them. As we’ve stated, this trend has lost popularity because when you perform a local search, you are searching for something near you.
It is not necessary to add “near me” to what you’re searching.
Prominence refers to how important Google thinks your business is, which gets factored into the local search algorithm.
In other words, it refers to how well a business stands from the rest in various aspects, including directories, links, reviews, mentions, among other things.
If search engines view your business as trustworthy and credible, they will likely show it on top of related search query results.
The local search algorithm views businesses/brands with a stronger online prominence as credible and trustworthy. Some of the factors that determine prominence include:
A local citation is the mention of a business’s information online. The mention can include the partial or complete name, address, and phone number (NAP) of a local business.
Citations are an excellent way for people to learn about local businesses and impact local search results.
A business with high-quality citations can rank better in local search results, although businesses must continually manage citations to ensure data accuracy.
Backlinks play a crucial role in local business prominence. Gaining relevant backlinks from high-quality sites is an excellent way to build a business’s online reputation.
If you’re trying to outrank your competitors without much success, your backlink profile could be the reason.
In that case, you should check your competitor’s backlinks and compare them with yours. When doing this, pay attention to the number and quality of their backlinks.
As a rule of thumb, aim to have high-quality local backlinks pointing to your site to improve your page’s authority.
Next, you need to pay close attention to reviews to improve local prominence. Many customers look at a business’s online reviews before deciding whether to engage further with the business. Besides, many positive online reviews can boost a business’s ranking signals.
Consider this scenario. A potential customer is looking for a pub around Oakville. When they perform a search, they are presented with two results: one with over 100 reviews and another with less than 10 reviews.
Which business do you think the searcher would trust? The one with 100 reviews, obviously.
As with search engines, customers need to trust a business before they decide to do business with it. Similarly, search engines can view online reviews and analyze them to determine a business’s online prominence.
That said, here are strategies you can use to boost your online review signals:
Have a strategy
You won’t have a strong online prominence if your products or services are not of a high standard. So, the first step to having many great reviews is to develop great products and services.
After that, develop a strategy to encourage your happy customers to leave honest but valuable reviews of their experience doing business with you to help boost your online reputation.
Monitor and manage the reviews
Having many reviews is one thing; you need to develop a plan to engage with your customers for better results. Responding to reviews shows people that you care and are genuine about your products and services.
People will avoid businesses that don’t respond to customer reviews (whether positive or negative).
Search engines, too, can tell whether you engage with customer reviews or not and will use the information to determine where to rank on local search results.
When responding to online reviews, pay special attention to negative reviews and how you respond to them. While no business likes getting negative reviews, how you respond to them can positively impact your business — respond positively to turn the negative reviews around.
As earlier stated, Google wants to provide the most relevant results to a local search query. This key ranking factor will determine a business’s position in local search results — how well does a local business match a search query?
Even if your business ticks the above pillars (prominence and proximity), if the content on your page isn’t well structured and doesn’t cover the topics that a searcher is looking for, you won’t appear on top of local search results.
Here are factors that businesses should consider to create a relevant listing:
- Local page signals
- Local listing categories and attributes
- Social posts and responses to online reviews
Local listing signals and categories
A business GMB listing and category can impact its relevance score for local searches. As such, complete your business profile carefully and continually add quality content to the web page to ensure it is relevant for proximity searches.
More specifically, ensure that all information on all listing pages, including Yelp, Bing, and Google, is complete and accurate. Aside from these factors, here are two crucial features you should pay attention to:
Selecting the right categories for your local business listing is among the crucial factors for ranking locally. With over 4000 GMB categories, you want to choose categories that best describe your business — ensure they are relevant and specific.
Here are guidelines to follow when selecting a category:
- Describe your business as opposed to your services
- Be specific to minimize competition
- Reduce the number of GMB categories to describe your business better
Business description
Without a proper description, users won’t know what your business is about. This section is about adding an introduction to your business so that customers and search engines can know more about your business.
