
      How You Can Enhance DreamShield With a Security Audit Log


      While it can be tempting to install a WordPress security plugin and sign off, the best website security strategies combine various tools to protect both users and content. However, knowing which tools are worth your time can be challenging.

      It’s vital to take a close look at the features your security tools provide and pair them up so that all your bases are covered. For example, you might start with a malware scanning and removal tool such as DreamShield and then enhance it with a security audit log plugin.

      In this post, we’ll explore this exact combination. We’ll start by introducing you to both DreamShield and WordPress security logs. Then we’ll cover three ways this duo can help protect your site. Let’s get started!


      A few years ago, we released DreamShield, a security scanning and malware removal tool for DreamHost users. It not only alerts you to vulnerabilities on your WordPress site but also helps you recover after an attack by automatically removing malware and fixing permissions issues.

      The DreamShield information page.

      By using DreamShield, you can keep your site more secure without lifting a finger. Once enabled, DreamShield performs weekly scans for malware and other potential security risks.

      You’ll also receive update notifications to remind you when your WordPress installation, plugins, and themes need to be upgraded to the latest version. These notifications can help you take advantage of security patches for known problems.

      DreamShield is an add-on for DreamHost plans. You can incorporate it into your hosting account for just $3 per month. Considering the price tags on some other big-name WordPress security tools that offer DreamShield’s features, this is a steal (in our humble opinion)!

      The Benefits of Tracking User Actions Within WordPress

No single security tool can do it all. For this reason, consider complementing DreamShield with a security audit log, sometimes called an activity log: a record of every action taken on your site, kept so you can spot problems and trace what happened before you resolve them.

      WordPress doesn’t include a security log out of the box. However, you can keep a security log by installing a plugin. WP Security Audit Log is one of the most popular and highly rated.

      The WP Security Audit Log plugin.

      You’ll be able to easily keep track of all the changes made to your WordPress site, including theme and plugin installations and updates, as well as which user made each change. Additionally, you can see each login attempt, including when and where it took place.

      If you spot any activity that seems suspicious, you can log users out remotely with a single click. While all of this may seem overwhelming and hard to track, email notifications can alert you to the most significant changes, and comprehensive monthly reports can provide a detailed overview.

WP Security Audit Log is available in both free and premium editions. The free version keeps the audit log itself; WP Security Audit Log Premium adds SMS and email notifications, reports, user session management, and more. Licenses start at $89 per year.

      How You Can Enhance DreamShield With a Security Log (3 Tips)

      While DreamShield and a security log are individually useful for maintaining your WordPress site’s security, they work really well together. Here are three ways a security log can improve DreamShield’s effectiveness.

      1. Monitor Your Logged In Users

      By using a security log, you can easily keep track of who’s logged in to your site, when, and from where.

      Monitoring user login activity with WP Security Audit Log.

You’ll also be able to see when someone tries to log in with a username that doesn’t exist on your site, and when an account has accumulated a run of failed login attempts in a short period. Both patterns are typical of a brute force attack, and the source IP address of the attempts tells you where it is coming from.

      Tracking suspicious and failed login attempts with WP Security Audit Log.

      This feature is beneficial for a few reasons. In addition to monitoring for brute force attacks, you can note suspicious behavior — users who are logging in from an unusual IP address or at strange times of the day.

      A security log complements DreamShield’s scanning and malware removing features. You can keep an eye out for suspicious behavior and prevent attacks by logging out and blocking suspicious users.

      While the free version of WP Security Audit Log will allow you to monitor login attempts, you’ll need the premium plugin to log out WordPress users remotely and block them from your site. It also enables you to prevent simultaneous sessions so two people can’t log in to the same account at the same time.


      2. Boost Your Prevention of Malicious Activity

      In addition to monitoring when users log in and out, you can also see when they make changes to your site, such as updating posts and pages or uploading files to your Media Library.

      A file upload event in WP Security Audit Log.

      If users are making unauthorized changes to your site, it could indicate malicious behavior. A user with bad intentions could add spam links to your posts, upload malicious files, or even delete content from your site altogether — stealing hours of hard work.

While DreamShield’s automated malware removal feature is an excellent way to recover after an attack, it’s always best to avoid a security breach in the first place. By noticing unusual changes to your site early, you can stop an attack while it is still in progress, before it has done real damage.

      Plus, you’ll know exactly what’s been done to your site and can work to reverse changes not covered by DreamShield such as spam links or deleted content. Our DreamPress plans come with automated backups and one-click restore functionality to help you recover what you’ve lost as well.
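The two kinds of monitoring described in tips 1 and 2 (brute force and unusual logins, then unexpected content or file changes) come down to a few rules run over the log. The following is an added example written for this page; it is not code from DreamHost or from the WP Security Audit Log plugin. The event names, field names, thresholds and sample entries are assumptions constructed for the example; map them onto whatever your logging plugin exports (CSV, syslog or JSON) before relying on them.

```python
# Added example (not from the article or the plugin): the detection rules the
# text describes, run over a constructed slice of an activity log.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Times are UTC; "ip" is the client address recorded
# for the request. 203.0.113.7 hammers the login form at 02:10, then logs in
# as admin late at night and uploads a file.
SAMPLE_LOG = [
    {"ts": "2023-03-01T02:10:05", "event": "login_failed",       "user": "admin",  "ip": "203.0.113.7"},
    {"ts": "2023-03-01T02:10:09", "event": "login_unknown_user", "user": "root",   "ip": "203.0.113.7"},
    {"ts": "2023-03-01T02:10:12", "event": "login_failed",       "user": "admin",  "ip": "203.0.113.7"},
    {"ts": "2023-03-01T02:10:15", "event": "login_unknown_user", "user": "test",   "ip": "203.0.113.7"},
    {"ts": "2023-03-01T02:10:20", "event": "login_failed",       "user": "admin",  "ip": "203.0.113.7"},
    {"ts": "2023-03-01T02:10:24", "event": "login_failed",       "user": "admin",  "ip": "203.0.113.7"},
    {"ts": "2023-03-01T09:00:00", "event": "login_ok",           "user": "editor", "ip": "198.51.100.4"},
    {"ts": "2023-03-01T09:05:30", "event": "post_modified",      "user": "editor", "ip": "198.51.100.4"},
    {"ts": "2023-03-01T23:41:10", "event": "login_ok",           "user": "admin",  "ip": "203.0.113.7"},
    {"ts": "2023-03-01T23:42:02", "event": "file_uploaded",      "user": "admin",  "ip": "203.0.113.7"},
]

FAILURE_EVENTS = {"login_failed", "login_unknown_user"}
CHANGE_EVENTS = {"post_modified", "file_uploaded", "plugin_installed", "theme_installed"}

def parse(events):
    """Copy the entries with the timestamp turned into a datetime."""
    return [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]

def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: count} for IPs with >= threshold failed or unknown-user
    logins inside any sliding window of the given length."""
    recent = defaultdict(deque)
    flagged = {}
    for e in sorted(parse(events), key=lambda e: e["ts"]):
        if e["event"] not in FAILURE_EVENTS:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(q))
    return flagged

def detect_unusual_logins(events, baseline, work_hours=(7, 20)):
    """Flag successful logins from an IP not in the user's baseline, or
    outside work hours. baseline is {user: {known_ip, ...}}."""
    hits = []
    for e in parse(events):
        if e["event"] != "login_ok":
            continue
        reasons = []
        if e["ip"] not in baseline.get(e["user"], set()):
            reasons.append("new ip")
        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            reasons.append("off hours")
        if reasons:
            hits.append((e["user"], e["ip"], reasons))
    return hits

def detect_unexpected_changes(events, editors):
    """Flag content or file changes made by accounts that are not supposed to
    edit, or made from an IP already identified as a brute-force source."""
    attackers = set(detect_brute_force(events))
    return [(e["user"], e["event"], e["ip"]) for e in parse(events)
            if e["event"] in CHANGE_EVENTS
            and (e["user"] not in editors or e["ip"] in attackers)]

if __name__ == "__main__":
    baseline = {"admin": {"198.51.100.4"}, "editor": {"198.51.100.4"}}
    print(detect_brute_force(SAMPLE_LOG))
    print(detect_unusual_logins(SAMPLE_LOG, baseline))
    print(detect_unexpected_changes(SAMPLE_LOG, editors={"admin", "editor"}))
```

On the sample data the admin login from 203.0.113.7 is flagged twice: once as a new IP at an unusual hour, and again because the file upload that follows comes from the address that was brute-forcing the login form an hour earlier. That second rule is the point of keeping login and change events in one log: either event alone looks like routine admin work.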

      3. Troubleshoot More Efficiently

      Sometimes the trouble with your WordPress site isn’t directly security-related. Compatibility errors following WordPress core, plugin, or theme updates can spell disaster for both you and your users if your site becomes inaccessible.

      Fortunately, since WP Security Audit Log keeps track of each and every update on your site, you can quickly find offending plugins or themes.

      A plugin update in WP Security Audit Log.

After restoring a backup of your site to undo the changes made by the update, you can get to work on making sure each part of your website plays nicely with the others. Knowing exactly which update ran, and when, takes much of the guesswork out of traditional WordPress troubleshooting.

      Paired with DreamShield’s update notices, a security log can help ensure your website is up-to-date without causing errors. You’ll be able to better protect your site, users, and revenue by keeping vulnerabilities patched up.

      Conclusion

      Securing your WordPress site isn’t something you want to take lightly. Building an effective security strategy should include combining multiple tools to make sure all your bases are covered, and your users and content are protected.

      When it comes to protecting your WordPress site, DreamHost has your back. Add DreamShield to your hosting plan today!




      WordPress security beyond updates


      One of the reasons for the tremendous popularity of WordPress is that it is open source. As open source software, the bare bones of WordPress are free, and the huge ecosystem of themes, plugins, and other extensions that developers are able to create can be combined in countless different ways to build practically any kind of unique, high-quality website. While this ecosystem is what gives WordPress its flexibility and range of capabilities, it is also the chief source of security concerns for websites using the leading content management platform.

      Of just under 4,000 known WordPress vulnerabilities, plugins make up more than half, according to a recent report by wpscan.org. More than a third are found in the WordPress core, and 11 percent are from Themes. Many of these vulnerabilities can be mitigated simply by applying the next update to your WordPress core and each of your plugins, as developers are alerted of vulnerabilities and make changes to eliminate them.

      Keeping everything up to date and using a complex password are the low-hanging fruit of website security. You can set WordPress to automatically apply core updates, and you can also install a plugin to automatically update your other plugins. There are also security-specific plugins to provide functions like malware scanning and a firewall.

      Beyond these basics, there are a few other simple things that WordPress website operators can do to improve the security of their sites.

      Unreliable or untrustworthy sources

      Plugins from even the most professional and responsible developers have vulnerabilities – it is inevitable that hackers will find new ways to compromise previously secure programs and systems, forcing the developer to react with an update. Most attacks are not new, however, but are directed at vulnerabilities that should have already been dealt with.

A developer that is slow to close vulnerabilities with updates, or that does so improperly, may leave sites exposed even if everything is up to date. Even worse, a few free or cheap alternatives to popular plugins contain malware or built-in vulnerabilities for the specific purpose of attacking every site they are used in.

      File and folder permissions

It is generally not necessary or advised for WordPress users to modify permissions for who can read, write, and execute (or run) files and folders. It is important that permissions are set properly, however, and if they have been set too broadly, a malicious actor could potentially take complete control over your site. If you discover a permission has been set to 777, it means that the file’s owner, its group, and every other account on the server can all read, modify and execute it. On a shared host that includes other tenants, and on any host it includes the web server process itself, so anything that compromises a single plugin or neighbouring account could rewrite your site.

To change permissions, you need to use an FTP client (prefer SFTP, or FTPS if your host supports it: plain FTP sends your password over the network in cleartext). Once you have connected to your site, you can right-click on the root directory and then edit permissions by clicking on “File permissions” in the menu. Enter the recommended setting in the “Numeric value” field, which for most users is 755 for all folders and sub-folders, make sure that “Recurse into subdirectories” is checked, and click “Apply to directories only.” After you click “OK,” it will take a few seconds to make the changes, after which you can move on to files by highlighting everything in the site’s root folder and following the same procedure to bring up the “File permissions” dialog box. For most users the permission is set to 644, with “Recurse into subdirectories” and “Apply to files only” checked. One file deserves a tighter setting: wp-config.php contains your database password, so once the bulk change is done, set it to 600 (or 640 if your web server runs under a separate group that must read it) so that other accounts on the server cannot read it.
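The same procedure from a shell session (SSH, or a host’s terminal) is shorter and can be checked afterwards. The following is an added example written for this page, not code from the article or from WordPress itself. It assumes it is run as the account that owns the site files (never as root on a shared host), and it assumes PHP executes as that owner, which is why it sets wp-config.php to 600; use 640 instead if your web server runs under a separate group. The sample tree it builds is constructed for the example.

```python
# Added example (not from the article): audit and repair WordPress file
# permissions (755 for directories, 644 for files) and report every change
# so the run can be reviewed. Symbolic links are skipped rather than followed.
import os
import stat
import tempfile

DIR_MODE = 0o755    # owner rwx, group r-x, others r-x
FILE_MODE = 0o644   # owner rw-, group r--, others r--
# wp-config.php holds the database password. 0o600 assumes PHP runs as the
# file owner (typical per-user hosting); use 0o640 for a separate web-server group.
CONFIG_MODE = 0o600

def mode_of(path):
    """Octal permission bits of a path, e.g. '0o755'."""
    return oct(stat.S_IMODE(os.lstat(path).st_mode))

def world_writable(root):
    """Paths under root that any local account can modify (the 777/666 case)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if os.lstat(path).st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)

def fix_permissions(root, dry_run=False):
    """Apply the recommended modes recursively. Returns a list of
    (path, old_mode, new_mode) for everything that was (or would be) changed."""
    targets = [(root, DIR_MODE)]
    for dirpath, dirnames, filenames in os.walk(root):
        targets += [(os.path.join(dirpath, d), DIR_MODE) for d in dirnames]
        targets += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
    changes = []
    for path, wanted in targets:
        if os.path.islink(path):
            continue
        if path == os.path.join(root, "wp-config.php"):
            wanted = CONFIG_MODE
        current = stat.S_IMODE(os.lstat(path).st_mode)
        if current != wanted:
            changes.append((path, oct(current), oct(wanted)))
            if not dry_run:
                os.chmod(path, wanted)
    return changes

def make_sample_site():
    """Constructed sample tree with the over-broad modes the text warns about:
    a 777 uploads folder, a 666 file inside it and a world-readable config."""
    root = tempfile.mkdtemp(prefix="wp-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    dropped = os.path.join(uploads, "image.php")
    config = os.path.join(root, "wp-config.php")
    for p in (dropped, config):
        open(p, "w").close()
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)
    os.chmod(dropped, 0o666)
    os.chmod(config, 0o644)
    return {"root": root, "uploads": uploads, "file": dropped, "config": config}

if __name__ == "__main__":
    site = make_sample_site()
    print("world-writable before:", world_writable(site["root"]))
    for change in fix_permissions(site["root"]):
        print("changed", *change)
    print("world-writable after:", world_writable(site["root"]))
```

Run it once with `dry_run=True` and read the list before applying anything: a site that deliberately relies on group-writable upload directories (some hosts configure this) will show up as changes you may not want.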

      Two-factor authentication

Two-factor authentication, or 2FA, adds an extra layer of security to your WordPress sign-in process. You can apply it with any one of several popular plugins. Many of them work with an authenticator app such as Google Authenticator: during setup the plugin shows a QR code that carries a shared secret, the app stores that secret, and from then on the app generates a one-time password (OTP) on your phone that you enter along with your usual credentials. Nothing is sent to the phone; the code is computed locally from the secret and the current time.

Other plugins send the OTP to your email account or mobile device instead. Either way, an attacker can only gain access to your site by both knowing your password and controlling the second factor: your phone, or the email account or SIM card that receives the code. That is why app-generated codes are the stronger option; an OTP delivered by email is only as safe as the email account’s own password. Some plugins provide an option to use a token along with either a username and password, or just a username; the second option leaves you with a single factor again, so avoid it. Whichever you choose, select a plugin that has been tested with the current version of WordPress.
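To make concrete what an authenticator-app second factor is, the following is an added example written for this page; it is not code from any WordPress plugin. It implements the time-based one-time password algorithm (RFC 6238 TOTP over RFC 4226 HOTP) that Google Authenticator and compatible apps use, the provisioning URI that the enrolment QR code encodes, and the server-side check with clock-drift tolerance and replay protection. The issuer, account name and the secret are constructed; the expected codes come from the RFC test vectors.

```python
# Added example (not from the article or any 2FA plugin): TOTP as used by
# Google Authenticator. Server and phone share one secret; each derives the
# same 6-digit code from the secret and the current 30-second time step.
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP = 30     # seconds per time step
DIGITS = 6
SKEW = 1      # accept one step either side to absorb clock drift

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, at: float) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at // STEP))

def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """What the enrolment QR code contains: the secret (base32) plus parameters.
    Anyone who photographs this QR code can generate your codes forever."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return ("otpauth://totp/%s:%s?secret=%s&issuer=%s&digits=%d&period=%d"
            % (quote(issuer), quote(account), b32, quote(issuer), DIGITS, STEP))

def verify(secret: bytes, code: str, at: float, used_counters: set) -> bool:
    """Server-side check: constant-time compare, +/- SKEW steps, and each
    counter accepted only once so a code seen in transit cannot be replayed."""
    now_step = int(at // STEP)
    for step in range(now_step - SKEW, now_step + SKEW + 1):
        if hmac.compare_digest(hotp(secret, step), code) and step not in used_counters:
            used_counters.add(step)
            return True
    return False

if __name__ == "__main__":
    secret = b"12345678901234567890"     # RFC 4226/6238 test secret, not for real use
    print(provisioning_uri("Example Site", "admin", secret))
    print("code at t=59:", totp(secret, 59))
    seen = set()
    print("first use accepted:", verify(secret, totp(secret, 59), 59, seen))
    print("replay rejected:", verify(secret, totp(secret, 59), 59, seen))
```

Two things the code makes visible that the plugin UI hides: the QR code is the secret, so it must be treated like a password at enrolment time, and the server needs per-user state (the used counters) or a code captured by a phishing page remains valid for the rest of its time step.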

      Tools and resources

      There are a number of useful tools and resources that have been created specifically for improving WordPress security, due to the platform’s enormous popularity.

      WPScan.org offers a free tool for scanning WordPress sites for vulnerabilities, allowing you to address them before they are exploited. Companies in the WordPress ecosystem provide useful resources, like the “Learning Center” provided by security plugin developer Wordfence, which includes a nine-part series for dealing with malware. WordPress.org also offers quality documentation and forums, like any major software provider, which contain a lot of answers to security-related questions.

      A quality managed service provider like TMD can also help WordPress users harden their perimeter and protect their websites. Just by taking a step beyond updates, any kind of business can have a secure, cost-effective, beautiful website.


