Tips to make your WordPress website secure

Fabian Piau | Wednesday October 10th, 2018 - 06:43 PM

Update
January 14th, 2021: Updated the security headers, replacing “Feature-Policy” with “Permissions-Policy”.

WordPress is one of the most popular CMSs (Content Management Systems). That popularity also makes it a target of choice for attackers.
In this article, I will give you some tips to keep your website secure and reduce the chance of a successful attack.


1. Use latest versions

This is true for WordPress itself but also for all your extensions. New versions are released regularly. If a plugin has not been updated for a while, it is probably no longer maintained and you might need to remove or replace it. The same applies to your theme.
The version of PHP also matters: check with your hosting provider that you are running the latest version of PHP (7.X), especially since the 5.X versions will no longer be supported by the end of the year.
Also, note that the more extensions you have installed, the more risk you take, as your WordPress configuration relies on more third-party code. Keep only the plugins that you really need. If a plugin is disabled, don’t keep its source code around: remove all its associated files.


2. Use secure login details

Never use the default admin user. If you do, disable this account and create your own account with a personalized username.
Choose a strong password. If several users manage your website, make sure each user's role is appropriate and avoid giving the administrator role to everyone.


3. Scan your website

This is an easy and quick way to find vulnerabilities and see whether one of your plugins is vulnerable. You can use these two online tools:

  • WordPress Security Scan (my favourite with a detailed report)
  • WPSec


4. Use .htaccess files to protect your directories

The .htaccess file is a per-directory configuration file for the Apache web server. It allows you to define rules that the server follows for that directory and its subdirectories.

For example, in /wp-content/uploads, I have created the following .htaccess:

# Deny access to everything by default
# (Order/Deny/Allow are the Apache 2.2 directives; Apache 2.4 still accepts them
# through mod_access_compat, the native 2.4 form being Require all denied / granted)
Order deny,allow
Deny from all

# Allow access to media files only (matched on the file extension)
<FilesMatch '\.(jpg|jpeg|png|gif|bmp|zip|rar|pdf)$'>
    Allow from all
</FilesMatch>

With this configuration, only media files can be requested from a browser; requests for JavaScript or PHP files are refused. It is not 100% bulletproof, since only the file extension is checked, but it is better than nothing.

To prevent direct requests to PHP scripts in a folder where none should be served (e.g. /wp-includes), you can create another .htaccess file with the following content:

# Refuse every direct request for a .php file in this folder
<Files *.php>
Order allow,deny
Deny from all
</Files>


5. Review file and directory permissions

Make sure the critical files (wp-config.php, php.ini…) are not publicly writable, only readable. Only the owner should be able to write to them.
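To check sections 4 and 5 in one pass, here is an added audit script (my own example, not part of the original post) that walks a WordPress install and reports world-writable files, group-writable critical files, and script files sitting under wp-content/uploads; it goes slightly beyond the post by treating any dotted suffix (e.g. "a.php.jpg") as a script extension. The directory layout it builds is constructed for the demo.

```python
import os
import stat
import tempfile

# Extensions that have no business inside wp-content/uploads (the post's
# .htaccess refuses to serve them, but they should not be there at all).
SCRIPT_EXTENSIONS = {"php", "phtml", "js"}

# Files the post says must be readable but writable only by their owner.
CRITICAL_FILES = {"wp-config.php", "php.ini", ".htaccess"}


def is_script_name(name):
    """True if any dotted suffix is a script extension, so 'a.php.jpg' counts too."""
    return any(part.lower() in SCRIPT_EXTENSIONS for part in name.split(".")[1:])


def audit_wordpress_tree(root):
    """Walk a WordPress install and return sorted (path, finding) pairs."""
    findings = []
    uploads = os.path.join(root, "wp-content", "uploads") + os.sep
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # the link target is audited where it really lives
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif name in CRITICAL_FILES and mode & stat.S_IWGRP:
                findings.append((path, "group-writable critical file"))
            if path.startswith(uploads) and is_script_name(name):
                findings.append((path, "script file in uploads"))
    return sorted(findings)


def build_sample_install():
    """Create a constructed, throwaway WordPress-like tree to run the audit on."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads", "2018", "10")
    os.makedirs(uploads)
    samples = {
        os.path.join(root, "wp-config.php"): 0o664,   # group-writable: flagged
        os.path.join(root, "index.php"): 0o644,        # fine
        os.path.join(uploads, "photo.jpg"): 0o666,     # world-writable: flagged
        os.path.join(uploads, "stray.php"): 0o644,     # script in uploads: flagged
    }
    for path, mode in samples.items():
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for path, finding in audit_wordpress_tree(build_sample_install()):
        print(f"{finding:30} {path}")
```

Point `audit_wordpress_tree()` at your real document root instead of the sample tree to audit a live install.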


6. Use security headers

You can check which security headers you currently use with this online tool.

At the root folder, update the .htaccess file and add:

# Extra Security Headers
<IfModule mod_headers.c>
	Header set Strict-Transport-Security 'max-age=31536000; includeSubDomains'
	Header set X-XSS-Protection '1; mode=block'
	Header set X-Frame-Options 'sameorigin'
	Header set X-Content-Type-Options 'nosniff'
	Header unset Server
	Header always unset X-Powered-By
	Header unset X-Powered-By
	Header unset X-CF-Powered-By
	Header unset X-Mod-Pagespeed
	Header unset X-Pingback
</IfModule>

In wp-config.php, add:

/** Extra Security */
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header('Strict-Transport-Security:max-age=31536000; includeSubdomains; preload');
header('Referrer-Policy: no-referrer-when-downgrade');
header('Content-Security-Policy: upgrade-insecure-requests');
header('Permissions-Policy: autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), microphone=(), midi=(), payment=()');
header_remove('X-Powered-By');
header_remove('Server');
header_remove('X-CF-Powered-By');
header_remove('X-Mod-Pagespeed');
header_remove('X-Pingback');
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);


7. Do not expose too much information

At the root folder of your website, in php.ini, add the line:

expose_php = Off

The PHP version is then no longer advertised in the X-Powered-By response header.
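To verify sections 6 and 7 from the outside, here is an added checker (my own example, not from the original post) that takes the response headers of a page and reports the headers from the list above that are missing or weak, plus the version-revealing ones that should have been removed. The two header sets are constructed samples; on a live site you would feed it the headers returned by an HTTP request to your home page.

```python
def _max_age(value):
    """Extract max-age from an HSTS value such as 'max-age=31536000; includeSubDomains'."""
    for part in value.split(";"):
        key, _, num = part.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0


# Response headers the post sets, each with the check applied to its value.
# X-XSS-Protection from the post is left out on purpose: current browsers ignore it.
REQUIRED = {
    "strict-transport-security": lambda v: _max_age(v) >= 31536000,
    "x-frame-options": lambda v: v.strip().upper() in ("SAMEORIGIN", "DENY"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
    "content-security-policy": lambda v: bool(v.strip()),
    "permissions-policy": lambda v: bool(v.strip()),
}

# Headers the post removes because they only advertise software and versions.
LEAKY = ("server", "x-powered-by", "x-cf-powered-by", "x-mod-pagespeed", "x-pingback")


def audit_headers(headers):
    """Return a sorted list of problems found in a dict of HTTP response headers."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    problems = []
    for name, is_ok in REQUIRED.items():
        if name not in lower:
            problems.append(f"missing {name}")
        elif not is_ok(lower[name]):
            problems.append(f"weak {name}: {lower[name]}")
    for name in LEAKY:
        if name in lower:
            problems.append(f"leaks {name}: {lower[name]}")
    return sorted(problems)


# Constructed sample responses: a default-looking server, and one with the post's headers.
BEFORE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "Apache/X.Y (Debian)",  # placeholder version string
    "X-Powered-By": "PHP/X.Y",        # placeholder version string
    "X-Frame-Options": "sameorigin",
    "Strict-Transport-Security": "max-age=3600",  # far below the one year the post sets
}
AFTER = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Content-Security-Policy": "upgrade-insecure-requests",
    "Permissions-Policy": "camera=(), geolocation=(), microphone=()",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs) or "no problems found")
```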


8. Backup your website regularly

Last but not least! You don’t need any particular software or extra plugin to achieve this.

  • With your favourite FTP tool (e.g. Filezilla), save all the files available on your server.
  • For the database, use the available MySQL backup feature. Many hosting companies provide access to phpMyAdmin, an online tool.

I recommend doing a backup every month and keeping the last 6 backups somewhere safe. Of course, it depends on the volume of articles you are writing and how critical your data is.


That’s it! If you have done all the above, your website should be more resilient to attacks. In the worst case, you should be able to recover easily.

Happy safe blogging!

TransferWise, Revolut and Monzo, a small revolution for travelers and expats

Fabian Piau | Saturday January 20th, 2018 - 07:06 PM

Update
June, 11th, 2019 : Curve card enables you to combine all your existing cards in one.
April 22, 2018 : TransferWise is now providing a debit card for its borderless accounts.

For this first article of the year 2018, I will present 3 financial services that I have tried and used myself for several months, even years. They allow me to make significant savings on my foreign currency transactions by avoiding the high fees of traditional banks. This article is in no way sponsored, but I have allowed myself to include some referral links.

For those who know me or follow me, I have been living in England for a while now, 3 years already! I also travel abroad to discover new countries, new cultures and incidentally escape from the London fog…

After arriving in England, I quickly needed to open a local bank account where the currency is, of course, not the Euro, but the Pound Sterling.

To deposit money into this account (while waiting for my first pay), I had to transfer money from my French account to my English account. In the pre-Brexit era when the Pound was very strong, it was a little painful… And as if that was not enough, my bank would also take its share with a rather exorbitant fee on my transfer. To avoid being ripped off twice, I looked on the Internet and browsed some forums looking for advice. I quickly decided to choose TransferWise.


TransferWise

The principle is simple and based on common sense. British people sometimes need euros, for example when they travel in Europe; conversely, European people need pounds when they come to England. TransferWise allows you to link these requests by acting as an intermediary. The company has accounts in different currencies and distributes the amounts between people. For example, for a transfer of 1000 euros to a British account (so about 900 pounds at the moment), the system may need 2 people (one person who wants to convert 400 pounds into euros and another who wants to convert 500 pounds into euros) or 3 people (who want to convert 300 pounds into euros each) or 9 people (who want to convert 100 pounds each). I guess you understand how the system works!

Once the TransferWise account is registered as a payee with your traditional bank (this may take some time depending on your bank) and the transfer has been made from your original account, you will receive the money quickly in your destination account (usually within 1 day).

Your bank will not charge you, because your original account and the TransferWise account use the same currency. It is no big surprise that TransferWise charges a fee, but it is almost insignificant (e.g. 5 euros for a transfer of 1000 euros). You can run a simulation on their site; the fee is proportional to the amount transferred.

More recently, TransferWise has set up the borderless account. With this “multi-account” you can receive transfers in different currencies in a transparent way: you just need a click to activate a currency and get your corresponding local bank details (IBAN / BIC) that you can then forward to the person who owes you money. Since April 2018, you also receive a debit card so you can pay anywhere with your borderless account.

It is important to note that the transfer is executed at the market rate. Since you decide when you want to make the transfer, it is wise to do it when the rate is the most advantageous for you. In my case, it was much more interesting to make pound-to-euro transfers before Brexit.

Also in my example, I mentioned the Pound and Euro exchange, but many currencies are supported: the Swiss Franc, the US Dollar, the Japanese Yen, etc.

Feel free to look for yourself and use my referral link to open your account (and your first transfer will be free).


If you can use TransferWise for money transfers between accounts, how can you manage your expenses on the spot when you are travelling around the world? Who has not already paid a high fee when withdrawing abroad or when paying the bill at a restaurant? Who has not already made a large withdrawal at an ATM to avoid fixed costs, taking the risk to walk around with a large amount of money?


Revolut

Opening a Revolut account makes perfect sense. It’s an online bank, which means that you won’t find any physical offices, you manage everything yourself from the application on your smartphone: from changing the PIN code to the deactivation of the card, or the change of your address. Revolut is free, you just have to pay a small fee (5 pounds or equivalent in your currency) to receive your multi-currency debit card at home, unless you use my referral link to avoid entry fees.

You can convert currencies in advance from the application to ensure your exchange rate (advanced use) or it will be automatically calculated in the country according to the current rate and usage of your card (personally, I find it sufficient). The exchange rate is very low and matches the interbank rate (it is therefore a very low rate close to the real one without extra fee).

Revolut strongly advises its customers to keep an account in a traditional bank in case the card is not accepted; it is a Mastercard so it should not be a problem, but you will probably be happy to have your good old Visa card on hand, just in case.

The mobile application is well made with a breakdown of your expenses by category, an instant notification on your smartphone for each expense (useful for a contactless payment to verify the amount), the possibility of refunding another person instantly or share an expense easily.

I take the example of trips abroad, but nothing prevents you from using it every day by topping up your card regularly. You will be able to see your expenses by category, month after month, and refine your budget.

Wondering where the scam is? Well, it’s like TransferWise, there is not really a catch! But there are withdrawal and card payment limits (daily, weekly and monthly). Frankly, unless you travel for 6 months a year or you are really bad at spreading out your expenses, it should be enough for you. It is still possible to subscribe to the premium option to increase the limits and access additional services.

Revolut is a young, fast-growing company available in several countries. New features are added every month (cryptocurrency exchange, insurance, credit, etc.).

Again, feel free to have a look for yourself and use my referral link to open your account for free. There is very little chance for you to regret it.


Monzo

Monzo is also an online bank. It provides a very similar service to Revolut, so you will receive a Mastercard card to make payments in different currencies at the interbank rate.

I must say that I have been using it for longer and more regularly than Revolut. Unfortunately, at the time of writing, the service is only available in the UK. Unlike Revolut, there is no charge to receive the card, there is no premium option available, and it’s totally free. However, there is a waiting list to open an account (a few weeks at most).

They are still in a beta test phase, but I have been with them for a year and I have had no problem. It’s a bit like Gmail, which was in beta for years… However, it is possible that Monzo changes its business model and starts charging its users once their customer base is big enough; hard to say, but as long as the service is free, you may as well try it!

Unlike Revolut, Monzo focuses exclusively on the multi-currency expenses and reporting aspect, you won’t find any insurance, crypto exchange or other services. But what it does, it does it very well! Personally I find the smartphone app a little more convenient. They have limits too, but higher than on Revolut.

In my case, using both services and having 2 debit cards indirectly raises the limits. Also, it is possible that a Revolut card does not work in a place abroad while Monzo works there, and vice versa.


Curve

Last but not least, Curve is also an online bank. The main benefit of this card is that it allows you to group all your cards in one, like a wrapper. If you do not want to take all your cards with you all the time (Revolut, Monzo or any other professional or personal cards), it is possible to use only one: the Curve card. From the application, a simple tap is enough to select the card that will be active. It’s efficient and will make your wallet a little lighter. Note that there may be some limitations in case of disputes, but it will be suitable for everyday use. And since it’s free, why not give it a try?

You can use my referral link to open your account and get £5 for free. Use code “EKGQQJQN” at sign up.


For once, I did not look at the technical side, but the post is still about new technologies in the banking system, and I hope you’ve found the reading interesting. It also shows that small startups (Fintech) can move the lines of the banking landscape and shape our future. It is critical for traditional banks to constantly innovate to stay in the race; I am not sure they have all made the shift in time, and the customers of yesterday are no longer the young people of today.

And perhaps you will embrace online banking through your smartphone and even save some money… At least I don’t see any reason not to try!
