WordPress Security - GreenGeeks
https://www.greengeeks.com/tutorials/category/wordpress-security/
How-to Website Tutorials
Mon, 18 Dec 2023 13:27:12 +0000

How to Use the Booter Bot and Webcrawler Manager in WordPress
https://www.greengeeks.com/tutorials/booter-bot-webcrawler-manager-wordpress/
Mon, 14 Jun 2021 14:00:19 +0000

Is your website suffering from a high number of requests from bots and crawlers? This can cause massive performance issues and even cause 404 errors in some cases. However, you can avoid this by using the right plugin, like Booter.

This plugin helps block harmful bot and crawler requests without impacting the good ones, like search engine bots. It can also reject unwanted links quickly by returning an HTTP status code that tells search engines to forget about them.

Today, I will demonstrate how to use the Booter plugin to manage crawlers in WordPress.

Why Bot Management Matters

Bots are computer programs that simulate the activity of a normal user. They can continue operating indefinitely if left alone. They can serve many purposes, and not all bots or crawlers are bad. In fact, many of them are necessary, like Google’s crawler.

However, just like everything else, bad bots exist and they can cripple websites.

The bad type of bots can steal data, upload malware or ransomware, launch Distributed Denial of Service (DDoS) attacks, and do a variety of other things you don’t want to happen. These can affect any type of website. But since WordPress sites are the most common, they are a bigger target.

That said, with a proper security plugin, you should be fine.

However, as your website grows and the data you house becomes more valuable, the security measures you take should also grow. Thus, managing bot and web crawler activity is a must.

How to Use Booter in WordPress

Step 1: Install Booter

Booter is a website bot manager that can detect and block bot activity in WordPress. Once you set it up, it will operate with next to no input on your end. However, due to the complexity of bot management, you are going to need to enter some data that cannot be automated.

Overall, the setup process isn’t very difficult but does require some specific information.

To begin, click on Plugins and select the Add New option on the left-hand admin panel.

Search for Booter in the available search box. This may pull up additional plugins that you may find helpful.

Scroll down until you find the Booter plugin and click on the “Install Now” button and activate the plugin for use.

Step 2: Configure Settings

The plugin will immediately begin working after activation. However, some of the key features are not online by default. You will have to go through the settings to make sure the plugin works exactly how you want.

On the left-hand admin panel, click on Settings and select the Booter option.

Luckily, the plugin does a good job at explaining each setting, but there are several tabs to go through.

Let’s take a look at these together.

General

The General tab has all of the main features of the plugin. You choose to enable or disable any of them by using the slider.

By default, the Block Bad Robots, Reject Links, and 404 logging features are enabled, while the robots.txt Management and Rate Limiting options are off.

The Robots.txt Management feature better protects the file from bots. It can even help SEO efforts with some of the more advanced options that we will discuss later. Just keep in mind that, if enabled, it will save the original file as a backup and create a new one.

The plugin recommends enabling the Rate Limiting feature, which will throttle any excessive activity from a bot.

You can also check the status of all of these features at the top of WordPress.

The advanced settings consist of two options. The first allows you to delete all data when you uninstall the plugin, while the second activates the plugin’s debug mode so you can view every single event and track down issues.

If you made any changes, click on the “Save Changes” button at the bottom.

Bad Bots Blocking

This section requires no input on your end, but it does include a full list of bots that the plugin automatically blocks. The list is compiled from bots with malicious history and is constantly updated.

You can manually update the list by clicking the “Update Bad Bots From Predefined List” button.

You can also manually remove any of the blocked bots, though I do not recommend doing this. They’re on the list for a reason.

Robots.txt

The Robots.txt section is off by default. It allows you to further customize the feature. You can choose to deny all crawlers access to the file. All legitimate crawlers will listen to this request.

You can also make sure a link to the sitemap is in the file to help the search engine webcrawler bot find it. I highly recommend turning this option on if you have chosen to enable the feature as a whole.

Don’t forget to save if you made a change.

Rate Limit

The Rate Limit section allows you to further customize the plugin. By default, it is off. Yet, it is recommended to be on. You can choose to limit logged-in users, how many requests trigger the limit, how long they should be blocked for, and exclude any user agents.

Note: Limiting real users can lead to a poor user experience. That said, some malicious users could create an account to get by this setting. Thus, setting a high request limit that only a bot could achieve is ideal.
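To pick a request limit that only a bot would reach, as the note above suggests, you can first measure the busiest window per client in your existing access log. The following is an added example, not part of the Booter plugin or the original tutorial; the log lines are constructed, and the 60-second window and the limit of 30 are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip, identity, user, [time], "request", status, size, "referer", "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def build_sample_log():
    """Constructed traffic (documentation IP ranges): a visitor, a crawler, a flood."""
    def line(ip, second, ua):
        stamp = f"14/Jun/2021:10:{second // 60:02d}:{second % 60:02d} +0000"
        return f'{ip} - - [{stamp}] "GET /page-{second} HTTP/1.1" 200 512 "-" "{ua}"'

    lines = []
    # Human visitor: 6 page views, one every 10 seconds.
    lines += [line("203.0.113.10", s, "Mozilla/5.0 (Windows NT 10.0)") for s in range(0, 60, 10)]
    # Search engine crawler: 12 requests, one every 5 seconds.
    lines += [line("192.0.2.66", s, "Mozilla/5.0 (compatible; Googlebot/2.1)") for s in range(0, 60, 5)]
    # Flood: 40 requests in 20 seconds from a single address.
    lines += [line("198.51.100.7", i // 2, "python-requests/2.25") for i in range(40)]
    lines.append("this line is not in combined format and is skipped")
    return lines


def parse_line(line):
    """Return (ip, timestamp, user_agent), or None for lines that do not parse."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    try:
        ts = datetime.strptime(match["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return match["ip"], ts, match["ua"]


def peak_requests(lines, window_seconds=60, excluded_agents=()):
    """Busiest sliding window per IP: the most requests seen in any window_seconds span."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, ua = parsed
        # Mirrors the "exclude user agents" option. The header is client-supplied,
        # so an exclusion is a convenience, not proof of who is asking.
        if any(agent.lower() in ua.lower() for agent in excluded_agents):
            continue
        per_ip[ip].append(ts)

    peaks = {}
    for ip, stamps in per_ip.items():
        window = deque()
        peak = 0
        for ts in sorted(stamps):
            window.append(ts)
            # Drop requests that have fallen out of the window ending at ts.
            while (ts - window[0]).total_seconds() >= window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        peaks[ip] = peak
    return peaks


def clients_over_limit(peaks, limit):
    """IPs whose busiest window exceeds the limit, i.e. who would be throttled."""
    return sorted(ip for ip, peak in peaks.items() if peak > limit)


if __name__ == "__main__":
    peaks = peak_requests(build_sample_log(), excluded_agents=("googlebot",))
    for ip, peak in sorted(peaks.items(), key=lambda item: -item[1]):
        print(f"{ip:15} peak {peak:3d} requests / 60 s")
    print("throttled at limit 30:", clients_over_limit(peaks, 30))
```

Run it against a few days of your own log before enabling the feature: a sensible limit sits well above the highest peak of any client you recognise as a real visitor.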

Reject Links

Similar to the previous two, the Reject Links section allows you to further customize this feature. This one is on by default, and the additional options include the ability to reject links from everyone or just bots, an option for WooCommerce URLs, URL strings, and multiple options for regular strings.

404 Errors Log & Disavow Backlinks

The next two sections require very little, thus I will combine them.

The 404 Error Log section allows you to decide how often an error report is sent to your email. By default, you will not receive one. But, you can set it for daily, weekly, or monthly.

Note: The plugin will send the reports to the admin email address. You cannot change this.

The Disavow Backlinks section allows you to download a file that you can upload directly to a search engine (Google Search Console, Bing Webmaster Tools, etc.). It allows you to protect yourself against low-quality links leading to your website.

Click on the “Download Disavow List” button to receive the file.

The remaining sections just provide more information on how to use Booter and other facts. After going through all of the settings and saving any changes made, you are officially done, congratulations.

Bots Are Becoming More Common

As the internet has aged, bots have become a much bigger part of it. While bots can be used for good or bad, there is no denying the risk. Thus, every website should have safeguards in place to protect data and ensure the website is running well.

Booter does this and then some. It is the ideal tool for WordPress websites to manage bots because everything happens with very little interaction from you. Instead, you can keep focusing on making great content.

Do you find it easy to manage webcrawler bots in WordPress? Are there any other plugins you use to handle bots?

How to Drop the Banhammer on Unwanted Visits in WordPress
https://www.greengeeks.com/tutorials/banhammer-wordpress/
Wed, 10 Mar 2021 15:00:06 +0000

Do you ever wonder about suspicious users and other questionable web traffic on your WordPress site? Well, then you are in the same boat as all of us, as this is a part of having an online presence. What if you could monitor this activity and ban visitors in WordPress? Now you can, using a smooth plugin called Banhammer.

There are all sorts of steps you can take in WordPress that will allow you to keep your website safe and running smoothly. Using a plugin like Banhammer is one of those ways, and it is a very powerful tool if used correctly.

Why You Should Ban IP Addresses

First off, you have to know what exactly an IP ban is. These types of blocks are basically set up by a server to reject requests made from a particular IP or range of IP addresses. These types of IP bans can be put in place using two methods:

  1. Automatically by the server based on abuse pattern
  2. Manually by the administrator

An IP ban actually protects the server from a number of types of abuse. These include brute force attacks, email blocking from known spammers, and certain usage limits by users.

They are so effective that a properly put-together ban can go as far as allowing the server to block IP addresses from even accessing a website, forum, and email.

Today, I am going to show you how you can easily ban IP addresses in WordPress using a smooth and nifty plugin that does all the heavy lifting for you. Let’s take a look at the plugin in question and see all that it has to offer.

Banhammer

Banhammer is a plugin that is specifically designed to give you full control over who and what may access your website. The plugin is built with a specific focus on performance, so it will not slow your website, and your page load speeds will remain fast and efficient.

This plugin will allow you to easily ban visitors in WordPress and monitor all traffic and suspicious visitors. It provides a number of tools to do this, and if implemented properly, can be very powerful against unwanted visitors, attempted brute force attacks, and other malicious activity.

Any users that you ban will be denied any type of access to your website until you manually restore it using a tool that Banhammer provides called the “Tower.” The plugin is packed full of features and options. Some of the main ones include:

  • Ability to ban or warn any WP user or IP address
  • Easily restore access to any banned targets
  • Monitor all site traffic in the provided “Armory”
  • Manage banned users in the provided “Tower”
  • Ajax-powered navigation
  • A ton of included useful tools
  • Complete documentation from the Help tab
  • Automatically clear logged data
  • Built-in sound effects for processes
  • Manually block any IP at any time

And this is just the tip of the iceberg. Banhammer includes so many useful tools that it may become your favorite plugin to use. With so many options and features, you will be able to protect your entire site right from the comfort of your WordPress website dashboard.

Let’s get the plugin installed and set up together so that you can start making the changes you need.

Using Banhammer to Block Unwanted Visitors

Step 1: Install and Activate the Plugin 

Before you can start banning IPs and blocking users that are trying to hurt your site, you first need to install and activate the Banhammer plugin. You can do this by going to the Plugins page in the WordPress admin dashboard.

Simply use the available search field and search the plugin by name. When you see it pop up, install and activate it right from there.

Step 2: Go to the Settings Page

Now that the plugin is installed and activated, you need to access the main settings page for the plugin. To do this, click on Banhammer > Settings, located on the left menu area of the dashboard.

You can see that this option is now available because you activated the plugin. Here, you will configure the settings how you see fit and start the process of protecting your site.

Step 3: Configure Plugin Settings

At this point, you have arrived at the main settings page for the plugin. Here, you are going to go through the settings and configure them how you want. There are three main sections on the page. They include:

  • Basic Settings
  • Banhammer Response
  • Advanced Settings

Let’s go through them together.

Basic Settings

Go ahead and go through a few checkboxes here and make sure the things you want are enabled.

Banhammer Response

Here, you can create the response you want users to see when you have banned them from your site. You can include a custom message and a redirection if you want.

Advanced Settings

These are the advanced settings for the plugin. Configure them how you see fit. You can always come back and adjust them when you need to.

Save your settings and you are all set.

Step 4: Monitor Traffic

Now that you have set up the plugin, you are ready to go monitor traffic. To do this, click on the “Armory” option located on the left menu dashboard.

The Armory is where you monitor all site traffic and make decisions on what users you may need to warn or block.

On the demo site used for this tutorial, there are only a few site users. Your Armory will be filled with site users based on your traffic.

Step 5: Monitor Banned Users

Last but not least, head over to the “Tower” section of the plugin. This is where you will monitor all the users you have banned. To get there, simply click on the Tower link on the left side dashboard.

Use the tools here to delete, restore, warn, and totally ban users.

That’s it! You are now monitoring all your site traffic and have the ability to protect yourself by banning IPs when needed.

Note: There is a Banhammer pro version of this plugin. It offers more features and configuration settings. If you feel this is something you need, then feel free to check out that version of the plugin.

Don’t Ban Yourself!

Be careful not to ban yourself when using the Banhammer plugin. Yes, this can and has happened to users. Here are some things to be mindful of when using the plugin in order to make sure you don’t ban yourself.

  • Always know your own IP address and WP username.
  • Disable the setting for the “Login Page” so you always have access to it.
  • Enable the setting “Ignore Users” so you can always access the Tower, and your visits will not be logged in the Armory.
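One way to act on the first point in the list above is to check a ban list against your own addresses before you apply it. This is an added example, not code from Banhammer or the original tutorial; the ban entries and admin addresses are constructed, and keeping ranges in CIDR notation and the "too broad" prefix thresholds are assumptions.

```python
import ipaddress

# Constructed ban list and admin addresses (documentation ranges, not real hosts).
BAN_LIST = [
    "# manual bans",
    "198.51.100.7",         # single address
    "203.0.113.77/24",      # range written with host bits set
    "198.18.0.0/15",        # very wide range
    "2001:db8:abcd::/48",   # IPv6 range
    "192.0.2.300",          # typo: not a valid address
]
ADMIN_ADDRESSES = ["203.0.113.45", "2001:db8:1::10"]


def parse_ban_list(entries):
    """Turn entries into network objects.

    Returns (networks, rejected) so that typos are reported instead of
    being silently skipped. Blank lines and '#' comments are ignored.
    """
    networks, rejected = [], []
    for raw in entries:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        try:
            # strict=False accepts '203.0.113.77/24' and normalises it to the
            # network it actually covers, 203.0.113.0/24.
            networks.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            rejected.append(text)
    return networks, rejected


def self_ban_conflicts(ban_entries, admin_addresses):
    """List (admin_address, ban_entry) pairs where a ban would lock the admin out."""
    networks, rejected = parse_ban_list(ban_entries)
    conflicts = []
    for addr_text in admin_addresses:
        addr = ipaddress.ip_address(addr_text)
        for net in networks:
            if addr.version == net.version and addr in net:
                conflicts.append((addr_text, str(net)))
    return conflicts, rejected


def overly_broad(ban_entries, min_prefix_v4=16, min_prefix_v6=32):
    """Flag ranges wider than the given prefix lengths; wide bans hit bystanders."""
    networks, _ = parse_ban_list(ban_entries)
    flagged = []
    for net in networks:
        floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < floor:
            flagged.append(str(net))
    return flagged


if __name__ == "__main__":
    conflicts, rejected = self_ban_conflicts(BAN_LIST, ADMIN_ADDRESSES)
    for addr, entry in conflicts:
        print(f"WARNING: {entry} would ban your own address {addr}")
    for entry in rejected:
        print(f"Not a valid address or range: {entry}")
    for entry in overly_broad(BAN_LIST):
        print(f"Very wide range, review before banning: {entry}")
```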

Final Thoughts

Protecting your WordPress site can be a daunting task, as there is always someone out there looking to cause trouble. However, with help from a solid plugin like Banhammer, the entire process can be easy, fun, and educational.

I hope the article was able to show you how easy it can be to monitor traffic and block IP addresses when needed. 

What other plugins have you used to block an IP? Have you found it difficult to monitor traffic in the past?

How to Embed a Facebook Page in WordPress with Showeblogin
https://www.greengeeks.com/tutorials/facebook-page-wordpress-showeblogin/
Wed, 18 Nov 2020 20:59:47 +0000

With over 2.7 billion monthly users, Facebook has become too big for anyone to ignore. Thus, it is only natural to look for ways to incorporate it into WordPress. Luckily, the Showeblogin Social Plugin gives you a variety of tools to do the job.

The plugin is simple, offers a variety of features, and is completely free to use. As such, it’s exactly what most websites are looking for in WordPress. Today, I will demonstrate how to use the Showeblogin plugin to add a variety of Facebook features.

Why Is Facebook Integration So Important?

Facebook is the world’s most popular social media platform, and any successful business has a presence. It provides businesses of any size an opportunity to reach out to their target audience and promote their brand.

The term Facebook integration refers to any type of feature related to Facebook being added to your website. For example, it’s quite common to ask visitors to “like and share our page on Facebook” but they can’t do that easily unless we actually add a Facebook like button.

Of course, there are more complex ways to integrate Facebook and WordPress. For instance, if you have a need for a chatbox, you can use Facebook Messenger to do it. In fact, you can even create a bot to greet customers and collect general information.

Some of the more common integrations for WordPress include a Facebook login, using Facebook Pixel, or auto-posting to Facebook when a new post is published. The options are there for those interested.

The point is Facebook is popular, and there are a lot of ways to take advantage of that popularity for website owners.

How to Use Showeblogin in WordPress

Step 1: Install Showeblogin

The Showeblogin plugin offers a variety of tools, which include showing a Facebook like button for any page, embedding a Facebook post or page, using a Facebook comment box (which allows users to comment with their Facebook account), and much more.

All of this is done via shortcodes, which is why it’s so easy to use. And most importantly, it gives you the control you need to add it in any location, including a text widget.

Let’s start by clicking on Plugins and selecting the Add New option on the left-hand admin panel.

Search for Showeblogin Social Plugin in the available search box. This will pull up additional plugins that you may find helpful.

Scroll down until you find the Showeblogin Social Plugin and click on the “Install Now” button and activate the plugin for use.

Step 2: Add the Facebook Widget

There is one oddity in this plugin. Even though the plugin uses shortcodes, you must have the widget on your website to use it. Even if you just add the widget to your sidebar and do not customize it, that will allow the plugin to work.

Thus, there is no way around adding the widget; it must be done.

However, you can also use the widget to integrate WordPress with your Facebook page. And this might be a good thing if you are not a fan of shortcodes.

On the left-hand admin panel, click on Appearance and select the Widgets option.

Locate the Showeblogin Social widget and add it to the desired widget area.

At this point, if you just wanted to use shortcodes, you are done with the widget. All that is required is that the widget is in a widget area. If you do not enter any information into the fields, it will not do anything to that widget area.

However, the widget is a good addition, so I will cover how to use it for those interested.

You can add a title; I recommend something like “Check Out Facebook Page” or similar. Enter your Facebook URL and the sizes you want to use (340 width and 500 height is a good choice), select a specific tab to display (for example, you can display upcoming events), and fill out the rest of the widget.

Note: You can add any Facebook URL into the widget. This can be useful if you are doing a collaboration event and want to help promote someone else.

Click on the “Save” button and you can view it on your website.

Shortcodes provide another way to add your Facebook page in WordPress, so let’s take a look.

Step 3: Use the Shortcodes

The shortcodes are quite easy to use, and if you have used a shortcode before, you will not have any trouble with these. Note that, if you skipped the last section, adding a widget is a requirement.

If you don’t do it, the shortcodes will not work.

The plugin has two shortcodes, but only one of them is actually going to be used.

The first one is very basic and cannot be altered in any way, and is probably not practical for what you want to do:

[swt-fb-likebox]

Adding this will simply connect you to the Showeblogin Facebook page, thus, it is useless to an actual website. Although, it can give you an idea of what the plugin can do, so check it out on a private post or draft.

Instead, the second shortcode is what you are going to use, and it can be customized in a variety of ways:

[swt-fb-likebox url="https://www.facebook.com/SuperWebTricks" width="340" height="500" tabs="timeline,events,messages" hide_cover="false" show_faces="true" hide_call_action="true" small_header="false" adapt_container_width="true" data_lazy="true"]

The only change you need to make is switching the Facebook URL to the one you want to display. Doing so will result in a Facebook like page box with your most recent posts.

On it, visitors can click the like button to like the page, click on the Share button to share it with friends, or simply scroll through your posts. It’s very compact but shows all of the important information.

Remember, the shortcode can be added to any post, page, or even a text widget.

Congratulations on learning how to use the Showeblogin plugin to integrate your Facebook page in WordPress. If you decide to delete the plugin, remember to manually remove all of the shortcodes you added.

Make It Easy to Interact With Social Media

One of the biggest mistakes new web developers make is overestimating how far visitors will go to support a website. If you think just asking for someone to visit your Facebook page is enough, let me assure you, it isn’t.

Instead, you need to provide a link or a direct way to send the visitor there.

If you want them to like a page, subscribe to a channel, or some other social media following system, you need to provide that social button to the visitor. And the good news is that WordPress supports every social media platform thanks to the large library of plugins.

As a result, it only takes a few minutes to provide visitors with the direction they need. And it can seriously help you grow your following on that platform.

Facebook is Big, But There Are Other Options

Facebook is definitely the leader of the pack when it comes to audience size, but don’t think that is your only option. Twitter, YouTube, Instagram, and many other platforms also have well over a billion monthly users.

As a website owner, you should try to have a presence on as many social media platforms as you can to help you grow faster.

How easy did you find the Showeblogin Social Plugin to use? Do you think WordPress should have more social media options baked into it?

How to Use WPS Hide Login to Protect the WordPress Admin Page
https://www.greengeeks.com/tutorials/use-wps-hide-login/
Tue, 07 Jul 2020 14:00:34 +0000

Are you looking for a simple, yet effective way to protect your admin page? If so, you can use the WPS Hide Login plugin to change the location of the login page.

The most popular method to break into a website is brute force (continually entering login information until it is right).

However, you can’t brute force your way into a website if you do not know where to input the login information. Thus, this method is quite effective.

Today, I will demonstrate how to protect your admin page with the WPS Hide Login plugin.

Why Does This Work?

So, you are probably wondering why changing the location of the WP login is an effective strategy.

By default, the WordPress admin login is located at the same subdirectory (the last part of the URL) on every site. Thus, regardless of how good your website’s security is, anyone can type in your website address and add “/login” at the end of the URL.

Now, with proper security protection like choosing a strong password, reCAPTCHA, limited attempts before a lockout, and more, you can rest easy that a brute force attack won’t get through.

However, what happens if the hacker was able to obtain the correct login through other means?

Well, they would get into your website, but if you were to hide admin login in WordPress, that information won’t do them any good, or at the very least it will stall them.

Only Protects Against Amateurs

Hiding your WordPress blog login area sounds great on paper, but I do need to make something very clear.

This will only stop amateurs.

Someone who is experienced in WordPress and actively tries to break into websites will undoubtedly be able to locate the login page on your website. I will not explain how since that undermines the plugin, but it is possible.

Thus, even if you do add this feature, you should still incorporate other security elements to protect your website.

Installing WPS Hide Login

The WPS Hide Login plugin allows you to change the location of your WP login without rewriting any files. Instead, the plugin simply intercepts the page requests and sends you to the location of your choosing.

If you are running other plugins that also utilize this login, like BuddyPress, Jetpack, etc., you don’t need to worry; this plugin is compatible. However, note that some plugins are hardcoded to wp-login.php. In those instances, the plugins will not work correctly or will interfere with this one.

Let’s start by clicking on Plugins and selecting the Add New option on the left-hand admin panel.

Search for WPS Hide Login in the available search box. This will pull up additional plugins that you may find helpful.

Scroll down until you find the WPS Hide Login plugin and click on the “Install Now” button and activate the plugin for use.

Hiding Your Login Area

The plugin is really simple to use and doesn’t require you to do anything fancy. In fact, all you really need to do is change one thing in the settings.

Click on Settings and select the WPS Hide Login option.

While you do only need to change one thing, there is an entire page for this area. Most of the sections are auto-filled and include your website’s URL, admin email, timezone, language, date format, and more.

And that is because this is just the General settings of WordPress.

All of these should already be set up for your website and should not require you to change anything. Thus, you can scroll down to the WPS Hide Login section.

There are two options here, Login URL and Redirection URL.

Login URL

The Login URL is what you must type into your web browser to find the login area.

So for example, you could change the default “login” to “taco” which would mean you would visit: www.yourwebsite.com/taco

That would now pull up the login screen of WordPress.

Note: You must remember this URL. If you forget it, you will have to do a lot of work to find it. I highly recommend writing down the URL for safekeeping and bookmarking the page in your browser.

Change the Login URL of your website.

Redirection URL

The Redirection URL is where users will go if they type in the default login URL.

By default, this will send anyone to a 404 error screen when they type in the default login URL. This can be left alone or you can go the extra mile and create a page for this specific redirect, but that is completely up to you.

Change the Redirection URL to whatever you want.

View It Live

Again, I want to stress writing down the URL to your login area. If you lose it, it is not a simple thing to find. Once you have done this, click on the “Save Changes” button.

Go to the login URL you just created to see it in action. If you visit the default login URL, you will be redirected to what you chose.

Congratulations on setting up the WPS Hide Login plugin to protect your login area. You can change the login URL at any time, just make sure to remember what it is.

What If I Forget my Login URL?

You have two options.

The first and by far the easiest way is to log into your cPanel (the login information is provided to you by your web host) and delete the WPS Hide Login plugin. This will revert your login URL to the default page.

You can then reinstall the plugin if you desire.

The second option is to go to your MySQL database and look for the value of whl_page. If you do not have much experience using the MySQL database, you are better off removing the plugin file.

Add More Defense to Your Site

While this is a useful technique to prevent amateurs from trying to brute force their way into your website, you can better protect it by other means.

One way to do this is to limit the number of login attempts. This makes it so instead of having an infinite number of chances to guess a password, you only get a handful of them before a lockout occurs.

And wouldn’t you know it, there is a WPS Limit Login plugin from the same makers that gets the job done. It’s just as simple to use as the one detailed above, and they can work in conjunction with each other.

You may also want to consider more robust security plugins that offer features like this among other things.

Take Security Seriously

Unfortunately, new website owners don’t take security as seriously as they should.

This stems from the misconception that their website has nothing on it to steal. And while that may be true when starting out, it doesn’t stop a hacker from getting in and leaving a backdoor.

They can use that backdoor to come back when you do have something to steal. You could also just be dealing with someone who just wants to take your website offline for some reason.

Some hackers will simply add fake pages to your site to steal information from unsuspecting visitors.

In any case, strong security needs to be established from the get-go.

Do you think WordPress should allow developers to change their login URL by default? What other security measures are you considering using?

How to Protect WordPress from Brute Force Attacks with Loginizer
https://www.greengeeks.com/tutorials/protect-wordpress-brute-force-attacks-loginizer/
Mon, 06 Jul 2020 14:00:07 +0000

The post How to Protect WordPress from Brute Force Attacks with Loginizer appeared first on GreenGeeks.

Brute force attacks are still an issue for many WordPress websites. There are several ways you can protect yourself from this kind of attack. Today, I am going to show you how to use a plugin called Loginizer.

This plugin will help prevent your site from succumbing to a brute force attack.

Loginizer

Loginizer plugin

Solid custom brute force protection is hard to come by these days. This is especially true if you are looking to get that kind of protection for free. However, you can get it with a smooth plugin called Loginizer.

The plugin is very lightweight, easy to install, and easy to set up. It counters brute force attacks by blocking logins from an IP address once it reaches the maximum number of retries allowed.

The plugin starts running as soon as you activate it, working from its default settings. However, you can also go to the configuration page and perform a setup more tailored to what you want for your website.

Loginizer gives you the ability to blacklist and whitelist IPs for login as well. So you have a good amount of control right away. There are also several other ways to control a brute force attack, all of which are presented to you within the plugin.

Once a user tries to log in unsuccessfully a certain number of times (based on your settings), they are hit with an automatic WordPress lockout and won’t be able to access anything.

The Loginizer plugin comes packed with features. Some of the main ones include:

  • Blocks an IP after maximum retries are hit
  • Extended lockout option after maximum lockouts
  • Sends email notification after maximum lockouts are hit
  • Blacklist IP/IP Range
  • Whitelist IP/IP Range
  • You can check all logs of failed attempts in the backend
  • Create and delete IP ranges
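
The retry, lockout and extended-lockout behaviour in the list above can be modelled in a short stand-alone script. This is an added example, not Loginizer's code: the class name, the thresholds, the blacklist-before-whitelist precedence and the sample addresses are assumptions.

```php
<?php
// Added illustration, not Loginizer's code: a stand-alone model (PHP 8.0+, 64-bit)
// of a retry -> lockout -> extended lockout policy with IP range lists.
// Class name, thresholds, list precedence and sample IPs are assumptions.

final class LockoutPolicy
{
    /** @var array<string, array{fails:int, lockouts:int, until:int}> per-IP counters */
    private array $state = [];

    public function __construct(
        private int $maxRetries = 3,        // failed logins before a lockout
        private int $lockoutSecs = 900,     // length of a normal lockout
        private int $maxLockouts = 2,       // lockouts before the extended one
        private int $extendedSecs = 86400,  // length of the extended lockout
        private array $whitelist = [],      // IPv4 CIDR ranges never locked out
        private array $blacklist = []       // IPv4 CIDR ranges always refused
    ) {
    }

    /** True when $ip falls inside an IPv4 range such as "198.51.100.0/24". */
    public static function inCidr(string $ip, string $cidr): bool
    {
        [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
        $ipLong = ip2long($ip);
        $netLong = ip2long($net);
        $validBits = preg_match('/^\d{1,2}$/', $bits) === 1 && (int) $bits <= 32;
        if ($ipLong === false || $netLong === false || !$validBits) {
            return false; // malformed entries match nothing instead of everything
        }
        $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
        return ($ipLong & $mask) === ($netLong & $mask);
    }

    private function listed(string $ip, array $ranges): bool
    {
        foreach ($ranges as $cidr) {
            if (self::inCidr($ip, $cidr)) {
                return true;
            }
        }
        return false;
    }

    /** Verdict for a login attempt from $ip at Unix time $now. */
    public function check(string $ip, int $now): string
    {
        if ($this->listed($ip, $this->blacklist)) {
            return 'refused (blacklist)';
        }
        if ($this->listed($ip, $this->whitelist)) {
            return 'allowed (whitelist)';
        }
        return $now < ($this->state[$ip]['until'] ?? 0) ? 'locked out' : 'allowed';
    }

    /** Record one failed login; the verdict says whether another try is possible. */
    public function recordFailure(string $ip, int $now): string
    {
        $verdict = $this->check($ip, $now);
        if ($verdict !== 'allowed') {
            return $verdict; // listed or already locked: counters stay untouched
        }
        $s = $this->state[$ip] ?? ['fails' => 0, 'lockouts' => 0, 'until' => 0];
        if (++$s['fails'] >= $this->maxRetries) {
            $s['fails'] = 0;
            $extended = ++$s['lockouts'] >= $this->maxLockouts;
            $s['until'] = $now + ($extended ? $this->extendedSecs : $this->lockoutSecs);
            $verdict = $extended ? 'extended lockout' : 'locked out';
        }
        $this->state[$ip] = $s;
        return $verdict;
    }
}

// Constructed demo: one address keeps failing, one is whitelisted, one blacklisted.
$policy = new LockoutPolicy(whitelist: ['198.51.100.0/24'], blacklist: ['192.0.2.0/24']);
$t = 1_700_000_000;
foreach ([0, 10, 20, 30, 1000, 1010, 1020, 1030] as $offset) {
    printf("t+%-5d %s\n", $offset, $policy->recordFailure('203.0.113.7', $t + $offset));
}
echo $policy->recordFailure('198.51.100.20', $t), "\n";
echo $policy->recordFailure('192.0.2.9', $t), "\n";
```

In the demo the third failure triggers a 15-minute lockout, and the second lockout is the extended one. The whitelisted address never accumulates failures, so keep whitelist ranges as narrow as possible.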

Loginizer gives you custom brute force protection for free. Let’s take a look at how to install the plugin and then set it up.

Note: This plugin does have a pro version that will give you more functionality and other protection options. Feel free to check that out if you feel it is something you need. That being said, this tutorial is based on the free version, as it gives you everything you need to protect against brute force attacks.

Install and Activate Plugin

In order to start using Loginizer to help against brute force attacks, you first need to install and activate the plugin. You can do this by going to the Plugins page inside your WordPress admin dashboard.

Simply search for the plugin by name and install it right from there.

Install and activate loginizer

Once the plugin has been installed and activated, you want to access the main settings and configuration page. To do this, click on Loginizer Security > Brute Force.

You will see this option in the left side menu area of your dashboard once the plugin has been activated.

Click loginizer security then brute force

From here you can configure the plugin how you see fit according to your needs.

Note: The plugin starts running automatically as soon as it is installed. You can configure it from there.

Setup Custom Brute Force Protection

At this point, you should be on the main configuration page for the Loginizer plugin. It is a single-page layout, but has a few different options to go over. Let’s go over these together.

At the top portion of the page, you will see a box that shows you all the failed login attempts over the last 24 hours. Here you can see who is trying to log in and when they try. This is a valuable list to have because you can use it to blacklist or whitelist IPs.

Failed login attempts

Now scroll down some and give the “Brute Force Settings” configuration box a look. Here is where you will set all your entry limits and lockout times. This is the heart of your setup. Go ahead and fill out all the entries according to how you want them to take hold on your site.

Brute force settings

Below that, you will find the configuration box for the blacklist IP settings. You can blacklist as many IPs as you want. So feel free to add any that you already have in a list.

Blacklist IP settings

The same goes for the whitelist IP box. You can whitelist as many as you want.

Whitelist IP settings

Finally, at the bottom of the page, you will see a configuration box for error messages. You can see that there are two default messages. However, you can make the messages say whatever you want.

Error Messages

Don’t forget to click on the “Save” buttons as you go through all your options. That’s it! You have set up custom brute force protection using Loginizer and you are all set.

You can adjust settings at any time.

Loginizer Dashboard

Loginizer also provides you with a dashboard so that you can monitor everything that is happening. To access this dashboard, click on Loginizer Security > Dashboard.

Click loginizer security then click dashboard

At the top of the dashboard, you can see all the system information. Go ahead and check that out and make sure all is running correctly.

System information

Below that, you can see all the file permissions.

File permissions for loginizer

What is a Brute Force Attack?

Simply put, a brute force attack is an attempt to crack a password or username, find a hidden web page, or find the keys used to encrypt a message. It uses a trial-and-error approach in hopes that it will eventually guess correctly.

This kind of attack is actually an old method, but it is still widely used and oftentimes successful. Depending on how complex a password is, cracking it can take anywhere from a few seconds to years.

IBM created a report showing that some hackers will target the same system for months and even years at a time. Their data shows how dedicated and resourceful hackers are and how they will wait and wait while the brute force attacks continue to go to work on a website over time.

These kinds of attacks happen to WordPress sites often. That is why it is a good idea to have a tool in place that can help protect your site against them. The info above will give you a solid tool and good starting point in order to help protect your website from brute force attacks.

Final Thoughts

Brute force attacks have been a long-standing issue for website owners. Even though the method is fairly old, it is still very popular and widely used because of its effectiveness.

There are certain steps you want to take in order to secure and protect your website. One of the most important ones is having the ability to build custom brute force attack protection from the backend of your website.

The Loginizer plugin is a fantastic way to get this process started and will work to immediately secure your site. With all the functionality and ability the plugin gives, you should be able to build up a solid wall around your site and protect it.

Has your website ever been the victim of a brute force attack? Have you found that the Loginizer plugin has helped protect against this when used properly?

How to Force a Login Before Visitors Access WordPress and Why
https://www.greengeeks.com/tutorials/force-login-before-visitors-access-wordpress/
Wed, 17 Jun 2020 16:21:08 +0000

The post How to Force a Login Before Visitors Access WordPress and Why appeared first on GreenGeeks.

There may come a time when you have built a WordPress website that you don’t want anyone to see without having to log in first. There may be several reasons behind this. If so, it is ideal to figure out a way to force login on a WordPress website.

Why Force Login in WordPress?

There may be several reasons behind you wanting to push forward with a WordPress force login layout. Maybe you have a blog that has content you only want registered users to see.

Or, you may just want to hide your website from everyone except specific people. In this case, when you force a login in WordPress, you are basically saying that users can only see your site content if they are actually logged into the website.

Perhaps you want to build a members-only platform for your local group or business.

Remember, there are several WordPress User Roles available. Just because you force login for a user does not mean that they have admin access or editor access to your website. It simply means that you are forcing them to log into your site as a member or user in order to view the content in question.

In order to force a login within WordPress, you either have to know some code, or find a plugin that will automatically do this for you. Fortunately, I have found an outstanding plugin that will accomplish this.

Not only that, but I will also show you some different PHP code to use for certain situations. So, below we will look at the plugin itself, as well as some code strings to use in order to force the login in certain situations on a WordPress website.

Let’s take a look at the plugin in question. After that, I will go over installation and usage with you.

Force Login

Force Login plugin

The Force Login plugin is simple, straightforward, and very easy to use. The plugin name reflects exactly what it does when installed and activated. Basically, it hides your WordPress website from public viewing by requiring visitors to log in first.

While plugin usage and setup is as easy as flipping a switch, it still comes with a number of great features that you can use to your advantage. Some of the main features include:

  • Compatible With WordPress MultiSite
  • Login Will Redirect Visitors Back to URL They Tried to Visit
  • Developer API (Extensive Hooks and Filters)
  • Highly Customizable (Set Specific URL)
  • Page and Post Filter Exceptions
  • Ability to Restrict REST API to Authenticated Users
  • WPML Certified and Translation Ready

Basically, you can force login and block content in a number of ways. Let’s take a look at how to get the plugin installed and activated.

Install and Activate the Plugin

In order to force login in WordPress, you first need to install and activate the plugin. You can do this by heading over to the Plugins page inside your WordPress admin dashboard. Simply search the plugin name and install it from there.

Install and activate force login

Once the plugin has been installed and activated, you are actually good to go. There are no settings and no other setup. Force login is automatically turned on and working.

As mentioned above, it is basically like flipping a switch.

However, there are some code strings we can look at and force login in different situations. Let’s take a look at those in order to give you a better idea of what else you can do with this plugin.

Force Login Options

As I said above, anytime someone tries to go to your website now, or any URL on your site, they are automatically redirected to the WordPress login page for your website. Here, they can log in with their credentials to access the content.

Remember, when a user signs in, they will automatically be redirected to the URL they were trying to view. Or, if they were on the home page, the redirection will take them back.

However, what if you want to perform some other force login options based on certain situations? That can definitely be done. You simply have to access the functions.php file and add some of the code listed below for the relevant situation.

You can access the functions.php file by clicking on Appearance > Theme Editor.

Click on appearance then on theme editor

This takes you to the Theme Files page where you will see all your theme files. Click on the Theme Functions (functions.php) file, add any of the code below to the end of the file, and save it.

Click on the theme functions functions.php file

Specify a URL to Redirect To Upon Login

If you want a user redirected to a specific URL no matter what, then use this code:

/**
 * Set the URL to redirect to on login.
 *
 * @param string $url The visited URL.
 * @return string The URL to redirect to on login. Must be absolute.
 */
function my_forcelogin_redirect( $url ) {
    return home_url( '/mypage/' );
}
add_filter( 'v_forcelogin_redirect', 'my_forcelogin_redirect' );

Add Exceptions for Certain Pages and Posts

You are able to bypass force login based on any conditions. You can also use WordPress conditional tags. Below is the code to bypass, and the code to whitelist URLs.

Bypass Force Login

/**
 * Bypass Force Login to allow for exceptions.
 *
 * @param bool $bypass Whether to disable Force Login. Default false.
 * @return bool
 */
function my_forcelogin_bypass( $bypass ) {
    // is_single() is true for any single post, so every single post becomes public.
    if ( is_single() ) {
        $bypass = true;
    }
    return $bypass;
}
add_filter( 'v_forcelogin_bypass', 'my_forcelogin_bypass' );

Whitelist URLs

/**
 * Filter Force Login to allow exceptions for specific URLs.
 *
 * @param array $whitelist An array of URLs. Must be absolute.
 * @return array
 */
function my_forcelogin_whitelist( $whitelist ) {
    $whitelist[] = home_url( '/mypage/' );
    $whitelist[] = home_url( '/2015/03/post-title/' );
    return $whitelist;
}
add_filter( 'v_forcelogin_whitelist', 'my_forcelogin_whitelist' );

Get the WordPress Mobile App Working

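By default, the Force Login plugin blocks access to all page URLs when it is activated. However, you might need to whitelist the XML-RPC page. This will allow the WordPress app to access your site for remote publishing. Keep in mind that a whitelisted xmlrpc.php accepts username and password logins of its own, so it needs the same brute force protection as the login page.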

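/**
 * Filter Force Login to allow exceptions for specific URLs.
 *
 * The function name differs from the whitelist function above so that both
 * snippets can sit in functions.php without a "cannot redeclare" error.
 *
 * @param array $whitelist An array of URLs. Must be absolute.
 * @return array
 */
function my_forcelogin_whitelist_xmlrpc( $whitelist ) {
    $whitelist[] = site_url( '/xmlrpc.php' );
    return $whitelist;
}
add_filter( 'v_forcelogin_whitelist', 'my_forcelogin_whitelist_xmlrpc' );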

Hide “Back to Sitename” Link

The WordPress login page always includes a “back to sitename” link on the page. If you would like to hide that link, then add the following code:

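// Hide the 'Back to {sitename}' link on the login screen.
function my_forcelogin_hide_backtoblog() {
    // #backtoblog is the element that wraps the link on wp-login.php.
    echo '<style type="text/css">#backtoblog{display:none;}</style>';
}
add_action( 'login_enqueue_scripts', 'my_forcelogin_hide_backtoblog' );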

Final Thoughts

Forcing a user to log in to view your WordPress website is as easy as installing and activating the plugin above. Once it is running, your site visitors will automatically be forced to log in before they can view any pages on your website.

You also have several code options available that give you the ability to force login in certain situations, whitelist URLs, and even attach the WordPress mobile app.

I hope this tutorial gave you clear and easy instructions for forcing users to log in to access your WordPress website pages.

Do you have a website that you force users to log in before they can view? Have you used the plugin above in the past?

How to Block Country IP Addresses in WordPress to Prevent Access
https://www.greengeeks.com/tutorials/block-country-ip-addresses-wordpress/
Mon, 11 May 2020 16:35:03 +0000

The post How to Block Country IP Addresses in WordPress to Prevent Access appeared first on GreenGeeks.

So you have your website up and running, but for one reason or another, you want to block the IP address of a specific country. Doing so can help you reduce spam bots and ensure visitors do not see your website in a country where it may be illegal.

However, this is not a native feature in WordPress. Instead, you will need to install a plugin that allows you to block IP addresses in bulk. Luckily, there are a lot of options you can choose from.

Today, I will show you how to easily accomplish this by using a smooth, lightweight plugin that is easy to configure.

What Is An IP Address?

As simple as I can put it, an IP address is a unique string of numbers that is separated by periods. These numbers are used to identify computers using the Internet Protocol to connect and communicate over a network.

If we break it down even more and make it easier to understand, an IP address is actually a label. This label is used to identify all types of devices on a computer network, like the Internet.

Think of it as a postal address, except for computers. The number is written in binary, and it can tell someone where a device is accessing the web. Each address has two parts. One part specifies the computer or group of computers, while the other part specifies the network.

Why Block The IP Address Of A Country?

Actually, blocking IP addresses is not limited to countries. You may want to block a number of IP addresses for one reason or another. The thing is, sometimes you want to block a country’s IP range because you simply don’t have a website that is tailored toward that area of the world.

Other times you may want to block IP addresses for more personal reasons. Here are some good examples.

Say you own a local store and your primary market is locally and throughout your state. There is no need to allow other countries to index or waste bandwidth on your server. You simply want your site accessible to your market.

Or, in another case, you may run a personal, or private website. This could include a family blog or a private members-only site that you want to restrict traffic to. Using WordPress to block an IP is ideal here as well.

Perhaps you may want to ban or block IP addresses that are known for spamming, data mining, or hacking attempts.

Whatever your reason may be, there is a fantastic plugin we are going to go over that will allow you to easily block a country’s IP address. It will also allow you to block any IP address for that matter.

How to Block The IP Address Of A Country

There are quite a few plugins you can use to block IP addresses in WordPress and one of the best options is the IP2Location Country Blocker plugin. As the name implies, it allows you to block an entire country from accessing your website.

It can even take this a step further by blocking groupings of countries from accessing the website like the European Union (EU) or the Asia-Pacific (APAC), and others. It’s quite easy to use, so it’s fine for any skill level.

Note: This plugin is not compatible with caching plugins. If you have one installed, this plugin will not work.

Step 1: Install IP2Location Country Blocker

Let’s start by clicking on Plugins and selecting the Add New option on the left-hand admin panel.

Add-New

Search for IP2Location Country Blocker in the available search box. This will pull up additional plugins that you may find helpful.

Use IP2Location Country Blocker to block the IP address of a country

Scroll down until you find the IP2Location Country Blocker plugin and click on the “Install Now” button and activate the plugin for use.

Install Now Button

Step 2: Follow The Setup Wizard

The plugin has a setup wizard, but its main purpose is for getting the necessary database installed. It is required, so let’s use it. To access it, click on the Country Blocker option.

Country Blocker

You will then see a small pop-up mentioning the step-by-step guide. Click on the “Get Started” button to begin.

Get Started

The first thing you will need to do is enter the IP2Location LITE download token. This is free but does require you to make an account. If you already have the token, enter it. If not, click on the “free account” link to create one.

Enter the account token

If you are making an account, you just need to enter some basic information. You will need a valid email address as the account verifies the email. Upon verification, you can follow the link in the email to obtain the token.

Then, you just have to copy and paste that code into the setup wizard.

Next, the wizard will use the token to download the database, and the third step congratulates you. Next, it’s time to configure the settings.

Step 3: Choose A Country to Block

By default, the plugin does not block anything because Frontend Blocking is disabled. Thus, the first step is to enable Frontend Blocking. If you do not do this, the settings are not configurable.

Enable Frontend Blocking

The first option of this plugin is what we are after – Block By Country.

There are two options. You can block all of the countries you enter into the textbox below or you can block every country not listed in the textbox.

Which option you pick depends on what your goal is. For example, let’s say you run a local plumbing business. There is no reason for anyone outside of the country it resides in to ever view your page.

Thus, you may want to just enter your home country and block all of the others.

In any case, check the option that applies to you. In this case, I will choose to block the countries listed in the box below and enter China.

Block the IP Address of a country

The Block by Proxy section requires a different database to be installed, which this tutorial will not cover. However, it’s not all that difficult of a process.

Below this, you will find some general settings that you can configure. This allows you to whitelist bots & crawlers, choose the error message users will see in blocked countries, and gives you the ability to blacklist or whitelist specific IP addresses.
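
The two Block By Country options and the per-IP lists reduce to a range lookup followed by one decision. The sketch below is an added example, not the plugin's code: the function names, the mode keywords, the rule that per-IP entries win over the country rule, the documentation-range addresses and the placeholder country codes XA/XB are all assumptions.

```php
<?php
// Added illustration, not the plugin's code. Rows imitate the ip_from, ip_to,
// country_code layout of an IP-to-country database; the ranges are reserved
// documentation networks and the codes XA/XB are constructed placeholders.

/** Constructed sample data: sorted by start address, non-overlapping. */
function sampleRanges(): array
{
    return [
        [ip2long('192.0.2.0'),    ip2long('192.0.2.255'),    'XA'],
        [ip2long('198.51.100.0'), ip2long('198.51.100.255'), 'XB'],
        [ip2long('203.0.113.0'),  ip2long('203.0.113.255'),  '-'], // no country on record
    ];
}

/** Binary search for the range containing $ip; "-" when nothing matches. */
function lookupCountry(array $ranges, string $ip): string
{
    $n = ip2long($ip);
    if ($n === false) {
        return '-'; // not a valid IPv4 address
    }
    $lo = 0;
    $hi = count($ranges) - 1;
    while ($lo <= $hi) {
        $mid = intdiv($lo + $hi, 2);
        [$from, $to, $country] = $ranges[$mid];
        if ($n < $from) {
            $hi = $mid - 1;
        } elseif ($n > $to) {
            $lo = $mid + 1;
        } else {
            return $country;
        }
    }
    return '-';
}

/**
 * $cfg['mode'] is 'block_listed' (block the listed countries) or
 * 'allow_listed' (block every country that is not listed).
 */
function isBlocked(string $ip, array $cfg, array $ranges): bool
{
    if (in_array($ip, $cfg['ip_whitelist'], true)) {
        return false; // assumed precedence: per-IP exceptions beat the country rule
    }
    if (in_array($ip, $cfg['ip_blacklist'], true)) {
        return true;
    }
    $listed = in_array(lookupCountry($ranges, $ip), $cfg['countries'], true);
    return $cfg['mode'] === 'block_listed' ? $listed : !$listed;
}

// Constructed visitors, evaluated under both modes with the same country list.
$ranges = sampleRanges();
$visitors = ['192.0.2.10', '198.51.100.7', '198.51.100.99', '203.0.113.5', '10.1.2.3'];
foreach (['block_listed', 'allow_listed'] as $mode) {
    $cfg = ['mode' => $mode, 'countries' => ['XA'],
            'ip_whitelist' => ['198.51.100.99'], 'ip_blacklist' => []];
    echo "mode=$mode, countries=XA\n";
    foreach ($visitors as $ip) {
        printf("  %-14s country=%-2s %s\n", $ip, lookupCountry($ranges, $ip),
            isBlocked($ip, $cfg, $ranges) ? 'BLOCKED' : 'allowed');
    }
}
```

In this model an address with no country on record passes in block_listed mode and is blocked in allow_listed mode, which is worth checking before choosing the stricter option.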

Click on the “Save Changes” button when you are done.

Save Changes

And that’s it! Congratulations on learning how to block a country’s IP address in WordPress. Just remember to be sure about what you are doing because it can seriously impact who has access to your website.

Other Plugins to Block Country IP Addresses

WordPress is home to a variety of plugins, so there are a lot of alternative plugins that can block IP addresses. Here are a few you may find useful.

iQ Block Country

iQ Block Country

The iQ Block Country plugin is an excellent alternative when you want to restrict access to your website. It makes it easy to block IP addresses from specific countries.

Of course, it also has other features like IP address blocking and whitelisting, so you can make exceptions as needed. Overall, it’s easy to use, so be sure to give it a try.

Wordfence Security

Wordfence Security

There’s a good chance you already have Wordfence Security installed on your website, and if you do, you actually already have a way to block IP addresses in WordPress.

This plugin allows you to block IP addresses individually, or you can block an entire country. Since you should have a security plugin installed, this one kills two birds with one stone.

Final Thoughts

If you have the right plugin and know how to use it, then having the ability to block country IP addresses is not difficult. If you don’t want certain people accessing your website content, then the IP2Location Country Blocker plugin is exactly what you need.

Not only will you be able to be more private with your site, but it is also easy to set up. Now you can block and redirect IP addresses from anywhere in the world the way you see fit.

Have you ever tried to block an IP address using another process? Have you found that things run smoother on your website if you can block IP addresses?

How to Create a WordPress Activity Log and Why
https://www.greengeeks.com/tutorials/create-wordpress-activity-log/
Wed, 25 Dec 2019 15:00:49 +0000

The post How to Create a WordPress Activity Log and Why appeared first on GreenGeeks.

If you have multiple website contributors or administrators, you need a WordPress activity log. An activity log keeps you abreast of changes at a glance. You can see who changed what and when it was done.

Even if you are the only site administrator, a record of when changes were made can come in very handy. For instance, when you have to troubleshoot an error or other problem. Knowing exactly when you did something will make fixing any resulting problems much easier.

WordPress doesn’t have any built-in logging abilities, so to start logging changes, we have to use a plugin. There are a few logging plugin options, but we’re going to install the Activity Log plugin to do our logging.

Activity Log will show us when posts were published and who published them. It keeps track of when plugins are activated or deactivated. We’ll even be able to receive email based on specific activity triggers.

Once you use the plugin to track user activity, you’ll wonder how you ever lived without a web activity log as a crucial part of your WordPress site.

Installing the Activity Log Plugin

Log in to your WordPress admin panel.

In the left column navigation, mouse over the “Plugins” link and click the “Add New” link.

mouse over the "Plugins" link and click the "Add New" link

In the “Search plugins…” box, enter “Activity Log.”

search for the WordPress Activity Log plugin

Once you have located the plugin, click the “Install Now” button.

click to install the WordPress Activity Log plugin

Now the plugin is installed, but it has to be activated before you can use it.

Click the “Activate” button.

click to activate the WordPress Activity Log plugin

Configuring Activity Log

In the left column navigation, mouse over the “Activity Log” link and click the “Settings” link.

click the "Settings" link

There are two tabs on the “Activity Log Settings” page. For now, we’re working on the “General” tab.

Change the “Keep logs for” setting if you want to increase or decrease the number of days that are logged. Bear in mind that like any cumulative data, the longer the retention period, the more space the logs will consume.

Click the “Save Changes” button to save your update.

click the "Save Changes" button

Unlike traditional website logs, the activity logs are stored in your WordPress database. Be sure to consider that if database size or storage space is a concern. The longer you keep logs, the larger your database backups will become.

The other option on the page is to delete existing logs. Click the “Reset Database” link to clear the records. It is not possible to retrieve old logs once you do this.

click the "Reset Database" link

Viewing the WordPress Activity Log

In the left column navigation, click the “Activity Log” link.

click the "Activity Log" link

Now you can see just how comprehensive the activity logs are. It’s an impressive amount of useful information.

activity logs

Note that the plugin also serves as a WooCommerce log, noting changes made in WooCommerce configuration. And it doesn’t stop there. It will do that for (almost) every plugin that you have installed.

As you can see, it is also a settings log, tracking settings changes made to WordPress, in addition to logging plugin activation and deactivation.

Here’s what each column is telling you:

  • Date shows the date and time of the change.
  • Author is the user who made the change.
  • IP is the user’s IP address.
  • Type shows the category of the change.
  • Label is a note on the location of the change, or other information.
  • Action is what was done as part of the change.
  • Description is specific information about, or the location of, the changes.

You can filter the WordPress logs by some pre-defined date ranges, or show actions by a specific user. The logs can also be filtered by actions.

For example, to see all plugin deactivations, select “Deactivated” from the drop-down, and click the “Filter” button.

plugin deactivation log filtering

plugin deactivation activity logs

How to Get Email Alerts From the WordPress Update Log

The most convenient way to monitor user activity is via email alerts. Setting up those alerts is easy, and the plugin is very flexible as far as which information can be sent.

In the left column navigation, mouse over the “Activity Log” link and click the “Settings” link.

Click the “Notifications” tab.

click the "Notifications" tab

The “Notification Events” section is where you choose what kind of action will trigger an email.

For example, if you want to receive an email every time a particular user makes a change, leave the first drop-down set to “User,” the second drop-down to “Equals to,” then select the user from the final drop-down.

configuring alert email

Clicking the “+ and” button in “Notification Events” adds another condition to the configuration. So you can receive an alert when a user makes a post by specifying a second condition.

In the interest of keeping this tutorial simple, we’ll use only a single condition. But to get the most out of the plugin, you’ll want to explore using multiple conditions.

In the “Email” section, set “Enable?” to “Yes.”

Enter the email address that you want the notice sent from in the “From Email” field, and the email address of the recipient of the notice in the “To Email” field.

You can customize the email in the “Message” field.

Click the “Save Changes” button.

configuring alert email

The only drawback to the system is that it isn’t possible to set up multiple notification emails. If you want to add an event, click the “+ and” button in “Notification Events” to add another condition to the existing notice.
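
How AND-joined conditions narrow an alert, and how the “Keep logs for” period limits what can be reviewed later, can be shown on a handful of rows. This is an added example, not the Activity Log plugin's code: the function names, operator keywords, user names and log rows are constructed.

```php
<?php
// Added illustration, not the Activity Log plugin's code. Rows use columns the
// log screen shows; every value, user name and operator keyword is constructed.
date_default_timezone_set('UTC');

$rows = [
    ['date' => '2019-10-01 08:00:00', 'author' => 'contractor', 'ip' => '203.0.113.9',
     'type' => 'Plugins', 'action' => 'Deactivated', 'description' => 'Example Cache'],
    ['date' => '2019-12-18 09:14:02', 'author' => 'editor1', 'ip' => '203.0.113.5',
     'type' => 'Posts', 'action' => 'Updated', 'description' => 'Holiday hours'],
    ['date' => '2019-12-19 22:41:37', 'author' => 'contractor', 'ip' => '203.0.113.9',
     'type' => 'Plugins', 'action' => 'Deactivated', 'description' => 'Example Security'],
    ['date' => '2019-12-20 07:02:10', 'author' => 'admin', 'ip' => '198.51.100.4',
     'type' => 'Plugins', 'action' => 'Deactivated', 'description' => 'Example Gallery'],
    ['date' => '2019-12-20 07:30:00', 'author' => 'contractor', 'ip' => '203.0.113.9',
     'type' => 'Posts', 'action' => 'Created', 'description' => 'Draft page'],
];

/** Keep only rows inside the retention window of $keepDays days before $now. */
function applyRetention(array $rows, int $keepDays, string $now): array
{
    $cutoff = strtotime($now) - $keepDays * 86400;
    return array_values(array_filter(
        $rows,
        fn(array $row): bool => strtotime($row['date']) >= $cutoff
    ));
}

/** A rule is a list of [column, operator, value] conditions joined with AND. */
function ruleMatches(array $rule, array $row): bool
{
    foreach ($rule as [$column, $operator, $value]) {
        $equal = ($row[$column] ?? null) === $value;
        if ($operator === 'equals' ? !$equal : $equal) {
            return false; // one failed condition rejects the row
        }
    }
    return true;
}

/** Rows that the rule would have raised an alert for. */
function alertsFor(array $rows, array $rule): array
{
    return array_values(array_filter(
        $rows,
        fn(array $row): bool => ruleMatches($rule, $row)
    ));
}

$kept = applyRetention($rows, 30, '2019-12-20 12:00:00');
$single = [['author', 'equals', 'contractor']];
$both = [['author', 'equals', 'contractor'], ['action', 'equals', 'Deactivated']];

printf("rows kept: %d of %d\n", count($kept), count($rows));
printf("user only: %d alerts\n", count(alertsFor($kept, $single)));
foreach (alertsFor($kept, $both) as $row) {
    printf("user AND action: %s %s %s (%s) from %s\n", $row['date'], $row['author'],
        $row['action'], $row['description'], $row['ip']);
}
```

The rule is replayed over stored rows only to show which events it matches. The 1 October deactivation is already outside the 30-day window and can no longer be reviewed.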

What Happens if You Uninstall the Plugin

Uninstalling the plugin does not affect your site.

When you deactivate the plugin, its database table—and all the existing log data—remains. If you uninstall the plugin, the database table and data are deleted. Keep that in mind if you want to retain the change data the plugin has collected.

If You Need a WordPress Activity Log for a Multisite Installation

Check out the WP Security Audit Log plugin.

WP Security Audit Log

The plugin performs essentially the same logging as Activity Log, but it does logging for WordPress Multisite installations.

It will work on your single site installation as well, but certain features, like email notifications, are only available if you upgrade to a paid version of the plugin.

Keeping Your Eye on the Comings and Goings

I don’t know about you, but I’ve been frustrated by a lack of information about website changes more times than I care to remember. Even when I know I’m the person who made the changes.

A tool like the Activity Log plugin could have saved me from some of that frustration. It’s the most full-featured of the available monitor plugins. The ability to be notified of important changes with an email ensures that no changes will slip past you unnoticed.

The renowned impressionist painter Claude Monet said, “It’s on the strength of observation and reflection that one finds a way. So we must dig and delve unceasingly.” Not to get too esoteric on you, name-checking an impressionist painter, but I think that applies here. 😉

If we know what’s happening, if we observe, it can help us find our way toward increased efficiency and productivity. Maybe not exactly what Monet had in mind, but it works.

Do you make use of activity logs as part of your website management duties? Is there any user activity that this plugin doesn’t log but that you would like to monitor? Let me know in the comments.

How to Fix a WP-VCD Infected Site https://www.greengeeks.com/tutorials/how-to-fix-wp-vcd-infected-site/ Tue, 17 Dec 2019 22:11:33 +0000

The post How to Fix a WP-VCD Infected Site appeared first on GreenGeeks.

Are your comments infested with SEO spam for WordPress theme sites, pharmacies, or other spammy destinations? Is there a mysterious admin user in your WordPress admin panel? Have you noticed unknown PHP files or JavaScript code in your WordPress files? If so, your site may well be infected by WP-VCD.

What Is WP-VCD?

WP-VCD is malware. Malware is malicious software that is intended to damage, disable, or take control of systems. The system, in this case, is your website. The WP-VCD malware creates a hidden WordPress admin user and injects spam links throughout your content. It can even redirect pages to spam sites.

Malware can not only damage your site, but it can also take it offline. WP-VCD isn’t designed to take your site offline. But if your host finds the malware infection before you do, they will likely take your site offline as a preventative measure.

How Is WP-VCD Spread?

WordPress VCD malware is spread through WordPress themes and plugins. It is most commonly spread through “nulled,” or pirated, premium themes.

Premium WordPress themes often include code that prevents the theme from being installed on an unpaid site. If someone removes that protection and makes the theme downloadable for free, that is known as a “nulled” theme.

In the case of WP-VCD, when the nulled theme is activated, the malware immediately goes about injecting spam links. Once it’s active on your site, WP-VCD can also spread to WordPress installations on other domains in your cPanel account.

How Can I Tell If My Site Is Infected With WP-VCD?

The most obvious sign would be the presence of a WordPress admin user that is unfamiliar to you, or new links on your website (usually in comments) pointing to theme-download, pharmaceutical, or other spammy sites.

The admin user created by WP-VCD may be hidden, so you’ll have to check the WordPress database to be sure.

Here we’re logged in to a WordPress database with phpMyAdmin, and we can see an admin user that we didn’t create (and that we can’t see from the admin panel on the site).

unknown user in wordpress database

Next, look for files on your hosting account that are typically infected by WP-VCD.

These are the core wp-vcd malware files, and are commonly found in the /wp-includes directory:

  • wp-vcd.php
  • wp-tmp.php

malware files in /wp-includes

These extra files may reside in your root /public_html/ (or the main /public_html/sub-folder/ if you have addon or sub-domains):

  • class.wp.php
  • admin.txt
  • codexc.txt
  • code1.php

Finally, we’re going to look in the theme files. They are in /wp-content/themes/[theme name]/

In this example, the infected theme is in the /nulled-theme directory. So we go look in /wp-content/themes/nulled-theme for:

  • class.theme-modules.php

Check all themes! Even themes that aren’t in use on your website. WP-VCD will attach itself to every theme it can find.

malware files in themes

If you find some or all of these files, chances are that the theme (and probably every other theme in your WordPress installation) is infected.

How to Fix a Site Infected With WP-VCD

The best way to fix a WordPress site that has been infected by malware is to start over from scratch.

I know that sounds like the last thing you would want to do if your site is established and has a lot of posts or pages, but it’s the best way to be confident that your website is “clean”.

Starting from scratch doesn’t mean you have to lose all of your content. The good thing about malware like WP-VCD (not that anything about it is good, but, you know) is it doesn’t usually add code to the posts or pages in your database. So, it is possible to export only your posts and pages and import them into a new WordPress installation.

And it should go without saying, do not use a nulled theme or plugin in your new installation!

If You Still Want to Try to Clean a Site Infected With WP-VCD

To remove WP-VCD, the first step is to delete any nulled plugins, if applicable, while making sure all the others you plan to keep are current and updated.

While you are updating your plugins, this is a good time to also completely remove any unused plugins from your WordPress installation. This dramatically reduces security risks for your site from plugins that are not updated by their author or have known vulnerabilities. This is something you should do periodically whether you’ve suffered a malware infection or not.

I’d strongly suggest deleting every theme, even the default ones, from your WordPress installation. Then, after removing the files below, reinstall the single theme you plan to use from a reputable source. The WordPress.org repository is usually a safe place to get themes.

Files to Look for that May Signify Infection

I could tell you to look for specific code in your theme’s functions.php file and delete it, but that’s ineffective and unnecessary. It’s ineffective because malware is always evolving. So new code could show up, and anything specific that I mention here becomes obsolete. Purging your theme directory is highly advisable.

Next, remember the files we looked for earlier? We’re going to delete those, but they should be deleted in this order to avoid reinfection:

  1. wp-includes/wp-vcd.php
  2. wp-includes/wp-tmp.php

You will also want to delete any file matching the names below, no matter where it is (don’t worry if you can’t find any; that’s good):

  • class.theme-modules.php
  • class.wp.php
  • admin.txt
  • codexc.txt
  • code1.php

Next, review or replace /wp-includes/post.php and ensure it does not reference the above files. If this file is infected and references wp-vcd.php or class.theme-modules.php, deleting it and replacing it with a clean version from the WordPress official downloads will ensure you have a clean file.

Finally, remove the rogue admin user that was added to your database by deleting its row within the table in phpMyAdmin. I would suggest taking a backup of your database before proceeding, just in case.

Please keep in mind that the WP-VCD malware is forever changing: there could be leftover files, or it may have adapted to common removal techniques. Have your web host perform a new malware scan after your cleanup to check for any leftover infections.
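The file checks from “How Can I Tell If My Site Is Infected With WP-VCD?” and the removal order above can be combined into one read-only scan. The script below is an added example, not GreenGeeks’ or any plugin’s own code; the function name `scan_wordpress` and the report keys are assumptions made for illustration, and the only indicators it knows are the file names listed in this article.

```python
import os
import sys

# Indicator file names taken from the article; nothing here is WP-VCD's own code.
CORE_FILES = ["wp-includes/wp-vcd.php", "wp-includes/wp-tmp.php"]  # removal order matters
EXTRA_NAMES = {"class.theme-modules.php", "class.wp.php", "admin.txt",
               "codexc.txt", "code1.php"}
# Strings the article says an infected wp-includes/post.php refers to.
POST_PHP_MARKERS = (b"wp-vcd.php", b"class.theme-modules.php")


def scan_wordpress(root):
    """Read-only scan of a WordPress root; returns a report and deletes nothing."""
    root = os.path.abspath(root)
    core = [p for p in CORE_FILES if os.path.isfile(os.path.join(root, p))]
    extras = []
    for dirpath, _dirs, files in os.walk(root):  # covers every theme, active or not
        for name in files:
            if name in EXTRA_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                extras.append(rel.replace(os.sep, "/"))
    post_hits = []
    post_php = os.path.join(root, "wp-includes", "post.php")
    if os.path.isfile(post_php):
        with open(post_php, "rb") as fh:
            data = fh.read()
        post_hits = [m.decode() for m in POST_PHP_MARKERS if m in data]
    return {
        # Core files first, in the article's order, then everything else found.
        "removal_order": core + sorted(extras),
        "post_php_references": post_hits,
        "infected": bool(core or extras or post_hits),
    }


if __name__ == "__main__":
    report = scan_wordpress(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in report["removal_order"]:
        print("suspect file:", path)
    for marker in report["post_php_references"]:
        print("wp-includes/post.php references", marker)
    print("indicators found" if report["infected"] else "no listed indicators found")
```

Generic names such as admin.txt can belong to legitimate software, so review each hit before deleting it. A clean report only means none of the file names listed here were present.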

How Can I Prevent My Site Being Infected With WP-VCD?

The best way to prevent a WP-VCD malware infection is to avoid using a nulled theme or plugin.

How do you do that?

  • Don’t download themes from sketchy websites that advertise premium theme downloads for free.
  • Don’t try to get around paying for a theme or plugin that you know charges a license fee.
  • If you like a premium theme or plugin, pay the developer for a license.

These simple things will protect your website from things like WP-VCD, and it will also help support the third-party WordPress developer ecosystem that makes WordPress the powerhouse that it is.

You can avoid accidentally coming across a nulled theme by only downloading themes from reputable developers or marketplaces, or from WordPress.org. Legitimate WordPress theme marketplaces include Themeforest, Elegant Themes, StudioPress, MOJO Marketplace, CSSIgniter, and others.

Install a WordPress Security Plugin

Security plugins like Wordfence can identify many different kinds of malware and prevent you from installing them, or alert you to their presence. Most of them also perform dozens of other checks and can take steps to increase your WordPress site security.

And of course, there are a lot of things that you can do to enhance the security of your site.

Automatic Protection

While it pays to be aware of threats like WP-VCD, if you’re a GreenGeeks customer, you can rest easy knowing that your website is protected by our Real-Time Security Scanning. Utilizing a sophisticated file tracking system, Real-Time Security Scanning proactively identifies and scans changed files, finding known malware signatures.

So even if you unknowingly upload an infected file to your website, our system will recognize the threat and attempt to isolate the file(s) that contain malware. Real-Time Security Scanning will help you avoid the problems caused by WP-VCD and many other potentially destructive forms of malware.

If you’re a GreenGeeks customer and need further assistance in fixing an infected site, our team is experienced with WP-VCD and can help with cleanup or advise on your options. Feel free to contact us.

Have you ever had to clean up a malware infection? Do you use a WordPress security plugin?

How to Track User History in WordPress https://www.greengeeks.com/tutorials/track-user-history-wordpress/ Thu, 17 Oct 2019 20:20:00 +0000

The post How to Track User History in WordPress appeared first on GreenGeeks.

Have you ever wanted to track user history in WordPress? Oftentimes, there are several different users on a website. However, you can’t track things that are happening from these users by default. You need to employ some sort of plugin that tracks WordPress user history.

Well, now you can easily see all recent changes to a site by using a plugin called Simple History. This plugin will allow you to easily track WordPress history from several different aspects.

Why Should You Track User History in WordPress

If you are the owner of a website, then you want to track all the important events that occur within the WordPress admin dashboard. This is especially true if you run a website that has many users who are all doing different things.

Tracking all recent changes allows you to see which users performed which functions. If something goes wrong, you can also track the history to see what may have happened.

Furthermore, with a solid plugin that tracks user history, you are able to track just about everything that happens on the site, not just when users log in and out.

Let’s take a look at how you can easily track user history in WordPress.

Simple History

Simple history plugin

There is a great plugin I found called Simple History. This plugin shows a full user history on your site. It will allow you to track all of the important events that occur. The plugin is packed full of functionality, including:

  • Ability to see what user added, updated, or deleted a post or page
  • See who added, updated, or deleted attachments
  • View who added, updated, or deleted taxonomies
  • Track which users edited comments
  • Get info on added, updated, removed widgets
  • See info on activated and deactivated plugins
  • Track user profile changes
  • Track all user logins
  • View all data import and export and menu edits

Basically, Simple History allows you to track all recent changes in WordPress for just about everything imaginable. The plugin is lightweight and very easy to set up and use.

Install and Activate Simple History

In order to track user history in WordPress, you need to install and activate the Simple History plugin. You can do this from the plugins page of your admin dashboard.

Install and activate user history in wordpress plugin

Once the plugin has been installed and activated, click on Settings > Simple History. This is located on the left menu of your dashboard. Doing so will take you to the settings page for the plugin, where you will be able to configure it.

Click settings then click simple history

Track WordPress User History

Now that you are on the settings page, let’s take a quick look at the setup. You will see three main tabs on this page. They are:

  • Settings
  • Export
  • Debug

Settings 

There are a few simple things to choose from on the Settings tab. Go ahead and run through these and configure the plugin settings how you would like.

Click on the “Save Changes” button to save all your configuration choices.

User history in wordpress settings

Export

The “Export” tab simply allows you to export a full WordPress user history. You can do this in either JSON or CSV format.

For example, you could create a spreadsheet of your own using the history data in the CSV file.

Export WordPress user history

Debug

The “Debug” tab shows you everything that is going on with the plugin and will give you suggestions to debug situations that may arise.

In other words, this can be greatly helpful when troubleshooting the plugin.

Simple history debug

How to View User History in WordPress

You can view WordPress user history two ways based on the options you chose in settings. They include:

  • On the dashboard
  • As a page under the dashboard menu

In this scenario we will view user history in WordPress from the dashboard. Click on Dashboard > Simple History.

Click on dashboard and then simple history

From here you will see some search options. You can view all recent changes in WordPress here as they will be listed below the search options.

Or, you can use the search fields to narrow certain functions down to specific dates, keywords, users, and log levels.

Simple history search form

Now, if you scroll down, you will see a list of all WordPress changes that have occurred, either by the default search settings or listed by the search criteria you put in.

User history in wordpress tracking

That’s it! You are now successfully tracking all user history in WordPress.

Final Thoughts

Tracking WordPress changes is an important aspect of running a website. There are a lot of things to consider when you are working with WordPress, but now you have a great option for tracking all WordPress user history. This will be especially helpful to you if you have many people on your website.

Have you tried tracking user history in WordPress using this plugin? Do you prefer to do this another way or not worry about it at all?