However, don’t use this section for marketing your business. Just give users and search engines descriptive info that can help determine whether your business matches their needs.
Local page signals
Another way a business can improve its standing in the local search algorithm is by optimizing web pages for specific keywords. For multi-location businesses, it’s essential to have separate, localized pages for each location, with relevant information and contact details for customers to reach you.
Performing competitor research is advisable to determine what terms or keywords to use for a specific query. Here are top on-page signals to consider when trying to gain relevance for a given topic:
- Keyword research — Before creating local content, you need to find keywords that matter to your business. Perform keyword research to determine highly relevant keywords with high intent. When finding relevant terms to use in your content, base your research on the customer perspective; think about what they search for and the type of content they are looking for.
- Create local content — After finding the right keywords, it’s time to create your content. Google values the quality of content more than the length of the content, so keep this in mind when creating content. Another crucial thing to pay attention to is localizing the content. For example, you can create content on local news and events or use your city’s name within your content.
The goal is to create a connection between what’s happening in your local area and your business. Also, use pictures with your specific geolocation to increase your content relevance.
Creating quality and relevant content is only the start. You need to optimize your content for on-page signals so local search algorithms can discover and rank them better. Here’s how you can optimize your local content for on-page signals:
- Meta descriptions — Include keywords in your meta descriptions to encourage searchers to click through and increase visibility
- Title tags — Title tags are some of the factors that search engines use to determine where to rank content. Incorporating keywords naturally in your title tags can help boost local rankings
- Image tags — Another way to improve local rankings is by including relevant keywords in your image tags. Including geotags also comes with an added advantage
- Headings — Users and Google value pages with clear structures. Consider creating headings within your content to capture readers’ attention and encourage them to read on. However, ensure your heading tags describe the content that comes after them well. Also, include keywords in your heading tags to help search engines understand them and their importance.
Off-page local signals
Gaining high-quality backlinks is a great way to boost credibility and trust. Backlinks refer to external links from another website to your site. Aim to have more high-quality backlinks to boost your website authority.
Ideally, having many quality backlinks shows search engines that your website or page is credible and trustworthy, which boosts the chances of ranking it higher in search engine results.
Guest posting is one of the best examples of link-building strategies you can use. Finding great guest posting opportunities provides an excellent opportunity to share your content to a new but relevant audience, which helps boost your website authority.
Another strategy you can use is to create longer and better content than what is already available on the web. When your content is high quality and relevant, it will be easier to get high-quality backlinks.
Review and social signals
Online reviews can also help boost relevance for your local business. Aim to get as many positive reviews from your happy customers as possible.
Remember, when customers perform a local search, they get not only the relevant businesses but also reviews related to the search. The more positive reviews a business has, the higher chances a potential customer will do business with them.
Closing thoughts on the local search algorithm
Ranking on top of local search results can seem daunting, but it shouldn’t when you know the vital things to focus on. As you have seen above, the local algorithm is based on three pillars: relevance, proximity, and prominence.
Of course, other factors determine local search rankings depending on your industry and competition.
Email will be with us until the universe dies, so these startups are working to make it better
Ah, email. Why did you send my friend’s birthday party invite to my spam folder? Why do you make it so easy to archive an email when I don’t even know what that means? Why are you … blue now … Gmail?
Email is a necessary evil. So whenever I hear about startups looking to innovate on the decades-old communication tech, I’m instantly intrigued considering the huge number of potential areas of improvement. Plus, talk about a large TAM!
Startups have taken note. Boomerang launched its email productivity software in 2010, and since its 2014 launch, Superhuman has raised $108 million to help users get through their inbox faster. Trying to build a better email mousetrap isn’t exactly a novel concept, but it could be big business.
I recently received pitches from two new upstarts, both of which launched their email innovations in the last year, that really piqued my interest. Let’s meet them.